Hi,
On Mon, Oct 9, 2023 at 5:30 PM Frederic Ayrault fred@lix.polytechnique.fr wrote:
Le 09/10/2023 à 16:47, Florence Blanc-Renaud a écrit :
Is this your external CA? I assume that its subject conflicts with the default subject name that IPA installer would pick. If that's the case, you can force ipa-ca-install to use a different subject name with the --ca-subject option.
flo
I run ipa-ca-install --ca-subject="CN=New Certificate Authority,O= LIX.POLYTECHNIQUE.FR" but after the last step (30/30) I get
Done configuring certificate server (pki-tomcatd).
Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up.
Unexpected error - see /var/log/ipareplica-ca-install.log for details: DuplicateEntry: This entry already exists
the ipareplica-ca-install.log ends with
2023-10-09T14:55:53Z DEBUG stderr=
2023-10-09T14:55:53Z DEBUG Starting external process
2023-10-09T14:55:53Z DEBUG args=/usr/bin/certutil -d dbm:/etc/dirsrv/slapd-LIX-POLYTECHNIQUE-FR/ -A -n LIX.POLYTECHNIQUE.FR IPA CA -t CT,C,C -a -f /etc/dirsrv/slapd-LIX-POLYTECHNIQUE-FR/pwdfile.txt
2023-10-09T14:55:53Z DEBUG Process finished, return code=0
2023-10-09T14:55:53Z DEBUG stdout=
2023-10-09T14:55:53Z DEBUG stderr=
2023-10-09T14:55:53Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 1015, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-ca-install", line 343, in main
    install(safe_options, options, filename)
  File "/usr/sbin/ipa-ca-install", line 279, in install
    install_master(safe_options, options)
  File "/usr/sbin/ipa-ca-install", line 266, in install_master
    ca.install(True, None, options, custodia=custodia)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 255, in install
    install_step_1(standalone, replica_config, options, custodia=custodia)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 379, in install_step_1
    config_ipa=True, config_compat=True)
  File "/usr/lib/python2.7/site-packages/ipalib/install/certstore.py", line 372, in put_ca_cert_nss
    config_ipa, config_compat)
  File "/usr/lib/python2.7/site-packages/ipalib/install/certstore.py", line 239, in put_ca_cert
    config_ipa=config_ipa, config_compat=config_compat)
  File "/usr/lib/python2.7/site-packages/ipalib/install/certstore.py", line 152, in add_ca_cert
    ldap.add_entry(entry)
The error is an LDAP error when adding an entry/attribute for the CA. Can you check in /var/log/dirsrv/slapd-<YOURDOMAIN>/errors if there were any errors reported at the same date (~2023-10-09T14:55:53Z)? The error would happen either on an ADD or on a MOD operation. It would also help if you can provide a description of your current certificate chain (the subject of the Root CA, if relevant the intermediate ones) or share your /etc/ipa/ca.crt file. You didn't clarify so far whether IPA was installed CA-less or with an embedded CA that was externally-signed. If you still have access to the first server that was installed, you can have a look at /var/log/ipaserver-install.log and check the options that were provided.
flo
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1580, in add_entry
    self.conn.add_s(str(entry.dn), list(attrs.items()))
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1029, in error_handler
    raise errors.DuplicateEntry()
2023-10-09T14:55:53Z DEBUG The ipa-ca-install command failed, exception: DuplicateEntry: This entry already exists
If I look at the database with /usr/bin/certutil -d dbm:/etc/dirsrv/slapd-LIX-POLYTECHNIQUE-FR/ -L, I get

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CNRS2-Standard - CNRS                                        C,,
CA 3                                                         CT,C,C
LIX.POLYTECHNIQUE.FR IPA CA                                  CT,C,C
IPA3                                                         u,u,u
CNRS2 - CNRS                                                 ,,
CA 3                                                         CT,C,C
CA 3                                                         CT,C,C

It looks like the problem is "CA 3", but I do not know what to do.
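A quick check for the symptom in that listing, added here as an example and not code from the thread or from FreeIPA: it parses certutil -L output (a constructed copy of the listing above, laid out in certutil's two-column format) and reports every nickname that occurs more than once in the NSS database, so a collision like the repeated "CA 3" is spotted before running the installer again.

```python
import re
from collections import Counter

# Constructed sample: the certutil -L listing from the thread, re-laid out
# in certutil's two-column format (nickname, then trust flags at end of line).
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CNRS2-Standard - CNRS                                        C,,
CA 3                                                         CT,C,C
LIX.POLYTECHNIQUE.FR IPA CA                                  CT,C,C
IPA3                                                         u,u,u
CNRS2 - CNRS                                                 ,,
CA 3                                                         CT,C,C
CA 3                                                         CT,C,C
"""

# A trust-attribute field is three comma-separated groups of NSS trust flags
# (p, P, c, C, T, u, w); any group may be empty, e.g. "CT,C,C" or ",,".
# Header and blank lines never contain such a field, so they are skipped.
_ENTRY_RE = re.compile(
    r"^(?P<nick>\S.*?)\s+(?P<trust>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$"
)


def parse_certutil_listing(text):
    """Return a list of (nickname, trust) tuples from `certutil -L` output."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            entries.append((m.group("nick"), m.group("trust")))
    return entries


def duplicate_nicknames(entries):
    """Map each nickname that occurs more than once to its occurrence count."""
    counts = Counter(nick for nick, _ in entries)
    return {nick: n for nick, n in counts.items() if n > 1}


if __name__ == "__main__":
    found = parse_certutil_listing(SAMPLE_LISTING)
    for nick, n in sorted(duplicate_nicknames(found).items()):
        print("nickname %r appears %d times" % (nick, n))
```

On a live system, feed it the real output with `certutil -d dbm:/etc/dirsrv/slapd-<INSTANCE>/ -L` in place of the constructed sample.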