[Freeipa-users] ipa-replica-prepare clarification

Rob Crittenden rcritten at redhat.com
Mon Sep 14 15:55:55 UTC 2009


James Roman wrote:
> OK I am still running into a similar problem when installing the replica 
> server. It appears that the problem stems from the chained CA 
> certificates from GoDaddy again. On the replica server, all the certs 
> appear to be installed properly. The script is choking when modifying 
> the trust arguments. It looks like it is grabbing the certificate name 
> from the wrong place again.

This should be fixed in ipa v1.2.2 which is in the Fedora 
updates-testing repo.

rob

> 
> 
>      ipa-replica-install Error:
> 
> NOTE: Take a look at where the quotes are showing up in the "certutil 
> -d" lines.
> 
> root        : DEBUG      [10/17]: configuring ssl for ds instance
>  [10/17]: configuring ssl for ds instance
> root        : DEBUG    Loading Index file from 
> '/var/lib/ipa/sysrestore/sysrestore.index'
> root        : INFO    root        : INFO    root        : INFO     
> pk12util: PKCS12 IMPORT SUCCESSFUL
> 
> root        : INFO    root        : INFO    root        : INFO     
> certutil: could not find certificate named "valicert.com" 
> [E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 
> Policy Validation Authority,O="ValiCert, Inc.": The security card or 
> token does not exist, needs to be initialized, or has been removed.
> 
> creation of replica failed: Command '/usr/bin/certutil -d 
> /etc/dirsrv/slapd-REALM-COM/ -M -n valicert.com" 
> [E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 
> Policy Validation Authority,O="ValiCert, Inc. -t CT,CT,' returned 
> non-zero exit status 255
> root        : DEBUG    Command '/usr/bin/certutil -d 
> /etc/dirsrv/slapd-REALM-COM/ -M -n valicert.com" 
> [E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 
> Policy Validation Authority,O="ValiCert, Inc. -t CT,CT,' returned 
> non-zero exit status 255
>  File "/usr/sbin/ipa-replica-install", line 294, in <module>
>    main()
> 
>  File "/usr/sbin/ipa-replica-install", line 244, in main
>    ds = install_ds(config)
> 
>  File "/usr/sbin/ipa-replica-install", line 115, in install_ds
>    ds.create_instance(config.ds_user, config.realm_name, 
> config.host_name, config.domain_name, config.dirman_password, pkcs12_info)
> 
>  File "/usr/lib/python2.5/site-packages/ipaserver/dsinstance.py", line 
> 193, in create_instance
>    self.start_creation("Configuring directory server:")
> 
>  File "/usr/lib/python2.5/site-packages/ipaserver/service.py", line 139, 
> in start_creation
>    method()
> 
>  File "/usr/lib/python2.5/site-packages/ipaserver/dsinstance.py", line 
> 345, in __enable_ssl
>    ca.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1])
> 
>  File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 403, 
> in create_from_pkcs12
>    self.trust_root_cert(nickname)
> 
>  File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 322, 
> in trust_root_cert
>    "-t", "CT,CT,"])
> 
>  File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 126, 
> in run_certutil
>    return ipautil.run(new_args, stdin)
> 
>  File "/usr/lib/python2.5/site-packages/ipa/ipautil.py", line 97, in run
>    raise CalledProcessError(p.returncode, ' '.join(args))
> 
> 
>      Replica server Cert DB:
> 
> [root at replica slapd-REALM-COM]# certutil -L -d .
> 
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
> 
> Server-Cert                                                  u,u,u
> Go Daddy Secure Certification Authority                      ,,
> Go Daddy Class 2 Certification Authority                     ,,
> valicert.com                                                 ,,
> 
> 
> Rob Crittenden wrote:
>> James Roman wrote:
>>> Can anyone elaborate on the options for the ipa-replica-prepare 
>>> command? I have a third party signed certificate for both my master 
>>> and replica server. Am I supposed to provide the PKCS12 file for the 
>>> master server or the replica? If it is looking for the master server, 
>>> I really don't want the script generating a new certificate for the 
>>> replica. I already have one. Any way to bypass that option?
>>
>> The PKCS#12 file(s) are for the replica server. If you provide both 
>> then IPA will not attempt to generate one.
>>
>> rob
> 
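
The failing command in the log above shows the symptom Rob's reply refers to: the `-n` argument is not the nickname the cert DB lists (`valicert.com`) but a fragment of the certificate subject with its own quotes embedded (`valicert.com" [E=...O="ValiCert, Inc.`), so certutil looks up a nickname that does not exist. The example below is added here and is not FreeIPA code or anything posted in this thread. It shows one way to read nicknames out of a `certutil -L -d` listing by anchoring on the trailing trust-attribute column, so nicknames containing spaces, commas or quotes survive intact, and it builds the `certutil -M` invocation as a list of argv elements instead of a joined command string. The listing is constructed to match the replica cert DB posted above; the certutil path and the DB directory are taken from the log lines.

```python
"""Parse a `certutil -L -d <dbdir>` listing and build a safe certutil -M argv.

Added example, not code from FreeIPA. SAMPLE_LISTING is constructed to look
like the replica cert DB shown in the thread.
"""
import re
import shlex
from typing import List, Tuple

# NSS trust flags are drawn from p, P, c, C, T, u, w; the trust column is
# three comma-separated groups, each possibly empty (",," = no trust set).
_FLAGS = r"[pPcCTuw]*"
TRUST_RE = re.compile(
    r"^(?P<nick>.*?)\s+(?P<trust>" + _FLAGS + "," + _FLAGS + "," + _FLAGS + r")\s*$"
)

# Constructed sample, modelled on the `certutil -L -d .` output in the thread.
SAMPLE_LISTING = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
Go Daddy Secure Certification Authority                      ,,
Go Daddy Class 2 Certification Authority                     ,,
valicert.com                                                 ,,
"""


def parse_certutil_listing(text: str) -> List[Tuple[str, str]]:
    """Return (nickname, trust) pairs. The nickname is everything before the
    final trust column, so commas, spaces and quotes inside it are kept."""
    certs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = TRUST_RE.match(line.rstrip())
        if m is None:
            # Header lines ("Certificate Nickname ...", "SSL,S/MIME,JAR/XPI")
            # carry no trust column and are skipped.
            continue
        certs.append((m.group("nick").strip(), m.group("trust")))
    return certs


def untrusted_ca_nicknames(text: str) -> List[str]:
    """Nicknames whose trust is still ",,": the chain certs a replica install
    would still need to mark trusted."""
    return [nick for nick, trust in parse_certutil_listing(text) if trust == ",,"]


def certutil_trust_argv(dbdir: str, nickname: str, trust: str = "CT,CT,") -> List[str]:
    """Build the argv for marking a CA cert trusted. The nickname is one
    element; no shell is involved, so its quotes and commas need no escaping."""
    return ["/usr/bin/certutil", "-d", dbdir, "-M", "-n", nickname, "-t", trust]


def shell_safe_display(argv: List[str]) -> str:
    """Render argv for a log line so that it can be pasted back into a shell."""
    return " ".join(shlex.quote(a) for a in argv)


def naive_join_roundtrips(argv: List[str]) -> bool:
    """True if ' '.join(argv) survives shell word splitting unchanged. It does
    not when an element contains quotes, which is how the log line in the
    thread ends up misleading."""
    return shlex.split(" ".join(argv)) == argv


def quoted_join_roundtrips(argv: List[str]) -> bool:
    """True if the shlex-quoted rendering splits back into the same argv."""
    return shlex.split(shell_safe_display(argv)) == argv


if __name__ == "__main__":
    dbdir = "/etc/dirsrv/slapd-REALM-COM/"  # path from the thread's log
    for nick in untrusted_ca_nicknames(SAMPLE_LISTING):
        print(shell_safe_display(certutil_trust_argv(dbdir, nick)))
    awkward = certutil_trust_argv(dbdir, 'O="ValiCert, Inc."')
    print("naive join ok:", naive_join_roundtrips(awkward))
    print("quoted join ok:", quoted_join_roundtrips(awkward))
```

Running the block prints one `certutil -M` line per untrusted chain cert, then shows that a nickname carrying its own double quotes only survives a shell round trip when each argv element is quoted individually. The point for an installer is to pass the nickname straight from the parsed listing to `subprocess` as a list element and never re-derive it from a subject DN or a space-joined string.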
