[Freeipa-users] RHEL 7 Upgrade experience so far

Erinn Looney-Triggs erinn.looneytriggs at gmail.com
Sun Jul 27 02:12:56 UTC 2014


On 07/26/2014 05:25 PM, Erinn Looney-Triggs wrote:
> Well, it hasn't been all that pretty trying to move from RHEL 6.5 to
> RHEL 7.
> 
> I have two servers providing my ipa instances ipa and ipa2. Given
> that I don't have a great deal of spare capacity the plan was to
> remove ipa2 from the replication agreement, modify DNS so that only
> IPA was available in SRV logs (IPA does not manage DNS at this
> point, was waiting for DNSSEC). As well, I would change my
> sudo-ldap config files to point to ipa and remove ipa2.
> 
> Well that all worked well, installed RHEL 7 on the system and
> began working through the steps in the upgrade guide.
> 
> First major problem was running into this bug: 
> https://fedorahosted.org/freeipa/ticket/4375 ValueError:
> nsDS5ReplicaId has 2 values, one expected.
> 
> Went and patched the replication.py file to get around that issue,
> and we moved on.
> 
> Next up is my current issue: Exception from Java Configuration 
> Servlet: Clone does not have all the required certificates.
> 
> I suspect this is because I am running the CA as a subordinate to
> an AD CS instance, but I am unsure at this point.
> 
> It has been a haul to get here, despite the short explanation. It 
> seems that my primary ipa instance is working on only a hit or
> miss basis for Kerberos tickets, which has made all this a bit of a
> pain. You can kinit as admin once and it will fail, unable to find KDC;
> try again another three times and it will work. I have even modified
> the krb5.conf file to point directly at the server, thus bypassing
> DNS SRV lookups, however, that hasn't worked.
> 
> Point is, any help would be appreciated on the aforementioned
> error.
> 
> -Erinn
> 

To reply to myself here, I believe the problem may be that I had to
renew the CA certificates and as such the certificates in
/root/cacert.p12 are no longer valid. It is this file that gets
bundled up with whatever else using ipa-replica-prepare, so I will
have to create a new one that has the valid certificates in it.

One way or another though, if it isn't already documented, during a CA
renewal this file should probably be updated with the correct
certificates.

-Erinn


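Added example, not part of the original post: one way to test the hypothesis above is to check whether the certificates inside /root/cacert.p12 are expired and whether the bundle still contains a certificate you know to be current. The reference path /etc/ipa/ca.crt, the P12_PASS variable and all function names are assumptions of this sketch.

```bash
#!/bin/bash
# Added example. The PKCS#12 password is read from $P12_PASS, never from argv.

# Split the certificates of bundle $1 into $2/N.pem, one file per certificate.
p12_split() {
    openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null |
        awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++; on = 1 }
                       on { print > (d "/" n ".pem") }
                       /-----END CERTIFICATE-----/ { on = 0 }'
    [ -e "$2/1.pem" ]   # fails on a wrong password or a bundle without certificates
}

# SHA-256 fingerprint of the PEM certificate in file $1.
cert_fp() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Print how many certificates in bundle $1 expire within $2 seconds (0 = expired now).
p12_count_expiring() {
    local dir count=0 f
    dir=$(mktemp -d) || return 2
    p12_split "$1" "$dir" || { rm -rf "$dir"; return 2; }
    for f in "$dir"/*.pem; do
        openssl x509 -in "$f" -noout -checkend "$2" >/dev/null || count=$((count + 1))
    done
    rm -rf "$dir"
    echo "$count"
}

# Succeed only if bundle $1 contains the certificate stored in PEM file $2.
p12_has_cert() {
    local dir want f rc=1
    dir=$(mktemp -d) || return 2
    p12_split "$1" "$dir" || { rm -rf "$dir"; return 2; }
    want=$(cert_fp "$2")
    for f in "$dir"/*.pem; do
        if [ "$(cert_fp "$f")" = "$want" ]; then rc=0; fi
    done
    rm -rf "$dir"
    return "$rc"
}

# Usage (paths assumed): P12_PASS=... bash check_p12.sh /root/cacert.p12 /etc/ipa/ca.crt
if [ "$#" -eq 2 ]; then
    echo "expired certificates in bundle: $(p12_count_expiring "$1" 0)"
    if p12_has_cert "$1" "$2"; then echo "bundle contains the reference certificate"
    else echo "bundle is stale: reference certificate not found"; fi
fi
```

A non-zero expired count, or a missing reference certificate, means the bundle predates the renewal and should be regenerated before ipa-replica-prepare packages it.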



