Re: [Freeipa-users] ipa-replica-prepare failed - could not create forward DNS zone
On 09/09/14 09:35, Tevfik Ceydeliler wrote:
> Hi,
> I try to create a replica for my IPA Server env. When I try to use:
>
> ipa-replica-prepare rep.ipa.grp --ip-address 10.1.1.183
>
> At the end I have an error:
>
> [root@srv ~]# ipa-replica-prepare rep.ipa.grp --ip-address 10.1.1.183
> Directory Manager (existing master) password:
> Preparing replica for rep.ipa.grp from srv.ipa.grp
> Creating SSL certificate for the Directory Server
> Creating SSL certificate for the dogtag Directory Server
> Creating SSL certificate for the Web Server
> Exporting RA certificate
> Copying additional files
> Finalizing configuration
> Packaging replica information into /var/lib/ipa/replica-info-rep.ipa.grp.gpg
> Adding DNS records for rep.ipa.grp
> Could not create forward DNS zone for the replica: Nameserver 'srv.ipa.grp.' does not have a corresponding A/ record
>
> Have you any idea about that? Or, is it an error?
>
> 10.1.1.183 is rep.ipa.grp (replica)
> 101.1.173 is srv.ipa.grp (IPA server)

Hello,
can you resolve the srv.ipa.grp. address?

$ dig A srv.ipa.grp.

--
Martin Basti

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
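Martin's `dig A srv.ipa.grp.` is the right first check. The script below is an added example, not something posted in the thread: it reproduces the precondition that made ipa-replica-prepare refuse to create the forward zone. The new zone's NS record points at the existing master, so that name must itself own an A (or AAAA) record, otherwise the delegation points at a nameserver nobody can reach. The parser works on captured resolver output, so the sample addresses in it are constructed; only the optional live check needs `dig`.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): check that the nameserver
# named in a forward zone's NS record has an address record of its own, the
# condition ipa-replica-prepare enforces before it writes the zone.

# has_address_record NAME ANSWER
#   NAME   nameserver FQDN being checked
#   ANSWER resolver output, one record per line as printed by `dig +short`
# Returns 0 when at least one line is an IPv4 or IPv6 literal, 1 otherwise.
# A CNAME target (printed as a dotted name) deliberately does not count:
# the installer wants an address record on the NS name itself.
has_address_record() {
    name=$1
    answer=$2
    addrs=$(printf '%s\n' "$answer" \
        | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9A-Fa-f]*:[0-9A-Fa-f:]*$' \
        || true)
    if [ -n "$addrs" ]; then
        return 0
    fi
    # Mirrors the installer's complaint so the two are easy to correlate.
    echo "Nameserver '$name.' does not have a corresponding A/AAAA record" >&2
    return 1
}

# live_check NAME: run the same query Martin suggested, for both A and AAAA,
# and feed the answer to has_address_record. Needs `dig` and network access.
live_check() {
    answer=$(dig +short A "$1."; dig +short AAAA "$1.")
    has_address_record "$1" "$answer"
}

# Usage: sh check_ns_glue.sh srv.ipa.grp
if [ $# -gt 0 ]; then
    live_check "$1"
fi
```

When the live check fails, the fix is on the master, not the replica: add the missing record to the zone (for the names in this thread, `ipa dnsrecord-add ipa.grp srv --a-rec=<address of srv.ipa.grp>`, the address being whatever the master actually listens on) and re-run ipa-replica-prepare.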
Re: [Freeipa-users] ipa-replica-prepare failed
Thank you Rob. My replica is working now. :)

2013/2/10 Rob Crittenden <rcrit...@redhat.com>
> James James wrote:
> > Maybe I am stupid or tired (or both ..) but I have tried many things to include the CA cert, the IPA key and PEM file in a single PKCS#12 file but I am still stuck. Can you give me more detailed help?
>
> Well, this is one of the reasons we're deprecating this feature, because it hasn't been well-tested since v1 and is ridden with corner cases.
>
> I think the only solution is going to be to make direct code changes to the IPA python scripts to match what your PKCS#12 files contain.
>
> If it is signed by a root CA then chances are if you simply skip the step where the CA is loaded and trusted then things may just work.
>
> It is failing in ipaserver/install/certs.p12 in the call to find_root_cert_from_pkcs12(). Either it is simply an issue of our identifying the CA or one isn't being loaded at all. You can do:
>
> certutil -L -d /etc/dirsrv/slapd-YOUR_REALM
>
> to list the certificates that were loaded. It may be that the CA was loaded but we aren't detecting the nickname, in which case you could simply hardcode it into the python file for a workaround, something like:
>
> ca_names = ['CA nickname']
>
> rob
>
> > 2013/2/8 Rob Crittenden <rcrit...@redhat.com>
> > > James James wrote:
> > > > OK .. but I have to put the pkcs12 file in /etc/pki/nssdb ?
> > >
> > > No. The PKCS#12 file that contains your server private key and cert needs to also contain the CA that signed it.
> > >
> > > rob
> > >
> > > > 2013/2/8 Rob Crittenden <rcrit...@redhat.com>
> > > > > James James wrote:
> > > > > > Now on the replica server I've got this error:
> > > > > >
> > > > > > Run connection check to master
> > > > > > Connection check OK
> > > > > > Configuring ntpd
> > > > > >   [1/4]: stopping ntpd
> > > > > >   [2/4]: writing configuration
> > > > > >   [3/4]: configuring ntpd to start on boot
> > > > > >   [4/4]: starting ntpd
> > > > > > done configuring ntpd.
> > > > > > Configuring directory server: Estimated time 1 minute
> > > > > >   [1/30]: creating directory server user
> > > > > >   [2/30]: creating directory server instance
> > > > > >   [3/30]: adding default schema
> > > > > >   [4/30]: enabling memberof plugin
> > > > > >   [5/30]: enabling referential integrity plugin
> > > > > >   [6/30]: enabling winsync plugin
> > > > > >   [7/30]: configuring replication version plugin
> > > > > >   [8/30]: enabling IPA enrollment plugin
> > > > > >   [9/30]: enabling ldapi
> > > > > >   [10/30]: configuring uniqueness plugin
> > > > > >   [11/30]: configuring uuid plugin
> > > > > >   [12/30]: configuring modrdn plugin
> > > > > >   [13/30]: enabling entryUSN plugin
> > > > > >   [14/30]: configuring lockout plugin
> > > > > >   [15/30]: creating indices
> > > > > >   [16/30]: configuring ssl for ds instance
> > > > > > creation of replica failed: Could not find a CA cert in /tmp/tmp21VpT8ipa/realm_info/dscert.p12
> > > > > > Your system may be partly configured.
> > > > > > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> > > > > >
> > > > > > Where do I have to put the CA certificate?
> > > > >
> > > > > It needs to be in the PKCS#12 file.
> > > > >
> > > > > rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] ipa-replica-prepare failed
Maybe I am stupid or tired (or both ..) but I have tried many things to include the CA cert, the IPA key and PEM file in a single PKCS#12 file but I am still stuck. Can you give me more detailed help?

2013/2/8 Rob Crittenden <rcrit...@redhat.com>
> James James wrote:
> > OK .. but I have to put the pkcs12 file in /etc/pki/nssdb ?
>
> No. The PKCS#12 file that contains your server private key and cert needs to also contain the CA that signed it.
>
> rob
>
> > 2013/2/8 Rob Crittenden <rcrit...@redhat.com>
> > > James James wrote:
> > > > Now on the replica server I've got this error:
> > > >
> > > > Run connection check to master
> > > > Connection check OK
> > > > Configuring ntpd
> > > >   [1/4]: stopping ntpd
> > > >   [2/4]: writing configuration
> > > >   [3/4]: configuring ntpd to start on boot
> > > >   [4/4]: starting ntpd
> > > > done configuring ntpd.
> > > > Configuring directory server: Estimated time 1 minute
> > > >   [1/30]: creating directory server user
> > > >   [2/30]: creating directory server instance
> > > >   [3/30]: adding default schema
> > > >   [4/30]: enabling memberof plugin
> > > >   [5/30]: enabling referential integrity plugin
> > > >   [6/30]: enabling winsync plugin
> > > >   [7/30]: configuring replication version plugin
> > > >   [8/30]: enabling IPA enrollment plugin
> > > >   [9/30]: enabling ldapi
> > > >   [10/30]: configuring uniqueness plugin
> > > >   [11/30]: configuring uuid plugin
> > > >   [12/30]: configuring modrdn plugin
> > > >   [13/30]: enabling entryUSN plugin
> > > >   [14/30]: configuring lockout plugin
> > > >   [15/30]: creating indices
> > > >   [16/30]: configuring ssl for ds instance
> > > > creation of replica failed: Could not find a CA cert in /tmp/tmp21VpT8ipa/realm_info/dscert.p12
> > > > Your system may be partly configured.
> > > > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> > > >
> > > > Where do I have to put the CA certificate?
> > >
> > > It needs to be in the PKCS#12 file.
> > >
> > > rob
Re: [Freeipa-users] ipa-replica-prepare failed
James James wrote:
> Maybe I am stupid or tired (or both ..) but I have tried many things to include the CA cert, the IPA key and PEM file in a single PKCS#12 file but I am still stuck. Can you give me more detailed help?

Well, this is one of the reasons we're deprecating this feature, because it hasn't been well-tested since v1 and is ridden with corner cases.

I think the only solution is going to be to make direct code changes to the IPA python scripts to match what your PKCS#12 files contain.

If it is signed by a root CA then chances are if you simply skip the step where the CA is loaded and trusted then things may just work.

It is failing in ipaserver/install/certs.p12 in the call to find_root_cert_from_pkcs12(). Either it is simply an issue of our identifying the CA or one isn't being loaded at all. You can do:

certutil -L -d /etc/dirsrv/slapd-YOUR_REALM

to list the certificates that were loaded. It may be that the CA was loaded but we aren't detecting the nickname, in which case you could simply hardcode it into the python file for a workaround, something like:

ca_names = ['CA nickname']

rob

> 2013/2/8 Rob Crittenden <rcrit...@redhat.com>
> > James James wrote:
> > > OK .. but I have to put the pkcs12 file in /etc/pki/nssdb ?
> >
> > No. The PKCS#12 file that contains your server private key and cert needs to also contain the CA that signed it.
> >
> > rob
> >
> > > 2013/2/8 Rob Crittenden <rcrit...@redhat.com>
> > > > James James wrote:
> > > > > Now on the replica server I've got this error:
> > > > >
> > > > > Run connection check to master
> > > > > Connection check OK
> > > > > Configuring ntpd
> > > > >   [1/4]: stopping ntpd
> > > > >   [2/4]: writing configuration
> > > > >   [3/4]: configuring ntpd to start on boot
> > > > >   [4/4]: starting ntpd
> > > > > done configuring ntpd.
> > > > > Configuring directory server: Estimated time 1 minute
> > > > >   [1/30]: creating directory server user
> > > > >   [2/30]: creating directory server instance
> > > > >   [3/30]: adding default schema
> > > > >   [4/30]: enabling memberof plugin
> > > > >   [5/30]: enabling referential integrity plugin
> > > > >   [6/30]: enabling winsync plugin
> > > > >   [7/30]: configuring replication version plugin
> > > > >   [8/30]: enabling IPA enrollment plugin
> > > > >   [9/30]: enabling ldapi
> > > > >   [10/30]: configuring uniqueness plugin
> > > > >   [11/30]: configuring uuid plugin
> > > > >   [12/30]: configuring modrdn plugin
> > > > >   [13/30]: enabling entryUSN plugin
> > > > >   [14/30]: configuring lockout plugin
> > > > >   [15/30]: creating indices
> > > > >   [16/30]: configuring ssl for ds instance
> > > > > creation of replica failed: Could not find a CA cert in /tmp/tmp21VpT8ipa/realm_info/dscert.p12
> > > > > Your system may be partly configured.
> > > > > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> > > > >
> > > > > Where do I have to put the CA certificate?
> > > >
> > > > It needs to be in the PKCS#12 file.
> > > >
> > > > rob
Re: [Freeipa-users] ipa-replica-prepare failed
I had to set the --dirsrv_pkcs12, --dirsrv_pin, --http_pkcs12, --http_pin and the ipa-replica-prepare command runs without failure. Thanks for your help.

2013/2/8 James James <jre...@gmail.com>
> My ipa version is ipa-server-2.2.0-17.el6_3.1.x86_64 and the distro is Scientific Linux 6.3. I have used ipa-server-certinstall to replace the default IPA certs.
>
> 2013/2/8 Rob Crittenden <rcrit...@redhat.com>
> > James James wrote:
> > > Hi,
> > > today I wanted to install an ipa replica. When I used the ipa-replica-prepare command, I've got this error:
> > >
> > > [root@ipa ~]# ipa-replica-prepare ipa2-example.com
> > > Directory Manager (existing master) password:
> > > Preparing replica for ipa-EXAMPLE.COM from ipa.EXAMPLE.COM
> > > Creating SSL certificate for the Directory Server
> > > certutil: could not find certificate named CN=EXAMPLE.COM Certificate Authority: security library: bad database.
> > > certutil: unable to create cert (security library: bad database.)
> > > preparation of replica failed: Command '/usr/bin/certutil -d /tmp/tmpoUpN72ipa/realm_info -A -n Server-Cert -t u,u,u -i /var/lib/ipa/ipa-6qKbha/tmpcert.der -f /tmp/tmpoUpN72ipa/realm_info/pwdfile.txt' returned non-zero exit status 255
> > > Command '/usr/bin/certutil -d /tmp/tmpoUpN72ipa/realm_info -A -n Server-Cert -t u,u,u -i /var/lib/ipa/ipa-6qKbha/tmpcert.der -f /tmp/tmpoUpN72ipa/realm_info/pwdfile.txt' returned non-zero exit status 255
> > >   File /usr/sbin/ipa-replica-prepare, line 459, in <module>
> > >     main()
> > >   File /usr/sbin/ipa-replica-prepare, line 345, in main
> > >     export_certdb(api.env.realm, ds_dir, dir, passwd_fname, dscert, replica_fqdn, subject_base)
> > >   File /usr/sbin/ipa-replica-prepare, line 143, in export_certdb
> > >     raise e
> > >
> > > I have a certificate generated by a custom certificate authority in the ipa server.
> >
> > Need more information on your installation. What version of IPA, what distro? Did you use ipa-server-certinstall to replace the default IPA certs?
> >
> > rob
Re: [Freeipa-users] ipa-replica-prepare failed
James James wrote:
> I had to set the --dirsrv_pkcs12, --dirsrv_pin, --http_pkcs12, --http_pin and the ipa-replica-prepare command runs without failure. Thanks for your help.

Yes, this is what I was going to suggest. Using ipa-server-certinstall replaces the IPA CA with an external one. I should note that we're deprecating this tool and do not recommend that it be used. We instead suggest that if you need certificates from an external CA you get the IPA CA signed as a subordinate.

rob

> 2013/2/8 James James <jre...@gmail.com>
> > My ipa version is ipa-server-2.2.0-17.el6_3.1.x86_64 and the distro is Scientific Linux 6.3. I have used ipa-server-certinstall to replace the default IPA certs.
> >
> > 2013/2/8 Rob Crittenden <rcrit...@redhat.com>
> > > James James wrote:
> > > > Hi,
> > > > today I wanted to install an ipa replica. When I used the ipa-replica-prepare command, I've got this error:
> > > >
> > > > [root@ipa ~]# ipa-replica-prepare ipa2-example.com
> > > > Directory Manager (existing master) password:
> > > > Preparing replica for ipa-EXAMPLE.COM from ipa.EXAMPLE.COM
> > > > Creating SSL certificate for the Directory Server
> > > > certutil: could not find certificate named CN=EXAMPLE.COM Certificate Authority: security library: bad database.
> > > > certutil: unable to create cert (security library: bad database.)
> > > > preparation of replica failed: Command '/usr/bin/certutil -d /tmp/tmpoUpN72ipa/realm_info -A -n Server-Cert -t u,u,u -i /var/lib/ipa/ipa-6qKbha/tmpcert.der -f /tmp/tmpoUpN72ipa/realm_info/pwdfile.txt' returned non-zero exit status 255
> > > > Command '/usr/bin/certutil -d /tmp/tmpoUpN72ipa/realm_info -A -n Server-Cert -t u,u,u -i /var/lib/ipa/ipa-6qKbha/tmpcert.der -f /tmp/tmpoUpN72ipa/realm_info/pwdfile.txt' returned non-zero exit status 255
> > > >   File /usr/sbin/ipa-replica-prepare, line 459, in <module>
> > > >     main()
> > > >   File /usr/sbin/ipa-replica-prepare, line 345, in main
> > > >     export_certdb(api.env.realm, ds_dir, dir, passwd_fname, dscert, replica_fqdn, subject_base)
> > > >   File /usr/sbin/ipa-replica-prepare, line 143, in export_certdb
> > > >     raise e
> > > >
> > > > I have a certificate generated by a custom certificate authority in the ipa server.
> > >
> > > Need more information on your installation. What version of IPA, what distro? Did you use ipa-server-certinstall to replace the default IPA certs?
> > >
> > > rob
Re: [Freeipa-users] ipa-replica-prepare failed
On 02/08/2013 06:44 AM, Rob Crittenden wrote:
> James James wrote:
> > I had to set the --dirsrv_pkcs12, --dirsrv_pin, --http_pkcs12, --http_pin and the ipa-replica-prepare command runs without failure. Thanks for your help.
>
> Yes, this is what I was going to suggest. Using ipa-server-certinstall replaces the IPA CA with an external one. I should note that we're deprecating this tool and do not recommend that it be used. We instead suggest that if you need certificates from an external CA you get the IPA CA signed as a subordinate.
>
> rob

Is that possible to do from a commercial SSL certificate provider?

--
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder Office                  FAX: 303-415-9702
3380 Mitchell Lane                       or...@nwra.com
Boulder, CO 80301                   http://www.nwra.com
Re: [Freeipa-users] ipa-replica-prepare failed
Orion Poplawski wrote:
> On 02/08/2013 06:44 AM, Rob Crittenden wrote:
> > James James wrote:
> > > I had to set the --dirsrv_pkcs12, --dirsrv_pin, --http_pkcs12, --http_pin and the ipa-replica-prepare command runs without failure. Thanks for your help.
> >
> > Yes, this is what I was going to suggest. Using ipa-server-certinstall replaces the IPA CA with an external one. I should note that we're deprecating this tool and do not recommend that it be used. We instead suggest that if you need certificates from an external CA you get the IPA CA signed as a subordinate.
> >
> > rob
>
> Is that possible to do from a commercial SSL certificate provider?

GeoTrust does, I don't know about any others.

http://www.prnewswire.com/news-releases/geotrust-launches-georoot-allows-organizations-with-their-own-certificate-authority-ca-to-chain-to-geotrusts-ubiquitous-public-root-54048807.html

rob
Re: [Freeipa-users] ipa-replica-prepare failed
Now on the replica server I've got this error:

Run connection check to master
Connection check OK
Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server: Estimated time 1 minute
  [1/30]: creating directory server user
  [2/30]: creating directory server instance
  [3/30]: adding default schema
  [4/30]: enabling memberof plugin
  [5/30]: enabling referential integrity plugin
  [6/30]: enabling winsync plugin
  [7/30]: configuring replication version plugin
  [8/30]: enabling IPA enrollment plugin
  [9/30]: enabling ldapi
  [10/30]: configuring uniqueness plugin
  [11/30]: configuring uuid plugin
  [12/30]: configuring modrdn plugin
  [13/30]: enabling entryUSN plugin
  [14/30]: configuring lockout plugin
  [15/30]: creating indices
  [16/30]: configuring ssl for ds instance
creation of replica failed: Could not find a CA cert in /tmp/tmp21VpT8ipa/realm_info/dscert.p12
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Where do I have to put the CA certificate?

Regards (again)

2013/2/8 Rob Crittenden <rcrit...@redhat.com>
> James James wrote:
> > I had to set the --dirsrv_pkcs12, --dirsrv_pin, --http_pkcs12, --http_pin and the ipa-replica-prepare command runs without failure. Thanks for your help.
>
> Yes, this is what I was going to suggest. Using ipa-server-certinstall replaces the IPA CA with an external one. I should note that we're deprecating this tool and do not recommend that it be used. We instead suggest that if you need certificates from an external CA you get the IPA CA signed as a subordinate.
>
> rob
>
> > 2013/2/8 James James <jre...@gmail.com>
> > > My ipa version is ipa-server-2.2.0-17.el6_3.1.x86_64 and the distro is Scientific Linux 6.3. I have used ipa-server-certinstall to replace the default IPA certs.
> > >
> > > 2013/2/8 Rob Crittenden <rcrit...@redhat.com>
> > > > James James wrote:
> > > > > Hi,
> > > > > today I wanted to install an ipa replica. When I used the ipa-replica-prepare command, I've got this error:
> > > > >
> > > > > [root@ipa ~]# ipa-replica-prepare ipa2-example.com
> > > > > Directory Manager (existing master) password:
> > > > > Preparing replica for ipa-EXAMPLE.COM from ipa.EXAMPLE.COM
> > > > > Creating SSL certificate for the Directory Server
> > > > > certutil: could not find certificate named CN=EXAMPLE.COM Certificate Authority: security library: bad database.
> > > > > certutil: unable to create cert (security library: bad database.)
> > > > > preparation of replica failed: Command '/usr/bin/certutil -d /tmp/tmpoUpN72ipa/realm_info -A -n Server-Cert -t u,u,u -i /var/lib/ipa/ipa-6qKbha/tmpcert.der -f /tmp/tmpoUpN72ipa/realm_info/pwdfile.txt' returned non-zero exit status 255
> > > > > Command '/usr/bin/certutil -d /tmp/tmpoUpN72ipa/realm_info -A -n Server-Cert -t u,u,u -i /var/lib/ipa/ipa-6qKbha/tmpcert.der -f /tmp/tmpoUpN72ipa/realm_info/pwdfile.txt' returned non-zero exit status 255
> > > > >   File /usr/sbin/ipa-replica-prepare, line 459, in <module>
> > > > >     main()
> > > > >   File /usr/sbin/ipa-replica-prepare, line 345, in main
> > > > >     export_certdb(api.env.realm, ds_dir, dir, passwd_fname, dscert, replica_fqdn, subject_base)
> > > > >   File /usr/sbin/ipa-replica-prepare, line 143, in export_certdb
> > > > >     raise e
> > > > >
> > > > > I have a certificate generated by a custom certificate authority in the ipa server.
> > > >
> > > > Need more information on your installation. What version of IPA, what distro? Did you use ipa-server-certinstall to replace the default IPA certs?
> > > >
> > > > rob
Re: [Freeipa-users] ipa-replica-prepare failed
James James wrote:
> Now on the replica server I've got this error:
>
> Run connection check to master
> Connection check OK
> Configuring ntpd
>   [1/4]: stopping ntpd
>   [2/4]: writing configuration
>   [3/4]: configuring ntpd to start on boot
>   [4/4]: starting ntpd
> done configuring ntpd.
> Configuring directory server: Estimated time 1 minute
>   [1/30]: creating directory server user
>   [2/30]: creating directory server instance
>   [3/30]: adding default schema
>   [4/30]: enabling memberof plugin
>   [5/30]: enabling referential integrity plugin
>   [6/30]: enabling winsync plugin
>   [7/30]: configuring replication version plugin
>   [8/30]: enabling IPA enrollment plugin
>   [9/30]: enabling ldapi
>   [10/30]: configuring uniqueness plugin
>   [11/30]: configuring uuid plugin
>   [12/30]: configuring modrdn plugin
>   [13/30]: enabling entryUSN plugin
>   [14/30]: configuring lockout plugin
>   [15/30]: creating indices
>   [16/30]: configuring ssl for ds instance
> creation of replica failed: Could not find a CA cert in /tmp/tmp21VpT8ipa/realm_info/dscert.p12
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Where do I have to put the CA certificate?

It needs to be in the PKCS#12 file.

rob
Re: [Freeipa-users] ipa-replica-prepare failed
OK .. but I have to put the pkcs12 file in /etc/pki/nssdb ?

2013/2/8 Rob Crittenden <rcrit...@redhat.com>
> James James wrote:
> > Now on the replica server I've got this error:
> >
> > Run connection check to master
> > Connection check OK
> > Configuring ntpd
> >   [1/4]: stopping ntpd
> >   [2/4]: writing configuration
> >   [3/4]: configuring ntpd to start on boot
> >   [4/4]: starting ntpd
> > done configuring ntpd.
> > Configuring directory server: Estimated time 1 minute
> >   [1/30]: creating directory server user
> >   [2/30]: creating directory server instance
> >   [3/30]: adding default schema
> >   [4/30]: enabling memberof plugin
> >   [5/30]: enabling referential integrity plugin
> >   [6/30]: enabling winsync plugin
> >   [7/30]: configuring replication version plugin
> >   [8/30]: enabling IPA enrollment plugin
> >   [9/30]: enabling ldapi
> >   [10/30]: configuring uniqueness plugin
> >   [11/30]: configuring uuid plugin
> >   [12/30]: configuring modrdn plugin
> >   [13/30]: enabling entryUSN plugin
> >   [14/30]: configuring lockout plugin
> >   [15/30]: creating indices
> >   [16/30]: configuring ssl for ds instance
> > creation of replica failed: Could not find a CA cert in /tmp/tmp21VpT8ipa/realm_info/dscert.p12
> > Your system may be partly configured.
> > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >
> > Where do I have to put the CA certificate?
>
> It needs to be in the PKCS#12 file.
>
> rob
Re: [Freeipa-users] ipa-replica-prepare failed
James James wrote:
> OK .. but I have to put the pkcs12 file in /etc/pki/nssdb ?

No. The PKCS#12 file that contains your server private key and cert needs to also contain the CA that signed it.

rob

> 2013/2/8 Rob Crittenden <rcrit...@redhat.com>
> > James James wrote:
> > > Now on the replica server I've got this error:
> > >
> > > Run connection check to master
> > > Connection check OK
> > > Configuring ntpd
> > >   [1/4]: stopping ntpd
> > >   [2/4]: writing configuration
> > >   [3/4]: configuring ntpd to start on boot
> > >   [4/4]: starting ntpd
> > > done configuring ntpd.
> > > Configuring directory server: Estimated time 1 minute
> > >   [1/30]: creating directory server user
> > >   [2/30]: creating directory server instance
> > >   [3/30]: adding default schema
> > >   [4/30]: enabling memberof plugin
> > >   [5/30]: enabling referential integrity plugin
> > >   [6/30]: enabling winsync plugin
> > >   [7/30]: configuring replication version plugin
> > >   [8/30]: enabling IPA enrollment plugin
> > >   [9/30]: enabling ldapi
> > >   [10/30]: configuring uniqueness plugin
> > >   [11/30]: configuring uuid plugin
> > >   [12/30]: configuring modrdn plugin
> > >   [13/30]: enabling entryUSN plugin
> > >   [14/30]: configuring lockout plugin
> > >   [15/30]: creating indices
> > >   [16/30]: configuring ssl for ds instance
> > > creation of replica failed: Could not find a CA cert in /tmp/tmp21VpT8ipa/realm_info/dscert.p12
> > > Your system may be partly configured.
> > > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> > >
> > > Where do I have to put the CA certificate?
> >
> > It needs to be in the PKCS#12 file.
> >
> > rob
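Rob's answer here, and his later pointer at find_root_cert_from_pkcs12(), both come down to the same requirement: the .p12 handed to --dirsrv_pkcs12/--http_pkcs12 must carry the server key, the server certificate and the CA that issued it, or the replica installer stops at "Could not find a CA cert in ... dscert.p12". The script below is an added example, not code from the thread or from FreeIPA: it builds a bundle both ways with the openssl CLI and checks, before any installer is involved, whether the issuing CA is actually inside. The CA, the hostname and the pin are constructed for the demonstration; openssl is the only assumed tool.

```shell
#!/bin/sh
# Added example, not the thread's own code: build the PKCS#12 bundle that
# ipa-server-certinstall / ipa-replica-prepare (--dirsrv_pkcs12, --http_pkcs12)
# expect (server key + server cert + issuing CA) and check the bundle for the
# CA before the installer complains "Could not find a CA cert in ... dscert.p12".
# Assumes the openssl CLI; CA, hostname and pin are constructed for the demo.
set -e

# make_test_pki DIR: throwaway CA plus a server cert it signs (constructed).
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Example Test CA' \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj '/CN=replica.example.test' \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/server.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/server.pem" >/dev/null 2>&1
}

# bundle_with_ca KEY CERT CA OUT PIN
# -certfile is what puts the issuing CA into the bundle; without it the .p12
# holds only the key and the leaf, which is exactly the failing case.
bundle_with_ca() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -out "$4" -passout "pass:$5"
}
bundle_without_ca() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"
}

# bundle_has_issuer P12 PIN: succeed when the certificate that issued the
# leaf (the cert paired with the key) is among the bundle's CA certificates.
bundle_has_issuer() {
    p12=$1; pin=$2
    tmp=$(mktemp -d)
    # issuer-name hash of the leaf certificate
    want=$(openssl pkcs12 -in "$p12" -nokeys -clcerts -passin "pass:$pin" 2>/dev/null \
           | openssl x509 -noout -issuer_hash)
    # split the CA certificates (if any) into one PEM file each
    openssl pkcs12 -in "$p12" -nokeys -cacerts -passin "pass:$pin" 2>/dev/null \
        | awk -v dir="$tmp" '/BEGIN CERT/{n++; f=dir "/ca" n ".pem"} f!=""{print > f} /END CERT/{f=""}'
    found=1
    for c in "$tmp"/ca*.pem; do
        [ -f "$c" ] || continue
        if [ "$(openssl x509 -noout -subject_hash -in "$c")" = "$want" ]; then
            found=0
        fi
    done
    rm -rf "$tmp"
    return $found
}

# run_demo: build both bundles and show the check telling them apart.
# Returns 0 only when the complete bundle passes and the incomplete one fails.
run_demo() {
    pki=$(mktemp -d)
    make_test_pki "$pki"
    pin='constructed-pin'   # the value you would pass as --dirsrv_pin / --http_pin
    bundle_with_ca "$pki/server.key" "$pki/server.pem" "$pki/ca.pem" "$pki/good.p12" "$pin"
    bundle_without_ca "$pki/server.key" "$pki/server.pem" "$pki/bad.p12" "$pin"
    status=0
    if bundle_has_issuer "$pki/good.p12" "$pin"; then
        echo "good.p12: issuing CA present, usable with --dirsrv_pkcs12/--http_pkcs12"
    else
        echo "good.p12: issuing CA missing" >&2; status=1
    fi
    if bundle_has_issuer "$pki/bad.p12" "$pin"; then
        echo "bad.p12: issuing CA present" >&2; status=1
    else
        echo "bad.p12: no CA cert in bundle; IPA would stop with 'Could not find a CA cert'"
    fi
    rm -rf "$pki"
    return $status
}

run_demo
```

For a certificate chained through an intermediate, pass the whole chain (intermediate plus root, PEM concatenated) as the -certfile argument, since the installer looks for the root; and note that this is the same artifact the thread's hardcoded `ca_names = ['CA nickname']` workaround papers over, so a bundle that passes this check should not need that edit.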
Re: [Freeipa-users] ipa-replica-prepare failed
My ipa version is ipa-server-2.2.0-17.el6_3.1.x86_64 and the distro is Scientific Linux 6.3. I have used ipa-server-certinstall to replace the default IPA certs.

2013/2/8 Rob Crittenden <rcrit...@redhat.com>
> James James wrote:
> > Hi,
> > today I wanted to install an ipa replica. When I used the ipa-replica-prepare command, I've got this error:
> >
> > [root@ipa ~]# ipa-replica-prepare ipa2-example.com
> > Directory Manager (existing master) password:
> > Preparing replica for ipa-EXAMPLE.COM from ipa.EXAMPLE.COM
> > Creating SSL certificate for the Directory Server
> > certutil: could not find certificate named CN=EXAMPLE.COM Certificate Authority: security library: bad database.
> > certutil: unable to create cert (security library: bad database.)
> > preparation of replica failed: Command '/usr/bin/certutil -d /tmp/tmpoUpN72ipa/realm_info -A -n Server-Cert -t u,u,u -i /var/lib/ipa/ipa-6qKbha/tmpcert.der -f /tmp/tmpoUpN72ipa/realm_info/pwdfile.txt' returned non-zero exit status 255
> > Command '/usr/bin/certutil -d /tmp/tmpoUpN72ipa/realm_info -A -n Server-Cert -t u,u,u -i /var/lib/ipa/ipa-6qKbha/tmpcert.der -f /tmp/tmpoUpN72ipa/realm_info/pwdfile.txt' returned non-zero exit status 255
> >   File /usr/sbin/ipa-replica-prepare, line 459, in <module>
> >     main()
> >   File /usr/sbin/ipa-replica-prepare, line 345, in main
> >     export_certdb(api.env.realm, ds_dir, dir, passwd_fname, dscert, replica_fqdn, subject_base)
> >   File /usr/sbin/ipa-replica-prepare, line 143, in export_certdb
> >     raise e
> >
> > I have a certificate generated by a custom certificate authority in the ipa server.
>
> Need more information on your installation. What version of IPA, what distro? Did you use ipa-server-certinstall to replace the default IPA certs?
>
> rob