Thank you Rob. My replica is working now. :)
2013/2/10 Rob Crittenden <rcrit...@redhat.com>

> James James wrote:
>
>> Maybe I am stupid or tired (or both ..) but I have tried many things to
>> include the ca cert, the ipa key and pem file in a single pkcs12 file
>> but I am still stuck.
>>
>> Can you give me a more detailed help?
>
> Well, this is one of the reasons we're deprecating this feature, because
> it hasn't been well-tested since v1 and is ridden with corner cases.
>
> I think the only solution is going to be to make direct code changes to the
> IPA python scripts to match what your PKCS#12 files contain. If it is
> signed by a root CA then chances are if you simply skip the step where the
> CA is loaded and trusted then things may just work.
>
> It is failing in ipaserver/install/certs.p12 in the call to
> find_root_cert_from_pkcs12(). Either it is simply an issue of our
> identifying the CA or one isn't being loaded at all.
>
> You can do: certutil -L -d /etc/dirsrv/slapd-YOUR_REALM to list the
> certificates that were loaded. It may be that the CA was loaded but we
> aren't detecting the nickname, in which case you could simply hardcode it
> into the python file for a workaround, something like:
>
> ca_names = ['CA nickname']
>
> rob
>
>> 2013/2/8 Rob Crittenden <rcrit...@redhat.com>
>>
>>> James James wrote:
>>>
>>>> OK .. but I have to put the pkc12 file in /etc/pki/nssdb?
>>>
>>> No. The PKCS#12 file that contains your server private key and cert
>>> needs to also contain the CA that signed it.
>>>
>>> rob
>>>
>>>> 2013/2/8 Rob Crittenden <rcrit...@redhat.com>
>>>>
>>>>> James James wrote:
>>>>>
>>>>>> Now on the replica server I've got this error:
>>>>>>
>>>>>> Run connection check to master
>>>>>> Connection check OK
>>>>>> Configuring ntpd
>>>>>>   [1/4]: stopping ntpd
>>>>>>   [2/4]: writing configuration
>>>>>>   [3/4]: configuring ntpd to start on boot
>>>>>>   [4/4]: starting ntpd
>>>>>> done configuring ntpd.
>>>>>> Configuring directory server: Estimated time 1 minute
>>>>>>   [1/30]: creating directory server user
>>>>>>   [2/30]: creating directory server instance
>>>>>>   [3/30]: adding default schema
>>>>>>   [4/30]: enabling memberof plugin
>>>>>>   [5/30]: enabling referential integrity plugin
>>>>>>   [6/30]: enabling winsync plugin
>>>>>>   [7/30]: configuring replication version plugin
>>>>>>   [8/30]: enabling IPA enrollment plugin
>>>>>>   [9/30]: enabling ldapi
>>>>>>   [10/30]: configuring uniqueness plugin
>>>>>>   [11/30]: configuring uuid plugin
>>>>>>   [12/30]: configuring modrdn plugin
>>>>>>   [13/30]: enabling entryUSN plugin
>>>>>>   [14/30]: configuring lockout plugin
>>>>>>   [15/30]: creating indices
>>>>>>   [16/30]: configuring ssl for ds instance
>>>>>> creation of replica failed: Could not find a CA cert in
>>>>>> /tmp/tmp21VpT8ipa/realm_info/_**___dscert.p12
>>>>>>
>>>>>> Your system may be partly configured.
>>>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>>>
>>>>>> Where do I have to put the CA certificate?
>>>>>
>>>>> It needs to be in the PKCS#12 file.
>>>>>
>>>>> rob
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
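Rob's point in the quoted thread is that the replica's PKCS#12 must carry the server key and cert together with the CA that signed it, which is what find_root_cert_from_pkcs12() goes looking for. The script below is an added example, not FreeIPA code: using the Python cryptography library it loads a PKCS#12 bundle and reports whether it contains the CA that actually issued the server cert, exercised on constructed sample certificates (the realm name EXAMPLE.TEST, the hostname replica.example.test and the password Secret123 are made up).

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


def find_signing_ca(p12_bytes, password):
    """Return the bundled CA cert that actually issued the server cert, else None."""
    key, cert, extra = pkcs12.load_key_and_certificates(p12_bytes, password)
    if key is None or cert is None:
        raise ValueError("PKCS#12 lacks the server private key or certificate")
    for ca in extra or []:
        if ca.subject != cert.issuer:
            continue  # not even claiming to be the issuer
        try:
            # Name match alone is not enough: a look-alike CA with the same
            # subject but a different key must be rejected, so verify the signature.
            ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
            return ca
        except InvalidSignature:
            continue
    return None


def _cert(subject_cn, issuer_cn, signer_key, pubkey, is_ca):
    """Build a minimal RSA-signed X.509 certificate (constructed test data)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder()
            .subject_name(name(subject_cn)).issuer_name(name(issuer_cn))
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer_key, hashes.SHA256()))


def build_bundles(password=b"Secret123"):
    """Constructed sample PKCS#12 files: complete, missing the CA, and a look-alike CA."""
    ca_key, srv_key, fake_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    ca = _cert("EXAMPLE.TEST IPA CA", "EXAMPLE.TEST IPA CA", ca_key, ca_key.public_key(), True)
    fake = _cert("EXAMPLE.TEST IPA CA", "EXAMPLE.TEST IPA CA", fake_key, fake_key.public_key(), True)
    srv = _cert("replica.example.test", "EXAMPLE.TEST IPA CA", ca_key, srv_key.public_key(), False)
    enc = serialization.BestAvailableEncryption(password)
    pack = lambda cas: pkcs12.serialize_key_and_certificates(b"Server-Cert", srv_key, srv, cas, enc)
    return {"complete": pack([ca]), "no_ca": pack(None), "lookalike": pack([fake])}, password
```

Against a real dscert.p12, read the file's bytes and call find_signing_ca() with its export password; only the "complete" style bundle returns the issuing CA, while the "no_ca" and "lookalike" cases return None, which is the situation behind the "Could not find a CA cert" error above.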