[Freeipa-users] ipa-replica install failing

David Christensen David.Christensen at viveli.com
Wed Sep 30 20:58:35 UTC 2009


Dmitri Pal wrote:
> David Christensen wrote:
>> When I installed my first ipa server I used the self signed ssl cert and
>> soon followed up with a replica.  Shortly after installing the replica I
>> attempted to import a wild card CA signed cert and ran into an issue.
>>
>> I discovered (thanks to the helpful folks on the FREEIPA irc) that a
>> regex in /usr/lib/python2.5/site-packages/ipaserver/certs.py for
>> root_nickname was bad.  I modified root_nickname = re.match('\
>> *"(.*)".*', chain[0]).groups()[0] to re.match('\ *"(.*)" \[.*',
>> chain[0]).groups()[0] and was able to import the cert.
>>
>> I had to do the same thing to the replica and replication continued.
>>
>> Now I am trying to create a 3rd replica and have run into what I think
>> is a similar issue.  I can export the replica package from the "master"
>> ipa server using the pk12 options however the replica install fails.
>>
>> I ran the debug on the replica install and this is where the install
>> fails:
>>
>> root        : INFO
>> creation of replica failed: Could not find a CA cert in
>> /tmp/tmplO4Bp3ipa/realm_info/dscert.p12
>> root        : DEBUG    Could not find a CA cert in
>> /tmp/tmplO4Bp3ipa/realm_info/dscert.p12
>>   File "/usr/sbin/ipa-replica-install", line 294, in <module>
>>     main()
>>
>>   File "/usr/sbin/ipa-replica-install", line 244, in main
>>     ds = install_ds(config)
>>
>>   File "/usr/sbin/ipa-replica-install", line 115, in install_ds
>>     ds.create_instance(config.ds_user, config.realm_name,
>> config.host_name, config.domain_name, config.dirman_password, pkcs12_info)
>>
>>   File "/usr/lib/python2.5/site-packages/ipaserver/dsinstance.py", line
>> 193, in create_instance
>>     self.start_creation("Configuring directory server:")
>>
>>   File "/usr/lib/python2.5/site-packages/ipaserver/service.py", line
>> 139, in start_creation
>>     method()
>>
>>   File "/usr/lib/python2.5/site-packages/ipaserver/dsinstance.py", line
>> 345, in __enable_ssl
>>     ca.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1])
>>
>>   File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 472,
>> in create_from_pkcs12
>>     raise RuntimeError("Could not find a CA cert in %s" % pkcs12_fname)
>>
>>
>> Your system may be partly configured.
>>
>> Is this issue similar to what I experienced with the ssl cert import or
>> is it something entirely different?
>>
>> David
> Are you running latest 1.2.2 FreeIPA on the server?
> Some of the cert issues were addressed in the recently published patch.
> The issue that you see should be addressed by these patches.
>
I am running 1.2.1-2 on FC10 from the repos.

So looks like I am not running the latest.

Must have missed the patches.  Are there any release notes and where do
I need to grab them?

David
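
Added example, not part of the original message and not FreeIPA's own code: it runs the two root_nickname patterns quoted above against constructed chain lines to show how they can differ. The sample lines, the helper names, and the assumption that a subject may contain a quoted value are illustrative; the thread does not say which input triggered the failure.

```python
import re

# The two patterns quoted in the message: the original, then the poster's edit.
OLD_PATTERN = re.compile(r'\ *"(.*)".*')
NEW_PATTERN = re.compile(r'\ *"(.*)" \[.*')

# Constructed sample lines (assumption): a quoted nickname followed by the
# subject in square brackets. The first subject contains a quoted value.
SAMPLE_CHAIN = [
    '"Example Root CA" [CN=Example Root CA,O="Example Trust, Inc.",C=US]',
    '  "Example Issuing CA" [CN=Example Issuing CA,O=Example Trust,C=US]',
    '    "*.example.test" [CN=*.example.test,O=Example Org,C=US]',
]


def root_nickname(chain, pattern):
    """Return the nickname on the first chain line, or None if it does not match.

    Returning None avoids the AttributeError that .groups() raises when
    re.match() finds nothing.
    """
    if not chain:
        return None
    match = pattern.match(chain[0])
    return match.group(1) if match else None


def compare(chain):
    """Extract the root nickname with both patterns for side-by-side review."""
    return {
        "old": root_nickname(chain, OLD_PATTERN),
        "new": root_nickname(chain, NEW_PATTERN),
    }


if __name__ == "__main__":
    # Greedy (.*) in the old pattern runs to the last double quote on the line,
    # so a quoted value in the subject is swallowed into the nickname.
    for label, value in compare(SAMPLE_CHAIN).items():
        print(f"{label}: {value!r}")
```

With the old pattern the extracted nickname includes part of the subject, so a later lookup by that nickname would not find the CA certificate; anchoring on `" [` keeps the capture to the nickname itself.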