[Freeipa-users] ipa-replica-prepare failed

Rob Crittenden rcritten at redhat.com
Fri Feb 8 13:44:02 UTC 2013


James James wrote:
> I had to set the --dirsrv_pkcs12, --dirsrv_pin, --http_pkcs12,
> --http_pin and the ipa-replica-prepare command runs without failure.
>
> Thanks for your help.

Yes, this is what I was going to suggest. Using ipa-server-certinstall
replaces the IPA CA with an external one.

I should note that we're deprecating this tool and do not recommend that 
it be used. We instead suggest that if you need certificates from an 
external CA you get the IPA CA signed as a subordinate.

rob

>
>
> 2013/2/8 James James <jreg2k at gmail.com>
>
>     My ipa version is ipa-server-2.2.0-17.el6_3.1.x86_64 and the distro
>     is Scientific Linux 6.3. I have used ipa-server-certinstall to
>     replace the default IPA certs.
>
>
>
>
>     2013/2/8 Rob Crittenden <rcritten at redhat.com>
>
>         James James wrote:
>
>             Hi,
>             today I wanted to install an IPA replica. When I used the
>             ipa-replica-prepare command, I got this error:
>
>             [root at ipa ~]# ipa-replica-prepare ipa2-example.com
>
>             Directory Manager (existing master) password:
>
>             Preparing replica for ipa-EXAMPLE.COM from ipa.EXAMPLE.COM
>
>             Creating SSL certificate for the Directory Server
>             certutil: could not find certificate named "CN=EXAMPLE.COM
>             Certificate Authority": security library: bad database.
>
>             certutil: unable to create cert (security library: bad
>             database.)
>             preparation of replica failed: Command '/usr/bin/certutil -d
>             /tmp/tmpoUpN72ipa/realm_info -A -n Server-Cert -t u,u,u -i
>             /var/lib/ipa/ipa-6qKbha/__tmpcert.der -f
>             /tmp/tmpoUpN72ipa/realm_info/__pwdfile.txt' returned
>             non-zero exit status 255
>             Command '/usr/bin/certutil -d /tmp/tmpoUpN72ipa/realm_info -A -n
>             Server-Cert -t u,u,u -i /var/lib/ipa/ipa-6qKbha/__tmpcert.der -f
>             /tmp/tmpoUpN72ipa/realm_info/__pwdfile.txt' returned
>             non-zero exit status 255
>                 File "/usr/sbin/ipa-replica-__prepare", line 459, in
>             <module>
>                   main()
>
>                 File "/usr/sbin/ipa-replica-__prepare", line 345, in main
>                   export_certdb(api.env.realm, ds_dir, dir,
>             passwd_fname, "dscert",
>             replica_fqdn, subject_base)
>
>                 File "/usr/sbin/ipa-replica-__prepare", line 143, in
>             export_certdb
>                   raise e
>
>
>             I have a certificate generated by a custom certificate
>             authority in the
>             ipa server.
>
>
>         Need more information on your installation. What version of IPA,
>         what distro?
>
>         Did you use ipa-server-certinstall to replace the default IPA certs?
>
>         rob
>
>
>
