tc...@eexchange.com wrote:
First of all, thanks for the help!

The /tmp/tmp-aZzm2V did not get removed. I am able to run the command per your 
suggestion. I do see our CA cert and the IPA CA cert. The /root/ca.crt is our 
root (private) CA cert (it is not a chain). I have tested with a browser too and 
it could not verify the cert either.

[r...@ipa.dev.eexchange.com ~]# certutil -L -d /tmp/tmp-aZzm2V

Certificate Nickname                                         Trust Attributes
                                                              SSL,S/MIME,JAR/XPI

ipa-ca-agent                                                 u,u,u
testnick                                                     P,,
System Engineering - Currenex, Inc.                          CT,C,C
Certificate Authority - Currenex, Inc.                       CT,C,C

Ok, trust looks fine. I guess you added testnick?

Let's see if we have all we need by validating the agent cert:

# certutil -V -u C -n ipa-ca-agent -d /tmp/tmp-aZzm2V

Can you also provide this for each cert:

certutil -L -n <nickname> -d /tmp/tmp-aZzm2V

Oh, I guess we might examine the server's certificate database too.

The CA has its own cert db in /var/lib/pki-ca/alias. Can you list the certs there?

# certutil -L -d /var/lib/pki-ca/alias

This will show the CA as it sees itself:

certutil -L -d /var/lib/pki-ca/alias -n 'caSigningCert cert-pki-ca'

Finally, what is the package version of pki-ca?

thanks

rob
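Added example (not from the thread and not FreeIPA or NSS code): a small Python helper that parses a `certutil -L` listing like the one quoted above and summarises what the SSL-column trust flags say about validating the ipa-ca-agent cert for client auth; the same parser can be run over the /var/lib/pki-ca/alias listing requested above. The first sample listing is constructed from the thread; the second variant, an intermediate CA imported with `C,,` only, is hypothetical.

```python
import re

# Constructed sample: the temporary RA database listing quoted in the thread,
# as captured from `certutil -L -d /tmp/tmp-aZzm2V` (no real NSS db is read here).
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                              SSL,S/MIME,JAR/XPI

ipa-ca-agent                                                 u,u,u
testnick                                                     P,,
System Engineering - Currenex, Inc.                          CT,C,C
Certificate Authority - Currenex, Inc.                       CT,C,C
"""

# Hypothetical variant: the intermediate CA imported with C,, only, i.e. trusted
# to issue server certs but not client certs (the T flag is missing).
SAMPLE_MISSING_T = "\n".join(
    line.replace("CT,C,C", "C,,") if line.startswith("System") else line
    for line in SAMPLE_LISTING.splitlines())

# One listing row: nickname, two or more spaces, then the SSL,S/MIME,JAR/XPI flags.
# Flag letters: p/P peer, c/C CA, T CA trusted for client auth, u user cert (has key).
ROW_RE = re.compile(
    r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[pPcCTu]*,[pPcCTu]*,[pPcCTu]*)\s*$")


def parse_listing(text):
    """Map nickname -> (ssl, smime, jar) flag strings from certutil -L output."""
    certs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            certs[m.group("nick")] = tuple(m.group("trust").split(","))
    return certs


def client_auth_report(certs, agent_nick):
    """What the SSL-column flags imply for validating agent_nick as a client cert."""
    ssl = {nick: flags[0] for nick, flags in certs.items()}
    return {
        # The agent cert must carry its private key in this db: 'u' in the SSL column.
        "agent_has_key": "u" in ssl.get(agent_nick, ""),
        # A server checking client certs relies on CAs flagged T in the SSL column.
        "client_auth_cas": sorted(n for n, f in ssl.items() if "T" in f),
        # CA entries (c/C) that lack T cannot vouch for client certificates.
        "cas_without_T": sorted(n for n, f in ssl.items() if "c" in f.lower() and "T" not in f),
        # Peer-only entries (p/P) are trusted as leaf certs, never as issuers.
        "peers": sorted(n for n, f in ssl.items() if "p" in f.lower() and "u" not in f),
    }
```

Feed it the captured stdout of `certutil -L` for each database; a CA that shows up under `cas_without_T` is one the server side cannot use to accept a client certificate.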

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Tuesday, May 22, 2012 9:40 AM
To: Tong Chow
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] freeipa 2.1.3-9 install with external CA failed

tc...@eexchange.com wrote:
Hi,

I am trying to install freeipa 2.1.3-9 with external CA and it failed.

Any help is appreciated and thanks in advance!


[r...@ipa.dev.example.com ~]# ipa-server-install
--external_cert_file=/root/ipa.crt --external_ca_file=/root/ca.crt

The log file for this installation can be found in
/var/log/ipaserver-install.log
Directory Manager password:

==============================================================================
This program will set up the IPA Server.

This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)

Excluded by options:
* Configure the Network Time Daemon (ntpd)

To accept the default shown in brackets, press the Enter key.

The IPA Master Server will be configured with
Hostname: ipa.dev.example.com
IP address: x.x.x.x
Domain name: example.com

Configuring certificate server: Estimated time 3 minutes 30 seconds
[1/16]: creating certificate server user
[2/16]: configuring certificate server instance
[3/16]: disabling nonces
[4/16]: creating CA agent PKCS#12 file in /root
[5/16]: creating RA agent certificate database
[6/16]: importing CA chain to RA certificate database
[7/16]: fixing RA database permissions
[8/16]: setting up signing cert profile
[9/16]: set up CRL publishing
[10/16]: set certificate subject base
[11/16]: configuring certificate server to start on boot
[12/16]: restarting certificate server
[13/16]: requesting RA certificate from CA
[14/16]: issuing RA agent certificate
Unexpected error - see ipaserver-install.log for details:
Command '/usr/bin/sslget -n ipa-ca-agent -p XXXXXXXX -d
/tmp/tmp-aZzm2V -r /ca/agent/ca/profileReview?requestId=6 
ipa.dev.example.com:9443'
returned non-zero exit status 4

[r...@ipa.dev.example.com ~]# /usr/bin/sslget -n ipa-ca-agent -p
XXXXXXXX -d /tmp/tmp-aZzm2V -r /ca/agent/ca/profileReview?requestId=6
ipa.dev.example.com:9443 -v
GET /ca/agent/ca/profileReview?requestId=6 HTTP/1.0

port: 9443
addr='ipa.dev.example.com'
family='2'
Subject: CN=ipa.dev.example.com,O=example.com
Issuer : CN=Certificate Authority,O=example.com
Called mygetclientauthdata - nickname = ipa-ca-agent
mygetclientauthdata - cert = 9716d0
mygetclientauthdata - privkey = 9b6f10
exit after PR_Write bigBuf with error -12271:

This error means: SSL client cannot verify your certificate

Does /tmp/tmp-aZzm2V exist after the failure? I'd have thought it would be 
cleaned up. If so it holds the temporary NSS cert db we use during the 
installation and may tell us why there are trust problems.

A place to start is to list the certs in there:
# certutil -L -d /tmp/tmp-aZzm2V

I see in the log below our adding trust to a couple of certs. I assume that the 
entire CA chain is included in /root/ca.crt?

rob


/var/log/ipaserver-install.log information

2012-05-21 16:54:58,852 DEBUG duration: 1 seconds
2012-05-21 16:54:58,852 DEBUG [14/16]: issuing RA agent certificate
2012-05-21 16:54:58,866 DEBUG args=/usr/bin/certutil -d /tmp/tmp-aZzm2V -f XXXXXXXX -M -t CT,C,C -n System Engineering - Currenex, Inc.
2012-05-21 16:54:58,867 DEBUG stdout=
2012-05-21 16:54:58,867 DEBUG stderr=
2012-05-21 16:54:58,873 DEBUG args=/usr/bin/certutil -d /tmp/tmp-aZzm2V -f XXXXXXXX -M -t CT,C,C -n Certificate Authority - Currenex, Inc.
2012-05-21 16:54:58,874 DEBUG stdout=
2012-05-21 16:54:58,874 DEBUG stderr=
2012-05-21 16:54:58,909 DEBUG args=/usr/bin/sslget -n ipa-ca-agent -p XXXXXXXX -d /tmp/tmp-aZzm2V -r /ca/agent/ca/profileReview?requestId=6 ipa.dev.eexchange.com:9443
2012-05-21 16:54:58,909 DEBUG stdout=
2012-05-21 16:54:58,909 DEBUG stderr=
2012-05-21 16:54:59,067 DEBUG Command '/usr/bin/sslget -n ipa-ca-agent -p XXXXXXXX -d /tmp/tmp-aZzm2V -r /ca/agent/ca/profileReview?requestId=6 ipa.dev.eexchange.com:9443' returned non-zero exit status 4
  File "/usr/sbin/ipa-server-install", line 1151, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-server-install", line 975, in main
    subject_base=options.subject)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 537, in configure_instance
    self.start_creation("Configuring certificate server", 210)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 248, in start_creation
    method()
  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 755, in __issue_ra_cert
    (stdout, stderr, returncode) = ipautil.run(args, nolog=(self.admin_password,))
  File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 273, in run
    raise CalledProcessError(p.returncode, args)



------------------------------------------------------------------------
The information contained in this e-mail (including any
attachments) is intended solely for the use of the intended
recipient(s), may be used solely for the purpose for which it was
sent, may contain confidential, proprietary, or personally
identifiable information, and/or may be subject to the attorney-client
or attorney work product privilege or other applicable confidentiality
protections. If you are not an intended recipient please notify the
author by replying to this e-mail and delete this e-mail immediately.
Any unauthorized copying, disclosure, retention, distribution or other
use of this email, its contents or its attachments is strictly
prohibited.


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users



