[Freeipa-users] ipa-replica-prepare failed
James James
jreg2k at gmail.com
Fri Feb 8 20:21:54 UTC 2013
Now on the replica server I've got this error:
Run connection check to master
Connection check OK
Configuring ntpd
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
done configuring ntpd.
Configuring directory server: Estimated time 1 minute
[1/30]: creating directory server user
[2/30]: creating directory server instance
[3/30]: adding default schema
[4/30]: enabling memberof plugin
[5/30]: enabling referential integrity plugin
[6/30]: enabling winsync plugin
[7/30]: configuring replication version plugin
[8/30]: enabling IPA enrollment plugin
[9/30]: enabling ldapi
[10/30]: configuring uniqueness plugin
[11/30]: configuring uuid plugin
[12/30]: configuring modrdn plugin
[13/30]: enabling entryUSN plugin
[14/30]: configuring lockout plugin
[15/30]: creating indices
[16/30]: configuring ssl for ds instance
creation of replica failed: Could not find a CA cert in
/tmp/tmp21VpT8ipa/realm_info/dscert.p12
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Where do I have to put the CA certificate?
Regards (again)
2013/2/8 Rob Crittenden <rcritten at redhat.com>
> James James wrote:
>
>> I had to set the --dirsrv_pkcs12, --dirsrv_pin, --http_pkcs12,
>> --http_pin and the ipa-replica-prepare command runs without failure.
>>
>> Thanks for your help.
>>
>
> Yes, this is what I was going to suggest. Using ipa-server-certinstall
> replace the IPA CA with an external one.
>
> I should note that we're deprecating this tool and do not recommend that
> it be used. We instead suggest that if you need certificates from an
> external CA you get the IPA CA signed as a subordinate.
>
> rob
>
>
>>
>> 2013/2/8 James James <jreg2k at gmail.com>
>>
>>
>> My ipa version is ipa-server-2.2.0-17.el6_3.1.x86_64 and the distro
>> is Scientific Linux 6.3. I have used ipa-server-certinstall to
>> replace the default IPA certs.
>>
>>
>>
>>
>> 2013/2/8 Rob Crittenden <rcritten at redhat.com>
>>
>>
>> James James wrote:
>>
>> Hi,
>> today I wanted to install an ipa replica. When I used the
>> ipa-replica-prepare command, I got this error:
>>
>> [root at ipa ~]# ipa-replica-prepare ipa2-example.com
>>
>>
>> Directory Manager (existing master) password:
>>
>> Preparing replica for ipa-EXAMPLE.COM from ipa.EXAMPLE.COM
>>
>> Creating SSL certificate for the Directory Server
>> certutil: could not find certificate named "CN=EXAMPLE.COM
>> Certificate Authority": security library: bad database.
>>
>> certutil: unable to create cert (security library: bad
>> database.)
>> preparation of replica failed: Command '/usr/bin/certutil -d
>> /tmp/tmpoUpN72ipa/realm_info -A -n Server-Cert -t u,u,u -i
>> /var/lib/ipa/ipa-6qKbha/tmpcert.der -f
>> /tmp/tmpoUpN72ipa/realm_info/pwdfile.txt' returned
>> non-zero exit status 255
>> Command '/usr/bin/certutil -d /tmp/tmpoUpN72ipa/realm_info -A
>> -n Server-Cert -t u,u,u -i /var/lib/ipa/ipa-6qKbha/tmpcert.der
>> -f /tmp/tmpoUpN72ipa/realm_info/pwdfile.txt' returned
>> non-zero exit status 255
>> File "/usr/sbin/ipa-replica-prepare", line 459, in <module>
>> main()
>> File "/usr/sbin/ipa-replica-prepare", line 345, in main
>> export_certdb(api.env.realm, ds_dir, dir,
>> passwd_fname, "dscert",
>> replica_fqdn, subject_base)
>> File "/usr/sbin/ipa-replica-prepare", line 143, in export_certdb
>> raise e
>>
>>
>>
>> I have a certificate generated by a custom certificate
>> authority in the
>> ipa server.
>>
>>
>> Need more information on your installation. What version of IPA,
>> what distro?
>>
>> Did you use ipa-server-certinstall to replace the default IPA
>> certs?
>>
>> rob
>>
>>
>>
>>
>