#6166 Subsequent external CA installation fails
Closed: Fixed None Opened 7 years ago by jcholast.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1341249

Created attachment 1163261
Logs from installing the external CA

Description of problem:
When trying to subsequently install an external CA on a CA-less IdM
installation, the setup fails, because the CA status can't be checked after
restarting pki-tomcatd@pki-tomcat.service.

In the ipaserver-ca-install.log logfile you can see that the URL
https://vm-01.idm.example.com:8443/ca/admin/ca/getStatus returns a 404 error
(Not found).

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Set up an IdM master without CA
2. Run "ipa-ca-install --external-ca"
3. Submit the CSR to the external CA and copy the issued certificate + CA
certificate to the IdM host.
4. Continue with the CA Setup
  ipa-ca-install --external-cert-file=/root/vm-01.idm.example.com.crt

Actual results:
When continuing with the second step of the CA setup, ipa-ca-install fails:
  [13/27]: restarting certificate server
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart the
Dogtag instance.See the installation log for details.

Expected results:
ipa-ca-install should finish successfully.


  • a42b456 install: fix external CA cert validation


  • 44401d2 install: fix external CA cert validation

Metadata Update from @jcholast:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.3.3

7 years ago
