Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 953485
Created attachment 737273 ipaserver-install.log Description of problem: ipa-server-install fails with external ca Version-Release number of selected component (if applicable): freeipa-server-3.2.0-0.2.beta1.fc19.x86_64 pki-ca-10.0.1-2.1.fc19.noarch How reproducible: Steps to Reproduce: 1. ipa-server-install --setup-dns --external-ca 2.ipa-server-install --external_cert_file=/root/sign-ipa.crt --external_ca_file=/root/ad-ca.crt Actual results: Configuring certificate server (pki-tomcatd): Estimated time 33 minutes 30 seconds [1/20]: creating certificate server user [2/20]: configuring certificate server instance [3/20]: disabling nonces [4/20]: creating RA agent certificate database [5/20]: importing CA chain to RA certificate database [6/20]: fixing RA database permissions [7/20]: setting up signing cert profile [8/20]: set up CRL publishing [9/20]: set certificate subject base [10/20]: enabling Subject Key Identifier [11/20]: enabling CRL and OCSP extensions for certificates [12/20]: setting audit signing renewal to 2 years [13/20]: configuring certificate server to start on boot [14/20]: restarting certificate server [15/20]: requesting RA certificate from CA [16/20]: issuing RA agent certificate Unexpected error - see /var/log/ipaserver-install.log for details: CalledProcessError: Command '/usr/bin/certutil -d /etc/httpd/alias -f XXXXXXXX -A -t u,u,u -n ipaCert -a -i /tmp/tmphU1n_0' returned non-zero exit status 255 Expected results: ipa-server-installation should succeed Additional info:
Fixed in upstream NSS in:
nss-3.14.3-2.fc18
nss-3.14.3-12.0.fc19
We just need to set our deps right.
attachment freeipa-rcrit-1097-nss.patch
master: 732d104
Metadata Update from @rcritten: - Issue assigned to rcritten - Issue set to the milestone: FreeIPA 3.2 - 2013/04-05 (GA)
Login to comment on this ticket.