[Freeipa-users] How to remove the CA cert from an IDM replica

Simo Sorce simo at redhat.com
Thu Mar 13 01:04:28 UTC 2014


On Wed, 2014-03-12 at 22:03 +0000, Todd Maugh wrote:
> skipping the conncheck due to a clock skew error

If your clock is wrong you won't have a functional replica anyway.
Fix the clock.

Simo.

> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Wednesday, March 12, 2014 2:39 PM
> To: Todd Maugh; Simo Sorce; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] How to remove the CA cert from an IDM replica
> 
> Todd Maugh wrote:
> > I'm seeing this error:
> >
> > where is the install log located
> >
> > [root at idm-rep02-w1c-aws ipa]# ipa-replica-install --setup-ca /var/lib/ipa/replica-info-idm-rep02-w1c-aws.ops.boingo.com.gpg --skip-conncheck
> > Directory Manager (existing master) password:
> >
> > Configuring NTP daemon (ntpd)
> >    [1/4]: stopping ntpd
> >    [2/4]: writing configuration
> >    [3/4]: configuring ntpd to start on boot
> >    [4/4]: starting ntpd
> > Done configuring NTP daemon (ntpd).
> > A CA is already configured on this system.
> 
> # /usr/bin/pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca --force
> 
> > [root at idm-rep02-w1c-aws ipa]# ipa-replica-install  /var/lib/ipa/replica-info-idm-rep02-w1c-aws.ops.boingo.com.gpg --skip-conncheck
> > Directory Manager (existing master) password:
> >
> > Configuring NTP daemon (ntpd)
> >    [1/4]: stopping ntpd
> >    [2/4]: writing configuration
> >    [3/4]: configuring ntpd to start on boot
> >    [4/4]: starting ntpd
> > Done configuring NTP daemon (ntpd).
> > Configuring directory server (dirsrv): Estimated time 1 minute
> >    [1/31]: creating directory server user
> >    [2/31]: creating directory server instance
> >    [3/31]: adding default schema
> >    [4/31]: enabling memberof plugin
> >    [5/31]: enabling winsync plugin
> >    [6/31]: configuring replication version plugin
> >    [7/31]: enabling IPA enrollment plugin
> >    [8/31]: enabling ldapi
> >    [9/31]: disabling betxn plugins
> >    [10/31]: configuring uniqueness plugin
> >    [11/31]: configuring uuid plugin
> >    [12/31]: configuring modrdn plugin
> >    [13/31]: enabling entryUSN plugin
> >    [14/31]: configuring lockout plugin
> >    [15/31]: creating indices
> >    [16/31]: enabling referential integrity plugin
> >    [17/31]: configuring ssl for ds instance
> >    [18/31]: configuring certmap.conf
> >    [19/31]: configure autobind for root
> >    [20/31]: configure new location for managed entries
> >    [21/31]: restarting directory server
> >    [22/31]: setting up initial replication
> > Starting replication, please wait until this has completed.
> > [idm-master-els.ops.boingo.com] reports: Update failed! Status: [-1  - LDAP error: Can't contact LDAP server]
> 
> Why are you skipping the conncheck? It looks like there is a firewall issue.
> 
> rob
> 


-- 
Simo Sorce * Red Hat, Inc * New York
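The two pieces of advice in this thread (do not skip the connection check, and fix the clock before you go any further) can be turned into a pre-flight script that runs on the replica before ipa-replica-install. The script below is an added example written for this page, not FreeIPA's own ipa-replica-conncheck; it assumes ntpdate(8) is installed on the replica, that the master is the NTP source the replica will sync to, and that the listed TCP ports are the ones the install needs (the default FreeIPA ports, assumed here). The 300-second limit is the default Kerberos clock-skew tolerance.

```shell
#!/bin/sh
# Pre-flight check to run on a replica-to-be instead of passing --skip-conncheck.
# Added example, not FreeIPA code. Assumes ntpdate(8) is present and that the
# master given on the command line is the NTP source the replica will use.

MASTER="${1:-}"
MAX_SKEW=300   # seconds; Kerberos rejects tickets beyond 5 minutes of skew by default
# Default FreeIPA TCP ports a replica must reach on the master (assumed list).
IPA_TCP_PORTS="80 443 389 636 88 464"

# Pull the "offset" field (seconds, may be negative) out of ntpdate -q output.
# A typical line looks like (constructed sample):
#   server 192.0.2.10, stratum 2, offset 412.351200, delay 0.02567
parse_ntpdate_offset() {
    printf '%s\n' "$1" | awk '
        /^server / { for (i = 1; i <= NF; i++)
                         if ($i == "offset") { gsub(",", "", $(i+1)); print $(i+1); exit } }'
}

# Return 0 when |offset| <= limit, 1 otherwise (both in seconds).
skew_within_limit() {
    awk -v o="$1" -v m="$2" 'BEGIN { if (o < 0) o = -o; exit (o <= m ? 0 : 1) }'
}

# Live measurement: query the master without stepping the local clock (-q).
measure_skew() {
    out=$(ntpdate -q "$1" 2>/dev/null) || return 2
    parse_ntpdate_offset "$out"
}

# TCP reachability using bash's /dev/tcp; returns 0 only if the connect succeeds.
# Under a plain POSIX sh /dev/tcp does not exist and this simply reports "blocked".
port_open() {
    (exec 3<>"/dev/tcp/$1/$2") 2>/dev/null
}

preflight() {
    host="$1"; rc=0
    offset=$(measure_skew "$host") || { echo "could not query NTP on $host"; return 2; }
    if skew_within_limit "$offset" "$MAX_SKEW"; then
        echo "clock skew ${offset}s vs $host: OK"
    else
        echo "clock skew ${offset}s vs $host exceeds ${MAX_SKEW}s: fix NTP before installing"
        rc=1
    fi
    for p in $IPA_TCP_PORTS; do
        if port_open "$host" "$p"; then
            echo "tcp/$p to $host: open"
        else
            echo "tcp/$p to $host: blocked (firewall?)"; rc=1
        fi
    done
    return $rc
}

if [ -n "$MASTER" ]; then
    preflight "$MASTER"
fi
```

Run it as `sh preflight.sh idm-master.example.com` (hostname assumed) and do not start the replica install until it exits 0. A port that a firewall silently drops will sit in the TCP connect timeout rather than fail fast; wrap the call in `timeout 5` where that utility is available. Note that this only checks the replica-to-master direction; the master also has to reach the replica for replication to work, which is why the real conncheck logs in to the master and tests the reverse path too.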
