Steven Jones wrote:
> =====
> cACertificate;binary:: TUlJQ0NUQ0NBWEtnQX........8><---

Now you need to replace the contents of this double-encoded value with an
actual binary value. First create the necessary file:

$ openssl x509 -inform pem -outform der -in /etc/ipa/ca.crt -out /tmp/ca.der

Now replace what is there with the contents of the file, replacing
dc=example,dc=com with your basedn:

$ kinit admin
$ ldapmodify -Y GSSAPI
dn: cn=CACert,cn=ipa,cn=etc,dc=example,dc=com
changetype: modify
replace: cacertificate;binary
cacertificate;binary:< file:///tmp/ca.der
<hit return to signal you are done>
modifying entry "cn=CACert,cn=ipa,cn=etc,dc=example,dc=com"
ctrl-D to quit

This is assuming that you have a single CA certificate in /etc/ipa/ca.crt.
This is *not* the best assumption to make. Be careful.

rob

> =====
>
> :(
>
> So now what?
>
> regards
>
> Steven
> ________________________________________
> From: Rob Crittenden <[email protected]>
> Sent: Tuesday, 17 February 2015 12:08 p.m.
> To: Steven Jones
> Cc: [email protected]
> Subject: Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into
> a RHEL6.6 cluster so I can upgrade.
>
> Steven Jones wrote:
>> ?
>>
>> ====
>> [root@xx ipa]# ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX
>> SASL/GSSAPI authentication started
>> SASL username: xxxx
>> SASL SSF: 56
>> SASL data security layer installed.
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=CAcert,cn=ipa,cn=etc,> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # search result
>> search: 4
>> result: 32 No such object
>>
>> # numResponses: 1
>
> Did you literally use $SUFFIX? You need to use dc=example,dc=com,
> whatever is appropriate for your install.
>
> rob
>
>>
>> ====
>>
>> regards
>>
>> Steven
>> ________________________________________
>> From: Rob Crittenden <[email protected]>
>> Sent: Tuesday, 17 February 2015 10:59 a.m.
>> To: Steven Jones
>> Cc: [email protected]
>> Subject: Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into
>> a RHEL6.6 cluster so I can upgrade.
>>
>> Steven Jones wrote:
>>> Hi,
>>>
>>> I have no idea how.
>>
>> $ kinit admin
>> $ ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX
>>
>> It should have an attribute cACertificate;binary likely beginning with
>> MII. If it begins with TU then it is likely double-encoded.
>>
>> And remember, this may be a red herring.
>>
>> rob
>>
>>>
>>> regards
>>>
>>> Steven
>>> ________________________________________
>>> From: Rob Crittenden <[email protected]>
>>> Sent: Tuesday, 17 February 2015 10:40 a.m.
>>> To: Steven Jones
>>> Cc: [email protected]
>>> Subject: Re: [Freeipa-users] trying to get a RHEL7.1 beta second master
>>> into a RHEL6.6 cluster so I can upgrade.
>>>
>>> Steven Jones wrote:
>>>> While attempting to initialise the new server I am getting,
>>>>
>>>>
>>>> [root@xx <mailto:root@vuwunicoipam001> replica-files]# ipa-replica-install
>>>> --setup-dns --forwarder=10.100.32.31 --no-reverse replica-info-xxx.gpg
>>>> --skip-conncheck --debug
>>>>
>>>>
>>>> =====8><----
>>>> packages/ipaserver/install/plugins/update_uniqueness.py'
>>>> ipa : DEBUG importing plugin module
>>>> '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py'
>>>> ipa : DEBUG importing plugin module
>>>> '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/upload_cacrt.py'
>>>> ipa.ipaserver.install.installutils: DEBUG group dirsrv exists
>>>> ipa.ipaserver.install.installutils: DEBUG user dirsrv exists
>>>> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Created connection
>>>> context.ldap2_59928528
>>>> ipa.ipapython.ipaldap.SchemaCache: DEBUG flushing
>>>> ldaps://vuwunicoipam002.ods.vuw.ac.nz from SchemaCache
>>>> ipa.ipapython.ipaldap.SchemaCache: DEBUG retrieving schema for
>>>> SchemaCache url=ldaps://vuwunicoipam002.ods.vuw.ac.nz
>>>> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x39d9ef0>
>>>> error copying files: failed to decode certificate:
>>>> (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>>>> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Destroyed connection
>>>> context.ldap2_59928528
>>>> ipa : DEBUG File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line
>>>> 646, in run_script
>>>> return_value = main_function()
>>>>
>>>> File "/sbin/ipa-replica-install", line 658, in main
>>>> install_ca_cert(conn, api.env.basedn, api.env.realm, cafile)
>>>>
>>>> File "/sbin/ipa-replica-install", line 227, in install_ca_cert
>>>> sys.exit(1)
>>>>
>>>> ipa : DEBUG The ipa-replica-install command failed, exception:
>>>> SystemExit: 1
>>>>
>>>> ========
>>>>
>>>>
>>>> Any idea what is wrong please?
>>>
>>> What a strange error. My initial thought was that it couldn't read or
>>> parse the CA cert from the 3.0 master, but this security library error
>>> is unexpected.
>>>
>>> I might be sending you on a wild goose chase but take a look at the CA
>>> cert in cn=CAcert,cn=ipa,cn=etc,$SUFFIX
>>>
>>> There was a bug quite a while back where the cert value was
>>> double-base64-encoded. I wouldn't expect this error from this problem
>>> but who knows.
>>>
>>> rob
>>>
>>
>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
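The "MII" versus "TU" heuristic in the thread can be checked mechanically before touching the directory with ldapmodify. The script below is an added example, not FreeIPA code and not from anyone on this thread: it takes one LDIF attribute line as ldapsearch prints it (`attr:: base64`), decodes it, and decides whether the stored octets are a DER SEQUENCE (a real certificate starts with tag 0x30, which base64-encodes to "MII") or are themselves base64 text (the double-encoded case, where the outer layer decodes to "MII..." and the raw LDIF shows "TUlJ..."). The DER check verifies the encoded length matches the payload rather than relying on the prefix alone. The sample value is a constructed SEQUENCE of 256 filler bytes, not a real CA certificate; the function and constant names are the example's own.

```python
import base64
import binascii

# Constructed sample: a minimal DER SEQUENCE, not a real certificate.
# 0x30 = SEQUENCE tag, 0x82 = two length bytes follow, 0x0100 = 256 content bytes.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def der_sequence_length_ok(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE whose encoded length matches."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length
        hdr, length = 2, first
    else:                                 # long form: low 7 bits = number of length bytes
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or len(data) < 2 + nbytes:
            return False
        hdr = 2 + nbytes
        length = int.from_bytes(data[2:hdr], "big")
    return len(data) == hdr + length


def classify(decoded: bytes) -> str:
    """Classify the octets an LDAP client got back for cACertificate;binary."""
    if der_sequence_length_ok(decoded):
        return "der"
    # If the stored octets are base64 text that decodes to DER, the value was
    # base64-encoded one time too many ("MII..." text instead of 0x30 0x82 ...).
    try:
        inner = base64.b64decode(decoded, validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    if der_sequence_length_ok(inner):
        return "double-encoded"
    return "unknown"


def parse_ldif_attribute(line: str):
    """Split one LDIF line ('attr:: base64' or 'attr: text') into (attr, raw bytes)."""
    if ":: " in line:
        attr, value = line.split(":: ", 1)
        return attr, base64.b64decode(value)
    attr, value = line.split(": ", 1)
    return attr, value.encode()


def repair(decoded: bytes) -> bytes:
    """Return correct DER bytes, undoing one extra base64 layer if present."""
    kind = classify(decoded)
    if kind == "der":
        return decoded
    if kind == "double-encoded":
        return base64.b64decode(decoded, validate=True)
    raise ValueError("value is neither DER nor base64-of-DER")


def ldif_line(attr: str, der: bytes) -> str:
    """Render a binary value the way ldapsearch prints it (single base64 layer)."""
    return f"{attr}:: {base64.b64encode(der).decode()}"


# Constructed LDIF lines: a healthy entry, and one stored with the extra layer.
SAMPLE_GOOD_LINE = ldif_line("cACertificate;binary", SAMPLE_DER)
SAMPLE_BAD_LINE = ldif_line("cACertificate;binary", base64.b64encode(SAMPLE_DER))


if __name__ == "__main__":
    for line in (SAMPLE_GOOD_LINE, SAMPLE_BAD_LINE):
        attr, raw = parse_ldif_attribute(line)
        print(line[:40] + "...", "->", classify(raw))
```

Run it against the real line from `ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,<basedn>` by passing that line to `parse_ldif_attribute` and then `classify`; only when it reports "double-encoded" does the ldapmodify replacement above apply, and `repair` gives the DER bytes to compare against `/tmp/ca.der` before writing anything.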
