[Freeipa-users] ipa-replica-prepare error

Rob Crittenden rcritten at redhat.com
Thu May 28 21:09:33 UTC 2015


Orion Poplawski wrote:
> We did a CAless install:
>
> ipa-server-install -r NWRA.COM -n nwra.com -p `cat /etc/ldap.secret` -a `cat
> /etc/ldap.secret` --root-ca-file=PositiveSSLCA2.crt
> --dirsrv_pkcs12=nwra.com.p12 --dirsrv_pin=XXXX --http_pkcs12=nwra.com.p12
> --http_pin=XXXX --idstart=8000
>
> But now when we try to setup a replica:
>
> # ipa-replica-prepare ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12
> --dirsrv_pin=XXXX --http_pkcs12=nwra.com.p12 --http_pin=XXXX
> Directory Manager (existing master) password:
>
> The full certificate chain is not present in nwra.com.p12
>
>
> p12 file was created with:
>
> openssl pkcs12 -export -in /etc/pki/tls/certs/nwra.com.crt -inkey
> /etc/pki/tls/private/nwra.com.key -certfile
> /etc/pki/tls/certs/PositiveSSLCA2.crt -out nwra.com.p12
>
> ipa-server-4.1.0-18.sl7_1.3.x86_64
>
> Any thoughts?
>

At a glance your creation steps look ok. Strangely, the same code that 
loads the PKCS#12 files is used both in the server install and replica 
prepare; the only difference, it seems, is that with the server install we 
get a copy of the CA separately too.

Can you provide the output of: pk12util -l nwra.com.p12

Maybe we can work out what it thinks is missing.

rob

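Rob's `pk12util -l` shows what the bundle contains; the following is an added example (not from the thread and not FreeIPA's own code) that performs the same chain check mechanically with `openssl`. It assumes the bundle is expected to carry every issuer up to a self-signed root, which is what the error above implies, so a file holding only the server certificate plus the intermediate (as in the `-certfile PositiveSSLCA2.crt` invocation) is reported as incomplete.

```sh
#!/bin/sh
# Check that a PKCS#12 bundle carries a complete certificate chain: every
# certificate's issuer must itself be in the bundle, and the chain must end
# at a self-signed root. A file holding only the end-entity certificate plus
# an intermediate (no root) fails, which is the situation described above.
# Added illustration, not FreeIPA code.
# Usage: p12_chain_complete FILE PASSWORD   -> exit 0 complete, 1 incomplete
p12_chain_complete() {
    f=$1; pw=$2
    tmp=$(mktemp -d) || return 2
    # Dump all certificates as PEM (keys excluded) and split them into one
    # file per certificate, keeping only the BEGIN..END block of each.
    # Note: RC2-encrypted files from old OpenSSL need -legacy on OpenSSL 3.
    openssl pkcs12 -in "$f" -nokeys -passin "pass:$pw" 2>/dev/null |
        awk -v d="$tmp" '
            /-----BEGIN CERTIFICATE-----/ { n++; p = 1 }
            p { print > (d "/cert" n ".pem") }
            /-----END CERTIFICATE-----/   { p = 0 }'
    if [ ! -f "$tmp/cert1.pem" ]; then
        echo "no certificates could be read from $f (wrong password?)" >&2
        rm -rf "$tmp"; return 1
    fi
    # Canonical (RFC 2253) subject names of everything in the bundle.
    subjects=$(for c in "$tmp"/cert*.pem; do
        openssl x509 -in "$c" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
    done)
    rc=0
    for c in "$tmp"/cert*.pem; do
        subj=$(openssl x509 -in "$c" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
        iss=$(openssl x509 -in "$c" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
        # A self-signed certificate terminates the chain.
        [ "$subj" = "$iss" ] && continue
        if printf '%s\n' "$subjects" | grep -qxF -- "$iss"; then
            echo "ok: '$subj' issued by '$iss' (present)"
        else
            echo "MISSING: issuer of '$subj' not in bundle: '$iss'" >&2
            rc=1
        fi
    done
    rm -rf "$tmp"
    return $rc
}
```

Run it as `p12_chain_complete nwra.com.p12 "$PIN"`; a MISSING line names the exact issuer (typically the root) that has to be added via `-certfile` when re-exporting.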