Hello Guys,

I was able to resolve this today.
My webserver and dirsrv certificate were expired yesterday and trying to
replace them gave me the same error "ERROR: (SEC_ERROR_LIBRARY_FAILURE)
security library failure."
So I tried some things to resolve this.
The trick was to replace /etc/ipa/ca.crt with the godaddy file "gdig2"
which only has 1 certificare. This file you can get while downloading your
certificate from godaddy. Then I had to add the bundle from godaddy, file
gd_bundle-g2-g1 into my server cert.
This made both the command ipa-server-certinstall and ipa-replicate-prepare
finish as expected!

Hope this helps. I saw somebody else with a very similar issue.

Kind Regards,

D

2015-04-23 7:40 GMT+02:00 Jan Cholasta <jchol...@redhat.com>:

> Hi,
>
> yes, you can definitely use a different certificate in the meantime,
> although it can't be self-signed.
>
> Honza
>
> Dne 20.4.2015 v 14:17 David Dejaeghere napsal(a):
>
>> Hi,
>>
>> Let me know how I can assist.
>> In the meantime could I setup a replica using a different certificate?
>> Self signed or anything like that?
>>
>> Regards,
>>
>> D
>>
>> 2015-04-17 15:27 GMT+02:00 Jan Cholasta <jchol...@redhat.com
>> <mailto:jchol...@redhat.com>>:
>>
>>     Hi,
>>
>>     I don't have any new information. I'm trying to reproduce the
>>     problem but had no luck so far.
>>
>>     Honza
>>
>>     Dne 17.4.2015 v 15:23 David Dejaeghere napsal(a):
>>
>>         Hi,
>>
>>         Any more things I can try out? How do we proceed?
>>
>>         Kind Regards,
>>
>>         D
>>
>>         2015-04-15 11:48 GMT+02:00 David Dejaeghere
>>         <david.dejaegh...@gmail.com <mailto:david.dejaegh...@gmail.com>
>>         <mailto:david.dejaegh...@gmail.com
>>         <mailto:david.dejaegh...@gmail.com>>>:
>>
>>              Hi Honza,
>>
>>              That gave me the exact same output.  Any ideas?
>>
>>              Regards,
>>
>>              D
>>
>>              2015-04-15 7:33 GMT+02:00 Jan Cholasta <jchol...@redhat.com
>>         <mailto:jchol...@redhat.com>
>>              <mailto:jchol...@redhat.com <mailto:jchol...@redhat.com>>>:
>>
>>
>>                  Hi,
>>
>>                  Dne 14.4.2015 v 19:47 Rob Crittenden napsal(a):
>>
>>                      David Dejaeghere wrote:
>>
>>                          Hi Rob,
>>
>>                          So you want to output of the command using pk12
>>         with
>>                          server cert and
>>                          key? or with the ca chain in there too?
>>
>>
>>                      Oddly enough it is failing in exactly the same
>>         place. Those
>>                      GoDaddy CA
>>                      certs are still being loaded from somewhere, I'm
>>         not sure
>>                      where, and I
>>                      suspect that is the source of the problem.
>>
>>
>>                  They are in the default CA certificate bundle (in the
>>                  ca-certificate package). I guess NSS loads it
>>         automatically.
>>
>>
>>                      I'm going to forward the log to a colleague who has
>>         worked
>>                      on this code
>>                      more recently than I have. Maybe he will have an
>> idea.
>>
>>
>>                  Could you try if the following works?
>>
>>                       # mv
>>         /usr/share/pki/ca-trust-__source/ca-bundle.trust.crt
>>                  /root/ca-bundle.trust.crt
>>
>>                       # update-ca-trust
>>
>>                       # ipa-replica-prepare ...
>>
>>                       # mv /root/ca-bundle.trust.crt
>>                  /usr/share/pki/ca-trust-__source/ca-bundle.trust.crt
>>
>>                       # update-ca-trust
>>
>>
>>                      rob
>>
>>
>>                  Honza
>>
>>                  --
>>                  Jan Cholasta
>>
>>
>>
>>
>>
>>     --
>>     Jan Cholasta
>>
>>
>>
>
> --
> Jan Cholasta
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to