Re: [Freeipa-users] ipa-replica-prepare failing

2016-10-27 Thread Rob Crittenden

Joshua Ruybal wrote:

While trying to run IPA replica prepare with debug, we see an
unexplained failure.

Debug seems to show the process running smoothly, then I see:
"Certificate issuance failed".

Looking at previous mail-archives, I see that someone has run into this
before, however all permissions on caIPAserviceCert.cfg are correct (the
solution for him).

Is there any method to get more details on the failure from
ipa-replica-prepare?


I'd check the dogtag logs. This error is thrown when no certificate is 
issued by the CA.


There is no way other than instrumenting the code to get more details 
about the error from ipa-replica-prepare.


rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] ipa-replica-prepare failing

2016-10-26 Thread Fraser Tweedale
On Wed, Oct 26, 2016 at 04:18:12PM -0700, Joshua Ruybal wrote:
> While trying to run IPA replica prepare with debug, we see an unexplained
> failure.
> 
> Debug seems to show the process running smoothly, then I see: "Certificate
> issuance failed".
> 
> Looking at previous mail-archives, I see that someone has run into this
> before, however all permissions on caIPAserviceCert.cfg are correct (the
> solution for him).
> 
> Is there any method to get more details on the failure from
> ipa-replica-prepare?
> 
> Thanks
> 
Need some more information to be able to render assistance :)

Do you have any logs pertaining to the failure?  Is certificate
issuance working, e.g. via `ipa cert-request`?  Are all certificates
in your infrastructure currently valid?

Cheers,
Fraser



[Freeipa-users] ipa-replica-prepare failing

2016-10-26 Thread Joshua Ruybal
While trying to run IPA replica prepare with debug, we see an unexplained
failure.

Debug seems to show the process running smoothly, then I see: "Certificate
issuance failed".

Looking at previous mail-archives, I see that someone has run into this
before, however all permissions on caIPAserviceCert.cfg are correct (the
solution for him).

Is there any method to get more details on the failure from
ipa-replica-prepare?

Thanks

-- 


Joshua Ruybal | Systems Engineer
o: (866) 870-2295 x823  c: (206) 724-4549
e: jruy...@owneriq.com


Re: [Freeipa-users] ipa-replica-prepare failing

2015-08-17 Thread Orion Poplawski
On 08/06/2015 04:10 PM, David Dejaeghere wrote:
 Hello Guys,
 
 I was able to resolve this today.
 My webserver and dirsrv certificate were expired yesterday and trying to
 replace them gave me the same error ERROR: (SEC_ERROR_LIBRARY_FAILURE)
 security library failure.
 So I tried some things to resolve this.
 The trick was to replace /etc/ipa/ca.crt with the godaddy file gdig2 which
 only has 1 certificate. This file you can get while downloading your
 certificate from godaddy. Then I had to add the bundle from godaddy, file
 gd_bundle-g2-g1 into my server cert.
 This made both the command ipa-server-certinstall and ipa-replica-prepare
 finish as expected!
 
 Hope this helps. I saw somebody else with a very similar issue.
 
 Kind Regards,
 
 D

Yeah, the source of this issue appears to be a wrong /etc/ipa/ca.crt created
during ipa-server-install.  I was able to work around it with:

ipa-certupdate

Which wrote out a correct /etc/ipa/ca.crt.

See https://fedorahosted.org/freeipa/ticket/5117#comment:16


-- 
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301   http://www.nwra.com



Re: [Freeipa-users] ipa-replica-prepare failing

2015-08-06 Thread David Dejaeghere
Hello Guys,

I was able to resolve this today.
My webserver and dirsrv certificate were expired yesterday and trying to
replace them gave me the same error ERROR: (SEC_ERROR_LIBRARY_FAILURE)
security library failure.
So I tried some things to resolve this.
The trick was to replace /etc/ipa/ca.crt with the godaddy file gdig2
which only has 1 certificate. This file you can get while downloading your
certificate from godaddy. Then I had to add the bundle from godaddy, file
gd_bundle-g2-g1 into my server cert.
This made both the command ipa-server-certinstall and ipa-replica-prepare
finish as expected!

Hope this helps. I saw somebody else with a very similar issue.

Kind Regards,

D

2015-04-23 7:40 GMT+02:00 Jan Cholasta jchol...@redhat.com:

 Hi,

 yes, you can definitely use a different certificate in the meantime,
 although it can't be self-signed.

 Honza

 Dne 20.4.2015 v 14:17 David Dejaeghere napsal(a):

 Hi,

 Let me know how I can assist.
 In the meantime could I setup a replica using a different certificate?
 Self signed or anything like that?

 Regards,

 D

 2015-04-17 15:27 GMT+02:00 Jan Cholasta jchol...@redhat.com:

 Hi,

 I don't have any new information. I'm trying to reproduce the
 problem but had no luck so far.

 Honza

 Dne 17.4.2015 v 15:23 David Dejaeghere napsal(a):

 Hi,

 Any more things I can try out? How do we proceed?

 Kind Regards,

 D

 2015-04-15 11:48 GMT+02:00 David Dejaeghere david.dejaegh...@gmail.com:

  Hi Honza,

  That gave me the exact same output.  Any ideas?

  Regards,

  D

  2015-04-15 7:33 GMT+02:00 Jan Cholasta jchol...@redhat.com:


  Hi,

  Dne 14.4.2015 v 19:47 Rob Crittenden napsal(a):

  David Dejaeghere wrote:

  Hi Rob,

  So you want to output of the command using pk12
 with
  server cert and
  key? or with the ca chain in there too?


  Oddly enough it is failing in exactly the same
 place. Those
  GoDaddy CA
  certs are still being loaded from somewhere, I'm
 not sure
  where, and I
  suspect that is the source of the problem.


  They are in the default CA certificate bundle (in the
  ca-certificate package). I guess NSS loads it
 automatically.


  I'm going to forward the log to a colleague who has
 worked
  on this code
  more recently than I have. Maybe he will have an
 idea.


  Could you try if the following works?

   # mv /usr/share/pki/ca-trust-source/ca-bundle.trust.crt /root/ca-bundle.trust.crt

   # update-ca-trust

   # ipa-replica-prepare ...

   # mv /root/ca-bundle.trust.crt /usr/share/pki/ca-trust-source/ca-bundle.trust.crt

   # update-ca-trust


  rob


  Honza

  --
  Jan Cholasta







Re: [Freeipa-users] ipa-replica-prepare failing

2015-04-22 Thread Jan Cholasta

Hi,

yes, you can definitely use a different certificate in the meantime, 
although it can't be self-signed.


Honza

Dne 20.4.2015 v 14:17 David Dejaeghere napsal(a):

Hi,

Let me know how I can assist.
In the meantime could I setup a replica using a different certificate?
Self signed or anything like that?

Regards,

D

2015-04-17 15:27 GMT+02:00 Jan Cholasta jchol...@redhat.com:

Hi,

I don't have any new information. I'm trying to reproduce the
problem but had no luck so far.

Honza

Dne 17.4.2015 v 15:23 David Dejaeghere napsal(a):

Hi,

Any more things I can try out? How do we proceed?

Kind Regards,

D

2015-04-15 11:48 GMT+02:00 David Dejaeghere david.dejaegh...@gmail.com:

 Hi Honza,

 That gave me the exact same output.  Any ideas?

 Regards,

 D

 2015-04-15 7:33 GMT+02:00 Jan Cholasta jchol...@redhat.com:

 Hi,

 Dne 14.4.2015 v 19:47 Rob Crittenden napsal(a):

 David Dejaeghere wrote:

 Hi Rob,

 So you want to output of the command using pk12
with
 server cert and
 key? or with the ca chain in there too?


 Oddly enough it is failing in exactly the same
place. Those
 GoDaddy CA
 certs are still being loaded from somewhere, I'm
not sure
 where, and I
 suspect that is the source of the problem.


 They are in the default CA certificate bundle (in the
 ca-certificate package). I guess NSS loads it
automatically.


 I'm going to forward the log to a colleague who has
worked
 on this code
 more recently than I have. Maybe he will have an idea.


 Could you try if the following works?

  # mv /usr/share/pki/ca-trust-source/ca-bundle.trust.crt /root/ca-bundle.trust.crt

  # update-ca-trust

  # ipa-replica-prepare ...

  # mv /root/ca-bundle.trust.crt /usr/share/pki/ca-trust-source/ca-bundle.trust.crt

  # update-ca-trust


 rob


 Honza

 --
 Jan Cholasta








Re: [Freeipa-users] ipa-replica-prepare failing

2015-04-20 Thread David Dejaeghere
Hi,

Let me know how I can assist.
In the meantime could I setup a replica using a different certificate? Self
signed or anything like that?

Regards,

D

2015-04-17 15:27 GMT+02:00 Jan Cholasta jchol...@redhat.com:

 Hi,

 I don't have any new information. I'm trying to reproduce the problem but
 had no luck so far.

 Honza

 Dne 17.4.2015 v 15:23 David Dejaeghere napsal(a):

 Hi,

 Any more things I can try out? How do we proceed?

 Kind Regards,

 D

 2015-04-15 11:48 GMT+02:00 David Dejaeghere david.dejaegh...@gmail.com:

 Hi Honza,

 That gave me the exact same output.  Any ideas?

 Regards,

 D

 2015-04-15 7:33 GMT+02:00 Jan Cholasta jchol...@redhat.com:

 Hi,

 Dne 14.4.2015 v 19:47 Rob Crittenden napsal(a):

 David Dejaeghere wrote:

 Hi Rob,

 So you want to output of the command using pk12 with
 server cert and
 key? or with the ca chain in there too?


 Oddly enough it is failing in exactly the same place. Those
 GoDaddy CA
 certs are still being loaded from somewhere, I'm not sure
 where, and I
 suspect that is the source of the problem.


 They are in the default CA certificate bundle (in the
 ca-certificate package). I guess NSS loads it automatically.


 I'm going to forward the log to a colleague who has worked
 on this code
 more recently than I have. Maybe he will have an idea.


 Could you try if the following works?

  # mv /usr/share/pki/ca-trust-source/ca-bundle.trust.crt /root/ca-bundle.trust.crt

  # update-ca-trust

  # ipa-replica-prepare ...

  # mv /root/ca-bundle.trust.crt /usr/share/pki/ca-trust-source/ca-bundle.trust.crt

  # update-ca-trust


 rob


 Honza

 --
 Jan Cholasta







Re: [Freeipa-users] ipa-replica-prepare failing

2015-04-17 Thread David Dejaeghere
Hi,

Any more things I can try out? How do we proceed?

Kind Regards,

D

2015-04-15 11:48 GMT+02:00 David Dejaeghere david.dejaegh...@gmail.com:

 Hi Honza,

 That gave me the exact same output.  Any ideas?

 Regards,

 D

 2015-04-15 7:33 GMT+02:00 Jan Cholasta jchol...@redhat.com:

 Hi,

 Dne 14.4.2015 v 19:47 Rob Crittenden napsal(a):

 David Dejaeghere wrote:

 Hi Rob,

 So you want to output of the command using pk12 with server cert and
 key? or with the ca chain in there too?


 Oddly enough it is failing in exactly the same place. Those GoDaddy CA
 certs are still being loaded from somewhere, I'm not sure where, and I
 suspect that is the source of the problem.


 They are in the default CA certificate bundle (in the ca-certificate
 package). I guess NSS loads it automatically.


 I'm going to forward the log to a colleague who has worked on this code
 more recently than I have. Maybe he will have an idea.


 Could you try if the following works?

 # mv /usr/share/pki/ca-trust-source/ca-bundle.trust.crt /root/ca-bundle.trust.crt

 # update-ca-trust

 # ipa-replica-prepare ...

 # mv /root/ca-bundle.trust.crt /usr/share/pki/ca-trust-source/ca-bundle.trust.crt

 # update-ca-trust


 rob


 Honza

 --
 Jan Cholasta




Re: [Freeipa-users] ipa-replica-prepare failing

2015-04-17 Thread Jan Cholasta

Hi,

I don't have any new information. I'm trying to reproduce the problem 
but had no luck so far.


Honza

Dne 17.4.2015 v 15:23 David Dejaeghere napsal(a):

Hi,

Any more things I can try out? How do we proceed?

Kind Regards,

D

2015-04-15 11:48 GMT+02:00 David Dejaeghere david.dejaegh...@gmail.com:

Hi Honza,

That gave me the exact same output.  Any ideas?

Regards,

D

2015-04-15 7:33 GMT+02:00 Jan Cholasta jchol...@redhat.com:

Hi,

Dne 14.4.2015 v 19:47 Rob Crittenden napsal(a):

David Dejaeghere wrote:

Hi Rob,

So you want to output of the command using pk12 with
server cert and
key? or with the ca chain in there too?


Oddly enough it is failing in exactly the same place. Those
GoDaddy CA
certs are still being loaded from somewhere, I'm not sure
where, and I
suspect that is the source of the problem.


They are in the default CA certificate bundle (in the
ca-certificate package). I guess NSS loads it automatically.


I'm going to forward the log to a colleague who has worked
on this code
more recently than I have. Maybe he will have an idea.


Could you try if the following works?

 # mv /usr/share/pki/ca-trust-source/ca-bundle.trust.crt /root/ca-bundle.trust.crt

 # update-ca-trust

 # ipa-replica-prepare ...

 # mv /root/ca-bundle.trust.crt /usr/share/pki/ca-trust-source/ca-bundle.trust.crt

 # update-ca-trust


rob


Honza

--
Jan Cholasta









Re: [Freeipa-users] ipa-replica-prepare failing

2015-04-15 Thread David Dejaeghere
Hi Honza,

That gave me the exact same output.  Any ideas?

Regards,

D

2015-04-15 7:33 GMT+02:00 Jan Cholasta jchol...@redhat.com:

 Hi,

 Dne 14.4.2015 v 19:47 Rob Crittenden napsal(a):

 David Dejaeghere wrote:

 Hi Rob,

 So you want to output of the command using pk12 with server cert and
 key? or with the ca chain in there too?


 Oddly enough it is failing in exactly the same place. Those GoDaddy CA
 certs are still being loaded from somewhere, I'm not sure where, and I
 suspect that is the source of the problem.


 They are in the default CA certificate bundle (in the ca-certificate
 package). I guess NSS loads it automatically.


 I'm going to forward the log to a colleague who has worked on this code
 more recently than I have. Maybe he will have an idea.


 Could you try if the following works?

 # mv /usr/share/pki/ca-trust-source/ca-bundle.trust.crt /root/ca-bundle.trust.crt

 # update-ca-trust

 # ipa-replica-prepare ...

 # mv /root/ca-bundle.trust.crt /usr/share/pki/ca-trust-source/ca-bundle.trust.crt

 # update-ca-trust


 rob


 Honza

 --
 Jan Cholasta


Re: [Freeipa-users] ipa-replica-prepare failing

2015-04-14 Thread Rob Crittenden
David Dejaeghere wrote:
 Hi Rob,
 
 So you want to output of the command using pk12 with server cert and
 key? or with the ca chain in there too?
 

Oddly enough it is failing in exactly the same place. Those GoDaddy CA
certs are still being loaded from somewhere, I'm not sure where, and I
suspect that is the source of the problem.

I'm going to forward the log to a colleague who has worked on this code
more recently than I have. Maybe he will have an idea.

rob



Re: [Freeipa-users] ipa-replica-prepare failing

2015-04-14 Thread Jan Cholasta

Hi,

Dne 14.4.2015 v 19:47 Rob Crittenden napsal(a):

David Dejaeghere wrote:

Hi Rob,

So you want to output of the command using pk12 with server cert and
key? or with the ca chain in there too?



Oddly enough it is failing in exactly the same place. Those GoDaddy CA
certs are still being loaded from somewhere, I'm not sure where, and I
suspect that is the source of the problem.


They are in the default CA certificate bundle (in the ca-certificate 
package). I guess NSS loads it automatically.




I'm going to forward the log to a colleague who has worked on this code
more recently than I have. Maybe he will have an idea.


Could you try if the following works?

# mv /usr/share/pki/ca-trust-source/ca-bundle.trust.crt /root/ca-bundle.trust.crt

# update-ca-trust

# ipa-replica-prepare ...

# mv /root/ca-bundle.trust.crt /usr/share/pki/ca-trust-source/ca-bundle.trust.crt

# update-ca-trust



rob



Honza

--
Jan Cholasta



Re: [Freeipa-users] ipa-replica-prepare failing

2015-04-13 Thread David Dejaeghere
Hi Rob,

So you want to output of the command using pk12 with server cert and key?
or with the ca chain in there too?

Regards,

David

2015-04-13 16:28 GMT+02:00 Rob Crittenden rcrit...@redhat.com:

 David Dejaeghere wrote:
  Hi,
 
  I get the same error when I use a pk12 with only the server certificate
  (and key) in it.
  Not sure what else I can try.

 I'd need to see the full output again.

 rob

 
  Regards,
 
  D
 
  2015-04-11 0:23 GMT+02:00 Rob Crittenden rcrit...@redhat.com:
 
  David Dejaeghere wrote:
   Hi,
  
   I even tried the command using an export from the http service nss
 db,
   same issue.
  
   regarding SElinux:
   ausearch -m AVC -ts recent
   no matches
  
   Sending you the log personally.
 
  Ok, so the way the certs are imported is all the certs in the PKCS#12
  file are loaded in, then marked as untrusted.
 
  certutil -O is executed against the server cert which prints out what
  the trust chain should be and those certs marked as trusted CA's.
 
  That part is working fine.
 
  Finally it makes another pass through the database to verify the
 chain.
 
  Looking at the output there are two certs with the subject CN=Go
 Daddy
  Root Certificate Authority - G2,O=GoDaddy.com,
  Inc.,L=Scottsdale,ST=Arizona,C=US and different serial numbers. I
  wonder if this is confusing the cert loader. These certs are
 included in
  the PKCS#12 file (serial #0 and #1828629 AFAICT). I don't know which
 one
  is the 'right' one, or if there even is one.
 
  rob
 
 
  
   Regards,
  
   D
  
   2015-04-10 17:03 GMT+02:00 Rob Crittenden rcrit...@redhat.com:
  
   David Dejaeghere wrote:
Hi Rob,
   
Without the --http-pin the command will give a prompt to
  enter the password.
Tried both.
   
I am sending the output of the pk12util -l to you in another
  email.
It holds the wildcard certificate and the godaddy bundle for
  as far as I
can tell.
  
   I have to admit, I'm a bit stumped.
  (SEC_ERROR_LIBRARY_FAILURE) is a
   rather generic NSS error which can mean any number of things.
  It often
   means that the NSS database it is using is bad in some way but
  given
   that this is a temporary database created just for this
  purpose I doubt
   that's it. You may want to look for SELinux AVCs though:
  ausearch -m AVC
   -ts recent.
  
   At the point where it is blowing up, the PKCS#12 file has
  already been
   imported and IPA is walking through the results trying to
  ensure that
   the full cert trust chain is available. It does this by
  reading the
   certs out of the database, and at that point it's blowing up.
  
   The PKCS#12 output you sent me looks ok. I don't believe this
  is an
   issue with trust or missing parts of the chain.
  
   I created a simple PKCS#12 file and was able to prepare a
  replica using
   it, so AFAICT the code isn't completely broken.
  
   Can you provide the full output from ipa-replica-prepare?
  
   rob
   
Regards,
   
D
   
 2015-04-09 21:39 GMT+02:00 Rob Crittenden rcrit...@redhat.com:
   
David Dejaeghere wrote:
 Hi,

 Sorry for the lack of details!
 You are indeed correct about the version, it's 4.1.
 The command I am using is this:
 ipa-replica-prepare ipa-r1.myobscureddomain.com --http-cert-file /home/fedora/newcert.pk12 --dirsrv-cert-file /home/fedora/newcert.pk12 --ip-address 172.31.16.31 -v
   
I was pretty sure a pin was required with those options
  as well.
   
What do the PKCS#12 files look like: pk12util -l
/home/fedora/newcert.pk12
   
rob
   

 Regards,

 D

 2015-04-09 16:16 GMT+02:00 Rob Crittenden rcrit...@redhat.com

Re: [Freeipa-users] ipa-replica-prepare failing

2015-04-13 Thread Rob Crittenden
David Dejaeghere wrote:
 Hi,
 
 I get the same error when I use a pk12 with only the server certificate
 (and key) in it.
 Not sure what else I can try.

I'd need to see the full output again.

rob

 
 Regards,
 
 D
 
 2015-04-11 0:23 GMT+02:00 Rob Crittenden rcrit...@redhat.com:
 
 David Dejaeghere wrote:
  Hi,
 
  I even tried the command using an export from the http service nss db,
  same issue.
 
  regarding SElinux:
  ausearch -m AVC -ts recent
  no matches
 
  Sending you the log personally.
 
 Ok, so the way the certs are imported is all the certs in the PKCS#12
 file are loaded in, then marked as untrusted.
 
 certutil -O is executed against the server cert which prints out what
 the trust chain should be and those certs marked as trusted CA's.
 
 That part is working fine.
 
 Finally it makes another pass through the database to verify the chain.
 
 Looking at the output there are two certs with the subject CN=Go Daddy
 Root Certificate Authority - G2,O=GoDaddy.com,
 Inc.,L=Scottsdale,ST=Arizona,C=US and different serial numbers. I
 wonder if this is confusing the cert loader. These certs are included in
 the PKCS#12 file (serial #0 and #1828629 AFAICT). I don't know which one
 is the 'right' one, or if there even is one.
 
 rob
 
 
 
  Regards,
 
  D
 
  2015-04-10 17:03 GMT+02:00 Rob Crittenden rcrit...@redhat.com:
 
  David Dejaeghere wrote:
   Hi Rob,
  
   Without the --http-pin the command will give a prompt to
 enter the password.
   Tried both.
  
   I am sending the output of the pk12util -l to you in another
 email.
   It holds the wildcard certificate and the godaddy bundle for
 as far as I
   can tell.
 
  I have to admit, I'm a bit stumped.
 (SEC_ERROR_LIBRARY_FAILURE) is a
  rather generic NSS error which can mean any number of things.
 It often
  means that the NSS database it is using is bad in some way but
 given
  that this is a temporary database created just for this
 purpose I doubt
  that's it. You may want to look for SELinux AVCs though:
 ausearch -m AVC
  -ts recent.
 
  At the point where it is blowing up, the PKCS#12 file has
 already been
  imported and IPA is walking through the results trying to
 ensure that
  the full cert trust chain is available. It does this by
 reading the
  certs out of the database, and at that point it's blowing up.
 
  The PKCS#12 output you sent me looks ok. I don't believe this
 is an
  issue with trust or missing parts of the chain.
 
  I created a simple PKCS#12 file and was able to prepare a
 replica using
  it, so AFAICT the code isn't completely broken.
 
  Can you provide the full output from ipa-replica-prepare?
 
  rob
  
   Regards,
  
   D
  
   2015-04-09 21:39 GMT+02:00 Rob Crittenden rcrit...@redhat.com:
  
   David Dejaeghere wrote:
Hi,
   
Sorry for the lack of details!
 You are indeed correct about the version, it's 4.1.
The command I am using is this:
 ipa-replica-prepare ipa-r1.myobscureddomain.com --http-cert-file /home/fedora/newcert.pk12 --dirsrv-cert-file /home/fedora/newcert.pk12 --ip-address 172.31.16.31 -v
  
   I was pretty sure a pin was required with those options
 as well.
  
   What do the PKCS#12 files look like: pk12util -l
   /home/fedora/newcert.pk12
  
   rob
  
   
Regards,
   
D
   
 2015-04-09 16:16 GMT+02:00 Rob Crittenden rcrit...@redhat.com
 

Re: [Freeipa-users] ipa-replica-prepare failing

2015-04-10 Thread Rob Crittenden
David Dejaeghere wrote:
 Hi,
 
 I even tried the command using an export from the http service nss db,
 same issue.
 
 regarding SElinux:
 ausearch -m AVC -ts recent
 no matches
 
 Sending you the log personally.

Ok, so the way the certs are imported is all the certs in the PKCS#12
file are loaded in, then marked as untrusted.

certutil -O is executed against the server cert which prints out what
the trust chain should be, and those certs are marked as trusted CAs.

That part is working fine.

Finally it makes another pass through the database to verify the chain.

Looking at the output there are two certs with the subject CN=Go Daddy
Root Certificate Authority - G2,O=GoDaddy.com,
Inc.,L=Scottsdale,ST=Arizona,C=US and different serial numbers. I
wonder if this is confusing the cert loader. These certs are included in
the PKCS#12 file (serial #0 and #1828629 AFAICT). I don't know which one
is the 'right' one, or if there even is one.

rob


 
 Regards,
 
 D
 
 2015-04-10 17:03 GMT+02:00 Rob Crittenden rcrit...@redhat.com:
 
 David Dejaeghere wrote:
  Hi Rob,
 
  Without the --http-pin the command will give a prompt to enter the 
 password.
  Tried both.
 
  I am sending the output of the pk12util -l to you in another email.
  It holds the wildcard certificate and the godaddy bundle for as far as I
  can tell.
 
 I have to admit, I'm a bit stumped. (SEC_ERROR_LIBRARY_FAILURE) is a
 rather generic NSS error which can mean any number of things. It often
 means that the NSS database it is using is bad in some way but given
 that this is a temporary database created just for this purpose I doubt
 that's it. You may want to look for SELinux AVCs though: ausearch -m AVC
 -ts recent.
 
 At the point where it is blowing up, the PKCS#12 file has already been
 imported and IPA is walking through the results trying to ensure that
 the full cert trust chain is available. It does this by reading the
 certs out of the database, and at that point it's blowing up.
 
 The PKCS#12 output you sent me looks ok. I don't believe this is an
 issue with trust or missing parts of the chain.
 
 I created a simple PKCS#12 file and was able to prepare a replica using
 it, so AFAICT the code isn't completely broken.
 
 Can you provide the full output from ipa-replica-prepare?
 
 rob
 
  Regards,
 
  D
 
  2015-04-09 21:39 GMT+02:00 Rob Crittenden rcrit...@redhat.com:
 
  David Dejaeghere wrote:
   Hi,
  
   Sorry for the lack of details!
   You are indeed correct about the version, it's 4.1.
   The command I am using is this:
   ipa-replica-prepare ipa-r1.myobscureddomain.com --http-cert-file /home/fedora/newcert.pk12 --dirsrv-cert-file /home/fedora/newcert.pk12 --ip-address 172.31.16.31 -v
 
  I was pretty sure a pin was required with those options as well.
 
  What do the PKCS#12 files look like: pk12util -l
  /home/fedora/newcert.pk12
 
  rob
 
  
   Regards,
  
   D
  
   2015-04-09 16:16 GMT+02:00 Rob Crittenden rcrit...@redhat.com:
  
   David Dejaeghere wrote:
Hi,
   
Does somebody have any pointers for me regarding this
 issue?
  
   It would help very much if you'd include the version
 you're working
   with. Based on line numbers I'll assume IPA 4.1.
  
   It's hard to say since you don't include the
 command-line you're using,
   or what those files consist of.
  
   It looks like it is blowing up trying to verify that the
 whole
   certificate chain is available. NSS unfortunately
 doesn't always provide
   the best error messages so it's hard to say why this
 particular cert
   can't be loaded.
  
   rob
  
   
Regards,
   
D
   
 2015-04-07 13:34 GMT+02:00 David Dejaeghere david.dejaegh...@gmail.com
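Rob's post above explains that ipa-replica-prepare loads every certificate from the PKCS#12 file and then walks the database to verify the chain, and suspects the two Go Daddy root certs sharing one subject but carrying different serial numbers. The script below is an added example, not code from this thread or from FreeIPA: it lists serial and subject for every cert in a PEM bundle and flags any subject that appears with more than one serial. It assumes `openssl` is on PATH and that the chain was first exported from the thread's /home/fedora/newcert.pk12 with `openssl pkcs12 -nokeys`.

```shell
#!/bin/sh
# Flag subjects that appear with more than one serial number in a PEM bundle.
# Export the chain from the PKCS#12 file first, e.g.:
#   openssl pkcs12 -in /home/fedora/newcert.pk12 -nokeys -out chain.pem
set -eu

# Print one "serial<TAB>subject" line per certificate found in bundle $1.
list_certs() {
    bundle="$1"
    tmp=$(mktemp -d)
    # Split the bundle into one file per certificate: openssl x509 only
    # reads the first certificate of whatever it is given.
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                       n { print > (dir "/cert" n ".pem") }' "$bundle"
    for f in "$tmp"/cert*.pem; do
        [ -e "$f" ] || break
        serial=$(openssl x509 -in "$f" -noout -serial | sed 's/^serial=//')
        subject=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
        printf '%s\t%s\n' "$serial" "$subject"
    done
    rm -rf "$tmp"
}

# Report subjects that occur with two or more distinct serials in bundle $1.
# Returns 0 when every subject maps to exactly one serial, 1 otherwise.
find_duplicate_subjects() {
    # sort -u first, so the same cert included twice is not reported;
    # only a subject seen with different serials survives uniq -d.
    dups=$(list_certs "$1" | sort -u | cut -f2- | sort | uniq -d)
    if [ -n "$dups" ]; then
        printf 'Subject present with more than one serial number:\n%s\n' "$dups" >&2
        return 1
    fi
    return 0
}

# Command-line use: sh check_chain.sh chain.pem
if [ "$#" -gt 0 ]; then
    list_certs "$1"
    find_duplicate_subjects "$1"
fi
```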

Re: [Freeipa-users] ipa-replica-prepare failing

2015-04-10 Thread David Dejaeghere
Hi,

I get the same error when I use a pk12 with only the server certificate
(and key) in it.
Not sure what else I can try.

Regards,

D

2015-04-11 0:23 GMT+02:00 Rob Crittenden rcrit...@redhat.com:

 David Dejaeghere wrote:
  Hi,
 
  I even tried the command using an export from the http service nss db,
  same issue.
 
  regarding SElinux:
  ausearch -m AVC -ts recent
  no matches
 
  Sending you the log personally.

 Ok, so the way the certs are imported is all the certs in the PKCS#12
 file are loaded in, then marked as untrusted.

 certutil -O is executed against the server cert which prints out what
 the trust chain should be and those certs marked as trusted CA's.

 That part is working fine.

 Finally it makes another pass through the database to verify the chain.

 Looking at the output there are two certs with the subject CN=Go Daddy
 Root Certificate Authority - G2,O=GoDaddy.com,
 Inc.,L=Scottsdale,ST=Arizona,C=US and different serial numbers. I
 wonder if this is confusing the cert loader. These certs are included in
 the PKCS#12 file (serial #0 and #1828629 AFAICT). I don't know which one
 is the 'right' one, or if there even is one.

 rob


 
  Regards,
 
  D
 
  2015-04-10 17:03 GMT+02:00 Rob Crittenden rcrit...@redhat.com:
 
  David Dejaeghere wrote:
   Hi Rob,
  
   Without the --http-pin the command will give a prompt to enter the
 password.
   Tried both.
  
   I am sending the output of the pk12util -l to you in another email.
   It holds the wildcard certificate and the godaddy bundle for as
 far as I
   can tell.
 
  I have to admit, I'm a bit stumped. (SEC_ERROR_LIBRARY_FAILURE) is a
  rather generic NSS error which can mean any number of things. It
 often
  means that the NSS database it is using is bad in some way but given
  that this is a temporary database created just for this purpose I
 doubt
  that's it. You may want to look for SELinux AVCs though: ausearch -m
 AVC
  -ts recent.
 
  At the point where it is blowing up, the PKCS#12 file has already
 been
  imported and IPA is walking through the results trying to ensure that
  the full cert trust chain is available. It does this by reading the
  certs out of the database, and at that point it's blowing up.
 
  The PKCS#12 output you sent me looks ok. I don't believe this is an
  issue with trust or missing parts of the chain.
 
  I created a simple PKCS#12 file and was able to prepare a replica
 using
  it, so AFAICT the code isn't completely broken.
 
  Can you provide the full output from ipa-replica-prepare?
 
  rob
  
   Regards,
  
   D
  
   2015-04-09 21:39 GMT+02:00 Rob Crittenden rcrit...@redhat.com:
  
   David Dejaeghere wrote:
Hi,
   
Sorry for the lack of details!
You are indeed correct about the version, it's 4.1
The command I am using is this:
ipa-replica-prepare ipa-r1.myobscureddomain.com --http-cert-file
/home/fedora/newcert.pk12 --dirsrv-cert-file
 /home/fedora/newcert.pk12
--ip-address 172.31.16.31 -v
  
   I was pretty sure a pin was required with those options as
 well.
  
   What do the PKCS#12 files look like: pk12util -l
   /home/fedora/newcert.pk12
  
   rob
  
   
Regards,
   
D
   
2015-04-09 16:16 GMT+02:00 Rob Crittenden rcrit...@redhat.com:
   
David Dejaeghere wrote:
 Hi,

 Does somebody have any pointers for me regarding this
  issue?
   
It would help very much if you'd include the version
  you're working
with. Based on line numbers I'll assume IPA 4.1.
   
It's hard to say since you don't include the
  command-line you're using,
or what those files consist of.
   
It looks like it is blowing up trying to verify that the
  whole
certificate chain is available. NSS unfortunately
  doesn't always provide
the best error messages so it's hard to say why this
  particular cert
can't be loaded.
   
rob
   

 Regards,

 D

 2015-04-07 13:34 GMT+02:00 

Re: [Freeipa-users] ipa-replica-prepare failing

2015-04-09 Thread David Dejaeghere
Hi,

Does somebody have any pointers for me regarding this issue?

Regards,

D

2015-04-07 13:34 GMT+02:00 David Dejaeghere david.dejaegh...@gmail.com:

 Hello,

 I am trying to set up a replica for my master, which has been set up with an
 external CA to use our GoDaddy wildcard certificate.
 The ipa-replica-prepare is failing with the following debug information.
 I am using --http-cert and --dirsrv-cert with my pk12 server certificate.
 What can I verify to get an idea of what is going wrong?

 ipa: DEBUG: stderr=
 ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File
 /usr/lib/python2.7/site-packages/ipapython/admintool.py, line 169, in
 execute
 self.ask_for_options()
   File
 /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py,
 line 276, in ask_for_options
 options.http_cert_name)
   File
 /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py,
 line 176, in load_pkcs12
 host_name=self.replica_fqdn)
   File
 /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line
 785, in load_pkcs12
 nss_cert = x509.load_certificate(cert, x509.DER)
   File /usr/lib/python2.7/site-packages/ipalib/x509.py, line 128, in
 load_certificate
 return nss.Certificate(buffer(data))

 ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The
 ipa-replica-prepare command failed, exception: NSPRError:
 (SEC_ERROR_LIBRARY_FAILURE) security library failure.
 ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR:
 (SEC_ERROR_LIBRARY_FAILURE) security library failure.

 Regards,

 D

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] ipa-replica-prepare failing

2015-04-09 Thread Rob Crittenden
David Dejaeghere wrote:
 Hi,
 
 Does somebody have any pointers for me regarding this issue?

It would help very much if you'd include the version you're working
with. Based on line numbers I'll assume IPA 4.1.

It's hard to say since you don't include the command-line you're using,
or what those files consist of.

It looks like it is blowing up trying to verify that the whole
certificate chain is available. NSS unfortunately doesn't always provide
the best error messages so it's hard to say why this particular cert
can't be loaded.

rob

 
 Regards,
 
 D
 
 2015-04-07 13:34 GMT+02:00 David Dejaeghere david.dejaegh...@gmail.com:
 
 Hello,
 
 I am trying to set up a replica for my master, which has been set up
 with an external CA to use our GoDaddy wildcard certificate.
 The ipa-replica-prepare is failing with the following debug information.
 I am using --http-cert and --dirsrv-cert with my pk12 server
 certificate.
 What can I verify to get an idea of what is going wrong?
 
 ipa: DEBUG: stderr=
 ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:  
 File /usr/lib/python2.7/site-packages/ipapython/admintool.py, line
 169, in execute
 self.ask_for_options()
   File
 
 /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py,
 line 276, in ask_for_options
 options.http_cert_name)
   File
 
 /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py,
 line 176, in load_pkcs12
 host_name=self.replica_fqdn)
   File
 /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line
 785, in load_pkcs12
 nss_cert = x509.load_certificate(cert, x509.DER)
   File /usr/lib/python2.7/site-packages/ipalib/x509.py, line 128,
 in load_certificate
 return nss.Certificate(buffer(data))
 
 ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The
 ipa-replica-prepare command failed, exception: NSPRError:
 (SEC_ERROR_LIBRARY_FAILURE) security library failure.
 ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR:
 (SEC_ERROR_LIBRARY_FAILURE) security library failure.
 
 Regards,
 
 D
 
 
 
 



Re: [Freeipa-users] ipa-replica-prepare failing

2015-04-09 Thread David Dejaeghere
Hi,

Sorry for the lack of details!
You are indeed correct about the version, it's 4.1
The command I am using is this:
ipa-replica-prepare ipa-r1.myobscureddomain.com --http-cert-file
/home/fedora/newcert.pk12 --dirsrv-cert-file /home/fedora/newcert.pk12
--ip-address 172.31.16.31 -v

Regards,

D

2015-04-09 16:16 GMT+02:00 Rob Crittenden rcrit...@redhat.com:

 David Dejaeghere wrote:
  Hi,
 
  Does somebody have any pointers for me regarding this issue?

 It would help very much if you'd include the version you're working
 with. Based on line numbers I'll assume IPA 4.1.

 It's hard to say since you don't include the command-line you're using,
 or what those files consist of.

 It looks like it is blowing up trying to verify that the whole
 certificate chain is available. NSS unfortunately doesn't always provide
 the best error messages so it's hard to say why this particular cert
 can't be loaded.

 rob

 
  Regards,
 
  D
 
  2015-04-07 13:34 GMT+02:00 David Dejaeghere david.dejaegh...@gmail.com:
 
  Hello,
 
  I am trying to set up a replica for my master, which has been set up
  with an external CA to use our GoDaddy wildcard certificate.
  The ipa-replica-prepare is failing with the following debug
 information.
  I am using --http-cert and --dirsrv-cert with my pk12 server
  certificate.
  What can I verify to get an idea of what is going wrong?
 
  ipa: DEBUG: stderr=
  ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:
  File /usr/lib/python2.7/site-packages/ipapython/admintool.py, line
  169, in execute
  self.ask_for_options()
File
 
  /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py,
  line 276, in ask_for_options
  options.http_cert_name)
File
 
  /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py,
  line 176, in load_pkcs12
  host_name=self.replica_fqdn)
File
 
  /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line
  785, in load_pkcs12
  nss_cert = x509.load_certificate(cert, x509.DER)
File /usr/lib/python2.7/site-packages/ipalib/x509.py, line 128,
  in load_certificate
  return nss.Certificate(buffer(data))
 
  ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The
  ipa-replica-prepare command failed, exception: NSPRError:
  (SEC_ERROR_LIBRARY_FAILURE) security library failure.
  ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR:
  (SEC_ERROR_LIBRARY_FAILURE) security library failure.
 
  Regards,
 
  D
 
 
 
 



Re: [Freeipa-users] ipa-replica-prepare failing

2015-04-09 Thread Rob Crittenden
David Dejaeghere wrote:
 Hi,
 
 Sorry for the lack of details!
 You are indeed correct about the version, it's 4.1
 The command I am using is this:
 ipa-replica-prepare ipa-r1.myobscureddomain.com --http-cert-file
 /home/fedora/newcert.pk12 --dirsrv-cert-file /home/fedora/newcert.pk12
 --ip-address 172.31.16.31 -v

I was pretty sure a pin was required with those options as well.

What do the PKCS#12 files look like: pk12util -l /home/fedora/newcert.pk12

rob

 
 Regards,
 
 D
 
 2015-04-09 16:16 GMT+02:00 Rob Crittenden rcrit...@redhat.com:
 
 David Dejaeghere wrote:
  Hi,
 
  Does somebody have any pointers for me regarding this issue?
 
 It would help very much if you'd include the version you're working
 with. Based on line numbers I'll assume IPA 4.1.
 
 It's hard to say since you don't include the command-line you're using,
 or what those files consist of.
 
 It looks like it is blowing up trying to verify that the whole
 certificate chain is available. NSS unfortunately doesn't always provide
 the best error messages so it's hard to say why this particular cert
 can't be loaded.
 
 rob
 
 
  Regards,
 
  D
 
  2015-04-07 13:34 GMT+02:00 David Dejaeghere david.dejaegh...@gmail.com:
 
  Hello,
 
  I am trying to set up a replica for my master, which has been set up
  with an external CA to use our GoDaddy wildcard certificate.
  The ipa-replica-prepare is failing with the following debug
 information.
  I am using --http-cert and --dirsrv-cert with my pk12 server
  certificate.
  What can I verify to get an idea of what is going wrong?
 
  ipa: DEBUG: stderr=
  ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:
  File
 /usr/lib/python2.7/site-packages/ipapython/admintool.py, line
  169, in execute
  self.ask_for_options()
File

  
 /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py,
  line 276, in ask_for_options
  options.http_cert_name)
File

  
 /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py,
  line 176, in load_pkcs12
  host_name=self.replica_fqdn)
File

  /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py,
 line
  785, in load_pkcs12
  nss_cert = x509.load_certificate(cert, x509.DER)
File /usr/lib/python2.7/site-packages/ipalib/x509.py, line
 128,
  in load_certificate
  return nss.Certificate(buffer(data))
 
  ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare:
 DEBUG: The
  ipa-replica-prepare command failed, exception: NSPRError:
  (SEC_ERROR_LIBRARY_FAILURE) security library failure.
  ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR:
  (SEC_ERROR_LIBRARY_FAILURE) security library failure.
 
  Regards,
 
  D
 
 
 
 
 
 

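Rob's two observations in this thread, that ipa-replica-prepare loads every certificate from the PKCS#12 file, marks the ones on the server cert's trust chain as CAs and then re-walks the database to verify that chain, and that two certificates sharing the same Go Daddy root subject with different serials might be confusing that walk, both reduce to questions you can answer from the `pk12util -l` listing he asks for. The script below is an added example, not code from the thread or from FreeIPA itself: it parses that listing, reports any subject that appears on more than one certificate with differing serial numbers, and walks issuer to subject from the certificate that carries the private key to see whether a self-signed root is reachable from the file's own contents. The sample listing embedded in it is constructed (example DNs, not the poster's data); the layout it assumes for `pk12util -l` output (a `Certificate` line at column 0 per entry, `(has private key)` on the keyed entry, serials either inline or as hex on the following line, quoted Issuer/Subject) is an assumption based on NSS's pretty-printer, so check it against your own output before relying on the parse.

```python
"""Sanity-check the certificates in a PKCS#12 file from the text that
`pk12util -l <file>` prints: flag subjects carried by more than one
certificate (with different serials) and test whether the server cert,
the one with the private key, chains to a self-signed root using only
the certificates present in the file.
"""
import re
from collections import defaultdict

# Constructed distinguished names.  They mirror the shape of the case
# in the thread (wildcard server cert, one intermediate, a root subject
# present twice) but are made up, not the poster's data.
LEAF = "CN=*.example.test,OU=Domain Control Validated"
INTERMEDIATE = "CN=Example Secure Certificate Authority - G2,O=Example CA Inc.,C=US"
ROOT = "CN=Example Root Certificate Authority - G2,O=Example CA Inc.,C=US"
OLD_ROOT = "CN=Example Class 2 Certification Authority,O=Example CA Inc.,C=US"

# Constructed stand-in for `pk12util -l` output.  Assumed layout: each
# entry starts with "Certificate" at column 0, "(has private key)" marks
# the keyed entry, a serial is inline or hex on the next line, and
# Issuer/Subject are quoted.  Fields the parser does not read are omitted.
SAMPLE_PK12UTIL_OUTPUT = f'''\
Certificate(has private key):
    Data:
        Serial Number:
            27:15:a2:b8:11:00:45:b1
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "{INTERMEDIATE}"
        Subject: "{LEAF}"
Certificate:
    Data:
        Serial Number: 7 (0x7)
        Issuer: "{ROOT}"
        Subject: "{INTERMEDIATE}"
Certificate:
    Data:
        Serial Number: 0 (0x0)
        Issuer: "{ROOT}"
        Subject: "{ROOT}"
Certificate:
    Data:
        Serial Number: 1828629 (0x1be715)
        Issuer: "{OLD_ROOT}"
        Subject: "{ROOT}"
'''


def parse_cert_listing(text):
    """Return one dict (has_key, serial, issuer, subject) per certificate."""
    certs, cur, lines = [], None, text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Certificate"):
            cur = {"has_key": "has private key" in line,
                   "serial": None, "issuer": None, "subject": None}
            certs.append(cur)
            continue
        if cur is None:
            continue
        stripped = line.strip()
        m = re.match(r"Serial Number:\s*(.*)", stripped)
        if m and cur["serial"] is None:
            # a long serial is printed as hex on the following line
            cur["serial"] = m.group(1).strip() or lines[i + 1].strip()
            continue
        m = re.match(r'(Issuer|Subject):\s*"(.*)"', stripped)
        if m and cur[m.group(1).lower()] is None:  # first occurrence only
            cur[m.group(1).lower()] = m.group(2)
    return certs


def duplicate_subjects(certs):
    """Map subject -> sorted serials for subjects carried by 2+ certs."""
    serials = defaultdict(set)
    for c in certs:
        serials[c["subject"]].add(c["serial"])
    return {s: sorted(v) for s, v in serials.items() if len(v) > 1}


def build_chain(certs):
    """Walk issuer -> subject from the keyed cert until a self-signed cert.

    If several certs share the issuer's subject, the self-signed one is
    preferred and the subject is reported as ambiguous.
    """
    leaf = next((c for c in certs if c["has_key"]), None)
    result = {"complete": False, "ambiguous": [], "chain": []}
    if leaf is None:
        return result
    chain, seen, cur = [leaf], {id(leaf)}, leaf
    while cur["issuer"] != cur["subject"]:
        cands = [c for c in certs
                 if c["subject"] == cur["issuer"] and id(c) not in seen]
        if not cands:  # issuer missing from the file: chain is incomplete
            result["chain"] = [c["subject"] for c in chain]
            return result
        if len(cands) > 1:
            result["ambiguous"].append(cur["issuer"])
        cur = next((c for c in cands if c["issuer"] == c["subject"]), cands[0])
        chain.append(cur)
        seen.add(id(cur))  # guards against issuer/subject cycles
    result["complete"] = True
    result["chain"] = [c["subject"] for c in chain]
    return result


def check_listing(text):
    certs = parse_cert_listing(text)
    return {"count": len(certs),
            "duplicate_subjects": duplicate_subjects(certs),
            "chain": build_chain(certs)}


if __name__ == "__main__":
    import sys
    # usage: pk12util -l newcert.pk12 > listing.txt; python3 check_p12.py listing.txt
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PK12UTIL_OUTPUT
    for key, val in check_listing(src).items():
        print(f"{key}: {val}")
```

On the constructed sample the chain walk succeeds but reports the root subject as ambiguous, because both the self-signed root (serial 0) and the cross-signed copy (serial 1828629) match the intermediate's issuer; an NSS import that picks the cross-signed copy would then look for an issuer that is not in the file. Removing the cross-signed copy from the PKCS#12 before running ipa-replica-prepare is the obvious thing to try if your own listing shows the same pattern.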


[Freeipa-users] ipa-replica-prepare failing

2015-04-07 Thread David Dejaeghere
Hello,

I am trying to set up a replica for my master, which has been set up with an
external CA to use our GoDaddy wildcard certificate.
The ipa-replica-prepare is failing with the following debug information.
I am using --http-cert and --dirsrv-cert with my pk12 server certificate.
What can I verify to get an idea of what is going wrong?

ipa: DEBUG: stderr=
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File
/usr/lib/python2.7/site-packages/ipapython/admintool.py, line 169, in
execute
self.ask_for_options()
  File
/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py,
line 276, in ask_for_options
options.http_cert_name)
  File
/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py,
line 176, in load_pkcs12
host_name=self.replica_fqdn)
  File
/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line
785, in load_pkcs12
nss_cert = x509.load_certificate(cert, x509.DER)
  File /usr/lib/python2.7/site-packages/ipalib/x509.py, line 128, in
load_certificate
return nss.Certificate(buffer(data))

ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The
ipa-replica-prepare command failed, exception: NSPRError:
(SEC_ERROR_LIBRARY_FAILURE) security library failure.
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR:
(SEC_ERROR_LIBRARY_FAILURE) security library failure.

Regards,

D