On 12/15/20 5:07 PM, iulian roman via FreeIPA-users wrote:
> After some plumbing and manual operations I managed to have the CA
> running during installation of the FreeIPA server. Currently the install fails in:
> Configuring directory server (dirsrv)
> [2/3]: adding CA certificate entry
> args=['/usr/bin/certutil', '-d',
> 'dbm:/etc/dirsrv/slapd-IPA-LOCAL/', '-O', '--simple-self-signed',
> '-n', 'IPA.LOCAL IPA CA', '-f',
> '/etc/dirsrv/slapd-IPA-LOCAL/pwdfile.txt']
> The installation seems to fail due to the fact that certutil does not support
> the --simple-self-signed parameter.
> Does anybody know if there is a version of libnss3-tools for Ubuntu 18.04 which does
> have a certutil package which supports the option invoked or if the option can be
> disabled/removed during install?

Hi,

On Ubuntu I don't know which version is shipped but on Fedora the option
was introduced in nss 3.38.
The option was added in IPA to fix
https://pagure.io/freeipa/issue/7926
(cert renewal failing when ipa ca cert is renewed from self-signed >
external ca > self-sign). Unless you are intending to change your
certificate chaining, it won't affect your install.
flo
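
Added example, not part of the original thread and not FreeIPA or NSS code: a pre-install check for whether a host's certutil can accept --simple-self-signed, using the 3.38 threshold given in the reply above. The function names are hypothetical, and the probe assumes certutil's help text lists the option when the build supports it.

```shell
#!/bin/sh
# Threshold taken from the reply above (NSS release that added the option on Fedora).
MIN_NSS="3.38"

# Reduce a package version to the upstream NSS version by dropping a Debian
# epoch ("2:") and the package revision (everything from the first "-").
upstream_version() {
    v=${1#*:}
    printf '%s\n' "${v%%-*}"
}

# Return 0 when dotted version $1 >= $2. Fields are compared numerically,
# so 3.100 sorts above 3.38, which a plain string comparison gets wrong.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; x=${x%%[!0-9]*}    # first field, digits only
        y=${b%%.*}; y=${y%%[!0-9]*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Version-based verdict for a package version string.
supports_simple_self_signed() {
    version_ge "$(upstream_version "$1")" "$MIN_NSS"
}

# Direct probe: reads certutil help text on stdin and looks for the option.
help_has_option() {
    grep -qF -e '--simple-self-signed'
}

# Usage on the host being installed (package name from the question above):
#   supports_simple_self_signed "$(dpkg-query -W -f='${Version}' libnss3-tools)"
#   certutil -H 2>&1 | help_has_option
```

Both checks return a shell exit status, so they can gate an install script; the help-text probe is the more direct of the two because it does not depend on how a distribution numbers its packages.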