[Freeipa-users] ipa-replica-prepare error

Rob Crittenden rcritten at redhat.com
Mon Jun 1 14:54:55 UTC 2015


Orion Poplawski wrote:
> On 05/28/2015 03:09 PM, Rob Crittenden wrote:
>> Orion Poplawski wrote:
>>> We did a CAless install:
>>>
>>> ipa-server-install -r NWRA.COM -n nwra.com -p `cat /etc/ldap.secret` -a `cat
>>> /etc/ldap.secret` --root-ca-file=PositiveSSLCA2.crt
>>> --dirsrv_pkcs12=nwra.com.p12 --dirsrv_pin=XXXX --http_pkcs12=nwra.com.p12
>>> --http_pin=XXXX --idstart=8000
>>>
>>> But now when we try to setup a replica:
>>>
>>> # ipa-replica-prepare ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12
>>> --dirsrv_pin=XXXX --http_pkcs12=nwra.com.p12 --http_pin=XXXX
>>> Directory Manager (existing master) password:
>>>
>>> The full certificate chain is not present in nwra.com.p12
>>>
>>>
>>> p12 file was created with:
>>>
>>> openssl pkcs12 -export -in /etc/pki/tls/certs/nwra.com.crt -inkey
>>> /etc/pki/tls/private/nwra.com.key -certfile
>>> /etc/pki/tls/certs/PositiveSSLCA2.crt -out nwra.com.p12
>>>
>>> ipa-server-4.1.0-18.sl7_1.3.x86_64
>>>
>>> Any thoughts?
>>>
>>
>> At a glance your creation steps look ok. Strangely, the same code that loads
>> the PKCS#12 files is used both in the server install and replica prepare; the
>> only difference, it seems, is that with the server install we get a copy of the
>> CA separately too.
>>
>> Can you provide the output of: pk12util -l nwra.com.p12
>>
>> Maybe we can work out what it thinks is missing.
>>
>> rob
>
> I think I need to redo our install with an updated (SHA-2?) certificate, but I
> wouldn't think that would affect this issue either.

I don't believe this is related to the signature.

It looks like the right certs are there so I'm not sure what is going 
on. It may be that the built-ins aren't being found and this is needed 
because the AddTrust External Root isn't included, and it shouldn't need 
to be.

What is really blowing my mind is the same function that loads the
PKCS#12 file is called both on install and replica prepare but only
failing on the latter.

Maybe Honza has some ideas.

rob
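The openssl command in the thread passes only the intermediate (PositiveSSLCA2.crt) to -certfile, so nothing in the bundle leads to a self-signed root, which is exactly what "the full certificate chain is not present" complains about. As an added example, not code from the thread or from FreeIPA, the script below builds a throwaway root/intermediate/leaf PKI, creates one bundle the way the thread did and one with the root appended, and checks each for a complete chain using only the certificates inside the bundle (the system trust store is deliberately ignored, so built-in roots cannot mask the gap). It assumes the openssl CLI is installed; every name, path and the password "secret" is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): build a PKCS#12 bundle whose
# chain is complete (leaf + intermediate + root) and check a bundle for that
# before handing it to ipa-replica-prepare. Assumes the openssl CLI; the PKI
# below is a constructed toy and all names/passwords are placeholders.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found, skipping"; exit 0; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PASS=pass:secret   # constructed bundle password

# Generate a three-tier toy PKI: root -> intermediate -> leaf.
make_toy_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ipa1.example.test\n' > "$WORK/leaf.ext"
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Root" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 -sha256 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Intermediate" \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/inter.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=ipa1.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
}

# bundle_p12 OUT.p12 CA1.crt [CA2.crt ...]
# Same shape as the openssl command in the thread, but every CA cert that must
# ride along goes into -certfile. Only the intermediate reproduces the
# incomplete bundle; intermediate + root fixes it.
bundle_p12() {
    out="$1"; shift
    cat "$@" > "$WORK/chain.pem"
    openssl pkcs12 -export -in "$WORK/leaf.crt" -inkey "$WORK/leaf.key" \
        -certfile "$WORK/chain.pem" -passout "$PASS" -out "$out"
}

# Number of certificates stored in a bundle (leaf included).
p12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "$PASS" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Succeeds only if the bundle alone can validate its own end-entity cert up to
# a self-signed root: self-signed certs in the bundle act as anchors, the rest
# as untrusted intermediates, and the system store is ignored (-no-CAfile
# -no-CApath) so built-in roots cannot hide a missing one.
p12_chain_complete() {
    p12="$1"; d="$WORK/chk"; rm -rf "$d"; mkdir -p "$d"
    openssl pkcs12 -in "$p12" -clcerts -nokeys -passin "$PASS" 2>/dev/null > "$d/leaf.pem"
    openssl pkcs12 -in "$p12" -cacerts -nokeys -passin "$PASS" 2>/dev/null \
        | awk -v d="$d" '/BEGIN CERTIFICATE/{n++} n{print > (d "/ca" n ".pem")}'
    : > "$d/anchors.pem"; : > "$d/untrusted.pem"
    for f in "$d"/ca*.pem; do
        [ -e "$f" ] || continue
        subj="$(openssl x509 -in "$f" -noout -subject | sed 's/^subject=//')"
        iss="$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer=//')"
        if [ "$subj" = "$iss" ]; then cat "$f" >> "$d/anchors.pem"; else cat "$f" >> "$d/untrusted.pem"; fi
    done
    grep -q 'BEGIN CERTIFICATE' "$d/anchors.pem" || { echo "$p12: no self-signed root in bundle"; return 1; }
    if grep -q 'BEGIN CERTIFICATE' "$d/untrusted.pem"; then
        set -- -untrusted "$d/untrusted.pem" "$d/leaf.pem"
    else
        set -- "$d/leaf.pem"
    fi
    openssl verify -no-CAfile -no-CApath -CAfile "$d/anchors.pem" "$@" >/dev/null 2>&1
}

make_toy_pki
bundle_p12 "$WORK/short.p12" "$WORK/inter.crt"                   # what the thread's command produced
bundle_p12 "$WORK/full.p12"  "$WORK/inter.crt" "$WORK/root.crt"  # intermediate and root embedded
for b in short full; do
    if p12_chain_complete "$WORK/$b.p12"; then s=complete; else s=INCOMPLETE; fi
    echo "$b.p12: $(p12_cert_count "$WORK/$b.p12") certs, chain $s"
done
```

The short bundle reports two certificates and an incomplete chain, the full one three certificates and a complete chain. To look at an existing bundle from the NSS side, as Rob asked, `pk12util -l nwra.com.p12` lists the same certificates. One caveat when rebuilding a bundle today: OpenSSL 3 changed the `pkcs12 -export` defaults to AES and PBKDF2, and an older pk12util may refuse such a file; adding `-legacy` to the export restores the old algorithms.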
