Trying to upgrade from FreeIPA 3.0 running on CentOS 6 to 3.3 on CentOS 7 using migration. I seem to have run into some certificate problems and the replica installation halts half-way through. We have a simple CA-structure, where FreeIPA has been installed as a sub-CA directly under a root CA.

A replica bundle was created on the master using:

    ipa-replica-prepare replica.example.net --ip-address 192.168.100.2

The gpg-file was copied to replica:/var/lib/ipa and the following command was executed:

    ipa-replica-install --mkhomedir -d --setup-ca --setup-dns --no-forwarders /var/lib/ipa/replica-info-replica.example.net.gpg

During the first attempt, I was instructed to also run copy-schema-to-ca.py on the master server, which has been done.

The replica installation halts complaining that ca.crt contains more than one certificate. Both the FreeIPA CA and the Root CA certificates are in that file.

Debug output in /var/log/ipareplica-install.log tells the following:

2014-08-08T12:22:08Z DEBUG   [17/34]: configuring ssl for ds instance
2014-08-08T12:22:08Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2014-08-08T12:22:08Z DEBUG Starting external process
2014-08-08T12:22:08Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-NET/ -N -f /etc/dirsrv/slapd-EXAMPLE-NET//pwdfile.txt
2014-08-08T12:22:08Z DEBUG Process finished, return code=0
2014-08-08T12:22:08Z DEBUG stdout=
2014-08-08T12:22:08Z DEBUG stderr=
2014-08-08T12:22:08Z DEBUG Starting external process
2014-08-08T12:22:08Z DEBUG args=/usr/bin/pk12util -d /etc/dirsrv/slapd-EXAMPLE-NET/ -i /tmp/tmpNOzZ3cipa/realm_info/dscert.p12 -k /etc/dirsrv/slapd-EXAMPLE-NET//pwdfile.txt -v -w /dev/stdin
2014-08-08T12:22:08Z DEBUG Process finished, return code=0
2014-08-08T12:22:08Z DEBUG stdout=pk12util: PKCS12 IMPORT SUCCESSFUL
2014-08-08T12:22:08Z DEBUG stderr=
2014-08-08T12:22:08Z DEBUG Starting external process
2014-08-08T12:22:08Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-NET/ -L
2014-08-08T12:22:08Z DEBUG Process finished, return code=0
2014-08-08T12:22:08Z DEBUG stdout=
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
CN=Example Root CA,O=Example AB                              ,,
EXAMPLE.NET IPA CA                                           ,,

2014-08-08T12:22:08Z DEBUG stderr=
2014-08-08T12:22:08Z DEBUG Starting external process
2014-08-08T12:22:08Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-NET/ -A -n CA -t CT,CT, -a
2014-08-08T12:22:08Z DEBUG Process finished, return code=0
2014-08-08T12:22:08Z DEBUG stdout=
2014-08-08T12:22:08Z DEBUG stderr=
2014-08-08T12:22:08Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 638, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-replica-install", line 664, in main
    ds = install_replica_ds(config)
  File "/usr/sbin/ipa-replica-install", line 189, in install_replica_ds
    ca_file=config.dir + "/ca.crt",
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 360, in create_replica
    self.start_creation(runtime=60)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 364, in start_creation
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 606, in enable_ssl
    ca_file=self.ca_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 841, in create_from_pkcs12
    self.nssdb.import_pem_cert('CA', 'CT,CT,', ca_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 240, in import_pem_cert
    location)

2014-08-08T12:22:08Z DEBUG The ipa-replica-install command failed, exception: ValueError: /tmp/tmpNOzZ3cipa/realm_info/ca.crt contains more than one certificate

Is there anything obvious that is wrong or odd with this setup or process?

Best regards
Nicklas Björk
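
An added example, not part of the original post and not FreeIPA's own code: a stand-alone check that counts the PEM certificate blocks in a file such as ca.crt, which is the condition the ValueError in the log reports. The function names and the sample bundle are constructed for illustration; the placeholder blocks are not real certificates.

```python
import base64
import hashlib
import re

# One PEM certificate block; the body is base64, possibly wrapped over lines.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_bundle(pem_text):
    """Return the decoded (DER) bytes of every certificate block found."""
    ders = []
    for match in PEM_CERT_RE.finditer(pem_text):
        body = "".join(match.group(1).split())  # drop line wrapping
        ders.append(base64.b64decode(body, validate=True))
    return ders


def describe_bundle(pem_text):
    """List (position, SHA-256 of the DER bytes, DER length) per block."""
    return [(i, hashlib.sha256(der).hexdigest(), len(der))
            for i, der in enumerate(split_pem_bundle(pem_text), 1)]


def check_single_cert(pem_text, path="ca.crt"):
    """Raise ValueError unless the text holds exactly one certificate block."""
    ders = split_pem_bundle(pem_text)
    if not ders:
        raise ValueError("%s contains no certificate" % path)
    if len(ders) > 1:
        raise ValueError("%s contains more than one certificate" % path)
    return ders[0]


def _constructed_pem(placeholder):
    """Wrap placeholder bytes in PEM armour (constructed sample, not a cert)."""
    body = base64.b64encode(placeholder).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


# Constructed sample mirroring the post: sub-CA and root CA in one file.
SAMPLE_BUNDLE = (_constructed_pem(b"constructed placeholder: IPA CA") +
                 _constructed_pem(b"constructed placeholder: Root CA"))

if __name__ == "__main__":
    for pos, digest, size in describe_bundle(SAMPLE_BUNDLE):
        print("block %d: sha256=%s (%d bytes)" % (pos, digest, size))
    try:
        check_single_cert(SAMPLE_BUNDLE)
    except ValueError as exc:
        print("check failed:", exc)
```

To inspect a real file, pass its contents, for example `describe_bundle(open(path).read())`.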