[Freeipa-users] ipa-replica-prepare failing
David Dejaeghere
david.dejaeghere at gmail.com
Fri Apr 10 09:27:21 UTC 2015
Hi Rob,
Without the --http-pin the command will give a prompt to enter the password.
Tried both.
I am sending the output of the pk12util -l to you in another email.
It holds the wildcard certificate and the GoDaddy bundle, as far as I
can tell.
Regards,
D
2015-04-09 21:39 GMT+02:00 Rob Crittenden <rcritten at redhat.com>:
> David Dejaeghere wrote:
> > Hi,
> >
> > Sorry for the lack of details!
> > You are indeed correct about the version; it's 4.1.
> > The command I am using is this:
> > ipa-replica-prepare ipa-r1.myobscureddomain.com --http-cert-file /home/fedora/newcert.pk12 --dirsrv-cert-file /home/fedora/newcert.pk12 --ip-address 172.31.16.31 -v
>
> I was pretty sure a pin was required with those options as well.
>
> What do the PKCS#12 files look like: pk12util -l /home/fedora/newcert.pk12
>
> rob
>
> >
> > Regards,
> >
> > D
> >
> > 2015-04-09 16:16 GMT+02:00 Rob Crittenden <rcritten at redhat.com>:
> >
> > David Dejaeghere wrote:
> > > Hi,
> > >
> > > Does somebody have any pointers for me regarding this issue?
> >
> > It would help very much if you'd include the version you're working
> > with. Based on line numbers I'll assume IPA 4.1.
> >
> > It's hard to say since you don't include the command-line you're using,
> > or what those files consist of.
> >
> > It looks like it is blowing up trying to verify that the whole
> > certificate chain is available. NSS unfortunately doesn't always provide
> > the best error messages so it's hard to say why this particular cert
> > can't be loaded.
> >
> > rob
> >
> > >
> > > Regards,
> > >
> > > D
> > >
> > > 2015-04-07 13:34 GMT+02:00 David Dejaeghere <david.dejaeghere at gmail.com>:
> > >
> > > Hello,
> > >
> > > I am trying to set up a replica for my master, which has been set up
> > > with an external CA to use our GoDaddy wildcard certificate.
> > > The ipa-replica-prepare is failing with the following debug information.
> > > I am using --http-cert and --dirsrv-cert with my pk12 server
> > > certificate.
> > > What can I verify to get an idea of what is going wrong?
> > >
> > > ipa: DEBUG: stderr=
> > > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:
> > >   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in execute
> > >     self.ask_for_options()
> > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 276, in ask_for_options
> > >     options.http_cert_name)
> > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 176, in load_pkcs12
> > >     host_name=self.replica_fqdn)
> > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 785, in load_pkcs12
> > >     nss_cert = x509.load_certificate(cert, x509.DER)
> > >   File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 128, in load_certificate
> > >     return nss.Certificate(buffer(data))
> > >
> > > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
> > > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
> > >
> > > Regards,
> > >
> > > D