[Freeipa-users] ipa-replica-prepare failing

Jan Cholasta jcholast at redhat.com
Thu Apr 23 05:40:27 UTC 2015


Hi,

yes, you can definitely use a different certificate in the meantime, 
although it can't be self-signed.

Honza

On 20.4.2015 at 14:17, David Dejaeghere wrote:
> Hi,
>
> Let me know how I can assist.
> In the meantime could I setup a replica using a different certificate?
> Self signed or anything like that?
>
> Regards,
>
> D
>
> 2015-04-17 15:27 GMT+02:00 Jan Cholasta <jcholast at redhat.com>:
>
>     Hi,
>
>     I don't have any new information. I'm trying to reproduce the
>     problem but had no luck so far.
>
>     Honza
>
>     On 17.4.2015 at 15:23, David Dejaeghere wrote:
>
>         Hi,
>
>         Any more things I can try out? How do we proceed?
>
>         Kind Regards,
>
>         D
>
>         2015-04-15 11:48 GMT+02:00 David Dejaeghere <david.dejaeghere at gmail.com>:
>
>              Hi Honza,
>
>              That gave me the exact same output.  Any ideas?
>
>              Regards,
>
>              D
>
>              2015-04-15 7:33 GMT+02:00 Jan Cholasta <jcholast at redhat.com>:
>
>                  Hi,
>
>                  On 14.4.2015 at 19:47, Rob Crittenden wrote:
>
>                      David Dejaeghere wrote:
>
>                          Hi Rob,
>
>                          So you want the output of the command using pk12
>                          with server cert and key? Or with the CA chain in
>                          there too?
>
>
>                      Oddly enough it is failing in exactly the same place.
>                      Those GoDaddy CA certs are still being loaded from
>                      somewhere, I'm not sure where, and I suspect that is
>                      the source of the problem.
>
>
>                  They are in the default CA certificate bundle (in the
>                  ca-certificate package). I guess NSS loads it automatically.
>
>
>                      I'm going to forward the log to a colleague who has
>                      worked on this code more recently than I have. Maybe
>                      he will have an idea.
>
>
>                  Could you try if the following works?
>
>                       # mv /usr/share/pki/ca-trust-source/ca-bundle.trust.crt /root/ca-bundle.trust.crt
>
>                       # update-ca-trust
>
>                       # ipa-replica-prepare ...
>
>                       # mv /root/ca-bundle.trust.crt /usr/share/pki/ca-trust-source/ca-bundle.trust.crt
>
>                       # update-ca-trust
>
>
>                      rob
>
>
>                  Honza
>
>                  --
>                  Jan Cholasta
>
>
>
>
>
>     --
>     Jan Cholasta
>
>


-- 
Jan Cholasta



