[Freeipa-users] ipa-replica-prepare clarification
James Roman
james.roman at ssaihq.com
Mon Sep 14 18:05:13 UTC 2009
I installed the 1.2.2-1 version from the test repo. I get really close
to the end, but it is still bombing when trying to set the trust
permissions on the web server cert. For some reason the final cert in
the chain did not get installed into the /etc/httpd/alias directory. All
worked fine for the directory server.
root : DEBUG [6/9]: Setting up ssl
[6/9]: Setting up ssl
root : DEBUG Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
root : DEBUG Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
root : INFO
root : INFO
root : INFO pk12util: PKCS12 IMPORT SUCCESSFUL
root : INFO
root : INFO Key(shrouded):
Friendly Name: Server-Cert
Encryption algorithm: PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC
Parameters:
Salt:
60:9a:79:e9:17:26:64:78:84:fc:4a:99:8f:19:ad:da
Iteration Count: 1 (0x1)
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 769 (0x301)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "OU=Go Daddy Class 2 Certification Authority,O="The Go
Daddy
Group, Inc.",C=US"
Validity:
Not Before: Thu Nov 16 01:54:37 2006
Not After : Mon Nov 16 01:54:37 2026
Subject: "serialNumber=07969287,CN=Go Daddy Secure Certification
Auth
ority,OU=http://certificates.godaddy.com/repository,O="GoDaddy.co
m, Inc.",L=Scottsdale,ST=Arizona,C=US"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
c4:2d:d5:15:8c:9c:26:4c:ec:32:35:eb:5f:b8:59:01:
5a:a6:61:81:59:3b:70:63:ab:e3:dc:3d:c7:2a:b8:c9:
33:d3:79:e4:3a:ed:3c:30:23:84:8e:b3:30:14:b6:b2:
87:c3:3d:95:54:04:9e:df:99:dd:0b:25:1e:21:de:65:
29:7e:35:a8:a9:54:eb:f6:f7:32:39:d4:26:55:95:ad:
ef:fb:fe:58:86:d7:9e:f4:00:8d:8c:2a:0c:bd:42:04:
ce:a7:3f:04:f6:ee:80:f2:aa:ef:52:a1:69:66:da:be:
1a:ad:5d:da:2c:66:ea:1a:6b:bb:e5:1a:51:4a:00:2f:
48:c7:98:75:d8:b9:29:c8:ee:f8:66:6d:0a:9c:b3:f3:
fc:78:7c:a2:f8:a3:f2:b5:c3:f3:b9:7a:91:c1:a7:e6:
25:2e:9c:a8:ed:12:65:6e:6a:f6:12:44:53:70:30:95:
c3:9c:2b:58:2b:3d:08:74:4a:f2:be:51:b0:bf:87:d0:
4c:27:58:6b:b5:35:c5:9d:af:17:31:f8:0b:8f:ee:ad:
81:36:05:89:08:98:cf:3a:af:25:87:c0:49:ea:a7:fd:
67:f7:45:8e:97:cc:14:39:e2:36:85:b5:7e:1a:37:fd:
16:f6:71:11:9a:74:30:16:fe:13:94:a3:3f:84:0d:4f
Exponent: 65537 (0x10001)
Signed Extensions:
Name: Certificate Subject Key ID
Data:
fd:ac:61:32:93:6c:45:d6:e2:ee:85:5f:9a:ba:e7:76:
99:68:cc:e7
Name: Certificate Authority Key Identifier
Key ID:
d2:c4:b0:d2:91:d4:4c:11:71:b3:61:cb:3d:a1:fe:dd:
a8:6a:d4:e3
Name: Certificate Basic Constraints
Critical: True
Data: Is a CA with a maximum path length of 0.
Name: Authority Information Access
Method: PKIX Online Certificate Status Protocol
Location:
URI: "http://ocsp.godaddy.com"
Name: CRL Distribution Points
URI: "http://certificates.godaddy.com/repository/gdroot.crl"
Name: Certificate Policies
Data:
Policy Name: Certificate Policies AnyPolicy
Policy Qualifier Name: PKIX CPS Pointer Qualifier
Policy Qualifier Data:
"http://certificates.godaddy.com/r
epository"
Name: Certificate Key Usage
Critical: True
Usages: Certificate Signing
CRL Signing
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
d2:86:c0:ec:bd:f9:a1:b6:67:ee:66:0b:a2:06:3a:04:
50:8e:15:72:ac:4a:74:95:53:cb:37:cb:44:49:ef:07:
90:6b:33:d9:96:f0:94:56:a5:13:30:05:3c:85:32:21:
7b:c9:c7:0a:a8:24:a4:90:de:46:d3:25:23:14:03:67:
c2:10:d6:6f:0f:5d:7b:7a:cc:9f:c5:58:2a:c1:c4:9e:
21:a8:5a:f3:ac:a4:46:f3:9e:e4:63:cb:2f:90:a4:29:
29:01:d9:72:2c:29:df:37:01:27:bc:4f:ee:68:d3:21:
8f:c0:b3:e4:f5:09:ed:d2:10:aa:53:b4:be:f0:cc:59:
0b:d6:3b:96:1c:95:24:49:df:ce:ec:fd:a7:48:91:14:
45:0e:3a:36:6f:da:45:b3:45:a2:41:c9:d4:d7:44:4e:
3e:b9:74:76:d5:a2:13:55:2c:c6:87:a3:b5:99:ac:06:
84:87:7f:75:06:fc:bf:14:4c:0e:cc:6e:c4:df:3d:b7:
12:71:f4:e8:f1:51:40:22:28:49:e0:1d:4b:87:a8:34:
cc:06:a2:dd:12:5a:d1:86:36:64:03:35:6f:6f:77:6e:
eb:f2:85:50:98:5e:ab:03:53:ad:91:23:63:1f:16:9c:
cd:b9:b2:05:63:3a:e1:f4:68:1b:17:05:35:95:53:ee
Fingerprint (MD5):
D5:DF:85:B7:9A:52:87:D1:8C:D5:0F:90:23:2D:B5:34
Fingerprint (SHA1):
7C:46:56:C3:06:1F:7F:4C:0D:67:B3:19:A8:55:F6:0E:BC:11:FC:44
Friendly Name: Go Daddy Secure Certification Authority
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 269 (0x10d)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer:
"E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert
Class 2 Policy Validation Authority,O="ValiCert,
Inc.",L=ValiCert
Validation Network"
Validity:
Not Before: Tue Jun 29 17:06:20 2004
Not After : Sat Jun 29 17:06:20 2024
Subject: "OU=Go Daddy Class 2 Certification Authority,O="The Go
Daddy
Group, Inc.",C=US"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
de:9d:d7:ea:57:18:49:a1:5b:eb:d7:5f:48:86:ea:be:
dd:ff:e4:ef:67:1c:f4:65:68:b3:57:71:a0:5e:77:bb:
ed:9b:49:e9:70:80:3d:56:18:63:08:6f:da:f2:cc:d0:
3f:7f:02:54:22:54:10:d8:b2:81:d4:c0:75:3d:4b:7f:
c7:77:c3:3e:78:ab:1a:03:b5:20:6b:2f:6a:2b:b1:c5:
88:7e:c4:bb:1e:b0:c1:d8:45:27:6f:aa:37:58:f7:87:
26:d7:d8:2d:f6:a9:17:b7:1f:72:36:4e:a6:17:3f:65:
98:92:db:2a:6e:5d:a2:fe:88:e0:0b:de:7f:e5:8d:15:
e1:eb:cb:3a:d5:e2:12:a2:13:2d:d8:8e:af:5f:12:3d:
a0:08:05:08:b6:5c:a5:65:38:04:45:99:1e:a3:60:60:
74:c5:41:a5:72:62:1b:62:c5:1f:6f:5f:1a:42:be:02:
51:65:a8:ae:23:18:6a:fc:78:03:a9:4d:7f:80:c3:fa:
ab:5a:fc:a1:40:a4:ca:19:16:fe:b2:c8:ef:5e:73:0d:
ee:77:bd:9a:f6:79:98:bc:b1:07:67:a2:15:0d:dd:a0:
58:c6:44:7b:0a:3e:62:28:5f:ba:41:07:53:58:cf:11:
7e:38:74:c5:f8:ff:b5:69:90:8f:84:74:ea:97:1b:af
Exponent: 3 (0x3)
Signed Extensions:
Name: Certificate Subject Key ID
Data:
d2:c4:b0:d2:91:d4:4c:11:71:b3:61:cb:3d:a1:fe:dd:
a8:6a:d4:e3
Name: Certificate Authority Key Identifier
Issuer:
Directory Name:
"E=info at valicert.com,CN=http://www.valicert.c
om/,OU=ValiCert Class 2 Policy Validation
Authority,O="Va
liCert, Inc.",L=ValiCert Validation Network"
Serial Number: 1 (0x1)
Name: Certificate Basic Constraints
Critical: True
Data: Is a CA with no maximum path length.
Name: Authority Information Access
Method: PKIX Online Certificate Status Protocol
Location:
URI: "http://ocsp.godaddy.com"
Name: CRL Distribution Points
URI: "http://certificates.godaddy.com/repository/root.crl"
Name: Certificate Policies
Data:
Policy Name: Certificate Policies AnyPolicy
Policy Qualifier Name: PKIX CPS Pointer Qualifier
Policy Qualifier Data:
"http://certificates.godaddy.com/r
epository"
Name: Certificate Key Usage
Critical: True
Usages: Certificate Signing
CRL Signing
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
b5:40:f9:a7:1d:f6:ea:fe:a4:1a:42:5a:44:f7:15:d4:
85:46:89:c0:be:9e:e3:e3:eb:c5:e3:58:89:8f:92:9f:
57:a8:71:2c:48:d1:81:b2:79:1f:ac:06:35:19:b0:4e:
0e:58:1b:14:b3:98:81:d1:04:1e:c8:07:c9:83:9f:78:
44:0a:18:0b:98:dc:76:7a:65:0d:0d:6d:80:c4:0b:01:
1c:cb:ad:47:3e:71:be:77:4b:cc:06:77:d0:f4:56:6b:
1f:4b:13:9a:14:8a:88:23:a8:51:f0:83:4c:ab:35:bf:
46:7e:39:dc:75:a4:ae:e8:29:fb:ef:39:8f:4f:55:67
Fingerprint (MD5):
82:BD:9A:0B:82:6A:0E:3E:91:AD:3E:27:04:2B:3F:45
Fingerprint (SHA1):
DE:70:F4:E2:11:6F:7F:DC:E7:5F:9D:13:01:2B:7E:68:7A:3B:2C:62
Friendly Name: Go Daddy Class 2 Certification Authority
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 1 (0x1)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer:
"E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert
Class 2 Policy Validation Authority,O="ValiCert,
Inc.",L=ValiCert
Validation Network"
Validity:
Not Before: Sat Jun 26 00:19:54 1999
Not After : Wed Jun 26 00:19:54 2019
Subject:
"E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert
Class 2 Policy Validation Authority,O="ValiCert,
Inc.",L=ValiCer
t Validation Network"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
ce:3a:71:ca:e5:ab:c8:59:92:55:d7:ab:d8:74:0e:f9:
ee:d9:f6:55:47:59:65:47:0e:05:55:dc:eb:98:36:3c:
5c:53:5d:d3:30:cf:38:ec:bd:41:89:ed:25:42:09:24:
6b:0a:5e:b3:7c:dd:52:2d:4c:e6:d4:d6:7d:5a:59:a9:
65:d4:49:13:2d:24:4d:1c:50:6f:b5:c1:85:54:3b:fe:
71:e4:d3:5c:42:f9:80:e0:91:1a:0a:5b:39:36:67:f3:
3f:55:7c:1b:3f:b4:5f:64:73:34:e3:b4:12:bf:87:64:
f8:da:12:ff:37:27:c1:b3:43:bb:ef:7b:6e:2e:69:f7
Exponent: 65537 (0x10001)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
3b:7f:50:6f:6f:50:94:99:49:62:38:38:1f:4b:f8:a5:
c8:3e:a7:82:81:f6:2b:c7:e8:c5:ce:e8:3a:10:82:cb:
18:00:8e:4d:bd:a8:58:7f:a1:79:00:b5:bb:e9:8d:af:
41:d9:0f:34:ee:21:81:19:a0:32:49:28:f4:c4:8e:56:
d5:52:33:fd:50:d5:7e:99:6c:03:e4:c9:4c:fc:cb:6c:
ab:66:b3:4a:21:8c:e5:b5:0c:32:3e:10:b2:cc:6c:a1:
dc:9a:98:4c:02:5b:f3:ce:b9:9e:a5:72:0e:4a:b7:3f:
3c:e6:16:68:f8:be:ed:74:4c:bc:5b:d5:62:1f:43:dd
Fingerprint (MD5):
A9:23:75:9B:BA:49:36:6E:31:C2:DB:F2:E7:66:BA:87
Fingerprint (SHA1):
31:7A:2A:D0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B7:D8:F1:FC:A6
Friendly Name: valicert.com
Certificate(has private key):
Data:
Version: 3 (0x2)
Serial Number:
04:71:37:7b:34:f8:99
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "serialNumber=07969287,CN=Go Daddy Secure Certification
Autho
rity,OU=http://certificates.godaddy.com/repository,O="GoDaddy.com
, Inc.",L=Scottsdale,ST=Arizona,C=US"
...... Details about my server key removed .........
root : INFO
root : INFO
root : INFO
root : INFO
root : INFO
root : INFO
root : INFO certutil: could not find certificate named
"valicert.com": security library: bad database.
creation of replica failed: Command '/usr/bin/certutil -d
/etc/httpd/alias -M -n valicert.com -t CT,CT,' returned non-zero exit
status 255
root : DEBUG Command '/usr/bin/certutil -d /etc/httpd/alias -M
-n valicert.com -t CT,CT,' returned non-zero exit status 255
File "/usr/sbin/ipa-replica-install", line 294, in <module>
main()
File "/usr/sbin/ipa-replica-install", line 259, in main
install_http(config)
File "/usr/sbin/ipa-replica-install", line 146, in install_http
http.create_instance(config.realm_name, config.host_name,
config.domain_name, False, pkcs12_info)
File "/usr/lib/python2.5/site-packages/ipaserver/httpinstance.py",
line 81, in create_instance
self.start_creation("Configuring the web interface")
File "/usr/lib/python2.5/site-packages/ipaserver/service.py", line
139, in start_creation
method()
File "/usr/lib/python2.5/site-packages/ipaserver/httpinstance.py",
line 160, in __setup_ssl
ca.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
passwd="")
File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 476,
in create_from_pkcs12
self.trust_root_cert(nickname)
File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 390,
in trust_root_cert
"-t", "CT,CT,"])
File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 133,
in run_certutil
return ipautil.run(new_args, stdin)
File "/usr/lib/python2.5/site-packages/ipa/ipautil.py", line 97, in run
raise CalledProcessError(p.returncode, ' '.join(args))
[root at replica ~]# certutil -L -d /etc/httpd/alias
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
Go Daddy Secure Certification Authority                      CT,C,
Go Daddy Class 2 Certification Authority                     CT,C,
Rob Crittenden wrote:
> James Roman wrote:
>> OK I am still running into a similar problem when installing the
>> replica server. It appears that the problem stems from the chained CA
>> certificates from GoDaddy again. On the replica server, all the certs
>> appear to be installed properly. The script is choking when modifying
>> the trust arguments. It looks like it is grabbing the certificate
>> name from the wrong place again.
>
> This should be fixed in ipa v1.2.2 which is in the Fedora
> updates-testing repo.
>
> rob
>
>>
>>
>> ipa-replica-install Error:
>>
>> NOTE: Take a look at where the quotes are showing up in the "certutil
>> -d" lines.
>>
>> root : DEBUG [10/17]: configuring ssl for ds instance
>> [10/17]: configuring ssl for ds instance
>> root : DEBUG Loading Index file from
>> '/var/lib/ipa/sysrestore/sysrestore.index'
>> root : INFO root : INFO root : INFO
>> pk12util: PKCS12 IMPORT SUCCESSFUL
>>
>> root : INFO root : INFO root : INFO
>> certutil: could not find certificate named "valicert.com"
>> [E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2
>> Policy Validation Authority,O="ValiCert, Inc.": The security card or
>> token does not exist, needs to be initialized, or has been removed.
>>
>> creation of replica failed: Command '/usr/bin/certutil -d
>> /etc/dirsrv/slapd-REALM-COM/ -M -n valicert.com"
>> [E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2
>> Policy Validation Authority,O="ValiCert, Inc. -t CT,CT,' returned
>> non-zero exit status 255
>> root : DEBUG Command '/usr/bin/certutil -d
>> /etc/dirsrv/slapd-REALM-COM/ -M -n valicert.com"
>> [E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2
>> Policy Validation Authority,O="ValiCert, Inc. -t CT,CT,' returned
>> non-zero exit status 255
>> File "/usr/sbin/ipa-replica-install", line 294, in <module>
>> main()
>>
>> File "/usr/sbin/ipa-replica-install", line 244, in main
>> ds = install_ds(config)
>>
>> File "/usr/sbin/ipa-replica-install", line 115, in install_ds
>> ds.create_instance(config.ds_user, config.realm_name,
>> config.host_name, config.domain_name, config.dirman_password,
>> pkcs12_info)
>>
>> File "/usr/lib/python2.5/site-packages/ipaserver/dsinstance.py",
>> line 193, in create_instance
>> self.start_creation("Configuring directory server:")
>>
>> File "/usr/lib/python2.5/site-packages/ipaserver/service.py", line
>> 139, in start_creation
>> method()
>>
>> File "/usr/lib/python2.5/site-packages/ipaserver/dsinstance.py",
>> line 345, in __enable_ssl
>> ca.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1])
>>
>> File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line
>> 403, in create_from_pkcs12
>> self.trust_root_cert(nickname)
>>
>> File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line
>> 322, in trust_root_cert
>> "-t", "CT,CT,"])
>>
>> File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line
>> 126, in run_certutil
>> return ipautil.run(new_args, stdin)
>>
>> File "/usr/lib/python2.5/site-packages/ipa/ipautil.py", line 97, in run
>> raise CalledProcessError(p.returncode, ' '.join(args))
>>
>>
>> Replica server Cert DB:
>>
>> [root at replica slapd-REALM-COM]# certutil -L -d .
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> Server-Cert                                                  u,u,u
>> Go Daddy Secure Certification Authority                      ,,
>> Go Daddy Class 2 Certification Authority                     ,,
>> valicert.com                                                 ,,
>>
>> Rob Crittenden wrote:
>>> James Roman wrote:
>>>> Can anyone elaborate on the options for the ipa-replica-prepare
>>>> command? I have a third party signed certificate for both my master
>>>> and replica server. Am I supposed to provide the PKCS12 file for
>>>> the master server or the replica? If it is looking for the master
>>>> server, I really don't want the script generating a new certificate
>>>> for the replica. I already have one. Any way to by-pass that option?
>>>
>>> The PKCS#12 file(s) are for the replica server. If you provide both
>>> then IPA will not attempt to generate one.
>>>
>>> rob
>>
>
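The failure in this thread is that ipa-replica-install derives a nickname for the root of the PKCS#12 chain and then runs `certutil -M -n <nick> -t CT,CT,` against a database that, after pk12util, does not actually contain that nickname (the httpd database above has no "valicert.com" entry), so certutil exits 255 partway through the install. The script below is an added example, not FreeIPA code: it parses the `Friendly Name:` lines that pk12util prints and the listing that `certutil -L -d <dbdir>` prints (both sample inputs are constructed from the output quoted in this thread), reports which chain members are missing from the database or are present without the `C` (valid CA) trust flag, and builds the certutil argv as a list so the nickname is always a single argument. The helper names `friendly_names`, `parse_certutil_list`, `check_chain` and `trust_command` are this example's own, not part of the ipaserver modules in the traceback.

```python
"""Pre-check an NSS certificate database against a PKCS#12 chain before
trust flags are modified (added example; not FreeIPA's own code)."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the "Friendly Name" lines pk12util printed in the thread,
# in the order they appear (leaf first, root last).
PK12UTIL_OUTPUT = """\
pk12util: PKCS12 IMPORT SUCCESSFUL
Key(shrouded):
    Friendly Name: Server-Cert
Certificate:
    Friendly Name: Go Daddy Secure Certification Authority
Certificate:
    Friendly Name: Go Daddy Class 2 Certification Authority
Certificate:
    Friendly Name: valicert.com
Certificate(has private key):
"""

# Constructed sample: `certutil -L -d /etc/httpd/alias` from the thread; the
# root CA nickname "valicert.com" never made it into this database.
HTTPD_ALIAS_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
Go Daddy Secure Certification Authority                      CT,C,
Go Daddy Class 2 Certification Authority                     CT,C,
"""

# Constructed sample: the directory server database from the earlier attempt;
# every CA is present but none carries a trust flag yet.
SLAPD_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
Go Daddy Secure Certification Authority                      ,,
Go Daddy Class 2 Certification Authority                     ,,
valicert.com                                                 ,,
"""

# A listing row is "<nickname>  <ssl>,<smime>,<jar>"; the two header rows
# contain no flag triple and therefore do not match.
ROW_RE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


def friendly_names(pk12util_output: str) -> List[str]:
    """Nicknames pk12util assigned, in order of appearance, without duplicates."""
    names: List[str] = []
    for line in pk12util_output.splitlines():
        m = re.match(r"\s*Friendly Name:\s*(.+?)\s*$", line)
        if m and m.group(1) not in names:
            names.append(m.group(1))
    return names


def parse_certutil_list(listing: str) -> Dict[str, str]:
    """Map nickname -> trust attribute string from `certutil -L` output."""
    certs: Dict[str, str] = {}
    for line in listing.splitlines():
        m = ROW_RE.match(line)
        if m:
            certs[m.group("nick").strip()] = m.group("trust")
    return certs


def check_chain(listing: str, chain: List[str]) -> Tuple[List[str], List[str]]:
    """Return (missing, untrusted): chain nicknames absent from the database,
    and CA nicknames (everything after the leaf) present without the 'C'
    flag in the SSL slot. A nickname in `missing` is exactly what makes
    `certutil -M -n <nick>` fail with exit status 255."""
    certs = parse_certutil_list(listing)
    missing = [nick for nick in chain if nick not in certs]
    untrusted = []
    for nick in chain[1:]:
        trust = certs.get(nick)
        if trust is not None and "C" not in trust.split(",")[0]:
            untrusted.append(nick)
    return missing, untrusted


def trust_command(dbdir: str, nick: str) -> List[str]:
    """argv for the trust change the installer runs, as a list: a nickname with
    spaces or quotes stays one argument instead of being split by a shell."""
    return ["/usr/bin/certutil", "-d", dbdir, "-M", "-n", nick, "-t", "CT,CT,"]


if __name__ == "__main__":
    chain = friendly_names(PK12UTIL_OUTPUT)
    for dbdir, listing in (("/etc/httpd/alias", HTTPD_ALIAS_LISTING),
                           ("/etc/dirsrv/slapd-REALM-COM", SLAPD_LISTING)):
        missing, untrusted = check_chain(listing, chain)
        print(f"{dbdir}: missing={missing} untrusted CAs={untrusted}")
        # Only build trust commands for CAs that are actually in the database.
        for nick in untrusted:
            print("  pending:", " ".join(trust_command(dbdir, nick)))
```

Run against the two listings, the httpd database reports "valicert.com" as missing and nothing to trust, which is the state the installer tripped over; the directory server database reports all three CAs present but untrusted, which is the state the `-t CT,CT,` step is meant to fix.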