David Dejaeghere wrote:
> Hi,
> 
> I even tried the command using an export from the http service nss db,
> same issue.
> 
> regarding SElinux:
> ausearch -m AVC -ts recent
> <no matches>
> 
> Sending you the log personally.

Ok, so the way the certs are imported is all the certs in the PKCS#12
file are loaded in, then marked as untrusted.

certutil -O is executed against the server cert which prints out what
the trust chain should be and those certs marked as trusted CA's.

That part is working fine.

Finally it makes another pass through the database to verify the chain.

Looking at the output there are two certs with the subject CN=Go Daddy
Root Certificate Authority - G2,O="GoDaddy.com,
Inc.",L=Scottsdale,ST=Arizona,C=US and different serial numbers. I
wonder if this is confusing the cert loader. These certs are included in
the PKCS#12 file (serial #0 and #1828629 AFAICT). I don't know which one
is the "right' one, or if there even is one.

rob


> 
> Regards,
> 
> D
> 
> 2015-04-10 17:03 GMT+02:00 Rob Crittenden <rcrit...@redhat.com
> <mailto:rcrit...@redhat.com>>:
> 
>     David Dejaeghere wrote:
>     > Hi Rob,
>     >
>     > Without the --http-pin the command will give a prompt to enter the 
> password.
>     > Tried both.
>     >
>     > I am sending the output of the pk12util -l to you in another email.
>     > It holds the wildcard certificate and the godaddy bundle for as far as I
>     > can tell.
> 
>     I have to admit, I'm a bit stumped. (SEC_ERROR_LIBRARY_FAILURE) is a
>     rather generic NSS error which can mean any number of things. It often
>     means that the NSS database it is using is bad in some way but given
>     that this is a temporary database created just for this purpose I doubt
>     that's it. You may want to look for SELinux AVCs though: ausearch -m AVC
>     -ts recent.
> 
>     At the point where it is blowing up, the PKCS#12 file has already been
>     imported and IPA is walking through the results trying to ensure that
>     the full cert trust chain is available. It does this by reading the
>     certs out of the database, and at that point it's blowing up.
> 
>     The PKCS#12 output you sent me looks ok. I don't believe this is an
>     issue with trust or missing parts of the chain.
> 
>     I created a simple PKCS#12 file and was able to prepare a replica using
>     it, so AFAICT the code isn't completely broken.
> 
>     Can you provide the full output from ipa-replica-prepare?
> 
>     rob
>     >
>     > Regards,
>     >
>     > D
>     >
>     > 2015-04-09 21:39 GMT+02:00 Rob Crittenden <rcrit...@redhat.com 
> <mailto:rcrit...@redhat.com>
>     > <mailto:rcrit...@redhat.com <mailto:rcrit...@redhat.com>>>:
>     >
>     >     David Dejaeghere wrote:
>     >     > Hi,
>     >     >
>     >     > Sorry for the lack of details!
>     >     > You are indeed  correct about the version its 4.1
>     >     > The command I am using is this:
>     >     > ipa-replica-prepare ipa-r1.myobscureddomain.com 
> <http://ipa-r1.myobscureddomain.com>
>     <http://ipa-r1.myobscureddomain.com>
>     >     > <http://ipa-r1.myobscureddomain.com> --http-cert-file
>     >     > /home/fedora/newcert.pk12 --dirsrv-cert-file 
> /home/fedora/newcert.pk12
>     >     > --ip-address 172.31.16.31 -v
>     >
>     >     I was pretty sure a pin was required with those options as well.
>     >
>     >     What do the PKCS#12 files look like: pk12util -l
>     >     /home/fedora/newcert.pk12
>     >
>     >     rob
>     >
>     >     >
>     >     > Regards,
>     >     >
>     >     > D
>     >     >
>     >     > 2015-04-09 16:16 GMT+02:00 Rob Crittenden <rcrit...@redhat.com 
> <mailto:rcrit...@redhat.com>
>     <mailto:rcrit...@redhat.com <mailto:rcrit...@redhat.com>>
>     >     > <mailto:rcrit...@redhat.com <mailto:rcrit...@redhat.com>
>     <mailto:rcrit...@redhat.com <mailto:rcrit...@redhat.com>>>>:
>     >     >
>     >     >     David Dejaeghere wrote:
>     >     >     > Hi,
>     >     >     >
>     >     >     > Does somebody have any pointers for me regarding this
>     issue?
>     >     >
>     >     >     It would help very much if you'd include the version
>     you're working
>     >     >     with. Based on line numbers I'll assume IPA 4.1.
>     >     >
>     >     >     It's hard to say since you don't include the
>     command-line you're using,
>     >     >     or what those files consist of.
>     >     >
>     >     >     It looks like it is blowing up trying to verify that the
>     whole
>     >     >     certificate chain is available. NSS unfortunately
>     doesn't always provide
>     >     >     the best error messages so it's hard to say why this
>     particular cert
>     >     >     can't be loaded.
>     >     >
>     >     >     rob
>     >     >
>     >     >     >
>     >     >     > Regards,
>     >     >     >
>     >     >     > D
>     >     >     >
>     >     >     > 2015-04-07 13:34 GMT+02:00 David Dejaeghere
>     <david.dejaegh...@gmail.com <mailto:david.dejaegh...@gmail.com>
>     <mailto:david.dejaegh...@gmail.com <mailto:david.dejaegh...@gmail.com>>
>     >     <mailto:david.dejaegh...@gmail.com
>     <mailto:david.dejaegh...@gmail.com>
>     <mailto:david.dejaegh...@gmail.com <mailto:david.dejaegh...@gmail.com>>>
>     >     >     > <mailto:david.dejaegh...@gmail.com
>     <mailto:david.dejaegh...@gmail.com>
>     >     <mailto:david.dejaegh...@gmail.com
>     <mailto:david.dejaegh...@gmail.com>>
>     >     >     <mailto:david.dejaegh...@gmail.com
>     <mailto:david.dejaegh...@gmail.com>
>     >     <mailto:david.dejaegh...@gmail.com
>     <mailto:david.dejaegh...@gmail.com>>>>>:
>     >     >     >
>     >     >     >     Hello,
>     >     >     >
>     >     >     >     I am trying to setup a replica for my master which has
>     >     been setup
>     >     >     >     with an external CA to use our godaddy wildcard
>     certificate.
>     >     >     >     The ipa-replica-prepare is failing with the
>     following debug
>     >     >     information.
>     >     >     >     I am using --http-cert  and --dirsrv-cert with my pk12
>     >     server
>     >     >     >     certificate.
>     >     >     >     What can I verify to get an idea of what is going
>     wrong?
>     >     >     >
>     >     >     >     ipa: DEBUG: stderr=
>     >     >     >
>     >      ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:
>     >     >     >     File
>     >     >   
>      "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line
>     >     >     >     169, in execute
>     >     >     >         self.ask_for_options()
>     >     >     >       File
>     >     >     >
>     >     >
>     >   
>      
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
>     >     >     >     line 276, in ask_for_options
>     >     >     >         options.http_cert_name)
>     >     >     >       File
>     >     >     >
>     >     >
>     >   
>      
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
>     >     >     >     line 176, in load_pkcs12
>     >     >     >         host_name=self.replica_fqdn)
>     >     >     >       File
>     >     >     >
>     >     >
>     >   
>      "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>     >     >     line
>     >     >     >     785, in load_pkcs12
>     >     >     >         nss_cert = x509.load_certificate(cert, x509.DER)
>     >     >     >       File
>     >     "/usr/lib/python2.7/site-packages/ipalib/x509.py", line
>     >     >     128,
>     >     >     >     in load_certificate
>     >     >     >         return nss.Certificate(buffer(data))
>     >     >     >
>     >     >     >   
>      ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare:
>     >     >     DEBUG: The
>     >     >     >     ipa-replica-prepare command failed, exception:
>     NSPRError:
>     >     >     >     (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>     >     >     >
>     >      ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR:
>     >     >     >     (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>     >     >     >
>     >     >     >     Regards,
>     >     >     >
>     >     >     >     D
>     >     >     >
>     >     >     >
>     >     >     >
>     >     >     >
>     >     >
>     >     >
>     >
>     >
> 
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to