#6872 ipa server install fails with --external-ca option
Closed: fixed 7 years ago Opened 7 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1441548

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem:
ipa server install fails with `--external-ca` option with the following error:

  [22/30]: Configure HTTP to proxy connections
  [23/30]: restarting certificate server
  [24/30]: migrating certificate profiles to LDAP
  [error] NetworkError: cannot connect to 'https://guest42.testrelm.test:8443/ca/rest/account/login': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR cannot connect to 'https://guest42.testrelm.test:8443/ca/rest/account/login': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information


Version-Release number of selected component (if applicable):
# rpm -qa ipa-server selinux-policy 389-ds-base
389-ds-base-1.3.6.1-5.el7.x86_64
selinux-policy-3.13.1-141.el7.noarch
ipa-server-4.5.0-5.el7.x86_64


How reproducible:
100%

Steps to Reproduce:
1. ipa-server-install --ip-address $(ip addr|grep "global"|cut -d " " -f6|cut -d "/" -f1|head -n 1) -r testrelm.test -p 'Secret123' -a 'Secret123' --setup-dns --forwarder 10.65.201.89 -U --external-ca
2. Generate certificate ipa.crt
3. # ipa-server-install --external_cert_file=/root/ipa-ca/ipa.crt --external_ca_file=/root/ipa-ca/ipacacert.asc


Actual results:
Installation fails with the above-mentioned message.

Expected results:
Installation should be successful.

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1441548

7 years ago

Metadata Update from @pvoborni:
- Issue priority set to: blocker
- Issue tagged with: regression, testblocker

7 years ago

Metadata Update from @stlaz:
- Issue assigned to stlaz

7 years ago

master:

  • 7b85031 ext. CA: correctly write the cert chain

ipa-4-5:

  • a6af003 ext. CA: correctly write the cert chain

Metadata Update from @jcholast:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

7 years ago
