[Freeipa-users] ca.crt contains more than one certificate

Jan Cholasta jcholast at redhat.com
Mon Aug 25 08:55:22 UTC 2014


Hi,

On 8.8.2014 at 14:46 Nicklas Björk wrote:
> Trying to upgrade from FreeIPA 3.0 running on CentOS 6 to 3.3 on CentOS
> 7 using migration. I seem to have run into some certificate problems and
> the replica installation halts half-way through. We have a simple
> CA-structure, where FreeIPA has been installed as a sub-ca directly
> under ca root ca.
>
> A replica bundle was created on the master using:
> ipa-replica-prepare replica.example.net --ip-address 192.168.100.2
> the gpg-file was copied to replica:/var/lib/ipa and the following
> command was executed:
> ipa-replica-install --mkhomedir -d --setup-ca --setup-dns
> --no-forwarders /var/lib/ipa/replica-info-replica.example.net.gpg
>
> During the first attempt, I was instructed to also run
> copy-schema-to-ca.py on the master server, which has been done. The
> replica installation halts complaining that ca.crt contains more than one
> certificate. Both the FreeIPA CA and the Root CA certificates are in
> that file.
>
>
> Debug output in /var/log/ipareplica-install.log tells the following:
>
> 2014-08-08T12:22:08Z DEBUG   [17/34]: configuring ssl for ds instance
> 2014-08-08T12:22:08Z DEBUG Loading Index file from
> '/var/lib/ipa/sysrestore/sysrestore.index'
> 2014-08-08T12:22:08Z DEBUG Starting external process
> 2014-08-08T12:22:08Z DEBUG args=/usr/bin/certutil -d
> /etc/dirsrv/slapd-EXAMPLE-NET/ -N -f
> /etc/dirsrv/slapd-EXAMPLE-NET//pwdfile.txt
> 2014-08-08T12:22:08Z DEBUG Process finished, return code=0
> 2014-08-08T12:22:08Z DEBUG stdout=
> 2014-08-08T12:22:08Z DEBUG stderr=
> 2014-08-08T12:22:08Z DEBUG Starting external process
> 2014-08-08T12:22:08Z DEBUG args=/usr/bin/pk12util -d
> /etc/dirsrv/slapd-EXAMPLE-NET/ -i
> /tmp/tmpNOzZ3cipa/realm_info/dscert.p12 -k
> /etc/dirsrv/slapd-EXAMPLE-NET//pwdfile.txt -v -w /dev/stdin
> 2014-08-08T12:22:08Z DEBUG Process finished, return code=0
> 2014-08-08T12:22:08Z DEBUG stdout=pk12util: PKCS12 IMPORT SUCCESSFUL
>
> 2014-08-08T12:22:08Z DEBUG stderr=
> 2014-08-08T12:22:08Z DEBUG Starting external process
> 2014-08-08T12:22:08Z DEBUG args=/usr/bin/certutil -d
> /etc/dirsrv/slapd-EXAMPLE-NET/ -L
> 2014-08-08T12:22:08Z DEBUG Process finished, return code=0
> 2014-08-08T12:22:08Z DEBUG stdout=
> Certificate Nickname                                         Trust
> Attributes
>
> SSL,S/MIME,JAR/XPI
>
> Server-Cert                                                  u,u,u
> CN=Example Root CA,O=Example AB                            ,,
> EXAMPLE.NET IPA CA                                          ,,
>
> 2014-08-08T12:22:08Z DEBUG stderr=
> 2014-08-08T12:22:08Z DEBUG Starting external process
> 2014-08-08T12:22:08Z DEBUG args=/usr/bin/certutil -d
> /etc/dirsrv/slapd-EXAMPLE-NET/ -A -n CA -t CT,CT, -a
> 2014-08-08T12:22:08Z DEBUG Process finished, return code=0
> 2014-08-08T12:22:08Z DEBUG stdout=
> 2014-08-08T12:22:08Z DEBUG stderr=
> 2014-08-08T12:22:08Z DEBUG   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
> line 638, in run_script
>      return_value = main_function()
>
>    File "/usr/sbin/ipa-replica-install", line 664, in main
>      ds = install_replica_ds(config)
>
>    File "/usr/sbin/ipa-replica-install", line 189, in install_replica_ds
>      ca_file=config.dir + "/ca.crt",
>
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
> 360, in create_replica
>      self.start_creation(runtime=60)
>
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 364, in start_creation
>      method()
>
>    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
> 606, in enable_ssl
>      ca_file=self.ca_file)
>
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
> line 841, in create_from_pkcs12
>      self.nssdb.import_pem_cert('CA', 'CT,CT,', ca_file)
>
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
> line 240, in import_pem_cert
>      location)
>
> 2014-08-08T12:22:08Z DEBUG The ipa-replica-install command failed,
> exception: ValueError: /tmp/tmpNOzZ3cipa/realm_info/ca.crt contains more
> than one certificate
>
>
>
> Is there anything obvious that is wrong or odd with this setup or process?

It seems you somehow ended up with more than one certificate in 
/etc/ipa/ca.crt on the master. It should contain only the IPA CA 
certificate; if you delete all other certificates from it and re-run 
ipa-replica-prepare, you should be able to successfully install the 
replica using ipa-replica-install.

>
>
> Best regards
> Nicklas Björk
>
>
>

Honza

-- 
Jan Cholasta
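As an added illustration (not part of the thread, and not FreeIPA's own code) of the check and the fix suggested above: a small Python script that counts the PEM certificate blocks in a bundle such as /etc/ipa/ca.crt, prints each one's subject through `openssl x509 -noout -subject` when openssl is available, and reduces the bundle to a single chosen certificate before ipa-replica-prepare is re-run. The sample bundle at the bottom is constructed with placeholder bodies, so openssl will not be able to decode it and the subject lookup reports "unavailable" for it; on a real ca.crt the subjects are printed.

```python
"""Inspect a PEM certificate bundle and keep only one certificate from it.

Added example, not FreeIPA code. Assumes a plain PEM file with one or more
"-----BEGIN CERTIFICATE-----" blocks, as /etc/ipa/ca.crt is.
"""
import re
import shutil
import subprocess
import sys

# One PEM certificate block, including its delimiter lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_certs(text):
    """Return every PEM certificate block found in `text`, in file order."""
    return [m.group(0) + "\n" for m in PEM_BLOCK.finditer(text)]


def count_certs(text):
    """Number of certificates in the bundle; ipa-replica-install wants exactly one."""
    return len(split_pem_certs(text))


def describe(pem_block):
    """Best-effort subject of one block via openssl; None if openssl is missing
    or the block cannot be decoded (e.g. the constructed sample below)."""
    if shutil.which("openssl") is None:
        return None
    proc = subprocess.run(
        ["openssl", "x509", "-noout", "-subject"],
        input=pem_block.encode(),
        capture_output=True,
    )
    if proc.returncode != 0:
        return None
    return proc.stdout.decode().strip()


def keep_one(text, index):
    """Return the bundle reduced to the certificate at position `index`.

    This is the 'delete all other certificates from it' step: write the
    returned text back to ca.crt (after backing the original up)."""
    blocks = split_pem_certs(text)
    if not blocks:
        raise ValueError("no certificates found in bundle")
    if not 0 <= index < len(blocks):
        raise IndexError("certificate index %d out of range" % index)
    return blocks[index]


# Constructed sample: two blocks with placeholder bodies, mimicking a ca.crt
# that holds both a root CA and the IPA sub-CA. Not real certificates.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIIBexampleRootCAplaceholder
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBexampleIpaCAplaceholder
-----END CERTIFICATE-----
"""


if __name__ == "__main__":
    # Usage: python check_ca_bundle.py [/etc/ipa/ca.crt]; without a path the
    # constructed sample is inspected.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_BUNDLE
    blocks = split_pem_certs(text)
    print("%d certificate(s) found" % len(blocks))
    for i, block in enumerate(blocks):
        subject = describe(block)
        print("  [%d] %s" % (i, subject or "(subject unavailable)"))
    if len(blocks) != 1:
        print("ca.crt must contain exactly one certificate (the IPA CA) "
              "before re-running ipa-replica-prepare")
```

Run it against the master's /etc/ipa/ca.crt to see how many certificates it holds and which one is the IPA CA; then keep only that block and re-run ipa-replica-prepare as suggested in the reply.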



