[Freeipa-users] ipa-replica-prepare failed

James James jreg2k at gmail.com
Fri Feb 8 20:21:54 UTC 2013


Now on the replica server I've got this error:
Run connection check to master
Connection check OK
Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server: Estimated time 1 minute
  [1/30]: creating directory server user
  [2/30]: creating directory server instance
  [3/30]: adding default schema
  [4/30]: enabling memberof plugin
  [5/30]: enabling referential integrity plugin
  [6/30]: enabling winsync plugin
  [7/30]: configuring replication version plugin
  [8/30]: enabling IPA enrollment plugin
  [9/30]: enabling ldapi
  [10/30]: configuring uniqueness plugin
  [11/30]: configuring uuid plugin
  [12/30]: configuring modrdn plugin
  [13/30]: enabling entryUSN plugin
  [14/30]: configuring lockout plugin
  [15/30]: creating indices
  [16/30]: configuring ssl for ds instance
creation of replica failed: Could not find a CA cert in
/tmp/tmp21VpT8ipa/realm_info/dscert.p12

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.


Where do I have to put the CA certificate?

Regards (again)


2013/2/8 Rob Crittenden <rcritten at redhat.com>

> James James wrote:
>
>> I had to set the --dirsrv_pkcs12, --dirsrv_pin, --http_pkcs12,
>> --http_pin and the ipa-replica-prepare command runs without failure.
>>
>> Thanks for your help.
>>
>
> Yes, this is what I was going to suggest. Using ipa-server-certinstall
> replace the IPA CA with an external one.
>
> I should note that we're deprecating this tool and do not recommend that
> it be used. We instead suggest that if you need certificates from an
> external CA you get the IPA CA signed as a subordinate.
>
> rob
>
>
>>
>> 2013/2/8 James James <jreg2k at gmail.com>
>>
>>
>>     My ipa version is ipa-server-2.2.0-17.el6_3.1.x86_64 and the distro
>>     is Scientific Linux 6.3.  I have used ipa-server-certinstall to
>>     replace the default IPA certs.
>>
>>
>>
>>
>>     2013/2/8 Rob Crittenden <rcritten at redhat.com>
>>
>>
>>         James James wrote:
>>
>>             Hi,
>>             today I wanted to install an ipa replica. When I used the
>>             ipa-replica-prepare command, I got this error:
>>
>>             [root at ipa ~]# ipa-replica-prepare ipa2-example.com
>>
>>
>>             Directory Manager (existing master) password:
>>
>>             Preparing replica for ipa-EXAMPLE.COM from ipa.EXAMPLE.COM
>>
>>             Creating SSL certificate for the Directory Server
>>             certutil: could not find certificate named "CN=EXAMPLE.COM
>>             Certificate Authority": security library: bad database.
>>
>>             certutil: unable to create cert (security library: bad
>>             database.)
>>             preparation of replica failed: Command '/usr/bin/certutil -d
>>             /tmp/tmpoUpN72ipa/realm_info -A -n Server-Cert -t u,u,u -i
>>             /var/lib/ipa/ipa-6qKbha/tmpcert.der -f
>>             /tmp/tmpoUpN72ipa/realm_info/pwdfile.txt' returned
>>             non-zero exit status 255
>>             Command '/usr/bin/certutil -d /tmp/tmpoUpN72ipa/realm_info -A -n
>>             Server-Cert -t u,u,u -i /var/lib/ipa/ipa-6qKbha/tmpcert.der -f
>>             /tmp/tmpoUpN72ipa/realm_info/pwdfile.txt' returned
>>             non-zero exit status 255
>>                 File "/usr/sbin/ipa-replica-prepare", line 459, in <module>
>>                   main()
>>                 File "/usr/sbin/ipa-replica-prepare", line 345, in main
>>                   export_certdb(api.env.realm, ds_dir, dir,
>>             passwd_fname, "dscert",
>>             replica_fqdn, subject_base)
>>                 File "/usr/sbin/ipa-replica-prepare", line 143, in export_certdb
>>                   raise e
>>
>>
>>             I have a certificate generated by a custom certificate
>>             authority in the
>>             ipa server.
>>
>>
>>         Need more information on your installation. What version of IPA,
>>         what distro?
>>
>>         Did you use ipa-server-certinstall to replace the default IPA
>>         certs?
>>
>>         rob
>>
>>
>>
>>
>
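
A way to check whether a PKCS#12 file such as the dscert.p12 named in the error above carries a CA certificate alongside the server certificate. This is an added example, not part of the thread and not FreeIPA's own check: the helper name p12_ca_subjects is hypothetical, it relies on the openssl command-line tool, and it assumes a "CA cert" is one whose basicConstraints extension says CA:TRUE.

```bash
#!/usr/bin/env bash
# Added example (not FreeIPA code). p12_ca_subjects is a hypothetical helper.
# Prints the subject of every CA certificate found in a PKCS#12 file.
# Returns 0 if at least one exists, 1 if none, 2 if the file cannot be read.
# Assumption: a "CA cert" is one whose basicConstraints says CA:TRUE.
p12_ca_subjects() {
    local p12="$1" pinfile="$2" tmp c found=1
    tmp=$(mktemp -d) || return 2
    # Export all certificates (never the private key) as concatenated PEM.
    if ! openssl pkcs12 -in "$p12" -passin "file:$pinfile" -nokeys \
            -out "$tmp/all.pem" 2>/dev/null; then
        rm -rf "$tmp"
        return 2
    fi
    # Split the bundle into one file per certificate.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/cert" n ".pem") }' "$tmp/all.pem"
    for c in "$tmp"/cert*.pem; do
        [ -e "$c" ] || continue
        # Report only certificates marked as a CA.
        if openssl x509 -in "$c" -noout -text | grep -q 'CA:TRUE'; then
            openssl x509 -in "$c" -noout -subject
            found=0
        fi
    done
    rm -rf "$tmp"
    return "$found"
}

# Stand-alone use: script.sh dscert.p12 pinfile
if [ "$#" -ge 2 ]; then
    p12_ca_subjects "$1" "$2"
fi
```

A return status of 1 means the bundle holds only leaf certificates, so the issuing CA certificate would have to be included when the PKCS#12 file is exported.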