IdM/IPA server install error with external CA, "certutil: could not add certificate to token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to database"

Solution Verified - Updated -

Issue

IdM / IPA server installation with an external CA certificate fails with the following error:

ipa-server-install --mkhomedir -p password -a password -r EXAMPLE.COM -n example.com --dirsrv_pkcs12=/root/cert-bundle.pk12 --dirsrv_pin=password --http_pkcs12=/root/cert-bundle.pk12 --http_pin=password --root-ca-file=/root/ca-root.pem --hostname=ipaserver1.example.com -U
...
2014-07-24T21:58:26Z DEBUG stdout="Root CA" [CN=Root CA,DC=testlab,DC=local]
  "EOMLAB ADA Internal Intermediate CA - local" [CN=Intermediate CA 1,DC=testlab,DC=local]
    "EOMLAB ADA Internal Issuing CA GO01 - local" [CN=Intermediate CA 2,DC=testlab,DC=local]
      "ipaserver1.example.com - local" [CN=ipaserver1.example.com,OU=EXAMPLE]
...
2014-07-24T21:58:28Z DEBUG args=/usr/bin/certutil -d /etc/pki/nssdb -A -n External CA cert -t CT,, -a
2014-07-24T21:58:28Z DEBUG Process finished, return code=255
2014-07-24T21:58:28Z DEBUG stdout=
2014-07-24T21:58:28Z DEBUG stderr=certutil: could not add certificate to token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to database.

2014-07-24T21:58:28Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 638, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-server-install", line 1122, in main
    'External CA cert', 'CT,,', options.root_ca_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 232, in import_pem_cert
    self.add_single_pem_cert(nickname, flags, cert)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 247, in add_single_pem_cert
    stdin=cert)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 119, in run_certutil
    return ipautil.run(new_args, stdin)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 328, in run
    raise CalledProcessError(p.returncode, arg_string, stdout)

2014-07-24T21:58:28Z DEBUG The ipa-server-install command failed, exception: CalledProcessError: Command '/usr/bin/certutil -d /etc/pki/nssdb -A -n External CA cert -t CT,, -a' returned non-zero exit status 255

Environment

Red Hat Enterprise Linux 7
ipa-server 3
