[Freeipa-users] ipa-replica install failing

Dmitri Pal dpal at redhat.com
Wed Sep 30 20:25:14 UTC 2009


David Christensen wrote:
> When I installed my first ipa server I used the self-signed ssl cert and
> soon followed up with a replica.  Shortly after installing the replica I
> attempted to import a wildcard CA signed cert and ran into an issue.
>
> I discovered (thanks to the helpful folks on the FREEIPA irc) that a
> regex in /usr/lib/python2.5/site-packages/ipaserver/certs.py for
> root_nickname was bad.  I modified
>     root_nickname = re.match('\ *"(.*)".*', chain[0]).groups()[0]
> to
>     re.match('\ *"(.*)" \[.*', chain[0]).groups()[0]
> and was able to import the cert.
>
> I had to do the same thing to the replica and replication continued.
>
> Now I am trying to create a 3rd replica and have run into what I think
> is a similar issue.  I can export the replica package from the "master"
> ipa server using the pk12 options however the replica install fails.
>
> I ran the debug on the replica install and this is where the install
> fails:
>
> root        : INFO
> creation of replica failed: Could not find a CA cert in
> /tmp/tmplO4Bp3ipa/realm_info/dscert.p12
> root        : DEBUG    Could not find a CA cert in
> /tmp/tmplO4Bp3ipa/realm_info/dscert.p12
>   File "/usr/sbin/ipa-replica-install", line 294, in <module>
>     main()
>
>   File "/usr/sbin/ipa-replica-install", line 244, in main
>     ds = install_ds(config)
>
>   File "/usr/sbin/ipa-replica-install", line 115, in install_ds
>     ds.create_instance(config.ds_user, config.realm_name,
> config.host_name, config.domain_name, config.dirman_password, pkcs12_info)
>
>   File "/usr/lib/python2.5/site-packages/ipaserver/dsinstance.py", line
> 193, in create_instance
>     self.start_creation("Configuring directory server:")
>
>   File "/usr/lib/python2.5/site-packages/ipaserver/service.py", line
> 139, in start_creation
>     method()
>
>   File "/usr/lib/python2.5/site-packages/ipaserver/dsinstance.py", line
> 345, in __enable_ssl
>     ca.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1])
>
>   File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 472,
> in create_from_pkcs12
>     raise RuntimeError("Could not find a CA cert in %s" % pkcs12_fname)
>
>
> Your system may be partly configured.
>
> Is this issue similar to what I experienced with the ssl cert import or
> is it something entirely different?
>
> David

Are you running the latest 1.2.2 FreeIPA on the server?
Some of the cert issues were addressed in the recently published patch.
The issue that you see should be addressed by these patches.

-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.
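
The two root_nickname patterns quoted in the message above, compared side by side. This is an added example, not code from the thread or from FreeIPA; the sample chain lines are constructed, and their layout (quoted nickname followed by a bracketed subject that may itself contain quotes) is an assumption.

```python
import re

# The two patterns quoted in the message, written as raw strings.
ORIGINAL = re.compile(r'\ *"(.*)".*')
MODIFIED = re.compile(r'\ *"(.*)" \[.*')

# Constructed sample lines, not taken from the thread. Assumed layout:
# optional indent, quoted nickname, then the subject DN in brackets.
SAMPLE_CHAIN = [
    '"Example Root CA" [CN=Example Root CA,O=Example,C=US]',
    '"Example Wildcard CA" [CN=Example CA,O="Example, Inc.",C=US]',
    '  "Server-Cert" [CN=*.example.test,O="Example, Inc."]',
]


def nickname(pattern, line):
    """Return the captured nickname, or None if the line does not match."""
    match = pattern.match(line)
    return match.groups()[0] if match else None


def compare(lines):
    """Return (line, original_result, modified_result) for each line."""
    return [(l, nickname(ORIGINAL, l), nickname(MODIFIED, l)) for l in lines]


def disagreements(lines):
    """Lines where the greedy capture of the original pattern runs past the
    nickname because a later quote appears inside the bracketed subject."""
    return [row for row in compare(lines) if row[1] != row[2]]


if __name__ == "__main__":
    for line, old, new in compare(SAMPLE_CHAIN):
        flag = "DIFFERS" if old != new else "same"
        print("%-8s original=%r modified=%r" % (flag, old, new))
```

A nickname that differs between the two patterns would not name any certificate actually present in the database, so a later lookup by that nickname would come up empty.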
