Hi,

On Mon, Oct 9, 2023 at 5:30 PM Frederic Ayrault <[email protected]> wrote:

>
> On 09/10/2023 at 16:47, Florence Blanc-Renaud wrote:
>
> Is this your external CA? I assume that its subject conflicts with the
> default subject name that IPA installer would pick. If that's the case, you
> can force ipa-ca-install to use a different subject name with the
> --ca-subject option.
>
> flo
>
>
> I run ipa-ca-install --ca-subject="CN=New Certificate Authority,O=LIX.POLYTECHNIQUE.FR"
> but after the last step (30/30) I get
>
> Done configuring certificate server (pki-tomcatd).
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Unexpected error - see /var/log/ipareplica-ca-install.log for details:
> DuplicateEntry: This entry already exists
>
>
> the ipareplica-ca-install.log ends with
>
> 2023-10-09T14:55:53Z DEBUG stderr=
> 2023-10-09T14:55:53Z DEBUG Starting external process
> 2023-10-09T14:55:53Z DEBUG args=/usr/bin/certutil -d dbm:/etc/dirsrv/slapd-LIX-POLYTECHNIQUE-FR/ -A -n LIX.POLYTECHNIQUE.FR IPA CA -t CT,C,C -a -f /etc/dirsrv/slapd-LIX-POLYTECHNIQUE-FR/pwdfile.txt
> 2023-10-09T14:55:53Z DEBUG Process finished, return code=0
> 2023-10-09T14:55:53Z DEBUG stdout=
> 2023-10-09T14:55:53Z DEBUG stderr=
> 2023-10-09T14:55:53Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 1015, in run_script
>     return_value = main_function()
>
>   File "/usr/sbin/ipa-ca-install", line 343, in main
>     install(safe_options, options, filename)
>
>   File "/usr/sbin/ipa-ca-install", line 279, in install
>     install_master(safe_options, options)
>
>   File "/usr/sbin/ipa-ca-install", line 266, in install_master
>     ca.install(True, None, options, custodia=custodia)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 255, in install
>     install_step_1(standalone, replica_config, options, custodia=custodia)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 379, in install_step_1
>     config_ipa=True, config_compat=True)
>
>   File "/usr/lib/python2.7/site-packages/ipalib/install/certstore.py", line 372, in put_ca_cert_nss
>     config_ipa, config_compat)
>
>   File "/usr/lib/python2.7/site-packages/ipalib/install/certstore.py", line 239, in put_ca_cert
>     config_ipa=config_ipa, config_compat=config_compat)
>
>   File "/usr/lib/python2.7/site-packages/ipalib/install/certstore.py", line 152, in add_ca_cert
>     ldap.add_entry(entry)
>

The error is an LDAP error when adding an entry/attribute for the CA. Can you check in /var/log/dirsrv/slapd-<YOURDOMAIN>/errors if there were any errors reported at the same date (~2023-10-09T14:55:53Z)? The error would happen either on an ADD or on a MOD operation.

It would also help if you can provide a description of your current certificate chain (the subject of the Root CA, if relevant the intermediate ones) or share your /etc/ipa/ca.crt file. You didn't clarify so far whether IPA was installed CA-less or with an embedded CA that was externally-signed. If you still have access to the first server that was installed, you can have a look at /var/log/ipaserver-install.log and check the options that were provided.

flo

>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1580, in add_entry
>     self.conn.add_s(str(entry.dn), list(attrs.items()))
>
>   File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
>     self.gen.throw(type, value, traceback)
>
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1029, in error_handler
>     raise errors.DuplicateEntry()
>
> 2023-10-09T14:55:53Z DEBUG The ipa-ca-install command failed, exception: DuplicateEntry: This entry already exists
>
>
> If I look at the database with /usr/bin/certutil -d dbm:/etc/dirsrv/slapd-LIX-POLYTECHNIQUE-FR/ -L , I get
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> CNRS2-Standard - CNRS                                        C,,
> CA 3                                                         CT,C,C
> LIX.POLYTECHNIQUE.FR IPA CA                                  CT,C,C
> IPA3                                                         u,u,u
> CNRS2 - CNRS                                                 ,,
> CA 3                                                         CT,C,C
> CA 3                                                         CT,C,C
>
>
> looks like the problem is "CA 3" but I do not know what to do
>
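A small helper, added here as an illustration and not part of the thread, that automates the two checks discussed above: it parses `certutil -L` output for nicknames that occur more than once (the quoted listing shows "CA 3" three times) and pulls 389-ds errors-log lines stamped within a minute of the installer's failure time. The certutil listing is re-typed from the quoted message; the errors-log lines are constructed samples, and the code assumes the default 389-ds errors-log timestamp format `[DD/Mon/YYYY:HH:MM:SS.nnnnnnnnn +0000]`.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample: the `certutil -L` listing quoted in the thread, re-typed here.
CERTUTIL_L = """\
Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI
CNRS2-Standard - CNRS                       C,,
CA 3                                        CT,C,C
LIX.POLYTECHNIQUE.FR IPA CA                 CT,C,C
IPA3                                        u,u,u
CNRS2 - CNRS                                ,,
CA 3                                        CT,C,C
CA 3                                        CT,C,C
"""
# A certificate row ends in an NSS trust triple such as "CT,C,C", "u,u,u" or ",,".
ROW_RE = re.compile(r"^(?P<nick>\S.*?)\s+(?P<trust>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$")

def parse_certutil_list(text):
    """Return [(nickname, trust)] for each certificate row of `certutil -L` output."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)  # the two header lines carry no trust triple and do not match
        if m:
            rows.append((m.group("nick"), m.group("trust")))
    return rows

def duplicate_nicknames(rows):
    """Nicknames listed more than once, each with the trust flags of every copy."""
    seen = {}
    for nick, trust in rows:
        seen.setdefault(nick, []).append(trust)
    return {n: t for n, t in seen.items() if len(t) > 1}

# Constructed sample lines in 389-ds errors-log format (not taken from the thread).
DS_ERRORS_LOG = """\
[09/Oct/2023:14:40:01.000000000 +0000] - INFO - main - unrelated earlier entry (constructed)
[09/Oct/2023:14:55:53.412345678 +0000] - ERR - example_plugin - constructed error at the failure time
"""
DS_TS_RE = re.compile(r"^\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})(?:\.\d+)? ([+-]\d{4})\]")
def ds_log_lines_near(log_text, failure_stamp, window=timedelta(seconds=60)):
    """Errors-log lines within `window` of an installer timestamp such as '2023-10-09T14:55:53Z'."""
    failure_time = datetime.strptime(failure_stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    hits = []
    for line in log_text.splitlines():
        m = DS_TS_RE.match(line)
        if m:
            stamp = datetime.strptime(" ".join(m.groups()), "%d/%b/%Y:%H:%M:%S %z")
            if abs(stamp - failure_time) <= window:
                hits.append(line)
    return hits
```

Run `duplicate_nicknames(parse_certutil_list(open_output))` on a real listing and `ds_log_lines_near(open_log, "2023-10-09T14:55:53Z")` on the real errors log to get the two pieces of evidence asked for above in one pass.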
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
