Hi folks,

We're trying to add a FreeIPA (4.1; CentOS 7) replica to our infrastructure and keep running into an issue that prevents us from preparing the replica.

We're using the CA-less setup where FreeIPA is using a wildcard certificate provided by RapidSSL. I started trying to create the replica using the information provided here: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html

But since we're not using a CA, it tells me that I need to specify --http-cert-file and --dirsrv-cert-file. I create a p12 file that includes the wildcard cert and the rest of the certs in the chain with:
$ openssl pkcs12 -export -in wildcard-with-intermediates.crt -inkey wildcard.key -name "replica01" -out replica01.mydomain.com.p12

I then check to see if all the necessary certs were added to the p12 file:
$ pk12util -l replica01.mydomain.com.p12

I see our wildcard certificate, RapidSSL's intermediate certificate, and the entry for Equifax/GeoTrust, that signed RapidSSL's certificate.

Then I run 'ipa-replica-prepare' on the existing FreeIPA server.
$ ipa-replica-prepare replica01.mydomain.com \
    --http-cert-file=replica01.mydomain.com.p12 \
    --dirsrv-cert-file=replica01.mydomain.com.p12 \
    --ca /etc/ipa/ca.crt

I get the following error after the debug output reports a series of calls to certutil:
ipa: DEBUG: stderr=
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in execute
File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 262, in ask_for_options
File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 162, in load_pkcs12
File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 799, in load_pkcs12
    (", ".join(cert_files)))

ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: ScriptError: The full certificate chain is not present in replica01.mydomain.com.p12
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: The full certificate chain is not present in replicate01.mydomain.com.p12

The chain certainly looks to be complete given the output of pk12util, but it's possible I'm just building the file wrong for use with FreeIPA. What exactly are '--http-cert-file' and '--dirsrv-cert-file' expecting, and how should I go about generating the certificate used by 'ipa-replica-prepare' with a CA-less configuration?

Thanks all,

Mike Oliver

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
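An added example, not part of the original post and not FreeIPA's own installer code: a POSIX shell function that dumps every certificate out of a PKCS#12 file with the openssl CLI, picks the server (leaf) certificate as the one that issued nothing else in the bundle, and then follows issuer-to-subject links until it reaches a self-signed root. It names the first issuer that is missing, which is the information the "full certificate chain is not present" error above does not give. The function names, the password argument and the three-level test chain are assumptions made here; the check compares subject and issuer names only and does not validate signatures or basic constraints, and it does not reproduce whatever logic FreeIPA's load_pkcs12 applies internally.

```shell
#!/bin/sh
# Added example (not FreeIPA code): walk the certificate chain inside a
# PKCS#12 bundle and report whether it reaches a self-signed root.
# Relies only on the openssl CLI, awk and sed. Function names are ours.
set -u

# Subject / issuer of a PEM certificate in RFC 2253 form, so that the
# strings compare reliably between certificates.
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer= *//'; }

# check_p12_chain FILE.p12 PASSWORD
#   0 -> leaf chains to a self-signed root that is present in the file
#   1 -> an issuer is missing (named on stdout) or the chain loops
#   2 -> the file could not be read
check_p12_chain() {
    p12="$1"; pass="$2"
    work=$(mktemp -d) || return 2

    # 1. Dump every certificate (no keys) from the bundle into one PEM file.
    if ! openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -out "$work/all.pem" 2>/dev/null; then
        rm -rf "$work"; return 2
    fi

    # 2. Split it into cert1.pem, cert2.pem, ... keeping only the PEM blocks
    #    (the "Bag Attributes" text that pkcs12 prints is dropped).
    awk -v dir="$work" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/   { f = "" }' "$work/all.pem"
    if [ ! -e "$work/cert1.pem" ]; then
        echo "no certificates found in $p12"; rm -rf "$work"; return 2
    fi

    # 3. The leaf (server certificate) is the one that issued nothing else in
    #    the bundle; a self-signed root is not counted as issuing itself.
    leaf=""
    for c in "$work"/cert*.pem; do
        s=$(cert_subject "$c"); issued=0
        for d in "$work"/cert*.pem; do
            [ "$c" = "$d" ] && continue
            [ "$(cert_issuer "$d")" = "$s" ] && issued=1
        done
        [ "$issued" -eq 0 ] && leaf="$c"
    done
    if [ -z "$leaf" ]; then
        echo "could not identify a leaf certificate (every certificate issues another)"
        rm -rf "$work"; return 1
    fi

    # 4. Follow issuer -> subject links until subject == issuer (a root).
    cur="$leaf"; hops=0; rc=1
    while [ "$hops" -le 10 ]; do
        s=$(cert_subject "$cur"); i=$(cert_issuer "$cur")
        if [ "$s" = "$i" ]; then
            echo "chain complete: $hops hop(s) from leaf to self-signed root '$s'"
            rc=0; break
        fi
        next=""
        for c in "$work"/cert*.pem; do
            [ "$(cert_subject "$c")" = "$i" ] && next="$c"
        done
        if [ -z "$next" ]; then
            echo "chain broken: bundle has no certificate with subject '$i' (issuer of '$s')"
            break
        fi
        cur="$next"; hops=$((hops + 1))
    done
    [ "$hops" -gt 10 ] && echo "chain too long or looping"
    rm -rf "$work"
    return "$rc"
}
```

Run it as `check_p12_chain replica01.mydomain.com.p12 'the export password'`. When it reports a missing issuer, append that CA's PEM certificate to the input file (the `wildcard-with-intermediates.crt` above) and re-run `openssl pkcs12 -export` so that the bundle carries the chain all the way up to the self-signed root; a bundle that stops at a cross-signed intermediate will show up here as "chain broken" at that intermediate's issuer.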