James James wrote:
I had to set the --dirsrv_pkcs12, --dirsrv_pin, --http_pkcs12,
--http_pin and the ipa-replica-prepare command runs without failure.

Thanks for your help.

Yes, this is what I was going to suggest. Using ipa-server-certinstall replace the IPA CA with an external one.

I should note that we're deprecating this tool and do not recommend that it be used. We instead suggest that if you need certificates from an external CA you get the IPA CA signed as a subordinate.


2013/2/8 James James <jre...@gmail.com <mailto:jre...@gmail.com>>

    My ipa version is ipa-server-2.2.0-17.el6_3.1.x86_64 and the distro
    is  Scientific Linux 6.3.  I have used ipa-server-certinstall to
    replace the default IPA certs.

    2013/2/8 Rob Crittenden <rcrit...@redhat.com

        James James wrote:

            today I wanted to install a ipa replica. When I used the
            ipa-replica-prepare command, I've got this error :

            [root@ipa ~]# ipa-replica-prepare ipa2-example.com
            <http://ipa2-example.com> <http://ipa2-example.com>

            Directory Manager (existing master) password:

            Preparing replica for ipa-EXAMPLE.COM from ipa.EXAMPLE.COM

            Creating SSL certificate for the Directory Server
            certutil: could not find certificate named "CN=EXAMPLE.COM
            <http://EXAMPLE.COM> Certificate Authority": security
            library: bad database.

            certutil: unable to create cert (security library: bad
            preparation of replica failed: Command '/usr/bin/certutil -d
            /tmp/tmpoUpN72ipa/realm_info -A -n Server-Cert -t u,u,u -i
            /var/lib/ipa/ipa-6qKbha/__tmpcert.der -f
            /tmp/tmpoUpN72ipa/realm_info/__pwdfile.txt' returned
            non-zero exit status 255
            Command '/usr/bin/certutil -d /tmp/tmpoUpN72ipa/realm_info -A -n
            Server-Cert -t u,u,u -i /var/lib/ipa/ipa-6qKbha/__tmpcert.der -f
            /tmp/tmpoUpN72ipa/realm_info/__pwdfile.txt' returned
            non-zero exit status 255
                File "/usr/sbin/ipa-replica-__prepare", line 459, in

                File "/usr/sbin/ipa-replica-__prepare", line 345, in main
                  export_certdb(api.env.realm, ds_dir, dir,
            passwd_fname, "dscert",
            replica_fqdn, subject_base)

                File "/usr/sbin/ipa-replica-__prepare", line 143, in
                  raise e

            I have a certificate generated by a custom certificate
            authority in the
            ipa server.

        Need more information on your installation. What version of IPA,
        what distro?

        Did you use ipa-server-certinstall to replace the default IPA certs?


Freeipa-users mailing list

Reply via email to