[Freeipa-users] ipa-replica-prepare clarification

Rob Crittenden rcritten at redhat.com
Tue Sep 15 12:50:01 UTC 2009


James Roman wrote:
> I installed the 1.2.2-1 version from the test repo. I get really close 
> to the end, but it is still bombing when trying to set the trust 
> permissions on the web server cert. For some reason the final cert in 
> the chain did not get installed into the /etc/httpd/alias directory. All 
> worked fine for the directory server.

Strange, does the valicert.com certificate exist in the DS database?

I guess I assumed that if the certificate was in the PKCS#12 file then 
it would be loaded by NSS. That doesn't seem to be the case.

This patch should help. It will log the failure of setting trust but 
will continue. If the certificate is indeed not needed then it shouldn't 
hurt anything.

diff --git a/ipa-server/ipaserver/certs.py b/ipa-server/ipaserver/certs.py
index 95e6ac7..3782acf 100644
--- a/ipa-server/ipaserver/certs.py
+++ b/ipa-server/ipaserver/certs.py
@@ -386,8 +386,11 @@ class CertDB(object):
           if root_nickname[:7] == "Builtin":
               logging.debug("No need to add trust for built-in root 
CA's, skippi
           else:
-             self.run_certutil(["-M", "-n", root_nickname,
-                                "-t", "CT,CT,"])
+             try:
+                 self.run_certutil(["-M", "-n", root_nickname,
+                                    "-t", "CT,CT,"])
+             except ipautil.CalledProcessError, e:
+                 logging.error("Setting trust on %s failed" % 
root_nickname)

      def find_server_certs(self):
          p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir,
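
Review bot: the new `except ipautil.CalledProcessError, e:` branch drops the exception it catches, so the error logged on the last two added lines says only that setting trust on the nickname failed and not why (nickname absent from the database, as suspected in this thread, versus a locked or unreadable database versus a bad trust string). Include the exception in the message, e.g. `logging.error("Setting trust on %s failed: %s" % (root_nickname, e))`, and since the install now continues past this point, state in the message that the certificate was left without trust so an admin reading the log knows what to verify with `certutil -L`.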

The file to modify on an installed system is 
/usr/lib[64]/python*/site-packages/ipaserver/certs.py

Let me know if this fixes it for you and I'll see about getting this 
committed.

rob
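
The question in the reply above, whether the valicert.com certificate is actually present in the NSS database and what trust it carries, is what `certutil -L -d <secdir>` answers. The following is an added example, not FreeIPA code and not the patch from the message: it parses a constructed sample of that listing, decides whether a nickname is missing, already trusted, or needs `certutil -M`, and, where it does run certutil, keeps the tool's stderr for the log rather than discarding the error. The secdir `/etc/httpd/alias` and the trust string `CT,CT,` come from the thread; the listing text is constructed and the nicknames in it are made up.

```python
"""Decide whether `certutil -M -t CT,CT,` is needed for a CA nickname in an NSS database.

Added example, not part of FreeIPA. SAMPLE_LISTING is a constructed sample in the
shape `certutil -L -d <secdir>` prints, so the parser can be exercised offline.
"""
import re
import subprocess

# Constructed sample of `certutil -L` output (nicknames are made up).
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
IPA CA                                                       CT,C,C
valicert.com                                                 ,,
"""

# nickname, at least two spaces, then the three comma-separated trust fields.
_ROW_RE = re.compile(r"^(?P<nick>.+?)\s{2,}(?P<trust>[a-zA-Z]*,[a-zA-Z]*,[a-zA-Z]*)\s*$")


def parse_certutil_listing(text):
    """Map each nickname to its (SSL, S/MIME, JAR/XPI) trust flag tuple."""
    certs = {}
    for line in text.splitlines():
        m = _ROW_RE.match(line)
        if not m:
            continue  # header lines and blanks do not have the x,y,z shape
        nick = m.group("nick").strip()
        if not nick or nick == "Certificate Nickname":
            continue
        certs[nick] = tuple(m.group("trust").split(","))
    return certs


def classify(certs, nickname, wanted="CT,CT,"):
    """'missing' if not in the DB, 'ok' if every wanted flag is already set, else 'update'."""
    if nickname not in certs:
        return "missing"
    for have, want in zip(certs[nickname], wanted.split(",")):
        if not set(want) <= set(have):
            return "update"
    return "ok"


def trust_argv(secdir, nickname, flags="CT,CT,"):
    """The certutil command the patch on the page runs, as an argv list."""
    return ["/usr/bin/certutil", "-d", secdir, "-M", "-n", nickname, "-t", flags]


def plan_trust(listing, nickname, flags="CT,CT,", secdir="/etc/httpd/alias"):
    """Return (state, argv): argv is None unless a certutil -M run is warranted."""
    state = classify(parse_certutil_listing(listing), nickname, flags)
    if state != "update":
        return state, None
    return state, trust_argv(secdir, nickname, flags)


def set_trust(secdir, nickname, flags="CT,CT,"):
    """Run certutil -M and return (ok, message); stderr is kept so the log says why it failed."""
    argv = trust_argv(secdir, nickname, flags)
    try:
        p = subprocess.run(argv, capture_output=True, text=True, check=False)
    except OSError as e:  # certutil not installed or not executable
        return False, "cannot run %s: %s" % (argv[0], e)
    if p.returncode != 0:
        return False, "Setting trust on %s failed (rc=%d): %s" % (
            nickname, p.returncode, p.stderr.strip())
    return True, "trust %s set on %s" % (flags, nickname)


if __name__ == "__main__":
    for nick in ("valicert.com", "IPA CA", "Builtin Object Token:Example Root"):
        state, argv = plan_trust(SAMPLE_LISTING, nick)
        print("%-35s %-8s %s" % (nick, state, " ".join(argv) if argv else ""))
```

Against a live database, replace `SAMPLE_LISTING` with the output of `subprocess.run(["/usr/bin/certutil", "-L", "-d", secdir], capture_output=True, text=True).stdout`; a `missing` result is the situation described in the thread (the certificate never made it out of the PKCS#12 file), and is worth logging at a level distinct from a failed `-M` run.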