[Freeipa-devel] Failed replica installation (v2)

Rob Crittenden rcritten at redhat.com
Wed Jul 1 14:10:33 UTC 2009


Rob Crittenden wrote:
> Martin Nagy wrote:
>> On Wed, 01 Jul 2009 08:33:36 -0400, Rob Crittenden
>> <rcritten at redhat.com> wrote:
>>
>>> Martin Nagy wrote:
>>>> I'm trying to install a replica, but the installation script fails
>>>> when trying to restart the 389 server:
>>>>
>>>> 2009-07-01 04:11:59,777 INFO [01/Jul/2009:04:11:49 -0400] - SSL
>>>> alert: CERT_VerifyCertificateNow: verify certificate failed for cert
>>>> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
>>>> Portable Runtime error -8179 - Peer's Certificate issuer is not
>>>> recognized.) [01/Jul/2009:04:11:49 -0400] - SSL failure: None of
>>>> the cipher are valid
>>>>
>>>> Is this somehow my fault or is this a bug?
>>> That would be a bug. It would seem that the CA is not being imported 
>>> into DS either because it wasn't put into the replica file or some
>>> other bug.
>>
>> Submitted as bug# 509111. Is there a workaround? BTW, I can
>> see a ca.crt inside the replica info file.
>>
>> Martin
> 
> I'm firing up a second F-11 VM now to give replication a test. It worked 
> the last time I tried a few weeks ago so I don't know if this is another 
> F-11 idiosyncrasy or a generic bug.
> 
> rob

The NSS tool certutil used to list the entire cert chain with the -O 
option. Now it only lists those certs in the chain that are trusted. We 
used this to determine what CAs to trust when importing from a PKCS#12 
file. I've filed a bug on this.

A short-term workaround is to modify ipaserver/install/certs.py in 
find_root_cert() to always return "CA certificate". This will only work 
with our self-signed CA.

I was able to stand up a replica with this change.

rob
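As an added illustration (not the find_root_cert() from ipaserver/install/certs.py, nor a patch to it), here is a small parser for `certutil -O` output that refuses to pick a root when the issuer has been dropped from the listing, instead of silently treating the leaf as its own root. The two-space-per-level output format, the nicknames and the subjects below are assumptions, and the sample listings are constructed.

```python
import re
import subprocess

# Constructed sample of `certutil -O -n Server-Cert` output (format assumed):
# the chain is printed root first, each issued cert indented two more spaces.
FULL_CHAIN = '''"CA certificate" [CN=Certificate Authority,O=EXAMPLE.COM]

  "Server-Cert" [CN=replica.example.com,O=EXAMPLE.COM]
'''

# Constructed sample of the failure mode in the thread: when the issuer is
# not trusted in the NSS database, certutil omits it and only the leaf remains.
TRUNCATED_CHAIN = '''"Server-Cert" [CN=replica.example.com,O=EXAMPLE.COM]
'''

CHAIN_LINE = re.compile(r'^(?P<indent> *)"(?P<nick>[^"]+)" \[(?P<subject>[^\]]*)\]')


def parse_chain(text):
    """Return [(nickname, subject), ...] in the order certutil printed them (root first)."""
    entries = []
    for line in text.splitlines():
        m = CHAIN_LINE.match(line)
        if m:
            entries.append((m.group("nick"), m.group("subject")))
    return entries


def find_root_cert(chain_text, leaf_nickname):
    """Nickname of the chain's root, or None when the chain is truncated.

    If the first entry is the leaf itself, certutil found no trusted issuer;
    returning it as the "root" would import the wrong cert as a CA.
    """
    entries = parse_chain(chain_text)
    if not entries or entries[0][0] == leaf_nickname:
        return None
    return entries[0][0]


def certutil_chain(secdir, nickname):
    """Fetch the live listing from an NSS database (hypothetical helper; needs certutil installed)."""
    proc = subprocess.run(["certutil", "-d", secdir, "-O", "-n", nickname],
                          capture_output=True, text=True, check=True)
    return proc.stdout
```

A caller that gets None back knows the CA still has to be imported and trusted before the server cert's chain can be verified, which is the condition the -8179 error above reports.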