First of all, thanks for the help!

The /tmp/tmp-aZzm2V did not get removed. I am able to run the command per your 
suggestion. I do see our CA cert and the IPA CA cert. The /root/ca.crt is our 
root (private) CA cert (it is not a chain). I have tested with a browser too and 
it could not verify the cert either.

[r...@ipa.dev.eexchange.com ~]# certutil -L -d /tmp/tmp-aZzm2V

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipa-ca-agent                                                 u,u,u
testnick                                                     P,,
System Engineering - Currenex, Inc.                          CT,C,C
Certificate Authority - Currenex, Inc.                       CT,C,C


-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Tuesday, May 22, 2012 9:40 AM
To: Tong Chow
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] freeipa 2.1.3-9 install with external CA failed

tc...@eexchange.com wrote:
> Hi,
>
> I am trying to install freeipa 2.1.3-9 with external CA and it failed.
>
> Any help is appreciated and thanks in advance!
>
>
> [r...@ipa.dev.example.com ~]# ipa-server-install --external_cert_file=/root/ipa.crt --external_ca_file=/root/ca.crt
>
> The log file for this installation can be found in /var/log/ipaserver-install.log
> Directory Manager password:
>
> ==============================================================================
> This program will set up the IPA Server.
>
> This includes:
> * Configure a stand-alone CA (dogtag) for certificate management
> * Create and configure an instance of Directory Server
> * Create and configure a Kerberos Key Distribution Center (KDC)
> * Configure Apache (httpd)
>
> Excluded by options:
> * Configure the Network Time Daemon (ntpd)
>
> To accept the default shown in brackets, press the Enter key.
>
> The IPA Master Server will be configured with
> Hostname: ipa.dev.example.com
> IP address: x.x.x.x
> Domain name: example.com
>
> Configuring certificate server: Estimated time 3 minutes 30 seconds
> [1/16]: creating certificate server user
> [2/16]: configuring certificate server instance
> [3/16]: disabling nonces
> [4/16]: creating CA agent PKCS#12 file in /root
> [5/16]: creating RA agent certificate database
> [6/16]: importing CA chain to RA certificate database
> [7/16]: fixing RA database permissions
> [8/16]: setting up signing cert profile
> [9/16]: set up CRL publishing
> [10/16]: set certificate subject base
> [11/16]: configuring certificate server to start on boot
> [12/16]: restarting certificate server
> [13/16]: requesting RA certificate from CA
> [14/16]: issuing RA agent certificate
> Unexpected error - see ipaserver-install.log for details:
> Command '/usr/bin/sslget -n ipa-ca-agent -p XXXXXXXX -d /tmp/tmp-aZzm2V -r /ca/agent/ca/profileReview?requestId=6 ipa.dev.example.com:9443'
> returned non-zero exit status 4
>
> [r...@ipa.dev.example.com ~]# /usr/bin/sslget -n ipa-ca-agent -p XXXXXXXX -d /tmp/tmp-aZzm2V -r /ca/agent/ca/profileReview?requestId=6 ipa.dev.example.com:9443 -v
> GET /ca/agent/ca/profileReview?requestId=6 HTTP/1.0
>
> port: 9443
> addr='ipa.dev.example.com'
> family='2'
> Subject: CN=ipa.dev.example.com,O=example.com
> Issuer : CN=Certificate Authority,O=example.com
> Called mygetclientauthdata - nickname = ipa-ca-agent
> mygetclientauthdata - cert = 9716d0
> mygetclientauthdata - privkey = 9b6f10
> exit after PR_Write bigBuf with error -12271:

This error means: SSL client cannot verify your certificate

Does /tmp/tmp-aZzm2V exist after the failure? I'd have thought it would be 
cleaned up. If so, it holds the temporary NSS cert db we use during the 
installation and may tell us why there are trust problems.

A place to start is to list the certs in there:
# certutil -L -d /tmp/tmp-aZzm2V

I see in the log below our adding trust to a couple of certs. I assume that the 
entire CA chain is included in /root/ca.crt?

rob

>
> /var/log/ipaserver-install.log information
>
> 2012-05-21 16:54:58,852 DEBUG duration: 1 seconds
> 2012-05-21 16:54:58,852 DEBUG [14/16]: issuing RA agent certificate
> 2012-05-21 16:54:58,866 DEBUG args=/usr/bin/certutil -d /tmp/tmp-aZzm2V -f XXXXXXXX -M -t CT,C,C -n System Engineering - Currenex, Inc.
> 2012-05-21 16:54:58,867 DEBUG stdout=
> 2012-05-21 16:54:58,867 DEBUG stderr=
> 2012-05-21 16:54:58,873 DEBUG args=/usr/bin/certutil -d /tmp/tmp-aZzm2V -f XXXXXXXX -M -t CT,C,C -n Certificate Authority - Currenex, Inc.
> 2012-05-21 16:54:58,874 DEBUG stdout=
> 2012-05-21 16:54:58,874 DEBUG stderr=
> 2012-05-21 16:54:58,909 DEBUG args=/usr/bin/sslget -n ipa-ca-agent -p XXXXXXXX -d /tmp/tmp-aZzm2V -r /ca/agent/ca/profileReview?requestId=6 ipa.dev.eexchange.com:9443
> 2012-05-21 16:54:58,909 DEBUG stdout=
> 2012-05-21 16:54:58,909 DEBUG stderr=
> 2012-05-21 16:54:59,067 DEBUG Command '/usr/bin/sslget -n ipa-ca-agent -p XXXXXXXX -d /tmp/tmp-aZzm2V -r /ca/agent/ca/profileReview?requestId=6 ipa.dev.eexchange.com:9443' returned non-zero exit status 4
>   File "/usr/sbin/ipa-server-install", line 1151, in <module>
>     sys.exit(main())
>   File "/usr/sbin/ipa-server-install", line 975, in main
>     subject_base=options.subject)
>   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 537, in configure_instance
>     self.start_creation("Configuring certificate server", 210)
>   File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 248, in start_creation
>     method()
>   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 755, in __issue_ra_cert
>     (stdout, stderr, returncode) = ipautil.run(args, nolog=(self.admin_password,))
>   File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 273, in run
>     raise CalledProcessError(p.returncode, args)
>
> ----------------------------------------------------------------------
> -- The information contained in this e-mail (including any
> attachments) is intended solely for the use of the intended
> recipient(s), may be used solely for the purpose for which it was
> sent, may contain confidential, proprietary, or personally
> identifiable information, and/or may be subject to the attorney-client
> or attorney work product privilege or other applicable confidentiality
> protections. If you are not an intended recipient please notify the
> author by replying to this e-mail and delete this e-mail immediately.
> Any unauthorized copying, disclosure, retention, distribution or other
> use of this email, its contents or its attachments is strictly
> prohibited.
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


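Rob's question above is whether /root/ca.crt carries the full chain from the external CA down to the issuer of ipa.crt. That can be checked on the files themselves, before touching the installer or the temporary NSS database. The script below is an added example written for this thread; it is not FreeIPA code and did not appear in any of the mails. It walks issuer links from the leaf in ipa.crt through the certificates in ca.crt, verifying each signature, and reports the first issuer DN that the bundle cannot satisfy. It uses the Python `cryptography` package and generates its own throwaway root/intermediate/leaf so that it runs offline; the names `Example Root CA`, `Example Intermediate CA` and `ipa.dev.example.com`, and the function names, are all made up for the demo.

```python
"""Chain-completeness check for an external CA bundle.

Added example for the freeipa-users thread (not FreeIPA code).  A tiny PKI
(root -> intermediate -> leaf) is generated in-process so the check runs
offline; the certificate names are constructed for the demo.
"""
import datetime
import re

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
from cryptography.x509.oid import NameOID

PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def load_bundle(pem: bytes):
    """Parse every certificate in a PEM file (a single cert or a concatenated chain)."""
    return [x509.load_pem_x509_certificate(m.group(0)) for m in PEM_BLOCK.finditer(pem)]


def signed_by(cert, issuer) -> bool:
    """True if the issuer's public key verifies cert's signature (RSA or ECDSA)."""
    pub = issuer.public_key()
    try:
        if isinstance(pub, rsa.RSAPublicKey):
            pub.verify(cert.signature, cert.tbs_certificate_bytes,
                       padding.PKCS1v15(), cert.signature_hash_algorithm)
        elif isinstance(pub, ec.EllipticCurvePublicKey):
            pub.verify(cert.signature, cert.tbs_certificate_bytes,
                       ec.ECDSA(cert.signature_hash_algorithm))
        else:
            return False
    except (InvalidSignature, ValueError, TypeError):
        return False
    return True


def build_chain(leaf, pool):
    """Follow issuer links from leaf through pool.

    Returns (chain, missing): missing is None when the chain ends at a
    self-signed root whose signature verifies, otherwise the issuer DN that
    no certificate in pool can satisfy.
    """
    chain, seen, current = [leaf], set(), leaf
    while True:
        if current.issuer == current.subject and signed_by(current, current):
            return chain, None
        nxt = next((c for c in pool
                    if c.subject == current.issuer and signed_by(current, c)), None)
        fp = nxt.fingerprint(hashes.SHA256()) if nxt is not None else None
        if nxt is None or fp in seen:          # no issuer in the bundle, or a loop
            return chain, current.issuer.rfc4514_string()
        seen.add(fp)
        chain.append(nxt)
        current = nxt


def check_external_ca(ipa_crt_pem: bytes, ca_crt_pem: bytes):
    """What --external_cert_file / --external_ca_file have to satisfy: the leaf
    in ipa.crt must chain, using only certs from ca.crt, to a self-signed root."""
    leaf = load_bundle(ipa_crt_pem)[0]
    chain, missing = build_chain(leaf, load_bundle(ca_crt_pem))
    return [c.subject.rfc4514_string() for c in chain], missing


# --- constructed test PKI (demo only; names are made up) -------------------
def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cert(subject, issuer, key, issuer_key, is_ca):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))


def make_test_pki():
    """root -> intermediate -> leaf, all ECDSA P-256."""
    rk, ik, lk = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root_n, inter_n = _name("Example Root CA"), _name("Example Intermediate CA")
    leaf_n = _name("ipa.dev.example.com")
    root = _cert(root_n, root_n, rk, rk, True)
    inter = _cert(inter_n, root_n, ik, rk, True)
    leaf = _cert(leaf_n, inter_n, lk, ik, False)
    return root, inter, leaf


def to_pem(*certs) -> bytes:
    return b"".join(c.public_bytes(serialization.Encoding.PEM) for c in certs)


if __name__ == "__main__":
    root, inter, leaf = make_test_pki()
    # ca.crt holding only the root while the leaf was issued by an intermediate
    print(check_external_ca(to_pem(leaf), to_pem(root)))
    # ca.crt holding the whole chain, in any order
    print(check_external_ca(to_pem(leaf), to_pem(inter, root)))
```

The first call reports the intermediate's DN as missing: that is the shape of a bundle that contains only the root while the server certificate was issued one level down, and the installer would then import just the root with `CT,C,C` trust. The second call, with the intermediate present in either order, returns the three-step chain and no missing issuer. This only checks the files; the equivalent check against the trust flags inside the temporary database is `certutil -V -n ipa-ca-agent -u C -d /tmp/tmp-aZzm2V`, which asks NSS to verify the agent certificate for SSL client use using the certificates `certutil -L` lists.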