[Freeipa-users] ipa-replica-prepare failed

James James jreg2k at gmail.com
Mon Feb 11 22:36:32 UTC 2013


Thank you Rob. My replica is working now.

:)


2013/2/10 Rob Crittenden <rcritten at redhat.com>

> James James wrote:
>
>> Maybe I am stupid or tired (or both ..) but I have tried many things to
>> include the ca cert, the ipa key and pem file in a single pkcs12 file
>> but I am still stuck.
>>
>> Can you give me a more detailed help?
>>
>
> Well, this is one of the reasons we're deprecating this feature, because
> it hasn't been well-tested since v1 and is ridden with corner cases.
>
> I think the only solution is going to be to make direct code changes to the
> IPA python scripts to match what your PKCS#12 files contain. If it is
> signed by a root CA then chances are if you simply skip the step where the
> CA is loaded and trusted then things may just work.
>
> It is failing in ipaserver/install/certs.p12 in the call to
> find_root_cert_from_pkcs12(). Either it is simply an issue of our
> identifying the CA or one isn't being loaded at all.
>
> You can do: certutil -L -d /etc/dirsrv/slapd-YOUR_REALM to list the
> certificates that were loaded. It may be that the CA was loaded but we
> aren't detecting the nickname, in which case you could simply hardcode it
> into the python file for a workaround, something like:
>
> ca_names = ['CA nickname']
>
> rob
>
>>
>>
>> 2013/2/8 Rob Crittenden <rcritten at redhat.com>
>>
>>     James James wrote:
>>
>>         OK .. but I have to put the pkcs12 file in /etc/pki/nssdb?
>>
>>
>>     No. The PKCS#12 file that contains your server private key and cert
>>     needs to also contain the CA that signed it.
>>
>>     rob
>>
>>
>>
>>         2013/2/8 Rob Crittenden <rcritten at redhat.com>
>>
>>
>>              James James wrote:
>>
>>                  Now on the replica server I've got this error:
>>                  Run connection check to master
>>                  Connection check OK
>>                  Configuring ntpd
>>                      [1/4]: stopping ntpd
>>                      [2/4]: writing configuration
>>                      [3/4]: configuring ntpd to start on boot
>>                      [4/4]: starting ntpd
>>                  done configuring ntpd.
>>                  Configuring directory server: Estimated time 1 minute
>>                      [1/30]: creating directory server user
>>                      [2/30]: creating directory server instance
>>                      [3/30]: adding default schema
>>                      [4/30]: enabling memberof plugin
>>                      [5/30]: enabling referential integrity plugin
>>                      [6/30]: enabling winsync plugin
>>                      [7/30]: configuring replication version plugin
>>                      [8/30]: enabling IPA enrollment plugin
>>                      [9/30]: enabling ldapi
>>                      [10/30]: configuring uniqueness plugin
>>                      [11/30]: configuring uuid plugin
>>                      [12/30]: configuring modrdn plugin
>>                      [13/30]: enabling entryUSN plugin
>>                      [14/30]: configuring lockout plugin
>>                      [15/30]: creating indices
>>                      [16/30]: configuring ssl for ds instance
>>                  creation of replica failed: Could not find a CA cert in
>>                  /tmp/tmp21VpT8ipa/realm_info/dscert.p12
>>
>>
>>
>>                  Your system may be partly configured.
>>                  Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>>
>>                  Where do I have to put the CA certificate?
>>
>>
>>              It needs to be in the PKCS#12 file.
>>
>>              rob
>>
>>
>>
>>
>>
>
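A pre-flight check for the condition Rob describes above (the PKCS#12 handed to ipa-replica-prepare must bundle the CA that signed the server certificate), written as an added example rather than code from FreeIPA or from this thread. It assumes only the openssl command-line tool; the demo fixture's file names, subject names and the password `secret` are constructed for the example.

```shell
#!/bin/sh
# Added example (not FreeIPA code): verify that a PKCS#12 bundle carries the
# CA that signed the server certificate before running ipa-replica-prepare.

# p12_has_signing_ca BUNDLE PASSWORD
# Returns 0 when a CA certificate bundled in BUNDLE verifies the server
# certificate, 1 otherwise (no CA bundled, wrong CA, or unreadable bundle).
p12_has_signing_ca() {
    bundle=$1; pass=$2
    work=$(mktemp -d) || return 1
    # -clcerts: the certificate tied to the private key; -cacerts: the rest.
    openssl pkcs12 -in "$bundle" -nokeys -clcerts -passin "pass:$pass" \
        -out "$work/leaf.pem" 2>/dev/null || { rm -rf "$work"; return 1; }
    openssl pkcs12 -in "$bundle" -nokeys -cacerts -passin "pass:$pass" \
        -out "$work/cas.pem" 2>/dev/null || { rm -rf "$work"; return 1; }
    if ! grep -q 'BEGIN CERTIFICATE' "$work/cas.pem"; then
        rm -rf "$work"; return 1        # no CA certificate bundled at all
    fi
    # Trust only the bundled CAs, never the system store, and accept a chain
    # ending at any of them so an intermediate CA also satisfies the check.
    openssl verify -no-CAfile -no-CApath -partial_chain \
        -trusted "$work/cas.pem" "$work/leaf.pem" >/dev/null 2>&1
    rc=$?
    rm -rf "$work"
    return $rc
}

# make_demo_bundles DIR: constructed fixture, a throwaway CA and a server
# certificate it signs, exported as DIR/with_ca.p12 (CA included, what
# ipa-replica-prepare needs) and DIR/without_ca.p12 (the failing case).
make_demo_bundles() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=Demo-CA \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=replica.example.test \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/srv.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/srv.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$dir/srv.key" -in "$dir/srv.crt" \
        -certfile "$dir/ca.crt" -name Server-Cert -passout pass:secret \
        -out "$dir/with_ca.p12"
    openssl pkcs12 -export -inkey "$dir/srv.key" -in "$dir/srv.crt" \
        -name Server-Cert -passout pass:secret -out "$dir/without_ca.p12"
}
```

Source the file, run `make_demo_bundles /tmp/demo`, then `p12_has_signing_ca /tmp/demo/without_ca.p12 secret; echo $?` prints 1 for the bundle that reproduces the "Could not find a CA cert" failure and 0 for `with_ca.p12`.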