[Freeipa-users] CA cert issues

Orion Poplawski orion at cora.nwra.com
Thu Jan 17 16:25:06 UTC 2013


On 01/16/2013 06:50 PM, Rob Crittenden wrote:
>
> We really need to put a big fat warning on this too: there be dragons.
>
> It is really meant for v1 servers where we didn't have a full CA. The CA is
> really integrated into IPA v2+ such that replacing certs is going to cause
> some amount of grief (as you've seen).
>
> I didn't think we blew away the existing NSS database using the tool, though
> it certainly sounds like we are.
>
> What you're missing is the ipaCert in /etc/httpd/alias. This is used to
> authenticate to dogtag. Can you poke around in /etc/httpd to see if a backup
> was made, or use certutil to get a list of the nicknames in there?
>
> I'm guessing it is trying to issue an SSL cert for the CA 389-ds instance.
> There are no cli options for providing that. Even if you did manage to get a
> prepared file you'd likely run into a whole new batch of install problems.
>
> Sorry about that. We really need to decide whether this tool is worth
> supporting at all and fix it (or make it safer) or simply do away with it.
> Right now it's just a really sharp tool waiting to cut someone.
>
> rob

Well, it looks like it moved all of the existing files in /etc/httpd/alias to
.orig extensions.  I moved those over to an alias.orig directory and imported 
the ipaCert key.  That allowed ipa-replica-prepare to run.

Preparing replica for ipapub.cora.nwra.com from ipa.cora.nwra.com
Copying SSL certificate for the Directory Server from STAR_cora_nwra_com.p12
Creating SSL certificate for the dogtag Directory Server
Copying SSL certificate for the Web Server from STAR_cora_nwra_com.p12
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-ipapub.cora.nwra.com.gpg


But then on ipa-replica-install, problems as predicted:

ipa-replica-install --setup-ca /var/lib/ipa/replica-info-ipapub.cora.nwra.com.gpg
...
   [16/30]: configuring ssl for ds instance
creation of replica failed: Could not find a CA cert in /tmp/tmpPAtailipa/realm_info/dscert.p12

-- 
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder Office                  FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                   http://www.nwra.com
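Rob's suggestion above (list the nicknames in /etc/httpd/alias with certutil and look for a backup) can be turned into a pre-flight check to run before ipa-replica-prepare. The script below is an added example, not part of this thread or of FreeIPA: it parses the output of `certutil -L -d /etc/httpd/alias` (fed in here as a constructed sample so it runs offline), reports which required nicknames are missing, and lists any `.orig` files the cert tool left behind in the directory. The nickname `ipaCert` comes from Rob's reply; `Server-Cert` and the CA nickname are assumed for illustration.

```shell
#!/bin/sh
# Constructed sample of `certutil -L -d /etc/httpd/alias` output.
# Assumed format: header, flags legend, then "<nickname>  <trust flags>" per line.
# ipaCert is deliberately absent, mirroring the situation in the thread.
SAMPLE_CERTUTIL='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
Server-Cert                                                  u,u,u
'

# Print one nickname per line from certutil -L output. A data line is one whose
# last field looks like NSS trust flags (e.g. u,u,u or CT,C,C); that field is
# stripped so nicknames containing spaces ("EXAMPLE.COM IPA CA") survive intact.
list_nicknames() {
    printf '%s\n' "$1" | awk '
        NF >= 2 && $NF ~ /^[pPcCTuUwW]*,[pPcCTuUwW]*,[pPcCTuUwW]*$/ {
            sub(/[ \t]+[^ \t]+$/, ""); print
        }'
}

# Usage: missing_nicknames "<certutil output>" nick1 nick2 ...
# Prints each required nickname that is not present in the database listing.
missing_nicknames() {
    db_output=$1; shift
    names=$(list_nicknames "$db_output")
    for want in "$@"; do
        printf '%s\n' "$names" | grep -qxF -- "$want" || printf '%s\n' "$want"
    done
}

# List files renamed to *.orig in an NSS database directory (the thread reports
# the cert tool moving the original cert8.db/key3.db aside this way).
orig_remnants() {
    find "$1" -maxdepth 1 -name '*.orig' 2>/dev/null
}

# Demonstration against the constructed sample; on a real server replace the
# sample with: certutil -L -d /etc/httpd/alias
missing=$(missing_nicknames "$SAMPLE_CERTUTIL" ipaCert Server-Cert 'EXAMPLE.COM IPA CA')
if [ -n "$missing" ]; then
    printf 'Missing nicknames in /etc/httpd/alias:\n%s\n' "$missing"
else
    echo "All required nicknames present"
fi
```

If `ipaCert` is reported missing, ipa-replica-prepare cannot authenticate to dogtag; check `orig_remnants /etc/httpd/alias` for the moved-aside database before re-importing the key.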