#5791 CA fails to start after doing ipa-ca-install --external-ca
Closed: Fixed None Opened 8 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1318616

Description of problem:
While converting CA-less to CA-FULL IPA server, CA fails to start after
ipa-ca-install installation.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create Self-signed CA certificate and server certificates
2. # ipa-server-install --http_pkcs12 server.p12 --http_pin Secret123
--dirsrv_pkcs12 server.p12 --dirsrv_pin Secret123 --root-ca-file ca.crt
--ip-address -r testrelm.test -p 'Secret123' -a 'Secret123'
--setup-dns --forwarder -U
3. # ipa-ca-install --external-ca
4. Get IPA CSR signed using external CA
   # certutil -C  -i /root/ipa.csr -o ipa.crt -c "ca1" -d nssdb -a
5. # /usr/sbin/ipa-ca-install --external-cert-file=ipa.crt
--external-cert-file=ca.crt <= This command fails to start CA server

Actual results:
CA did not start even after waiting for 300 seconds.

Expected results:
CA should start and installation should be successful.

Additional info:
Please see installation logs and console.log in attachments.

Requires also a fix on PKI side.

This should be done sooner. It actually doesn't depend on the PKI side. See https://bugzilla.redhat.com/show_bug.cgi?id=1318616#c8

This bug can't be fixed on our side until this pki bug is resolved:

I was wrong, the bug had nothing to do with PKI, it needed a fix on our side. PR posted for review.


  • 2bc70a5 Keep NSS trust flags of existing certificates


  • b3e57f7 Keep NSS trust flags of existing certificates

Not closing ticket, patch for 4.2 needed


  • 202ab87 Keep NSS trust flags of existing certificates

I forgot to push to 4.4, fixed now :)


  • 741f2e4 Keep NSS trust flags of existing certificates

Metadata Update from @pvoborni:
- Issue assigned to tkrizek
- Issue set to the milestone: FreeIPA 4.2.5

7 years ago

Log in to comment on this ticket.