[Freeipa-users] Replica Setup Issue

dbischof at hrz.uni-kassel.de
Mon Dec 15 09:34:24 UTC 2014


Hi Matt,

I ran into this a couple of months ago. I ended up creating the replica 
without "--setup-ca" which first appeared to work, but then it turned out 
that replication is (at least for me) broken, cf. Ticket #4807 
(https://fedorahosted.org/freeipa/ticket/4807).

On Fri, 12 Dec 2014, Matt Chesler wrote:

> 1. Create replica ipa-1 from old-ipa-1
> 2. Followed procedure documented at 
> http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master 
> to make ipa-1 the node responsible for CRL generation and CA renewal
> 3. Prepare ipa-2 to be a replica by running 'ipa-replica-prepare 
> ipa-2.example.com' on ipa-1 and copying over the resulting gpg
> 4. Ran ipa-replica-install on ipa-2 and received the following 
> output/failure:
>
> ===================
> [root at ipa-2 ~]# ipa-replica-install --setup-ca 
> /var/lib/ipa/replica-info-ipa-2.example.com.gpg
> [...]
>  [3/17]: configuring certificate server instance ipa : CRITICAL failed 
> to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent 
> ConfigureCA -cs_hostname ipa-2.example.com -cs_port 9445 
> -client_certdb_dir /tmp/tmp-ATedaS -client_certdb_pwd XXXXXXXX 
> -preop_pin SAW89xQS4ICFy5zYWv0m -domain_name IPA -admin_user admin 
> -admin_email root at localhost -admin_password XXXXXXXX -agent_name 
> ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa 
> -agent_cert_subject CN=ipa-ca-agent,O=EXAMPLE.COM -ldap_host 
> ipa-2.example.com -ldap_port 7389 -bind_dn cn=Directory Manager 
> -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 
> -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 
> XXXXXXXX -subsystem_name pki-cad -token_name internal 
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=EXAMPLE.COM 
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=EXAMPLE.COM 
> -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=EXAMPLE.COM 
> -ca_server_cert_subject_name CN=ipa-2.example.com,O=EXAMPLE.COM 
> -ca_audit_signing_cert_subject_name CN=CA Audit,O=EXAMPLE.COM 
> -ca_sign_cert_subject_name CN=Certificate Authority,O=EXAMPLE.COM 
> -external false -clone true -clone_p12_file ca.p12 -clone_p12_password 
> XXXXXXXX -sd_hostname ipa-1.example.com -sd_admin_port 443 
> -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true 
> -clone_uri https://ipa-1.example.com:443' returned non-zero exit status 
> 255
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Configuration of CA failed
>
> ===================
> [...]


With best regards,

--Daniel.
