Mark Haney via FreeIPA-users wrote:
> On 08/01/2017 11:01 AM, Florence Blanc-Renaud wrote:
>> you can connect to IPA web UI on the server to revoke the cert:
>>, then navigate to Authentication >
>> Certificates, click on the certificate corresponding to the replica
>> which failed installation (CN=<replica>,o=DOM...) and then Actions >
>> Revoke Certificate (superseded).
>> Flo
> Okay, this is just bloody stupid. It should NOT be that hard to build a
> bloody replica of an existing LDAP server.  It's beyond insane.  I
> revoked the certs of ipa1 off ipa0, built a new ipa-replica file on
> ipa0, copied to ipa1 and ran ipa-replica-install
> --setup-ca and it FAILED AGAIN.

The cert revocation is not necessary but is a nice cleanup (you don't
want copies of the cert floating around). Every time ipa-replica-prepare
is run a new set of certs is issued.

> It seems the issue is that ipa1 can't find the GoDaddy supplied certs we
> are using for the web UI /only/.  I expected that ALL certs would be
> replicated over, but apparently that would be FAR too convenient.  It's
> silly crap like this that keeps LDAP from being anything more than a
> giant PITA and pushes people to not-centralize linux accounts outside of
> maybe AD (which in itself is sad).

1. IPA proxies the CA behind its web server so the server cert and CA
chain are VERY important.
2. Blame freeIPA if anything, not LDAP.
3. This isn't a replication issue. From what I can tell from the replica
log the CA chain is shipped over but for some reason the dogtag (CA)
installer can't find them after a certain point.

> The failure is exactly that as the previous 4 times I've tried this. 
> Why aren't the GoDaddy signed certs 1) being found despite being on
> the server and 2) carried over in the ipa-replica-prepare package?
> This really should be a straightforward process.  The fact it isn't, and
> that calling the documentation sparse would be an insult to that word,
> leaves me at my wits' end.
> Does anyone have ANY ideas on why the GoDaddy signed certs aren't behaving?

Providing the dogtag debug log might be helpful. The replica install log
shows that the GoDaddy CA chain was imported and trusted reasonably
(C,,) but the installer later claims it can't find them by nickname. I
think we need Fraser to take a closer look as he's a dogtag developer.
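The "C,," in the install log is the SSL column of an NSS trust-flag triple, and the complaint about not finding the chain "by nickname" is a lookup against the same database. Below is an added check, not code from this thread or from FreeIPA or dogtag, that reads a `certutil -L` listing and confirms a CA entry is present under a given nickname with the C (trusted CA) flag set for SSL. The database path (/etc/httpd/alias) and the GoDaddy nicknames are assumptions; the sample listing is constructed, not output from the reporter's server.

```shell
#!/bin/sh
# Added example (not from the thread, FreeIPA or dogtag): inspect a
# `certutil -L` listing of an NSS database and check that a CA chain
# entry is present under the expected nickname and carries the "C"
# (trusted CA) flag in the SSL column, which is what "C,," means.
# Database path and nicknames are assumptions.
#
# Against a live replica (path and nickname assumed):
#   certutil -L -d /etc/httpd/alias | check_ca_trust "Go Daddy Root Certificate Authority - G2"

# check_ca_trust NICKNAME   (listing on stdin)
#   exit 0: nickname present and its SSL trust flags contain C
#   exit 1: nickname present but not trusted as a CA for SSL
#   exit 2: nickname not found in the listing at all
check_ca_trust() {
    awk -v nick="$1" '
        # skip the two header lines and blank lines
        NF == 0 || $NF == "Attributes" || $NF == "SSL,S/MIME,JAR/XPI" { next }
        {
            flags = $NF                                # e.g. "C,," or "u,u,u"
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)      # drop the trust column
            if (name == nick) {
                found = 1
                split(flags, f, ",")                   # f[1]=SSL f[2]=S/MIME f[3]=JAR/XPI
                rc = (index(f[1], "C") > 0) ? 0 : 1
            }
        }
        END { exit (found ? rc : 2) }
    '
}

# trusted_ca_nicknames   (listing on stdin)
#   print every nickname whose SSL trust flags contain C, one per line
trusted_ca_nicknames() {
    awk '
        NF == 0 || $NF == "Attributes" || $NF == "SSL,S/MIME,JAR/XPI" { next }
        {
            split($NF, f, ",")
            if (index(f[1], "C") > 0) {
                name = $0
                sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)
                print name
            }
        }
    '
}

# Constructed sample in `certutil -L` layout (not real output): the server
# cert, a root trusted as a CA, and an intermediate imported with no trust.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
Go Daddy Root Certificate Authority - G2                     C,,
Go Daddy Secure Certificate Authority - G2                   ,,
'

for nick in "Go Daddy Root Certificate Authority - G2" \
            "Go Daddy Secure Certificate Authority - G2" \
            "Not-Imported-CA"; do
    rc=0
    printf '%s' "$SAMPLE_LISTING" | check_ca_trust "$nick" || rc=$?
    case $rc in
        0) echo "ok:      $nick is trusted as a CA for SSL" ;;
        1) echo "warning: $nick is present but lacks the C flag" ;;
        *) echo "missing: $nick is not in the database" ;;
    esac
done
```

Run the real listing through trusted_ca_nicknames as well: if the whole GoDaddy chain shows up there but the installer still reports the nickname as missing, the mismatch is in the name the installer asks for (or in which database it opens), not in the trust flags.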

