On 01/16/2013 06:50 PM, Rob Crittenden wrote:
Orion Poplawski wrote:
On 01/16/2013 04:28 PM, Orion Poplawski wrote:
I've installed ipa 2.2 on EL6. I initially simply did an ipa-server-install. Then I changed the cert used via ipa-server-certinstall to use a wildcard SSL cert issued by Comodo. This has led to a lot of grief and needing to install the Comodo CA chain into lots of SSL dbs.

Now I'm looking at replicating the server with:

ipa-replica-prepare ipapub.cora.nwra.com
--dirsrv_pkcs12=STAR_cora_nwra_com.p12 --dirsrv_pin=xxxxx
--http_pkcs12=STAR_cora_nwra_com.p12 --http_pin=xxxxxx

But I get:

Preparing replica for ipapub.cora.nwra.com from ipa.cora.nwra.com
Copying SSL certificate for the Directory Server from STAR_cora_nwra_com.p12
Creating SSL certificate for the dogtag Directory Server
ipa: ERROR: cert validation failed for "CN=ipa.cora.nwra.com,O=NWRA.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
preparation of replica failed: cannot connect to 'https://ipa.cora.nwra.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.
cannot connect to 'https://ipa.cora.nwra.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.
  File "/usr/sbin/ipa-replica-prepare", line 459, in <module>
    main()

  File "/usr/sbin/ipa-replica-prepare", line 353, in main
    export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dogtagcert", replica_fqdn, subject_base)

  File "/usr/sbin/ipa-replica-prepare", line 143, in export_certdb
    raise e

Any suggestions?

I don't really understand how the dogtag ca fits in with this scenario. Should I just get rid of it? Can I?


I (re?) added the dogtag ca cert to the /etc/httpd/alias db:

certutil -d /var/lib/pki-ca/alias/ -L -n 'caSigningCert cert-pki-ca' -a > IPACA.asc

certutil -d /etc/httpd/alias -A -n 'IPA CA' -i IPACA.asc -t CTu,Cu,Cu

Now I get:

Preparing replica for ipapub.cora.nwra.com from ipa.cora.nwra.com
Copying SSL certificate for the Directory Server from STAR_cora_nwra_com.p12
Creating SSL certificate for the dogtag Directory Server
Certificate issuance failed

/var/log/pki-ca/debug shows:

[16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet Input Parameter requestor_name='IPA Installer'
[16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet Input Parameter xmlOutput='true'
[16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet Input Parameter profileId='caIPAserviceCert'
[16/Jan/2013:16:46:35][http-9444-2]: End of ProfileSubmitServlet Input Parameters
[16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: start serving
[16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: SubId=profile
[16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: isRenewal false
[16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: profileId caIPAserviceCert
[16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: authenticator raCertAuth found
[16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet:setCredentialsIntoContext() authIds` null
[16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmistServlet: set Inputs into profile Context
[16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: set sslClientCertProvider
[16/Jan/2013:16:46:35][http-9444-2]: AgentCertAuthentication: start
[16/Jan/2013:16:46:35][http-9444-2]: authenticator instance name is raCertAuth
[16/Jan/2013:16:46:35][http-9444-2]: AgentCertAuthenticator: got provider
[16/Jan/2013:16:46:35][http-9444-2]: AgentCertAuthenticator: retrieving client certificate
[16/Jan/2013:16:46:35][http-9444-2]: AgentCertAuthentication: No SSL Client Certs Found
[16/Jan/2013:16:46:35][http-9444-2]: ProfileSubmitServlet: authentication error Invalid Credential.

What cert needs to be created? Aren't I already specifying the certs for the new server?

Thanks.


We really need to put a big fat warning on this too: there be dragons.

It is really meant for v1 servers where we didn't have a full CA. The CA is really integrated into IPA v2+ such that replacing certs is going to cause some amount of grief (as you've seen).

I didn't think we blew away the existing NSS database using the tool, though it certainly sounds like we are.

What you're missing is the ipaCert in /etc/httpd/alias. This is used to authenticate to dogtag. Can you poke around in /etc/httpd to see if a backup was made, or use certutil to get a list of the nicknames in there?

I'm guessing it is trying to issue an SSL cert for the CA 389-ds instance. There are no cli options for providing that. Even if you did manage to get a prepared file you'd likely run into a whole new batch of install problems.

Sorry about that. We really need to decide whether this tool is worth supporting at all and fix it (or make it safer) or simply do away with it. Right now it's just a really sharp tool waiting to cut someone.

rob

Thanks for the confirmation that this is indeed not very well supported :). I went down this route because I find it tedious to have to import CA certs into browsers and particularly into Thunderbird for accessing ldap address book directories. If there are suggestions for other ways to handle this, I would be appreciative. Otherwise I'll keep plugging away at this.

Do let me know if this is just not going to be supported though.

--
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA/CoRA Division                    FAX: 303-415-9702
3380 Mitchell Lane                  or...@cora.nwra.com
Boulder, CO 80301              http://www.cora.nwra.com
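Rob's suggestion to list the nicknames in /etc/httpd/alias with certutil, turned into a check. This is an added example and not FreeIPA's code: it parses the text that `certutil -d /etc/httpd/alias -L` prints (a constructed sample is embedded, with assumed nicknames other than the ipaCert named in the thread) rather than running certutil, and reports the two conditions behind the failures above: the agent cert being absent (dogtag's "No SSL Client Certs Found") and no CA being trusted for SSL (SEC_ERROR_UNTRUSTED_ISSUER).

```python
"""Check a certutil -L listing for what ipa-replica-prepare needs.

Added example, not FreeIPA's own code. Parses certutil's text output
offline; 'ipaCert' is the nickname named in the thread, the others in
the sample are assumed.
"""

# Agent certificate FreeIPA uses to authenticate to dogtag.
AGENT_NICK = "ipaCert"

# Constructed sample of `certutil -d /etc/httpd/alias -L` output after
# the certinstall and certutil -A steps in the thread: the CA entries
# are there, but ipaCert is gone.
SAMPLE_LISTING = """\
Certificate Nickname                                 Trust Attributes
                                                     SSL,S/MIME,JAR/XPI

Server-Cert                                          u,u,u
IPA CA                                               CTu,Cu,Cu
COMODO RSA Certification Authority                   C,,
"""


def parse_certutil_listing(text):
    """Return {nickname: (ssl, smime, jar)} trust strings from certutil -L output."""
    certs = {}
    for line in text.splitlines():
        line = line.rstrip()
        # Skip the two header lines and blank separators.
        if (not line or line.startswith("Certificate Nickname")
                or line.lstrip().startswith("SSL,")):
            continue
        # Nicknames may contain spaces; the trust string is the last token.
        nick, _, flags = line.rpartition(" ")
        ssl, smime, jar = (flags.split(",") + ["", "", ""])[:3]
        certs[nick.strip()] = (ssl, smime, jar)
    return certs


def check_replica_prepare_db(listing, agent_nick=AGENT_NICK):
    """List the problems that produce the two failures seen in the thread."""
    certs = parse_certutil_listing(listing)
    problems = []
    if agent_nick not in certs:
        # Without the agent cert, dogtag logs 'No SSL Client Certs Found'.
        problems.append(f"missing agent certificate '{agent_nick}'")
    # SEC_ERROR_UNTRUSTED_ISSUER: nothing in the DB is trusted as an SSL CA ('C').
    if not any("C" in ssl for ssl, _, _ in certs.values()):
        problems.append("no certificate trusted as an SSL CA (missing 'C' flag)")
    return problems
```

Run it against `certutil -d /etc/httpd/alias -L` output captured to a file to see which of the two conditions applies before retrying ipa-replica-prepare.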

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
