Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1444896
Created attachment 1273618 external_ca.sh Description of problem: IPA server installation fails with following error: ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR CA certificate CN=PRIMARY,O=TESTRELM.TEST in /root/nssdb/chain.crt is not valid: (SEC_ERROR_BAD_SIGNATURE) Peer's certificate has an invalid signature. ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information Version-Release number of selected component (if applicable): # rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server package freeipa-server is not installed package freeipa-client is not installed ipa-server-4.5.0-7.el7.x86_64 ipa-client-4.5.0-7.el7.x86_64 389-ds-base-1.3.6.1-9.el7.x86_64 pki-ca-10.4.1-2.el7.noarch krb5-server-1.15.1-7.el7.x86_64 How reproducible: 100% Steps to Reproduce: 1. Run attached script Actual results: Installation fails with above error Expected results: Same script works fine in non-FIPS mode. Installation is non-FIPS mode with external-ca is successful.
Metadata Update from @stlaz: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1444896
Metadata Update from @stlaz: - Issue assigned to stlaz
Metadata Update from @pvoborni: - Issue priority set to: blocker - Issue set to the milestone: FreeIPA 4.5.1 - Issue tagged with: bug
ipa-4-5:
Metadata Update from @mbasti: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.