When ipa-replica-prepare is run on a replica (not the original master), it crashes. In my case, the servers were self-signed.
ipa-replica-prepare
# ipa-replica-prepare foo1.idm.lab.bos.redhat.com --ip-address=10.16.81.1
Directory Manager (existing master) password:
Preparing replica for foo1.idm.lab.bos.redhat.com from vm-102.idm.lab.bos.redhat.com
Creating SSL certificate for the Directory Server
certutil: unable to retrieve key IDM.LAB.BOS.REDHAT.COM IPA CA: The private key for this certificate cannot be found in key database
preparation of replica failed: Command '/usr/bin/certutil -d /tmp/tmp9FgUOuipa/realm_info -A -n Server-Cert -t u,u,u -i /var/lib/ipa/ipa-lJu4tj/tmpcert.der -f /tmp/tmp9FgUOuipa/realm_info/pwdfile.txt' returned non-zero exit status 255
Command '/usr/bin/certutil -d /tmp/tmp9FgUOuipa/realm_info -A -n Server-Cert -t u,u,u -i /var/lib/ipa/ipa-lJu4tj/tmpcert.der -f /tmp/tmp9FgUOuipa/realm_info/pwdfile.txt' returned non-zero exit status 255
  File "/usr/sbin/ipa-replica-prepare", line 468, in <module>
    main()
  File "/usr/sbin/ipa-replica-prepare", line 343, in main
    export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert", replica_fqdn, subject_base)
  File "/usr/sbin/ipa-replica-prepare", line 136, in export_certdb
    raise e
This happens only on a self-signed server.
We should fix it so it won't crash but with self-signed the CA exists only on the original install. We should probably reject cert requests on replicas for the same reason.
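The preflight the comment above asks for, as an added example that is not FreeIPA's own code: it parses the output of certutil -K and refuses to proceed on a host whose NSS database does not hold the selfsign CA private key, instead of failing inside certutil. The CA nickname is the one from the ticket's error output; the key ids in the sample listings and the database paths are constructed or assumed.

```shell
#!/bin/sh
# Added preflight for ipa-replica-prepare (not FreeIPA's own code). A selfsign CA's
# private key exists only in the original master's NSS database, so the tool should
# refuse to run on any host whose database lacks that key rather than crash inside
# certutil. ca_key_present() parses `certutil -K` output, one key per line, with the
# nickname as the trailing field.

CA_NICK='IDM.LAB.BOS.REDHAT.COM IPA CA'   # nickname taken from the ticket's error output

# Usage: ca_key_present "<certutil -K output>" "<nickname>"; 0 if the key is listed, else 1.
ca_key_present() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        # Key lines look like "< 0> rsa   <key id>   <nickname>"; the token banner is skipped.
        /^<[ 0-9]+>/ {
            line = $0
            sub(/^<[ 0-9]+>[[:space:]]+[a-z]+[[:space:]]+[0-9a-f]+[[:space:]]+/, "", line)
            if (line == nick) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Live check against a DS NSS database; db_dir and pwdfile are the caller's own paths.
preflight() {
    db_dir=$1; pwdfile=$2
    listing=$(certutil -K -d "$db_dir" -f "$pwdfile" 2>/dev/null) || listing=''
    if ca_key_present "$listing" "$CA_NICK"; then
        echo "CA private key '$CA_NICK' present in $db_dir; replica prepare can proceed"
        return 0
    fi
    echo "A selfsign CA can only prepare replicas on the original master ($db_dir lacks '$CA_NICK')" >&2
    return 1
}

# Constructed sample listings (key ids are made up) standing in for the master and a replica.
MASTER_LISTING='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d   IDM.LAB.BOS.REDHAT.COM IPA CA
< 1> rsa      ffeeddccbbaa99887766554433221100ffeeddcc   Server-Cert'
REPLICA_LISTING='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      ffeeddccbbaa99887766554433221100ffeeddcc   Server-Cert'
```

Run preflight against the Directory Server instance's NSS directory and password file before invoking ipa-replica-prepare; a non-zero return means this host is not the original master.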
I can't reproduce this:
A selfsign CA backend can only prepare on the original master
In that case, I think we can close this ticket as invalid. It may have been fixed as a "side-effect" in another ticket.
Metadata Update from @mkosek:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/01