Hi folks,
I have one IPA server in production for my small environment. There I set Let’s Encrypt CA root and issue .p12 cert without problem.
Now, I want to install FreeIPA on VPS, but I have problem with Let’s encrypt SSL. I can’t import SSL.
First, I imported CA certificates:
ipa-cacert-manage -n DSTRootCAX3 -t C,, install DTSRootCAX3.pem
ipa-cacert-manage -n LetsEncryptX3 -t C,, install ca.cer
ipa-certupdate -v
That’s all ok.
But then I generate a new p12 with the command:
openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out ipa.p12 -certfile fullchain.pem
Then it asks me for a pass, and that is all OK.
When I run:
ipa-server-certinstall -w ipa.p12 -v
It asks me for the Directory pass and the pass which I entered in the step above, then I get an error:
ipalib.backend: DEBUG: Created connection context.ldap2_140380174158736
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', '/tmp/tmpauWQ5Z', '-N', '-f', '/tmp/tmpauWQ5Z/pwdfile.txt', '-@', '/tmp/tmpauWQ5Z/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/pk12util', '-d', 'dbm:/tmp/tmpauWQ5Z', '-i', 'ipa.p12', '-k', '/tmp/tmpauWQ5Z/pwdfile.txt', '-v', '-w', '/tmp/tmp66gfLt']
ipapython.ipautil: DEBUG: Process finished, return code=10
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=pk12util: File Open failed: ipa.p12: PR_FILE_NOT_FOUND_ERROR: File not found
ipapython.admintool: DEBUG:
  File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", line 116, in run
    self.replace_http_cert()
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", line 156, in replace_http_cert
    host_name=api.env.host
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", line 201, in load_pkcs12
    **kwargs)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/installutils.py", line 1151, in load_pkcs12
    raise ScriptError(str(e))
ipapython.admintool: DEBUG: The ipa-server-certinstall command failed, exception: ScriptError: Failed to load ipa.p12
ipapython.admintool: ERROR: Failed to load ipa.p12
ipapython.admintool: ERROR: The ipa-server-certinstall command failed.
Some ideas ?
*—*
*Petar Kozić* System Administrator
*mobile: *+381 6 callto:+381%2060%2006%2088%200084 83 44 310 *e-mail:* petar.kozic@mint.rs
Mint Services | Jove Ilića 140 | 11000 Beograd | Srbija
On 12/23/19 4:52 PM, Petar Kozić via FreeIPA-users wrote:
Hi, Did you try to provide the full path to ipa.p12? Check the file permissions?
flo
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Thank you, when I put the path it looks different, but with a new error :(
<TagSet object at 0x7f0e0fffed50 tags 0:32:16> not in asn1Spec: <OctetString schema object at 0x7f0e0fe17b50 tagSet <TagSet object at 0x7f0e1d9323d0 tags 0:0:4> encoding iso-8859-1>
The ipa-server-certinstall command failed.
On December 23, 2019 at 5:45:51 PM, Florence Blanc-Renaud (flo@redhat.com) wrote:
> Hi, Did you try to provide the full path to ipa.p12? Check the file permissions?
Full debug log:
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'dbm:/tmp/tmpBxKREw', '-V', '-n', "my.real.domain.name.is.here - Let's Encrypt", '-u', 'V', '-f', '/tmp/tmpBxKREw/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=certutil: certificate is valid
ipapython.ipautil: DEBUG: stderr=
ipapython.admintool: DEBUG:
  File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", line 116, in run
    self.replace_http_cert()
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", line 156, in replace_http_cert
    host_name=api.env.host
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", line 201, in load_pkcs12
    **kwargs)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/installutils.py", line 1193, in load_pkcs12
    nssdb.verify_server_cert_validity(key_nickname, host_name)
  File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 858, in verify_server_cert_validity
    cert.match_hostname(hostname)
  File "/usr/lib/python2.7/dist-packages/ipalib/x509.py", line 377, in match_hostname
    values = self.san_a_label_dns_names
  File "/usr/lib/python2.7/dist-packages/ipalib/x509.py", line 357, in san_a_label_dns_names
    gns = self.__pyasn1_get_san_general_names()
  File "/usr/lib/python2.7/dist-packages/ipalib/x509.py", line 350, in __pyasn1_get_san_general_names
    ext['extnValue'], asn1Spec=univ.OctetString())[0]
  File "/usr/lib/python2.7/dist-packages/pyasn1/codec/ber/decoder.py", line 1318, in __call__
    '%s not in asn1Spec: %r' % (tagSet, asn1Spec)
ipapython.admintool: DEBUG: The ipa-server-certinstall command failed, exception: PyAsn1Error: <TagSet object at 0x7f8213de2bd0 tags 0:32:16> not in asn1Spec: <OctetString schema object at 0x7f8213d827d0 tagSet <TagSet object at 0x7f8221816390 tags 0:0:4> encoding iso-8859-1>
ipapython.admintool: ERROR: <TagSet object at 0x7f8213de2bd0 tags 0:32:16> not in asn1Spec: <OctetString schema object at 0x7f8213d827d0 tagSet <TagSet object at 0x7f8221816390 tags 0:0:4> encoding iso-8859-1>
ipapython.admintool: ERROR: The ipa-server-certinstall command failed.
I found that it is a bug in a Python module. I solved it and installed my SSL when I did this:
https://bugs.launchpad.net/ubuntu/+source/pyasn1/+bug/1785157
Can this be a problem in the future if I continue using Let’s Encrypt?
On 12/24/19 10:26 AM, Petar Kozić via FreeIPA-users wrote:
> I found that it is a bug in a Python module. I solved it and installed my SSL when I did this:
> https://bugs.launchpad.net/ubuntu/+source/pyasn1/+bug/1785157
> Can this be a problem in the future if I continue using Let’s Encrypt?
Hi, the message looks similar to the one from issue 7685 (https://pagure.io/freeipa/issue/7685), which was solved in ipa 4.7.1. Which version of freeipa are you using? And which version of python3-pyasn1?
flo
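Added example, not part of the thread and not FreeIPA or pyasn1 code: the two tag triples in the error above are DER tags, 0:0:4 being OCTET STRING (what the decoder was told to expect) and 0:32:16 being SEQUENCE (what the bytes actually started with). The sketch below decodes those triples from constructed subjectAltName bytes and reads the dNSName entries whether or not the OCTET STRING wrapper is present; all function names and the example.test hostnames are assumptions made for illustration.

```python
# Added example; the DER bytes below are constructed, not the poster's certificate.
OCTET_STRING = (0x00, 0x00, 4)    # pyasn1 prints this tag as 0:0:4
SEQUENCE = (0x00, 0x20, 16)       # pyasn1 prints this tag as 0:32:16
DNS_NAME = (0x80, 0x00, 2)        # GeneralName dNSName, context tag [2]


def der(tag_byte, content):
    """Encode one DER TLV (short or long definite length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag_byte, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag_byte, 0x80 | len(size)]) + size + content


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    first = buf[pos]
    tag = (first & 0xC0, first & 0x20, first & 0x1F)  # class, format, id
    if tag[2] == 0x1F:
        raise ValueError("high tag numbers are not used by these types")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        count = length & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("bad length octets")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length


def show(tag):
    """Format a tag the way the pyasn1 error message does."""
    return "%d:%d:%d" % tag


def unwrap_octet_string(buf):
    """Strict unwrap: rejects a SEQUENCE the same way the traceback does."""
    tag, value, _ = read_tlv(buf)
    if tag != OCTET_STRING:
        raise ValueError("tags %s not in asn1Spec: OctetString tags %s"
                         % (show(tag), show(OCTET_STRING)))
    return value


def san_dns_names(extn_value):
    """dNSName entries from a SAN value, with or without the OCTET STRING wrapper."""
    tag, value, _ = read_tlv(extn_value)
    if tag == OCTET_STRING:
        tag, value, _ = read_tlv(value)
    if tag != SEQUENCE:
        raise ValueError("expected GeneralNames SEQUENCE, got tags " + show(tag))
    names, pos = [], 0
    while pos < len(value):
        item_tag, item, pos = read_tlv(value, pos)
        if item_tag == DNS_NAME:
            names.append(item.decode("ascii"))
    return names


def covers(names, hostname):
    """Exact match, or a '*.' entry matching exactly one left-most label."""
    host = hostname.lower().rstrip(".")
    for name in (n.lower() for n in names):
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


# Constructed sample: GeneralNames with two dNSName entries, bare and wrapped.
GENERAL_NAMES = der(0x30, der(0x82, b"ipa.example.test") + der(0x82, b"*.apps.example.test"))
WRAPPED = der(0x04, GENERAL_NAMES)

if __name__ == "__main__":
    print(show(read_tlv(WRAPPED)[0]), show(read_tlv(GENERAL_NAMES)[0]))
    print(san_dns_names(WRAPPED), covers(san_dns_names(GENERAL_NAMES), "ipa.example.test"))
```
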