[Freeipa-devel] [PATCH] Patch to allow IPA to work with dogtag 10 on f18

Martin Kosek mkosek at redhat.com
Thu Aug 16 06:03:35 UTC 2012


On 08/16/2012 05:41 AM, Ade Lee wrote:
> On Wed, 2012-08-15 at 16:34 +0200, Martin Kosek wrote:
..
>>>> 3) I had installed IPA with dogtag10 on master. Replica had dogtag10 as well
>>>> and I got the following error:
>>>>
>>>> # ipa-ca-install /home/mkosek/replica-info-vm-114.idm.lab.bos.redhat.com.gpg
>>>> ...
>>>> Configuring certificate server: Estimated time 3 minutes 30 seconds
>>>>   [1/14]: creating certificate server user
>>>>   [2/14]: configuring certificate server instance
>>>>
>>>> Your system may be partly configured.
>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>
>>>> Unexpected error - see /var/log/ipareplica-ca-install.log for details:
>>>> IOError: [Errno 2] No such file or directory:
>>>> '/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12'
>>>>
>>>> Root cause:
>>>> ...
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
>>>> 625, in __spawn_instance
>>>>     "/root/cacert.p12")
>>>> ...
>>>>
>>> I need to look into this.  I had fixed ipa-replica-install, rather than
>>> ipa-ca-install to create replicas.  I didn't know ipa-ca-install
>>> existed!  Should not be too bad to fix though - most likely just need to
>>> move files to the right place.
>>
>> Ok, thanks! BTW, the CA on a replica can be installed either during
>> ipa-replica-install time (when the --setup-ca option is passed; you probably used
>> that one) or by the aforementioned ipa-ca-install run after ipa-replica-install.
>>
> I will be testing this out again.  As ipa-ca-install uses the same code
> as ipa-replica-install, I would have expected it to work.  Did you try
> it with selinux in permissive mode?

I had SELinux in enforcing mode. ipa-server-install with SELinux worked fine,
so I thought that replica installation would work fine too. I will re-test with
SELinux turned off.

...
>> 7) The pki-deploy package does not require any other pki-* package; this does not
>> look OK. This way I was able to have pki-ca-9.* and pki-deploy-10.* installed
>> at the same time. I doubt it would work that way.
>>
> We have opened a dogtag ticket to address this. Some kind of dependency
> will be added so that pki-deploy and pki-common-10 are co-dependencies.
> 
>> 8) Did you test the upgrade from installed IPA+dogtag9 to patched IPA+dogtag10? I
>> did that on Fedora 17 and pki-ca did not start after the upgrade. Attaching logs from my
>> VM after I tried to (re)start pki-ca.
>>
> I did test this.  From the logs though, this looks very much like it is
> not starting because of selinux.  Can you try to restart with selinux
> permissive?  I fully expect there to be selinux issues here as some
> changes are required in the base policy where the default ports are
> defined.
> 

Ok then. I will test it with permissive SELinux as well.

Thanks,
Martin
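The thread's suggestion is to re-test with SELinux in permissive mode to see whether the port-policy changes Ade mentions are what keeps pki-ca from starting. Before flipping to permissive, a practitioner would usually confirm the hypothesis from the audit log: a `name_bind` AVC denial for the Tomcat process on the new default ports is the tell-tale sign. The script below is an added example (not code from the thread, FreeIPA or Dogtag) that scans audit.log-format lines for such denials and reports the port, the port's SELinux type and the process. The audit lines, the `pki_tomcat_t` domain and the port labels in them are constructed for the example; on a real host you would feed it `ausearch -m AVC -ts recent` output instead.

```shell
#!/bin/sh
# Added example: find SELinux name_bind denials in audit.log-style input.
# Run on a real host as:  ausearch -m AVC -ts recent | sh this_script.sh
# Everything below is illustrative; the log lines are constructed, not captured.

# Constructed sample audit.log excerpt (hypothetical domain and port types).
SAMPLE_AUDIT='type=AVC msg=audit(1345100000.123:456): avc:  denied  { name_bind } for  pid=1234 comm="java" src=8443 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1345100000.125:457): avc:  denied  { name_bind } for  pid=1234 comm="java" src=8080 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1345100001.001:458): avc:  denied  { read } for  pid=1234 comm="java" name="ca_backup_keys.p12" scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1345100000.123:456): arch=c000003e syscall=49 success=no exit=-13'

# bind_denials TEXT
# Prints one line per name_bind AVC denial: "<port> <tcontext> <comm>".
# Only AVC records containing "denied" and the name_bind permission are
# considered; file-access denials and SYSCALL records are ignored.
bind_denials() {
    printf '%s\n' "$1" | awk '
        /type=AVC/ && /denied/ && /name_bind/ {
            port = ""; tctx = ""; comm = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "src") port = kv[2]
                else if (kv[1] == "tcontext") tctx = kv[2]
                else if (kv[1] == "comm") { gsub(/"/, "", kv[2]); comm = kv[2] }
            }
            print port, tctx, comm
        }'
}

# count_bind_denials TEXT
# Number of name_bind denials found, as a bare integer.
count_bind_denials() {
    bind_denials "$1" | wc -l | tr -d ' '
}

# port_type TCONTEXT
# Extracts the SELinux type (third field) from a tcontext label.
port_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Report what was found and what a policy fix would look like.
# The semanage invocation is the generic way to relabel a port; which
# target type is right for a given port is a policy decision, not shown here.
n=$(count_bind_denials "$SAMPLE_AUDIT")
echo "name_bind denials found: $n"
bind_denials "$SAMPLE_AUDIT" | while read -r port tctx comm; do
    echo "  $comm could not bind tcp/$port (port labelled $(port_type "$tctx"))"
    echo "    to inspect: semanage port -l | grep -w $port"
    echo "    to relabel: semanage port -a -t <desired_port_t> -p tcp $port"
done
if [ "$n" -gt 0 ]; then
    echo "Denials present: 'setenforce 0' will confirm, but fix the policy before going back to enforcing."
fi
```

If the count is zero while the service still fails, SELinux is not the cause and the install log rather than the audit log is where to look; if it is non-zero, permissive mode (`setenforce 0`, checked with `getenforce`) confirms the diagnosis but is only a test setting, since the CA should run enforcing once the port labels in the policy are corrected.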
