[Freeipa-users] Unable to install replica using replica file

Abhijeet Kasurde akasurde at redhat.com
Wed Jun 15 13:54:33 UTC 2016


Thanks Rob, find my comment inline,

On 06/15/2016 07:18 PM, Rob Crittenden wrote:
> Abhijeet Kasurde wrote:
>> Hi All,
>>
>> I am creating a master-replica setup using the following commands and getting an
>> error on the replica server
>>
>> 2016-06-15T03:53:31Z DEBUG The ipa-replica-install command failed,
>> exception: NetworkError: cannot connect to
>> 'ldaps://dhcp201-141.testrelm.test:636': TLS error -8157:Certificate
>> extension not found.
>>
>> Can anyone explain to me what this error is trying to say?
>
> I think the server certs you created are lacking one or more 
> extensions, I'm just not entirely sure which ones.
>
>> I am performing the following steps
>>
>> $ mkdir /tmp/nssdb
>> $ vim /tmp/nssdb/password.txt
>> $ vim /tmp/nssdb/noise.txt
>> $ certutil -d /tmp/nssdb/ -N -f /tmp/nssdb/password.txt
>> $ certutil -d /tmp/nssdb -S -n ca -s cn=Test_CA -x -t CTu,Cu,Cu -g 2048
>> -v 60 -z /tmp/nssdb/noise.txt -2 -f /tmp/nssdb/passwd.txt
>
> You are answering Y, <blank>, Y here right, for: CA certificate, no 
> length, critical?
>
Yes, I am passing 'Y', 0, 'Y' for CA certificate, no length, critical.
> I'd also add: --keyUsage 
> digitalSignature,nonRepudiation,certSigning,critical
>
OK I will try this.
>> $ certutil -d /tmp/nssdb -S -n server -s cn=dhcp201-172.testrelm.test -t
>> ,, -z /tmp/nssdb/noise.txt -c ca -f /tmp/nssdb/passwd.txt
>
> I'd add in: --extKeyUsage serverAuth,clientAuth --keyUsage 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>
OK I will add this too.
> You pass in a serial # elsewhere, you may want -m 2 for consistency.
>
OK
>> $ /usr/bin/pk12util -o /tmp/nssdb/server.p12 -n server -d /tmp/nssdb -k
>> /tmp/nssdb/passwd.txt -W Secret123
>> $ ipa-server-install --http-cert-file /tmp/nssdb/server.p12
>> --dirsrv-cert-file /tmp/nssdb/server.p12 --ip-address 10.65.210.89 -r
>> TESTRELM.TEST -p Secret123 -a Secret123 --setup-dns --forwarder
>> 10.11.5.19 --http-pin Secret123 --dirsrv-pin Secret123 -U
>> $ certutil -d /tmp/nssdb -S -n ca -s cn=Test_CA -x -t CTu,Cu,Cu -g 2048
>> -v 60 -z /tmp/nssdb/noise.txt -2 -f /tmp/nssdb/passwd.txt -m 3
>
> No need to re-create the CA certificate.
>
I am trying to update the serial number of the CA certificate.
>> $ certutil -d /tmp/nssdb -S -n replica -s cn=dhcp201-141.testrelm.test
>> -t ,, -z /tmp/nssdb/noise.txt -c ca -f /tmp/nssdb/passwd.txt -m 4
>> $ /usr/bin/pk12util -o /tmp/nssdb/replica.p12 -n replica -d /tmp/nssdb
>> -k /tmp/nssdb/passwd.txt -W Secret123
>> $ ipa-replica-prepare dhcp201-141.testrelm.test --http_pkcs12
>> /tmp/nssdb/replica.p12 --http_pin Secret123 --dirsrv_pkcs12
>> /tmp/nssdb/replica.p12 --dirsrv_pin Secret123 --ip-address 10.65.210.91
>> --reverse-zone=210.65.10.in-addr.arpa.
>> $ scp /var/lib/ipa/replica-info-dhcp201-141.testrelm.test.gpg
>> root at dhcp201-141.testrelm.test:/root/
>>
>> Attaching console.log and replicainstall.log
>
I will try the above modifications and let you know, Rob. Thanks.

-- 
Thanks,
Abhijeet Kasurde

IRC: akasurde
http://akasurde.github.io
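A way to check a certificate for the extensions Rob recommends in this thread (basicConstraints CA:TRUE marked critical and certSigning on the CA; keyUsage plus extKeyUsage serverAuth on the server cert), as an added example that is not part of the original exchange. It uses the Python `cryptography` package and builds constructed self-signed test certificates for dhcp201-141.testrelm.test in place of the certutil-generated ones; the function and label names are assumptions of this example.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def _missing(cert, wanted):
    """Return labels of wanted (label, extension class, check) entries the cert fails."""
    out = []
    for label, cls, check in wanted:
        try:
            ext = cert.extensions.get_extension_for_class(cls)
        except x509.ExtensionNotFound:
            out.append(label)
            continue
        if not check(ext):
            out.append(label)
    return out


def missing_ca_extensions(cert):
    """What a CA cert used for the IPA server certs should carry (per the thread)."""
    return _missing(cert, [
        ("basicConstraints CA:TRUE critical", x509.BasicConstraints,
         lambda e: e.value.ca and e.critical),
        ("keyUsage certSigning", x509.KeyUsage, lambda e: e.value.key_cert_sign),
    ])


def missing_server_extensions(cert):
    """What the HTTP/Directory Server cert should carry so TLS clients accept it."""
    return _missing(cert, [
        ("keyUsage digitalSignature,keyEncipherment", x509.KeyUsage,
         lambda e: e.value.digital_signature and e.value.key_encipherment),
        ("extKeyUsage serverAuth", x509.ExtendedKeyUsage,
         lambda e: ExtendedKeyUsageOID.SERVER_AUTH in e.value),
    ])


def make_cert(cn, extensions):
    """Constructed self-signed test cert (stand-in for certutil -S output)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=30)))
    for ext, critical in extensions:
        b = b.add_extension(ext, critical=critical)
    return b.sign(key, hashes.SHA256())


# A bare cert like the replica one in the thread versus one carrying Rob's suggested extensions.
BARE = make_cert("dhcp201-141.testrelm.test", [])
GOOD = make_cert("dhcp201-141.testrelm.test", [
    (x509.KeyUsage(digital_signature=True, content_commitment=True, key_encipherment=True,
                   data_encipherment=True, key_agreement=False, key_cert_sign=False,
                   crl_sign=False, encipher_only=False, decipher_only=False), False),
    (x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH,
                            ExtendedKeyUsageOID.CLIENT_AUTH]), False),
])
```

Run `missing_server_extensions` against the cert exported from the NSS database (load it with `x509.load_pem_x509_certificate` after `certutil -L -a`) to see which extension the "Certificate extension not found" TLS error is complaining about.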