ipa-replica-install fails with cert errors while adding externally signed CA cert

Solution Verified

Issue

When running the ipa-replica-install command with externally signed certificate files for dirsrv and http, the installation fails (after dirsrv is configured and initial replication has completed) with the following errors recorded in the ipareplica-install.log file:

  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 364, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1530, in promote
    custodia.import_dm_password(config.master_host_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 116, in import_dm_password
    cli.fetch_key('dm/DMHash')
  File "/usr/lib/python2.7/site-packages/ipapython/secrets/client.py", line 97, in fetch_key
    params={'type': 'kem', 'value': request})
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 68, in get
    return request('get', url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 50, in request
    response = session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 464, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 576, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 431, in send
    raise SSLError(e, request=request)

2017-02-28T12:46:32Z DEBUG The ipa-replica-install command failed, exception: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
2017-02-28T12:46:32Z ERROR [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
2017-02-28T12:46:32Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

Environment

Red Hat Enterprise Linux Server release 7.3 (Maipo)
ipa-server-4.4.0-12.el7.x86_64
