On 01/16/2013 04:28 PM, Orion Poplawski wrote:
I've installed ipa 2.2 on EL6.  I initially simply did an ipa-server-install.
  Then I changed the cert used via ipa-server-certinstall to use a wildcard
SSL cert issued by Comodo.  This has led to a lot of grief and needing to
install the Comodo CA chain into lots of SSL dbs.

Now I'm looking at replicating the server with:

ipa-replica-prepare ipapub.cora.nwra.com
--dirsrv_pkcs12=STAR_cora_nwra_com.p12 --dirsrv_pin=xxxxx
--http_pkcs12=STAR_cora_nwra_com.p12 --http_pin=xxxxxx

But I get:

Preparing replica for ipapub.cora.nwra.com from ipa.cora.nwra.com
Copying SSL certificate for the Directory Server from STAR_cora_nwra_com.p12
Creating SSL certificate for the dogtag Directory Server
ipa: ERROR: cert validation failed for "CN=ipa.cora.nwra.com,O=NWRA.COM"
((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not
trusted by the user.)
preparation of replica failed: cannot connect to
'https://ipa.cora.nwra.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno
-8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked
as not trusted by the user.
cannot connect to
'https://ipa.cora.nwra.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno
-8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked
as not trusted by the user.
   File "/usr/sbin/ipa-replica-prepare", line 459, in <module>
     main()

   File "/usr/sbin/ipa-replica-prepare", line 353, in main
     export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dogtagcert",
replica_fqdn, subject_base)

   File "/usr/sbin/ipa-replica-prepare", line 143, in export_certdb
     raise e

Any suggestions?

I don't really understand how the dogtag ca fits in with this scenario. Should
I just get rid of it?  Can I?


I (re?) added the dogtag ca cert to the /etc/httpd/alias db:

certutil -d /var/lib/pki-ca/alias/ -L -n 'caSigningCert cert-pki-ca' -a > IPACA.asc

certutil -d /etc/httpd/alias -A -n 'IPA CA' -i IPACA.asc -t CTu,Cu,Cu

Now I get:

Preparing replica for ipapub.cora.nwra.com from ipa.cora.nwra.com
Copying SSL certificate for the Directory Server from STAR_cora_nwra_com.p12
Creating SSL certificate for the dogtag Directory Server
Certificate issuance failed

/var/log/pki-ca/debug shows:

[16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet Input Parameter requestor_name='IPA Installer' [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet Input Parameter xmlOutput='true' [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet Input Parameter profileId='caIPAserviceCert'
[16/Jan/2013:16:46:35][http-9444-2]: End of ProfileSubmitServlet Input 
Parameters
[16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: start serving
[16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: SubId=profile
[16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: isRenewal false
[16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: profileId caIPAserviceCert [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: authenticator raCertAuth found [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet:setCredentialsIntoContext() authIds` null [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmistServlet: set Inputs into profile Context [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: set sslClientCertProvider
[16/Jan/2013:16:46:35][http-9444-2]: AgentCertAuthentication: start
[16/Jan/2013:16:46:35][http-9444-2]: authenticator instance name is raCertAuth
[16/Jan/2013:16:46:35][http-9444-2]: AgentCertAuthenticator: got provider
[16/Jan/2013:16:46:35][http-9444-2]: AgentCertAuthenticator: retrieving client certificate [16/Jan/2013:16:46:35][http-9444-2]: AgentCertAuthentication: No SSL Client Certs Found [16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: authentication error Invalid Credential.

What cert needs to be created? Aren't I already specifying the certs for the new server?

Thanks.

--
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder Office                  FAX: 303-415-9702
3380 Mitchell Lane                       or...@nwra.com
Boulder, CO 80301                   http://www.nwra.com

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to