[Freeipa-users] Trouble in ipa-ca-install

Bret Wortman bret.wortman at damascusgrp.com
Mon Sep 9 10:33:26 UTC 2013


Never mind. I just gave up and re-installed my original master from
scratch. We're just going to accept the pain of re-enrolling all the
clients and resetting all the user passwords. Whatever had gone wrong
inside my database was just too much. This gets us clean again.


*Bret Wortman*

http://damascusgrp.com/
http://about.me/wortmanbret


On Mon, Sep 9, 2013 at 3:30 AM, Bret Wortman
<bret.wortman at damascusgrp.com> wrote:

> I've had some great success in the past 48 hours in recovering my system.
> Here's where I stand right now:
>
> 1. I successfully stood up a new replica (ipamaster7) and transferred CA
> authority to it from my old master (ipamaster).
> 2. I shut down ipamaster and re-baselined it.
> 3. I created a new replica file from ipamaster7 for ipamaster (to transfer
> everything back).
> 4. I reinstalled the IPA software on ipamaster. I also made a small change
> to CS.cfg to work around my earlier CA problem.
> 5. I ran "ipa-replica-install --setup-dns --no-forwarders
> replica-info-ipamaster.foo.net.gpg", which ran to completion.
> 6. I attempted to run "ipa-ca-install replica-info-ipamaster.foo.net.gpg",
> which failed due to a 403 error.
>
> /var/log/ipareplica-ca-install.log showed this:
>
> 2013-09-09T07:10:30Z DEBUG Starting external process
> 2013-09-09T07:10:30Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpyIMTdo
> 2013-09-09T07:10:31Z DEBUG Process finished, return code=1
> 2013-09-09T07:10:31Z DEBUG stdout=Loading deployment configuration from
> /tmp/tmpyIMTdo.
> ERROR: Unable to access security domain: 403 Client Error: Forbidden
>
> 2013-09-09T07:10:31Z DEBUG stderr=
> 2013-09-09T07:10:31Z CRITICAL failed to configure ca instance Command
> '/usr/sbin/pkispawn -s CA -f /tmp/tmpyIMTdo' returned non-zero exit status 1
> 2013-09-09T07:10:31Z INFO    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line
> 619, in run_script
>     return_value = main_function()
>
>   File "/usr/sbin/ipa-ca-install", line 182, in main
>     config, dogtag_master_ds_port, postinstall=True)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> line 1809, in install_replica_ca
>     subject_base=config.subject_base)
>
>   File "/usr/ib/python2.7/site-packages/ipaserver/install/cainstance.py",
> line625, in configure_instance
>     self.start_creation(runtime=210)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 358, in start_creation
>     method()
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> line 744, in __spawn_instance
>     raise RuntimeError('Configuration of CA failed')
>
> 2013-09-09T07:10:31Z INFO The ipa-ca-install command failed, exception:
> RuntimeError: Configuration of CA failed
>
> Does this look familiar to anyone? I'd like to complete the transition
> back to ipamaster so that I can then finish cleaning up the dead replicas.
> Until I can do this, I'll have to leave ipamaster7 in place as my master.
>
> Thanks!
> *Bret Wortman*
>
> http://damascusgrp.com/
> http://about.me/wortmanbret
>