Bug 452402 - ipa-replica-prepare assumes self-signed certificate
Status: CLOSED ERRATA
Product: freeIPA
Classification: Community
Component: ipa-admintools
Version: 1.0
Hardware/OS: All Linux
Priority: low
Severity: low
Assigned To: Rob Crittenden
Chandrasekar Kannan
Blocks: 453489
Reported: 2008-06-22 04:11 EDT by Eric Desgranges
Modified: 2015-01-04 18:33 EST
Doc Type: Bug Fix
Last Closed: 2008-08-04 14:21:32 EDT

Attachments
Rework the way PKCS#12 files are imported (29.66 KB, patch)
2008-07-11 11:46 EDT, Rob Crittenden
Don't assume that the Firefox autoconfig files exist. (3.20 KB, patch)
2008-07-25 17:07 EDT, Rob Crittenden

Description Eric Desgranges 2008-06-22 04:11:53 EDT
Description of problem: I use a certificate signed by a third party.
ipa-replica-prepare requests the CA key.

Instruction:
ipa-replica-prepare ft01.fronteranet.com
Result:
Determining current realm name
Getting domain name from LDAP
Preparing replica for ft01.fronteranet.com from directory.fronteranet.com
Creating SSL certificate for the Directory Server
certutil: unable to retrieve key CA certificate: The private key for this
certificate cannot be found in key database
preparation of replica failed: Command '/usr/bin/certutil -d
/tmp/tmplbnH0pipa/realm_info -A -n Server-Cert -t u,u,u -i
/tmp/tmplbnH0pipa/realm_info/tmpcert.der -f
/tmp/tmplbnH0pipa/realm_info/tmpcert.der' returned non-zero exit status 255
Command '/usr/bin/certutil -d /tmp/tmplbnH0pipa/realm_info -A -n Server-Cert -t
u,u,u -i /tmp/tmplbnH0pipa/realm_info/tmpcert.der -f
/tmp/tmplbnH0pipa/realm_info/tmpcert.der' returned non-zero exit status 255
  File "/usr/sbin/ipa-replica-prepare", line 201, in <module>
    main()

  File "/usr/sbin/ipa-replica-prepare", line 181, in main
    export_certdb(realm_name, ds_dir, dir, "dscert", "cn=%s,ou=Fedora Directory
Server" % replica_fqdn)
 .....
Comment 1 Eric Desgranges 2008-06-27 17:01:12 EDT
Someone's taking care of this bug?
Comment 2 Rob Crittenden 2008-06-30 14:53:35 EDT
Yes. Some bugs are more complex than others and take more time. Please be patient.
Comment 4 Rob Crittenden 2008-07-11 11:46:44 EDT
Created attachment 311595 [details]
Rework the way PKCS#12 files are imported
Comment 5 Rob Crittenden 2008-07-14 09:39:00 EDT
master: 6980b073035cdd43b30b58aba3ce7f84f16a14ad
Comment 7 Yi Zhang 2008-07-25 16:01:04 EDT
My test failed.

I did 2 tests: one is a regular ipa-replica-prepare, one is an install with new server
certs. Both failed and output the same error message.

test 1: regular:
[root@client64 alias]# ipa-replica-prepare ipaserver.ipaqa.com
Determining current realm name
Getting domain name from LDAP
Preparing replica for ipaserver.ipaqa.com from client64.ipaqa.com
Creating SSL certificate for the Directory Server
Creating SSL certificate for the Web Server
Copying additional files
error copying files: [Errno 2] No such file or directory:
'/usr/share/ipa/html/preferences.html'

test 2: with certs
[root@client64 alias]# ipa-replica-prepare
--http_pkcs12="/root/yi.server.cert.p12" --http_pin="redhat123"
server64.ipaqa.com --dirsrv_pkcs12="/root/yi.server.cert.p12"
--dirsrv_pin="redhat123" 
Determining current realm name
Getting domain name from LDAP
Preparing replica for server64.ipaqa.com from client64.ipaqa.com
Copying SSL certificate for the Directory Server from /root/yi.server.cert.p12
Copying SSL certificate for the Web Server from /root/yi.server.cert.p12
Copying additional files
error copying files: [Errno 2] No such file or directory:
'/usr/share/ipa/html/preferences.html'
Comment 8 Rob Crittenden 2008-07-25 17:07:20 EDT
Created attachment 312683 [details]
Don't assume that the Firefox autoconfig files exist.
Comment 9 Rob Crittenden 2008-07-28 10:03:08 EDT
master: cf06dd9f845c51e9b193a6b1612887acfc690f80
Comment 11 Yi Zhang 2008-07-29 12:29:36 EDT
Bug verified. 
Test platform: 
    ipa master server: rhel 5.2 64bit, 
    ipa replica server: rhel 5.2 32bit

Actual test (steps)
----------------------------------------
server64[06/09/08 00:33]~ >ipa-server-certinstall -d ./yi.server.cert.p12
--dirsrv_pin=redhat123
Directory Manager password: 
server64[06/09/08 00:33]~ >certutil -L /etc/dirsrv/slapd-IPAQA-COM/
cacert.asc         cacert.p12        cert8.db          cert8.db.orig
certmap.conf       dse.ldif          dse.ldif.bak      dse.ldif.startOK
dse_original.ldif  key3.db           key3.db.orig      noise.txt
pin.txt            pwdfile.txt       pwdfile.txt.orig  schema/
secmod.db          secmod.db.orig    slapd-collations.conf
server64[06/09/08 00:33]~ >certutil -L -d /etc/dirsrv/slapd-IPAQA-COM/ 

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

yi-cert-01                                                   CT,C,
yi-server-cert                                               u,u,u
server64[06/09/08 00:33]~ >ipa-server-certinstall -w ./yi.p12 --http_pin=redhat123
server64[06/09/08 00:33]~ >ipa-server-certinstall -w ./yi.
yi.p12              yi.server.cert.p12  
server64[06/09/08 00:33]~ >ipa-server-certinstall -w ./yi.server.cert.p12
--http_pin=redhat123
server64[06/09/08 00:33]~ >certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

yi-cert-01                                                   CT,C,
yi-server-cert                                               u,u,u
server64[06/09/08 00:33]~ >ipa-replica-prepare ipaclient.ipaqa.com
--http_pkcs12=/root/yi.server.cert.p12 --http_pin=redhat123
--dirsrv_pkcs12=/root/yi.server.cert.p12 --dirsrv_pin=redhat123
Determining current realm name
Getting domain name from LDAP
Preparing replica for ipaclient.ipaqa.com from server64.ipaqa.com
Copying SSL certificate for the Directory Server from /root/yi.server.cert.p12
Copying SSL certificate for the Web Server from /root/yi.server.cert.p12
Copying additional files
Finalizing configuration
Packaging the replica into /var/lib/ipa/replica-info-ipaclient.ipaqa.com
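The two certutil listings in the verification above show the distinction the original tool got wrong: a third-party CA that is merely trusted appears as "CT,C," (no "u" flag, so no private key in key3.db), while a certificate whose key is present appears as "u,u,u"; signing a new Server-Cert only works when the CA entry itself carries "u". The following added example (not FreeIPA code; written for this page) parses the `certutil -L -d <dir>` listing format shown above and decides whether a database can sign locally or whether the caller must supply ready-made PKCS#12 files, which is the path the fixed ipa-replica-prepare takes. The two embedded listings are constructed samples; the "IPA CA" nickname and the "CTu,Cu,Cu" self-signed layout are assumptions for illustration, not values from the bug.

```python
"""Inspect `certutil -L -d <dir>` output (NSS trust-attribute listing) and decide
whether the database holds a CA private key or only a third-party-issued cert."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample mirroring the /etc/httpd/alias listing in the bug: the
# third-party CA "yi-cert-01" is trusted (C flag) but has no key; the server
# cert "yi-server-cert" has its key (u flag in every column).
THIRD_PARTY_DB = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

yi-cert-01                                                   CT,C,
yi-server-cert                                               u,u,u
"""

# Constructed sample of the self-signed layout the old tool assumed (nickname
# "IPA CA" is a hypothetical name): the CA's own key lives in the database, so
# NSS prints "u" next to the CA trust letters.
SELF_SIGNED_DB = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA CA                                                       CTu,Cu,Cu
Server-Cert                                                  u,u,u
"""

# Trust attributes are three comma-separated flag sets: SSL, S/MIME, JAR/XPI.
# Any set may be empty, e.g. "CT,C," in the listing above.
TRUST_RE = re.compile(r"^([A-Za-z]*),([A-Za-z]*),([A-Za-z]*)$")


@dataclass
class CertEntry:
    nickname: str
    ssl: str
    smime: str
    jar: str

    @property
    def has_private_key(self) -> bool:
        # 'u' ("user cert") means the private key is present in key3.db.
        return "u" in self.ssl

    @property
    def trusted_ca(self) -> bool:
        # 'C' means the cert is trusted to issue server (SSL) certificates.
        return "C" in self.ssl


def parse_certutil_list(text: str) -> List[CertEntry]:
    """Parse the listing into entries; header lines and blanks are skipped."""
    entries: List[CertEntry] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("Certificate Nickname") \
                or line.strip().startswith("SSL,S/MIME"):
            continue
        # Nicknames may contain spaces, so split off only the last token.
        parts = line.rsplit(None, 1)
        if len(parts) != 2:
            continue
        nickname, trust = parts
        match = TRUST_RE.match(trust)
        if not match:
            continue  # not a cert line (e.g. stray shell text)
        entries.append(CertEntry(nickname.strip(), *match.groups()))
    return entries


def signing_ca(entries: List[CertEntry]) -> Optional[str]:
    """Nickname of a CA whose private key is in this database, if any."""
    for entry in entries:
        if entry.trusted_ca and entry.has_private_key:
            return entry.nickname
    return None


def replica_prepare_mode(listing: str) -> Tuple[str, Optional[str]]:
    """('sign', ca) when a local CA key can issue the replica's Server-Cert;
    ('import', None) when the caller must hand over PKCS#12 files instead."""
    ca = signing_ca(parse_certutil_list(listing))
    if ca is not None:
        return ("sign", ca)
    return ("import", None)


if __name__ == "__main__":
    for name, db in (("third-party", THIRD_PARTY_DB), ("self-signed", SELF_SIGNED_DB)):
        print(name, "->", replica_prepare_mode(db))
```

The check is the one the original certutil -A call skipped: it failed only at signing time with "The private key for this certificate cannot be found in key database". Inspecting the trust flags first turns that late, opaque error into an early, explicit decision.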
Comment 13 errata-xmlrpc 2008-08-04 14:21:32 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0643.html
