10:07 a.m.
After some plumbing and manual operations I managed to have CA running during installation
of the FreeIPA server. Currently the install fails in :
Configuring directory server (dirsrv)
[2/3]: adding CA certificate entry
args=['/usr/bin/certutil', '-d',
'dbm:/etc/dirsrv/slapd-IPA-LOCAL/', '-O', '--simple-self-signed',
'-n', 'IPA.LOCAL IPA CA', '-f',
'/etc/dirsrv/slapd-IPA-LOCAL/pwdfile.txt']
The installation seems to fail due to the fact that certutil does not support
--simple-self-signed parameter.
Does anybody know if there is a version of libnss3-tools for Ubuntu 18.04 which does
have a certutil package which support the option invoked or if the option can be
disabled/removed during install ?
11:01 a.m.
New subject: Installation fails in adding CA certificate entry - certutil does not support --seimple-self-signed
On 12/15/20 5:07 PM, iulian roman via FreeIPA-users wrote:
After some plumbing and manual operations I managed to have CA
running during installation of the FreeIPA server. Currently the install fails in :
Configuring directory server (dirsrv)
[2/3]: adding CA certificate entry
args=['/usr/bin/certutil', '-d',
'dbm:/etc/dirsrv/slapd-IPA-LOCAL/', '-O', '--simple-self-signed',
'-n', 'IPA.LOCAL IPA CA', '-f',
'/etc/dirsrv/slapd-IPA-LOCAL/pwdfile.txt']
The installation seems to fail due to the fact that certutil does not support
--simple-self-signed parameter.
Does anybody know if there is a version of libnss3-tools for Ubuntu 18.04 which does
have a certutil package which support the option invoked or if the option can be
disabled/removed during install ?
Hi,
On ubuntu I don't know which version is shipped but on fedora the option
was introduced in nss 3.38.
The option was added in IPA to fix https://pagure.io/freeipa/issue/7926
(cert renewal failing when ipa ca cert is renewed from self-signed >
external ca > self-sign). Unless you are intending to change your
certificate chaining, it won't affect your install.
flo
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
8:15 a.m.
New subject: Installation fails in adding CA certificate entry - certutil does not support --seimple-self-signed
Thank you for the info. My problem is that the installation exists with error because
certutil does not support --simple-self-signed option.
Is there is any option i can use to workaround that and continue with the installation ?
8:26 a.m.
New subject: Installation fails in adding CA certificate entry - certutil does not support --seimple-self-signed
On ke, 16 joulu 2020, iulian roman via FreeIPA-users wrote:
Thank you for the info. My problem is that the installation exists
with
error because certutil does not support --simple-self-signed option.
Is there is any option i can use to workaround that and continue with
the installation ?
Aside from modifying ipapython/certdb.py's
NSSDatabase.get_trust_chain() to remove the option? No.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
8:38 a.m.
New subject: Installation fails in adding CA certificate entry - certutil does not support --seimple-self-signed
Yes, that is what I've already done. It was enough to complete the install . I thought
I can avoid the plumbing and there is an updated libnss3-tools in some ppa repos , in
order to have a standard installation.
1228
days inactive
1229
days old
freeipa-users@lists.fedorahosted.org
4 comments
3 participants
participants (3)
-
Alexander Bokovoy -
Florence Blanc-Renaud -
iulian roman