[Freeipa-users] Trouble installing F21 4.1.2 replica from F20 3.3.5 master

Anthony Messina amessina at messinet.com
Mon Jan 5 21:55:55 UTC 2015


On Monday, January 05, 2015 10:40:08 PM Endi Sukma Dewata wrote:
> On 1/5/2015 8:53 PM, Martin Kosek wrote:
> > On 01/05/2015 02:05 PM, Anthony Messina wrote:
> >>>> I was hoping to "migrate" from F20 to F21 using:
> >>>> http://www.freeipa.org/page/Howto/Migration
> >>>> http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
> >>> 
> >>> The migration procedure is only needed if you run FreeIPA server with
> >>> PKI based on Dogtag (pki-ca package) 9. Do you? Is your Fedora 20
> >>> FreeIPA&PKI instance functional? FreeIPA+Dogtag 9 is not supported
> >>> since Fedora 18, so I was surprised such setup worked in Fedora 20.
> >> 
> >> I don't use Dogtag 9.  I installed FreeIPA freshly on a F19 VM, then yum
> >> upgraded to F20.  With the significant changes for Fedora.next,
> >> systemd-216, and FreeIPA 4, I wanted to create a new "master" (and
> >> retire the old) by replicating the current F20 3.3.5 master to what
> >> would become an F21 4.1.2 master.
> > 
> > Ah, makes more sense then. The PKI error below gets more serious then -
> > Fraser and Endi, please help Anthony.
> 
> I'm discussing this with Ade (CC'd). Based on the stack trace it looks
> like the replica thinks the master returns incomplete information
> about the security domain, probably due to the different Dogtag versions
> used in master and replica.
> 
> We need some additional info:
> 
> 1. What is the pki-ca version on the master (F20)?

pki-ca-10.1.2-7.fc20.noarch

> 2. What is the pki-ca version on the replica (F21)?

pki-ca-10.2.0-5.fc21.noarch

> 3. What is the output of this URL on the master?
>     https://<master>:8443/ca/rest/securityDomain/domainInfo

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<DomainInfo id="IPA">
  <Subsystem id="CA">
    <Host id="CA ipa1.example.com 443">
      <Clone>FALSE</Clone>
      <DomainManager>TRUE</DomainManager>
      <Hostname>ipa1.example.com</Hostname>
      <Port>80</Port>
      <SecureAdminPort>443</SecureAdminPort>
      <SecureAgentPort>443</SecureAgentPort>
      <SecureEEClientAuthPort>443</SecureEEClientAuthPort>
      <SecurePort>443</SecurePort>
      <SubsystemName>CA ipa1.example.com 8443</SubsystemName>
    </Host>
    <Host id="CA ipa2.example.com 443">
      <Clone>TRUE</Clone>
      <DomainManager>TRUE</DomainManager>
      <Hostname>ipa2.example.com</Hostname>
      <Port>80</Port>
      <SecureAdminPort>443</SecureAdminPort>
      <SecureAgentPort>443</SecureAgentPort>
      <SecureEEClientAuthPort>443</SecureEEClientAuthPort>
      <SecurePort>443</SecurePort>
      <SubsystemName>CA ipa2.example.com 8443</SubsystemName>
    </Host>
  </Subsystem>
</DomainInfo>

-- 
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
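
An added example, not part of the original message and not FreeIPA or Dogtag code: a Python script that parses a `domainInfo` response like the one above and lists, per host, which fields are absent or empty. The field list is an assumption taken from the output shown in the message, and the second host in the sample is constructed with fields removed; neither reflects Dogtag's actual schema or the cause of this failure.

```python
import xml.etree.ElementTree as ET

# Element names seen in the <Host> entries of the message above (assumption:
# this is not Dogtag's authoritative schema).
EXPECTED = ("Clone", "DomainManager", "Hostname", "Port", "SecureAdminPort",
            "SecureAgentPort", "SecureEEClientAuthPort", "SecurePort",
            "SubsystemName")

# Constructed sample: ipa1 as in the message; ipa2 altered to lack fields.
SAMPLE = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<DomainInfo id="IPA">
  <Subsystem id="CA">
    <Host id="CA ipa1.example.com 443">
      <Clone>FALSE</Clone><DomainManager>TRUE</DomainManager>
      <Hostname>ipa1.example.com</Hostname><Port>80</Port>
      <SecureAdminPort>443</SecureAdminPort><SecureAgentPort>443</SecureAgentPort>
      <SecureEEClientAuthPort>443</SecureEEClientAuthPort><SecurePort>443</SecurePort>
      <SubsystemName>CA ipa1.example.com 8443</SubsystemName>
    </Host>
    <Host id="CA ipa2.example.com 443">
      <Clone>TRUE</Clone><DomainManager>TRUE</DomainManager>
      <Hostname>ipa2.example.com</Hostname><Port>80</Port>
      <SecureAgentPort>443</SecureAgentPort>
      <SecureEEClientAuthPort>443</SecureEEClientAuthPort><SecurePort>443</SecurePort>
      <SubsystemName></SubsystemName>
    </Host>
  </Subsystem>
</DomainInfo>"""

def parse_domain_info(xml_text):
    """Return {subsystem id: [host field dict, ...]}."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "DomainInfo":
        raise ValueError("not a DomainInfo document")
    domain = {}
    for subsystem in root.findall("Subsystem"):
        hosts = []
        for host in subsystem.findall("Host"):
            fields = {el.tag: (el.text or "").strip() for el in host}
            fields["_id"] = host.get("id", "")  # keep the Host id attribute
            hosts.append(fields)
        domain[subsystem.get("id", "")] = hosts
    return domain

def incomplete_hosts(domain):
    """Return [(subsystem id, host id, [missing or empty fields]), ...]."""
    return [(sub, host["_id"], missing)
            for sub, hosts in domain.items() for host in hosts
            if (missing := [n for n in EXPECTED if not host.get(n)])]
```

Running `incomplete_hosts(parse_domain_info(text))` on the same saved response from the master and from an existing replica makes per-host differences visible at a glance.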