[Freeipa-users] ca.crt contains more than one certificate
Nicklas Björk
nicklas.bjork at skalarit.se
Fri Aug 8 12:46:02 UTC 2014
Trying to upgrade from FreeIPA 3.0 running on CentOS 6 to 3.3 on CentOS
7 using migration. I seem to have run into some certificate problems and
the replica installation halts half-way through. We have a simple
CA-structure, where FreeIPA has been installed as a sub-ca directly
under ca root ca.
A replica bundle was created on the master using:
ipa-replica-prepare replica.example.net --ip-address 192.168.100.2
the gpg-file was copied to replica:/var/lib/ipa and the following
command was executed:
ipa-replica-install --mkhomedir -d --setup-ca --setup-dns
--no-forwarders /var/lib/ipa/replica-info-replica.example.net.gpg
During the first attempt, I was instructed to also run
copy-schema-to-ca.py on the master server, which has been done. The
replica installation halts complainig that ca.crt contains more than one
certificate. Both the FreeIPA CA and the Root CA certificates are in
that file.
Debug output in /var/log/ipareplica-install.log tells the following:
2014-08-08T12:22:08Z DEBUG [17/34]: configuring ssl for ds instance
2014-08-08T12:22:08Z DEBUG Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
2014-08-08T12:22:08Z DEBUG Starting external process
2014-08-08T12:22:08Z DEBUG args=/usr/bin/certutil -d
/etc/dirsrv/slapd-EXAMPLE-NET/ -N -f
/etc/dirsrv/slapd-EXAMPLE-NET//pwdfile.txt
2014-08-08T12:22:08Z DEBUG Process finished, return code=0
2014-08-08T12:22:08Z DEBUG stdout=
2014-08-08T12:22:08Z DEBUG stderr=
2014-08-08T12:22:08Z DEBUG Starting external process
2014-08-08T12:22:08Z DEBUG args=/usr/bin/pk12util -d
/etc/dirsrv/slapd-EXAMPLE-NET/ -i
/tmp/tmpNOzZ3cipa/realm_info/dscert.p12 -k
/etc/dirsrv/slapd-EXAMPLE-NET//pwdfile.txt -v -w /dev/stdin
2014-08-08T12:22:08Z DEBUG Process finished, return code=0
2014-08-08T12:22:08Z DEBUG stdout=pk12util: PKCS12 IMPORT SUCCESSFUL
2014-08-08T12:22:08Z DEBUG stderr=
2014-08-08T12:22:08Z DEBUG Starting external process
2014-08-08T12:22:08Z DEBUG args=/usr/bin/certutil -d
/etc/dirsrv/slapd-EXAMPLE-NET/ -L
2014-08-08T12:22:08Z DEBUG Process finished, return code=0
2014-08-08T12:22:08Z DEBUG stdout=
Certificate Nickname Trust
Attributes
SSL,S/MIME,JAR/XPI
Server-Cert u,u,u
CN=Example Root CA,O=Example AB ,,
EXAMPLE.NET IPA CA ,,
2014-08-08T12:22:08Z DEBUG stderr=
2014-08-08T12:22:08Z DEBUG Starting external process
2014-08-08T12:22:08Z DEBUG args=/usr/bin/certutil -d
/etc/dirsrv/slapd-EXAMPLE-NET/ -A -n CA -t CT,CT, -a
2014-08-08T12:22:08Z DEBUG Process finished, return code=0
2014-08-08T12:22:08Z DEBUG stdout=
2014-08-08T12:22:08Z DEBUG stderr=
2014-08-08T12:22:08Z DEBUG File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
line 638, in run_script
return_value = main_function()
File "/usr/sbin/ipa-replica-install", line 664, in main
ds = install_replica_ds(config)
File "/usr/sbin/ipa-replica-install", line 189, in install_replica_ds
ca_file=config.dir + "/ca.crt",
File
"/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
360, in create_replica
self.start_creation(runtime=60)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 364, in start_creation
method()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
606, in enable_ssl
ca_file=self.ca_file)
File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
line 841, in create_from_pkcs12
self.nssdb.import_pem_cert('CA', 'CT,CT,', ca_file)
File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
line 240, in import_pem_cert
location)
2014-08-08T12:22:08Z DEBUG The ipa-replica-install command failed,
exception: ValueError: /tmp/tmpNOzZ3cipa/realm_info/ca.crt contains more
than one certificate
Is there anything obvious that is wrong or odd with this setup or process?
Best regards
Nicklas Björk
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 246 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140808/34c5dac7/attachment.sig>
More information about the Freeipa-users
mailing list