[Freeipa-users] CA cert issues
Orion Poplawski
orion at cora.nwra.com
Thu Jan 17 16:25:06 UTC 2013
On 01/16/2013 06:50 PM, Rob Crittenden wrote:
>
> We really need to put a big fat warning on this too: there be dragons.
>
> It is really meant for v1 servers where we didn't have a full CA. The CA is
> really integrated into IPA v2+ such that replacing certs is going to cause
> some amount of grief (as you've seen).
>
> I didn't think we blew away the existing NSS database using the tool, though
> it certainly sounds like we are.
>
> What you're missing is the ipaCert in /etc/httpd/alias. This is used to
> authenticate to dogtag. Can you poke around in /etc/httpd to see if a backup
> was made, or use certutil to get a list of the nicknames in there?
>
> I'm guessing it is trying to issue an SSL cert for the CA 389-ds instance.
> There are no cli options for providing that. Even if you did manage to get a
> prepared file you'd likely run into a whole new batch of install problems.
>
> Sorry about that. We really need to decide whether this tool is worth
> supporting at all and fix it (or make it safer) or simply do away with it.
> Right now it's just a really sharp tool waiting to cut someone.
>
> rob
Well, it looks like it moved all of the existing files in /etc/httpd/alias to
.orig extensions. I moved those over to an alias.orig directory and imported
the ipaCert key. That allowed ipa-replica-prepare to run.
Preparing replica for ipapub.cora.nwra.com from ipa.cora.nwra.com
Copying SSL certificate for the Directory Server from STAR_cora_nwra_com.p12
Creating SSL certificate for the dogtag Directory Server
Copying SSL certificate for the Web Server from STAR_cora_nwra_com.p12
Copying additional files
Finalizing configuration
Packaging replica information into
/var/lib/ipa/replica-info-ipapub.cora.nwra.com.gpg
But then on ipa-replica-install, problems as predicted:
ipa-replica-install --setup-ca /var/lib/ipa/replica-info-ipapub.cora.nwra.com.gpg
...
[16/30]: configuring ssl for ds instance
creation of replica failed: Could not find a CA cert in
/tmp/tmpPAtailipa/realm_info/dscert.p12
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder Office FAX: 303-415-9702
3380 Mitchell Lane orion at nwra.com
Boulder, CO 80301 http://www.nwra.com
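As an added example (not code from the thread or from FreeIPA), a small Python preflight that parses `certutil -L` output for /etc/httpd/alias the way Rob suggests and reports which of the nicknames the replica tooling depends on are missing. The sample listing is constructed to mirror the situation in the thread (ipaCert moved aside); the expected nicknames (ipaCert, Server-Cert, a CA with the 'C' SSL trust flag) are taken from the discussion.

```python
import re
import subprocess

# Constructed sample of `certutil -L -d /etc/httpd/alias` output for a server
# whose ipaCert was moved aside, as in the thread. Not real output.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
Server-Cert                                                  u,u,u
"""

# A cert line ends in three comma-separated NSS trust flag groups, e.g. "CT,C,C"
# or "u,u,u"; header lines and blank lines do not match this shape.
_CERT_LINE = re.compile(r"^(?P<nick>\S.*?)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


def parse_certutil_listing(text):
    """Return {nickname: trust_flags} parsed from `certutil -L` output."""
    certs = {}
    for line in text.splitlines():
        m = _CERT_LINE.match(line)
        if m:
            certs[m.group("nick").strip()] = m.group("trust")
    return certs


def list_nss_certs(dbdir="/etc/httpd/alias"):
    """Run certutil against a live NSS database (requires nss-tools installed)."""
    out = subprocess.run(["certutil", "-L", "-d", dbdir],
                         check=True, capture_output=True, text=True).stdout
    return parse_certutil_listing(out)


def check_ipa_httpd_nssdb(certs):
    """List what ipa-replica-prepare would find missing in /etc/httpd/alias."""
    problems = []
    if "ipaCert" not in certs:
        problems.append("ipaCert missing (used to authenticate to dogtag)")
    elif "u" not in certs["ipaCert"].split(",")[0]:
        problems.append("ipaCert present but has no private key ('u' flag)")
    if "Server-Cert" not in certs:
        problems.append("Server-Cert missing (Apache SSL certificate)")
    # Some cert must carry the 'C' flag, i.e. be trusted as a CA for SSL.
    if not any("C" in flags.split(",")[0] for flags in certs.values()):
        problems.append("no certificate trusted as an SSL CA ('C' flag)")
    return problems


if __name__ == "__main__":
    for problem in check_ipa_httpd_nssdb(parse_certutil_listing(SAMPLE_LISTING)):
        print("WARN:", problem)
```

Replace `SAMPLE_LISTING` with `list_nss_certs()` to check a real database before running ipa-replica-prepare.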