On 05/19/2015 10:53 AM, Dewangga Bachrul Alam wrote:
> Hello!
>
> On 05/19/2015 12:53 PM, Martin Kosek wrote:
>> On 05/19/2015 04:04 AM, Dewangga Bachrul Alam wrote:
>>> Hello!
>>>
>>> I'm trying to reinstall ipa client, but have a problem with old/existing
>>> ca.crt in `/etc/ipa/ca.crt`. Should I remove it manually? Since the IPA
>>> server still on development and always reinstalled, I need to reproduce
>>> any possible problem/error on FreeIPA 4.x on CentOS 7.
>>>
>>> The error was :
>>> LDAP Error: Connect error: TLS error -8054:You are attempting to import
>>> a cert with the same issuer/serial as an existing cert, but that is not
>>> the same cert.
>>>
>>> Currently, I was renamed ca.crt to ca.crt.old and the ipa client
>>> successfully reconnected to new FreeIPA Server using dns discovery.
>>>
>>> Is it normal? And why the ipa-client-install --uninstall didn't
>>> completely remove the old ca.crt?
>>
>> Hello,
>>
>> ipa-client-install uninstall the CA certificate properly since FreeIPA
>> 3.2. This is the upstream ticket:
>> https://fedorahosted.org/freeipa/ticket/3537
>>
>> CentOS/RHEL speaking, this should be thus fixed in 7.0+. In 6.x
>> versions, you need to delete the certificate manually if you reinstalled
>> the IPA server.
>>
>> HTH,
>> Martin
>
> Could you gimme advice, which version is suitable on production? 3.x or
> 4.x? Or is there any release timeline for FreeIPA version (like EOL, etc).

All versions in RHEL should be suitable for production - RHEL is an OS targeting production/stable environment.

For FreeIPA, I would recommend using environment built on top of RHEL-7.1 version (FreeIPA 4.1) as it contains the most fixes and most functionality to be offered. I would not recommend having mixed RHEL-6.x and RHEL-7.x as you will have limited capabilities of your infrastructure as most of the new server features are not backported to RHEL-6.x and clients connected to these servers could not use them.

Martin
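
The certificate conflict reported at the start of this thread (TLS error -8054: same issuer/serial, different certificate), as an added example that is not part of the original messages or of FreeIPA itself: a pre-install check that compares the CA file left on a client with the CA of the reinstalled server. The function names are hypothetical, the demo CA is constructed sample input, and it is an assumption that the reinstalled server's CA reuses the old subject and serial number.

```shell
#!/bin/sh
# Added example: detect a stale CA file that would trigger NSS error -8054.

# Print "issuer|serial|" for a PEM certificate.
cert_id() {
    openssl x509 -in "$1" -noout -issuer -serial | tr '\n' '|'
}

# Print the SHA-256 fingerprint of a PEM certificate.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Compare the CA file left on the client ($1) with the current server CA ($2).
# Prints SAME, DIFFERENT or CONFLICT; returns 1 for CONFLICT, 2 on bad input.
check_stale_ca() {
    old=$1
    new=$2
    if [ ! -r "$old" ] || [ ! -r "$new" ]; then
        echo "cannot read certificate file" >&2
        return 2
    fi
    if [ "$(cert_fp "$old")" = "$(cert_fp "$new")" ]; then
        echo SAME          # identical certificate, nothing to clean up
    elif [ "$(cert_id "$old")" = "$(cert_id "$new")" ]; then
        echo CONFLICT      # same issuer/serial, different cert: remove the old file
        return 1
    else
        echo DIFFERENT     # unrelated CA, no issuer/serial collision
    fi
}

# Constructed sample input: a throwaway self-signed CA with serial 1.
# $1 = output PEM path, $2 = subject (hypothetical realm name).
make_demo_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
        -subj "$2" -set_serial 1 -days 1 -out "$1" 2>/dev/null
}

# Usage: sh check_ca.sh /etc/ipa/ca.crt /path/to/new-server-ca.crt
if [ "$#" -eq 2 ]; then
    check_stale_ca "$1" "$2"
fi
```

A CONFLICT result corresponds to the situation in the original report, where moving the old `ca.crt` aside let the client enroll against the new server.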
