James Roman wrote:
OK I am still running into a similar problem when installing the replica server. It appears that the problem stems from the chained CA certificates from GoDaddy again. On the replica server, all the certs appear to be installed properly. The script is choking when modifying the trust arguments. It looks like it is grabbing the certificate name from the wrong place again.


This should be fixed in ipa v1.2.2 which is in the Fedora updates-testing repo.

rob



     ipa-replica-install Error:

NOTE: Take a look at where the quotes are showing up in the "certutil -d" lines.

root        : DEBUG      [10/17]: configuring ssl for ds instance
 [10/17]: configuring ssl for ds instance
root : DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' root : INFO root : INFO root : INFO pk12util: PKCS12 IMPORT SUCCESSFUL

root : INFO root : INFO root : INFO certutil: could not find certificate named "valicert.com" [e=i...@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.": The security card or token does not exist, needs to be initialized, or has been removed.

creation of replica failed: Command '/usr/bin/certutil -d /etc/dirsrv/slapd-REALM-COM/ -M -n valicert.com" [e=i...@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc. -t CT,CT,' returned non-zero exit status 255 root : DEBUG Command '/usr/bin/certutil -d /etc/dirsrv/slapd-REALM-COM/ -M -n valicert.com" [e=i...@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc. -t CT,CT,' returned non-zero exit status 255
 File "/usr/sbin/ipa-replica-install", line 294, in <module>
   main()

 File "/usr/sbin/ipa-replica-install", line 244, in main
   ds = install_ds(config)

 File "/usr/sbin/ipa-replica-install", line 115, in install_ds
ds.create_instance(config.ds_user, config.realm_name, config.host_name, config.domain_name, config.dirman_password, pkcs12_info)

File "/usr/lib/python2.5/site-packages/ipaserver/dsinstance.py", line 193, in create_instance
   self.start_creation("Configuring directory server:")

File "/usr/lib/python2.5/site-packages/ipaserver/service.py", line 139, in start_creation
   method()

File "/usr/lib/python2.5/site-packages/ipaserver/dsinstance.py", line 345, in __enable_ssl
   ca.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1])

File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 403, in create_from_pkcs12
   self.trust_root_cert(nickname)

File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 322, in trust_root_cert
   "-t", "CT,CT,"])

File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 126, in run_certutil
   return ipautil.run(new_args, stdin)

 File "/usr/lib/python2.5/site-packages/ipa/ipautil.py", line 97, in run
   raise CalledProcessError(p.returncode, ' '.join(args))


     Replica server Cert DB:

[r...@replica slapd-REALM-COM]# certutil -L -d .

Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
Go Daddy Secure Certification Authority ,, Go Daddy Class 2 Certification Authority ,, valicert.com ,,

Rob Crittenden wrote:
James Roman wrote:
Can anyone elaborate on the options for the ipa-replica-prepare command? I have a third party signed certificate for both my master and replica server. Am I supposed to provide the PKCS12 file for the master server or the replica? If it is looking for the master server, I really don't want the script generating a new certificate for the replica. I already have one. Any way to by-pass that option?

The PKCS#12 file(s) are for the replica server. If you provide both then IPA will not attempt to generate one.

rob


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to