Bug 1368388 - second step in external-ca install fails while doing CA-full from CA-less
Summary: second step in external-ca install fails while doing CA-full from CA-less
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Kaleem
Reported: 2016-08-19 09:09 UTC by Kaleem
Modified: 2016-08-25 14:22 UTC (History)

Last Closed: 2016-08-25 14:22:09 UTC

Attachments
installation console output (9.86 KB, text/plain)
2016-08-19 09:12 UTC, Kaleem

Description Kaleem 2016-08-19 09:09:41 UTC
Description of problem:
Second step in external-ca install fails while making master CA-full from CA-less.

[root@dhcp207-129 ~]# ipa-server-install --external-cert-file=/root/ipa-ca/ipa.crt --external-cert-file=/root/ipa-ca/ipacacert.asc

The log file for this installation can be found in /var/log/ipaserver-install.log
ipa.ipapython.install.cli.install_tool(Server): ERROR    IPA client is already configured on this system.
Please uninstall it before configuring the IPA server, using 'ipa-client-install --uninstall'
ipa.ipapython.install.cli.install_tool(Server): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
[root@dhcp207-129 ~]#

Version-Release number of selected component (if applicable):
[root@dhcp207-129 ~]# rpm -q ipa-server pki-ca
ipa-server-4.4.0-8.el7.x86_64
pki-ca-10.3.3-6.el7.noarch
[root@dhcp207-129 ~]# 


How reproducible:
Always

Steps to Reproduce:
1. Install CA-less IPA master
2. ipa-ca-install --external-ca
3. ipa-server-install --external-cert-file=/root/ipa-ca/ipa.crt --external-cert-file=/root/ipa-ca/ipacacert.asc

Actual results:
second step of external-ca install fails  

Expected results:
second step of external-ca should be successful 

Additional info:
Please find the attached console output.

Comment 1 Kaleem 2016-08-19 09:11:18 UTC
A related bug where step2 failed but proceeded further.
https://bugzilla.redhat.com/show_bug.cgi?id=1318616

Comment 2 Kaleem 2016-08-19 09:12:51 UTC
Created attachment 1192087
installation console output

Comment 5 Petr Vobornik 2016-08-22 08:23:11 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6237

Comment 6 Petr Vobornik 2016-08-25 14:22:09 UTC
As Standa wrote in https://fedorahosted.org/freeipa/ticket/6237#comment:6 this is an invalid usage.

After running ipa-ca-install, the instructions are:

"""
The next step is to get /root/ipa.csr signed by your CA and re-run /usr/sbin/ipa-ca-install as:
/usr/sbin/ipa-ca-install --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
"""

I.e. run `ipa-ca-install` again.

But in the test an ipa-server-install is run:
 ipa-server-install --external-cert-file=/root/ipa-ca/ipa.crt --external-cert-file=/root/ipa-ca/ipacacert.asc

