[Freeipa-devel] Failed replica installation (v2)

Thomas,Dave d.Thomas at colostate.edu
Wed Jul 1 18:07:26 UTC 2009


This fixed my problem with v1.2.1 as well. Thanks.
Dave
________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Wednesday, July 01, 2009 8:10 AM
To: Martin Nagy
Cc: freeipa-devel at redhat.com
Subject: Re: [Freeipa-devel] Failed replica installation (v2)

Rob Crittenden wrote:
> Martin Nagy wrote:
>> On Wed, 01 Jul 2009 08:33:36 -0400, Rob Crittenden
>> <rcritten at redhat.com> wrote:
>>
>>> Martin Nagy wrote:
>>>> I'm trying to install a replica, but the installation script fails
>>>> when trying to restart the 389 server:
>>>>
>>>> 2009-07-01 04:11:59,777 INFO [01/Jul/2009:04:11:49 -0400] - SSL
>>>> alert: CERT_VerifyCertificateNow: verify certificate failed for cert
>>>> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
>>>> Portable Runtime error -8179 - Peer's Certificate issuer is not
>>>> recognized.) [01/Jul/2009:04:11:49 -0400] - SSL failure: None of
>>>> the cipher are valid
>>>>
>>>> Is this somehow my fault or is this a bug?
>>> That would be a bug. It would seem that the CA is not being imported
>>> into DS either because it wasn't put into the replica file or some
>>> other bug.
>>
>> Submitted as bug# 509111. Is there a workaround? BTW, I can
>> see a ca.crt inside the replica info file.
>>
>> Martin
>
> I'm firing up a second F-11 VM now to give replication a test. It worked
> the last time I tried a few weeks ago so I don't know if this is another
> F-11 idiosyncrasy or a generic bug.
>
> rob

The NSS tool certutil used to list the entire cert chain with the -O
option. Now it only lists those certs in the chain that are trusted. We
used this to determine what CAs to trust when importing from a PKCS#12
file. I've filed a bug on this.

A short-term workaround is to modify ipaserver/install/certs.py in
find_root_cert() to always return "CA certificate". This will only work
with our self-signed CA.

I was able to stand up a replica with this change.

rob
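Editor's added example (not code from the thread or from FreeIPA's certs.py): the thread describes find_root_cert() taking the top entry of the chain that `certutil -O -n <nick>` prints, and breaking when certutil only prints the trusted part of the chain, so the server cert ends up alone at the top. The function below parses that output, returns the root nickname in the normal case, and detects the truncated-chain case instead of silently returning the server cert as its own root; there it falls back to the hard-coded "CA certificate" nickname from the workaround above. The certutil output layout (root first, two spaces of indentation per level, `"nickname" [subject]`), the sample chains and the helper names are assumptions made for this example.

```python
import re

# Constructed sample of what `certutil -d <secdir> -O -n Server-Cert`
# prints for a complete chain: root first, each level indented two spaces.
FULL_CHAIN = '''"CA certificate" [CN=Certificate Authority,O=EXAMPLE.COM]

  "Server-Cert" [CN=ipa.example.com,O=EXAMPLE.COM]
'''

# Constructed sample of the failure mode from the thread: the issuer is not
# trusted in the NSS database, so certutil prints only the leaf.
TRUNCATED_CHAIN = '''"Server-Cert" [CN=ipa.example.com,O=EXAMPLE.COM]
'''

# One chain line: optional indentation, quoted nickname, bracketed subject DN.
# Pattern written for the assumed layout above.
CHAIN_LINE = re.compile(r'^(?P<indent> *)"(?P<nick>[^"]+)" \[(?P<subject>[^\]]*)\]')


def parse_chain(output):
    """Parse certutil -O output into [(depth, nickname, subject), ...], root first."""
    entries = []
    for line in output.splitlines():
        m = CHAIN_LINE.match(line)
        if m:
            depth = len(m.group("indent")) // 2
            entries.append((depth, m.group("nick"), m.group("subject")))
    return entries


def find_root_cert(output, nickname, fallback="CA certificate"):
    """Return (root_nickname, used_fallback) for the chain printed for `nickname`.

    Normal case: the first (least indented) entry is the root CA.
    Truncated case: certutil found no trusted issuer and printed only the
    requested cert, so the leaf sits alone at the top. Taking it as the root
    would be wrong (it is not self-signed), so return `fallback`, the
    nickname the thread's workaround hard-codes, and flag that this happened.
    That fallback is only valid when the CA really is the self-signed IPA CA.
    """
    entries = parse_chain(output)
    if not entries:
        raise ValueError("no certificate chain found in certutil output")
    nicks = [nick for _, nick, _ in entries]
    if nickname not in nicks:
        raise ValueError("%s does not appear in the printed chain" % nickname)
    root_depth, root_nick, _ = entries[0]
    if root_depth != 0:
        raise ValueError("chain does not start at depth 0")
    truncated = (root_nick == nickname and len(entries) == 1)
    if truncated:
        return fallback, True
    return root_nick, False


if __name__ == "__main__":
    for label, chain in (("full", FULL_CHAIN), ("truncated", TRUNCATED_CHAIN)):
        root, used_fallback = find_root_cert(chain, "Server-Cert")
        print("%s chain: root=%r fallback_used=%s" % (label, root, used_fallback))
```

In a real install the `output` argument would be the stdout of the certutil call; the point of the used_fallback flag is that the installer can log that the chain came back truncated (the symptom that produced the -8179 "issuer is not recognized" SSL alert above) rather than trusting the wrong nickname.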