For example, this is what happens with an expired certificate:
Unexpected error - see /var/log/ipaserver-install.log for details: NSPRError: [Errno -8181] (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
ipaserver-install.log:
2013-05-29T23:44:40Z INFO   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 615, in run_script
    return_value = main_function()
  File "/sbin/ipa-server-install", line 842, in main
    http_cert_name = check_pkcs12(http_pkcs12_info, ca_file, host_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 751, in check_pkcs12
    nssdb.verify_server_cert_validity(server_cert_name, hostname)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 289, in verify_server_cert_validity
    approved_usage = cert.verify_now(certdb, True, intended_usage)
2013-05-29T23:44:40Z INFO The ipa-server-install command failed, exception: NSPRError: [Errno -8181] (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
A similar error can be observed if the certificate's key usage is not valid for an SSL server.
This also happens if --root-ca-file is a PEM file with a non-CA certificate.
This ticket is a Fedora 19 development issue (CA-less installation feature - ticket #3363). jcholast is working on the resolution and has most of the patches ready.
Moving to 3.2.x bugfixing bucket.
... and now the actual milestone change.
master: 1e772b1
ipa-3-2: 4211505
Metadata Update from @jcholast:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 3.2.x - 2013/06 (bug fixing)