Dne 29.7.2015 v 00:56 Mike Oliver napsal(a):
Hi folks,

We're trying to add a FreeIPA  (4.1; CentOS 7) replica to our
infrastructure and keep running into an issue that prevents us from
preparing the replica.

We're using the CA-less setup where FreeIPA is using a wildcard
certificate provided by RapidSSL. I started trying to create the replica
using the information provided here :

But since we're not using a CA, it tells me that I need to specify
--http-cert-file and --dirsrv-cert-file. I create a p12 file that
includes the wildcard cert and the rest of the certs in the chain with:
$ openssl pkcs12 -export -in wildcard-with-intermediates.crt -inkey
wildcard.key -name "replica01" -out replica01.mydomain.com.p12

I then check to see if all the necessary certs were added to the p12 file:
$ pk12util -l replica01.mydomain.com.p12

I see our wildcard certificate, RapidSSL's intermediate certificate, and
the entry for Equifax/GeoTrust, that signed RapidSSL's certificate.

Then I run 'ipa-replica-prepare' on the existing FreeIPA server.
$ ipa-replica-prepare replica01.mydomain.com \
     --http-cert-file=replica01.mydomain.com.p12 \
     --dirsrv-cert-file=replica01.mydomain.com.p12 \
     --ca /etc/ipa/ca.crt \

Note that you can use the .crt and .key files directly:

$ ipa-replica-prepare replica01.mydomain.com --http-cert-file=wildcard-with-intermediates.crt --http-cert-file=wildcard.key --dirsrv-cert-file=wildcard-with-intermediates.crt --dirsrv-cert-file=wildcard.key

I get the following error after the debug output reports  a series of
calls to certutil:
ipa: DEBUG: stderr=
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in
line 262, in ask_for_options
line 162, in load_pkcs12
line 799, in load_pkcs12
     (", ".join(cert_files)))

ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The
ipa-replica-prepare command failed, exception: ScriptError: The full
certificate chain is not present in replica01.mydomain.com.p12
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: The
full certificate chain is not present in replicate01.mydomain.com.p12

The chain certainly looks to be complete given the output of pk12util,
but it's possible I'm just building the file wrong for use with FreeIPA.
What exactly is '--http-cert-file' and '--dirsrv-cert-file' expecting
and how should I go about generating the certificate used by
'ipa-replica-prepare' with a CA-less configuration?

If the chain is complete, there should be a self-signed CA certificate at the top. For you that would be the Equifax/GeoTrust certificate. If it's not self-signed, it means the chain is in fact not complete.

Thanks all,


Jan Cholasta

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to