On 12/15/20 5:07 PM, iulian roman via FreeIPA-users wrote:
After some plumbing and manual operations I managed to have CA running during
installation of the FreeIPA server. Currently the install fails in:
Configuring directory server (dirsrv)
[2/3]: adding CA certificate entry
args=['/usr/bin/certutil', '-d', 'dbm:/etc/dirsrv/slapd-IPA-LOCAL/', '-O',
'--simple-self-signed', '-n', 'IPA.LOCAL IPA CA', '-f',
'/etc/dirsrv/slapd-IPA-LOCAL/pwdfile.txt']
The installation seems to fail due to the fact that certutil does not support
the --simple-self-signed parameter.
Does anybody know if there is a version of libnss3-tools for Ubuntu 18.04
which does have a certutil package which supports the option invoked or if the
option can be disabled/removed during install?
Hi,
On Ubuntu I don't know which version is shipped but on Fedora the option
was introduced in nss 3.38.
The option was added in IPA to fix https://pagure.io/freeipa/issue/7926
(cert renewal failing when ipa ca cert is renewed from self-signed >
external ca > self-sign). Unless you are intending to change your
certificate chaining, it won't affect your install.
flo
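
An added example, not part of the original thread: a shell check for whether a host's certutil can accept the --simple-self-signed option before the installer is run. It uses the 3.38 minimum given in the reply above; the function names, the sample package version string, and the assumption that `certutil -H` lists the option in its help text are all assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight check for the certutil option the installer passes.
# MIN_NSS is the NSS version named in the thread for Fedora.
MIN_NSS="3.38"

# Strip a Debian epoch ("2:") and package revision ("-2ubuntu2.12").
upstream_version() {
    v=${1#*:}
    printf '%s\n' "${v%-*}"
}

# True when dotted version $1 >= $2, compared numerically per component.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}   # drop suffixes such as "~rc1"
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Reads certutil help text on stdin; true when the option is listed.
# Assumption: builds that support the option mention it in "certutil -H".
help_lists_option() {
    grep -qF -e '--simple-self-signed'
}

# Report for the local host; does nothing when the tools are not installed.
if command -v certutil >/dev/null 2>&1; then
    if certutil -H 2>&1 | help_lists_option; then
        echo "certutil lists --simple-self-signed"
    else
        echo "certutil does not list --simple-self-signed"
    fi
fi
if command -v dpkg-query >/dev/null 2>&1; then
    pkg=$(dpkg-query -W -f='${Version}' libnss3-tools 2>/dev/null || true)
    if [ -n "$pkg" ] && version_ge "$(upstream_version "$pkg")" "$MIN_NSS"; then
        echo "libnss3-tools $pkg is at or above NSS $MIN_NSS"
    elif [ -n "$pkg" ]; then
        echo "libnss3-tools $pkg is below NSS $MIN_NSS"
    fi
fi
```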
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]