[Freeipa-users] Unable to prepare replica file after changing Directory Manager & PKI Admin Password on Freeipa-3.0.0
Eric Malloy
ejmalloy at gmail.com
Mon Jun 8 20:03:59 UTC 2015
Hello,

Per http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password, I had changed my dm_password and followed steps two and three of this how-to...
Then when I run
```
ipa-replica-prepare -p $(cat ~/dm_password) --ip-address=172.17.0.6 ipa.us-west-2.domain.net --ca=/root/cacert.p12 --debug
```
I am not able to prepare the replica file, which now errors out at:
```
Creating SSL certificate for the Directory Server
ipa : DEBUG Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
ipa : DEBUG Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
ipa : DEBUG args=/usr/bin/certutil -d
/tmp/tmpnq4o0Yipa/realm_info -N -f /tmp/tmpnq4o0Yipa/realm_info/pwdfile.txt
ipa : DEBUG stdout=
ipa : DEBUG stderr=
ipa : DEBUG args=/usr/bin/certutil -d
/tmp/tmpnq4o0Yipa/realm_info -A -n SHOOBX.NET IPA CA -t CT,,C -a
ipa : DEBUG stdout=
ipa : DEBUG stderr=
ipa : DEBUG args=/usr/bin/certutil -d
/tmp/tmpnq4o0Yipa/realm_info -R -s CN=ipa.us-west-2.XXXXX.net,O=XXXXX.NET
-o /var/lib/ipa/ipa-mB7ivC/tmpcertreq -k rsa -g 2048 -z
/tmp/tmpnq4o0Yipa/realm_info/noise.txt -f /tmp/tmpnq4o0Yip
a/realm_info/pwdfile.txt
ipa : DEBUG stdout=
ipa : DEBUG stderr=
Generating key. This may take a few moments...
certutil: could not find certificate named "CN=XXXXX.NET Certificate
Authority": SEC_ERROR_BAD_DATABASE: security library: bad database.
certutil: unable to create cert (security library: bad database.)
ipa : DEBUG args=/usr/bin/certutil -d
/tmp/tmpnq4o0Yipa/realm_info -A -n Server-Cert -t u,u,u -i
/var/lib/ipa/ipa-mB7ivC/tmpcert.der -f
/tmp/tmpnq4o0Yipa/realm_info/pwdfile.txt
ipa : DEBUG stdout=
ipa : DEBUG stderr=Notice: Trust flag u is set automatically if
the private key is present.
certutil: could not decode certificate: SEC_ERROR_INVALID_ARGS: security
library: invalid arguments.
preparation of replica failed: Command '/usr/bin/certutil -d
/tmp/tmpnq4o0Yipa/realm_info -A -n Server-Cert -t u,u,u -i
/var/lib/ipa/ipa-mB7ivC/tmpcert.der -f
/tmp/tmpnq4o0Yipa/realm_info/pwdfile.txt' returned non-zero exit status 255
ipa : DEBUG Command '/usr/bin/certutil -d
/tmp/tmpnq4o0Yipa/realm_info -A -n Server-Cert -t u,u,u -i
/var/lib/ipa/ipa-mB7ivC/tmpcert.der -f
/tmp/tmpnq4o0Yipa/realm_info/pwdfile.txt' returned non-zero exit status 255
File "/usr/sbin/ipa-replica-prepare", line 490, in <module>
main()
File "/usr/sbin/ipa-replica-prepare", line 361, in main
export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert",
replica_fqdn, subject_base)
File "/usr/sbin/ipa-replica-prepare", line 150, in export_certdb
raise e
Command '/usr/bin/certutil -d /tmp/tmpnq4o0Yipa/realm_info -A -n
Server-Cert -t u,u,u -i /var/lib/ipa/ipa-mB7ivC/tmpcert.der -f
/tmp/tmpnq4o0Yipa/realm_info/pwdfile.txt' returned non-zero exit status 255
File "/usr/sbin/ipa-replica-prepare", line 490, in <module>
main()
File "/usr/sbin/ipa-replica-prepare", line 361, in main
export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert",
replica_fqdn, subject_base)
File "/usr/sbin/ipa-replica-prepare", line 150, in export_certdb
raise e
```
I can run certutil successfully on these files:
```
# certutil -L -d /var/lib/pki-ca/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
```
Any ideas?

Ultimately my goal is to replicate the CA from freeipa-3.0.0 to freeipa >3.3.

I found in my ca_audit log that when the replica requested the cookie, the authentication failed, which prompted me to sync up the dm password with the pki admin password. This was suggested by edewata and alee.
Hoping someone has experienced this and has a fix.
Thank you!
Sincerely,
Eric Malloy
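As an added check (not part of the original post or of FreeIPA's own tooling): before re-running ipa-replica-prepare it is worth confirming that the NSS database the tool is exporting from actually holds the CA certificate under the nickname it expects, with the C (trusted CA) flag in the SSL column, since the failure above starts with certutil being unable to find the CA certificate. The snippet below parses `certutil -L` style output and reports the trust flags for a nickname. The listing it runs on is a constructed sample modelled on the output in the post, and the function names `trust_flags` and `has_ca_trust` are my own; on a real host you would feed it `certutil -L -d /path/to/db` output instead.

```shell
#!/bin/sh
# Constructed sample of `certutil -L -d <nssdb>` output, modelled on the
# listing in the post above (not captured from a real system).
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu'

# trust_flags LISTING NICKNAME
# Prints the trust-attribute column (e.g. "CTu,Cu,Cu") for NICKNAME.
# Returns 1 if the nickname is not present in the listing.
# Nicknames may contain spaces, so the last whitespace-separated field is
# taken as the flags and everything before it as the nickname.
trust_flags() {
    listing=$1
    nick=$2
    printf '%s\n' "$listing" | awk -v nick="$nick" '
        # keep only rows whose last field looks like an NSS trust triple
        NF < 2 || $NF !~ /^[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*$/ { next }
        {
            flags = $NF
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # drop the trailing flags column
            if (name == nick) { print flags; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# has_ca_trust LISTING NICKNAME
# Returns 0 when NICKNAME is present and its SSL trust column carries the
# C flag, i.e. the certificate is marked as a trusted CA for SSL; this is
# the state a CA certificate must be in for the realm_info database that
# ipa-replica-prepare builds with `certutil -A ... -t CT,,C`.
has_ca_trust() {
    flags=$(trust_flags "$1" "$2") || return 1
    ssl=${flags%%,*}
    case $ssl in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Stand-alone usage: report on the CA signing certificate from the sample.
if has_ca_trust "$SAMPLE_LISTING" "caSigningCert cert-pki-ca"; then
    echo "caSigningCert cert-pki-ca: present with CA trust ($(trust_flags "$SAMPLE_LISTING" "caSigningCert cert-pki-ca"))"
else
    echo "caSigningCert cert-pki-ca: missing or not trusted as a CA" >&2
fi
```

On a live server, replace `SAMPLE_LISTING` with `$(certutil -L -d /var/lib/pki-ca/alias)` (or the directory server's database) and check both the CA nickname and `Server-Cert`; a missing row or a flags column without `C` for the CA points at the database rather than at the password change.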