This bug is created as a clone of upstream ticket:
If there are multiple versions of the same certificate (e.g. before and after renewal) coming from the same or different sources (CA certificates installed in IPA, user-provided certificates, etc.), some installers may fail with an NSS error. This has been observed for `ipa-replica-prepare` (https://www.redhat.com/archives/freeipa-users/2015-April/msg00189.html), but other installers are affected as well:
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in execute
File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 276, in ask_for_options
File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 176, in load_pkcs12
File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 785, in load_pkcs12
nss_cert = x509.load_certificate(cert, x509.DER)
File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 128, in load_certificate
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
This happens because we sometimes use `certutil -L -n -r` to get a DER-encoded certificate from an NSS database, and when there are multiple versions of that certificate, `certutil` returns the corresponding DER blobs concatenated, which other components are then unable to parse.
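The failure mode described above, as an added example (not FreeIPA's code or its fix): a parser that expects exactly one DER object cannot load concatenated output, so the data has to be split on the outer SEQUENCE boundaries first. The function names are hypothetical and the byte strings are constructed stand-ins, not real certificates.

```python
def der_sequence(payload):
    """Wrap payload in a DER SEQUENCE header (helper for the constructed samples)."""
    n = len(payload)
    if n < 0x80:
        return bytes([0x30, n]) + payload
    size = (n.bit_length() + 7) // 8
    return bytes([0x30, 0x80 | size]) + n.to_bytes(size, "big") + payload


def split_der_sequences(data):
    """Split back-to-back DER SEQUENCEs into a list of individual blobs."""
    blobs, pos = [], 0
    while pos < len(data):
        if data[pos] != 0x30:
            raise ValueError("expected SEQUENCE tag at offset %d" % pos)
        if pos + 2 > len(data):
            raise ValueError("truncated header at offset %d" % pos)
        first = data[pos + 1]
        if first < 0x80:                      # short form: length in one byte
            header, length = 2, first
        else:                                 # long form: next n bytes hold the length
            n = first & 0x7F
            if n == 0 or pos + 2 + n > len(data):
                raise ValueError("bad length encoding at offset %d" % pos)
            header = 2 + n
            length = int.from_bytes(data[pos + 2:pos + 2 + n], "big")
        end = pos + header + length
        if end > len(data):
            raise ValueError("truncated object at offset %d" % pos)
        blobs.append(data[pos:end])
        pos = end
    return blobs


# Constructed stand-ins for an old and a renewed certificate (not real X.509).
OLD = der_sequence(b"\x04\x03old")
NEW = der_sequence(b"\x04\x82\x01\x2c" + b"N" * 300)
CONCATENATED = OLD + NEW   # shape of the output described in the report

if __name__ == "__main__":
    parts = split_der_sequences(CONCATENATED)
    print("%d DER objects: %s" % (len(parts), [len(p) for p in parts]))
```

More than one element in the returned list means the input holds several objects and must not be handed to a single-certificate loader as is.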
This bug was accidentally moved from POST to MODIFIED via an error in automation. Please see email@example.com with any questions.
Verified using IPA version ::
Verified using automation.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.