On 06/15/2016 06:40 AM, Abhijeet Kasurde wrote:
> Hi All,
>
> I am creating a master-replica setup using the following commands and getting
> an error on the replica server
>
> 2016-06-15T03:53:31Z DEBUG The ipa-replica-install command failed, exception: NetworkError: cannot connect to 'ldaps://dhcp201-141.testrelm.test:636': TLS error -8157:Certificate extension not found.
>
> Can anyone explain to me what this error is trying to say?
>
> I am performing the following steps
>
> $ mkdir /tmp/nssdb
> $ vim /tmp/nssdb/password.txt
> $ vim /tmp/nssdb/noise.txt
> $ certutil -d /tmp/nssdb/ -N -f /tmp/nssdb/password.txt
> $ certutil -d /tmp/nssdb -S -n ca -s cn=Test_CA -x -t CTu,Cu,Cu -g 2048 -v 60 -z /tmp/nssdb/noise.txt -2 -f /tmp/nssdb/passwd.txt
> $ certutil -d /tmp/nssdb -S -n server -s cn=dhcp201-172.testrelm.test -t ,, -z /tmp/nssdb/noise.txt -c ca -f /tmp/nssdb/passwd.txt
> $ /usr/bin/pk12util -o /tmp/nssdb/server.p12 -n server -d /tmp/nssdb -k /tmp/nssdb/passwd.txt -W Secret123
> $ ipa-server-install --http-cert-file /tmp/nssdb/server.p12 --dirsrv-cert-file /tmp/nssdb/server.p12 --ip-address 10.65.210.89 -r TESTRELM.TEST -p Secret123 -a Secret123 --setup-dns --forwarder 10.11.5.19 --http-pin Secret123 --dirsrv-pin Secret123 -U
> $ certutil -d /tmp/nssdb -S -n ca -s cn=Test_CA -x -t CTu,Cu,Cu -g 2048 -v 60 -z /tmp/nssdb/noise.txt -2 -f /tmp/nssdb/passwd.txt -m 3
> $ certutil -d /tmp/nssdb -S -n replica -s cn=dhcp201-141.testrelm.test -t ,, -z /tmp/nssdb/noise.txt -c ca -f /tmp/nssdb/passwd.txt -m 4
> $ /usr/bin/pk12util -o /tmp/nssdb/replica.p12 -n replica -d /tmp/nssdb -k /tmp/nssdb/passwd.txt -W Secret123
> $ ipa-replica-prepare dhcp201-141.testrelm.test --http_pkcs12 /tmp/nssdb/replica.p12 --http_pin Secret123 --dirsrv_pkcs12 /tmp/nssdb/replica.p12 --dirsrv_pin Secret123 --ip-address 10.65.210.91 --reverse-zone=210.65.10.in-addr.arpa.
> $ scp /var/lib/ipa/replica-info-dhcp201-141.testrelm.test.gpg [email protected]:/root/
>
> Attaching console.log and replicainstall.log

CCing Jan, he may have some CA-less related commands handy (or know if installer is lacking some check).

Martin
