Description of problem:
I use a certificate signed by a third party. ipa-replica-prepare requests CA key.

Instruction:
    ipa-replica-prepare ft01.fronteranet.com

Result:
    Determining current realm name
    Getting domain name from LDAP
    Preparing replica for ft01.fronteranet.com from directory.fronteranet.com
    Creating SSL certificate for the Directory Server
    certutil: unable to retrieve key CA certificate: The private key for this certificate cannot be found in key database
    preparation of replica failed: Command '/usr/bin/certutil -d /tmp/tmplbnH0pipa/realm_info -A -n Server-Cert -t u,u,u -i /tmp/tmplbnH0pipa/realm_info/tmpcert.der -f /tmp/tmplbnH0pipa/realm_info/tmpcert.der' returned non-zero exit status 255
    Command '/usr/bin/certutil -d /tmp/tmplbnH0pipa/realm_info -A -n Server-Cert -t u,u,u -i /tmp/tmplbnH0pipa/realm_info/tmpcert.der -f /tmp/tmplbnH0pipa/realm_info/tmpcert.der' returned non-zero exit status 255
      File "/usr/sbin/ipa-replica-prepare", line 201, in <module>
        main()
      File "/usr/sbin/ipa-replica-prepare", line 181, in main
        export_certdb(realm_name, ds_dir, dir, "dscert", "cn=%s,ou=Fedora Directory Server" % replica_fqdn)
    .....

Someone's taking care of this bug?
Yes. Some bugs are more complex than others and take more time. Please be patient.
Created attachment 311595 [details] Rework the way PKCS#12 files are imported
master: 6980b073035cdd43b30b58aba3ce7f84f16a14ad
My test failed. I did 2 tests: one is a regular ipa-replica-prepare, one is an install with new server certs. Both failed and output the same error msg.

test 1: regular:
    [root@client64 alias]# ipa-replica-prepare ipaserver.ipaqa.com
    Determining current realm name
    Getting domain name from LDAP
    Preparing replica for ipaserver.ipaqa.com from client64.ipaqa.com
    Creating SSL certificate for the Directory Server
    Creating SSL certificate for the Web Server
    Copying additional files
    error copying files: [Errno 2] No such file or directory: '/usr/share/ipa/html/preferences.html'

test 2: with certs
    [root@client64 alias]# ipa-replica-prepare --http_pkcs12="/root/yi.server.cert.p12" --http_pin="redhat123" server64.ipaqa.com --dirsrv_pkcs12="/root/yi.server.cert.p12" --dirsrv_pin="redhat123"
    Determining current realm name
    Getting domain name from LDAP
    Preparing replica for server64.ipaqa.com from client64.ipaqa.com
    Copying SSL certificate for the Directory Server from /root/yi.server.cert.p12
    Copying SSL certificate for the Web Server from /root/yi.server.cert.p12
    Copying additional files
    error copying files: [Errno 2] No such file or directory: '/usr/share/ipa/html/preferences.html'

Created attachment 312683 [details] Don't assume that the Firefox autoconfig files exist.
master: cf06dd9f845c51e9b193a6b1612887acfc690f80
Bug verified.
Test platform: ipa master server: rhel 5.2 64bit, ipa replica server: rhel 5.2 32bit

Actual test (steps)
----------------------------------------
    server64[06/09/08 00:33]~ >ipa-server-certinstall -d ./yi.server.cert.p12 --dirsrv_pin=redhat123
    Directory Manager password:
    server64[06/09/08 00:33]~ >certutil -L /etc/dirsrv/slapd-IPAQA-COM/
    cacert.asc     certmap.conf     dse_original.ldif  pin.txt           secmod.db
    cacert.p12     dse.ldif         key3.db            pwdfile.txt       secmod.db.orig
    cert8.db       dse.ldif.bak     key3.db.orig       pwdfile.txt.orig  slapd-collations.conf
    cert8.db.orig  dse.ldif.startOK noise.txt          schema/
    server64[06/09/08 00:33]~ >certutil -L -d /etc/dirsrv/slapd-IPAQA-COM/

    Certificate Nickname                    Trust Attributes
                                            SSL,S/MIME,JAR/XPI

    yi-cert-01                              CT,C,
    yi-server-cert                          u,u,u
    server64[06/09/08 00:33]~ >ipa-server-certinstall -w ./yi.p12 --http_pin=redhat123
    server64[06/09/08 00:33]~ >ipa-server-certinstall -w ./yi.
    yi.p12               yi.server.cert.p12
    server64[06/09/08 00:33]~ >ipa-server-certinstall -w ./yi.server.cert.p12 --http_pin=redhat123
    server64[06/09/08 00:33]~ >certutil -L -d /etc/httpd/alias/

    Certificate Nickname                    Trust Attributes
                                            SSL,S/MIME,JAR/XPI

    yi-cert-01                              CT,C,
    yi-server-cert                          u,u,u
    server64[06/09/08 00:33]~ >ipa-replica-prepare ipaclient.ipaqa.com --http_pkcs12=/root/yi.server.cert.p12 --http_pin=redhat123 --dirsrv_pkcs12=/root/yi.server.cert.p12 --dirsrv_pin=redhat123
    Determining current realm name
    Getting domain name from LDAP
    Preparing replica for ipaclient.ipaqa.com from server64.ipaqa.com
    Copying SSL certificate for the Directory Server from /root/yi.server.cert.p12
    Copying SSL certificate for the Web Server from /root/yi.server.cert.p12
    Copying additional files
    Finalizing configuration
    Packaging the replica into /var/lib/ipa/replica-info-ipaclient.ipaqa.com

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHBA-2008-0643.html