David Dejaeghere wrote:
> Hi,
> 
> I get the same error when I use a pk12 with only the server certificate
> (and key) in it.
> Not sure what else I can try.

I'd need to see the full output again.

rob

> 
> Regards,
> 
> D
> 
> 2015-04-11 0:23 GMT+02:00 Rob Crittenden <rcrit...@redhat.com
> <mailto:rcrit...@redhat.com>>:
> 
>     David Dejaeghere wrote:
>     > Hi,
>     >
>     > I even tried the command using an export from the http service nss db,
>     > same issue.
>     >
>     > regarding SElinux:
>     > ausearch -m AVC -ts recent
>     > <no matches>
>     >
>     > Sending you the log personally.
> 
>     Ok, so the way the certs are imported is all the certs in the PKCS#12
>     file are loaded in, then marked as untrusted.
> 
>     certutil -O is executed against the server cert which prints out what
>     the trust chain should be and those certs marked as trusted CA's.
> 
>     That part is working fine.
> 
>     Finally it makes another pass through the database to verify the chain.
> 
>     Looking at the output there are two certs with the subject CN=Go Daddy
>     Root Certificate Authority - G2,O="GoDaddy.com,
>     Inc.",L=Scottsdale,ST=Arizona,C=US and different serial numbers. I
>     wonder if this is confusing the cert loader. These certs are included in
>     the PKCS#12 file (serial #0 and #1828629 AFAICT). I don't know which one
>     is the "right' one, or if there even is one.
> 
>     rob
> 
> 
>     >
>     > Regards,
>     >
>     > D
>     >
>     > 2015-04-10 17:03 GMT+02:00 Rob Crittenden <rcrit...@redhat.com 
> <mailto:rcrit...@redhat.com>
>     > <mailto:rcrit...@redhat.com <mailto:rcrit...@redhat.com>>>:
>     >
>     >     David Dejaeghere wrote:
>     >     > Hi Rob,
>     >     >
>     >     > Without the --http-pin the command will give a prompt to
>     enter the password.
>     >     > Tried both.
>     >     >
>     >     > I am sending the output of the pk12util -l to you in another
>     email.
>     >     > It holds the wildcard certificate and the godaddy bundle for
>     as far as I
>     >     > can tell.
>     >
>     >     I have to admit, I'm a bit stumped.
>     (SEC_ERROR_LIBRARY_FAILURE) is a
>     >     rather generic NSS error which can mean any number of things.
>     It often
>     >     means that the NSS database it is using is bad in some way but
>     given
>     >     that this is a temporary database created just for this
>     purpose I doubt
>     >     that's it. You may want to look for SELinux AVCs though:
>     ausearch -m AVC
>     >     -ts recent.
>     >
>     >     At the point where it is blowing up, the PKCS#12 file has
>     already been
>     >     imported and IPA is walking through the results trying to
>     ensure that
>     >     the full cert trust chain is available. It does this by
>     reading the
>     >     certs out of the database, and at that point it's blowing up.
>     >
>     >     The PKCS#12 output you sent me looks ok. I don't believe this
>     is an
>     >     issue with trust or missing parts of the chain.
>     >
>     >     I created a simple PKCS#12 file and was able to prepare a
>     replica using
>     >     it, so AFAICT the code isn't completely broken.
>     >
>     >     Can you provide the full output from ipa-replica-prepare?
>     >
>     >     rob
>     >     >
>     >     > Regards,
>     >     >
>     >     > D
>     >     >
>     >     > 2015-04-09 21:39 GMT+02:00 Rob Crittenden
>     <rcrit...@redhat.com <mailto:rcrit...@redhat.com>
>     <mailto:rcrit...@redhat.com <mailto:rcrit...@redhat.com>>
>     >     > <mailto:rcrit...@redhat.com <mailto:rcrit...@redhat.com>
>     <mailto:rcrit...@redhat.com <mailto:rcrit...@redhat.com>>>>:
>     >     >
>     >     >     David Dejaeghere wrote:
>     >     >     > Hi,
>     >     >     >
>     >     >     > Sorry for the lack of details!
>     >     >     > You are indeed  correct about the version its 4.1
>     >     >     > The command I am using is this:
>     >     >     > ipa-replica-prepare ipa-r1.myobscureddomain.com
>     <http://ipa-r1.myobscureddomain.com>
>     <http://ipa-r1.myobscureddomain.com>
>     >     <http://ipa-r1.myobscureddomain.com>
>     >     >     > <http://ipa-r1.myobscureddomain.com> --http-cert-file
>     >     >     > /home/fedora/newcert.pk12 --dirsrv-cert-file
>     /home/fedora/newcert.pk12
>     >     >     > --ip-address 172.31.16.31 -v
>     >     >
>     >     >     I was pretty sure a pin was required with those options
>     as well.
>     >     >
>     >     >     What do the PKCS#12 files look like: pk12util -l
>     >     >     /home/fedora/newcert.pk12
>     >     >
>     >     >     rob
>     >     >
>     >     >     >
>     >     >     > Regards,
>     >     >     >
>     >     >     > D
>     >     >     >
>     >     >     > 2015-04-09 16:16 GMT+02:00 Rob Crittenden
>     <rcrit...@redhat.com <mailto:rcrit...@redhat.com>
>     <mailto:rcrit...@redhat.com <mailto:rcrit...@redhat.com>>
>     >     <mailto:rcrit...@redhat.com <mailto:rcrit...@redhat.com>
>     <mailto:rcrit...@redhat.com <mailto:rcrit...@redhat.com>>>
>     >     >     > <mailto:rcrit...@redhat.com
>     <mailto:rcrit...@redhat.com> <mailto:rcrit...@redhat.com
>     <mailto:rcrit...@redhat.com>>
>     >     <mailto:rcrit...@redhat.com <mailto:rcrit...@redhat.com>
>     <mailto:rcrit...@redhat.com <mailto:rcrit...@redhat.com>>>>>:
>     >     >     >
>     >     >     >     David Dejaeghere wrote:
>     >     >     >     > Hi,
>     >     >     >     >
>     >     >     >     > Does somebody have any pointers for me regarding
>     this
>     >     issue?
>     >     >     >
>     >     >     >     It would help very much if you'd include the version
>     >     you're working
>     >     >     >     with. Based on line numbers I'll assume IPA 4.1.
>     >     >     >
>     >     >     >     It's hard to say since you don't include the
>     >     command-line you're using,
>     >     >     >     or what those files consist of.
>     >     >     >
>     >     >     >     It looks like it is blowing up trying to verify
>     that the
>     >     whole
>     >     >     >     certificate chain is available. NSS unfortunately
>     >     doesn't always provide
>     >     >     >     the best error messages so it's hard to say why this
>     >     particular cert
>     >     >     >     can't be loaded.
>     >     >     >
>     >     >     >     rob
>     >     >     >
>     >     >     >     >
>     >     >     >     > Regards,
>     >     >     >     >
>     >     >     >     > D
>     >     >     >     >
>     >     >     >     > 2015-04-07 13:34 GMT+02:00 David Dejaeghere
>     >     <david.dejaegh...@gmail.com
>     <mailto:david.dejaegh...@gmail.com>
>     <mailto:david.dejaegh...@gmail.com <mailto:david.dejaegh...@gmail.com>>
>     >     <mailto:david.dejaegh...@gmail.com
>     <mailto:david.dejaegh...@gmail.com>
>     <mailto:david.dejaegh...@gmail.com <mailto:david.dejaegh...@gmail.com>>>
>     >     >     <mailto:david.dejaegh...@gmail.com
>     <mailto:david.dejaegh...@gmail.com>
>     >     <mailto:david.dejaegh...@gmail.com
>     <mailto:david.dejaegh...@gmail.com>>
>     >     <mailto:david.dejaegh...@gmail.com
>     <mailto:david.dejaegh...@gmail.com>
>     <mailto:david.dejaegh...@gmail.com
>     <mailto:david.dejaegh...@gmail.com>>>>
>     >     >     >     > <mailto:david.dejaegh...@gmail.com
>     <mailto:david.dejaegh...@gmail.com>
>     >     <mailto:david.dejaegh...@gmail.com
>     <mailto:david.dejaegh...@gmail.com>>
>     >     >     <mailto:david.dejaegh...@gmail.com
>     <mailto:david.dejaegh...@gmail.com>
>     >     <mailto:david.dejaegh...@gmail.com
>     <mailto:david.dejaegh...@gmail.com>>>
>     >     >     >     <mailto:david.dejaegh...@gmail.com
>     <mailto:david.dejaegh...@gmail.com>
>     >     <mailto:david.dejaegh...@gmail.com
>     <mailto:david.dejaegh...@gmail.com>>
>     >     >     <mailto:david.dejaegh...@gmail.com
>     <mailto:david.dejaegh...@gmail.com>
>     >     <mailto:david.dejaegh...@gmail.com
>     <mailto:david.dejaegh...@gmail.com>>>>>>:
>     >     >     >     >
>     >     >     >     >     Hello,
>     >     >     >     >
>     >     >     >     >     I am trying to setup a replica for my master
>     which has
>     >     >     been setup
>     >     >     >     >     with an external CA to use our godaddy wildcard
>     >     certificate.
>     >     >     >     >     The ipa-replica-prepare is failing with the
>     >     following debug
>     >     >     >     information.
>     >     >     >     >     I am using --http-cert  and --dirsrv-cert
>     with my pk12
>     >     >     server
>     >     >     >     >     certificate.
>     >     >     >     >     What can I verify to get an idea of what is
>     going
>     >     wrong?
>     >     >     >     >
>     >     >     >     >     ipa: DEBUG: stderr=
>     >     >     >     >
>     >     >     
>     ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:
>     >     >     >     >     File
>     >     >     >
>     >      "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line
>     >     >     >     >     169, in execute
>     >     >     >     >         self.ask_for_options()
>     >     >     >     >       File
>     >     >     >     >
>     >     >     >
>     >     >
>     >     
>     
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
>     >     >     >     >     line 276, in ask_for_options
>     >     >     >     >         options.http_cert_name)
>     >     >     >     >       File
>     >     >     >     >
>     >     >     >
>     >     >
>     >     
>     
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
>     >     >     >     >     line 176, in load_pkcs12
>     >     >     >     >         host_name=self.replica_fqdn)
>     >     >     >     >       File
>     >     >     >     >
>     >     >     >
>     >     >
>     >     
>     "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>     >     >     >     line
>     >     >     >     >     785, in load_pkcs12
>     >     >     >     >         nss_cert = x509.load_certificate(cert,
>     x509.DER)
>     >     >     >     >       File
>     >     >     "/usr/lib/python2.7/site-packages/ipalib/x509.py", line
>     >     >     >     128,
>     >     >     >     >     in load_certificate
>     >     >     >     >         return nss.Certificate(buffer(data))
>     >     >     >     >
>     >     >     >     >
>     >      ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare:
>     >     >     >     DEBUG: The
>     >     >     >     >     ipa-replica-prepare command failed, exception:
>     >     NSPRError:
>     >     >     >     >     (SEC_ERROR_LIBRARY_FAILURE) security library
>     failure.
>     >     >     >     >
>     >     >     
>     ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR:
>     >     >     >     >     (SEC_ERROR_LIBRARY_FAILURE) security library
>     failure.
>     >     >     >     >
>     >     >     >     >     Regards,
>     >     >     >     >
>     >     >     >     >     D
>     >     >     >     >
>     >     >     >     >
>     >     >     >     >
>     >     >     >     >
>     >     >     >
>     >     >     >
>     >     >
>     >     >
>     >
>     >
> 
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to