James James wrote:
Maybe I am stupid or tired (or both ..) but I  have tried many thing to
include the ca cert, the ipa key and pem file in a single pkcs12 file
but I am still stucked.

Can you give me a more detailled help ?

Well, this is one of the reasons we're deprecating this feature, because it hasn't been well-tested since v1 and is ridden with corner cases.

I think the only solution is going to be to in direct code changes to the IPA python scripts to match what your PKCS#12 files contain. If it is signed by a root CA then chances are if you simply skip the step where the CA is loaded and trusted then things may just work.

It is failing in ipaserver/install/certs.p12 in the call to find_root_cert_from_pkcs12(). Either it is simply an issue of our identifying the CA or one isn't being loaded at all.

You can do: certutil -L -d /etc/dirsrv/slapd-YOUR_REALM to list the certificates that were loaded. It may be that the CA was loaded but we aren't detecting the nickname, in which case you could simply hardcode it into the python file for a workaround, something like:

ca_names = ['CA nickname']

rob


2013/2/8 Rob Crittenden <rcrit...@redhat.com <mailto:rcrit...@redhat.com>>

    James James wrote:

        OK .. but I have to put the pkc12 file in /etc/pki/nssdb ?


    No. The PKCS#12 file that contains your server private key and cert
    needs to also contain the CA that signed it.

    rob



        2013/2/8 Rob Crittenden <rcrit...@redhat.com
        <mailto:rcrit...@redhat.com> <mailto:rcrit...@redhat.com
        <mailto:rcrit...@redhat.com>>>


             James James wrote:

                 Now on the replica server I've got this error :
                 Run connection check to master
                 Connection check OK
                 Configuring ntpd
                     [1/4]: stopping ntpd
                     [2/4]: writing configuration
                     [3/4]: configuring ntpd to start on boot
                     [4/4]: starting ntpd
                 done configuring ntpd.
                 Configuring directory server: Estimated time 1 minute
                     [1/30]: creating directory server user
                     [2/30]: creating directory server instance
                     [3/30]: adding default schema
                     [4/30]: enabling memberof plugin
                     [5/30]: enabling referential integrity plugin
                     [6/30]: enabling winsync plugin
                     [7/30]: configuring replication version plugin
                     [8/30]: enabling IPA enrollment plugin
                     [9/30]: enabling ldapi
                     [10/30]: configuring uniqueness plugin
                     [11/30]: configuring uuid plugin
                     [12/30]: configuring modrdn plugin
                     [13/30]: enabling entryUSN plugin
                     [14/30]: configuring lockout plugin
                     [15/30]: creating indices
                     [16/30]: configuring ssl for ds instance
                 creation of replica failed: Could not find a CA cert in
                 /tmp/tmp21VpT8ipa/realm_info/____dscert.p12


                 Your system may be partly configured.
                 Run /usr/sbin/ipa-server-install --uninstall to clean up.


                 Where I have to put the CA certficate ?


             It needs to be in the PKCS#12 file.

             rob





_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to