[Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7

Dmitri Pal dpal at redhat.com
Thu Feb 19 16:14:45 UTC 2015


On 02/19/2015 10:07 AM, Jani West wrote:
> Trying to migrate from CentOS 6.6 with FreeIPA 3.0.0-42 to CentOS 7.0 
> with FreeIPA 3.3.3-28 by using replication.
>
> I have prepared replication file and moved it to the new replica 
> server. Configured the firewalld and installed Ipa and other needed 
> packages via yum.
>
> When running "ipa-replica-install --setup-ca -d" installation will 
> always stuck on:
>
> ----------------------------------------------------------------------
> "Configuring certificate server (pki-tomcatd): Estimated time 3 
> minutes 30 seconds
> [2/19]: configuring certificate server instance
> ipa         : DEBUG    Starting external process
> ipa         : DEBUG    args=/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5
> ipa         : DEBUG    Process finished, return code=1
> ipa         : DEBUG    stdout=Loading deployment configuration from 
> /tmp/tmpHJBhR5.
> Installing CA into /var/lib/pki/pki-tomcat.
> Storing deployment configuration into 
> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
> Installation failed.
>
>
> ipa         : DEBUG    stderr=pkispawn    : WARNING  ....... unable to 
> validate security domain user/password through REST interface. 
> Interface not available
> pkispawn    : ERROR    ....... Exception from Java Configuration 
> Servlet: Error while updating security domain: java.io.IOException: 
> java.io.IOException: SocketException cannot read on socket
>
> ipa         : CRITICAL failed to configure ca instance Command 
> '/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5' returned non-zero exit 
> status 1
> ----------------------------------------------------------------------
>
> Between the attempts I have cleaned up ipa and pki configurations and 
> deleted the old replication agreement.
>
>
> Apache logs on old CentOS 6 server have these errors.
> ----------------------------------------------------------------------
> 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST 
> /ca/admin/ca/getDomainXML HTTP/1.0" 200 1158
> 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST 
> /ca/admin/ca/updateDomainXML HTTP/1.0" 404 -
> 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST 
> /ca/agent/ca/updateDomainXML HTTP/1.0" 403 323
> [Thu Feb 19 11:38:44 2015] [error] Bad remote server certificate: -8181
> [Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 
> Certificate has expired
> [Thu Feb 19 11:38:44 2015] [error] Re-negotiation handshake failed: 
> Not accepted by client!?
> ----------------------------------------------------------------------
>
> What certificate does this mean? ca.crt has more than five years left.
>
> Clocks are synced, /ca/admin/ca/updateDomainXML can be found in 
> ipa-pki-proxy.conf and there is no obvious reason. Any hints?

Are CA ports accessible on your master? Can you check your FW please?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
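A quick way to answer the question about CA ports, as an added example that is not part of this thread: run from the new replica, it checks whether each CA port on the master accepts a TLS connection and whether the certificate presented there is past its notAfter (the condition behind the NSS error -8181 in the Apache log above). The port list and the use of the openssl command line are assumptions for a Dogtag 9 / FreeIPA 3.0 master; adjust them for your setup.

```python
import subprocess
from datetime import datetime, timezone

# Assumed CA-related ports on a FreeIPA 3.0 / Dogtag 9 master (adjust as needed).
CA_PORTS = (443, 9443, 9444, 9445)


def parse_enddate(enddate_line):
    """Parse a 'notAfter=Feb 19 11:38:44 2015 GMT' line (openssl x509 -enddate) to UTC."""
    value = enddate_line.strip().split("=", 1)[1]
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def classify(enddate_line, now=None):
    """Return ('expired' | 'ok', days_left) for the certificate's notAfter line."""
    now = now or datetime.now(timezone.utc)
    delta = parse_enddate(enddate_line) - now
    return ("expired" if delta.total_seconds() <= 0 else "ok", delta.days)


def fetch_enddate(host, port, timeout=10):
    """Fetch the server certificate with openssl s_client and return its notAfter line,
    or None when the port cannot be reached (firewall, CA not listening)."""
    try:
        client = subprocess.run(
            ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
            input=b"", capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return None
    if client.returncode != 0 or b"BEGIN CERTIFICATE" not in client.stdout:
        return None
    x509 = subprocess.run(["openssl", "x509", "-noout", "-enddate"],
                          input=client.stdout, capture_output=True, check=True)
    return x509.stdout.decode().strip()


def check_master(host, ports=CA_PORTS):
    """Map each port to 'unreachable', 'expired' or 'ok'."""
    report = {}
    for port in ports:
        line = fetch_enddate(host, port)
        report[port] = "unreachable" if line is None else classify(line)[0]
    return report


if __name__ == "__main__":
    import sys
    for port, status in check_master(sys.argv[1]).items():
        print(f"{sys.argv[1]}:{port} {status}")
```

An "unreachable" result matches Dmitri's firewall question; an "expired" result on a port that does answer identifies which certificate triggered the -8181 error.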
