[Freeipa-users] ipa-replica-prepare clarification

James Roman james.roman at ssaihq.com
Mon Sep 14 15:35:06 UTC 2009


OK, I am still running into a similar problem when installing the replica 
server. It appears that the problem stems from the chained CA 
certificates from GoDaddy again. On the replica server, all the certs 
appear to be installed properly. The script is choking when modifying 
the trust arguments. It looks like it is grabbing the certificate name 
from the wrong place again.


      ipa-replica-install Error:

NOTE: Take a look at where the quotes are showing up in the "certutil 
-d" lines.

root        : DEBUG      [10/17]: configuring ssl for ds instance
  [10/17]: configuring ssl for ds instance
root        : DEBUG    Loading Index file from 
'/var/lib/ipa/sysrestore/sysrestore.index'
root        : INFO    
root        : INFO    
root        : INFO     pk12util: PKCS12 IMPORT SUCCESSFUL

root        : INFO    
root        : INFO    
root        : INFO     certutil: could not find certificate named 
"valicert.com" 
[E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 
Policy Validation Authority,O="ValiCert, Inc.": The security card or 
token does not exist, needs to be initialized, or has been removed.

creation of replica failed: Command '/usr/bin/certutil -d 
/etc/dirsrv/slapd-REALM-COM/ -M -n valicert.com" 
[E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 
Policy Validation Authority,O="ValiCert, Inc. -t CT,CT,' returned 
non-zero exit status 255
root        : DEBUG    Command '/usr/bin/certutil -d 
/etc/dirsrv/slapd-REALM-COM/ -M -n valicert.com" 
[E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 
Policy Validation Authority,O="ValiCert, Inc. -t CT,CT,' returned 
non-zero exit status 255
  File "/usr/sbin/ipa-replica-install", line 294, in <module>
    main()

  File "/usr/sbin/ipa-replica-install", line 244, in main
    ds = install_ds(config)

  File "/usr/sbin/ipa-replica-install", line 115, in install_ds
    ds.create_instance(config.ds_user, config.realm_name, 
config.host_name, config.domain_name, config.dirman_password, pkcs12_info)

  File "/usr/lib/python2.5/site-packages/ipaserver/dsinstance.py", line 
193, in create_instance
    self.start_creation("Configuring directory server:")

  File "/usr/lib/python2.5/site-packages/ipaserver/service.py", line 
139, in start_creation
    method()

  File "/usr/lib/python2.5/site-packages/ipaserver/dsinstance.py", line 
345, in __enable_ssl
    ca.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1])

  File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 403, 
in create_from_pkcs12
    self.trust_root_cert(nickname)

  File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 322, 
in trust_root_cert
    "-t", "CT,CT,"])

  File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 126, 
in run_certutil
    return ipautil.run(new_args, stdin)

  File "/usr/lib/python2.5/site-packages/ipa/ipautil.py", line 97, in run
    raise CalledProcessError(p.returncode, ' '.join(args))


      Replica server Cert DB:

[root at replica slapd-REALM-COM]# certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
Go Daddy Secure Certification Authority                      ,,
Go Daddy Class 2 Certification Authority                     ,,
valicert.com                                                 ,,



Rob Crittenden wrote:
> James Roman wrote:
>> Can anyone elaborate on the options for the ipa-replica-prepare 
>> command? I have a third party signed certificate for both my master 
>> and replica server. Am I supposed to provide the PKCS12 file for the 
>> master server or the replica? If it is looking for the master server, 
>> I really don't want the script generating a new certificate for the 
>> replica. I already have one. Any way to by-pass that option?
>
> The PKCS#12 file(s) are for the replica server. If you provide both 
> then IPA will not attempt to generate one.
>
> rob
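
Added example for this thread (not code from the post or from FreeIPA): the
garbage nickname in the traceback, `valicert.com" [E=info at valicert.com,...,
O="ValiCert, Inc.`, is exactly the text between the first and the last double
quote of a `"nickname" [subject]` chain line for the ValiCert root, which is
what a greedy quote-to-quote match produces when an RDN in the subject is
itself quoted. The script below reconstructs that line from the subject in the
error message (the `"nickname" [subject]`, root-first layout of `certutil -O`
output is an assumption about the tool's format; the other subjects are
placeholders), contrasts the greedy extraction with one that stops at the `" [`
separator, parses the `certutil -L` listing shown above to find CA certificates
still holding empty trust flags, and builds the argv for the `-M -t CT,CT,` call
the installer was attempting. It only parses captured output and never runs
certutil itself; the secdir path is the one from the traceback.

```python
"""Parse certutil output the way ipa-replica-install needs to, without
tripping over a quoted RDN such as O="ValiCert, Inc." in a CA subject.
Added example for this thread; not code from FreeIPA or from the poster.
Nothing here runs certutil: it parses captured output only."""
import re

# Constructed sample of `certutil -O -n Server-Cert` chain output
# ("nickname" [subject] per line, root first, leaf most indented; that layout
# is an assumption about certutil's format).  The first line is rebuilt from
# the subject quoted in the error message above; the other subjects are
# placeholders, not the real Go Daddy RDNs.
CHAIN_OUTPUT = (
    '"valicert.com" [E=info@valicert.com,CN=http://www.valicert.com/,'
    'OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc."]\n'
    '\n'
    '  "Go Daddy Class 2 Certification Authority" [O="Placeholder, Inc.",C=US]\n'
    '\n'
    '    "Go Daddy Secure Certification Authority" [O="Placeholder, Inc.",C=US]\n'
    '\n'
    '      "Server-Cert" [CN=replica.example.com,O=EXAMPLE.COM]\n'
)

# Constructed copy of the `certutil -L -d .` listing shown in the post.
LISTING_OUTPUT = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
Go Daddy Secure Certification Authority                      ,,
Go Daddy Class 2 Certification Authority                     ,,
valicert.com                                                 ,,
"""

# Nickname is the quoted token directly followed by ' [', subject is the
# bracketed remainder; the non-greedy group stops at the right quote.
CHAIN_LINE = re.compile(r'^\s*"(.*?)" \[(.*)\]\s*$')
# Nicknames may contain single spaces; the trust column is separated from the
# nickname by a run of two or more spaces and has the form x,y,z.
LISTING_LINE = re.compile(r'^(\S.*?)\s{2,}([pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$')


def root_nickname_greedy(chain_output):
    """Fragile extraction: everything between the first and the LAST double
    quote on the first chain line.  A quoted RDN in the subject drags the
    whole subject into the nickname, reproducing the bad -n argument seen in
    the traceback above."""
    first = chain_output.splitlines()[0]
    return re.match(r'\s*"(.*)"', first).group(1)


def root_nickname(chain_output):
    """Robust extraction of the root nickname (first chain line)."""
    for line in chain_output.splitlines():
        m = CHAIN_LINE.match(line)
        if m:
            return m.group(1)
    raise ValueError("no certificate chain line found in certutil -O output")


def parse_listing(listing_output):
    """Return {nickname: trust_flags} from `certutil -L` output."""
    certs = {}
    for line in listing_output.splitlines():
        m = LISTING_LINE.match(line)
        if m:
            certs[m.group(1)] = m.group(2)
    return certs


def untrusted_cas(certs):
    """Nicknames sitting in the DB with empty trust flags (',,')."""
    return sorted(nick for nick, trust in certs.items() if trust == ",,")


def trust_ca_argv(secdir, nickname, trust="CT,CT,"):
    """argv for the certutil -M call.  As a list (no shell), a nickname with
    quotes or spaces is one argument; the stray quotes in the traceback come
    only from ' '.join(args) when the error message was built."""
    return ["/usr/bin/certutil", "-d", secdir, "-M", "-n", nickname, "-t", trust]


if __name__ == "__main__":
    secdir = "/etc/dirsrv/slapd-REALM-COM/"  # path taken from the traceback
    print("greedy nickname :", root_nickname_greedy(CHAIN_OUTPUT))
    print("correct nickname:", root_nickname(CHAIN_OUTPUT))
    print("CAs with empty trust:", untrusted_cas(parse_listing(LISTING_OUTPUT)))
    print("fix:", " ".join(trust_ca_argv(secdir, root_nickname(CHAIN_OUTPUT))))
```

The manual step this points at is the command the installer was trying to run,
with the nickname corrected: `certutil -d /etc/dirsrv/slapd-REALM-COM/ -M -n
valicert.com -t CT,CT,`, then `certutil -L -d /etc/dirsrv/slapd-REALM-COM/` to
confirm the root now shows `CT,CT,` instead of `,,`. The thread does not show
whether the rest of ipa-replica-install completes after that, so treat it as
the fix for this one step only.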