Using self-signed certificates currently makes ipa-server-install stop after configuring DS:
<snip>
[33/36]: adding replication acis
[34/36]: enabling compatibility plugin
[35/36]: tuning directory server
[36/36]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Could not find a CA cert in dirsrv.p12
Instead, it should either print an error message at the beginning, or support self-signed certificate installs.
Print the message.
We should also print an error message when an intermediate CA is used, to avoid confusion, and remove it when #3668 is fixed.
To reproduce, create a self-signed certificate:
# mkdir /root/openssl
# cd /root/openssl
# openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -nodes -days 365
Create a PKCS 12 file:
# openssl pkcs12 -export -inkey key.pem -in cert.pem -out file.p12 -name "Server-Cert"
Install IPA:
# ipa-server-install --dirsrv_pkcs12=/root/openssl/file.p12 --http_pkcs12=/root/openssl/file.p12 --dirsrv_pin=password --http_pin=password --root-ca-file=/root/openssl/cert.pem
See also http://www.freeipa.org/page/V3/CA-less_install
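A pre-flight check for the situation reproduced above, run against the PKCS#12 file before calling ipa-server-install. This is an added example, not FreeIPA code: the function names are hypothetical, and treating a file without any CA certificate as the same failure is an assumption based on the "Could not find a CA cert" message.

```sh
#!/bin/sh
# Added example (not FreeIPA code): pre-flight check for the PKCS#12 files
# passed to --dirsrv_pkcs12 / --http_pkcs12. Function names are hypothetical.

# Succeeds when the PEM certificate in $1 is self-signed: subject and issuer
# hash to the same name and the signature verifies against its own public key.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject_hash) || return 2
    issr=$(openssl x509 -in "$1" -noout -issuer_hash) || return 2
    [ "$subj" = "$issr" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Succeeds when the PKCS#12 file $1 (PIN $2) carries at least one CA
# certificate in addition to the server certificate.
p12_has_ca_cert() {
    P12_PIN="$2" openssl pkcs12 -in "$1" -passin env:P12_PIN -nokeys -cacerts \
        2>/dev/null | grep -q 'BEGIN CERTIFICATE'
}

# Returns 0 if the file looks usable, 1 if it would hit the failure in this
# ticket (self-signed server cert or no CA cert), 2 if it cannot be read.
preflight_p12() {
    tmp=$(mktemp) || return 2
    if ! P12_PIN="$2" openssl pkcs12 -in "$1" -passin env:P12_PIN -nokeys \
            -clcerts -out "$tmp" 2>/dev/null || ! [ -s "$tmp" ]; then
        rm -f "$tmp"
        echo "$1: cannot read server certificate (wrong PIN?)" >&2
        return 2
    fi
    rc=0
    if is_self_signed "$tmp"; then
        echo "$1: server certificate is self-signed" >&2; rc=1
    elif ! p12_has_ca_cert "$1" "$2"; then
        echo "$1: no CA certificate in file" >&2; rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
```

Called as preflight_p12 /root/openssl/file.p12 password, it returns 1 for the file built in the steps above.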
master: ab96ca7
ipa-3-2: e1f481c
Metadata Update from @jcholast: - Issue assigned to jcholast - Issue set to the milestone: FreeIPA 3.2.x - 2013/06 (bug fixing)