Steven Jones wrote:
> Hi,
>
> I have no idea how.

$ kinit admin
$ ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX

It should have an attribute cACertificate;binary likely beginning with
MII. If it begins with TU then it is likely double-encoded.

And remember, this may be a red herring.

rob

>
> regards
>
> Steven
> ________________________________________
> From: Rob Crittenden <rcrit...@redhat.com>
> Sent: Tuesday, 17 February 2015 10:40 a.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into
> a RHEL6.6 cluster so I can upgrade.
>
> Steven Jones wrote:
>> While attempting to initialise the new server I am getting,
>>
>>
>> [root@xx <mailto:root@vuwunicoipam001> replica-files]# ipa-replica-install
>> --setup-dns --forwarder=10.100.32.31 --no-reverse replica-info-xxx.gpg
>> --skip-conncheck --debug
>>
>>
>> =====8><----
>> packages/ipaserver/install/plugins/update_uniqueness.py'
>> ipa : DEBUG importing plugin module
>> '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py'
>> ipa : DEBUG importing plugin module
>> '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/upload_cacrt.py'
>> ipa.ipaserver.install.installutils: DEBUG group dirsrv exists
>> ipa.ipaserver.install.installutils: DEBUG user dirsrv exists
>> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Created connection
>> context.ldap2_59928528
>> ipa.ipapython.ipaldap.SchemaCache: DEBUG flushing
>> ldaps://vuwunicoipam002.ods.vuw.ac.nz from SchemaCache
>> ipa.ipapython.ipaldap.SchemaCache: DEBUG retrieving schema for
>> SchemaCache url=ldaps://vuwunicoipam002.ods.vuw.ac.nz
>> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x39d9ef0>
>> error copying files: failed to decode certificate:
>> (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Destroyed connection
>> context.ldap2_59928528
>> ipa : DEBUG File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line
>> 646, in run_script
>> return_value = main_function()
>>
>> File "/sbin/ipa-replica-install", line 658, in main
>> install_ca_cert(conn, api.env.basedn, api.env.realm, cafile)
>>
>> File "/sbin/ipa-replica-install", line 227, in install_ca_cert
>> sys.exit(1)
>>
>> ipa : DEBUG The ipa-replica-install command failed, exception:
>> SystemExit: 1
>>
>> ========
>>
>>
>> Any idea what is wrong please?
>
> What a strange error. My initial thought was that it couldn't read or
> parse the CA cert from the 3.0 master, but this security library error
> is unexpected.
>
> I might be sending you on a wild goose chase but take a look at the CA
> cert in cn=CAcert,cn=ipa,cn=etc,$SUFFIX
>
> There was a bug quite a while back where the cert value was
> double-base64-encoded. I wouldn't expect this error from this problem
> but who knows.
>
> rob
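
The MII/TU check described in the reply above, written out as an added example (not part of the original thread and not FreeIPA code): a DER certificate starts with bytes 0x30 0x82, which base64-encode to "MII", and base64-encoding that text again yields "TUlJ". The function names, the `dc=example,dc=test` suffix and the stand-in certificate bytes are assumptions constructed for the demonstration.

```python
import base64
import binascii

ATTR = "cACertificate;binary"

def extract_value(ldif: str, attr: str = ATTR) -> str:
    """Return the base64 text after 'attr::' in ldapsearch output, unfolding LDIF continuation lines."""
    for line in ldif.replace("\n ", "").splitlines():
        name, sep, value = line.partition("::")
        if sep and name.strip().lower() == attr.lower():
            return value.strip()
    raise ValueError(f"{attr} not found as a base64 (::) value")

def looks_like_der(data: bytes) -> bool:
    """True if data is a single DER SEQUENCE (0x30 0x82 + 16-bit length) filling the whole buffer."""
    return (len(data) > 4 and data[:2] == b"\x30\x82"
            and int.from_bytes(data[2:4], "big") + 4 == len(data))

def base64_layers(value: str, max_layers: int = 3) -> int:
    """Count base64 layers around the DER: 1 is a healthy entry as displayed, 2 is double-encoded."""
    data = value.encode("ascii")
    for layer in range(1, max_layers + 1):
        try:
            data = base64.b64decode(b"".join(data.split()), validate=True)
        except (binascii.Error, ValueError) as exc:
            raise ValueError(f"layer {layer} is not valid base64") from exc
        if looks_like_der(data):
            return layer
    raise ValueError("no DER certificate found within max_layers")

# Constructed stand-in for a certificate: DER SEQUENCE header plus filler bytes, not a real cert.
_body = bytes(range(256)) + b"\x00" * 44
SAMPLE_DER = b"\x30\x82" + len(_body).to_bytes(2, "big") + _body

def as_ldif(stored: bytes) -> str:
    """Render a stored value as ldapsearch prints it: base64 after '::', folded with leading spaces."""
    line = f"{ATTR}:: {base64.b64encode(stored).decode()}"
    folded = "\n ".join(line[i:i + 76] for i in range(0, len(line), 76))
    return f"dn: cn=CAcert,cn=ipa,cn=etc,dc=example,dc=test\n{folded}\n"  # placeholder suffix

GOOD_LDIF = as_ldif(SAMPLE_DER)                      # value begins "MII"
DOUBLE_LDIF = as_ldif(base64.b64encode(SAMPLE_DER))  # value begins "TU"

if __name__ == "__main__":
    for label, ldif in (("good", GOOD_LDIF), ("double", DOUBLE_LDIF)):
        value = extract_value(ldif)
        print(label, value[:4], "layers:", base64_layers(value))
```

To check a real entry, pass the saved output of the ldapsearch command above to `extract_value` and then to `base64_layers`; a result of 2 matches the double-encoding bug mentioned in the reply.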