Orion Poplawski wrote:
We did a CAless install:

ipa-server-install -r NWRA.COM -n nwra.com -p `cat /etc/ldap.secret` -a `cat /etc/ldap.secret` --root-ca-file=PositiveSSLCA2.crt --dirsrv_pkcs12=nwra.com.p12 --dirsrv_pin=XXXX --http_pkcs12=nwra.com.p12 --http_pin=XXXX --idstart=8000

But now when we try to set up a replica:

# ipa-replica-prepare ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12 --dirsrv_pin=XXXX --http_pkcs12=nwra.com.p12 --http_pin=XXXX
Directory Manager (existing master) password:

The full certificate chain is not present in nwra.com.p12


p12 file was created with:

openssl pkcs12 -export -in /etc/pki/tls/certs/nwra.com.crt -inkey /etc/pki/tls/private/nwra.com.key -certfile /etc/pki/tls/certs/PositiveSSLCA2.crt -out nwra.com.p12

ipa-server-4.1.0-18.sl7_1.3.x86_64

Any thoughts?


At a glance your creation steps look ok. Strangely, the same code that loads the PKCS#12 files is used both in the server install and replica prepare; the only difference, it seems, is that with the server install we get a copy of the CA separately too.

Can you provide the output of: pk12util -l nwra.com.p12

Maybe we can work out what it thinks is missing.

rob
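
One way to see which issuer a PKCS#12 bundle lacks, as an added example (not part of this thread and not FreeIPA's own check). It assumes "full certificate chain" means every issuer up to a self-signed root is inside the file, and it compares subject and issuer names only; the function names and the demo PKI are made up for illustration.

```shell
# p12_missing_issuers FILE PIN   (hypothetical helper; name matching only, it
# does not verify signatures). Prints each issuer DN that no certificate in
# FILE has as its subject. Returns 0 = complete, 1 = issuer missing, 2 = unreadable.
# Typical call: p12_missing_issuers bundle.p12 "$PIN"
p12_missing_issuers() {
    p12=$1
    # Pass the PIN through the environment so it does not show up in `ps`.
    pem=$(P12PASS=$2 openssl pkcs12 -in "$p12" -nokeys -passin env:P12PASS 2>/dev/null) || return 2
    names=$(printf '%s\n' "$pem" | openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
            openssl pkcs7 -print_certs -noout) || return 2
    subjects=$(printf '%s\n' "$names" | sed -n 's/^subject=[[:space:]]*//p')
    [ -n "$subjects" ] || return 2
    missing=$(printf '%s\n' "$names" | sed -n 's/^issuer=[[:space:]]*//p' | sort -u |
        while IFS= read -r issuer; do
            # A self-signed root names itself as issuer, so it matches here.
            printf '%s\n' "$subjects" | grep -qxF -- "$issuer" || printf '%s\n' "$issuer"
        done)
    if [ -z "$missing" ]; then
        return 0
    fi
    printf '%s\n' "$missing"
    return 1
}

# build_demo_p12 DIR: constructed throwaway PKI (root -> intermediate -> leaf).
# partial.p12 holds leaf + intermediate, full.p12 also holds the root. PIN: demo
build_demo_p12() (
    cd "$1" || exit 1
    exec 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" -keyout root.key -out root.crt &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" -keyout int.key -out int.csr &&
    openssl x509 -req -days 1 -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -out int.crt &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=host.example.test" -keyout leaf.key -out leaf.csr &&
    openssl x509 -req -days 1 -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial -out leaf.crt &&
    cat int.crt root.crt > chain.pem &&
    openssl pkcs12 -export -in leaf.crt -inkey leaf.key -certfile int.crt -out partial.p12 -passout pass:demo &&
    openssl pkcs12 -export -in leaf.crt -inkey leaf.key -certfile chain.pem -out full.p12 -passout pass:demo
)
```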
