[Freeipa-users] ipa-replica install failing

David Christensen David.Christensen at viveli.com
Wed Sep 30 22:15:08 UTC 2009


David Christensen wrote:
> Dmitri Pal wrote:
>> David Christensen wrote:
>>> When I installed my first ipa server I used the self signed ssl cert and
>>> soon followed up with a replica.  Shortly after installing the replica I
>>> attempted to import a wild card CA signed cert and ran into an issue.
>>>
>>> I discovered (thanks to the helpful folks on the FREEIPA irc) that a
>>> regex in /usr/lib/python2.5/site-packages/ipaserver/certs.py for
>>> root_nickname was bad.  I modified root_nickname = re.match('\
>>> *"(.*)".*', chain[0]).groups()[0] to re.match('\ *"(.*)" \[.*',
>>> chain[0]).groups()[0] and was able to import the cert.
>>>
>>> I had to do the same thing to the replica and replication continued.
>>>
>>> Now I am trying to create a 3rd replica and have run into what I think
>>> is a similar issue.  I can export the replica package from the "master"
>>> ipa server using the pk12 options however the replica install fails.
>>>
>>> I ran the debug on the replica install and this is where the install
>>> fails:
>>>
>>> root        : INFO
>>> creation of replica failed: Could not find a CA cert in
>>> /tmp/tmplO4Bp3ipa/realm_info/dscert.p12
>>> root        : DEBUG    Could not find a CA cert in
>>> /tmp/tmplO4Bp3ipa/realm_info/dscert.p12
>>>   File "/usr/sbin/ipa-replica-install", line 294, in <module>
>>>     main()
>>>
>>>   File "/usr/sbin/ipa-replica-install", line 244, in main
>>>     ds = install_ds(config)
>>>
>>>   File "/usr/sbin/ipa-replica-install", line 115, in install_ds
>>>     ds.create_instance(config.ds_user, config.realm_name,
>>> config.host_name, config.domain_name, config.dirman_password, pkcs12_info)
>>>
>>>   File "/usr/lib/python2.5/site-packages/ipaserver/dsinstance.py", line
>>> 193, in create_instance
>>>     self.start_creation("Configuring directory server:")
>>>
>>>   File "/usr/lib/python2.5/site-packages/ipaserver/service.py", line
>>> 139, in start_creation
>>>     method()
>>>
>>>   File "/usr/lib/python2.5/site-packages/ipaserver/dsinstance.py", line
>>> 345, in __enable_ssl
>>>     ca.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1])
>>>
>>>   File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 472,
>>> in create_from_pkcs12
>>>     raise RuntimeError("Could not find a CA cert in %s" % pkcs12_fname)
>>>
>>>
>>> Your system may be partly configured.
>>>
>>> Is this issue similar to what I experienced with the ssl cert import or
>>> is it something entirely different?
>>>
>>> David
>> Are you running latest 1.2.2 FreeIPA on the server?
>> Some of the cert issues were addressed in the recently published patch.
>> The issue that you see should be addressed by these patches.
> 
> Never mind the request for the updates, I see they are in the repo now,
> must have missed them.
> 
> Thanks for pointing it out nonetheless.
> 
> David
Dmitri,

After upgrading to 1.2.2 and redoing the ipa-replication packaging, I
got the same error.

David
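
The two root_nickname patterns quoted in the message above, compared on constructed input. This is an added example, not part of the original thread and not FreeIPA's code. The line shape ("nickname" [subject]) and every sample value are assumptions; the example shows one kind of line on which the two patterns disagree (a subject that itself contains a quoted value) and what happens on a line neither pattern matches.

```python
import re

# The two patterns quoted in the message, written as raw strings.
ORIGINAL = r'\ *"(.*)".*'
MODIFIED = r'\ *"(.*)" \[.*'

# Constructed sample lines (assumed shape: optional indent, "nickname" [subject]).
SAMPLES = {
    "plain": '"Example Root CA" [CN=Example Root CA,O=Example]',
    "indented": '  "Server-Cert" [CN=ipa.example.test,O=Example]',
    "quoted_dn": '"Example Root CA" [CN=Example Root CA,O="Example, Inc.",C=US]',
    "no_nickname": 'Example Root CA [CN=Example Root CA]',
}


def root_nickname(line, pattern):
    """Return the captured nickname, or None when the line does not match.

    The expression quoted in the message calls .groups() directly on the
    re.match() result, which raises AttributeError on a non-matching line.
    """
    match = re.match(pattern, line)
    return match.group(1) if match else None


def compare(samples=SAMPLES):
    """Map each sample name to (nickname via ORIGINAL, nickname via MODIFIED)."""
    return {
        name: (root_nickname(line, ORIGINAL), root_nickname(line, MODIFIED))
        for name, line in samples.items()
    }


if __name__ == "__main__":
    for name, (old, new) in compare().items():
        flag = "" if old == new else "   <-- patterns disagree"
        print(f"{name:12} original={old!r} modified={new!r}{flag}")
```

With the greedy group, the original pattern runs to the last double quote on the line, so a quoted value inside the subject ends up in the captured nickname; the modified pattern stops at the quote that is followed by " [".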