<div dir="ltr"><div><div><div>Hi Rob,<br><br></div>So you want to output of the command using pk12 with server cert and key? or with the ca chain in there too?<br><br></div>Regards,<br><br></div>David <div class=""><div id=":2ld" class="" tabindex="0"><img class="" src="https://ssl.gstatic.com/ui/v1/icons/mail/images/cleardot.gif"></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">2015-04-13 16:28 GMT+02:00 Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">David Dejaeghere wrote:<br>
> Hi,<br>
><br>
<span class="">> I get the same error when I use a pk12 with only the server certificate<br>
> (and key) in it.<br>
> Not sure what else I can try.<br>
<br>
</span>I'd need to see the full output again.<br>
<span class="HOEnZb"><font color="#888888"><br>
rob<br>
</font></span><span class="im HOEnZb"><br>
><br>
> Regards,<br>
><br>
> D<br>
><br>
> 2015-04-11 0:23 GMT+02:00 Rob Crittenden <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a><br>
</span><span class="im HOEnZb">> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>>:<br>
><br>
> David Dejaeghere wrote:<br>
> > Hi,<br>
> ><br>
</span><span class="im HOEnZb">> > I even tried the command using an export from the http service nss db,<br>
> > same issue.<br>
> ><br>
> > regarding SElinux:<br>
> > ausearch -m AVC -ts recent<br>
> > <no matches><br>
> ><br>
> > Sending you the log personally.<br>
><br>
> Ok, so the way the certs are imported is all the certs in the PKCS#12<br>
> file are loaded in, then marked as untrusted.<br>
><br>
> certutil -O is executed against the server cert which prints out what<br>
> the trust chain should be and those certs marked as trusted CA's.<br>
><br>
> That part is working fine.<br>
><br>
> Finally it makes another pass through the database to verify the chain.<br>
><br>
> Looking at the output there are two certs with the subject CN=Go Daddy<br>
> Root Certificate Authority - G2,O="GoDaddy.com,<br>
> Inc.",L=Scottsdale,ST=Arizona,C=US and different serial numbers. I<br>
> wonder if this is confusing the cert loader. These certs are included in<br>
> the PKCS#12 file (serial #0 and #1828629 AFAICT). I don't know which one<br>
> is the "right' one, or if there even is one.<br>
><br>
> rob<br>
><br>
><br>
> ><br>
> > Regards,<br>
> ><br>
> > D<br>
> ><br>
> > 2015-04-10 17:03 GMT+02:00 Rob Crittenden <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>><br>
</span><div class="HOEnZb"><div class="h5">> > <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>>>:<br>
> ><br>
> > David Dejaeghere wrote:<br>
> > > Hi Rob,<br>
> > ><br>
> > > Without the --http-pin the command will give a prompt to<br>
> enter the password.<br>
> > > Tried both.<br>
> > ><br>
> > > I am sending the output of the pk12util -l to you in another<br>
> email.<br>
> > > It holds the wildcard certificate and the godaddy bundle for<br>
> as far as I<br>
> > > can tell.<br>
> ><br>
> > I have to admit, I'm a bit stumped.<br>
> (SEC_ERROR_LIBRARY_FAILURE) is a<br>
> > rather generic NSS error which can mean any number of things.<br>
> It often<br>
> > means that the NSS database it is using is bad in some way but<br>
> given<br>
> > that this is a temporary database created just for this<br>
> purpose I doubt<br>
> > that's it. You may want to look for SELinux AVCs though:<br>
> ausearch -m AVC<br>
> > -ts recent.<br>
> ><br>
> > At the point where it is blowing up, the PKCS#12 file has<br>
> already been<br>
> > imported and IPA is walking through the results trying to<br>
> ensure that<br>
> > the full cert trust chain is available. It does this by<br>
> reading the<br>
> > certs out of the database, and at that point it's blowing up.<br>
> ><br>
> > The PKCS#12 output you sent me looks ok. I don't believe this<br>
> is an<br>
> > issue with trust or missing parts of the chain.<br>
> ><br>
> > I created a simple PKCS#12 file and was able to prepare a<br>
> replica using<br>
> > it, so AFAICT the code isn't completely broken.<br>
> ><br>
> > Can you provide the full output from ipa-replica-prepare?<br>
> ><br>
> > rob<br>
> > ><br>
> > > Regards,<br>
> > ><br>
> > > D<br>
> > ><br>
> > > 2015-04-09 21:39 GMT+02:00 Rob Crittenden<br>
> <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>><br>
> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>><br>
</div></div><span class="im HOEnZb">> > > <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>><br>
> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>>>>:<br>
> > ><br>
> > > David Dejaeghere wrote:<br>
> > > > Hi,<br>
> > > ><br>
</span><div class="HOEnZb"><div class="h5">> > > > Sorry for the lack of details!<br>
> > > > You are indeed correct about the version its 4.1<br>
> > > > The command I am using is this:<br>
> > > > ipa-replica-prepare <a href="http://ipa-r1.myobscureddomain.com" target="_blank">ipa-r1.myobscureddomain.com</a><br>
> <<a href="http://ipa-r1.myobscureddomain.com" target="_blank">http://ipa-r1.myobscureddomain.com</a>><br>
> <<a href="http://ipa-r1.myobscureddomain.com" target="_blank">http://ipa-r1.myobscureddomain.com</a>><br>
> > <<a href="http://ipa-r1.myobscureddomain.com" target="_blank">http://ipa-r1.myobscureddomain.com</a>><br>
> > > > <<a href="http://ipa-r1.myobscureddomain.com" target="_blank">http://ipa-r1.myobscureddomain.com</a>> --http-cert-file<br>
> > > > /home/fedora/newcert.pk12 --dirsrv-cert-file<br>
> /home/fedora/newcert.pk12<br>
> > > > --ip-address 172.31.16.31 -v<br>
> > ><br>
> > > I was pretty sure a pin was required with those options<br>
> as well.<br>
> > ><br>
> > > What do the PKCS#12 files look like: pk12util -l<br>
> > > /home/fedora/newcert.pk12<br>
> > ><br>
> > > rob<br>
> > ><br>
> > > ><br>
> > > > Regards,<br>
> > > ><br>
> > > > D<br>
> > > ><br>
> > > > 2015-04-09 16:16 GMT+02:00 Rob Crittenden<br>
> <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>><br>
> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>><br>
> > <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>><br>
> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>>><br>
> > > > <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a><br>
> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a><br>
> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>><br>
> > <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>><br>
> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>>>>>:<br>
> > > ><br>
> > > > David Dejaeghere wrote:<br>
> > > > > Hi,<br>
> > > > ><br>
> > > > > Does somebody have any pointers for me regarding<br>
> this<br>
> > issue?<br>
> > > ><br>
> > > > It would help very much if you'd include the version<br>
> > you're working<br>
> > > > with. Based on line numbers I'll assume IPA 4.1.<br>
> > > ><br>
> > > > It's hard to say since you don't include the<br>
> > command-line you're using,<br>
> > > > or what those files consist of.<br>
> > > ><br>
> > > > It looks like it is blowing up trying to verify<br>
> that the<br>
> > whole<br>
> > > > certificate chain is available. NSS unfortunately<br>
> > doesn't always provide<br>
> > > > the best error messages so it's hard to say why this<br>
> > particular cert<br>
> > > > can't be loaded.<br>
> > > ><br>
> > > > rob<br>
> > > ><br>
> > > > ><br>
> > > > > Regards,<br>
> > > > ><br>
> > > > > D<br>
> > > > ><br>
> > > > > 2015-04-07 13:34 GMT+02:00 David Dejaeghere<br>
> > <<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a><br>
> <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a>><br>
> <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a> <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a>>><br>
> > <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a><br>
> <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a>><br>
> <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a> <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a>>>><br>
> > > <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a><br>
> <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a>><br>
> > <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a><br>
> <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a>>><br>
> > <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a><br>
> <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a>><br>
> <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a><br>
> <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a>>>>><br>
> > > > > <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a><br>
> <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a>><br>
> > <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a><br>
> <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a>>><br>
> > > <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a><br>
> <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a>><br>
> > <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a><br>
> <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a>>>><br>
> > > > <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a><br>
> <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a>><br>
> > <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a><br>
> <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a>>><br>
> > > <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a><br>
> <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a>><br>
> > <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a><br>
> <mailto:<a href="mailto:david.dejaeghere@gmail.com">david.dejaeghere@gmail.com</a>>>>>>>:<br>
> > > > ><br>
> > > > > Hello,<br>
> > > > ><br>
> > > > > I am trying to setup a replica for my master<br>
> which has<br>
> > > been setup<br>
> > > > > with an external CA to use our godaddy wildcard<br>
> > certificate.<br>
> > > > > The ipa-replica-prepare is failing with the<br>
> > following debug<br>
> > > > information.<br>
> > > > > I am using --http-cert and --dirsrv-cert<br>
> with my pk12<br>
> > > server<br>
> > > > > certificate.<br>
> > > > > What can I verify to get an idea of what is<br>
> going<br>
> > wrong?<br>
> > > > ><br>
> > > > > ipa: DEBUG: stderr=<br>
> > > > ><br>
> > ><br>
> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:<br>
> > > > > File<br>
> > > ><br>
> > "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line<br>
> > > > > 169, in execute<br>
> > > > > self.ask_for_options()<br>
> > > > > File<br>
> > > > ><br>
> > > ><br>
> > ><br>
> ><br>
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",<br>
> > > > > line 276, in ask_for_options<br>
> > > > > options.http_cert_name)<br>
> > > > > File<br>
> > > > ><br>
> > > ><br>
> > ><br>
> ><br>
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",<br>
> > > > > line 176, in load_pkcs12<br>
> > > > > host_name=self.replica_fqdn)<br>
> > > > > File<br>
> > > > ><br>
> > > ><br>
> > ><br>
> ><br>
> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",<br>
> > > > line<br>
> > > > > 785, in load_pkcs12<br>
> > > > > nss_cert = x509.load_certificate(cert,<br>
> x509.DER)<br>
> > > > > File<br>
> > > "/usr/lib/python2.7/site-packages/ipalib/x509.py", line<br>
> > > > 128,<br>
> > > > > in load_certificate<br>
> > > > > return nss.Certificate(buffer(data))<br>
> > > > ><br>
> > > > ><br>
> > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare:<br>
> > > > DEBUG: The<br>
> > > > > ipa-replica-prepare command failed, exception:<br>
> > NSPRError:<br>
> > > > > (SEC_ERROR_LIBRARY_FAILURE) security library<br>
> failure.<br>
> > > > ><br>
> > ><br>
> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR:<br>
> > > > > (SEC_ERROR_LIBRARY_FAILURE) security library<br>
> failure.<br>
> > > > ><br>
> > > > > Regards,<br>
> > > > ><br>
> > > > > D<br>
> > > > ><br>
> > > > ><br>
> > > > ><br>
> > > > ><br>
> > > ><br>
> > > ><br>
> > ><br>
> > ><br>
> ><br>
> ><br>
><br>
><br>
<br>
</div></div></blockquote></div><br></div>