[Freeipa-users] ipa-replica-prepare failing

2015-04-07 Thread David Dejaeghere
Hello,

I am trying to set up a replica for my master, which has been set up with an
external CA to use our GoDaddy wildcard certificate.
ipa-replica-prepare is failing with the following debug information.
I am using --http-cert and --dirsrv-cert with my pk12 server certificate.
What can I verify to get an idea of what is going wrong?

ipa: DEBUG: stderr=
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in execute
    self.ask_for_options()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 276, in ask_for_options
    options.http_cert_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 176, in load_pkcs12
    host_name=self.replica_fqdn)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 785, in load_pkcs12
    nss_cert = x509.load_certificate(cert, x509.DER)
  File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 128, in load_certificate
    return nss.Certificate(buffer(data))

ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: (SEC_ERROR_LIBRARY_FAILURE) security library failure.

Regards,

D
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] ipa-replica-prepare failing

2016-10-26 Thread Joshua Ruybal
While trying to run IPA replica prepare with debug, we see an unexplained
failure.

Debug seems to show the process running smoothly, then I see: "Certificate
issuance failed".

Looking at previous mail-archives, I see that someone has run into this
before; however, all permissions on caIPAserviceCert.cfg are correct (the
solution for him).

Is there any method to get more details on the failure from
ipa-replica-prepare?

Thanks

-- 
Joshua Ruybal | Systems Engineer
o: (866) 870-2295 x823  c: (206) 724-4549
e: jruy...@owneriq.com

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] ipa-replica-prepare failing

2015-04-10 Thread Rob Crittenden
David Dejaeghere wrote:
> Hi,
> 
> I even tried the command using an export from the http service nss db,
> same issue.
> 
> regarding SElinux:
> ausearch -m AVC -ts recent
> 
> 
> Sending you the log personally.

Ok, so the way the certs are imported is: all the certs in the PKCS#12
file are loaded in, then marked as untrusted.

certutil -O is executed against the server cert, which prints out what
the trust chain should be, and those certs are marked as trusted CAs.

That part is working fine.

Finally it makes another pass through the database to verify the chain.

Looking at the output there are two certs with the subject CN=Go Daddy
Root Certificate Authority - G2,O="GoDaddy.com,
Inc.",L=Scottsdale,ST=Arizona,C=US and different serial numbers. I
wonder if this is confusing the cert loader. These certs are included in
the PKCS#12 file (serial #0 and #1828629 AFAICT). I don't know which one
is the "right" one, or if there even is one.

rob


> 
> Regards,
> 
> D
> 
> 2015-04-10 17:03 GMT+02:00 Rob Crittenden :
> 
> David Dejaeghere wrote:
> > Hi Rob,
> >
> > Without the --http-pin the command will give a prompt to enter the
> > password.
> > Tried both.
> >
> > I am sending the output of the pk12util -l to you in another email.
> > It holds the wildcard certificate and the godaddy bundle for as far as I
> > can tell.
> 
> I have to admit, I'm a bit stumped. (SEC_ERROR_LIBRARY_FAILURE) is a
> rather generic NSS error which can mean any number of things. It often
> means that the NSS database it is using is bad in some way but given
> that this is a temporary database created just for this purpose I doubt
> that's it. You may want to look for SELinux AVCs though: ausearch -m AVC
> -ts recent.
> 
> At the point where it is blowing up, the PKCS#12 file has already been
> imported and IPA is walking through the results trying to ensure that
> the full cert trust chain is available. It does this by reading the
> certs out of the database, and at that point it's blowing up.
> 
> The PKCS#12 output you sent me looks ok. I don't believe this is an
> issue with trust or missing parts of the chain.
> 
> I created a simple PKCS#12 file and was able to prepare a replica using
> it, so AFAICT the code isn't completely broken.
> 
> Can you provide the full output from ipa-replica-prepare?
> 
> rob
> >
> > Regards,
> >
> > D
> >

Re: [Freeipa-users] ipa-replica-prepare failing

2015-04-10 Thread David Dejaeghere
Hi,

I get the same error when I use a pk12 with only the server certificate
(and key) in it.
Not sure what else I can try.

Regards,

D

2015-04-11 0:23 GMT+02:00 Rob Crittenden :


Re: [Freeipa-users] ipa-replica-prepare failing

2015-04-09 Thread David Dejaeghere
Hi,

Does somebody have any pointers for me regarding this issue?

Regards,

D

2015-04-07 13:34 GMT+02:00 David Dejaeghere :


Re: [Freeipa-users] ipa-replica-prepare failing

2015-04-09 Thread Rob Crittenden
David Dejaeghere wrote:
> Hi,
> 
> Does somebody have any pointers for me regarding this issue?

It would help very much if you'd include the version you're working
with. Based on line numbers I'll assume IPA 4.1.

It's hard to say since you don't include the command-line you're using,
or what those files consist of.

It looks like it is blowing up trying to verify that the whole
certificate chain is available. NSS unfortunately doesn't always provide
the best error messages so it's hard to say why this particular cert
can't be loaded.

rob


Re: [Freeipa-users] ipa-replica-prepare failing

2015-04-09 Thread David Dejaeghere
Hi,

Sorry for the lack of details!
You are indeed correct about the version, it's 4.1.
The command I am using is this:
ipa-replica-prepare ipa-r1.myobscureddomain.com --http-cert-file
/home/fedora/newcert.pk12 --dirsrv-cert-file /home/fedora/newcert.pk12
--ip-address 172.31.16.31 -v

Regards,

D

2015-04-09 16:16 GMT+02:00 Rob Crittenden :


Re: [Freeipa-users] ipa-replica-prepare failing

2015-04-09 Thread Rob Crittenden
David Dejaeghere wrote:
> Hi,
> 
> Sorry for the lack of details!
> You are indeed correct about the version, it's 4.1.
> The command I am using is this:
> ipa-replica-prepare ipa-r1.myobscureddomain.com --http-cert-file
> /home/fedora/newcert.pk12 --dirsrv-cert-file /home/fedora/newcert.pk12
> --ip-address 172.31.16.31 -v

I was pretty sure a pin was required with those options as well.

What do the PKCS#12 files look like: pk12util -l /home/fedora/newcert.pk12

rob


Re: [Freeipa-users] ipa-replica-prepare failing

2015-04-13 Thread Rob Crittenden
David Dejaeghere wrote:
> Hi,
> 
> I get the same error when I use a pk12 with only the server certificate
> (and key) in it.
> Not sure what else I can try.

I'd need to see the full output again.

rob


Re: [Freeipa-users] ipa-replica-prepare failing

2015-04-13 Thread David Dejaeghere
Hi Rob,

So you want the output of the command using a pk12 with the server cert and
key, or with the CA chain in there too?

Regards,

David

2015-04-13 16:28 GMT+02:00 Rob Crittenden :


Re: [Freeipa-users] ipa-replica-prepare failing

2015-04-14 Thread Rob Crittenden
David Dejaeghere wrote:
> Hi Rob,
> 
> So you want the output of the command using a pk12 with the server cert and
> key, or with the CA chain in there too?
> 

Oddly enough it is failing in exactly the same place. Those GoDaddy CA
certs are still being loaded from somewhere, I'm not sure where, and I
suspect that is the source of the problem.

I'm going to forward the log to a colleague who has worked on this code
more recently than I have. Maybe he will have an idea.

rob


Re: [Freeipa-users] ipa-replica-prepare failing

2015-04-14 Thread Jan Cholasta

Hi,

On 14.4.2015 at 19:47, Rob Crittenden wrote:
> David Dejaeghere wrote:
> > Hi Rob,
> >
> > So you want the output of the command using a pk12 with the server cert and
> > key, or with the CA chain in there too?
> 
> Oddly enough it is failing in exactly the same place. Those GoDaddy CA
> certs are still being loaded from somewhere, I'm not sure where, and I
> suspect that is the source of the problem.

They are in the default CA certificate bundle (in the ca-certificate
package). I guess NSS loads it automatically.

> I'm going to forward the log to a colleague who has worked on this code
> more recently than I have. Maybe he will have an idea.

Could you try if the following works?

# mv /usr/share/pki/ca-trust-source/ca-bundle.trust.crt /root/ca-bundle.trust.crt

# update-ca-trust

# ipa-replica-prepare ...

# mv /root/ca-bundle.trust.crt /usr/share/pki/ca-trust-source/ca-bundle.trust.crt

# update-ca-trust

> rob

Honza

--
Jan Cholasta
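
The sequence Honza proposes (set the bundle aside, update-ca-trust, run ipa-replica-prepare, put the bundle back, update-ca-trust) leaves the host without its system trust anchors between the two moves, so the restore must not be skipped when the prepare step fails. The wrapper below is an added example, not FreeIPA code and not Honza's: it issues the same five commands with the restore in a finally block and lets the command runner be injected, so the sequence can be rehearsed, including a failing ipa-replica-prepare, on a machine without root, NSS tools or update-ca-trust. The bundle and backup paths are the ones from the thread; the dry_run helper and the replica name replica.example.test are assumptions of the example.

```python
"""Run ipa-replica-prepare with the system CA bundle set aside, then restore it.

Added example for this thread, not FreeIPA code. Runs the five steps from
Honza's message (move the bundle away, update-ca-trust, ipa-replica-prepare,
move it back, update-ca-trust) with the restore in a finally block, so a
failing prepare step never leaves the host without its trust anchors. The
command runner is injectable; dry_run() rehearses the sequence without root,
NSS tools or update-ca-trust. Paths are the ones from the thread.
"""
import subprocess

BUNDLE = "/usr/share/pki/ca-trust-source/ca-bundle.trust.crt"
BACKUP = "/root/ca-bundle.trust.crt"


def run_real(argv):
    """Default executor: run the command, raise CalledProcessError on failure."""
    subprocess.run(argv, check=True)


def dry_run(fail_on=None):
    """Executor for rehearsals: runs nothing; fails the command named in fail_on."""
    def execute(argv):
        if fail_on is not None and argv[0] == fail_on:
            raise subprocess.CalledProcessError(1, argv)
    return execute


def prepare_without_bundle(prepare_argv, execute=run_real):
    """Return (ok, executed).

    ok is False when prepare_argv failed; executed lists every command that
    was issued, in order, and always ends with the restore and update-ca-trust.
    """
    executed = []

    def step(argv):
        executed.append(list(argv))
        execute(argv)

    ok = True
    step(["mv", BUNDLE, BACKUP])
    try:
        step(["update-ca-trust"])
        try:
            step(prepare_argv)
        except subprocess.CalledProcessError:
            ok = False                  # prepare failed; restore still runs below
    finally:
        # Runs on success, on prepare failure, and if update-ca-trust itself
        # raised, so the bundle is always put back and re-registered.
        step(["mv", BACKUP, BUNDLE])
        step(["update-ca-trust"])
    return ok, executed


if __name__ == "__main__":
    import sys
    # usage (as root): python3 prepare_without_bundle.py replica.example.test [options]
    ok, done = prepare_without_bundle(["ipa-replica-prepare"] + sys.argv[1:])
    for argv in done:
        print("ran:", " ".join(argv))
    sys.exit(0 if ok else 1)
```

The failure of ipa-replica-prepare is reported through the exit status rather than an exception so that the caller sees the same restore sequence in both outcomes; a failure of the first update-ca-trust is deliberately not swallowed, but the finally block still moves the bundle back before the exception propagates.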


Re: [Freeipa-users] ipa-replica-prepare failing

2015-04-15 Thread David Dejaeghere
Hi Honza,

That gave me the exact same output. Any ideas?

Regards,

D

2015-04-15 7:33 GMT+02:00 Jan Cholasta :


Re: [Freeipa-users] ipa-replica-prepare failing

2015-04-17 Thread David Dejaeghere
Hi,

Any more things I can try out? How do we proceed?

Kind Regards,

D


Re: [Freeipa-users] ipa-replica-prepare failing

2015-04-17 Thread Jan Cholasta

Hi,

I don't have any new information. I'm trying to reproduce the problem 
but had no luck so far.


Honza



Re: [Freeipa-users] ipa-replica-prepare failing

2015-04-20 Thread David Dejaeghere
Hi,

Let me know how I can assist.
In the meantime could I setup a replica using a different certificate? Self
signed or anything like that?

Regards,

D


Re: [Freeipa-users] ipa-replica-prepare failing

2015-04-22 Thread Jan Cholasta

Hi,

yes, you can definitely use a different certificate in the meantime, 
although it can't be self-signed.


Honza



Re: [Freeipa-users] ipa-replica-prepare failing

2015-08-06 Thread David Dejaeghere
Hello Guys,

I was able to resolve this today.
My webserver and dirsrv certificates expired yesterday and trying to
replace them gave me the same error "ERROR: (SEC_ERROR_LIBRARY_FAILURE)
security library failure."
So I tried some things to resolve this.
The trick was to replace /etc/ipa/ca.crt with the godaddy file "gdig2"
which only has 1 certificate. This file you can get while downloading your
certificate from godaddy. Then I had to add the bundle from godaddy, file
gd_bundle-g2-g1, into my server cert.
This made both the command ipa-server-certinstall and ipa-replica-prepare
finish as expected!

Hope this helps. I saw somebody else with a very similar issue.

Kind Regards,

D

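A check for the condition the thread ends on (a wrong /etc/ipa/ca.crt), added here as an example that is not part of the thread or of FreeIPA: does the CA file hold exactly one certificate, and is that certificate the issuer of the server certificate? It compares the DER-encoded issuer and subject Names directly, so it needs no third-party library; the function names are my own, and the certificate skeletons it parses are constructed sample input rather than real GoDaddy or IPA certificates.

```python
import base64
import re
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(bundle):
    """DER bytes of every certificate block in a PEM bundle such as /etc/ipa/ca.crt."""
    return [base64.b64decode(b"".join(m.group(1).split())) for m in PEM_RE.finditer(bundle)]

def der_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def cert_names(der):
    """(issuer, subject) of a certificate as raw DER Name contents, for exact comparison."""
    # TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serial, sigalg, issuer, validity, subject, ... }
    _, cert, _ = der_tlv(der, 0)
    _, tbs, _ = der_tlv(cert, 0)
    tag, _, pos = der_tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0  # skip the explicit [0] version when it is present
    fields = []
    for _ in range(5):  # serial, sigalg, issuer, validity, subject
        _, value, pos = der_tlv(tbs, pos)
        fields.append(value)
    return fields[2], fields[4]

def check_ca_file(ca_bundle, server_der):
    """Problems with a CA file that should hold the server certificate's issuer ([] means ok)."""
    problems, cas = [], pem_to_der(ca_bundle)
    if len(cas) != 1:
        problems.append("expected exactly 1 certificate in the CA file, found %d" % len(cas))
    issuer = cert_names(server_der)[0]
    if not any(cert_names(ca)[1] == issuer for ca in cas):
        problems.append("no certificate in the CA file has the server certificate's issuer as its subject")
    return problems

# Constructed sample input: unsigned certificate skeletons, not real GoDaddy or IPA certificates.
_der = lambda tag, value: bytes([tag, len(value)]) + value  # short-form length is enough here
# Name ::= SEQUENCE OF SET OF AttributeTypeAndValue { commonName (OID 2.5.4.3), PrintableString }
_name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, cn.encode()))))
_pem = lambda der: b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"

def skeleton_cert(issuer, subject):
    """Just enough TBSCertificate structure for cert_names(); no public key, no signature."""
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")               # [0] version v3, serial 1
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))    # sha256WithRSAEncryption
           + _name(issuer) + _der(0x30, _der(0x17, b"150101000000Z") + _der(0x17, b"160101000000Z"))
           + _name(subject) + _der(0x30, b""))                                # empty subjectPublicKeyInfo
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))

SERVER_DER = skeleton_cert("Issuing CA", "ipa.example.test")            # server cert issued by "Issuing CA"
WRONG_CA_FILE = _pem(skeleton_cert("Root CA", "Root CA")) + _pem(skeleton_cert("Root CA", "Other CA"))
GOOD_CA_FILE = _pem(skeleton_cert("Root CA", "Issuing CA"))             # the single issuing-CA certificate
```

On a real server, pass the bytes of /etc/ipa/ca.crt and the server certificate in DER form (for example extracted from the PKCS#12 with openssl pkcs12 -nokeys and converted with openssl x509 -outform DER).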

Re: [Freeipa-users] ipa-replica-prepare failing

2015-08-17 Thread Orion Poplawski

Yeah, the source of this issue appears to be a wrong /etc/ipa/ca.crt created
during ipa-server-install.  I was able to work around it with:

ipa-certupdate

Which wrote out a correct /etc/ipa/ca.crt.

See https://fedorahosted.org/freeipa/ticket/5117#comment:16


-- 
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301   http://www.nwra.com



Re: [Freeipa-users] ipa-replica-prepare failing

2016-10-26 Thread Fraser Tweedale
Need some more information to be able to render assistance :)

Do you have any logs pertaining to the failure?  Is certificate
issuance working e.g. via `ipa cert-request'?  Are all certificates
in your infrastructure currently valid?

Cheers,
Fraser



Re: [Freeipa-users] ipa-replica-prepare failing

2016-10-27 Thread Rob Crittenden


I'd check the dogtag logs. This error is thrown when no certificate is 
issued by the CA.


There is no way other than instrumenting the code to get more details 
about the error from ipa-replica-prepare.


rob



Re: [Freeipa-users] ipa-replica-prepare failing

2016-10-27 Thread Joshua Ruybal
Took a look at the dogtag logs; the debug log only shows the following
every time I run ipa-replica-prepare.

[27/Oct/2016:12:55:02][http-9444-1]: CMSServlet: curDate=Thu Oct 27
12:55:02 EDT 2016 id=caProfileSubmitSSLClient time=10

The other logs don't appear to have anything.

I tried to run ipa cert-request on one of the servers and get:
(SSL_ERROR_BAD_CERT_ALERT) SSL peer cannot verify your certificate.

I've checked that the cert is in /etc/httpd/alias, /etc/pki/nssdb,
/etc/dirsrv/slapd-EXAMPLE-COM, and /etc/dirsrv/slapd-PKI-IPA.

Is there anywhere else I would need to add the CA cert?




-- 
Joshua Ruybal | Systems Engineer
o: (866) 870-2295 x823  c: (206) 724-4549
e: jruy...@owneriq.com
