<div dir="ltr"><div><div>Now on the replica server I've got this error :<br>Run connection check to master<br>Connection check OK<br>Configuring ntpd<br> [1/4]: stopping ntpd<br> [2/4]: writing configuration<br> [3/4]: configuring ntpd to start on boot<br>
[4/4]: starting ntpd<br>done configuring ntpd.<br>Configuring directory server: Estimated time 1 minute<br> [1/30]: creating directory server user<br> [2/30]: creating directory server instance<br> [3/30]: adding default schema<br>
[4/30]: enabling memberof plugin<br> [5/30]: enabling referential integrity plugin<br> [6/30]: enabling winsync plugin<br> [7/30]: configuring replication version plugin<br> [8/30]: enabling IPA enrollment plugin<br>
[9/30]: enabling ldapi<br> [10/30]: configuring uniqueness plugin<br> [11/30]: configuring uuid plugin<br> [12/30]: configuring modrdn plugin<br> [13/30]: enabling entryUSN plugin<br> [14/30]: configuring lockout plugin<br>
[15/30]: creating indices<br> [16/30]: configuring ssl for ds instance<br>creation of replica failed: Could not find a CA cert in /tmp/tmp21VpT8ipa/realm_info/dscert.p12<br><br>Your system may be partly configured.<br>
Run /usr/sbin/ipa-server-install --uninstall to clean up.<br><br><br></div>Where I have to put the CA certficate ?<br><br></div>Regards (again)<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">2013/2/8 Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">James James wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I had to set the --dirsrv_pkcs12, --dirsrv_pin, --http_pkcs12,<br>
--http_pin and the ipa-replica-prepare command runs without failure.<br>
<br>
Thanks for your help.<br>
</blockquote>
<br></div>
Yes, this is what I was going to suggest. Using ipa-server-certinstall replace the IPA CA with an external one.<br>
<br>
I should note that we're deprecating this tool and do not recommend that it be used. We instead suggest that if you need certificates from an external CA you get the IPA CA signed as a subordinate.<br>
<br>
rob<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
<br>
2013/2/8 James James <<a href="mailto:jreg2k@gmail.com" target="_blank">jreg2k@gmail.com</a> <mailto:<a href="mailto:jreg2k@gmail.com" target="_blank">jreg2k@gmail.com</a>>><div class="im"><br>
<br>
My ipa version is ipa-server-2.2.0-17.el6_3.1.<u></u>x86_64 and the distro<br>
is Scientific Linux 6.3. I have used ipa-server-certinstall to<br>
replace the default IPA certs.<br>
<br>
<br>
<br>
<br>
2013/2/8 Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a><br></div>
<mailto:<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>>><div class="im"><br>
<br>
James James wrote:<br>
<br>
Hi,<br>
today I wanted to install a ipa replica. When I used the<br>
ipa-replica-prepare command, I've got this error :<br>
<br>
[root@ipa ~]# ipa-replica-prepare <a href="http://ipa2-example.com" target="_blank">ipa2-example.com</a><br></div>
<<a href="http://ipa2-example.com" target="_blank">http://ipa2-example.com</a>> <<a href="http://ipa2-example.com" target="_blank">http://ipa2-example.com</a>><div class="im"><br>
<br>
Directory Manager (existing master) password:<br>
<br>
Preparing replica for ipa-EXAMPLE.COM from <a href="http://ipa.EXAMPLE.COM" target="_blank">ipa.EXAMPLE.COM</a><br>
<<a href="http://ipa.EXAMPLE.COM" target="_blank">http://ipa.EXAMPLE.COM</a>><br>
<<a href="http://ipa.EXAMPLE.COM" target="_blank">http://ipa.EXAMPLE.COM</a>><br>
<br>
Creating SSL certificate for the Directory Server<br>
certutil: could not find certificate named "CN=<a href="http://EXAMPLE.COM" target="_blank">EXAMPLE.COM</a><br>
<<a href="http://EXAMPLE.COM" target="_blank">http://EXAMPLE.COM</a>><br>
<<a href="http://EXAMPLE.COM" target="_blank">http://EXAMPLE.COM</a>> Certificate Authority": security<br>
library: bad database.<br>
<br>
certutil: unable to create cert (security library: bad<br>
database.)<br>
preparation of replica failed: Command '/usr/bin/certutil -d<br>
/tmp/tmpoUpN72ipa/realm_info -A -n Server-Cert -t u,u,u -i<br></div>
/var/lib/ipa/ipa-6qKbha/__<u></u>tmpcert.der -f<br>
/tmp/tmpoUpN72ipa/realm_info/_<u></u>_pwdfile.txt' returned<div class="im"><br>
non-zero exit status 255<br>
Command '/usr/bin/certutil -d /tmp/tmpoUpN72ipa/realm_info -A -n<br></div>
Server-Cert -t u,u,u -i /var/lib/ipa/ipa-6qKbha/__<u></u>tmpcert.der -f<br>
/tmp/tmpoUpN72ipa/realm_info/_<u></u>_pwdfile.txt' returned<br>
non-zero exit status 255<br>
File "/usr/sbin/ipa-replica-__<u></u>prepare", line 459, in<br>
<module><br>
main()<br>
<br>
File "/usr/sbin/ipa-replica-__<u></u>prepare", line 345, in main<div class="im"><br>
export_certdb(api.env.realm, ds_dir, dir,<br>
passwd_fname, "dscert",<br>
replica_fqdn, subject_base)<br>
<br></div>
File "/usr/sbin/ipa-replica-__<u></u>prepare", line 143, in<div class="im"><br>
export_certdb<br>
raise e<br>
<br>
<br>
I have a certificate generated by a custom certificate<br>
authority in the<br>
ipa server.<br>
<br>
<br>
Need more information on your installation. What version of IPA,<br>
what distro?<br>
<br>
Did you use ipa-server-certinstall to replace the default IPA certs?<br>
<br>
rob<br>
<br>
<br>
<br>
</div></blockquote>
<br>
</blockquote></div><br></div>