[Freeipa-users] ipa-replica-prepare failing
Joshua Ruybal
jruybal at owneriq.com
Thu Oct 27 20:21:00 UTC 2016
Took a look at the dogtag logs, the debug log only shows the following
every time I run ipa-replica-prepare.
[27/Oct/2016:12:55:02][http-9444-1]: CMSServlet: curDate=Thu Oct 27 12:55:02 EDT 2016 id=caProfileSubmitSSLClient time=10
The other logs don't appear to have anything.
I tried to run ipa cert-request on one of the servers and get:
(SSL_ERROR_BAD_CERT_ALERT) SSL peer cannot verify your certificate.
I've checked that the cert is in /etc/httpd/alias, /etc/pki/nssdb,
/etc/dirsrv/slapd-EXAMPLE-COM, and /etc/dirsrv/slapd-PKI-IPA.
Is there anywhere else I would need to add the CA cert?
On Thu, Oct 27, 2016 at 5:23 AM, Rob Crittenden <rcritten at redhat.com> wrote:
> Joshua Ruybal wrote:
>
>> While trying to run IPA replica prepare with debug, we see an
>> unexplained failure.
>>
>> Debug seems to show the process running smoothly, then I see:
>> "Certificate issuance failed".
>>
>> Looking at previous mail-archives, I see that someone has run into this
>> before, however all permissions on caIPAserviceCert.cfg are correct (the
>> solution for him).
>>
>> Is there any method to get more details on the failure from
>> ipa-replica-prepare?
>>
>
> I'd check the dogtag logs. This error is thrown when no certificate is
> issued by the CA.
>
> There is no way other than instrumenting the code to get more details
> about the error from ipa-replica-prepare.
>
> rob
>
>
--
<http://www.owneriq.com/>
*Joshua Ruybal | Systems Engineer*
o: (866) 870-2295 x823 <8668702293x823> c: (206) 724-4549 <2067244549>
e: jruybal at owneriq.com