[Freeipa-users] ipa-replica-prepare clarification
James Roman
james.roman at ssaihq.com
Tue Sep 15 14:00:29 UTC 2009
Yes the valicert.com certificate did get installed in the DS cert
database and then subsequently failed to install in the web server
database. I can't find any output to indicate why it was missed. The
answer to your next question is yes, I did specify the same PKCS12
certificate file and pin for the dirsrv and http options when I ran
ipa-replica-prepare.
Now I am getting past the certificate trust failure, but have
encountered a whole new set of problems. My Directory server is failing
to start with the following error:
Starting dirsrv:
REALM-COM...[15/Sep/2009:09:39:18 -0400] dse - The entry cn=schema
in file /etc/dirsrv/slapd-REALM-COM/schema/99user.ldif is invalid, error
code 21 (Invalid syntax) - object class nsAIMpresence: Unknown allowed
attribute type "nsaimid"
[15/Sep/2009:09:39:18 -0400] dse - Please edit the file to correct the
reported problems and then restart the server.
I am pretty sure I know why this is happening; I'm just not sure how I
want to address it. My Master is a FC9 install, my replica is a FC10
install. My master was installed as FC9 due to issues loading FC10 into
a Cent 5 Xen VM. Now that I've overcome those, I was hoping that I could
go this route to provide a migration path. Perhaps not. This will be the
subject of a new thread.
Rob Crittenden wrote:
> James Roman wrote:
>> I installed the 1.2.2-1 version from the test repo. I get really
>> close to the end, but it is still bombing when trying to set the
>> trust permissions on the web server cert. For some reason the final
>> cert in the chain did not get installed into the /etc/httpd/alias
>> directory. All worked fine for the directory server.
>
> Strange. Does the valicert.com certificate exist in the DS database?
>
> I guess I assumed that if the certificate was in the PKCS#12 file then
> it would be loaded by NSS. That doesn't seem to be the case.
>
> This patch should help. It will log the failure of setting trust but
> will continue. If the certificate is indeed not needed then it
> shouldn't hurt anything.
>
> diff --git a/ipa-server/ipaserver/certs.py
> b/ipa-server/ipaserver/certs.py
> index 95e6ac7..3782acf 100644
> --- a/ipa-server/ipaserver/certs.py
> +++ b/ipa-server/ipaserver/certs.py
> @@ -386,8 +386,11 @@ class CertDB(object):
> if root_nickname[:7] == "Builtin":
> logging.debug("No need to add trust for built-in root
> CA's, skippi
> else:
> - self.run_certutil(["-M", "-n", root_nickname,
> - "-t", "CT,CT,"])
> + try:
> + self.run_certutil(["-M", "-n", root_nickname,
> + "-t", "CT,CT,"])
> + except ipautil.CalledProcessError, e:
> + logging.error("Setting trust on %s failed" %
> root_nickname)
>
> def find_server_certs(self):
> p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir,
>
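Review bot: the new except clause binds `e` but never uses it, so the log line "Setting trust on %s failed" will not say why `certutil -M` failed, which is exactly the output James says he cannot find; include the exception in the message, e.g. `logging.error("Setting trust on %s failed: %s" % (root_nickname, e))`, so the certutil error text lands in the install log. Catching the error and continuing also means a CA that never made it into the NSS database is left without the CT,CT, trust flags while the install reports success, so the web server ends up with an incomplete chain; checking the nickname first with `certutil -L -d self.secdir -n root_nickname` would separate "not in the database" from other certutil failures and let the installer report the real problem instead of masking it.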
> The file to modify on an installed system is
> /usr/lib[64]/python*/site-packages/ipaserver/certs.py
>
> Let me know if this fixes it for you and I'll see about getting this
> committed.
>
> rob
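As an added illustration of the check discussed above (this is not FreeIPA's certs.py and not code from either poster), the snippet below lists the NSS database first and only sets CT,CT, trust on a root nickname that is actually present, so a CA that was not imported from the PKCS#12 file is reported as missing rather than skipped. The `certutil -L` listing is a constructed sample, and the function and parameter names are the example's own assumptions.

```python
"""Confirm a CA nickname is present in an NSS database before setting trust.

Added example, not FreeIPA's certs.py. It assumes the `certutil -L` listing
format (nickname padded out, trust attributes as the last column) and ships
a constructed listing so it runs without certutil installed.
"""
import subprocess

# Constructed `certutil -L -d <secdir>` output, for illustration only.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
valicert.com CA                                              CT,C,C
Intermediate CA                                              ,,
"""


def parse_listing(text):
    """Return {nickname: trust_attrs} from `certutil -L` output."""
    certs = {}
    for line in text.splitlines():
        line = line.rstrip()
        # Skip the two header lines and blank separators.
        if not line or line.startswith("Certificate Nickname") or line.startswith(" "):
            continue
        # Nicknames may contain spaces; the trust column is the last token.
        nickname, _, trust = line.rpartition(" ")
        certs[nickname.rstrip()] = trust
    return certs


def is_trusted_ca(trust):
    """True if the SSL trust field carries a CA flag (C or T)."""
    ssl_flags = trust.split(",")[0]
    return "C" in ssl_flags or "T" in ssl_flags


def trust_problems(listing, root_nicknames):
    """Map each non-builtin root that is absent or untrusted to its problem."""
    certs = parse_listing(listing)
    problems = {}
    for nick in root_nicknames:
        if nick.startswith("Builtin"):
            continue  # built-in roots already carry trust, as certs.py assumes
        if nick not in certs:
            problems[nick] = "missing"
        elif not is_trusted_ca(certs[nick]):
            problems[nick] = "untrusted"
    return problems


def ensure_ca_trust(secdir, root_nickname, run=None):
    """Set CT,CT, trust on root_nickname after confirming it is in secdir.

    `run(args)` returns the command's stdout as str; the default shells out
    to certutil. Raises LookupError when the CA is not in the database, so a
    missing chain member is reported instead of silently left untrusted.
    """
    if run is None:
        def run(args):
            return subprocess.run(args, check=True, capture_output=True,
                                  text=True).stdout
    if root_nickname.startswith("Builtin"):
        return "builtin"
    certs = parse_listing(run(["certutil", "-L", "-d", secdir]))
    if root_nickname not in certs:
        raise LookupError(
            "%s not found in %s; import it (pk12util -i / certutil -A) "
            "before setting trust" % (root_nickname, secdir))
    if is_trusted_ca(certs[root_nickname]):
        return "already-trusted"
    run(["certutil", "-M", "-d", secdir, "-n", root_nickname, "-t", "CT,CT,"])
    return "trusted"


if __name__ == "__main__":
    roots = ["valicert.com CA", "Intermediate CA", "Builtin Object Token:X"]
    print(trust_problems(SAMPLE_LISTING, roots))
```

With the real `run`, pass the httpd database as `secdir` (the thread's `/etc/httpd/alias`) and the same root nickname the installer derived from the PKCS#12 chain; a LookupError then points straight at the certificate that pk12util never imported, instead of a bare "setting trust failed".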