James James wrote:
I had to set the --dirsrv_pkcs12, --dirsrv_pin, --http_pkcs12,
--http_pin and the ipa-replica-prepare command runs without failure.
Thanks for your help.
Yes, this is what I was going to suggest. Using ipa-server-certinstall
replaces the IPA CA with an external one.
I should note that we're deprecating this tool and do not recommend that
it be used. We instead suggest that if you need certificates from an
external CA you get the IPA CA signed as a subordinate.
rob
2013/2/8 James James <jre...@gmail.com>
My ipa version is ipa-server-2.2.0-17.el6_3.1.x86_64 and the distro
is Scientific Linux 6.3. I have used ipa-server-certinstall to
replace the default IPA certs.
2013/2/8 Rob Crittenden <rcrit...@redhat.com>
James James wrote:
Hi,
Today I wanted to install an IPA replica. When I used the
ipa-replica-prepare command, I got this error:
[root@ipa ~]# ipa-replica-prepare ipa2-example.com
Directory Manager (existing master) password:
Preparing replica for ipa-EXAMPLE.COM from ipa.EXAMPLE.COM
Creating SSL certificate for the Directory Server
certutil: could not find certificate named "CN=EXAMPLE.COM Certificate Authority": security library: bad database.
certutil: unable to create cert (security library: bad database.)
preparation of replica failed: Command '/usr/bin/certutil -d /tmp/tmpoUpN72ipa/realm_info -A -n Server-Cert -t u,u,u -i /var/lib/ipa/ipa-6qKbha/__tmpcert.der -f /tmp/tmpoUpN72ipa/realm_info/__pwdfile.txt' returned non-zero exit status 255
Command '/usr/bin/certutil -d /tmp/tmpoUpN72ipa/realm_info -A -n Server-Cert -t u,u,u -i /var/lib/ipa/ipa-6qKbha/__tmpcert.der -f /tmp/tmpoUpN72ipa/realm_info/__pwdfile.txt' returned non-zero exit status 255
  File "/usr/sbin/ipa-replica-prepare", line 459, in <module>
    main()
  File "/usr/sbin/ipa-replica-prepare", line 345, in main
    export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert", replica_fqdn, subject_base)
  File "/usr/sbin/ipa-replica-prepare", line 143, in export_certdb
    raise e
I have a certificate generated by a custom certificate authority in the
ipa server.
Need more information on your installation. What version of IPA,
what distro?
Did you use ipa-server-certinstall to replace the default IPA certs?
rob
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users