Orion Poplawski wrote:
On 05/28/2015 03:09 PM, Rob Crittenden wrote:
Orion Poplawski wrote:
We did a CAless install:

ipa-server-install -r NWRA.COM -n nwra.com -p `cat /etc/ldap.secret` -a `cat
/etc/ldap.secret` --root-ca-file=PositiveSSLCA2.crt
--dirsrv_pkcs12=nwra.com.p12 --dirsrv_pin=XXXX --http_pkcs12=nwra.com.p12
--http_pin=XXXX --idstart=8000

But now when we try to setup a replica:

# ipa-replica-prepare ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12
--dirsrv_pin=XXXX --http_pkcs12=nwra.com.p12 --http_pin=XXXX
Directory Manager (existing master) password:

The full certificate chain is not present in nwra.com.p12

p12 file was created with:

openssl pkcs12 -export -in /etc/pki/tls/certs/nwra.com.crt -inkey
/etc/pki/tls/private/nwra.com.key -certfile
/etc/pki/tls/certs/PositiveSSLCA2.crt -out nwra.com.p12


Any thoughts?

At a glance your creation steps look ok. Strangely, the same code that loads
the PKCS#12 files is used both in the server install and replica prepare; the
only difference, it seems, is that with the server install we get a copy of the
CA separately too.

Can you provide the output of: pk12util -l nwra.com.p12

Maybe we can work out what it thinks is missing.


I think I need to redo our install with an updated (SHA-2?) certificate, but I
wouldn't think that would affect this issue either.

I don't believe this is related to the signature.

It looks like the right certs are there so I'm not sure what is going on. It may be that the built-ins aren't being found and this is needed because the AddTrust External Root isn't included, and it shouldn't need to be.

What is really blowing my mind is the same function that loads the PKCS#12 file is called both on install and replica prepare but only failing on the latter.

Maybe Honza has some ideas.
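To see concretely what a "full chain" check finds in a PKCS#12 file, here is an added shell example (not from the thread and not FreeIPA's own code) that lists every certificate in the file by subject and issuer, then walks from the server certificate upward and reports the first issuer the file does not contain; the function name, the password argument and the optional root-CA argument (the file that --root-ca-file would supply) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: walk the certificate chain inside a
# PKCS#12 file and report whether it closes (self-signed root inside the file)
# or stops at an issuer the file lacks. Usage: p12_chain_check FILE.p12 PASS [ROOT.pem]
# An optional ROOT.pem (what --root-ca-file supplies) counts as a valid terminus.
# Assumes openssl, awk, sed and mktemp are available.
p12_chain_check() {
    p12=$1; pass=$2; rootsubj=""
    tmp=$(mktemp -d) || return 2
    if [ -n "$3" ]; then
        rootsubj=$(openssl x509 -in "$3" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    fi
    # Dump every certificate bag as PEM and split it into one file per certificate.
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys 2>/dev/null |
      awk -v d="$tmp" '/-----BEGIN CERT/ {n++; f=d "/c" n ".pem"} f {print > f} /-----END CERT/ {f=""}'
    : > "$tmp/table"
    for c in "$tmp"/c*.pem; do
        [ -f "$c" ] || { rm -rf "$tmp"; return 2; }   # nothing decoded (bad file or password)
        s=$(openssl x509 -in "$c" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
        i=$(openssl x509 -in "$c" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
        printf '%s\t%s\n' "$s" "$i" >> "$tmp/table"
    done
    rc=0
    awk -F'\t' -v root="$rootsubj" '
      { issuer[$1] = $2; issues[$2] = 1 }
      END {
        for (s in issuer) if (!(s in issues)) leaf = s   # subject nobody in the file issues = end entity
        if (leaf == "") { print "no end-entity certificate found"; exit 2 }
        cur = leaf
        for (n = 0; n < 16; n++) {
          iss = issuer[cur]
          if (iss == cur) { print "full chain present: " leaf " ... " cur " (self-signed)"; exit 0 }
          if (!(iss in issuer)) {
            if (iss == root) { print "chain present up to external root: " iss; exit 0 }
            print "chain broken: file has no certificate for issuer " iss; exit 1
          }
          cur = iss
        }
        print "chain too long"; exit 1
      }' "$tmp/table" || rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Run it against the .p12 handed to ipa-replica-prepare, with and without the root CA file, to see which issuer the walk stops at.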


Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
