[Freeipa-users] ipa-replica-prepare clarification
Rob Crittenden
rcritten at redhat.com
Mon Sep 14 15:55:55 UTC 2009
James Roman wrote:
> OK I am still running into a similar problem when installing the replica
> server. It appears that the problem stems from the chained CA
> certificates from GoDaddy again. On the replica server, all the certs
> appear to be installed properly. The script is choking when modifying
> the trust arguments. It looks like it is grabbing the certificate name
> from the wrong place again.
This should be fixed in ipa v1.2.2 which is in the Fedora
updates-testing repo.
rob
>
>
> ipa-replica-install Error:
>
> NOTE: Take a look at where the quotes are showing up in the "certutil
> -d" lines.
>
> root : DEBUG [10/17]: configuring ssl for ds instance
> [10/17]: configuring ssl for ds instance
> root : DEBUG Loading Index file from
> '/var/lib/ipa/sysrestore/sysrestore.index'
> root : INFO root : INFO root : INFO
> pk12util: PKCS12 IMPORT SUCCESSFUL
>
> root : INFO root : INFO root : INFO
> certutil: could not find certificate named "valicert.com"
> [E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2
> Policy Validation Authority,O="ValiCert, Inc.": The security card or
> token does not exist, needs to be initialized, or has been removed.
>
> creation of replica failed: Command '/usr/bin/certutil -d
> /etc/dirsrv/slapd-REALM-COM/ -M -n valicert.com"
> [E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2
> Policy Validation Authority,O="ValiCert, Inc. -t CT,CT,' returned
> non-zero exit status 255
> root : DEBUG Command '/usr/bin/certutil -d
> /etc/dirsrv/slapd-REALM-COM/ -M -n valicert.com"
> [E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2
> Policy Validation Authority,O="ValiCert, Inc. -t CT,CT,' returned
> non-zero exit status 255
> File "/usr/sbin/ipa-replica-install", line 294, in <module>
> main()
>
> File "/usr/sbin/ipa-replica-install", line 244, in main
> ds = install_ds(config)
>
> File "/usr/sbin/ipa-replica-install", line 115, in install_ds
> ds.create_instance(config.ds_user, config.realm_name,
> config.host_name, config.domain_name, config.dirman_password, pkcs12_info)
>
> File "/usr/lib/python2.5/site-packages/ipaserver/dsinstance.py", line
> 193, in create_instance
> self.start_creation("Configuring directory server:")
>
> File "/usr/lib/python2.5/site-packages/ipaserver/service.py", line 139,
> in start_creation
> method()
>
> File "/usr/lib/python2.5/site-packages/ipaserver/dsinstance.py", line
> 345, in __enable_ssl
> ca.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1])
>
> File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 403,
> in create_from_pkcs12
> self.trust_root_cert(nickname)
>
> File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 322,
> in trust_root_cert
> "-t", "CT,CT,"])
>
> File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 126,
> in run_certutil
> return ipautil.run(new_args, stdin)
>
> File "/usr/lib/python2.5/site-packages/ipa/ipautil.py", line 97, in run
> raise CalledProcessError(p.returncode, ' '.join(args))
>
>
> Replica server Cert DB:
>
> [root at replica slapd-REALM-COM]# certutil -L -d .
>
> Certificate Nickname                              Trust Attributes
>                                                   SSL,S/MIME,JAR/XPI
>
> Server-Cert                                       u,u,u
> Go Daddy Secure Certification Authority           ,,
> Go Daddy Class 2 Certification Authority          ,,
> valicert.com                                      ,,
>
>
> Rob Crittenden wrote:
>> James Roman wrote:
>>> Can anyone elaborate on the options for the ipa-replica-prepare
>>> command? I have a third party signed certificate for both my master
>>> and replica server. Am I supposed to provide the PKCS12 file for the
>>> master server or the replica? If it is looking for the master server,
>>> I really don't want the script generating a new certificate for the
>>> replica. I already have one. Any way to by-pass that option?
>>
>> The PKCS#12 file(s) are for the replica server. If you provide both
>> then IPA will not attempt to generate one.
>>
>> rob
>
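The failing `certutil -M` call above was built from a nickname that does not exist in the replica's cert DB. As an added illustration (not IPA's own certs.py code), the Python below parses a `certutil -L` listing and refuses to build the trust-modification command for any nickname that is not actually listed; the sample listing is constructed after the one quoted in the thread, and the function names are my own.

```python
import re

# Constructed sample of `certutil -L -d <dbdir>` output, modelled on the
# replica cert DB listing quoted in the thread (not captured from a system).
SAMPLE_LISTING = """\

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
Go Daddy Secure Certification Authority                      ,,
Go Daddy Class 2 Certification Authority                     ,,
valicert.com                                                 ,,
"""

# A trust column is three comma-separated groups of NSS trust flags, each
# possibly empty ("u,u,u", "CT,CT,", ",,"). Nicknames may contain spaces,
# so the trust column is matched from the right and the rest is the nickname.
_ENTRY_RE = re.compile(
    r"^(?P<nick>.*?)\s+(?P<trust>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$"
)


def parse_certutil_listing(text):
    """Return {nickname: trust attributes} from `certutil -L` output."""
    certs = {}
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if m and m.group("nick").strip():
            certs[m.group("nick").strip()] = m.group("trust")
    return certs


def is_known_nickname(nickname, listing_text):
    """True if the exact nickname is present in the cert DB listing."""
    return nickname in parse_certutil_listing(listing_text)


def trust_root_cert_args(dbdir, nickname, listing_text, flags="CT,CT,"):
    """Build the argv for `certutil -M` marking a CA as trusted.

    The nickname is checked against the database first, so a value that was
    cut out of a subject DN (quotes and all) fails here with a clear message
    instead of as certutil exit status 255. Passing argv as a list, with no
    shell, keeps quotes and commas inside a nickname from being reparsed.
    """
    if not is_known_nickname(nickname, listing_text):
        known = sorted(parse_certutil_listing(listing_text))
        raise KeyError(f"nickname {nickname!r} not in cert DB; have {known}")
    return ["/usr/bin/certutil", "-d", dbdir, "-M", "-n", nickname, "-t", flags]
```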