ipa-replica-install fails with cert errors while adding externally signed CA cert
Issue
When running the ipa-replica-install command with externally signed certificate files for dirsrv and http, the installation fails (after dirsrv is configured and initial replication has completed) with the following errors captured in the ipareplica-install.log file:
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 364, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1530, in promote
    custodia.import_dm_password(config.master_host_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 116, in import_dm_password
    cli.fetch_key('dm/DMHash')
  File "/usr/lib/python2.7/site-packages/ipapython/secrets/client.py", line 97, in fetch_key
    params={'type': 'kem', 'value': request})
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 68, in get
    return request('get', url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 50, in request
    response = session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 464, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 576, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 431, in send
    raise SSLError(e, request=request)

2017-02-28T12:46:32Z DEBUG The ipa-replica-install command failed, exception: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
2017-02-28T12:46:32Z ERROR [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
2017-02-28T12:46:32Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Environment
Red Hat Enterprise Linux Server release 7.3 (Maipo)
ipa-server-4.4.0-12.el7.x86_64