[Freeipa-users] ipa-replica-prepare failing

Rob Crittenden rcritten at redhat.com
Thu Apr 9 19:39:49 UTC 2015


David Dejaeghere wrote:
> Hi,
> 
> Sorry for the lack of details!
> You are indeed correct about the version; it's 4.1.
> The command I am using is this:
> ipa-replica-prepare ipa-r1.myobscureddomain.com --http-cert-file
> /home/fedora/newcert.pk12 --dirsrv-cert-file /home/fedora/newcert.pk12
> --ip-address 172.31.16.31 -v

I was pretty sure a pin was required with those options as well.

What do the PKCS#12 files look like: pk12util -l /home/fedora/newcert.pk12

rob

> 
> Regards,
> 
> D
> 
> 2015-04-09 16:16 GMT+02:00 Rob Crittenden <rcritten at redhat.com>:
> 
>     David Dejaeghere wrote:
>     > Hi,
>     >
>     > Does somebody have any pointers for me regarding this issue?
> 
>     It would help very much if you'd include the version you're working
>     with. Based on line numbers I'll assume IPA 4.1.
> 
>     It's hard to say since you don't include the command-line you're using,
>     or what those files consist of.
> 
>     It looks like it is blowing up trying to verify that the whole
>     certificate chain is available. NSS unfortunately doesn't always provide
>     the best error messages so it's hard to say why this particular cert
>     can't be loaded.
> 
>     rob
> 
>     >
>     > Regards,
>     >
>     > D
>     >
>     > 2015-04-07 13:34 GMT+02:00 David Dejaeghere <david.dejaeghere at gmail.com>:
>     >
>     >     Hello,
>     >
>     >     I am trying to set up a replica for my master which has been set up
>     >     with an external CA to use our GoDaddy wildcard certificate.
>     >     The ipa-replica-prepare is failing with the following debug
>     >     information.
>     >     I am using --http-cert and --dirsrv-cert with my pk12 server
>     >     certificate.
>     >     What can I verify to get an idea of what is going wrong?
>     >
>     >     ipa: DEBUG: stderr=
>     >     ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in execute
>     >         self.ask_for_options()
>     >       File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 276, in ask_for_options
>     >         options.http_cert_name)
>     >       File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 176, in load_pkcs12
>     >         host_name=self.replica_fqdn)
>     >       File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 785, in load_pkcs12
>     >         nss_cert = x509.load_certificate(cert, x509.DER)
>     >       File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 128, in load_certificate
>     >         return nss.Certificate(buffer(data))
>     >
>     >     ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>     >     ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>     >
>     >     Regards,
>     >
>     >     D
>     >
>     >
>     >
>     >
> 
> 
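
Added example, not part of either poster's message and not FreeIPA code: one way to inspect a PKCS#12 bundle with respect to the chain-availability check mentioned in the thread. It uses the openssl CLI rather than pk12util, compares issuer and subject name hashes only, and the function names, sample certificates and password are constructed for illustration.

```bash
#!/bin/sh
# Added example: does a PKCS#12 bundle hold the issuer of every certificate in
# it, up to a self-signed root? Name hashes only; no signature/validity checks.
# p12_chain_complete FILE PASSIN  (PASSIN is an openssl pass source, e.g. env:P12_PIN)
# Returns 0 if complete, 1 if an issuer is missing, 2 if nothing could be read.
p12_chain_complete() (
  dir=$(mktemp -d) || exit 2
  # Dump certificates only (never the private key), one PEM file per cert.
  openssl pkcs12 -in "$1" -nokeys -passin "$2" 2>/dev/null |
    awk -v d="$dir" '/-BEGIN CERTIFICATE-/ { n++; p = 1 }
                     p { print > (d "/c" n ".pem") }
                     /-END CERTIFICATE-/ { p = 0 }'
  rc=0
  ls "$dir"/c*.pem >/dev/null 2>&1 || rc=2
  if [ "$rc" -eq 0 ]; then
    for c in "$dir"/c*.pem; do
      openssl x509 -in "$c" -noout -subject_hash
    done > "$dir/subjects"
    for c in "$dir"/c*.pem; do
      issuer=$(openssl x509 -in "$c" -noout -issuer_hash)
      grep -qx "$issuer" "$dir/subjects" && continue
      echo "issuer not in bundle: $(openssl x509 -in "$c" -noout -subject)"
      rc=1
    done
  fi
  rm -rf "$dir"
  exit "$rc"
)

# Constructed throwaway PKI (root -> intermediate -> leaf) and two bundles.
make_samples() (
  cd "$1" || exit 1
  csr() { openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$2"; }
  sign() { openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial -out "$1.crt" -days 2; }
  {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
      -subj "/CN=Constructed Root" -days 2
    csr int "Constructed Intermediate" && sign int root
    csr leaf "replica.example.test" && sign leaf int
    cat int.crt root.crt > chain.pem
    openssl pkcs12 -export -inkey leaf.key -in leaf.crt -passout pass:Secret123 -out leaf-only.p12
    openssl pkcs12 -export -inkey leaf.key -in leaf.crt -certfile chain.pem \
      -passout pass:Secret123 -out full.p12
  } >/dev/null 2>&1
)

demo=$(mktemp -d) && make_samples "$demo"
for f in leaf-only.p12 full.p12; do
  if p12_chain_complete "$demo/$f" pass:Secret123; then echo "$f: complete"; else echo "$f: incomplete"; fi
done
```

For a real bundle, pass the PIN as `env:VARNAME` or `file:PATH` so it does not appear in the process list.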



