On 01/16/2013 06:50 PM, Rob Crittenden wrote:

We really need to put a big fat warning on this too: there be dragons.

It is really meant for v1 servers where we didn't have a full CA. The CA is
really integrated into IPA v2+ such that replacing certs is going to cause
some amount of grief (as you've seen).

I didn't think we blew away the existing NSS database using the tool, though
it certainly sounds like we are.

What you're missing is the ipaCert in /etc/httpd/alias. This is used to
authenticate to dogtag. Can you poke around in /etc/httpd to see if a backup
was made, or use certutil to get a list of the nicknames in there?

I'm guessing it is trying to issue an SSL cert for the CA 389-ds instance.
There are no cli options for providing that. Even if you did manage to get a
prepared file you'd likely run into a whole new batch of install problems.

Sorry about that. We really need to decide whether this tool is worth
supporting at all and fix it (or make it safer) or simply do away with it.
Right now it's just a really sharp tool waiting to cut someone.


Well, it looks like it moved all of the existing files in /etc/httpd/alias to .orig extensions. I moved those over to an alias.orig directory and imported the ipaCert key. That allowed ipa-replica-prepare to run.

Preparing replica for ipapub.cora.nwra.com from ipa.cora.nwra.com
Copying SSL certificate for the Directory Server from STAR_cora_nwra_com.p12
Creating SSL certificate for the dogtag Directory Server
Copying SSL certificate for the Web Server from STAR_cora_nwra_com.p12
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-ipapub.cora.nwra.com.gpg

But then on ipa-replica-install, problems as predicted:

ipa-replica-install --setup-ca
  [16/30]: configuring ssl for ds instance
creation of replica failed: Could not find a CA cert in /tmp/tmpPAtailipa/realm_info/dscert.p12

Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder Office                  FAX: 303-415-9702
3380 Mitchell Lane                       or...@nwra.com
Boulder, CO 80301                   http://www.nwra.com
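Rob's suggestion above, to use certutil to list the nicknames in /etc/httpd/alias and confirm the ipaCert is still there, as an added example that is not part of this thread or of FreeIPA's own tooling. The POSIX shell script parses `certutil -L` output (nicknames may contain spaces, so the trust flags in the last column are stripped rather than splitting on whitespace), reports whether `ipaCert` is present, and points at any `*.orig` copies left behind in the database directory. The listing embedded below is constructed, and the realm EXAMPLE.COM is a placeholder.

```shell
#!/bin/sh
# Added example, not FreeIPA code: check that the httpd NSS database still
# holds the ipaCert nickname that IPA uses to authenticate to dogtag.

# nicknames_from_listing: read `certutil -L` output on stdin and print one
# nickname per line. The first two lines are the column headers; the trust
# flags (e.g. "u,u,u" or "CT,C,C") are the last field and are stripped.
nicknames_from_listing() {
    awk 'NR > 2 && NF > 0 { sub(/[ \t]+[A-Za-z,]*$/, ""); print }'
}

# listing_has_nickname LISTING NICKNAME: succeed if NICKNAME is an exact
# nickname in the LISTING text (no partial matches, e.g. "ipaCert-old").
listing_has_nickname() {
    printf '%s\n' "$1" | nicknames_from_listing | grep -qxF -- "$2"
}

# check_alias_db [DBDIR]: run certutil against a real NSS database and
# report whether ipaCert is present. Returns 0 if present, 1 if missing,
# 2 if the database could not be read.
check_alias_db() {
    dbdir="${1:-/etc/httpd/alias}"
    if ! command -v certutil >/dev/null 2>&1; then
        echo "certutil not found (install nss-tools)" >&2
        return 2
    fi
    listing=$(certutil -L -d "$dbdir") || return 2
    if listing_has_nickname "$listing" ipaCert; then
        echo "ipaCert present in $dbdir"
        return 0
    fi
    echo "ipaCert MISSING from $dbdir" >&2
    # The thread reports the old database files being renamed to *.orig;
    # list them so the operator knows where the previous key may be.
    if ls "$dbdir"/*.orig >/dev/null 2>&1; then
        echo "backup copies found:" >&2
        ls "$dbdir"/*.orig >&2
    fi
    return 1
}

# Constructed sample listing, shaped like `certutil -L` output, for a
# database from which ipaCert has been lost (realm is a placeholder).
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
Server-Cert                                                  u,u,u'

# Usage: sh check_ipacert.sh /etc/httpd/alias
if [ $# -gt 0 ]; then
    check_alias_db "$1"
fi
```

Run it against the live database with the directory as its only argument; a non-zero exit means the replica-prepare step will fail for the reason Rob describes, and the `*.orig` listing shows whether the previous database is still recoverable.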

Freeipa-users mailing list