<div dir="ltr"><div><div><div><div><div>Hi,<br><br></div>Sorry for the lack of details!<br></div>You are indeed  correct about the version its 4.1<br></div>The command I am using is this:<br>ipa-replica-prepare <a href="http://ipa-r1.myobscureddomain.com">ipa-r1.myobscureddomain.com</a> --http-cert-file /home/fedora/newcert.pk12 --dirsrv-cert-file /home/fedora/newcert.pk12 --ip-address 172.31.16.31 -v<br><br></div>Regards,<br><br></div>D<br></div><div class="gmail_extra"><br><div class="gmail_quote">2015-04-09 16:16 GMT+02:00 Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">David Dejaeghere wrote:<br>
> Hi,<br>
><br>
> Does somebody have any pointers for me regarding this issue?<br>
<br>
</span>It would help very much if you'd include the version you're working<br>
with. Based on line numbers I'll assume IPA 4.1.<br>
<br>
It's hard to say since you don't include the command-line you're using,<br>
or what those files consist of.<br>
<br>
It looks like it is blowing up trying to verify that the whole<br>
certificate chain is available. NSS unfortunately doesn't always provide<br>
the best error messages so it's hard to say why this particular cert<br>
can't be loaded.<br>
<br>
rob<br>
<span class=""><br>
><br>
> Regards,<br>
><br>
> D<br>
><br>
> 2015-04-07 13:34 GMT+02:00 David Dejaeghere <<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a><br>
</span>> <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a>>>:<br>
<div class="HOEnZb"><div class="h5">><br>
>     Hello,<br>
><br>
>     I am trying to setup a replica for my master which has been setup<br>
>     with an external CA to use our godaddy wildcard certificate.<br>
>     The ipa-replica-prepare is failing with the following debug information.<br>
>     I am using --http-cert  and --dirsrv-cert with my pk12 server<br>
>     certificate.<br>
>     What can I verify to get an idea of what is going wrong?<br>
><br>
>     ipa: DEBUG: stderr=<br>
>     ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:<br>
>     File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line<br>
>     169, in execute<br>
>         self.ask_for_options()<br>
>       File<br>
>     "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",<br>
>     line 276, in ask_for_options<br>
>         options.http_cert_name)<br>
>       File<br>
>     "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",<br>
>     line 176, in load_pkcs12<br>
>         host_name=self.replica_fqdn)<br>
>       File<br>
>     "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line<br>
>     785, in load_pkcs12<br>
>         nss_cert = x509.load_certificate(cert, x509.DER)<br>
>       File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 128,<br>
>     in load_certificate<br>
>         return nss.Certificate(buffer(data))<br>
><br>
>     ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The<br>
>     ipa-replica-prepare command failed, exception: NSPRError:<br>
>     (SEC_ERROR_LIBRARY_FAILURE) security library failure.<br>
>     ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR:<br>
>     (SEC_ERROR_LIBRARY_FAILURE) security library failure.<br>
><br>
>     Regards,<br>
><br>
>     D<br>
><br>
><br>
><br>
><br>
<br>
</div></div></blockquote></div><br></div>