[Freeipa-users] ipa-replica-prepare failing
David Dejaeghere
david.dejaeghere at gmail.com
Thu Aug 6 22:10:31 UTC 2015
Hello Guys,
I was able to resolve this today.
My webserver and dirsrv certificate were expired yesterday and trying to
replace them gave me the same error "ERROR: (SEC_ERROR_LIBRARY_FAILURE)
security library failure."
So I tried some things to resolve this.
The trick was to replace /etc/ipa/ca.crt with the godaddy file "gdig2"
which only has 1 certificate. This file you can get while downloading your
certificate from godaddy. Then I had to add the bundle from godaddy, file
gd_bundle-g2-g1 into my server cert.
This made both the command ipa-server-certinstall and ipa-replica-prepare
finish as expected!
Hope this helps. I saw somebody else with a very similar issue.
Kind Regards,
D
2015-04-23 7:40 GMT+02:00 Jan Cholasta <jcholast at redhat.com>:
> Hi,
>
> yes, you can definitely use a different certificate in the meantime,
> although it can't be self-signed.
>
> Honza
>
> Dne 20.4.2015 v 14:17 David Dejaeghere napsal(a):
>
>> Hi,
>>
>> Let me know how I can assist.
>> In the meantime could I setup a replica using a different certificate?
>> Self signed or anything like that?
>>
>> Regards,
>>
>> D
>>
>> 2015-04-17 15:27 GMT+02:00 Jan Cholasta <jcholast at redhat.com>:
>>
>> Hi,
>>
>> I don't have any new information. I'm trying to reproduce the
>> problem but had no luck so far.
>>
>> Honza
>>
>> Dne 17.4.2015 v 15:23 David Dejaeghere napsal(a):
>>
>> Hi,
>>
>> Any more things I can try out? How do we proceed?
>>
>> Kind Regards,
>>
>> D
>>
>> 2015-04-15 11:48 GMT+02:00 David Dejaeghere <david.dejaeghere at gmail.com>:
>>
>> Hi Honza,
>>
>> That gave me the exact same output. Any ideas?
>>
>> Regards,
>>
>> D
>>
>> 2015-04-15 7:33 GMT+02:00 Jan Cholasta <jcholast at redhat.com>:
>>
>>
>> Hi,
>>
>> Dne 14.4.2015 v 19:47 Rob Crittenden napsal(a):
>>
>> David Dejaeghere wrote:
>>
>> Hi Rob,
>>
>> So you want the output of the command using pk12
>> with server cert and
>> key? or with the ca chain in there too?
>>
>>
>> Oddly enough it is failing in exactly the same
>> place. Those
>> GoDaddy CA
>> certs are still being loaded from somewhere, I'm
>> not sure
>> where, and I
>> suspect that is the source of the problem.
>>
>>
>> They are in the default CA certificate bundle (in the
>> ca-certificate package). I guess NSS loads it
>> automatically.
>>
>>
>> I'm going to forward the log to a colleague who has
>> worked
>> on this code
>> more recently than I have. Maybe he will have an
>> idea.
>>
>>
>> Could you try if the following works?
>>
>> # mv /usr/share/pki/ca-trust-source/ca-bundle.trust.crt /root/ca-bundle.trust.crt
>>
>> # update-ca-trust
>>
>> # ipa-replica-prepare ...
>>
>> # mv /root/ca-bundle.trust.crt /usr/share/pki/ca-trust-source/ca-bundle.trust.crt
>>
>> # update-ca-trust
>>
>>
>> rob
>>
>>
>> Honza
>>
>> --
>> Jan Cholasta
>>
>>
>>
>>
>>
>> --
>> Jan Cholasta
>>
>>
>>
>
> --
> Jan Cholasta
>
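An added check (not code from the thread or from FreeIPA) that encodes the fix described at the top of this message: /etc/ipa/ca.crt should hold exactly one CA certificate, and the server PEM should carry the leaf plus the intermediate bundle. It assumes plain PEM input; the sample "certificate" is a constructed minimal DER SEQUENCE, not a real certificate.

```python
import base64
import re

# Constructed sample block: the body decodes to the DER bytes 30 03 02 01 05
# (a SEQUENCE holding INTEGER 5). It is not a real certificate; it stands in
# for a file such as GoDaddy's single-certificate "gdig2".
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"

PEM_BLOCK_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_pem(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM file.

    Raises ValueError on a block whose body is not valid base64 or does not
    decode to a DER SEQUENCE (every X.509 certificate starts with tag 0x30).
    """
    ders = []
    for body in PEM_BLOCK_RE.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:
            raise ValueError("PEM block does not decode to a DER SEQUENCE")
        ders.append(der)
    return ders


def audit_ipa_cert_files(ca_crt, server_pem):
    """Check two PEM strings against the layout that made the install work:
    one CA certificate in ca.crt, leaf plus bundle in the server file.
    Returns a list of human-readable problems (empty when both look right)."""
    problems = []
    n_ca = len(split_pem(ca_crt))
    if n_ca != 1:
        problems.append(f"ca.crt holds {n_ca} certificates, expected exactly 1")
    n_srv = len(split_pem(server_pem))
    if n_srv < 2:
        problems.append(
            f"server PEM holds {n_srv} certificate(s); append the CA bundle")
    return problems


if __name__ == "__main__":
    # Good layout: single CA cert, server file with leaf + one intermediate.
    print(audit_ipa_cert_files(FAKE_CERT, FAKE_CERT * 2))
    # Bad layout: a bundle in ca.crt and a bare leaf as the server cert.
    print(audit_ipa_cert_files(FAKE_CERT * 2, FAKE_CERT))
```

Run it against the real files with `open("/etc/ipa/ca.crt").read()` and the server PEM before calling ipa-server-certinstall; a non-empty result points at the same layout mistake this thread hit.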