[Freeipa-users] ipa-replica install failing

James Roman james.roman at ssaihq.com
Thu Oct 1 18:44:47 UTC 2009


David Christensen wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> When I installed my first ipa server I used the self signed ssl cert and
> soon followed up with a replica.  Shortly after installing the replica I
>  attempted to import a wild card CA signed cert and ran into an issue.
>   
This is a bit unclear. Did you try to import a 3rd party CA signed 
wildcard certificate? If so, depending on who your signing CA is, you 
may need to import a certificate chain for your signing CA to get to a 
CA that NSS trusts. Most 3rd party CAs will tell you this (or at least 
will let you know in their support knowledge-base).
Or did you issue a wildcard certificate from your IPA CA certificate?
>
> Now I am trying to create a 3rd replica and have run into what I think
> is a similar issue.  I can export the replica package from the "master"
> ipa server using the pk12 options however the replica install fails.
>
> I ran the debug on the replica install and this is where the install fails:
>
> root        : INFO
> creation of replica failed: Could not find a CA cert in
> /tmp/tmplO4Bp3ipa/realm_info/dscert.p12
> root        : DEBUG    Could not find a CA cert in
> /tmp/tmplO4Bp3ipa/realm_info/dscert.p12
>   File "/usr/sbin/ipa-replica-install", line 294, in <module>
>     main()
>
>   File "/usr/sbin/ipa-replica-install", line 244, in main
>     ds = install_ds(config)
>
>   File "/usr/sbin/ipa-replica-install", line 115, in install_ds
>     ds.create_instance(config.ds_user, config.realm_name,
> config.host_name, config.domain_name, config.dirman_password, pkcs12_info)
>
>   File "/usr/lib/python2.5/site-packages/ipaserver/dsinstance.py", line
> 193, in create_instance
>     self.start_creation("Configuring directory server:")
>
>   File "/usr/lib/python2.5/site-packages/ipaserver/service.py", line
> 139, in start_creation
>     method()
>
>   File "/usr/lib/python2.5/site-packages/ipaserver/dsinstance.py", line
> 345, in __enable_ssl
>     ca.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1])
>
>   File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 472,
> in create_from_pkcs12
>     raise RuntimeError("Could not find a CA cert in %s" % pkcs12_fname)
>
>
>   
If you changed the initial CA certs, you will most likely need to 
provide a PKCS12 file for both the directory server and httpd server.
ipa-replica-prepare --dirsrv_pkcs12=/path/to/pkcs12/file \
    --http_pkcs12=/path/to/pkcs12/file \
    --dirsrv_pin=PasswordUsedToGeneratePKCS12File \
    --http_pin=PasswordUsedToGeneratePKCS12File

Are you providing a certificate or trying to have the script generate 
one using the default?
If you did generate a pkcs12 file to include in the ipa-replica-prepare 
script, run
 pk12util -l /path/to/pkcs12/file

and verify that the entire certificate chain up to an NSS-trusted CA is 
included. (Start from the end and look at the "Subject:" and "Issuer:" 
lines. Scroll up and see if the next subject line is the previous 
issuer; repeat as needed until you get to an issuer CA certificate that NSS 
(or Firefox) includes in its default trusted CAs.)

> Your system may be partly configured.
>
> Is this issue similar to what I experienced with the ssl cert import or
> is it something entirely different?
>
> David
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkrDrP8ACgkQ5B+8XEnAvqtBCgCgnO75V05RxkDtpxTzK0gdk1Cg
> pRQAniFkA0G4JHjChzeyZ7bP/oTHTurz
> =F7r+
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>   
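The chain walk James describes (follow each "Issuer:" to the matching "Subject:" until you reach a CA the trust store knows) can be scripted. The following is an added example, not code from this thread or from the FreeIPA project. It parses the Subject/Issuer lines of `pk12util -l` style output and reports whether the chain is complete, which issuer is absent from the .p12, or whether it ends at a self-signed CA that the trust store does not contain. The three listings and the trust store are constructed fixtures, trimmed to the lines the check needs; the DN strings, the `Example Inc` CAs and `EXAMPLE.COM` realm are assumptions. It compares DN strings only and does not verify signatures, so "trusted" means the chain is present, not that it is cryptographically valid.

```python
"""Check that a PKCS#12 listing's certificate chain reaches a trusted CA.

Added example (not from the mailing-list thread or the FreeIPA project).
Only DN strings are compared; signatures are not verified.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Matches the NSS pretty-print form:  Issuer: "CN=...,O=..."  (quotes optional)
_DN_LINE = re.compile(r'^\s*(Subject|Issuer):\s*"?(.*?)"?\s*$')


def parse_pk12util_listing(text: str) -> List[Tuple[str, str]]:
    """Return (subject, issuer) per 'Certificate:' block, in listing order."""
    certs: List[Tuple[str, str]] = []
    subject: Optional[str] = None
    issuer: Optional[str] = None
    for line in text.splitlines():
        if line.strip() == "Certificate:":          # a new certificate block starts
            if subject and issuer:
                certs.append((subject, issuer))
            subject = issuer = None
            continue
        m = _DN_LINE.match(line)
        if m:
            if m.group(1) == "Subject":
                subject = m.group(2)
            else:
                issuer = m.group(2)
    if subject and issuer:
        certs.append((subject, issuer))
    return certs


def walk_chain(certs: List[Tuple[str, str]], trusted_subjects: Set[str],
               leaf_subject: Optional[str] = None) -> Tuple[str, List[str], str]:
    """Follow Issuer -> Subject links from the end-entity certificate.

    Returns (status, chain, dn):
      'trusted'         chain ends at a CA in trusted_subjects; dn is that CA
      'missing-issuer'  dn is an Issuer that no Subject in the listing matches
      'untrusted-root'  dn is a self-signed CA that is not in the trust store
    """
    by_subject: Dict[str, str] = dict(certs)
    if leaf_subject is None:
        # The leaf is the only certificate that issues nothing else in the file.
        issued = {i for _, i in certs}
        leaves = [s for s, _ in certs if s not in issued]
        if len(leaves) != 1:
            raise ValueError(f"cannot pick a single end-entity cert from {leaves}")
        leaf_subject = leaves[0]
    if leaf_subject not in by_subject:
        raise ValueError(f"no certificate with subject {leaf_subject!r}")
    chain = [leaf_subject]
    current = leaf_subject
    while True:
        issuer = by_subject[current]
        if issuer in trusted_subjects:
            return "trusted", chain, issuer
        if issuer == current:                       # self-signed, but not trusted
            return "untrusted-root", chain, issuer
        if issuer not in by_subject:                # next link is absent from the .p12
            return "missing-issuer", chain, issuer
        if issuer in chain:
            raise ValueError(f"issuer loop at {issuer}")
        chain.append(issuer)
        current = issuer


# Constructed stand-in for the NSS default trust store (the real list is much larger).
TRUSTED_CAS = {"CN=Example Root CA,O=Example Inc"}

# Constructed pk12util -l excerpt: only the wildcard leaf was exported.
LEAF_ONLY = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: "CN=Example Intermediate CA,O=Example Inc"
        Subject: "CN=*.ipa.example.com,O=Example Inc"
"""

# Constructed excerpt: leaf plus intermediate; the root is left to the trust store.
LEAF_AND_INTERMEDIATE = LEAF_ONLY + """\
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: "CN=Example Root CA,O=Example Inc"
        Subject: "CN=Example Intermediate CA,O=Example Inc"
"""

# Constructed excerpt: server cert from a self-signed IPA CA that is in the
# file but not in the default trust store.
IPA_SELF_SIGNED = """\
Certificate:
    Data:
        Issuer: "CN=Certificate Authority,O=EXAMPLE.COM"
        Subject: "CN=replica.example.com,O=EXAMPLE.COM"
Certificate:
    Data:
        Issuer: "CN=Certificate Authority,O=EXAMPLE.COM"
        Subject: "CN=Certificate Authority,O=EXAMPLE.COM"
"""


def check_listing(text: str, trusted: Set[str] = TRUSTED_CAS) -> Tuple[str, List[str], str]:
    """Parse a listing and walk its chain against the given trust store."""
    return walk_chain(parse_pk12util_listing(text), trusted)


if __name__ == "__main__":
    for name, text in [("leaf only", LEAF_ONLY),
                       ("leaf+intermediate", LEAF_AND_INTERMEDIATE),
                       ("ipa self-signed", IPA_SELF_SIGNED)]:
        status, chain, dn = check_listing(text)
        print(f"{name:18} {status:15} {' -> '.join(chain)}  [{dn}]")
```

To use it against a real file, feed `pk12util -l /path/to/pkcs12/file` output into `check_listing`, and replace `TRUSTED_CAS` with the subjects of the CAs your NSS database actually trusts. A 'missing-issuer' result is the symptom to fix before re-running ipa-replica-prepare: re-export the .p12 with the named intermediate (and, for a CA NSS does not ship, the root) included.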