[Freeipa-users] CA cert issues

Rob Crittenden rcritten at redhat.com
Thu Jan 17 16:27:56 UTC 2013


Orion Poplawski wrote:
> On 01/16/2013 06:50 PM, Rob Crittenden wrote:
>>
>> We really need to put a big fat warning on this too: there be dragons.
>>
>> It is really meant for v1 servers where we didn't have a full CA. The CA is
>> really integrated into IPA v2+ such that replacing certs is going to cause
>> some amount of grief (as you've seen).
>>
>> I didn't think we blew away the existing NSS database using the tool, though
>> it certainly sounds like we are.
>>
>> What you're missing is the ipaCert in /etc/httpd/alias. This is used to
>> authenticate to dogtag. Can you poke around in /etc/httpd to see if a backup
>> was made, or use certutil to get a list of the nicknames in there?
>>
>> I'm guessing it is trying to issue an SSL cert for the CA 389-ds instance.
>> There are no cli options for providing that. Even if you did manage to get a
>> prepared file you'd likely run into a whole new batch of install problems.
>>
>> Sorry about that. We really need to decide whether this tool is worth
>> supporting at all and fix it (or make it safer) or simply do away with it.
>> Right now it's just a really sharp tool waiting to cut someone.
>>
>> rob
>
> Well, it looks like it moved all of the existing files in
> /etc/httpd/alias to .orig extensions.  I moved those over to an
> alias.orig directory and imported the ipaCert key.  That allowed
> ipa-replica-prepare to run.
>
> Preparing replica for ipapub.cora.nwra.com from ipa.cora.nwra.com
> Copying SSL certificate for the Directory Server from
> STAR_cora_nwra_com.p12
> Creating SSL certificate for the dogtag Directory Server
> Copying SSL certificate for the Web Server from STAR_cora_nwra_com.p12
> Copying additional files
> Finalizing configuration
> Packaging replica information into
> /var/lib/ipa/replica-info-ipapub.cora.nwra.com.gpg
>
>
> But then on ipa-replica-install, problems as predicted:
>
> ipa-replica-install --setup-ca
> /var/lib/ipa/replica-info-ipapub.cora.nwra.com.gpg
> ...
>    [16/30]: configuring ssl for ds instance
> creation of replica failed: Could not find a CA cert in
> /tmp/tmpPAtailipa/realm_info/dscert.p12
>

Ok, I think what I would recommend is preparing a replica w/o replacing 
the certs (e.g. let the CA issue certs for all the services).

Install the replica.

Then replace with the wildcard certs once the install is up and functioning.

rob
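As an added example (not code from this thread or from FreeIPA itself), here is a POSIX shell check for the certutil step Rob suggests: list the nicknames in an NSS database and confirm that the ones an IPA master needs are present before running ipa-replica-prepare. `certutil -L -d <dir>` is the real nss-tools invocation and its listing format is what the parser expects; the required-nickname list (ipaCert, which the thread names, plus Server-Cert) and the two sample listings are assumptions constructed for the example, with EXAMPLE.COM standing in for the real realm.

```shell
#!/bin/sh
# Added example, not part of the thread or of FreeIPA: verify that an NSS
# database still holds the certificates an IPA master needs. Requires
# certutil(1) from nss-tools only for check_nss_db; the parsing functions
# run on any saved `certutil -L` output.

# Assumption: nicknames an IPA v2+ master must have in /etc/httpd/alias.
# ipaCert is the one the thread says went missing; Server-Cert is the
# HTTP server certificate nickname.
REQUIRED_NICKNAMES="ipaCert Server-Cert"

# Read `certutil -L` output on stdin and print one nickname per line.
# The listing is a two-line header, a blank line, then one row per cert
# whose last whitespace-separated field is the trust string (e.g. u,u,u);
# nicknames may themselves contain spaces, so drop only that last field.
nicknames_from_listing() {
    awk 'NR > 2 && NF >= 2 { $NF = ""; sub(/[[:space:]]+$/, ""); print }'
}

# Read a listing on stdin, report "missing: <nick>" for every required
# nickname that is absent, and return 1 if any was missing.
check_required() {
    listing=$(nicknames_from_listing)
    rc=0
    for nick in $REQUIRED_NICKNAMES; do
        if ! printf '%s\n' "$listing" | grep -qxF "$nick"; then
            echo "missing: $nick"
            rc=1
        fi
    done
    return $rc
}

# Run the check against a live NSS database directory, e.g.
#   check_nss_db /etc/httpd/alias
check_nss_db() {
    certutil -L -d "$1" | check_required
}

# Constructed sample: what `certutil -L -d /etc/httpd/alias` looks like on
# a healthy master (CA nickname is an example, not from the thread).
SAMPLE_GOOD='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
Server-Cert                                                  u,u,u
ipaCert                                                      u,u,u'

# Constructed sample: the same database after ipaCert has been lost, the
# state the thread describes after the cert-replacement tool ran.
SAMPLE_BROKEN='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
Server-Cert                                                  u,u,u'

# Offline demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_GOOD" | check_required && echo "good db: ok"
printf '%s\n' "$SAMPLE_BROKEN" | check_required || echo "broken db: ipaCert gone"
```

If the live check reports ipaCert missing, look for the .orig copies the tool left behind (as Orion found) or a backup under /etc/httpd before attempting ipa-replica-prepare again; the prepare step needs that certificate to authenticate to dogtag.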
