[Freeipa-users] ipa-replica-prepare error

Jan Cholasta jcholast at redhat.com
Mon Jul 20 06:57:34 UTC 2015


On 15.7.2015 at 20:57, Orion Poplawski wrote:
> On 07/14/2015 11:53 PM, Jan Cholasta wrote:
>> Hi,
>>
>> On 10.7.2015 at 22:33, Orion Poplawski wrote:
>>> On 07/08/2015 11:31 AM, Orion Poplawski wrote:
>>>>    But then when I go to make a replica:
>>>>
>>>> # ipa-replica-prepare ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12
>>>> --dirsrv_pin=XXXXXX --http_pkcs12=nwra.com.p12 --http_pin=XXXXXX
>>>> Directory Manager (existing master) password:
>>>>
>>>> (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>>>>
>>>> Which looks like others are experiencing (with no resolution that I could
>>>> see) https://www.redhat.com/archives/freeipa-users/2015-April/msg00514.html
>>
>> Unfortunately this error code can mean almost anything, NSS isn't particularly
>> helpful with errors.
>>
>>>>
>>>> Putting AddTrustExternalCARoot into nwra.com.p12 doesn't appear to help.
>>>>
>>>
>>> Filed https://fedorahosted.org/freeipa/ticket/5117
>>>
>>
>> Without ipa-replica-prepare log or pk12util output it's really hard to tell
>> what's going on. Could you provide the output of the following commands:
>>
>>      # pk12util -l nwra.com.p12
>
> Certificate(has private key):
>      Data:
>          Version: 3 (0x2)
>          Serial Number:
>              00:d1:3f:8c:79:cf:1c:87:53:f0:05:7c:f6:56:18:3a:
>              5c
>          Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>          Issuer: "CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA
>               Limited,L=Salford,ST=Greater Manchester,C=GB"
>          Validity:
>              Not Before: Thu Oct 11 00:00:00 2012
>              Not After : Sun Jan 10 23:59:59 2016
>          Subject: "CN=*.nwra.com,OU=PositiveSSL Wildcard,OU=Domain Control Val
>              idated"
>          Subject Public Key Info:
>              Public Key Algorithm: PKCS #1 RSA Encryption
>              RSA Public Key:
>                  Exponent: 65537 (0x10001)
>          Signed Extensions:
>              Name: Certificate Authority Key Identifier
>              Key ID:
>                  90:af:6a:3a:94:5a:0b:d8:90:ea:12:56:73:df:43:b4:
>                  3a:28:da:e7
>
>              Name: Certificate Subject Key ID
>              Data:
>                  e9:88:f0:50:0f:f6:09:89:5c:3d:53:70:38:ca:82:22:
>                  42:7e:21:e3
>
>              Name: Certificate Key Usage
>              Critical: True
>              Usages: Digital Signature
>                      Key Encipherment
>
>              Name: Certificate Basic Constraints
>              Critical: True
>              Data: Is not a CA.
>
>              Name: Extended Key Usage
>                  TLS Web Server Authentication Certificate
>                  TLS Web Client Authentication Certificate
>
>              Name: Certificate Policies
>              Data:
>                  Policy Name: OID.1.3.6.1.4.1.6449.1.2.2.7
>                      Policy Qualifier Name: PKIX CPS Pointer Qualifier
>                      Policy Qualifier Data: "https://secure.comodo.com/CPS"
>                  Policy Name: OID.2.23.140.1.2.1
>
>              Name: CRL Distribution Points
>              Distribution point:
>                  URI: "http://crl.comodoca.com/COMODORSADomainValidationSecure
>                      ServerCA.crl"
>
>              Name: Authority Information Access
>              Method: PKIX CA issuers access method
>              Location:
>                  URI: "http://crt.comodoca.com/COMODORSADomainValidationSecure
>                      ServerCA.crt"
>              Method: PKIX Online Certificate Status Protocol
>              Location:
>                  URI: "http://ocsp.comodoca.com"
>
>              Name: Certificate Subject Alt Name
>              DNS name: "*.nwra.com"
>              DNS name: "nwra.com"
>
>      Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>      Fingerprint (SHA-256):
>          F0:50:7E:1A:AA:26:ED:D2:2C:D4:ED:3C:55:16:5B:49:2D:F4:52:1E:FD:8C:EA:70:1F:59:E3:5C:0E:D2:97:E2
>      Fingerprint (SHA1):
>          7C:19:10:39:E2:35:52:F8:36:89:38:01:A6:1B:8B:1A:DC:D2:26:86
>
> Certificate:
>      Data:
>          Version: 3 (0x2)
>          Serial Number:
>              2b:2e:6e:ea:d9:75:36:6c:14:8a:6e:db:a3:7c:8c:07
>          Signature Algorithm: PKCS #1 SHA-384 With RSA Encryption
>          Issuer: "CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=
>              Salford,ST=Greater Manchester,C=GB"
>          Validity:
>              Not Before: Wed Feb 12 00:00:00 2014
>              Not After : Sun Feb 11 23:59:59 2029
>          Subject: "CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO C
>              A Limited,L=Salford,ST=Greater Manchester,C=GB"
>          Subject Public Key Info:
>              Public Key Algorithm: PKCS #1 RSA Encryption
>              RSA Public Key:
>                  Exponent: 65537 (0x10001)
>          Signed Extensions:
>              Name: Certificate Authority Key Identifier
>              Key ID:
>                  bb:af:7e:02:3d:fa:a6:f1:3c:84:8e:ad:ee:38:98:ec:
>                  d9:32:32:d4
>
>              Name: Certificate Subject Key ID
>              Data:
>                  90:af:6a:3a:94:5a:0b:d8:90:ea:12:56:73:df:43:b4:
>                  3a:28:da:e7
>
>              Name: Certificate Key Usage
>              Critical: True
>              Usages: Digital Signature
>                      Certificate Signing
>                      CRL Signing
>
>              Name: Certificate Basic Constraints
>              Critical: True
>              Data: Is a CA with a maximum path length of 0.
>
>              Name: Extended Key Usage
>                  TLS Web Server Authentication Certificate
>                  TLS Web Client Authentication Certificate
>
>              Name: Certificate Policies
>              Data:
>                  Policy Name: Certificate Policies AnyPolicy
>                  Policy Name: OID.2.23.140.1.2.1
>
>              Name: CRL Distribution Points
>              Distribution point:
>                  URI: "http://crl.comodoca.com/COMODORSACertificationAuthority
>                      .crl"
>
>              Name: Authority Information Access
>              Method: PKIX CA issuers access method
>              Location:
>                  URI: "http://crt.comodoca.com/COMODORSAAddTrustCA.crt"
>              Method: PKIX Online Certificate Status Protocol
>              Location:
>                  URI: "http://ocsp.comodoca.com"
>
>      Signature Algorithm: PKCS #1 SHA-384 With RSA Encryption
>      Fingerprint (SHA-256):
>          02:AB:57:E4:E6:7A:0C:B4:8D:D2:FF:34:83:0E:8A:C4:0F:44:76:FB:08:CA:6B:E3:F5:CD:84:6F:64:68:40:F0
>      Fingerprint (SHA1):
>          33:9C:DD:57:CF:D5:B1:41:16:9B:61:5F:F3:14:28:78:2D:1D:A6:39
>
> Certificate:
>      Data:
>          Version: 3 (0x2)
>          Serial Number:
>              27:66:ee:56:eb:49:f3:8e:ab:d7:70:a2:fc:84:de:22
>          Signature Algorithm: PKCS #1 SHA-384 With RSA Encryption
>          Issuer: "CN=AddTrust External CA Root,OU=AddTrust External TTP Networ
>              k,O=AddTrust AB,C=SE"
>          Validity:
>              Not Before: Tue May 30 10:48:38 2000
>              Not After : Sat May 30 10:48:38 2020
>          Subject: "CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L
>              =Salford,ST=Greater Manchester,C=GB"
>          Subject Public Key Info:
>              Public Key Algorithm: PKCS #1 RSA Encryption
>              RSA Public Key:
>                  Exponent: 65537 (0x10001)
>          Signed Extensions:
>              Name: Certificate Authority Key Identifier
>              Key ID:
>                  ad:bd:98:7a:34:b4:26:f7:fa:c4:26:54:ef:03:bd:e0:
>                  24:cb:54:1a
>
>              Name: Certificate Subject Key ID
>              Data:
>                  bb:af:7e:02:3d:fa:a6:f1:3c:84:8e:ad:ee:38:98:ec:
>                  d9:32:32:d4
>
>              Name: Certificate Key Usage
>              Critical: True
>              Usages: Digital Signature
>                      Certificate Signing
>                      CRL Signing
>
>              Name: Certificate Basic Constraints
>              Critical: True
>              Data: Is a CA with no maximum path length.
>
>              Name: Certificate Policies
>              Data:
>                  Policy Name: Certificate Policies AnyPolicy
>
>              Name: CRL Distribution Points
>              Distribution point:
>                  URI: "http://crl.usertrust.com/AddTrustExternalCARoot.crl"
>
>              Name: Authority Information Access
>              Method: PKIX Online Certificate Status Protocol
>              Location:
>                  URI: "http://ocsp.usertrust.com"
>
>      Signature Algorithm: PKCS #1 SHA-384 With RSA Encryption
>      Fingerprint (SHA-256):
>          4F:32:D5:DC:00:F7:15:25:0A:BC:C4:86:51:1E:37:F5:01:A8:99:DE:B3:BF:7E:A8:AD:BB:D3:AE:F1:C4:12:DA
>      Fingerprint (SHA1):
>          F5:AD:0B:CC:1A:D5:6C:D1:50:72:5B:1C:86:6C:30:AD:92:EF:21:B0
>
> Certificate:
>      Data:
>          Version: 3 (0x2)
>          Serial Number: 1 (0x1)
>          Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
>          Issuer: "CN=AddTrust External CA Root,OU=AddTrust External TTP Networ
>              k,O=AddTrust AB,C=SE"
>          Validity:
>              Not Before: Tue May 30 10:48:38 2000
>              Not After : Sat May 30 10:48:38 2020
>          Subject: "CN=AddTrust External CA Root,OU=AddTrust External TTP Netwo
>              rk,O=AddTrust AB,C=SE"
>          Subject Public Key Info:
>              Public Key Algorithm: PKCS #1 RSA Encryption
>              RSA Public Key:
>                  Exponent: 65537 (0x10001)
>          Signed Extensions:
>              Name: Certificate Subject Key ID
>              Data:
>                  ad:bd:98:7a:34:b4:26:f7:fa:c4:26:54:ef:03:bd:e0:
>                  24:cb:54:1a
>
>              Name: Certificate Key Usage
>              Usages: Certificate Signing
>                      CRL Signing
>
>              Name: Certificate Basic Constraints
>              Critical: True
>              Data: Is a CA with no maximum path length.
>
>              Name: Certificate Authority Key Identifier
>              Key ID:
>                  ad:bd:98:7a:34:b4:26:f7:fa:c4:26:54:ef:03:bd:e0:
>                  24:cb:54:1a
>              Issuer:
>                  Directory Name: "CN=AddTrust External CA Root,OU=AddTrust Ext
>                      ernal TTP Network,O=AddTrust AB,C=SE"
>              Serial Number: 1 (0x1)
>
>      Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
>      Fingerprint (SHA-256):
>          68:7F:A4:51:38:22:78:FF:F0:C8:B1:1F:8D:43:D5:76:67:1C:6E:B2:BC:EA:B4:13:FB:83:D9:65:D0:6D:2F:F2
>      Fingerprint (SHA1):
>          02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:68:85:18:68
>
> Key(shrouded):
>      Encryption algorithm: PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC
>          Parameters:
>              Salt:
>                  b3:e3:41:6a:fb:9f:08:8b
>              Iteration Count: 2048 (0x800)
>
>
>>
>>      # ipa-replica-prepare -v ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12
>> --dirsrv_pin=XXXXXX --http_pkcs12=nwra.com.p12 --http_pin=XXXXXX
>
> Directory Manager (existing master) password:
>
> (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>
> Not much :(
>
> Seems to be very early.
>
> I can't find an ipa-replica-prepare.log file.

That's weird, there should be ~50 lines of output before 
ipa-replica-prepare prompts you for directory manager password.

I didn't have any luck in reproducing the issue so far.

Could you please try this:

     $ mkdir tmpdb
     $ certutil -N -d tmpdb
     $ pk12util -i nwra.com.p12 -d tmpdb   # import into tmpdb, not the default database
     # look for nickname of certificate which has trust attributes of u,u,u
     $ certutil -L -d tmpdb
     $ certutil -O -d tmpdb -n nickname    # use the nickname from above

I would like to see the output of the last 2 commands.

-- 
Jan Cholasta
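
An offline check on a `pk12util -l` listing like the one quoted above, added here as an example and not part of the original message or of FreeIPA: it follows each certificate's Authority Key Identifier to the matching Subject Key ID to show whether every issuer up to the root is present in the PKCS#12 file. The sample listing, its names and key IDs are constructed, and `parse_listing` and `check_chain` are hypothetical helper names.

```python
import re

# Constructed sample in `pk12util -l` layout, reduced; names and key IDs are made up.
SAMPLE = """\
Certificate(has private key):
    Subject: "CN=*.example.test,OU=Constructed Leaf"
    Name: Certificate Authority Key Identifier
    Key ID:
        a1:a2:a3:a4:a5:a6:a7:a8:a9:aa:ab:ac:ad:ae:af:b0:
        b1:b2:b3:b4
    Name: Certificate Subject Key ID
    Data:
        01:02:03:04
Certificate:
    Subject: "CN=Example Issuing CA,O=Constructed"
    Name: Certificate Authority Key Identifier
    Key ID:
        c1:c2:c3:c4
    Name: Certificate Subject Key ID
    Data:
        a1:a2:a3:a4:a5:a6:a7:a8:a9:aa:ab:ac:ad:ae:af:b0:
        b1:b2:b3:b4
Certificate:
    Subject: "CN=Example Root CA,O=Constructed"
    Name: Certificate Subject Key ID
    Data:
        c1:c2:c3:c4
    Name: Certificate Authority Key Identifier
    Key ID:
        c1:c2:c3:c4
    Signature:
        de:ad:be:ef
"""

HEX = re.compile(r"[0-9a-f]{2}(:[0-9a-f]{2})*:?")
FIELDS = {"Certificate Authority Key Identifier": "aki",
          "Certificate Subject Key ID": "ski"}

def parse_listing(text):
    """Return one dict per certificate: cn, ski, aki, has_key."""
    certs, field = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if re.fullmatch(r"Certificate(\(has private key\))?:", line):
            certs.append({"cn": "?", "ski": "", "aki": "", "has_key": "(" in line})
            field = None
        elif certs and line.startswith("Subject:"):
            m = re.search(r'CN=([^,"]+)', line)
            certs[-1]["cn"] = m.group(1) if m else "?"
        elif line.startswith("Name:"):
            field = FIELDS.get(line[5:].strip())
        elif certs and field and HEX.fullmatch(line):
            certs[-1][field] += line          # wrapped key IDs span two lines
        elif line not in ("Key ID:", "Data:"):
            field = None                      # e.g. "Signature:" ends the extension
    return certs

def check_chain(certs):
    """Follow AKI -> SKI links (no signature check); return (path, problem)."""
    by_ski = {c["ski"]: c for c in certs if c["ski"]}
    cur = next((c for c in certs if c["has_key"]), None)
    if cur is None:
        return [], "no certificate with a private key"
    path = [cur["cn"]]
    while cur["aki"] and cur["aki"] != cur["ski"] and len(path) <= len(certs):
        parent = by_ski.get(cur["aki"])
        if parent is None:
            return path, "issuer with key ID " + cur["aki"] + " is not in the file"
        cur, path = parent, path + [parent["cn"]]
    return path, None
```

A key-ID match only shows which certificates are in the file; `certutil -O` on the imported database is what prints the chain NSS actually builds.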
