[Freeipa-users] EXTERNAL: Re: ipa-replica-install errors

Joseph, Matthew (EXP) matthew.joseph at lmco.com
Thu Apr 11 15:13:14 UTC 2013


Hey,

Yes you are correct. For some reason my IPA CA certs were missing.
I've added them back onto both the Server and Client, so now I am back to getting the:
"Replica Data has a different generation ID than the local data"

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com] 
Sent: Thursday, April 11, 2013 10:13 AM
To: Joseph, Matthew (EXP); Jatin Nansi; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors

Joseph, Matthew (EXP) wrote:
> Hey,
>
> Here is the output;
>
> Server-Cert	u,u,u
>
> I am using nss-3-13.3-6
> I am using the IPA CA.

The thing is, the IPA CA isn't there for some reason, on either side.

You should also have something like

EXAMPLE.COM IPA CA   CT,C,C

You might check the working master with something like:

certutil -V -u V -n Server-Cert -d /etc/dirsrv/slapd-REALM

That will validate the cert trust. I'd suspect it will fail.

So you'd need to add the IPA CA.

certutil -A -n 'EXAMPLE.COM IPA CA' -d /etc/dirsrv/slapd-REALM -t CT,C,C -a -i /etc/ipa/ca.crt

This may address the symptom but how you ended up with the CA missing is baffling.

rob

>
> Matt
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com 
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Jatin Nansi
> Sent: Wednesday, April 10, 2013 9:36 PM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
>
> On 04/10/2013 09:55 PM, Joseph, Matthew (EXP) wrote:
>>
>> Hey,
>>
>> I'm still trying to figure out this error but I am getting nothing.
>>
>> Anyone have any suggestions or ideas on why this is failing?
>>
>> Matt
>>
>> *From:*freeipa-users-bounces at redhat.com
>> [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of *Joseph, 
>> Matthew (EXP)
>> *Sent:* Monday, April 08, 2013 12:30 PM
>> *To:* Nathan Kinder
>> *Cc:* freeipa-users at redhat.com
>> *Subject:* Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install 
>> errors
>>
>> Hey,
>>
>>
>> Yup, the client side says the following;
>>
>> Op=-1 fd=64 closed - Peer does not recognize and trust the CA that 
>> issued your certificate.
>>
>> Matt
>>
> Check the version of the nss package on your IPA server. There was a 
> change that went into nss-3.14 that disables support for certificate 
> signatures using the MD5 hash algorithm. To check if you are using MD5 
> certificate signatures, use this command to examine the certificates -
>
> certutil -L -d /etc/dirsrv/slapd-DOMAIN-CA/ -n Server-Cert
>
>
> If this is the case, the workaround is to downgrade the nss package to version 3.13. The fix is to re-issue your certificates using the SHA256 hashes.
>
> Are you using the IPA CA, or are you managing the CA independently of IPA?
>
> --
> Jatin Nansi
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
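The check Rob describes above, as an added example that is not part of the thread: a small POSIX shell script that reads a `certutil -L` listing of the 389-ds NSS database and reports whether any entry carries `C` in the SSL trust slot (the IPA CA that Matt's database was missing), or whether only `u,u,u` leaf entries are present. The listing format assumed is the usual two header lines followed by `nickname  SSL,S/MIME,JAR/XPI` rows; `check_dirsrv_nssdb` wraps the live `certutil -L` and `certutil -V -u V` calls from the thread, and the database path, realm name and `/etc/ipa/ca.crt` location are placeholders to adjust.

```shell
#!/bin/sh
# Added example, not code from the thread: detect the "IPA CA missing from the
# 389-ds NSS database" condition before re-adding the CA with `certutil -A`.
#
# Assumptions: a `certutil -L` listing is two header lines followed by rows of
# "<nickname>   <SSL>,<S/MIME>,<JAR/XPI>"; the SSL slot must contain 'C' for
# 389-ds to treat the entry as a CA when it validates Server-Cert.

# Read a certutil -L listing on stdin; print the nickname of every entry whose
# SSL trust slot contains 'C'. Exit 0 if at least one was found, else 1.
ca_trusted_in_listing() {
    awk '
        /Trust Attributes/ || /SSL,S\/MIME/ || /^[[:space:]]*$/ { next }
        {
            split($NF, slot, ",")       # $NF is the flags column, e.g. "CT,C,C" or "u,u,u"
            if (slot[1] ~ /C/) {
                nick = $0
                sub(/[[:space:]]+[^[:space:]]+[[:space:]]*$/, "", nick)   # strip the flags column
                print nick
                found = 1
            }
        }
        END { exit(found ? 0 : 1) }
    '
}

# Count entries whose trust is exactly "u,u,u" ("has a private key", nothing
# else). A database containing only such rows is what Matt saw.
leaf_only_entries() {
    awk '
        /Trust Attributes/ || /SSL,S\/MIME/ || /^[[:space:]]*$/ { next }
        $NF == "u,u,u" { n++ }
        END { print n + 0 }
    '
}

# Run the check against a live 389-ds NSS database, for example:
#   check_dirsrv_nssdb /etc/dirsrv/slapd-EXAMPLE-COM     (path is a placeholder)
# Prints a diagnosis; when no CA is trusted it also runs the `certutil -V`
# validation from the thread so the failure reason is visible.
check_dirsrv_nssdb() {
    db=$1
    listing=$(certutil -L -d "$db")
    if printf '%s\n' "$listing" | ca_trusted_in_listing >/dev/null; then
        echo "OK: $db has a CA trusted for SSL:"
        printf '%s\n' "$listing" | ca_trusted_in_listing
        return 0
    fi
    echo "MISSING: no CA with 'C' in the SSL trust slot in $db" >&2
    echo "$(printf '%s\n' "$listing" | leaf_only_entries) entry/entries carry only u,u,u" >&2
    certutil -V -u V -n Server-Cert -d "$db" >&2 || true
    echo "Repair: certutil -A -n '<REALM> IPA CA' -d $db -t CT,C,C -a -i /etc/ipa/ca.crt" >&2
    return 1
}
```

Run `check_dirsrv_nssdb` on the master and on the replica; a database where the script reports `MISSING` on either side will produce exactly the "Peer does not recognize and trust the CA that issued your certificate" disconnects quoted earlier in the thread, and re-adding the CA with the `certutil -A` line is the repair.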