Hi folks,

We're trying to add a FreeIPA (4.1; CentOS 7) replica to our infrastructure and keep running into an issue that prevents us from preparing the replica.

We're using the CA-less setup where FreeIPA is using a wildcard certificate provided by RapidSSL. I started trying to create the replica using the information provided here: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html

But since we're not using a CA, it tells me that I need to specify --http-cert-file and --dirsrv-cert-file. I create a p12 file that includes the wildcard cert and the rest of the certs in the chain with:
$ openssl pkcs12 -export -in wildcard-with-intermediates.crt -inkey wildcard.key -name "replica01" -out replica01.mydomain.com.p12

I then check to see if all the necessary certs were added to the p12 file:
$ pk12util -l replica01.mydomain.com.p12

I see our wildcard certificate, RapidSSL's intermediate certificate, and the entry for Equifax/GeoTrust, that signed RapidSSL's certificate.

Then I run 'ipa-replica-prepare' on the existing FreeIPA server.
$ ipa-replica-prepare replica01.mydomain.com \
    --http-cert-file=replica01.mydomain.com.p12 \
    --dirsrv-cert-file=replica01.mydomain.com.p12 \
    --ca /etc/ipa/ca.crt \
    -v

I get the following error after the debug output reports a series of calls to certutil:
ipa: DEBUG: stderr=
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in execute
    self.ask_for_options()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 262, in ask_for_options
    options.http_cert_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 162, in load_pkcs12
    host_name=self.replica_fqdn)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 799, in load_pkcs12
    (", ".join(cert_files)))

ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: ScriptError: The full certificate chain is not present in replica01.mydomain.com.p12
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: The full certificate chain is not present in replicate01.mydomain.com.p12


The chain certainly looks to be complete given the output of pk12util, but it's possible I'm just building the file wrong for use with FreeIPA. What exactly are '--http-cert-file' and '--dirsrv-cert-file' expecting, and how should I go about generating the certificate used by 'ipa-replica-prepare' with a CA-less configuration?

Thanks all,

--
Mike Oliver

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
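As an added example that is not part of Mike's post and not FreeIPA's own tooling: the script below builds a PKCS#12 file the same way the post does (openssl pkcs12 -export with the server certificate, its key and the issuer certificates) and then checks offline whether the certificates stored in the file really form a chain from the server certificate up to a self-signed root, which is the property the "full certificate chain is not present" message refers to. Everything here is constructed for the demo: the root/intermediate/wildcard hierarchy standing in for GeoTrust/RapidSSL, the mydomain.com and replica01 names, the export password and the file names. The chain_is_complete check is simply openssl verify run over the certificates extracted from the p12; it is not a reproduction of FreeIPA's internal load_pkcs12 check.

```shell
#!/bin/sh
# Added example (not from the original post or from FreeIPA). Builds a
# PKCS#12 bundle carrying the server certificate plus every issuer up to
# the self-signed root, then verifies offline that the chain inside the
# file is complete. The CA hierarchy is constructed on the fly so the
# script runs anywhere with openssl; substitute the real wildcard
# key/cert and the real issuer certificates in practice.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
P12PASS=changeit            # assumption: demo export password

# --- constructed stand-in for the RapidSSL / GeoTrust hierarchy ----------
cat > "$WORK/ext.cnf" <<'EOF'
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.mydomain.com,DNS:mydomain.com
EOF

# mk_cert NAME SUBJECT EXTSECTION [ISSUER]: self-signed when no issuer given
mk_cert() {
  name=$1; subj=$2; ext=$3; issuer=$4
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -days 30 -extfile "$WORK/ext.cnf" -extensions "$ext" \
      -out "$WORK/$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" \
      -CA "$WORK/$issuer.crt" -CAkey "$WORK/$issuer.key" -CAcreateserial \
      -days 30 -extfile "$WORK/ext.cnf" -extensions "$ext" \
      -out "$WORK/$name.crt" 2>/dev/null
  fi
}

mk_cert root     "/CN=Example Root CA"         ca
mk_cert inter    "/CN=Example Intermediate CA" ca   root
mk_cert wildcard "/CN=*.mydomain.com"          leaf inter

# make_p12 OUT ISSUERCERT...: bundle the wildcard cert + key with the given
# issuer certificates. The PBE/MAC algorithms are pinned to the classic
# SHA1/3DES ones so that every NSS (pk12util) version can read the file;
# newer OpenSSL defaults to AES-256-CBC with PBKDF2, which older NSS builds
# may reject.
make_p12() {
  out=$1; shift
  cat "$@" > "$WORK/chain.pem"
  openssl pkcs12 -export -in "$WORK/wildcard.crt" -inkey "$WORK/wildcard.key" \
    -certfile "$WORK/chain.pem" -name "replica01" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -passout "pass:$P12PASS" -out "$out"
}

# chain_is_complete P12: succeed only if the CA certificates stored in the
# file let openssl build a chain from the server cert up to a self-signed
# root. Without -partial_chain, openssl verify refuses a chain that stops at
# a CA certificate that is itself issued by someone else (e.g. a cross-signed
# CA cert), which is exactly the "root is missing" case.
chain_is_complete() {
  p12=$1
  openssl pkcs12 -in "$p12" -passin "pass:$P12PASS" -clcerts -nokeys \
    -out "$WORK/leaf.pem" 2>/dev/null
  openssl pkcs12 -in "$p12" -passin "pass:$P12PASS" -cacerts -nokeys \
    -out "$WORK/issuers.pem" 2>/dev/null
  openssl verify -CAfile "$WORK/issuers.pem" "$WORK/leaf.pem" 2>&1 | grep -q ': OK$'
}

# cert_count P12: number of certificates stored in the bundle (what
# pk12util -l would list).
cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$P12PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

make_p12 "$WORK/replica01-full.p12"   "$WORK/inter.crt" "$WORK/root.crt"
make_p12 "$WORK/replica01-noroot.p12" "$WORK/inter.crt"

for f in full noroot; do
  p12="$WORK/replica01-$f.p12"
  if chain_is_complete "$p12"; then
    echo "$f: $(cert_count "$p12") certificates, chain complete up to a self-signed root"
  else
    echo "$f: $(cert_count "$p12") certificates, chain INCOMPLETE (no self-signed root reachable)"
  fi
done
```

The point of the noroot case is that a bundle can list several certificates in pk12util -l and still not contain a self-signed root, because the topmost certificate may itself be issued by another CA. A quick way to tell, for any certificate in the bundle, is `openssl x509 -in cert.pem -noout -subject -issuer`: only when subject and issuer are the same is it a root. Run this check on the real p12 before handing it to ipa-replica-prepare.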