On 20.7.2015 at 19:52, Orion Poplawski wrote:
On 07/20/2015 12:57 AM, Jan Cholasta wrote:
On 15.7.2015 at 20:57, Orion Poplawski wrote:
On 07/14/2015 11:53 PM, Jan Cholasta wrote:
# ipa-replica-prepare -v ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12 --dirsrv_pin=XXXXXX --http_pkcs12=nwra.com.p12 --http_pin=XXXXXX
Directory Manager (existing master) password:
(SEC_ERROR_LIBRARY_FAILURE) security library failure.
Not much :(
Seems to be very early.
I can't find an ipa-replica-prepare.log file.
That's weird, there should be ~50 lines of output before ipa-replica-prepare
prompts you for directory manager password.
I didn't have any luck in reproducing the issue so far.
Could you please try this:
$ mkdir tmpdb
$ certutil -N -d tmpdb
$ pk12util -i nwra.com.p12 -d tmpdb
$ certutil -L -d tmpdb # look for the nickname of the certificate which has trust attributes u,u,u
$ certutil -O -d tmpdb -n nickname # use the nickname from above
I would like to see the output of the last 2 commands.
[root@europa ~]# pk12util -i nwra.com.p12 -d tmpdb
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
pk12util: no nickname for cert in PKCS12 file.
pk12util: using nickname: *.nwra.com - COMODO CA Limited
pk12util: PKCS12 IMPORT SUCCESSFUL
[root@europa ~]# certutil -L -d tmpdb

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

COMODO RSA Domain Validation Secure Server CA - COMODO CA Limited ,,
AddTrust External CA Root - AddTrust AB                      ,,
*.nwra.com - COMODO CA Limited                               u,u,u
COMODO RSA Certification Authority - AddTrust AB             ,,
[root@europa ~]# certutil -O -d tmpdb -n '*.nwra.com - COMODO CA Limited'
"AddTrust External CA Root - AddTrust AB" [CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE]

  "COMODO RSA Certification Authority - AddTrust AB" [CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB]

    "COMODO RSA Domain Validation Secure Server CA - COMODO CA Limited" [CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB]

      "*.nwra.com - COMODO CA Limited" [CN=*.nwra.com,OU=PositiveSSL Wildcard,OU=Domain Control Validated]
Thanks. Unfortunately it looks perfectly fine, so I still have no idea
what's wrong.
This is a long shot, but could you try running ipa-replica-prepare under strace and post the log of that?
# strace -o ipa-replica-prepare-strace.log ipa-replica-prepare ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12 --dirsrv_pin=XXXXXX --http_pkcs12=nwra.com.p12 --http_pin=XXXXXX
--
Jan Cholasta
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
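Jan's manual check from the thread (throwaway NSS database, pk12util import, certutil -L to find the u,u,u entry, certutil -O for the chain) scripted end to end, as an added example that is not part of the thread and not FreeIPA code. It assumes the NSS tools certutil and pk12util are installed, and it goes one step beyond the thread: it marks the self-signed CA found in the bundle as a trusted CA inside the throwaway database and then runs certutil -V -u V, so a chain that is present but does not actually validate is reported as well. The function name, the exit codes and the Usage line are the example's own inventions.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or from FreeIPA): sanity-check a
# PKCS#12 bundle before passing it as --dirsrv_pkcs12 / --http_pkcs12.
# Assumes certutil and pk12util (NSS tools) are on PATH.
# Returns 0 if the bundle holds exactly one cert with a private key and its chain
# validates as an SSL server cert, 1 if the content is wrong, 2 if a tool failed.
# Usage: check_p12_for_ipa FILE.p12 PKCS12_PASSWORD
check_p12_for_ipa() {
    p12=$1
    p12pass=$2
    tmpdb=$(mktemp -d) || return 2

    # 1. fresh NSS database with an empty password, so nothing prompts
    if ! certutil -N -d "$tmpdb" --empty-password >/dev/null 2>&1; then
        echo "certutil -N failed" >&2; rm -rf "$tmpdb"; return 2
    fi

    # 2. import the bundle; -K is the (empty) database password, -W the PKCS#12 password
    if ! pk12util -i "$p12" -d "$tmpdb" -K '' -W "$p12pass" >/dev/null 2>&1; then
        echo "pk12util import failed (wrong password or unsupported PKCS#12 encryption?)" >&2
        rm -rf "$tmpdb"; return 2
    fi

    # 3. the entry whose trust flags are u,u,u is the one that came with a private key;
    #    certutil -L right-aligns the flags, so strip them to recover the nickname
    leaf=$(certutil -L -d "$tmpdb" | awk '$NF == "u,u,u" { sub(/[ \t]+u,u,u[ \t]*$/, ""); print }')
    n=$(printf '%s\n' "$leaf" | grep -c . || true)
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one certificate with a private key, found $n" >&2
        rm -rf "$tmpdb"; return 1
    fi
    echo "server cert: $leaf"

    # 4. CA certs from the bundle arrive with trust ",,"; mark the self-signed one(s)
    #    as trusted CAs so the chain can actually be validated in this database
    certutil -L -d "$tmpdb" | awk '$NF == ",," { sub(/[ \t]+,,[ \t]*$/, ""); print }' |
    while IFS= read -r nick; do
        issuer=$(certutil -L -d "$tmpdb" -n "$nick" | sed -n 's/^ *Issuer: //p')
        subject=$(certutil -L -d "$tmpdb" -n "$nick" | sed -n 's/^ *Subject: //p')
        if [ "$issuer" = "$subject" ]; then
            certutil -M -d "$tmpdb" -n "$nick" -t "C,," >/dev/null 2>&1
        fi
    done

    # 5. print the chain (root first, as certutil -O does), then validate the leaf
    #    for SSL server usage (-u V)
    certutil -O -d "$tmpdb" -n "$leaf"
    if certutil -V -d "$tmpdb" -n "$leaf" -u V >/dev/null 2>&1; then
        echo "chain validates"; rc=0
    else
        echo "chain does NOT validate: $(certutil -V -d "$tmpdb" -n "$leaf" -u V 2>&1)" >&2; rc=1
    fi
    rm -rf "$tmpdb"
    return $rc
}
```

Run it with the same file and password you would give as --dirsrv_pkcs12/--dirsrv_pin. The cases it catches are a bundle with no private key (no u,u,u entry), more than one key, or an intermediate or root missing from the PKCS#12; the bundle in the thread would pass it, which is consistent with Jan's conclusion that the file itself looks fine.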