[Freeipa-users] Redhat/Centos iDM 3.0 to 3.1 upgrade fail
Jim Richard
jrichard at placeiq.com
Wed Jan 14 01:59:36 UTC 2015
Carefully following the instructions here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
I have split one of my Centos 6.6 based replicas from the main cluster of 4 IDM servers, fully disconnected it from current IDM infrastructure, converted it to a master CA, and double checked that I have no dangling/tombstone entries pointing back to other cluster members. ipa-replica-manage list and ipa-replica-manage list-ruv both show no other masters. In short, I made absolutely sure that this replica is now a standalone.
I then applied the schema updates via the python script per the above referenced instructions, did “ipa-replica-prepare”, deployed a new Centos 7 vm, yum install ipa-server there, scp’d over the replica file.
Next up, “ipa-replica-install --setup-ca”.
And that’s where the story ends...
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
[1/19]: creating certificate server user
[2/19]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpM9BzPz' returned non-zero exit status 1
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Configuration of CA failed
I tried the workaround mentioned here:
https://fedorahosted.org/pki/ticket/816
Updated /usr/share/pki/ca/conf/CS.cfg before running ipa-replica-install.
But no luck.
Anybody have a clue where I should look?
From pki-ca-spawn.20150114014019.log:
2015-01-14 01:40:32 pkispawn : ERROR ....... Exception from Java Configuration Servlet: Failed to obtain installation token from security domain
and in /var/log/pki/pki-tomcat/ca/server I have:
2754.localhost-startStop-1 - [14/Jan/2015:01:40:29 UTC] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
2754.localhost-startStop-1 - [14/Jan/2015:01:40:29 UTC] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
More info that might help:
[root@sso-centos7 pki]# certutil -L -d /var/lib/pki/pki-tomcat/alias
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
Server-Cert cert-pki-ca                                      CTu,Cu,Cu
Certificate Authority - PLACEIQ.NET                          CT,c,
My CS.cfg is attached.
Maybe the fact that my new server is looking at the same DNS and can see the SRV records for the current Centos 6.6/IDM 3.0 cluster is causing a problem?
Of course I have uninstalled and done this a zillion times:
pkidestroy -s CA -i pki-tomcat
rm -rf /var/log/pki/pki-tomcat
rm -rf /etc/sysconfig/pki-tomcat
rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
rm -rf /var/lib/pki/pki-tomcat
rm -rf /etc/pki/pki-tomcat
I’m at a loss, no idea even where to look at this point.
Thanks in advance for any clues you can provide.
Jim Richard | PlaceIQ | Systems Administrator | jrichard at placeiq.com | +1 (646) 338-8905
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CS.cfg
Type: application/octet-stream
Size: 72966 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150113/bc3e2869/attachment.obj>