[Freeipa-users] ipa-replica-prepare failing

Rob Crittenden rcritten at redhat.com
Fri Apr 10 15:03:59 UTC 2015


David Dejaeghere wrote:
> Hi Rob,
> 
> Without the --http-pin the command will give a prompt to enter the password.
> Tried both.
> 
> I am sending the output of the pk12util -l to you in another email.
> It holds the wildcard certificate and the godaddy bundle for as far as I
> can tell.

I have to admit, I'm a bit stumped. (SEC_ERROR_LIBRARY_FAILURE) is a
rather generic NSS error which can mean any number of things. It often
means that the NSS database it is using is bad in some way but given
that this is a temporary database created just for this purpose I doubt
that's it. You may want to look for SELinux AVCs though: ausearch -m AVC
-ts recent.

At the point where it is blowing up, the PKCS#12 file has already been
imported and IPA is walking through the results trying to ensure that
the full cert trust chain is available. It does this by reading the
certs out of the database, and at that point it's blowing up.

The PKCS#12 output you sent me looks ok. I don't believe this is an
issue with trust or missing parts of the chain.

I created a simple PKCS#12 file and was able to prepare a replica using
it, so AFAICT the code isn't completely broken.

Can you provide the full output from ipa-replica-prepare?

rob
> 
> Regards,
> 
> D
> 
> 2015-04-09 21:39 GMT+02:00 Rob Crittenden <rcritten at redhat.com>:
> 
>     David Dejaeghere wrote:
>     > Hi,
>     >
>     > Sorry for the lack of details!
>     > You are indeed correct about the version, it's 4.1.
>     > The command I am using is this:
>     > ipa-replica-prepare ipa-r1.myobscureddomain.com --http-cert-file
>     > /home/fedora/newcert.pk12 --dirsrv-cert-file /home/fedora/newcert.pk12
>     > --ip-address 172.31.16.31 -v
> 
>     I was pretty sure a pin was required with those options as well.
> 
>     What do the PKCS#12 files look like: pk12util -l
>     /home/fedora/newcert.pk12
> 
>     rob
> 
>     >
>     > Regards,
>     >
>     > D
>     >
>     > 2015-04-09 16:16 GMT+02:00 Rob Crittenden <rcritten at redhat.com>:
>     >
>     >     David Dejaeghere wrote:
>     >     > Hi,
>     >     >
>     >     > Does somebody have any pointers for me regarding this issue?
>     >
>     >     It would help very much if you'd include the version you're working
>     >     with. Based on line numbers I'll assume IPA 4.1.
>     >
>     >     It's hard to say since you don't include the command-line you're using,
>     >     or what those files consist of.
>     >
>     >     It looks like it is blowing up trying to verify that the whole
>     >     certificate chain is available. NSS unfortunately doesn't always provide
>     >     the best error messages so it's hard to say why this particular cert
>     >     can't be loaded.
>     >
>     >     rob
>     >
>     >     >
>     >     > Regards,
>     >     >
>     >     > D
>     >     >
>     >     > 2015-04-07 13:34 GMT+02:00 David Dejaeghere <david.dejaeghere at gmail.com>:
>     >     >
>     >     >     Hello,
>     >     >
>     >     >     I am trying to set up a replica for my master which has been set up
>     >     >     with an external CA to use our godaddy wildcard certificate.
>     >     >     The ipa-replica-prepare is failing with the following debug information.
>     >     >     I am using --http-cert and --dirsrv-cert with my pk12 server certificate.
>     >     >     What can I verify to get an idea of what is going wrong?
>     >     >
>     >     >     ipa: DEBUG: stderr=
>     >     >     ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:
>     >     >       File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in execute
>     >     >         self.ask_for_options()
>     >     >       File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 276, in ask_for_options
>     >     >         options.http_cert_name)
>     >     >       File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 176, in load_pkcs12
>     >     >         host_name=self.replica_fqdn)
>     >     >       File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 785, in load_pkcs12
>     >     >         nss_cert = x509.load_certificate(cert, x509.DER)
>     >     >       File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 128, in load_certificate
>     >     >         return nss.Certificate(buffer(data))
>     >     >
>     >     >     ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>     >     >     ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>     >     >
>     >     >     Regards,
>     >     >
>     >     >     D
>     >     >
>     >     >
>     >     >
>     >     >
>     >
>     >
> 
> 
