Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-15443

Server install: failure to install with externally signed CA because of timezone issue

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Major Major
    • rhel-9.4
    • rhel-9.4
    • ipa
    • ipa-4.11.0-2.el9
    • None
    • 1
    • sst_idm_ipa
    • ssg_idm
    • 10
    • 12
    • None
    • False
    • Hide

      None

      Show
      None
    • No
    • 2023-Q4-Alpha-S4
    • All
    • None

      What were you trying to do that didn't work?

      Installation of IPA with an externally signed CA

      Please provide the package NVR for which bug is seen:

      ipa-server-4.11.0-1.el9.x86_64

      How reproducible:

      100%

      Steps to reproduce

      1. Generate a CSR with  
        /usr/sbin/ipa-server-install -p Secret123 -a Secret123 -r TESTREALM.TEST --setup-dns --forwarder 10.11.5.19 --domain testrealm.test --realm TESTREALM.TEST --external-ca -U

         

      1. sign the CSR /root/ipa.csr with your external ca
      2. Continue the installation with the CA cert:  
        /usr/sbin/ipa-server-install --external-cert-file /tmp/nssdb/chain.crt -p Secret123 -U -p Secret123 -a Secret123 -r TESTREALM.TEST

      Expected results

      Installation should succeed

      Actual results

      Installation fails:

      CA certificate CN=Certificate Authority,O=TESTREALM.TEST in /tmp/nssdb/chain.crt is not valid: not valid before 2023-10-06 16:56:56+00:00 UTC is in the future.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

       

      This is a RHEL 9.4 tracker for https://pagure.io/freeipa/issue/9462

            frenaud@redhat.com Florence Renaud
            frenaud@redhat.com Florence Renaud
            Florence Renaud Florence Renaud
            Erik Belko Erik Belko
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

              Created:
              Updated:
              Resolved: