[Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7
Jani West
jwest at iki.fi
Thu Feb 19 15:07:41 UTC 2015
Trying to migrate from CentOS 6.6 with FreeIPA 3.0.0-42 to CentOS 7.0
with FreeIPA 3.3.3-28 by using replication.
I have prepared the replication file and moved it to the new replica server.
Configured firewalld and installed IPA and other needed packages via
yum.
When running "ipa-replica-install --setup-ca -d" the installation
always gets stuck on:
----------------------------------------------------------------------
"Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
30 seconds
[2/19]: configuring certificate server instance
ipa : DEBUG Starting external process
ipa : DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5
ipa : DEBUG Process finished, return code=1
ipa : DEBUG stdout=Loading deployment configuration from
/tmp/tmpHJBhR5.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.
ipa : DEBUG stderr=pkispawn : WARNING ....... unable to
validate security domain user/password through REST interface. Interface
not available
pkispawn : ERROR ....... Exception from Java Configuration
Servlet: Error while updating security domain: java.io.IOException:
java.io.IOException: SocketException cannot read on socket
ipa : CRITICAL failed to configure ca instance Command
'/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5' returned non-zero exit status 1
----------------------------------------------------------------------
Between the attempts I have cleaned up the ipa and pki configurations and
deleted the old replication agreement.
Apache logs on old CentOS 6 server have these errors.
----------------------------------------------------------------------
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST
/ca/admin/ca/getDomainXML HTTP/1.0" 200 1158
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST
/ca/admin/ca/updateDomainXML HTTP/1.0" 404 -
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST
/ca/agent/ca/updateDomainXML HTTP/1.0" 403 323
[Thu Feb 19 11:38:44 2015] [error] Bad remote server certificate: -8181
[Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate
has expired
[Thu Feb 19 11:38:44 2015] [error] Re-negotiation handshake failed: Not
accepted by client!?
----------------------------------------------------------------------
Which certificate does this mean? ca.crt has more than five years left.
Clocks are synced, /ca/admin/ca/updateDomainXML can be found in
ipa-pki-proxy.conf and there is no obvious reason. Any hints?
--
-- Jani West