[Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7

Jani West jwest at iki.fi
Thu Feb 19 15:07:41 UTC 2015


Trying to migrate from CentOS 6.6 with FreeIPA 3.0.0-42 to CentOS 7.0 
with FreeIPA 3.3.3-28 by using replication.

I have prepared replication file and moved it to the new replica server. 
Configured firewalld and installed IPA and the other needed packages via 
yum.

When running "ipa-replica-install --setup-ca -d", the installation 
always gets stuck on:

----------------------------------------------------------------------
"Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 
30 seconds
[2/19]: configuring certificate server instance
ipa         : DEBUG    Starting external process
ipa         : DEBUG    args=/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5
ipa         : DEBUG    Process finished, return code=1
ipa         : DEBUG    stdout=Loading deployment configuration from 
/tmp/tmpHJBhR5.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into 
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.


ipa         : DEBUG    stderr=pkispawn    : WARNING  ....... unable to 
validate security domain user/password through REST interface. Interface 
not available
pkispawn    : ERROR    ....... Exception from Java Configuration 
Servlet: Error while updating security domain: java.io.IOException: 
java.io.IOException: SocketException cannot read on socket

ipa         : CRITICAL failed to configure ca instance Command 
'/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5' returned non-zero exit status 1
----------------------------------------------------------------------

Between the attempts I have cleaned up the IPA and PKI configurations and 
deleted the old replication agreement.


Apache logs on the old CentOS 6 server have these errors.
----------------------------------------------------------------------
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST 
/ca/admin/ca/getDomainXML HTTP/1.0" 200 1158
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST 
/ca/admin/ca/updateDomainXML HTTP/1.0" 404 -
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST 
/ca/agent/ca/updateDomainXML HTTP/1.0" 403 323
[Thu Feb 19 11:38:44 2015] [error] Bad remote server certificate: -8181
[Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate 
has expired
[Thu Feb 19 11:38:44 2015] [error] Re-negotiation handshake failed: Not 
accepted by client!?
----------------------------------------------------------------------

What certificate does this mean? ca.crt has more than five years left.

Clocks are synced, /ca/admin/ca/updateDomainXML can be found in 
ipa-pki-proxy.conf and there is no obvious reason. Any hints?
-- 
-- Jani West
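A small triage script for the error shown in the Apache log above, added here as an example; it is not part of the original post or of FreeIPA/Dogtag. The numeric code mod_nss prints ("SSL Library Error: -8181") is an NSS error number: SEC_ERROR_BASE is -8192, so -8181 is SEC_ERROR_EXPIRED_CERTIFICATE. Because the failure happens during the re-negotiation handshake on the /ca/agent/ URL, the certificate to look for is one involved in that handshake rather than necessarily ca.crt, and the quickest way to find it is to check the expiry of every certificate the server and the connecting side hold. The script names the NSS code, reports whether a PEM certificate is expired or expires within a window, and, when certutil is present, walks every nickname in an NSS database. It assumes openssl is installed; certutil and the NSS database paths (/etc/httpd/alias, /var/lib/pki/pki-tomcat/alias) are assumptions taken from typical IPA masters, not from the post. The demo certificate at the end is constructed on the fly so the block runs offline.

```shell
#!/bin/sh
# Added example, not from the original post or from the FreeIPA project.
# Decode an NSS error number and find expired / soon-to-expire certificates.
# Assumptions: openssl is installed; certutil is optional; NSS db paths are
# typical IPA locations and may differ on your host.
set -u

# Map NSS error numbers as logged by mod_nss to their symbolic names.
# SEC_ERROR_BASE is -8192; only certificate-validity codes are listed,
# any other value is echoed back unchanged.
nss_error_name() {
    case "$1" in
        -8182) echo SEC_ERROR_BAD_SIGNATURE ;;
        -8181) echo SEC_ERROR_EXPIRED_CERTIFICATE ;;
        -8180) echo SEC_ERROR_REVOKED_CERTIFICATE ;;
        -8179) echo SEC_ERROR_UNKNOWN_ISSUER ;;
        -8172) echo SEC_ERROR_UNTRUSTED_ISSUER ;;
        -8171) echo SEC_ERROR_UNTRUSTED_CERT ;;
        *)     echo "$1" ;;
    esac
}

# cert_status FILE SECONDS -> prints "ok", "EXPIRING" or "unreadable".
# "EXPIRING" covers certificates that are already expired as well as ones
# that expire within the next SECONDS. `openssl x509 -checkend N` exits 0
# only when the certificate is still valid N seconds from now.
cert_status() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || { echo unreadable; return 0; }
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo EXPIRING
    fi
}

# One tab-separated report line per PEM file: status, notAfter, subject, path.
cert_report() {
    _status=$(cert_status "$1" "$2")
    _end=$(openssl x509 -in "$1" -noout -enddate 2>/dev/null | sed 's/^notAfter=//')
    _subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null)
    printf '%s\t%s\t%s\t%s\n' "$_status" "$_end" "$_subj" "$1"
}

# Walk every certificate in an NSS database by exporting each nickname to
# PEM and reporting on it. The first two header lines and the blank line of
# `certutil -L` output are dropped; the trailing trust column (u,u,u,
# CTu,Cu,Cu, ,,) is stripped so nicknames containing spaces survive.
nss_db_report() {
    _db=$1; _window=$2
    _tmp=$(mktemp)
    certutil -L -d "$_db" | sed '1,/^$/d' | sed 's/[[:space:]][[:space:]]*[CTcPpuw,]*$//' |
    while IFS= read -r _nick; do
        [ -n "$_nick" ] || continue
        if certutil -L -d "$_db" -n "$_nick" -a > "$_tmp" 2>/dev/null; then
            printf '%s\t' "$_nick"; cert_report "$_tmp" "$_window"
        fi
    done
    rm -f "$_tmp"
}

# Demo with a constructed throwaway certificate (1-day validity) so the
# block runs offline. On a real master point nss_db_report at the NSS dbs.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DEMO_CERT=$WORK/demo.pem
openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=demo.example.test' \
    -days 1 -keyout "$WORK/demo.key" -out "$DEMO_CERT" >/dev/null 2>&1

echo "-8181 is $(nss_error_name -8181)"
printf 'now:\t';    cert_report "$DEMO_CERT" 0                  # ok
printf '3 days:\t'; cert_report "$DEMO_CERT" $((3 * 86400))     # EXPIRING
for _db in /etc/httpd/alias /var/lib/pki/pki-tomcat/alias; do   # assumed paths
    if command -v certutil >/dev/null 2>&1 && [ -d "$_db" ]; then
        nss_db_report "$_db" $((30 * 86400))
    fi
done
```

On an IPA master the same information is also available from certmonger with `getcert list`, which prints the expiry date of every tracked certificate; the NSS-database walk above is useful when you want to include certificates certmonger does not track. Run the check on both the old master and the new replica, since the certificate rejected in a re-negotiation can come from either end of the connection.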