[Freeipa-users] ipa-replica-prepare error

Orion Poplawski orion at cora.nwra.com
Mon Jul 20 17:52:48 UTC 2015


On 07/20/2015 12:57 AM, Jan Cholasta wrote:
> On 15.7.2015 at 20:57, Orion Poplawski wrote:
>> On 07/14/2015 11:53 PM, Jan Cholasta wrote:
>>>
>>>      # ipa-replica-prepare -v ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12 --dirsrv_pin=XXXXXX --http_pkcs12=nwra.com.p12 --http_pin=XXXXXX
>>
>> Directory Manager (existing master) password:
>>
>> (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>>
>> Not much :(
>>
>> Seems to be very early.
>>
>> I can't find an ipa-replica-prepare.log file.
> 
> That's weird, there should be ~50 lines of output before ipa-replica-prepare
> prompts you for directory manager password.
> 
> I didn't have any luck in reproducing the issue so far.
> 
> Could you please try this:
> 
>     $ mkdir tmpdb
>     $ certutil -N -d tmpdb
>     $ pk12util -i nwra.com.p12 -d tmpdb
>     $ certutil -L -d tmpdb              # look for nickname of certificate which has trust attributes of u,u,u
>     $ certutil -O -d tmpdb -n nickname  # use the nickname from above
> 
> I would like to see the output of the last 2 commands.
> 

[root@europa ~]# pk12util -i nwra.com.p12 -d tmpdb
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
pk12util: no nickname for cert in PKCS12 file.
pk12util: using nickname: *.nwra.com - COMODO CA Limited
pk12util: PKCS12 IMPORT SUCCESSFUL
[root@europa ~]# certutil -L -d tmpdb

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

COMODO RSA Domain Validation Secure Server CA - COMODO CA Limited ,,
AddTrust External CA Root - AddTrust AB                      ,,
*.nwra.com - COMODO CA Limited                               u,u,u
COMODO RSA Certification Authority - AddTrust AB             ,,
[root@europa ~]# certutil -O -d tmpdb -n '*.nwra.com - COMODO CA Limited'
"AddTrust External CA Root - AddTrust AB" [CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE]

  "COMODO RSA Certification Authority - AddTrust AB" [CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB]

    "COMODO RSA Domain Validation Secure Server CA - COMODO CA Limited" [CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB]

      "*.nwra.com - COMODO CA Limited" [CN=*.nwra.com,OU=PositiveSSL Wildcard,OU=Domain Control Validated]


-- 
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                   http://www.nwra.com
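
The check requested in this message, as a script. This is an added example, not part of the original thread: the function names and the use of `mktemp` are assumptions of the example, and it uses only the `certutil` and `pk12util` options that appear above.

```shell
# Added example: import a PKCS#12 file into a throwaway NSS database and
# print the chain of every certificate that came with a private key.

# The `certutil -L` listing shown in the thread, kept here as sample input.
sample_listing() {
    cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

COMODO RSA Domain Validation Secure Server CA - COMODO CA Limited ,,
AddTrust External CA Root - AddTrust AB                      ,,
*.nwra.com - COMODO CA Limited                               u,u,u
COMODO RSA Certification Authority - AddTrust AB             ,,
EOF
}

# Read `certutil -L` output on stdin and print each nickname whose trust
# attributes are exactly u,u,u. Nicknames contain spaces, so remove the
# trailing trust column rather than splitting the line on whitespace.
user_cert_nicknames() {
    awk '$NF == "u,u,u" {
        sub(/[ \t]+u,u,u[ \t]*$/, "")
        print
    }'
}

# Usage: show_p12_chain FILE.p12
# certutil and pk12util prompt for the database and PKCS#12 passwords.
# The body runs in a subshell so its variables do not leak to the caller.
show_p12_chain() (
    db=$(mktemp -d) || exit 1
    certutil -N -d "$db" &&
    pk12util -i "$1" -d "$db" &&
    certutil -L -d "$db" | user_cert_nicknames |
    while IFS= read -r nick; do
        # Keep certutil away from the pipe that feeds the loop.
        certutil -O -d "$db" -n "$nick" </dev/null
    done
    rc=$?
    rm -rf "$db"   # the database holds the imported private key
    exit "$rc"
)
```
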
