[Freeipa-users] ipa-replica-prepare error
Rob Crittenden
rcritten at redhat.com
Mon Jun 1 14:54:55 UTC 2015
Orion Poplawski wrote:
> On 05/28/2015 03:09 PM, Rob Crittenden wrote:
>> Orion Poplawski wrote:
>>> We did a CAless install:
>>>
>>> ipa-server-install -r NWRA.COM -n nwra.com -p `cat /etc/ldap.secret` -a `cat
>>> /etc/ldap.secret` --root-ca-file=PositiveSSLCA2.crt
>>> --dirsrv_pkcs12=nwra.com.p12 --dirsrv_pin=XXXX --http_pkcs12=nwra.com.p12
>>> --http_pin=XXXX --idstart=8000
>>>
>>> But now when we try to set up a replica:
>>>
>>> # ipa-replica-prepare ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12
>>> --dirsrv_pin=XXXX --http_pkcs12=nwra.com.p12 --http_pin=XXXX
>>> Directory Manager (existing master) password:
>>>
>>> The full certificate chain is not present in nwra.com.p12
>>>
>>>
>>> p12 file was created with:
>>>
>>> openssl pkcs12 -export -in /etc/pki/tls/certs/nwra.com.crt -inkey
>>> /etc/pki/tls/private/nwra.com.key -certfile
>>> /etc/pki/tls/certs/PositiveSSLCA2.crt -out nwra.com.p12
>>>
>>> ipa-server-4.1.0-18.sl7_1.3.x86_64
>>>
>>> Any thoughts?
>>>
>>
>> At a glance your creation steps look ok. Strangely, the same code that loads
>> the PKCS#12 files is used both in the server install and replica prepare; the
>> only difference, it seems, is that with the server install we get a copy of the
>> CA separately too.
>>
>> Can you provide the output of: pk12util -l nwra.com.p12
>>
>> Maybe we can work out what it thinks is missing.
>>
>> rob
>
> I think I need to redo our install with an updated (SHA-2?) certificate, but I
> wouldn't think that would affect this issue either.
I don't believe this is related to the signature.
It looks like the right certs are there, so I'm not sure what is going
on. It may be that the built-ins aren't being found and this is needed
because the AddTrust External Root isn't included, and it shouldn't need
to be.
What is really blowing my mind is that the same function that loads the
PKCS#12 file is called both on install and replica prepare but is only
failing on the latter.
Maybe Honza has some ideas.
rob
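An added example, not code from this thread or from the FreeIPA project: a small shell script that does, with the openssl CLI, what Rob's `pk12util -l` request is aimed at. It pulls the certificates out of a PKCS#12 file and checks whether they form a complete chain from the server certificate up to a self-signed root, with an optional separate root CA file standing in for `--root-ca-file`. The script name `check_p12_chain.sh`, the PINs, the CNs and the throw-away test PKI it builds for its demo are all constructed for the example.

```shell
#!/bin/sh
# Added example, not code from this thread or from FreeIPA. Checks whether a
# PKCS#12 bundle carries the full certificate chain (server cert -> ... -> a
# self-signed root), which is the property ipa-replica-prepare complained
# about above. Needs only the openssl CLI; the test PKI below is constructed,
# throw-away material and every CN and PIN in it is a placeholder.

# p12_chain_check FILE PIN [ROOT_CA_PEM]
#   0 = the end-entity cert verifies using only the CA certs packaged in FILE
#       (plus ROOT_CA_PEM when given, the equivalent of --root-ca-file)
#   1 = a link up to a self-signed root is missing from the bundle
#   2 = FILE cannot be opened with PIN (wrong PIN / bad MAC / not a PKCS#12)
p12_chain_check() {
    local p12="$1" pin="$2" root="${3:-}" work rc
    work=$(mktemp -d) || return 2
    # -clcerts selects the cert that carries the private key's localKeyID,
    # -cacerts everything else that was packed in via -certfile.
    if ! openssl pkcs12 -in "$p12" -passin "pass:$pin" -nokeys -clcerts \
            >"$work/leaf.pem" 2>/dev/null; then
        rm -rf "$work"; return 2
    fi
    openssl pkcs12 -in "$p12" -passin "pass:$pin" -nokeys -cacerts \
        >"$work/cas.pem" 2>/dev/null
    if [ -n "$root" ]; then cat "$root" >>"$work/cas.pem"; fi
    # verify succeeds only if every issuer up to a self-signed root is present
    # in -CAfile, which is exactly the "full chain is present" condition.
    if openssl verify -CAfile "$work/cas.pem" "$work/leaf.pem" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$work"
    return $rc
}

# make_test_pki DIR: constructed three-level test PKI (root -> intermediate ->
# server cert) using EC keys so it runs in well under a second.
make_test_pki() {
    local d="$1"
    cat >"$d/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
subjectAltName = DNS:ipa1.example.test
EOF
    openssl req -config "$d/pki.cnf" -x509 -newkey ec \
        -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 2 \
        -subj "/CN=Test Root (constructed)" -extensions v3_ca \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -config "$d/pki.cnf" -newkey ec \
        -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=Test Intermediate (constructed)" \
        -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/pki.cnf" -extensions v3_ca \
        -out "$d/inter.pem" 2>/dev/null
    openssl req -config "$d/pki.cnf" -newkey ec \
        -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=ipa1.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 2 -extfile "$d/pki.cnf" -extensions v3_leaf \
        -out "$d/leaf.pem" 2>/dev/null
}

# build_p12 OUT PIN LEAF_PEM LEAF_KEY CHAIN_PEM...: the same shape of
# "openssl pkcs12 -export" invocation as in the thread, chain certs as files.
build_p12() {
    local out="$1" pin="$2" leaf="$3" key="$4" chain
    shift 4
    chain=$(mktemp)
    cat /dev/null "$@" >"$chain"
    openssl pkcs12 -export -in "$leaf" -inkey "$key" -certfile "$chain" \
        -out "$out" -passout "pass:$pin" 2>/dev/null
    rm -f "$chain"
}

demo() {
    local d f
    d=$(mktemp -d)
    make_test_pki "$d"
    # full.p12 is a correct bundle; partial.p12 is the shape that trips the
    # check: server cert + intermediate, no self-signed root.
    build_p12 "$d/full.p12" secret "$d/leaf.pem" "$d/leaf.key" "$d/inter.pem" "$d/root.pem"
    build_p12 "$d/partial.p12" secret "$d/leaf.pem" "$d/leaf.key" "$d/inter.pem"
    for f in full partial; do
        if p12_chain_check "$d/$f.p12" secret; then
            echo "$f.p12: complete chain"
        else
            echo "$f.p12: chain incomplete"
        fi
    done
    if p12_chain_check "$d/partial.p12" secret "$d/root.pem"; then
        echo "partial.p12 + separate root CA file: complete chain"
    fi
    rm -rf "$d"
}

# Usage: sh check_p12_chain.sh FILE.p12 PIN [root-ca.pem]
# With no arguments the constructed demo runs instead.
if [ $# -ge 2 ]; then
    if p12_chain_check "$1" "$2" "${3:-}"; then
        echo "$1: complete chain"
    else
        echo "$1: chain incomplete or bundle unreadable"
    fi
else
    demo
fi
```

Run it against the real bundle as `sh check_p12_chain.sh nwra.com.p12 XXXX` and, if that reports an incomplete chain, again with the root CA file as the third argument; the difference between the two results tells you whether the bundle itself is missing a link or whether only the separately supplied root was making the install-time check pass. The demo's `partial.p12` reproduces exactly that second situation with constructed certificates.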