Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1256038
Description of problem: When trying to create a replica as part of the upgrade process from RHEL 6.7 to 7.1, ipa-replica-install fails to parse the cert chain in dscert.p12.

Version-Release number of selected component (if applicable): The replica information was created on RHEL 6.7 with the following ipa packages:

* ipa-server et al: 3.0.0-47
* pki-ca et al: 9.0.3-43

ipa-replica-install is run on RHEL 7.1 ipa-server-4.1.0-18.el7_1.4 etc. pki-base-10.1.2-7.el7 etc.

ipa-replica-install is run with the following command line: --setup-ca --ip-address={IPADDRESS] -N --setup-dns --no-forwarders -U

The problem appears to be truncation of the server-cert name in /usr/lib/python2.7/site-packages/ipaserver/install/certs.py

The following patch allowed me to proceed:

--- /usr/lib/python2.7/site-packages/ipaserver/install/certs.py.orig 2015-08-23 00:28:21.223510211 -0400 +++ /usr/lib/python2.7/site-packages/ipaserver/install/certs.py 2015-08-23 00:28:48.791493470 -0400 @@ -629,7 +629,7 @@ # We only handle one server cert nickname = server_certs[0][0] - ca_names = self.find_root_cert(nickname)[:-1] + ca_names = self.find_root_cert(nickname) if len(ca_names) == 0: raise RuntimeError("Could not find a CA cert in %s" % pkcs12_fname)
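Review bot: Dropping `[:-1]` on the `ca_names` line weakens the `len(ca_names) == 0` guard that follows it. With the slice, a single-element result from `find_root_cert(nickname)` became an empty list and raised the "Could not find a CA cert" RuntimeError; without it, only an empty result does. The patch gives no indication of which element the slice was meant to exclude, so it is not clear from these lines whether that element should now be treated as a CA name for every PKCS#12 file or only for files produced by the older release. If the last element is the server certificate's own nickname, filtering it explicitly by comparing against `nickname` would be safer than removing the slice unconditionally, and a comment stating what `find_root_cert` returns and in what order would make the intent reviewable.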
Related BZ was closed as insufficient data. There were multiple fixes in 7.3 regarding cert validation and some enhancements in the ipa-cacert-manage tool. Closing given that there has been inactivity for 11 months.
Metadata Update from @jcholast: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.4.x