When installing IPA with an external CA, if a custom subject name is set via the --subject "..." option:
# ipa-server-install --subject 'o=IPA.LOCAL 201604041412' --external-ca
Then step 1 concludes with the instruction:
The next step is to get /root/ipa.csr signed by your CA and re-run /sbin/ipa-server-install as:
/sbin/ipa-server-install --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
However, running this command (after issuing the IPA CA cert) results in the following error:
# ipa-server-install --external-cert-file=/path/to/ipa.crt --external-cert-file=/path/to/ca.crt
The log file for this installation can be found in /var/log/ipaserver-install.log
Directory Manager password:
==============================================================================
This program will set up the IPA Server.
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the Network Time Daemon (ntpd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
ipa.ipapython.install.cli.install_tool(Server): ERROR IPA CA certificate not found in /root/ca/ipa.crt, /root/ca/ca.crt
Adding the same --subject="..." that was used for step 1 makes it possible to get past this error.
Possible solutions:
record the subject name and automatically pick it up for step 2 of installation, or
include the appropriate --subject argument in the instructions at the end of step 1.
What version of FreeIPA? master, 4.3, 4.2.3, 4.2.4? This is broken in 4.2.3. Should be fixed in 4.2.4 and above.
I hit it on RHEL 7.2. Fix for #5556 seems to be correct; closing.
Metadata Update from @ftweedal: - Issue assigned to someone - Issue set to the milestone: 0.0 NEEDS_TRIAGE