<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Carefully following the instructions here:<div class=""><br class=""></div><div class=""><a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html" class="">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html</a></div><div class=""><br class=""></div><div class="">I have split one of my CentOS 6.6 based replicas from the main cluster of 4 IDM servers, fully disconnected it from the current IDM infrastructure, converted it to a master CA, double checked that I have no dangling/tombstone entries pointing back to other cluster members, ipa-replica-manage list and ipa-replica-manage list-ruv both show no other masters, in short, made absolutely sure that this replica is now a standalone.</div><div class=""><br class=""></div><div class="">I then applied the schema updates via the python script per the above-referenced instructions, did “ipa-replica-prepare”, deployed a new CentOS 7 VM, yum install ipa-server there, scp’d over the replica file.</div><div class=""><br class=""></div><div class="">Next up, “ipa-replica-install --setup-ca”.</div><div class=""><br class=""></div><div class="">And that’s where the story ends…</div><div class=""><br class=""></div><div class=""><div class="">Done configuring directory server (dirsrv).</div><div class="">Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds</div><div class="">  [1/19]: creating certificate server user</div><div class="">  [2/19]: configuring certificate server instance</div><div class="">ipa         : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpM9BzPz' returned 
non-zero exit status 1</div><div class=""><br class=""></div><div class="">Your system may be partly configured.</div><div class="">Run /usr/sbin/ipa-server-install --uninstall to clean up.</div><div class=""><br class=""></div><div class="">Configuration of CA failed</div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">I tried the workaround mentioned here:</div><div class=""><br class=""></div><div class=""><a href="https://fedorahosted.org/pki/ticket/816" class="">https://fedorahosted.org/pki/ticket/816</a></div><div class=""><br class=""></div><div class="">updated /usr/share/pki/ca/conf/CS.cfg before running ipa-replica-install</div><div class=""><br class=""></div><div class="">But no luck.</div><div class=""><br class=""></div><div class="">Anybody have a clue where I should look?</div><div class=""><br class=""></div><div class="">From pki-ca-spawn.20150114014019.log:</div><div class="">2015-01-14 01:40:32 pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: Failed to obtain installation token from security domain</div><div class=""><br class=""></div><div class="">and in /var/log/pki/pki-tomcat/ca/server I have:</div><div class=""><br class=""></div><div class=""><div class="">2754.localhost-startStop-1 - [14/Jan/2015:01:40:29 UTC] [3] [3] Cannot build CA chain. 
Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate</div><div class="">2754.localhost-startStop-1 - [14/Jan/2015:01:40:29 UTC] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value</div></div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">More info that might help…</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><div class="">[root@sso-centos7 pki]# certutil -L -d /var/lib/pki/pki-tomcat/alias</div><div class=""><br class=""></div><div class="">Certificate Nickname                                         Trust Attributes</div><div class="">                                                             SSL,S/MIME,JAR/XPI</div><div class=""><br class=""></div><div class="">Server-Cert cert-pki-ca                                      CTu,Cu,Cu</div><div class="">Certificate Authority - PLACEIQ.NET                          CT,c,</div></div><div class=""><br class=""></div><div class="">My CS.cfg is attached.</div><div class=""></div></div></body></html>
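As an added example (not part of the mail above or of the FreeIPA/Dogtag tooling), a small Python pre-flight script that checks for the two conditions the quoted logs report: a CS.cfg property that is present but has no value, and an NSS nickname whose trust flags mark it as a CA but that has no private key ('u' flag). The certutil listing and the CS.cfg fragment are constructed inline; the host name in the fragment is an assumption.

```python
"""Added example: offline checks modelled on the two log messages in the mail.
On a real host, feed it the output of `certutil -L -d /var/lib/pki/pki-tomcat/alias`
and the contents of CS.cfg instead of the inline samples."""
import re

# Constructed sample mirroring the certutil listing quoted in the mail.
CERTUTIL_OUTPUT = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      CTu,Cu,Cu
Certificate Authority - PLACEIQ.NET                          CT,c,
"""

# Constructed CS.cfg fragment: property names taken from the pki-tomcat log line,
# values are placeholders (the host name is assumed).
CS_CFG = """\
internaldb.ldapconn.host=sso-centos7.example.test
internaldb.ldapconn.port=
internaldb.ldapconn.secureConn=false
"""

# nickname, two or more spaces, then the three comma-separated NSS trust slots
TRUST_LINE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")

def parse_certutil(text):
    """Return {nickname: (ssl, smime, jar_xpi)} from `certutil -L` output, skipping the header."""
    certs = {}
    for line in text.splitlines():
        m = TRUST_LINE.match(line)
        if m and m.group("nick") != "Certificate Nickname":
            certs[m.group("nick")] = tuple(m.group("trust").split(","))
    return certs

def ca_nicknames_without_key(certs):
    """Nicknames trusted as a CA (C or T in any slot) that lack the 'u' flag,
    i.e. entries NSS marks as a CA but for which the database holds no private key."""
    return sorted(nick for nick, flags in certs.items()
                  if any(set("CT") & set(f) for f in flags)
                  and not any("u" in f for f in flags))

def empty_properties(cfg_text):
    """Property names whose value is empty in a key=value file such as CS.cfg."""
    empty = []
    for line in cfg_text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, _, value = line.partition("=")
            if value.strip() == "":
                empty.append(key.strip())
    return empty
```

Run against the real listing and config, a non-empty result from either function is worth resolving before retrying ipa-replica-install.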