Hi Rob,

So you want to output of the command using pk12 with server cert and key?
or with the ca chain in there too?

Regards,

David

2015-04-13 16:28 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>:

> David Dejaeghere wrote:
> > Hi,
> >
> > I get the same error when I use a pk12 with only the server certificate
> > (and key) in it.
> > Not sure what else I can try.
>
> I'd need to see the full output again.
>
> rob
>
> >
> > Regards,
> >
> > D
> >
> > 2015-04-11 0:23 GMT+02:00 Rob Crittenden <rcrit...@redhat.com
> > <mailto:rcrit...@redhat.com>>:
> >
> >     David Dejaeghere wrote:
> >     > Hi,
> >     >
> >     > I even tried the command using an export from the http service nss
> db,
> >     > same issue.
> >     >
> >     > regarding SElinux:
> >     > ausearch -m AVC -ts recent
> >     > <no matches>
> >     >
> >     > Sending you the log personally.
> >
> >     Ok, so the way the certs are imported is all the certs in the PKCS#12
> >     file are loaded in, then marked as untrusted.
> >
> >     certutil -O is executed against the server cert which prints out what
> >     the trust chain should be and those certs marked as trusted CA's.
> >
> >     That part is working fine.
> >
> >     Finally it makes another pass through the database to verify the
> chain.
> >
> >     Looking at the output there are two certs with the subject CN=Go
> Daddy
> >     Root Certificate Authority - G2,O="GoDaddy.com,
> >     Inc.",L=Scottsdale,ST=Arizona,C=US and different serial numbers. I
> >     wonder if this is confusing the cert loader. These certs are
> included in
> >     the PKCS#12 file (serial #0 and #1828629 AFAICT). I don't know which
> one
> >     is the "right' one, or if there even is one.
> >
> >     rob
> >
> >
> >     >
> >     > Regards,
> >     >
> >     > D
> >     >
> >     > 2015-04-10 17:03 GMT+02:00 Rob Crittenden <rcrit...@redhat.com
> <mailto:rcrit...@redhat.com>
> >     > <mailto:rcrit...@redhat.com <mailto:rcrit...@redhat.com>>>:
> >     >
> >     >     David Dejaeghere wrote:
> >     >     > Hi Rob,
> >     >     >
> >     >     > Without the --http-pin the command will give a prompt to
> >     enter the password.
> >     >     > Tried both.
> >     >     >
> >     >     > I am sending the output of the pk12util -l to you in another
> >     email.
> >     >     > It holds the wildcard certificate and the godaddy bundle for
> >     as far as I
> >     >     > can tell.
> >     >
> >     >     I have to admit, I'm a bit stumped.
> >     (SEC_ERROR_LIBRARY_FAILURE) is a
> >     >     rather generic NSS error which can mean any number of things.
> >     It often
> >     >     means that the NSS database it is using is bad in some way but
> >     given
> >     >     that this is a temporary database created just for this
> >     purpose I doubt
> >     >     that's it. You may want to look for SELinux AVCs though:
> >     ausearch -m AVC
> >     >     -ts recent.
> >     >
> >     >     At the point where it is blowing up, the PKCS#12 file has
> >     already been
> >     >     imported and IPA is walking through the results trying to
> >     ensure that
> >     >     the full cert trust chain is available. It does this by
> >     reading the
> >     >     certs out of the database, and at that point it's blowing up.
> >     >
> >     >     The PKCS#12 output you sent me looks ok. I don't believe this
> >     is an
> >     >     issue with trust or missing parts of the chain.
> >     >
> >     >     I created a simple PKCS#12 file and was able to prepare a
> >     replica using
> >     >     it, so AFAICT the code isn't completely broken.
> >     >
> >     >     Can you provide the full output from ipa-replica-prepare?
> >     >
> >     >     rob
> >     >     >
> >     >     > Regards,
> >     >     >
> >     >     > D
> >     >     >
> >     >     > 2015-04-09 21:39 GMT+02:00 Rob Crittenden
> >     <rcrit...@redhat.com <mailto:rcrit...@redhat.com>
> >     <mailto:rcrit...@redhat.com <mailto:rcrit...@redhat.com>>
> >     >     > <mailto:rcrit...@redhat.com <mailto:rcrit...@redhat.com>
> >     <mailto:rcrit...@redhat.com <mailto:rcrit...@redhat.com>>>>:
> >     >     >
> >     >     >     David Dejaeghere wrote:
> >     >     >     > Hi,
> >     >     >     >
> >     >     >     > Sorry for the lack of details!
> >     >     >     > You are indeed  correct about the version its 4.1
> >     >     >     > The command I am using is this:
> >     >     >     > ipa-replica-prepare ipa-r1.myobscureddomain.com
> >     <http://ipa-r1.myobscureddomain.com>
> >     <http://ipa-r1.myobscureddomain.com>
> >     >     <http://ipa-r1.myobscureddomain.com>
> >     >     >     > <http://ipa-r1.myobscureddomain.com> --http-cert-file
> >     >     >     > /home/fedora/newcert.pk12 --dirsrv-cert-file
> >     /home/fedora/newcert.pk12
> >     >     >     > --ip-address 172.31.16.31 -v
> >     >     >
> >     >     >     I was pretty sure a pin was required with those options
> >     as well.
> >     >     >
> >     >     >     What do the PKCS#12 files look like: pk12util -l
> >     >     >     /home/fedora/newcert.pk12
> >     >     >
> >     >     >     rob
> >     >     >
> >     >     >     >
> >     >     >     > Regards,
> >     >     >     >
> >     >     >     > D
> >     >     >     >
> >     >     >     > 2015-04-09 16:16 GMT+02:00 Rob Crittenden
> >     <rcrit...@redhat.com <mailto:rcrit...@redhat.com>
> >     <mailto:rcrit...@redhat.com <mailto:rcrit...@redhat.com>>
> >     >     <mailto:rcrit...@redhat.com <mailto:rcrit...@redhat.com>
> >     <mailto:rcrit...@redhat.com <mailto:rcrit...@redhat.com>>>
> >     >     >     > <mailto:rcrit...@redhat.com
> >     <mailto:rcrit...@redhat.com> <mailto:rcrit...@redhat.com
> >     <mailto:rcrit...@redhat.com>>
> >     >     <mailto:rcrit...@redhat.com <mailto:rcrit...@redhat.com>
> >     <mailto:rcrit...@redhat.com <mailto:rcrit...@redhat.com>>>>>:
> >     >     >     >
> >     >     >     >     David Dejaeghere wrote:
> >     >     >     >     > Hi,
> >     >     >     >     >
> >     >     >     >     > Does somebody have any pointers for me regarding
> >     this
> >     >     issue?
> >     >     >     >
> >     >     >     >     It would help very much if you'd include the
> version
> >     >     you're working
> >     >     >     >     with. Based on line numbers I'll assume IPA 4.1.
> >     >     >     >
> >     >     >     >     It's hard to say since you don't include the
> >     >     command-line you're using,
> >     >     >     >     or what those files consist of.
> >     >     >     >
> >     >     >     >     It looks like it is blowing up trying to verify
> >     that the
> >     >     whole
> >     >     >     >     certificate chain is available. NSS unfortunately
> >     >     doesn't always provide
> >     >     >     >     the best error messages so it's hard to say why
> this
> >     >     particular cert
> >     >     >     >     can't be loaded.
> >     >     >     >
> >     >     >     >     rob
> >     >     >     >
> >     >     >     >     >
> >     >     >     >     > Regards,
> >     >     >     >     >
> >     >     >     >     > D
> >     >     >     >     >
> >     >     >     >     > 2015-04-07 13:34 GMT+02:00 David Dejaeghere
> >     >     <david.dejaegh...@gmail.com
> >     <mailto:david.dejaegh...@gmail.com>
> >     <mailto:david.dejaegh...@gmail.com <mailto:
> david.dejaegh...@gmail.com>>
> >     >     <mailto:david.dejaegh...@gmail.com
> >     <mailto:david.dejaegh...@gmail.com>
> >     <mailto:david.dejaegh...@gmail.com <mailto:
> david.dejaegh...@gmail.com>>>
> >     >     >     <mailto:david.dejaegh...@gmail.com
> >     <mailto:david.dejaegh...@gmail.com>
> >     >     <mailto:david.dejaegh...@gmail.com
> >     <mailto:david.dejaegh...@gmail.com>>
> >     >     <mailto:david.dejaegh...@gmail.com
> >     <mailto:david.dejaegh...@gmail.com>
> >     <mailto:david.dejaegh...@gmail.com
> >     <mailto:david.dejaegh...@gmail.com>>>>
> >     >     >     >     > <mailto:david.dejaegh...@gmail.com
> >     <mailto:david.dejaegh...@gmail.com>
> >     >     <mailto:david.dejaegh...@gmail.com
> >     <mailto:david.dejaegh...@gmail.com>>
> >     >     >     <mailto:david.dejaegh...@gmail.com
> >     <mailto:david.dejaegh...@gmail.com>
> >     >     <mailto:david.dejaegh...@gmail.com
> >     <mailto:david.dejaegh...@gmail.com>>>
> >     >     >     >     <mailto:david.dejaegh...@gmail.com
> >     <mailto:david.dejaegh...@gmail.com>
> >     >     <mailto:david.dejaegh...@gmail.com
> >     <mailto:david.dejaegh...@gmail.com>>
> >     >     >     <mailto:david.dejaegh...@gmail.com
> >     <mailto:david.dejaegh...@gmail.com>
> >     >     <mailto:david.dejaegh...@gmail.com
> >     <mailto:david.dejaegh...@gmail.com>>>>>>:
> >     >     >     >     >
> >     >     >     >     >     Hello,
> >     >     >     >     >
> >     >     >     >     >     I am trying to setup a replica for my master
> >     which has
> >     >     >     been setup
> >     >     >     >     >     with an external CA to use our godaddy
> wildcard
> >     >     certificate.
> >     >     >     >     >     The ipa-replica-prepare is failing with the
> >     >     following debug
> >     >     >     >     information.
> >     >     >     >     >     I am using --http-cert  and --dirsrv-cert
> >     with my pk12
> >     >     >     server
> >     >     >     >     >     certificate.
> >     >     >     >     >     What can I verify to get an idea of what is
> >     going
> >     >     wrong?
> >     >     >     >     >
> >     >     >     >     >     ipa: DEBUG: stderr=
> >     >     >     >     >
> >     >     >
> >     ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:
> >     >     >     >     >     File
> >     >     >     >
> >     >      "/usr/lib/python2.7/site-packages/ipapython/admintool.py",
> line
> >     >     >     >     >     169, in execute
> >     >     >     >     >         self.ask_for_options()
> >     >     >     >     >       File
> >     >     >     >     >
> >     >     >     >
> >     >     >
> >     >
> >
>  "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
> >     >     >     >     >     line 276, in ask_for_options
> >     >     >     >     >         options.http_cert_name)
> >     >     >     >     >       File
> >     >     >     >     >
> >     >     >     >
> >     >     >
> >     >
> >
>  "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
> >     >     >     >     >     line 176, in load_pkcs12
> >     >     >     >     >         host_name=self.replica_fqdn)
> >     >     >     >     >       File
> >     >     >     >     >
> >     >     >     >
> >     >     >
> >     >
> >     "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
> >     >     >     >     line
> >     >     >     >     >     785, in load_pkcs12
> >     >     >     >     >         nss_cert = x509.load_certificate(cert,
> >     x509.DER)
> >     >     >     >     >       File
> >     >     >     "/usr/lib/python2.7/site-packages/ipalib/x509.py", line
> >     >     >     >     128,
> >     >     >     >     >     in load_certificate
> >     >     >     >     >         return nss.Certificate(buffer(data))
> >     >     >     >     >
> >     >     >     >     >
> >     >      ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare:
> >     >     >     >     DEBUG: The
> >     >     >     >     >     ipa-replica-prepare command failed,
> exception:
> >     >     NSPRError:
> >     >     >     >     >     (SEC_ERROR_LIBRARY_FAILURE) security library
> >     failure.
> >     >     >     >     >
> >     >     >
> >     ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR:
> >     >     >     >     >     (SEC_ERROR_LIBRARY_FAILURE) security library
> >     failure.
> >     >     >     >     >
> >     >     >     >     >     Regards,
> >     >     >     >     >
> >     >     >     >     >     D
> >     >     >     >     >
> >     >     >     >     >
> >     >     >     >     >
> >     >     >     >     >
> >     >     >     >
> >     >     >     >
> >     >     >
> >     >     >
> >     >
> >     >
> >
> >
>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to