<div dir="ltr"><div><div><div>Hi,<br><br>I get the same error when I use a pk12 with only the server certificate (and key) in it.<br></div>Not sure what else I can try.<br><br></div>Regards,<br><br></div>D<br></div><div class="gmail_extra"><br><div class="gmail_quote">2015-04-11 0:23 GMT+02:00 Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">David Dejaeghere wrote:<br>
> Hi,<br>
><br>
> I even tried the command using an export from the http service nss db,<br>
> same issue.<br>
><br>
> regarding SElinux:<br>
> ausearch -m AVC -ts recent<br>
> <no matches><br>
><br>
> Sending you the log personally.<br>
<br>
</span>Ok, so the way the certs are imported is all the certs in the PKCS#12<br>
file are loaded in, then marked as untrusted.<br>
<br>
certutil -O is executed against the server cert which prints out what<br>
the trust chain should be and those certs marked as trusted CA's.<br>
<br>
That part is working fine.<br>
<br>
Finally it makes another pass through the database to verify the chain.<br>
<br>
Looking at the output there are two certs with the subject CN=Go Daddy<br>
Root Certificate Authority - G2,O="GoDaddy.com,<br>
Inc.",L=Scottsdale,ST=Arizona,C=US and different serial numbers. I<br>
wonder if this is confusing the cert loader. These certs are included in<br>
the PKCS#12 file (serial #0 and #1828629 AFAICT). I don't know which one<br>
is the "right' one, or if there even is one.<br>
<span class="HOEnZb"><font color="#888888"><br>
rob<br>
</font></span><span class="im HOEnZb"><br>
<br>
><br>
> Regards,<br>
><br>
> D<br>
><br>
> 2015-04-10 17:03 GMT+02:00 Rob Crittenden <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a><br>
</span><div class="HOEnZb"><div class="h5">> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>>:<br>
><br>
> David Dejaeghere wrote:<br>
> > Hi Rob,<br>
> ><br>
> > Without the --http-pin the command will give a prompt to enter the password.<br>
> > Tried both.<br>
> ><br>
> > I am sending the output of the pk12util -l to you in another email.<br>
> > It holds the wildcard certificate and the godaddy bundle for as far as I<br>
> > can tell.<br>
><br>
> I have to admit, I'm a bit stumped. (SEC_ERROR_LIBRARY_FAILURE) is a<br>
> rather generic NSS error which can mean any number of things. It often<br>
> means that the NSS database it is using is bad in some way but given<br>
> that this is a temporary database created just for this purpose I doubt<br>
> that's it. You may want to look for SELinux AVCs though: ausearch -m AVC<br>
> -ts recent.<br>
><br>
> At the point where it is blowing up, the PKCS#12 file has already been<br>
> imported and IPA is walking through the results trying to ensure that<br>
> the full cert trust chain is available. It does this by reading the<br>
> certs out of the database, and at that point it's blowing up.<br>
><br>
> The PKCS#12 output you sent me looks ok. I don't believe this is an<br>
> issue with trust or missing parts of the chain.<br>
><br>
> I created a simple PKCS#12 file and was able to prepare a replica using<br>
> it, so AFAICT the code isn't completely broken.<br>
><br>
> Can you provide the full output from ipa-replica-prepare?<br>
><br>
> rob<br>
> ><br>
> > Regards,<br>
> ><br>
> > D<br>
> ><br>
> > 2015-04-09 21:39 GMT+02:00 Rob Crittenden <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>><br>
</div></div><span class="im HOEnZb">> > <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>>>:<br>
> ><br>
> > David Dejaeghere wrote:<br>
> > > Hi,<br>
> > ><br>
</span><div class="HOEnZb"><div class="h5">> > > Sorry for the lack of details!<br>
> > > You are indeed correct about the version its 4.1<br>
> > > The command I am using is this:<br>
> > > ipa-replica-prepare <a href="http://ipa-r1.myobscureddomain.com" target="_blank">ipa-r1.myobscureddomain.com</a> <<a href="http://ipa-r1.myobscureddomain.com" target="_blank">http://ipa-r1.myobscureddomain.com</a>><br>
> <<a href="http://ipa-r1.myobscureddomain.com" target="_blank">http://ipa-r1.myobscureddomain.com</a>><br>
> > > <<a href="http://ipa-r1.myobscureddomain.com" target="_blank">http://ipa-r1.myobscureddomain.com</a>> --http-cert-file<br>
> > > /home/fedora/newcert.pk12 --dirsrv-cert-file /home/fedora/newcert.pk12<br>
> > > --ip-address 172.31.16.31 -v<br>
> ><br>
> > I was pretty sure a pin was required with those options as well.<br>
> ><br>
> > What do the PKCS#12 files look like: pk12util -l<br>
> > /home/fedora/newcert.pk12<br>
> ><br>
> > rob<br>
> ><br>
> > ><br>
> > > Regards,<br>
> > ><br>
> > > D<br>
> > ><br>
> > > 2015-04-09 16:16 GMT+02:00 Rob Crittenden <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>><br>
> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>><br>
> > > <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>><br>
> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>>>>:<br>
> > ><br>
> > > David Dejaeghere wrote:<br>
> > > > Hi,<br>
> > > ><br>
> > > > Does somebody have any pointers for me regarding this<br>
> issue?<br>
> > ><br>
> > > It would help very much if you'd include the version<br>
> you're working<br>
> > > with. Based on line numbers I'll assume IPA 4.1.<br>
> > ><br>
> > > It's hard to say since you don't include the<br>
> command-line you're using,<br>
> > > or what those files consist of.<br>
> > ><br>
> > > It looks like it is blowing up trying to verify that the<br>
> whole<br>
> > > certificate chain is available. NSS unfortunately<br>
> doesn't always provide<br>
> > > the best error messages so it's hard to say why this<br>
> particular cert<br>
> > > can't be loaded.<br>
> > ><br>
> > > rob<br>
> > ><br>
> > > ><br>
> > > > Regards,<br>
> > > ><br>
> > > > D<br>
> > > ><br>
> > > > 2015-04-07 13:34 GMT+02:00 David Dejaeghere<br>
> <<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a> <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a>><br>
> <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a> <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a>>><br>
> > <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a><br>
> <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a>><br>
> <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a> <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a>>>><br>
> > > > <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a><br>
> <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a>><br>
> > <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a><br>
> <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a>>><br>
> > > <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a><br>
> <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a>><br>
> > <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a><br>
> <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a>>>>>>:<br>
> > > ><br>
> > > > Hello,<br>
> > > ><br>
> > > > I am trying to setup a replica for my master which has<br>
> > been setup<br>
> > > > with an external CA to use our godaddy wildcard<br>
> certificate.<br>
> > > > The ipa-replica-prepare is failing with the<br>
> following debug<br>
> > > information.<br>
> > > > I am using --http-cert and --dirsrv-cert with my pk12<br>
> > server<br>
> > > > certificate.<br>
> > > > What can I verify to get an idea of what is going<br>
> wrong?<br>
> > > ><br>
> > > > ipa: DEBUG: stderr=<br>
> > > ><br>
> > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:<br>
> > > > File<br>
> > ><br>
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line<br>
> > > > 169, in execute<br>
> > > > self.ask_for_options()<br>
> > > > File<br>
> > > ><br>
> > ><br>
> ><br>
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",<br>
> > > > line 276, in ask_for_options<br>
> > > > options.http_cert_name)<br>
> > > > File<br>
> > > ><br>
> > ><br>
> ><br>
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",<br>
> > > > line 176, in load_pkcs12<br>
> > > > host_name=self.replica_fqdn)<br>
> > > > File<br>
> > > ><br>
> > ><br>
> ><br>
> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",<br>
> > > line<br>
> > > > 785, in load_pkcs12<br>
> > > > nss_cert = x509.load_certificate(cert, x509.DER)<br>
> > > > File<br>
> > "/usr/lib/python2.7/site-packages/ipalib/x509.py", line<br>
> > > 128,<br>
> > > > in load_certificate<br>
> > > > return nss.Certificate(buffer(data))<br>
> > > ><br>
> > > ><br>
> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare:<br>
> > > DEBUG: The<br>
> > > > ipa-replica-prepare command failed, exception:<br>
> NSPRError:<br>
> > > > (SEC_ERROR_LIBRARY_FAILURE) security library failure.<br>
> > > ><br>
> > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR:<br>
> > > > (SEC_ERROR_LIBRARY_FAILURE) security library failure.<br>
> > > ><br>
> > > > Regards,<br>
> > > ><br>
> > > > D<br>
> > > ><br>
> > > ><br>
> > > ><br>
> > > ><br>
> > ><br>
> > ><br>
> ><br>
> ><br>
><br>
><br>
<br>
</div></div></blockquote></div><br></div>