<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Yes, I have followed <a rel="nofollow"
href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html</a>
to the letter. <br>
The only reason I had to recreate the cacert.p12 file is because it
is not renewed automatically in v3, so the cacert.p12 was outdated
and the CA was throwing a "p12 invalid digest" error.<br>
<br>
<ul>
<li>I opened all necessary ports</li>
<li>I checked all certs and they are valid for another year </li>
</ul>
<br>
<pre>
Run connection check to master
Check connection from replica to remote master 'ipa-server.nelios':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'ipa2-server2.nelios':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

Connection from master to replica is OK.

Connection check OK
</pre>
<br>
<b>Even with a fresh install of CentOS 7 with a different hostname and
IP, I still get the error below.</b><br>
<br>
<pre>
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/24]: creating certificate server user
  [2/24]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpbMwmp_'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR CA configuration failed.
</pre>
<br>
<b>With debug enabled I get:</b><br>
<br>
<pre>
ipa : DEBUG Starting external process
ipa : DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpwY8XjR'
ipa : DEBUG Process finished, return code=1
ipa : DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160909044214.log
Loading deployment configuration from /tmp/tmpwY8XjR.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

Installation failed.


ipa : DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: <a href="https://urllib3.readthedocs.org/en/latest/security.html">https://urllib3.readthedocs.org/en/latest/security.html</a>
  InsecureRequestWarning)
pkispawn    : WARNING  ....... unable to validate security domain user/password through REST interface. Interface not available
pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Failed to obtain installation token from security domain"}
</pre>
<br>
<br>
Is there a way to validate the replica .gpg file from a v3
installation against a v4.2 FreeIPA installation to check for any
errors before going through the ipa-replica-install?<br>
The ipa-replica-install completes if I don't include the --setup-ca
flag, but I don't want that.<br>
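<br>
<b>Added pre-flight check (editor's example; not part of the post above and not FreeIPA's own tooling):</b><br>
The question above asks how to validate a replica file from a v3 master before running ipa-replica-install against 4.2, and the post also mentions an outdated cacert.p12 producing a "p12 invalid digest" error. The script below decrypts the replica-info-&lt;fqdn&gt;.gpg bundle, lists what it contains, checks that every bundled PKCS#12 file opens with the password and is not close to expiry, and probes the master CA's security-domain REST endpoint, which pkispawn needs in order to fetch its installation token. Assumptions, each also marked in the code: the bundle is the one written by ipa-replica-prepare (symmetric GPG encryption, no keyring); the Directory Manager password is both the GPG passphrase and the PKCS#12 password; the realm_info keys realm_name and master_host_name; and the endpoint path /ca/rest/securityDomain/domainInfo reached through the IPA httpd proxy (a Dogtag 10 path, which a v3 master is not expected to serve). The hostnames in the usage comment are the ones from the post.<br>

```shell
#!/bin/sh
# Pre-flight check for an IPA replica file before ipa-replica-install --setup-ca.
# Added example, not FreeIPA's own tooling. Assumptions: the file is the
# replica-info-<fqdn>.gpg written by ipa-replica-prepare; the Directory Manager
# password is both the GPG passphrase and the PKCS#12 password of the bundled
# *.p12 files; the master CA answers REST calls at /ca/rest/ via the IPA httpd
# proxy (Dogtag 10 layout; a v3 master may simply return 404 there).
# Usage: DM_PASS=... sh preflight.sh /var/lib/ipa/replica-info-ipa2-server2.nelios.gpg ipa-server.nelios
set -u

# FQDN the file was prepared for, taken from the name replica-info-<fqdn>.gpg.
replica_file_host() {
    f=$(basename "$1")
    f=${f#replica-info-}
    printf '%s\n' "${f%.gpg}"
}

# Print the value of KEY from an INI-style "key = value" file such as realm_info.
ini_get() {  # ini_get FILE KEY
    while IFS='=' read -r key val; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        if [ "$key" = "$2" ]; then
            printf '%s\n' "${val# }"
            return 0
        fi
    done < "$1"
    return 1
}

# Decrypt the replica file with the DM password and unpack it into DIR.
unpack_replica_file() {  # unpack_replica_file FILE PASS DIR
    printf '%s' "$2" | gpg --batch --quiet --passphrase-fd 0 --decrypt "$1" \
        | tar -xf - -C "$3"
}

# Open a PKCS#12 bundle with PASS and check its first certificate is not within
# DAYS of expiry. A wrong password or a damaged/stale bundle fails here, before
# the CA installer gets to report its own "p12 invalid digest" error.
check_p12() {  # check_p12 FILE PASS DAYS
    pem="$1.certs.pem"
    if ! openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -out "$pem" 2>/dev/null; then
        echo "FAIL $1: cannot open bundle (wrong password, or corrupt/outdated p12)"
        return 1
    fi
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$pem" -noout -checkend $(( $3 * 86400 )) >/dev/null; then
        echo "FAIL $1: certificate expires within $3 days"
        return 1
    fi
    echo "OK   $1: $(openssl x509 -in "$pem" -noout -subject -enddate | tr '\n' ' ')"
}

# HTTP status of the master CA's security-domain REST endpoint (assumed path),
# with the master's TLS verified against CACERT. pkispawn must obtain an
# installation token from this security domain; a 404 means no REST interface.
probe_ca_rest() {  # probe_ca_rest MASTER CACERT
    curl -s -o /dev/null -w '%{http_code}' --cacert "$2" \
        "https://$1/ca/rest/securityDomain/domainInfo"
}

main() {  # main REPLICA_FILE MASTER   (DM password from $DM_PASS or a prompt)
    file=$1; master=$2
    if [ -z "${DM_PASS:-}" ]; then
        printf 'Directory Manager password: '
        stty -echo; read -r DM_PASS; stty echo; echo
    fi
    umask 077                      # the unpacked bundle contains private keys
    dir=$(mktemp -d)
    trap 'rm -rf "$dir"' EXIT

    echo "file prepared for: $(replica_file_host "$file")   this host: $(hostname -f)"
    if ! unpack_replica_file "$file" "$DM_PASS" "$dir"; then
        echo "FAIL: cannot decrypt/unpack $file (wrong DM password or damaged file)"
        exit 1
    fi
    echo "contents:"; ls -l "$dir"
    if [ -f "$dir/realm_info" ]; then   # key names assumed from ipa-replica-prepare
        echo "realm: $(ini_get "$dir/realm_info" realm_name)   master: $(ini_get "$dir/realm_info" master_host_name)"
    fi

    rc=0
    for p12 in "$dir"/*.p12; do
        [ -f "$p12" ] || continue
        check_p12 "$p12" "$DM_PASS" 30 || rc=1
    done

    # The CA certificate exported from cacert.p12 by check_p12 verifies the master's TLS.
    if [ -f "$dir/cacert.p12.certs.pem" ]; then
        echo "CA REST probe on $master: HTTP $(probe_ca_rest "$master" "$dir/cacert.p12.certs.pem")"
    fi
    exit $rc
}

if [ $# -ge 2 ]; then
    main "$@"
fi
```

The script exits non-zero when the bundle cannot be decrypted or any PKCS#12 file fails, so it can gate an automated replica build. The decrypted material (including the CA private key in cacert.p12) lives only in a mode-0700 temporary directory that is removed on exit; the password is taken from the environment or a hidden prompt rather than from the command line, where it would be visible in the process list.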
</body>
</html>