[Freeipa-users] ipa-replica-prepare clarification

Rob Crittenden rcritten at redhat.com
Tue Sep 15 17:33:23 UTC 2009 

James Roman wrote:
> Yes the valicert.com certificate did get installed in the DS cert 
> database and then subsequently failed to install in the web server 
> database. I can't find any output to indicate why it was missed. The 
> answer to your next question is yes, I did specify  the same PKCS12 
> certificate file and pin for the dirsrv and http options when I ran 
> ipa-replica-prepare.
> 
> Now I am getting past the certificate trust failure, but have 
> encountered a whole new set of problems. My Directory server is failing 
> to start with the following error:
> 
> Starting dirsrv:
>    REALM-COM...[15/Sep/2009:09:39:18 -0400] dse - The entry cn=schema in 
> file /etc/dirsrv/slapd-REALM-COM/schema/99user.ldif is invalid, error 
> code 21 (Invalid syntax) - object class nsAIMpresence: Unknown allowed 
> attribute type "nsaimid"
> [15/Sep/2009:09:39:18 -0400] dse - Please edit the file to correct the 
> reported problems and then restart the server.
> 
> I am pretty sure I know why this is happening, I'm just not sure how I 
> want to address it. My Master is a FC9 install, my replica is a FC10 
> install. My master was installed as FC9 due to issues loading FC10 into 
> a Cent 5 Xen VM. Now that I've overcome those, I was hoping that I could 
> go this route to provide a migration path. Perhaps not. This will be 
> subject of a new thread.

I've seen this happen too, it is a bug in 389-DS I think. It doesn't 
happen all the time though, I've worked around it by trying the replica 
installation again.

rob

> 
> Rob Crittenden wrote:
>> James Roman wrote:
>>> I installed the 1.2.2-1 version from the test repo. I get really 
>>> close to the end, but it is still bombing when trying to set the 
>>> trust permissions on the web server cert. For some reason the final 
>>> cert in the chain did not get installed into the /etc/httpd/alias 
>>> directory. All worked fine for the directory server.
>>
>> Strange, Does the valicert.com certificate exist in the DS database?
>>
>> I guess I assumed that if the certificate was in the PKCS#12 file then 
>> it would be loaded by NSS. That doesn't seem to be the case.
>>
>> This patch should help. It will log the failure of setting trust but 
>> will continue. If the certificate is indeed not needed then it 
>> shouldn't hurt anything.
>>
>> diff --git a/ipa-server/ipaserver/certs.py 
>> b/ipa-server/ipaserver/certs.py
>> index 95e6ac7..3782acf 100644
>> --- a/ipa-server/ipaserver/certs.py
>> +++ b/ipa-server/ipaserver/certs.py
>> @@ -386,8 +386,11 @@ class CertDB(object):
>>           if root_nickname[:7] == "Builtin":
>>               logging.debug("No need to add trust for built-in root 
>> CA's, skippi
>>           else:
>> -             self.run_certutil(["-M", "-n", root_nickname,
>> -                                "-t", "CT,CT,"])
>> +             try:
>> +                 self.run_certutil(["-M", "-n", root_nickname,
>> +                                    "-t", "CT,CT,"])
>> +             except ipautil.CalledProcessError, e:
>> +                 logging.error("Setting trust on %s failed" % 
>> root_nickname)
>>
>>      def find_server_certs(self):
>>          p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir,
>>
>> The file to modify on an installed system is 
>> /usr/lib[64]/python*/site-packages/ipaserver/certs.py
>>
>> Let me know if this fixes it for you and I'll see about getting this 
>> committed.
>>
>> rob
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20090915/61cafe0a/attachment.bin>

More information about the Freeipa-users mailing list