Description of problem:

> When I run this it tells me that /etc/dirsrv/slapd-AUSTRALIA.COM/ doesn't exist. The directory is actually /etc/dirsrv/slapd-AUSTRALIA-COM/
> edit /usr/lib/python2.5/site-packages/ipaserver/dsinstance.py and make config_dirname() look like:

    def config_dirname(serverid):
        return "/etc/dirsrv/slapd-" + realm_to_serverid(serverid) + "/"

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. On a functioning ipa server, run the ipa-replica-prepare script.

Actual results:

Expected results:

Additional info:

I made the recommended changes to the script and it appears to work now. It would be nice, however, if the script:

1. Told you what it was going to do
2. Provided feedback and info on what to do next (similar to what ipa-server-install does)

Is there no "ipaconfig" directory where we could write the replica info file, instead of just into the dir where the command was run (in this particular case /root)?

Created attachment 294008
make replication preparation and installation work again

This bug opened a real can of worms. It turns out that the way the SSL certificates are created is that the CA, private key and all, is shipped off to each replica so that the certificates can be generated. Beyond not wanting to share the CA all over the place, the certificates that will be generated will all have duplicate serial numbers.

That led to the following changes:

- Use file to store the current CA serial number
- No longer create a PKCS#12 file that contains the CA
- No longer send the entire CA to each replica, generate the SSL certs on master
- Fix number of bugs in ipa-replica-install and prepare
- Produce status output during replica creation

Created attachment 294022
keep the CA PKCS#12 creation with this patch

Same patch as before just keeping the CA PKCS#12 file creation and added a message at the end of install to remind user to back this file up.

Committed in changeset 621

qa verified, bug closed
build used: 4-8-2008 daily build

The following cmd performed to verify the certs:

on ipa master:

    ipaserver-wrong[04/08/08 17:01] certutil -L -d /etc/dirsrv/slapd-IPAQA-COM/ -n "Server-Cert" | grep "Serial"
    Serial Number: 1001 (0x3e9)
    ipaserver-wrong[04/08/08 17:02] certutil -L -d /etc/httpd/alias/ -n "Server-Cert" | grep "Serial"
    Serial Number: 1002 (0x3ea)
    ipaserver-wrong[04/08/08 17:02] certutil -L -d /etc/httpd/alias/ -n "Signing-Cert" | grep Serial

on replica server

    [root@replica64-1 alias]# certutil -L -d /etc/dirsrv/slapd-IPAQA-COM/ -n "Server-Cert" | grep "Serial"
    Serial Number: 1004 (0x3ec)
    [root@replica64-1 alias]# certutil -L -d /etc/httpd/alias/ -n "Server-Cert" | grep "Serial"
    Serial Number: 1005 (0x3ed)
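
The manual check in the QA comment can be automated. The following is an added example, not part of the bug thread or the IPA code base: it parses the `Serial Number:` lines that `certutil -L` printed above and reports serials shared by more than one leaf certificate. The function names, the "master" host label and the second data set are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Form shown in the QA comment: "Serial Number: 1001 (0x3e9)".
SERIAL_RE = re.compile(r"Serial Number:\s*(\d+)\s*\(0x([0-9a-fA-F]+)\)")

def parse_serial(certutil_output):
    """Return the serial as an int, or None when no such line is present."""
    m = SERIAL_RE.search(certutil_output)
    if m is None:
        return None
    dec, hexval = int(m.group(1)), int(m.group(2), 16)
    if dec != hexval:
        raise ValueError("decimal/hex mismatch in %r" % m.group(0))
    return dec

def audit_serials(observations):
    """observations: (host, nss_db, nickname, grep_output) tuples for leaf
    certificates issued by one CA. Returns (duplicates, missing)."""
    by_serial, missing = defaultdict(list), []
    for host, db, nick, out in observations:
        serial = parse_serial(out)
        if serial is None:
            missing.append((host, db, nick))  # report it, do not guess a value
        else:
            by_serial[serial].append((host, db, nick))
    duplicates = {s: certs for s, certs in by_serial.items() if len(certs) > 1}
    return duplicates, missing

DS, HTTPD = "/etc/dirsrv/slapd-IPAQA-COM/", "/etc/httpd/alias/"

# Values copied from the QA verification above (build with the fix).
FIXED = [
    ("master", DS, "Server-Cert", "Serial Number: 1001 (0x3e9)"),
    ("master", HTTPD, "Server-Cert", "Serial Number: 1002 (0x3ea)"),
    ("master", HTTPD, "Signing-Cert", ""),  # no output recorded in the comment
    ("replica64-1", DS, "Server-Cert", "Serial Number: 1004 (0x3ec)"),
    ("replica64-1", HTTPD, "Server-Cert", "Serial Number: 1005 (0x3ed)"),
]

# Constructed sample (not from the bug): replica certificates that reuse the
# master's serials, the failure the patch description warns about.
CONSTRUCTED_DUPLICATES = FIXED[:2] + [
    ("replica64-1", DS, "Server-Cert", "Serial Number: 1001 (0x3e9)"),
    ("replica64-1", HTTPD, "Server-Cert", "Serial Number: 1002 (0x3ea)"),
]

if __name__ == "__main__":
    for label, data in (("fixed", FIXED), ("constructed", CONSTRUCTED_DUPLICATES)):
        dups, missing = audit_serials(data)
        print(label, "duplicates:", dups, "no serial:", missing)
```

The regular expression only covers the short decimal-plus-hex form seen in this thread; an entry whose serial line is absent or printed in another form is returned in the `missing` list rather than being treated as unique.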