[Freeipa-users] Redhat/Centos iDM 3.0 to 3.1 upgrade fail

Jim Richard jrichard at placeiq.com
Wed Jan 14 01:59:36 UTC 2015


Carefully following the instructions here:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html

I have split one of my Centos 6.6 based replicas from the main cluster of 4 IDM servers, fully disconnected it from current IDM infrastructure, converted it to a master CA, double checked that I have no dangling/tombstone entries pointing back to other cluster members, ipa-replica-manage list and ipa-replica-manage list-ruv both show no other masters, in short, made absolutely sure that this replica is now a standalone.

I then applied the schema updates via the python script per the above referenced instructions, did "ipa-replica-prepare", deployed a new Centos 7 vm, yum install ipa-server there, scp'd over the replica file.

Next up, "ipa-replica-install --setup-ca".

And that’s where the story ends…..

Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/19]: creating certificate server user
  [2/19]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpM9BzPz' returned non-zero exit status 1

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed


I tried the workaround mentioned here:

https://fedorahosted.org/pki/ticket/816

updated /usr/share/pki/ca/conf/CS.cfg before running ipa-replica-install

But no luck.

Anybody have a clue where I should look?

From pki-ca-spawn.20150114014019.log:
2015-01-14 01:40:32 pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: Failed to obtain installation token from security domain

and in /var/log/pki/pki-tomcat/ca/server I have:

2754.localhost-startStop-1 - [14/Jan/2015:01:40:29 UTC] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
2754.localhost-startStop-1 - [14/Jan/2015:01:40:29 UTC] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value


more info that might help…….


[root at sso-centos7 pki]# certutil -L -d /var/lib/pki/pki-tomcat/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      CTu,Cu,Cu
Certificate Authority - PLACEIQ.NET                          CT,c,

My CS.cfg is attached.


Maybe the fact that my new server is looking at the same DNS and can see the SRV records for the current Centos 6.6/IDM 3.0 cluster is causing a problem ??

Of course I have uninstalled and done this a zillion times:

pkidestroy -s CA -i pki-tomcat
rm -rf /var/log/pki/pki-tomcat
rm -rf /etc/sysconfig/pki-tomcat
rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
rm -rf /var/lib/pki/pki-tomcat
rm -rf /etc/pki/pki-tomcat


I’m at a loss, no idea even where to look at this point.


Thanks in advance for any clues you can provide.




Jim Richard  |  PlaceIQ <http://www.placeiq.com/>  |  Systems Administrator  |  jrichard at placeiq.com  |  +1 (646) 338-8905
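The CA log above complains that "Property internaldb.ldapconn.port missing value". The following is an added example, not code from the original post or from FreeIPA/Dogtag: a small pre-flight check that reads a CS.cfg-style properties file and reports any internal-database connection key with an empty or absent value, so the file can be fixed before ipa-replica-install is run. The key list and sample file contents are assumptions for illustration.

```shell
#!/bin/sh
# Added example: check a CS.cfg-style properties file for the internaldb keys
# that the CA's DirAclAuthz initialization reads. Key list is an assumption.
REQUIRED_KEYS="internaldb.ldapconn.host internaldb.ldapconn.port internaldb.ldapconn.secureConn internaldb.basedn"

# Print the value of key $2 from properties file $1 (format key=value).
# Prints nothing when the key is absent or its value is empty.
cfg_get() {
    sed -n "s/^$(printf '%s' "$2" | sed 's/[.]/\\./g')=//p" "$1" | head -n 1
}

# Return 0 when every required key has a non-empty value, 1 otherwise,
# naming each offending key on stdout.
check_cs_cfg() {
    file=$1
    rc=0
    for key in $REQUIRED_KEYS; do
        val=$(cfg_get "$file" "$key")
        if [ -z "$val" ]; then
            echo "missing value: $key"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample mirroring the logged error: the port is left blank.
SAMPLE_BAD=$(mktemp)
cat > "$SAMPLE_BAD" <<'EOF'
internaldb.ldapconn.host=sso-centos7.example.test
internaldb.ldapconn.port=
internaldb.ldapconn.secureConn=false
internaldb.basedn=o=ipaca
EOF

# Constructed corrected copy with the port filled in.
SAMPLE_OK=$(mktemp)
sed 's/^internaldb\.ldapconn\.port=$/internaldb.ldapconn.port=389/' "$SAMPLE_BAD" > "$SAMPLE_OK"

check_cs_cfg "$SAMPLE_BAD" || echo "fix CS.cfg before running ipa-replica-install"
check_cs_cfg "$SAMPLE_OK" && echo "all internaldb keys present"
```

Point check_cs_cfg at the real /usr/share/pki/ca/conf/CS.cfg (or the generated pkispawn config) to run it against an actual file.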


