Hi, I'm trying to install on CentOS 6.5 (ipa-server-3.0.0-37.el6.x86_64) with an external CA. I'm getting this error:

Command '/usr/bin/sslget -v -n ipa-ca-agent -p XXXXXXXX -d /tmp/tmp-jNYt3P -r /ca/agent/ca/profileReview?requestId=6 auth.lan:9443' returned non-zero exit status 4

I found a thread from back in 2012 with the exact same symptoms:

https://www.redhat.com/archives/freeipa-users/2012-May/msg00357.html

Unfortunately, the thread died out without any resolution/fix. When I run the suggested commands from that thread, I get the same results the OP did.

# certutil -L -d /tmp/tmp-jNYt3P/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipa-ca-agent                                                 u,u,u
Certificate Authority - xxx                                  CT,C,C
testnick                                                     P,,
xxx Certificate Authority - xxx                              CT,C,C

# certutil -V -u C -n ipa-ca-agent -d /tmp/tmp-jNYt3P/
certutil: certificate is invalid: Issuer certificate is invalid.

# certutil -L -n ipa-ca-agent -d /tmp/tmp-jNYt3P/
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5 (0x5)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=xxx"
        Validity:
            Not Before: Thu Mar 06 04:17:13 2014
            Not After : Wed Feb 24 04:17:13 2016
        Subject: "CN=ipa-ca-agent,O=xxx"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                b5:5e:45:9f:e9:71:c5:11:a2:6c:6c:06:00:be:02:ad:
                8e:ae:76:1b

            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location:
                URI: "http://auth.lan:80/ca/ocsp"

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Non-Repudiation
                    Key Encipherment
                    Data Encipherment

            Name: Extended Key Usage
                TLS Web Client Authentication Certificate
                E-Mail Protection Certificate

    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
    Fingerprint (MD5):
        96:68:7A:76:9F:06:78:BC:67:85:0C:82:A8:43:14:6B
    Fingerprint (SHA1):
        99:7D:9F:1B:F4:A7:52:9F:CF:BF:23:4F:5B:1A:90:22:19:14:37:16

    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User

... and so on...

Any suggestions from anyone who has gotten an external-ca install to work?

Robert
--
Senior Software Engineer @ Parsons
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users