[Freeipa-users] ipa-replica-prepare error

Jan Cholasta jcholast at redhat.com
Wed Jul 29 05:09:04 UTC 2015


Dne 20.7.2015 v 19:52 Orion Poplawski napsal(a):
> On 07/20/2015 12:57 AM, Jan Cholasta wrote:
>> Dne 15.7.2015 v 20:57 Orion Poplawski napsal(a):
>>> On 07/14/2015 11:53 PM, Jan Cholasta wrote:
>>>>
>>>>       # ipa-replica-prepare -v ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12
>>>> --dirsrv_pin=XXXXXX --http_pkcs12=nwra.com.p12 --http_pin=XXXXXX
>>>
>>> Directory Manager (existing master) password:
>>>
>>> (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>>>
>>> Not much :(
>>>
>>> Seems to be very early.
>>>
>>> I can't find an ipa-replica-prepare.log file.
>>
>> That's weird, there should be ~50 lines of output before ipa-replica-prepare
>> prompts you for directory manager password.
>>
>> I didn't have any luck in reproducing the issue so far.
>>
>> Could you please try this:
>>
>>      $ mkdir tmpdb
>>      $ certutil -N -d tmpdb
>>      $ pk12util -i nwra.com.p12 -d tmpdb
>>      $ certutil -L -d tmpdb              # look for the nickname of the certificate which has trust attributes of u,u,u
>>      $ certutil -O -d tmpdb -n nickname  # use the nickname from above
>>
>> I would like to see the output of the last 2 commands.
>>
>
> [root at europa ~]# pk12util -i nwra.com.p12 -d tmpdb
> Enter Password or Pin for "NSS Certificate DB":
> Enter password for PKCS12 file:
> pk12util: no nickname for cert in PKCS12 file.
> pk12util: using nickname: *.nwra.com - COMODO CA Limited
> pk12util: PKCS12 IMPORT SUCCESSFUL
> [root at europa ~]# certutil -L -d tmpdb
>
> Certificate Nickname                                         Trust Attributes
>                                                               SSL,S/MIME,JAR/XPI
>
> COMODO RSA Domain Validation Secure Server CA - COMODO CA Limited ,,
> AddTrust External CA Root - AddTrust AB                      ,,
> *.nwra.com - COMODO CA Limited                               u,u,u
> COMODO RSA Certification Authority - AddTrust AB             ,,
> [root at europa ~]# certutil -O -d tmpdb -n '*.nwra.com - COMODO CA Limited'
> "AddTrust External CA Root - AddTrust AB" [CN=AddTrust External CA
> Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE]
>
>    "COMODO RSA Certification Authority - AddTrust AB" [CN=COMODO RSA
> Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB]
>
>      "COMODO RSA Domain Validation Secure Server CA - COMODO CA Limited"
> [CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA
> Limited,L=Salford,ST=Greater Manchester,C=GB]
>
>        "*.nwra.com - COMODO CA Limited" [CN=*.nwra.com,OU=PositiveSSL
> Wildcard,OU=Domain Control Validated]

Thanks. Unfortunately it looks perfectly fine, so I still have no idea 
what's wrong.

This is a long shot, but could you try running ipa-replica-prepare in 
strace and post the log of that?

     # strace -o ipa-replica-prepare-strace.log ipa-replica-prepare \
         ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12 --dirsrv_pin=XXXXXX \
         --http_pkcs12=nwra.com.p12 --http_pin=XXXXXX

-- 
Jan Cholasta
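The manual check above (import the PKCS#12 into a throwaway NSS database, then pick the nickname whose trust attributes are u,u,u) can be scripted. The following is an added example, not code from the thread or from FreeIPA: it parses `certutil -L` output to find the nickname(s) that carry a private key, and wraps the full inspect-a-PKCS#12 procedure in a function that only needs `certutil` and `pk12util` to be installed. The embedded listing is the one Orion posted above, reproduced so the parsing part runs offline; the `--empty-password` flag to `certutil -N` is a real NSS option, and `inspect_pkcs12` is a name chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): find the certificate that
# ipa-replica-prepare will use from a PKCS#12 file, using only NSS tools.

# Listing taken from the thread (Orion's `certutil -L -d tmpdb` output),
# embedded so the parser can be exercised without NSS installed.
SAMPLE_CERTUTIL_L='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

COMODO RSA Domain Validation Secure Server CA - COMODO CA Limited ,,
AddTrust External CA Root - AddTrust AB                      ,,
*.nwra.com - COMODO CA Limited                               u,u,u
COMODO RSA Certification Authority - AddTrust AB             ,,
'

# Read `certutil -L` output on stdin and print the nicknames whose SSL trust
# slot contains "u", i.e. certificates for which the database holds a private
# key. CA certificates imported from the PKCS#12 show up as ",," and are skipped.
nicknames_with_key() {
    awk '
        # The trust column is the last field: three comma-separated groups of
        # flag letters, each possibly empty (",,", "u,u,u", "CT,C,C", ...).
        # The header line "SSL,S/MIME,JAR/XPI" contains "/" and so never matches.
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            split($NF, t, ",")
            if (t[1] ~ /u/) {
                # Nickname is everything before the trust column; nicknames
                # themselves may contain spaces, so strip only the tail.
                nick = $0
                sub(/[ \t]+[A-Za-z]*,[A-Za-z]*,[A-Za-z]*[ \t]*$/, "", nick)
                print nick
            }
        }'
}

# Run the thread's procedure end to end against a PKCS#12 file (hypothetical
# helper, requires certutil and pk12util): temporary NSS DB, import, then
# print the chain of every nickname that has a private key.
inspect_pkcs12() {
    p12="$1"
    db=$(mktemp -d)
    certutil -N -d "$db" --empty-password
    pk12util -i "$p12" -d "$db"
    certutil -L -d "$db" | nicknames_with_key | while IFS= read -r nick; do
        echo "== $nick =="
        certutil -O -d "$db" -n "$nick"
    done
    rm -rf "$db"
}

# Stand-alone demo on the embedded listing; prints the single server-cert
# nickname from the thread.
printf '%s\n' "$SAMPLE_CERTUTIL_L" | nicknames_with_key
```

Usage: `inspect_pkcs12 nwra.com.p12` reproduces the four manual commands from the thread in one step, and the nickname(s) it prints are the ones to look for in `certutil -O` output; anything other than exactly one u,u,u entry is worth a second look before feeding the file to ipa-replica-prepare.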