[Freeipa-users] ipa-replica-prepare failing

David Dejaeghere david.dejaeghere at gmail.com
Mon Apr 13 14:32:46 UTC 2015


Hi Rob,

So you want the output of the command using a pk12 with the server cert and key,
or with the CA chain in there too?

Regards,

David

2015-04-13 16:28 GMT+02:00 Rob Crittenden <rcritten at redhat.com>:

> David Dejaeghere wrote:
> > Hi,
> >
> > I get the same error when I use a pk12 with only the server certificate
> > (and key) in it.
> > Not sure what else I can try.
>
> I'd need to see the full output again.
>
> rob
>
> >
> > Regards,
> >
> > D
> >
> > 2015-04-11 0:23 GMT+02:00 Rob Crittenden <rcritten at redhat.com>:
> >
> >     David Dejaeghere wrote:
> >     > Hi,
> >     >
> >     > I even tried the command using an export from the http service nss db,
> >     > same issue.
> >     >
> >     > regarding SElinux:
> >     > ausearch -m AVC -ts recent
> >     > <no matches>
> >     >
> >     > Sending you the log personally.
> >
> >     Ok, so the way the certs are imported is all the certs in the PKCS#12
> >     file are loaded in, then marked as untrusted.
> >
> >     certutil -O is executed against the server cert which prints out what
> >     the trust chain should be and those certs marked as trusted CA's.
> >
> >     That part is working fine.
> >
> >     Finally it makes another pass through the database to verify the chain.
> >
> >     Looking at the output there are two certs with the subject CN=Go Daddy
> >     Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
> >     and different serial numbers. I wonder if this is confusing the cert loader.
> >     These certs are included in the PKCS#12 file (serial #0 and #1828629 AFAICT).
> >     I don't know which one is the "right" one, or if there even is one.
> >
> >     rob
> >
> >
> >     >
> >     > Regards,
> >     >
> >     > D
> >     >
> >     > 2015-04-10 17:03 GMT+02:00 Rob Crittenden <rcritten at redhat.com>:
> >     >
> >     >     David Dejaeghere wrote:
> >     >     > Hi Rob,
> >     >     >
> >     >     > Without the --http-pin the command will give a prompt to enter the password.
> >     >     > Tried both.
> >     >     >
> >     >     > I am sending the output of the pk12util -l to you in another email.
> >     >     > It holds the wildcard certificate and the godaddy bundle as far as I can tell.
> >     >
> >     >     I have to admit, I'm a bit stumped. (SEC_ERROR_LIBRARY_FAILURE) is a
> >     >     rather generic NSS error which can mean any number of things. It often
> >     >     means that the NSS database it is using is bad in some way but given
> >     >     that this is a temporary database created just for this purpose I doubt
> >     >     that's it. You may want to look for SELinux AVCs though: ausearch -m AVC
> >     >     -ts recent.
> >     >
> >     >     At the point where it is blowing up, the PKCS#12 file has already been
> >     >     imported and IPA is walking through the results trying to ensure that
> >     >     the full cert trust chain is available. It does this by reading the
> >     >     certs out of the database, and at that point it's blowing up.
> >     >
> >     >     The PKCS#12 output you sent me looks ok. I don't believe this is an
> >     >     issue with trust or missing parts of the chain.
> >     >
> >     >     I created a simple PKCS#12 file and was able to prepare a replica using
> >     >     it, so AFAICT the code isn't completely broken.
> >     >
> >     >     Can you provide the full output from ipa-replica-prepare?
> >     >
> >     >     rob
> >     >     >
> >     >     > Regards,
> >     >     >
> >     >     > D
> >     >     >
> >     >     > 2015-04-09 21:39 GMT+02:00 Rob Crittenden <rcritten at redhat.com>:
> >     >     >
> >     >     >     David Dejaeghere wrote:
> >     >     >     > Hi,
> >     >     >     >
> >     >     >     > Sorry for the lack of details!
> >     >     >     > You are indeed  correct about the version its 4.1
> >     >     >     > The command I am using is this:
> >     >     >     > ipa-replica-prepare ipa-r1.myobscureddomain.com --http-cert-file
> >     >     >     > /home/fedora/newcert.pk12 --dirsrv-cert-file /home/fedora/newcert.pk12
> >     >     >     > --ip-address 172.31.16.31 -v
> >     >     >
> >     >     >     I was pretty sure a pin was required with those options as well.
> >     >     >
> >     >     >     What do the PKCS#12 files look like: pk12util -l /home/fedora/newcert.pk12
> >     >     >
> >     >     >     rob
> >     >     >
> >     >     >     >
> >     >     >     > Regards,
> >     >     >     >
> >     >     >     > D
> >     >     >     >
> >     >     >     > 2015-04-09 16:16 GMT+02:00 Rob Crittenden <rcritten at redhat.com>:
> >     >     >     >
> >     >     >     >     David Dejaeghere wrote:
> >     >     >     >     > Hi,
> >     >     >     >     >
> >     >     >     >     > Does somebody have any pointers for me regarding this issue?
> >     >     >     >
> >     >     >     >     It would help very much if you'd include the version you're working
> >     >     >     >     with. Based on line numbers I'll assume IPA 4.1.
> >     >     >     >
> >     >     >     >     It's hard to say since you don't include the command-line you're using,
> >     >     >     >     or what those files consist of.
> >     >     >     >
> >     >     >     >     It looks like it is blowing up trying to verify that the whole
> >     >     >     >     certificate chain is available. NSS unfortunately doesn't always provide
> >     >     >     >     the best error messages so it's hard to say why this particular cert
> >     >     >     >     can't be loaded.
> >     >     >     >
> >     >     >     >     rob
> >     >     >     >
> >     >     >     >     >
> >     >     >     >     > Regards,
> >     >     >     >     >
> >     >     >     >     > D
> >     >     >     >     >
> >     >     >     >     > 2015-04-07 13:34 GMT+02:00 David Dejaeghere <david.dejaeghere at gmail.com>:
> >     >     >     >     >
> >     >     >     >     >     Hello,
> >     >     >     >     >
> >     >     >     >     >     I am trying to set up a replica for my master which has been set up
> >     >     >     >     >     with an external CA to use our godaddy wildcard certificate.
> >     >     >     >     >     The ipa-replica-prepare is failing with the following debug information.
> >     >     >     >     >     I am using --http-cert and --dirsrv-cert with my pk12 server certificate.
> >     >     >     >     >     What can I verify to get an idea of what is going wrong?
> >     >     >     >     >
> >     >     >     >     >     ipa: DEBUG: stderr=
> >     >     >     >     >     ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:
> >     >     >     >     >       File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in execute
> >     >     >     >     >         self.ask_for_options()
> >     >     >     >     >       File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 276, in ask_for_options
> >     >     >     >     >         options.http_cert_name)
> >     >     >     >     >       File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 176, in load_pkcs12
> >     >     >     >     >         host_name=self.replica_fqdn)
> >     >     >     >     >       File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 785, in load_pkcs12
> >     >     >     >     >         nss_cert = x509.load_certificate(cert, x509.DER)
> >     >     >     >     >       File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 128, in load_certificate
> >     >     >     >     >         return nss.Certificate(buffer(data))
> >     >     >     >     >
> >     >     >     >     >     ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
> >     >     >     >     >
> >     >     >     >     >     ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
> >     >     >     >     >
> >     >     >     >     >     Regards,
> >     >     >     >     >
> >     >     >     >     >     D
> >     >     >     >     >
> >     >     >     >     >
> >     >     >     >     >
> >     >     >     >     >
> >     >     >     >
> >     >     >     >
> >     >     >
> >     >     >
> >     >
> >     >
> >
> >
>
>
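A quick way to spot the situation Rob describes above (two certificates with the same subject but different serial numbers inside the PKCS#12 file, plus any issuer that is missing from the bundle) before running ipa-replica-prepare again. This is an added example, not code from this thread or from FreeIPA: it parses the certutil-style dump that `pk12util -l` prints. The script name, the exact dump layout, the leaf and intermediate serials and the cross-signed root's issuer in the constructed sample are assumptions; only the root subject and the serials 0 and 1828629 come from the thread.

```python
"""Pre-flight check for the PKCS#12 file handed to ipa-replica-prepare.

Parses the certutil-style dump printed by `pk12util -l file.p12` (assumed use:
`pk12util -l /home/fedora/newcert.pk12 | python3 check_p12_dump.py`) and flags
several certificates sharing one subject with different serial numbers, and
any issuer that is absent from the bundle.
"""
import re
import sys
from collections import defaultdict

CERT_START = re.compile(r"^Certificate")  # "Certificate:" or "Certificate(has private key):"
SERIAL_INLINE = re.compile(r"^\s*Serial Number:\s*(\d+)\s*\(0x[0-9a-f]+\)\s*$", re.I)
SERIAL_HEADER = re.compile(r"^\s*Serial Number:\s*$")
HEX_LINE = re.compile(r"^\s*([0-9a-f]{2}(?::[0-9a-f]{2})*):?\s*$", re.I)
DN_LINE = re.compile(r'^\s*(Subject|Issuer):\s*"?(.*?)"?\s*$')

# Constructed sample approximating pk12util -l output.  The two root entries reuse
# the subject and serials (0 and 1828629) quoted in the thread; the leaf and
# intermediate serials and the cross-signed root's issuer are assumptions.
ROOT = "CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com, Inc.,L=Scottsdale,ST=Arizona,C=US"
INTERMEDIATE = "CN=Go Daddy Secure Certificate Authority - G2,O=GoDaddy.com, Inc.,L=Scottsdale,ST=Arizona,C=US"
SAMPLE_DUMP = """\
Certificate(has private key):
        Serial Number:
            1e:2f:3a:4b:5c:6d:7e:8f
        Issuer: "%(inter)s"
        Subject: "CN=*.myobscureddomain.com,OU=Domain Control Validated"
Certificate:
        Serial Number: 7 (0x7)
        Issuer: "%(root)s"
        Subject: "%(inter)s"
Certificate:
        Serial Number: 0 (0x0)
        Issuer: "%(root)s"
        Subject: "%(root)s"
Certificate:
        Serial Number: 1828629 (0x1be6d5)
        Issuer: "OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group, Inc.,C=US"
        Subject: "%(root)s"
""" % {"root": ROOT, "inter": INTERMEDIATE}


def parse_dump(text):
    """Return one dict per certificate: serial (int), subject, issuer, has_key."""
    certs, cur, lines, i = [], None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i]
        if CERT_START.match(line):
            cur = {"serial": None, "subject": None, "issuer": None,
                   "has_key": "private key" in line}
            certs.append(cur)
        elif cur is not None:
            m = SERIAL_INLINE.match(line)
            if m:
                cur["serial"] = int(m.group(1))
            elif SERIAL_HEADER.match(line):
                # Long serials are dumped as colon-separated hex on the following line(s).
                digits = []
                while i + 1 < len(lines) and HEX_LINE.match(lines[i + 1]):
                    i += 1
                    digits.append(HEX_LINE.match(lines[i]).group(1).replace(":", ""))
                cur["serial"] = int("".join(digits), 16)
            else:
                m = DN_LINE.match(line)
                # Keep only the first Subject/Issuer: later ones can sit inside extensions.
                if m and cur[m.group(1).lower()] is None:
                    cur[m.group(1).lower()] = m.group(2)
        i += 1
    return certs


def find_problems(certs):
    """Return human-readable findings; an empty list means the bundle looks sane."""
    problems, by_subject = [], defaultdict(set)
    for c in certs:
        by_subject[c["subject"]].add(c["serial"])
    for subject, serials in sorted(by_subject.items(), key=lambda kv: str(kv[0])):
        if len(serials) > 1:
            problems.append("duplicate subject %s with serials %s" % (subject, sorted(serials)))
    for c in certs:
        if c["issuer"] != c["subject"] and c["issuer"] not in by_subject:
            problems.append("issuer of serial %s not in bundle: %s" % (c["serial"], c["issuer"]))
    return problems


def main():
    certs = parse_dump(SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read())
    for c in certs:
        print("serial=%s%s subject=%s" % (c["serial"], " (key)" if c["has_key"] else "", c["subject"]))
    problems = find_problems(certs)
    for p in problems:
        print("WARNING:", p)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it with the real dump piped in; with no stdin it walks the constructed sample, which reports the duplicated root subject (serials 0 and 1828629) and the cross-signed root whose issuer is not in the file. Two caveats: a file holding only the server cert and key will report its issuer as missing, which is harmless when the CA is already in the server's NSS database, and the script only inspects the file's contents; whether NSS actually chokes on the duplicated subject is the open question in the thread, not something this check settles.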