Entrepreneur AJ via FreeIPA-users wrote:
> I have created an internal CA with openssl for my company with a sub CA for
> signing certain services such as FreeIPA root CAs. The problem I am having is I
> have signed the CSR and uploaded it back to the FreeIPA server, but when I try
> to run the second part of the install it errors out. The following is the
> command used to run the second part of the install:
> ipa-server-install --external-cert-file=/root/ipa.crt
> --external-cert-file=/root/internal-ca.cert.pem
>
> This is the output:
> The log file for this installation can be found in
> /var/log/ipaserver-install.log
> Directory Manager password:
>
> ==============================================================================
> This program will set up the IPA Server.
> Version 4.12.2
>
> This includes:
> * Configure a stand-alone CA (dogtag) for certificate management
> * Configure the NTP client (chronyd)
> * Create and configure an instance of Directory Server
> * Create and configure a Kerberos Key Distribution Center (KDC)
> * Configure Apache (httpd)
> * Configure SID generation
> * Configure the KDC to enable PKINIT
>
> IPA CA certificate with subject 'CN=Certificate Authority,O=EAJ Global,OU=UK
> Internal Certificate Authority,C=GB' was not found in
> /root/ipa.crt,/root/internal-ca.cert.pem.
> The ipa-server-install command failed. See /var/log/ipaserver-install.log for
> more information
>
> I used openssl to verify the certificate subject matches:
> root@ipa1:~# openssl x509 -in /root/ipa.crt -noout -subject
> subject=C=GB, O=EAJ Global, OU=UK Internal Certificate Authority,
> CN=Certificate Authority
>
> The only difference I see is the order of the subject line. But the subject
> itself is still valid.
>
> I am running Fedora 42 with the latest version in the repos installed.
>
> Any help would be appreciated.
>

It's difficult to troubleshoot based on just this. The server install log plus the cert files would make it easier.

rob
