Hello Guys, I was able to resolve this today. My webserver and dirsrv certificate were expired yesterday and trying to replace them gave me the same error "ERROR: (SEC_ERROR_LIBRARY_FAILURE) security library failure." So I tried some things to resolve this. The trick was to replace /etc/ipa/ca.crt with the godaddy file "gdig2" which only has 1 certificate. This file you can get while downloading your certificate from godaddy. Then I had to add the bundle from godaddy, file gd_bundle-g2-g1, into my server cert. This made both the command ipa-server-certinstall and ipa-replica-prepare finish as expected!
Hope this helps. I saw somebody else with a very similar issue.

Kind Regards,

D

2015-04-23 7:40 GMT+02:00 Jan Cholasta <[email protected]>:
> Hi,
>
> yes, you can definitely use a different certificate in the meantime,
> although it can't be self-signed.
>
> Honza
>
> On 20.4.2015 at 14:17, David Dejaeghere wrote:
>
>> Hi,
>>
>> Let me know how I can assist.
>> In the meantime could I setup a replica using a different certificate?
>> Self signed or anything like that?
>>
>> Regards,
>>
>> D
>>
>> 2015-04-17 15:27 GMT+02:00 Jan Cholasta <[email protected]>:
>>
>>> Hi,
>>>
>>> I don't have any new information. I'm trying to reproduce the
>>> problem but had no luck so far.
>>>
>>> Honza
>>>
>>> On 17.4.2015 at 15:23, David Dejaeghere wrote:
>>>
>>>> Hi,
>>>>
>>>> Any more things I can try out? How do we proceed?
>>>>
>>>> Kind Regards,
>>>>
>>>> D
>>>>
>>>> 2015-04-15 11:48 GMT+02:00 David Dejaeghere <[email protected]>:
>>>>
>>>>> Hi Honza,
>>>>>
>>>>> That gave me the exact same output. Any ideas?
>>>>>
>>>>> Regards,
>>>>>
>>>>> D
>>>>>
>>>>> 2015-04-15 7:33 GMT+02:00 Jan Cholasta <[email protected]>:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> On 14.4.2015 at 19:47, Rob Crittenden wrote:
>>>>>>
>>>>>>> David Dejaeghere wrote:
>>>>>>>
>>>>>>>> Hi Rob,
>>>>>>>>
>>>>>>>> So you want the output of the command using pk12 with server cert and
>>>>>>>> key? or with the ca chain in there too?
>>>>>>>
>>>>>>> Oddly enough it is failing in exactly the same place. Those GoDaddy CA
>>>>>>> certs are still being loaded from somewhere, I'm not sure where, and I
>>>>>>> suspect that is the source of the problem.
>>>>>>
>>>>>> They are in the default CA certificate bundle (in the ca-certificate
>>>>>> package). I guess NSS loads it automatically.
>>>>>>
>>>>>>> I'm going to forward the log to a colleague who has worked on this code
>>>>>>> more recently than I have. Maybe he will have an idea.
>>>>>>>
>>>>>>> Could you try if the following works?
>>>>>>>
>>>>>>> # mv /usr/share/pki/ca-trust-source/ca-bundle.trust.crt /root/ca-bundle.trust.crt
>>>>>>> # update-ca-trust
>>>>>>> # ipa-replica-prepare ...
>>>>>>> # mv /root/ca-bundle.trust.crt /usr/share/pki/ca-trust-source/ca-bundle.trust.crt
>>>>>>> # update-ca-trust
>>>>>>>
>>>>>>> rob
>>>>>>
>>>>>> Honza
>>>>>>
>>>>>> --
>>>>>> Jan Cholasta
>>>
>>> --
>>> Jan Cholasta
>
> --
> Jan Cholasta
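A pre-flight check for the file layout described in the top post (ca.crt holding exactly one certificate, the server cert file carrying the leaf plus the gd_bundle-g2-g1 chain) before running ipa-server-certinstall. This is an added example, not code from the thread or from FreeIPA; it only parses PEM text and fingerprints the DER, and the sample "certificates" are constructed base64 stand-ins, not real GoDaddy certificates.

```python
import base64
import hashlib
import re

# Matches one PEM certificate block; the base64 body may span several lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def fingerprints(pem_text):
    """SHA-256 fingerprints (hex) of every certificate in a PEM file, in order."""
    result = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        result.append(hashlib.sha256(der).hexdigest())
    return result


def check_layout(ca_pem, server_pem, bundle_pem):
    """Return a list of problems; empty means the layout matches the fix above:
    ca.crt holds exactly one certificate and the server cert file carries the
    leaf plus every certificate of the intermediate bundle, with no duplicates."""
    problems = []
    ca, server, bundle = (fingerprints(p) for p in (ca_pem, server_pem, bundle_pem))
    if len(ca) != 1:
        problems.append(f"ca.crt holds {len(ca)} certificates, expected exactly 1")
    if not server:
        problems.append("server cert file holds no certificate")
    missing = [fp for fp in bundle if fp not in server]
    if missing:
        problems.append(f"{len(missing)} bundle certificate(s) missing from server cert file")
    if len(set(server)) != len(server):
        problems.append("server cert file contains duplicate certificates")
    return problems


def fake_pem(label):
    """Constructed stand-in for a certificate (base64 of a label), NOT a real cert."""
    body = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample files mirroring the layout in the post above.
GDIG2 = fake_pem("gdig2-intermediate")                 # single-cert file used as ca.crt
GD_BUNDLE = GDIG2 + fake_pem("gd-root-g2")             # gd_bundle-g2-g1 stand-in
SERVER_FIXED = fake_pem("ipa-server-leaf") + GD_BUNDLE # leaf with the bundle appended
SERVER_PLAIN = fake_pem("ipa-server-leaf")             # leaf only, before the fix

if __name__ == "__main__":
    print(check_layout(GDIG2, SERVER_FIXED, GD_BUNDLE))      # []
    print(check_layout(GD_BUNDLE, SERVER_PLAIN, GD_BUNDLE))  # two problems reported
```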
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
