Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1318616
Description of problem: While converting CA-less to CA-FULL IPA server, CA fails to start after ipa-ca-install installation. Version-Release number of selected component (if applicable): ipa-server-4.2.0-15.el7_2.10.x86_64 How reproducible: 100% Steps to Reproduce: 1. Create Self-signed CA certificate and server certificates 2. # ipa-server-install --http_pkcs12 server.p12 --http_pin Secret123 --dirsrv_pkcs12 server.p12 --dirsrv_pin Secret123 --root-ca-file ca.crt --ip-address 10.10.10.1 -r testrelm.test -p 'Secret123' -a 'Secret123' --setup-dns --forwarder 10.10.10.89 -U 3. # ipa-ca-install --external-ca 4. Get IPA CSR signed using external CA # certutil -C -i /root/ipa.csr -o ipa.crt -c "ca1" -d nssdb -a 5. # /usr/sbin/ipa-ca-install --external-cert-file=ipa.crt --external-cert-file=ca.crt <= This command fails to start CA server Actual results: CA did not start even after waiting for 300 seconds. Expected results: CA should start and installation should be successful. Additional info: Please see installation logs and console.log in attachments.
Requires also a fix on PKI side.
This should be done sooner. It actually doesn't depend on the PKI side. See https://bugzilla.redhat.com/show_bug.cgi?id=1318616#c8
This bug can't be fixed on our side until this pki bug is resolved: https://fedorahosted.org/pki/ticket/2451
I was wrong, the bug had nothing to do with PKI, it needed a fix on our side. PR posted for review.
master:
ipa-4-3:
Not closing ticket, patch for 4.2 needed
ipa-4-2:
I forgot to push to 4.4, fixed now :)
ipa-4-4:
Metadata Update from @pvoborni: - Issue assigned to tkrizek - Issue set to the milestone: FreeIPA 4.2.5
Login to comment on this ticket.