David Dejaeghere wrote:
> Hi,
>
> I get the same error when I use a pk12 with only the server certificate
> (and key) in it.
> Not sure what else I can try.

I'd need to see the full output again.

rob

> Regards,
>
> D
>
> 2015-04-11 0:23 GMT+02:00 Rob Crittenden <[email protected]>:
>
> > David Dejaeghere wrote:
> > > Hi,
> > >
> > > I even tried the command using an export from the http service nss db,
> > > same issue.
> > >
> > > Regarding SELinux:
> > > ausearch -m AVC -ts recent
> > > <no matches>
> > >
> > > Sending you the log personally.
> >
> > Ok, so the way the certs are imported is all the certs in the PKCS#12
> > file are loaded in, then marked as untrusted.
> >
> > certutil -O is executed against the server cert which prints out what
> > the trust chain should be and those certs marked as trusted CAs.
> >
> > That part is working fine.
> >
> > Finally it makes another pass through the database to verify the chain.
> >
> > Looking at the output there are two certs with the subject CN=Go Daddy
> > Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,
> > ST=Arizona,C=US and different serial numbers. I wonder if this is
> > confusing the cert loader. These certs are included in the PKCS#12 file
> > (serial #0 and #1828629 AFAICT). I don't know which one is the "right"
> > one, or if there even is one.
> >
> > rob
> >
> > > Regards,
> > >
> > > D
> > >
> > > 2015-04-10 17:03 GMT+02:00 Rob Crittenden <[email protected]>:
> > >
> > > > David Dejaeghere wrote:
> > > > > Hi Rob,
> > > > >
> > > > > Without the --http-pin the command will give a prompt to enter the
> > > > > password. Tried both.
> > > > >
> > > > > I am sending the output of the pk12util -l to you in another email.
> > > > > It holds the wildcard certificate and the godaddy bundle as far as
> > > > > I can tell.
> > > >
> > > > I have to admit, I'm a bit stumped. (SEC_ERROR_LIBRARY_FAILURE) is a
> > > > rather generic NSS error which can mean any number of things. It often
> > > > means that the NSS database it is using is bad in some way, but given
> > > > that this is a temporary database created just for this purpose I doubt
> > > > that's it. You may want to look for SELinux AVCs though:
> > > > ausearch -m AVC -ts recent.
> > > >
> > > > At the point where it is blowing up, the PKCS#12 file has already been
> > > > imported and IPA is walking through the results trying to ensure that
> > > > the full cert trust chain is available. It does this by reading the
> > > > certs out of the database, and at that point it's blowing up.
> > > >
> > > > The PKCS#12 output you sent me looks ok. I don't believe this is an
> > > > issue with trust or missing parts of the chain.
> > > >
> > > > I created a simple PKCS#12 file and was able to prepare a replica using
> > > > it, so AFAICT the code isn't completely broken.
> > > >
> > > > Can you provide the full output from ipa-replica-prepare?
> > > >
> > > > rob
> > > >
> > > > > Regards,
> > > > >
> > > > > D
> > > > >
> > > > > 2015-04-09 21:39 GMT+02:00 Rob Crittenden <[email protected]>:
> > > > >
> > > > > > David Dejaeghere wrote:
> > > > > > > Hi,
> > > > > > >
> > > > > > > Sorry for the lack of details!
> > > > > > > You are indeed correct about the version, it's 4.1.
> > > > > > > The command I am using is this:
> > > > > > >
> > > > > > > ipa-replica-prepare ipa-r1.myobscureddomain.com \
> > > > > > >   --http-cert-file /home/fedora/newcert.pk12 \
> > > > > > >   --dirsrv-cert-file /home/fedora/newcert.pk12 \
> > > > > > >   --ip-address 172.31.16.31 -v
> > > > > >
> > > > > > I was pretty sure a pin was required with those options as well.
> > > > > >
> > > > > > What do the PKCS#12 files look like:
> > > > > > pk12util -l /home/fedora/newcert.pk12
> > > > > >
> > > > > > rob
> > > > > >
> > > > > > > Regards,
> > > > > > >
> > > > > > > D
> > > > > > >
> > > > > > > 2015-04-09 16:16 GMT+02:00 Rob Crittenden <[email protected]>:
> > > > > > >
> > > > > > > > David Dejaeghere wrote:
> > > > > > > > > Hi,
> > > > > > > > >
> > > > > > > > > Does somebody have any pointers for me regarding this issue?
> > > > > > > >
> > > > > > > > It would help very much if you'd include the version you're
> > > > > > > > working with. Based on line numbers I'll assume IPA 4.1.
> > > > > > > >
> > > > > > > > It's hard to say since you don't include the command line you're
> > > > > > > > using, or what those files consist of.
> > > > > > > >
> > > > > > > > It looks like it is blowing up trying to verify that the whole
> > > > > > > > certificate chain is available. NSS unfortunately doesn't always
> > > > > > > > provide the best error messages so it's hard to say why this
> > > > > > > > particular cert can't be loaded.
> > > > > > > >
> > > > > > > > rob
> > > > > > > >
> > > > > > > > > Regards,
> > > > > > > > >
> > > > > > > > > D
> > > > > > > > >
> > > > > > > > > 2015-04-07 13:34 GMT+02:00 David Dejaeghere <[email protected]>:
> > > > > > > > >
> > > > > > > > > > Hello,
> > > > > > > > > >
> > > > > > > > > > I am trying to set up a replica for my master, which has
> > > > > > > > > > been set up with an external CA to use our godaddy wildcard
> > > > > > > > > > certificate.
> > > > > > > > > > The ipa-replica-prepare is failing with the following debug
> > > > > > > > > > information.
> > > > > > > > > > I am using --http-cert and --dirsrv-cert with my pk12 server
> > > > > > > > > > certificate.
> > > > > > > > > > What can I verify to get an idea of what is going wrong?
> > > > > > > > > >
> > > > > > > > > > ipa: DEBUG: stderr=
> > > > > > > > > > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:
> > > > > > > > > >   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in execute
> > > > > > > > > >     self.ask_for_options()
> > > > > > > > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 276, in ask_for_options
> > > > > > > > > >     options.http_cert_name)
> > > > > > > > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 176, in load_pkcs12
> > > > > > > > > >     host_name=self.replica_fqdn)
> > > > > > > > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 785, in load_pkcs12
> > > > > > > > > >     nss_cert = x509.load_certificate(cert, x509.DER)
> > > > > > > > > >   File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 128, in load_certificate
> > > > > > > > > >     return nss.Certificate(buffer(data))
> > > > > > > > > >
> > > > > > > > > > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The
> > > > > > > > > > ipa-replica-prepare command failed, exception: NSPRError:
> > > > > > > > > > (SEC_ERROR_LIBRARY_FAILURE) security library failure.
> > > > > > > > > > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR:
> > > > > > > > > > (SEC_ERROR_LIBRARY_FAILURE) security library failure.
> > > > > > > > > >
> > > > > > > > > > Regards,
> > > > > > > > > >
> > > > > > > > > > D

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
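The three passes Rob describes above (load every cert from the PKCS#12 as untrusted, work out which ones form the server cert's chain, then verify that chain), as an added example that is not part of the thread and not FreeIPA's code. It uses openssl (1.1.1 or later assumed) rather than pk12util/certutil so that it runs anywhere, and it builds its own test bundle: a server cert plus two CA certs that share one subject but carry serials 0 and 1828629, the same shape as the Go Daddy G2 duplicate Rob spotted. The subjects, hostnames and the bundle password are made up.

```shell
#!/bin/sh
# Added example, not FreeIPA code: inspect a PKCS#12 bundle the way
# ipa-replica-prepare does, but with openssl (1.1.1+ assumed) instead of
# pk12util/certutil. All names, subjects and the password are made up.
set -eu

P12_PASS="pass:changeit"    # hypothetical bundle password

# make_bundle DIR: a test bundle shaped like the one in the thread: a
# server cert plus two CA certs that share a subject but differ in
# serial (0 and 1828629). Only root A actually signs the server cert.
make_bundle() {
    d=$1
    cat >"$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:ipa-r1.example.test
EOF
    for ca in A:0 B:1828629; do
        openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
            -nodes -config "$d/req.cnf" -extensions v3_ca \
            -subj "/O=Example Inc/CN=Example Root CA G2" -set_serial "${ca#*:}" \
            -days 30 -keyout "$d/root${ca%%:*}.key" -out "$d/root${ca%%:*}.crt" 2>/dev/null
    done
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -config "$d/req.cnf" -subj "/O=Example Inc/CN=*.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/rootA.crt" -CAkey "$d/rootA.key" \
        -set_serial 4096 -days 30 -extfile "$d/req.cnf" -extensions v3_leaf \
        -out "$d/server.crt" 2>/dev/null
    cat "$d/rootA.crt" "$d/rootB.crt" >"$d/cas.pem"
    openssl pkcs12 -export -inkey "$d/server.key" -in "$d/server.crt" \
        -certfile "$d/cas.pem" -name ipa-r1 -passout "$P12_PASS" -out "$d/bundle.p12"
}

# split_pem DIR: read PEM on stdin, write each certificate to DIR/certN.pem
split_pem() {
    awk -v d="$1" '/^-----BEGIN CERTIFICATE-----/ { n++; f = d "/cert" n ".pem"; p = 1 }
                   p { print > f }
                   /^-----END CERTIFICATE-----/ { p = 0; close(f) }'
}

# list_certs BUNDLE: serial, subject and issuer of every cert in the bundle,
# i.e. what IPA loads (still untrusted) in its first pass; compare pk12util -l.
list_certs() {
    t=$(mktemp -d)
    openssl pkcs12 -in "$1" -nokeys -passin "$P12_PASS" 2>/dev/null | split_pem "$t"
    for c in "$t"/cert*.pem; do
        openssl x509 -in "$c" -noout -serial -subject -issuer -nameopt RFC2253 | tr '\n' ' '
        echo
    done
    rm -rf "$t"
}

# dup_subjects BUNDLE: subjects carried by more than one cert (the Go Daddy
# G2 situation in the thread); empty output means no ambiguity.
dup_subjects() {
    t=$(mktemp -d)
    openssl pkcs12 -in "$1" -nokeys -passin "$P12_PASS" 2>/dev/null | split_pem "$t"
    for c in "$t"/cert*.pem; do
        openssl x509 -in "$c" -noout -subject -nameopt RFC2253
    done | sed 's/^subject=//' | sort | uniq -d
    rm -rf "$t"
}

# anchors BUNDLE: IPA's final pass in openssl terms. Try each CA cert from
# the bundle as the sole trust anchor, with the rest as untrusted
# intermediates, and print the ones that complete the server cert's chain.
anchors() {
    t=$(mktemp -d)
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin "$P12_PASS" 2>/dev/null >"$t/leaf.pem"
    openssl pkcs12 -in "$1" -cacerts -nokeys -passin "$P12_PASS" 2>/dev/null >"$t/cas.pem"
    split_pem "$t" <"$t/cas.pem"
    for c in "$t"/cert*.pem; do
        if openssl verify -no-CAfile -no-CApath -CAfile "$c" -untrusted "$t/cas.pem" \
                "$t/leaf.pem" >/dev/null 2>&1; then
            openssl x509 -in "$c" -noout -serial -subject -nameopt RFC2253 | tr '\n' ' '
            echo
        fi
    done
    rm -rf "$t"
}

# Demo: build the bundle, then inspect it.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_bundle "$WORK"
echo "== certificates in the bundle"; list_certs "$WORK/bundle.p12"
echo "== duplicate subjects";          dup_subjects "$WORK/bundle.p12"
echo "== CA certs that anchor the server cert"; anchors "$WORK/bundle.p12"
```

Point the functions at a real bundle (set P12_PASS to its password) and compare list_certs with your own pk12util -l output. If dup_subjects prints anything, anchors tells you which of the duplicates actually completes the chain to the server cert; the other one is the candidate to drop from the bundle before retrying ipa-replica-prepare. The example can only answer Rob's "which one is the right one" question in openssl's terms; it does not show whether NSS itself trips over the duplicate, which is what the thread is still chasing.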
