Hi, I get the same error when I use a pk12 with only the server certificate (and key) in it. Not sure what else I can try.
Regards,
D

2015-04-11 0:23 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>:
> David Dejaeghere wrote:
> > Hi,
> >
> > I even tried the command using an export from the http service nss db,
> > same issue.
> >
> > Regarding SELinux:
> > ausearch -m AVC -ts recent
> > <no matches>
> >
> > Sending you the log personally.
>
> Ok, so the way the certs are imported is all the certs in the PKCS#12
> file are loaded in, then marked as untrusted.
>
> certutil -O is executed against the server cert which prints out what
> the trust chain should be and those certs marked as trusted CA's.
>
> That part is working fine.
>
> Finally it makes another pass through the database to verify the chain.
>
> Looking at the output there are two certs with the subject CN=Go Daddy
> Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
> and different serial numbers. I wonder if this is confusing the cert loader.
> These certs are included in the PKCS#12 file (serial #0 and #1828629 AFAICT).
> I don't know which one is the "right" one, or if there even is one.
>
> rob
>
> > Regards,
> >
> > D
> >
> > 2015-04-10 17:03 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>:
> > > David Dejaeghere wrote:
> > > > Hi Rob,
> > > >
> > > > Without the --http-pin the command will give a prompt to enter the password.
> > > > Tried both.
> > > >
> > > > I am sending the output of the pk12util -l to you in another email.
> > > > It holds the wildcard certificate and the godaddy bundle, as far as I
> > > > can tell.
> > >
> > > I have to admit, I'm a bit stumped. (SEC_ERROR_LIBRARY_FAILURE) is a
> > > rather generic NSS error which can mean any number of things. It often
> > > means that the NSS database it is using is bad in some way but given
> > > that this is a temporary database created just for this purpose I doubt
> > > that's it. You may want to look for SELinux AVCs though: ausearch -m AVC
> > > -ts recent.
> > >
> > > At the point where it is blowing up, the PKCS#12 file has already been
> > > imported and IPA is walking through the results trying to ensure that
> > > the full cert trust chain is available. It does this by reading the
> > > certs out of the database, and at that point it's blowing up.
> > >
> > > The PKCS#12 output you sent me looks ok. I don't believe this is an
> > > issue with trust or missing parts of the chain.
> > >
> > > I created a simple PKCS#12 file and was able to prepare a replica using
> > > it, so AFAICT the code isn't completely broken.
> > >
> > > Can you provide the full output from ipa-replica-prepare?
> > >
> > > rob
> > >
> > > > Regards,
> > > >
> > > > D
> > > >
> > > > 2015-04-09 21:39 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>:
> > > > > David Dejaeghere wrote:
> > > > > > Hi,
> > > > > >
> > > > > > Sorry for the lack of details!
> > > > > > You are indeed correct about the version, it's 4.1.
> > > > > > The command I am using is this:
> > > > > > ipa-replica-prepare ipa-r1.myobscureddomain.com --http-cert-file
> > > > > > /home/fedora/newcert.pk12 --dirsrv-cert-file /home/fedora/newcert.pk12
> > > > > > --ip-address 172.31.16.31 -v
> > > > >
> > > > > I was pretty sure a pin was required with those options as well.
> > > > >
> > > > > What do the PKCS#12 files look like: pk12util -l /home/fedora/newcert.pk12
> > > > >
> > > > > rob
> > > > >
> > > > > > Regards,
> > > > > >
> > > > > > D
> > > > > >
> > > > > > 2015-04-09 16:16 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>:
> > > > > > > David Dejaeghere wrote:
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > Does somebody have any pointers for me regarding this issue?
> > > > > > >
> > > > > > > It would help very much if you'd include the version you're working
> > > > > > > with. Based on line numbers I'll assume IPA 4.1.
> > > > > > >
> > > > > > > It's hard to say since you don't include the command-line you're using,
> > > > > > > or what those files consist of.
> > > > > > >
> > > > > > > It looks like it is blowing up trying to verify that the whole
> > > > > > > certificate chain is available. NSS unfortunately doesn't always provide
> > > > > > > the best error messages so it's hard to say why this particular cert
> > > > > > > can't be loaded.
> > > > > > >
> > > > > > > rob
> > > > > > >
> > > > > > > > Regards,
> > > > > > > >
> > > > > > > > D
> > > > > > > >
> > > > > > > > 2015-04-07 13:34 GMT+02:00 David Dejaeghere <david.dejaegh...@gmail.com>:
> > > > > > > > > Hello,
> > > > > > > > >
> > > > > > > > > I am trying to set up a replica for my master which has been set up
> > > > > > > > > with an external CA to use our godaddy wildcard certificate.
> > > > > > > > > The ipa-replica-prepare is failing with the following debug
> > > > > > > > > information.
> > > > > > > > > I am using --http-cert and --dirsrv-cert with my pk12 server
> > > > > > > > > certificate.
> > > > > > > > > What can I verify to get an idea of what is going wrong?
> > > > > > > > >
> > > > > > > > > ipa: DEBUG: stderr=
> > > > > > > > > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:
> > > > > > > > >   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in execute
> > > > > > > > >     self.ask_for_options()
> > > > > > > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 276, in ask_for_options
> > > > > > > > >     options.http_cert_name)
> > > > > > > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 176, in load_pkcs12
> > > > > > > > >     host_name=self.replica_fqdn)
> > > > > > > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 785, in load_pkcs12
> > > > > > > > >     nss_cert = x509.load_certificate(cert, x509.DER)
> > > > > > > > >   File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 128, in load_certificate
> > > > > > > > >     return nss.Certificate(buffer(data))
> > > > > > > > > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The
> > > > > > > > > ipa-replica-prepare command failed, exception: NSPRError:
> > > > > > > > > (SEC_ERROR_LIBRARY_FAILURE) security library failure.
> > > > > > > > > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR:
> > > > > > > > > (SEC_ERROR_LIBRARY_FAILURE) security library failure.
> > > > > > > > >
> > > > > > > > > Regards,
> > > > > > > > >
> > > > > > > > > D
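As an added example, not code from the thread or from FreeIPA: a POSIX shell script (using the openssl CLI instead of pk12util/certutil) that lists every certificate in a PKCS#12 bundle and flags any subject that appears more than once, the condition Rob spots in the Go Daddy bundle. The sample bundle it builds, the password "secret" and the "Example Root CA" name are constructed here; it assumes openssl is installed.

```shell
#!/bin/sh
# Added example, not from the thread: list every certificate in a PKCS#12
# bundle and flag subjects that occur more than once (the two "Go Daddy Root
# Certificate Authority - G2" certs with different serials Rob noticed).
# Assumes the openssl CLI is installed; pk12util/certutil are not used.
set -e

# Print one "serial=...<TAB>subject=..." line per certificate in the bundle.
pkcs12_cert_summary() {  # $1 = .p12 path, $2 = password
  tmp=$(mktemp -d)
  # Split the PEM output into one file per certificate, then describe each.
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null |
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++; f=d "/cert" n ".pem"}
      /-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/{print > f}'
  for f in "$tmp"/cert*.pem; do
    [ -e "$f" ] || continue   # nothing extracted (bad file or password)
    openssl x509 -in "$f" -noout -serial -subject -nameopt RFC2253 |
      paste -sd '\t' -
  done
  rm -rf "$tmp"
}

# Subjects present more than once; empty output means no duplicates.
pkcs12_duplicate_subjects() {  # $1 = .p12 path, $2 = password
  pkcs12_cert_summary "$1" "$2" | tr '\t' '\n' | grep '^subject=' | sort | uniq -d
}

# Constructed sample bundle: a leaf signed by one self-signed root, plus a
# second root with the same subject but a different key and serial number.
make_sample_bundle() {  # $1 = work dir; prints the path of the .p12 file
  d=$1; s="/CN=Example Root CA"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$s" -set_serial 1 \
    -keyout "$d/ca1.key" -out "$d/ca1.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$s" -set_serial 1828629 \
    -keyout "$d/ca2.key" -out "$d/ca2.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ipa-r1.example.test" \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
  openssl x509 -req -in "$d/srv.csr" -CA "$d/ca1.crt" -CAkey "$d/ca1.key" \
    -set_serial 100 -days 1 -out "$d/srv.crt" 2>/dev/null
  cat "$d/ca1.crt" "$d/ca2.crt" > "$d/chain.pem"
  openssl pkcs12 -export -inkey "$d/srv.key" -in "$d/srv.crt" \
    -certfile "$d/chain.pem" -passout pass:secret -out "$d/bundle.p12"
  echo "$d/bundle.p12"
}

w=$(mktemp -d); p=$(make_sample_bundle "$w")
pkcs12_cert_summary "$p" secret
echo "duplicate subjects:"; pkcs12_duplicate_subjects "$p" secret
rm -rf "$w"
```

Run it against a real bundle with `pkcs12_duplicate_subjects /path/to/file.p12 'password'`; a non-empty result is the same situation Rob describes and is worth resolving before feeding the file to ipa-replica-prepare.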
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project