[Freeipa-users] ipa-replica install failing
David Christensen
David.Christensen at viveli.com
Wed Sep 30 21:05:11 UTC 2009
Dmitri Pal wrote:
> David Christensen wrote:
>> When I installed my first ipa server I used the self signed ssl cert and
>> soon followed up with a replica. Shortly after installing the replica I
>> attempted to import a wild card CA signed cert and ran into an issue.
>>
>> I discovered (thanks to the helpful folks on the FREEIPA irc) that a
>> regex in /usr/lib/python2.5/site-packages/ipaserver/certs.py for
>> root_nickname was bad. I modified
>> root_nickname = re.match('\ *"(.*)".*', chain[0]).groups()[0]
>> to
>> re.match('\ *"(.*)" \[.*', chain[0]).groups()[0]
>> and was able to import the cert.
>>
>> I had to do the same thing to the replica and replication continued.
>>
>> Now I am trying to create a 3rd replica and have run into what I think
>> is a similar issue. I can export the replica package from the "master"
>> ipa server using the pk12 options; however, the replica install fails.
>>
>> I ran the debug on the replica install and this is where the install
>> fails:
>>
>> root : INFO creation of replica failed: Could not find a CA cert in /tmp/tmplO4Bp3ipa/realm_info/dscert.p12
>> root : DEBUG Could not find a CA cert in /tmp/tmplO4Bp3ipa/realm_info/dscert.p12
>>   File "/usr/sbin/ipa-replica-install", line 294, in <module>
>>     main()
>>
>>   File "/usr/sbin/ipa-replica-install", line 244, in main
>>     ds = install_ds(config)
>>
>>   File "/usr/sbin/ipa-replica-install", line 115, in install_ds
>>     ds.create_instance(config.ds_user, config.realm_name, config.host_name, config.domain_name, config.dirman_password, pkcs12_info)
>>
>>   File "/usr/lib/python2.5/site-packages/ipaserver/dsinstance.py", line 193, in create_instance
>>     self.start_creation("Configuring directory server:")
>>
>>   File "/usr/lib/python2.5/site-packages/ipaserver/service.py", line 139, in start_creation
>>     method()
>>
>>   File "/usr/lib/python2.5/site-packages/ipaserver/dsinstance.py", line 345, in __enable_ssl
>>     ca.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1])
>>
>>   File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 472, in create_from_pkcs12
>>     raise RuntimeError("Could not find a CA cert in %s" % pkcs12_fname)
>>
>>
>> Your system may be partly configured.
>>
>> Is this issue similar to what I experienced with the ssl cert import or
>> is it something entirely different?
>>
>> David
> Are you running latest 1.2.2 FreeIPA on the server?
> Some of the cert issues were addressed in the recently published patch.
> The issue that you see should be addressed by these patches.
>
Never mind the request for the updates, I see they are in the repo now,
must have missed them.
Thanks for pointing it out nonetheless.
David
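The two `root_nickname` patterns quoted in the message, run side by side as an added example (not part of the original post or of FreeIPA's code). The chain lines are constructed, and the `"nickname" [subject]` layout with a quoted value inside the subject is an assumption about the kind of input that trips the greedy original.

```python
import re

# Patterns quoted in the message: the shipped one and the poster's local fix.
ORIGINAL = re.compile(r'\ *"(.*)".*')
PATCHED = re.compile(r'\ *"(.*)" \[.*')

# Constructed chain lines (assumed layout; nicknames and subjects are made up).
PLAIN = '"Example Root CA" [CN=Example Root CA,O=Example,C=US]'
QUOTED = '  "Imported CA" [CN=Example Root CA,O="Example, Inc.",C=US]'
NO_SUBJECT = '"Lonely Nickname"'


def root_nickname(pattern, line):
    """Return the captured nickname, or None when the line does not match.

    The quoted certs.py line calls .groups() on the match directly, so a
    non-matching line raises AttributeError there; None makes that explicit.
    """
    m = pattern.match(line)
    return m.group(1) if m else None


def compare(line):
    """Return (original capture, patched capture) for one chain line."""
    return root_nickname(ORIGINAL, line), root_nickname(PATCHED, line)


if __name__ == "__main__":
    for sample in (PLAIN, QUOTED, NO_SUBJECT):
        old, new = compare(sample)
        print(f"line:     {sample!r}")
        print(f"original: {old!r}")
        print(f"patched:  {new!r}\n")
```

With no quotes in the subject both patterns agree; once the subject contains a quoted value, the greedy `(.*)` in the original runs to the last `"` on the line, while the patched pattern stops at the `" [` boundary.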