ipa-server-certinstall -d ..... assumes CA certificate is located in: /etc/dirsrv/slapd-DOMAIN.COM/ but IPA installation routines put it in: /etc/dirsrv/slapd-DOMAIN-COM/ ('.' vs '-').
The fix for this is: diff --git a/ipa-server/ipa-install/ipa-server-certinstall b/ipa-server/ipa-inst all/ipa-server-certinstall index e769627..90130e4 100644 --- a/ipa-server/ipa-install/ipa-server-certinstall +++ b/ipa-server/ipa-install/ipa-server-certinstall @@ -134,7 +134,7 @@ def main(): if options.dirsrv: dm_password = getpass.getpass("Directory Manager password: ") realm = get_realm_name() - dirname = dsinstance.config_dirname(realm) + dirname = dsinstance.config_dirname(dsinstance.realm_to_serverid(re alm)) server_cert = import_cert(dirname, pkcs12_fname) set_ds_cert_name(server_cert[0], dm_password)
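Review bot: the computed dirname is passed straight to import_cert(dirname, pkcs12_fname) with no check that the directory exists, so if realm_to_serverid() ever yields a name that does not match the installed instance (exactly the mismatch this bug is about) the failure surfaces as an NSS database error from the import instead of a clear message naming the path. Suggest guarding the call, e.g. if not os.path.isdir(dirname): print("DS instance directory %s not found" % dirname); sys.exit(1), before set_ds_cert_name() is reached. It is also worth checking the other install scripts for further config_dirname(realm) callers so the same conversion is applied everywhere, not only in the --dirsrv path.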
Created attachment 310674 [details] properly convert realm name into DS instance name
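The conversion the report and the attached patch call for, as an added example that is not IPA's own code: realm_to_serverid() is an assumed reimplementation of the '.' to '-' mapping the report describes, config_dirname() builds the /etc/dirsrv/slapd-<SERVERID>/ path shown in the report, and locate_instance_dir() adds the existence check a practitioner would want before anything touches the NSS database. demo() reproduces the mismatch in a constructed temporary directory rather than on a live /etc/dirsrv.

```python
"""Added example (not IPA project code): derive the 389-ds instance
directory from a Kerberos realm the way the bug report describes, and
refuse to continue if that directory does not exist.

Assumptions (not taken from IPA sources): the instance is named by
replacing every '.' in the realm with '-', and the NSS database lives in
<root>/slapd-<SERVERID>/ with root defaulting to /etc/dirsrv.
"""

import os
import tempfile


def realm_to_serverid(realm):
    """Map a realm such as IPAQA.COM to the instance name IPAQA-COM."""
    # Assumed conversion, based on the report's '.' vs '-' observation.
    return "-".join(realm.split("."))


def config_dirname(serverid, root="/etc/dirsrv"):
    """Directory holding the instance's NSS database, with trailing '/'."""
    return os.path.join(root, "slapd-" + serverid) + os.sep


def buggy_dirname(realm, root="/etc/dirsrv"):
    """What the pre-fix script computed: the realm used unconverted."""
    return config_dirname(realm, root)


def fixed_dirname(realm, root="/etc/dirsrv"):
    """What the fix computes: realm converted to the instance name first."""
    return config_dirname(realm_to_serverid(realm), root)


def locate_instance_dir(realm, root="/etc/dirsrv"):
    """Return the instance directory for realm, or raise with a message
    that names the path tried and the instances actually present."""
    dirname = fixed_dirname(realm, root)
    if not os.path.isdir(dirname):
        present = sorted(os.listdir(root)) if os.path.isdir(root) else []
        raise FileNotFoundError(
            "DS instance directory %s for realm %s not found; instances under %s: %s"
            % (dirname, realm, root, present))
    return dirname


def demo():
    """Constructed reproduction: create the directory the installer would
    create for IPAQA.COM and show that only the converted name finds it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "slapd-IPAQA-COM"))
        bad = buggy_dirname("IPAQA.COM", root)
        good = locate_instance_dir("IPAQA.COM", root)
        try:
            locate_instance_dir("NOSUCH.COM", root)
            missing_raises = False
        except FileNotFoundError:
            missing_raises = True
        return {
            "buggy": os.path.basename(bad.rstrip(os.sep)),
            "buggy_exists": os.path.isdir(bad),
            "fixed": os.path.basename(good.rstrip(os.sep)),
            "fixed_exists": os.path.isdir(good),
            "missing_raises": missing_raises,
        }


if __name__ == "__main__":
    print(demo())
```

Running the block prints the dictionary from demo(): the unconverted name slapd-IPAQA.COM does not exist, slapd-IPAQA-COM does, and an unknown realm is rejected up front instead of failing later inside certutil.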
master: e9196e2d9311f4de0423745568fe72f69dc4fa52
Need to commit to ipa-1-0 branch as well
*** Bug 452300 has been marked as a duplicate of this bug. ***
ipa-1-0: 23a9b65c9c0c82985cdc0efbe15c9530ab9da72d
Bug verification: passed

test:
step 1: generate self-sign cert
step 2: run ipa-server-certinstall -d to import cert

test output is below:
--------------------------------------
[step 1]
server64[07/22/08 19:48]/tmp/nss >certutil -L -d . -n yi-cert-01

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 123 (0x7b)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=ipaqa.ipa.com,O=redhat"
        Validity:
            Not Before: Wed Jul 23 02:48:18 2008
            Not After : Sat Jan 23 02:48:18 2010
        Subject: "CN=ipaqa.ipa.com,O=redhat"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    e9:8e:ad:c0:cf:ac:f9:64:7e:85:73:7f:45:88:e0:21:
                    cf:68:00:e9:5c:cd:ac:71:ea:9a:6f:87:72:1f:d5:d1:
                    7b:de:34:70:e0:c6:db:60:c5:41:74:e1:38:0c:59:54:
                    53:27:e7:78:41:dd:d0:42:65:97:dc:8c:b1:60:70:df:
                    b1:c5:dd:4f:bf:a9:74:ed:f9:a9:a6:4a:7a:db:f2:18:
                    08:8f:b7:84:5b:74:eb:9e:7f:f9:af:51:54:ce:f0:a3:
                    4d:5d:4c:eb:51:b1:ea:69:c8:4f:d2:2c:40:91:21:3a:
                    bf:e2:00:89:6e:cc:3e:39:35:f9:62:0d:7b:3f:2d:e1
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Basic Constraints
            Critical: True
            Data: Is a CA with no maximum path length.

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Non-Repudiation
                    Data Encipherment
                    Key Agreement
                    Certificate Signing
                    CRL Signing

    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
        9e:7c:31:64:f3:98:7e:08:d5:2a:97:26:ef:5c:8b:5c:
        fb:0d:22:18:e4:68:1a:31:02:18:3e:d0:52:80:c7:99:
        ff:3a:17:b5:85:00:5a:26:46:1b:ed:ae:d8:98:ad:70:
        ab:a5:06:a3:e4:6a:fd:ce:c5:cf:65:9a:14:17:0d:54:
        71:10:aa:95:e0:45:d3:a9:35:68:e6:4c:33:c2:00:11:
        7b:17:96:1d:2b:e8:e5:c8:9a:19:dc:b7:c4:48:87:01:
        b8:f2:1b:cd:4a:74:19:13:2f:6b:34:36:a5:41:d7:11:
        5b:9f:cb:ed:c4:72:c6:03:b2:3c:7d:ed:eb:24:9e:26
    Fingerprint (MD5):
        7B:45:85:22:6B:7C:D7:31:67:DD:22:AD:70:EC:04:9B
    Fingerprint (SHA1):
        DA:1A:DB:0D:C4:26:99:B9:F4:D2:E3:A6:53:3B:EE:74:82:DF:91:71

    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            User
            Trusted Client CA
        Email Flags:
            Valid CA
            Trusted CA
            User
        Object Signing Flags:
            Valid CA
            Trusted CA
            User

----------------------------------
[step 2]
server64[07/22/08 19:48]/tmp/nss >ipa-server-certinstall -d --dirsrv_pin=netscape /tmp/nss/yi.p12
Directory Manager password:
Please select the certificate to use:
1. Certificate Nickname Trust
2. yi-cert-01
Certificate number [1]: 2
You have new mail in /var/spool/mail/root
server64[07/22/08 19:48]/tmp/nss >certutil -L -d /etc/dirsrv/slapd-IPAQA-COM/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

yi-cert-01                                                   CTu,Cu,u
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2008-0643.html