[Freeipa-users] Migration fails from 3.0.0 to 3.3.3 on Centos 6/7
Dmitri Pal
dpal at redhat.com
Thu Feb 19 16:14:45 UTC 2015
On 02/19/2015 10:07 AM, Jani West wrote:
> Trying to migrate from CentOS 6.6 with FreeIPA 3.0.0-42 to CentOS 7.0
> with FreeIPA 3.3.3-28 by using replication.
>
> I have prepared replication file and moved it to the new replica
> server. Configured firewalld and installed IPA and other needed
> packages via yum.
>
> When running "ipa-replica-install --setup-ca -d" the installation
> always gets stuck on:
>
> ----------------------------------------------------------------------
> "Configuring certificate server (pki-tomcatd): Estimated time 3
> minutes 30 seconds
> [2/19]: configuring certificate server instance
> ipa : DEBUG Starting external process
> ipa : DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5
> ipa : DEBUG Process finished, return code=1
> ipa : DEBUG stdout=Loading deployment configuration from
> /tmp/tmpHJBhR5.
> Installing CA into /var/lib/pki/pki-tomcat.
> Storing deployment configuration into
> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
> Installation failed.
>
>
> ipa : DEBUG stderr=pkispawn : WARNING ....... unable to
> validate security domain user/password through REST interface.
> Interface not available
> pkispawn : ERROR ....... Exception from Java Configuration
> Servlet: Error while updating security domain: java.io.IOException:
> java.io.IOException: SocketException cannot read on socket
>
> ipa : CRITICAL failed to configure ca instance Command
> '/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5' returned non-zero exit
> status 1
> ----------------------------------------------------------------------
>
> Between the attempts I have cleaned up ipa and pki configurations and
> deleted the old replication agreement.
>
>
> Apache logs on old CentOS 6 server have these errors.
> ----------------------------------------------------------------------
> 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST
> /ca/admin/ca/getDomainXML HTTP/1.0" 200 1158
> 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST
> /ca/admin/ca/updateDomainXML HTTP/1.0" 404 -
> 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST
> /ca/agent/ca/updateDomainXML HTTP/1.0" 403 323
> [Thu Feb 19 11:38:44 2015] [error] Bad remote server certificate: -8181
> [Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181
> Certificate has expired
> [Thu Feb 19 11:38:44 2015] [error] Re-negotiation handshake failed:
> Not accepted by client!?
> ----------------------------------------------------------------------
>
> What certificate does this mean? ca.crt has more than five years left.
>
> Clocks are synced, /ca/admin/ca/updateDomainXML can be found in
> ipa-pki-proxy.conf and there is no obvious reason. Any hints?
Are CA ports accessible on your master? Can you check your FW please?
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
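As an added example (not part of the thread and not FreeIPA or Dogtag code), the following script triages Apache log lines of the kind quoted in the original post: it pulls out the CA proxy endpoints that returned a non-success status and translates the numeric NSS error code that mod_nss logs into its symbolic name. The sample lines below are the ones from the post, re-joined where the mail client wrapped them; the code-to-name table is taken from NSS's secerr.h (SEC_ERROR_BASE is -8192, so -8181 is SEC_ERROR_EXPIRED_CERTIFICATE). The log format assumed is the default Apache combined/common access format and the pre-2.4 error log format shown in the post.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the access and error log lines quoted in the post,
# with the mail-client line wrapping undone.
SAMPLE_LOG = """\
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1158
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST /ca/admin/ca/updateDomainXML HTTP/1.0" 404 -
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST /ca/agent/ca/updateDomainXML HTTP/1.0" 403 323
[Thu Feb 19 11:38:44 2015] [error] Bad remote server certificate: -8181
[Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate has expired
[Thu Feb 19 11:38:44 2015] [error] Re-negotiation handshake failed: Not accepted by client!?
"""

# NSS SEC_ERROR_* codes (from secerr.h, SEC_ERROR_BASE = -8192) that commonly
# surface in mod_nss error logs as "SSL Library Error: <code>".
NSS_ERRORS = {
    -8181: "SEC_ERROR_EXPIRED_CERTIFICATE",
    -8180: "SEC_ERROR_REVOKED_CERTIFICATE",
    -8179: "SEC_ERROR_UNKNOWN_ISSUER",
    -8172: "SEC_ERROR_UNTRUSTED_ISSUER",
    -8171: "SEC_ERROR_UNTRUSTED_CERT",
}

# Apache common/combined access log line: client, ident, user, [timestamp],
# "METHOD path protocol", status, size.
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)$'
)
# Apache 2.2-style error log line: [timestamp] [error] message
ERROR_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[error\] (?P<msg>.*)$')
# A negative four-digit number standing alone in the message is an NSS code.
NSS_CODE_RE = re.compile(r'(?<![\w-])(-\d{4})\b')


def triage(log_text: str) -> Dict[str, object]:
    """Summarise CA-proxy failures and NSS certificate errors in Apache logs."""
    failed: List[Tuple[str, int]] = []   # (path, status) for /ca/ requests >= 400
    nss: List[Tuple[int, str]] = []      # distinct (code, name) pairs, in order seen
    handshake_failures = 0
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ACCESS_RE.match(line)
        if m:
            status = int(m.group("status"))
            # Only the CA proxy paths matter here; 4xx/5xx means the CA call failed.
            if m.group("path").startswith("/ca/") and status >= 400:
                failed.append((m.group("path"), status))
            continue
        m = ERROR_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        for code_str in NSS_CODE_RE.findall(msg):
            code = int(code_str)
            entry = (code, NSS_ERRORS.get(code, "unknown NSS error code"))
            if entry not in nss:
                nss.append(entry)
        if "handshake failed" in msg.lower():
            handshake_failures += 1
    return {
        "failed_endpoints": failed,
        "nss_errors": nss,
        "handshake_failures": handshake_failures,
    }


def report(log_text: str) -> List[str]:
    """Render the triage result as one human-readable line per finding."""
    result = triage(log_text)
    lines = [f"CA endpoint {path} returned HTTP {status}"
             for path, status in result["failed_endpoints"]]
    lines += [f"NSS error {code} = {name}" for code, name in result["nss_errors"]]
    if result["handshake_failures"]:
        lines.append(f"{result['handshake_failures']} TLS (re)negotiation failure(s) logged")
    return lines


if __name__ == "__main__":
    for finding in report(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the script reports the two updateDomainXML calls that failed (404 and 403), resolves -8181 to SEC_ERROR_EXPIRED_CERTIFICATE, and counts the failed re-negotiation. Because the message names the remote server certificate that NSS was verifying during that handshake, the expiry check should cover the server and subsystem certificates actually stored in the NSS databases on both hosts (for example `certutil -L -d <nssdb>` for each database, or `getcert list` for certificates tracked by certmonger), not only ca.crt.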