[Freeipa-users] Redhat/Centos iDM 3.0 to 3.1 upgrade fail

Endi Sukma Dewata edewata at redhat.com
Thu Jan 15 01:31:12 UTC 2015


Hi,

I need some information from you. Which versions of the PKI packages 
are you using on the CentOS 6.6 and 7.0 machines? Could you email 
me the PKI CA debug logs (/var/log/pki-ca/debug or 
/var/log/pki/pki-tomcat/ca/debug) from both machines?

There's a possibility it may be related to this ticket:
https://fedorahosted.org/pki/ticket/1235

Thanks.

-- 
Endi S. Dewata

On 1/13/2015 7:59 PM, Jim Richard wrote:
> Carefully following the instructions here:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
>
> I have split one of my CentOS 6.6 based replicas from the main cluster
> of 4 IDM servers, fully disconnected it from current IDM infrastructure,
> converted it to a master CA, double checked that I have no
> dangling/tombstone entries pointing back to other cluster members,
> ipa-replica-manage list and ipa-replica-manage list-ruv both show no
> other masters, in short, made absolutely sure that this replica is now a
> standalone.
>
> I then applied the schema updates via the python script per the above
> referenced instructions, did “ipa-replica-prepare”, deployed a new
> Centos 7 vm, yum install ipa-server there, scp’d over the replica file.
>
> Next up, "ipa-replica-install --setup-ca”.
>
> And that’s where the story ends…..
>
> Done configuring directory server (dirsrv).
> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
> 30 seconds
>    [1/19]: creating certificate server user
>    [2/19]: configuring certificate server instance
> ipa         : CRITICAL failed to configure ca instance Command
> '/usr/sbin/pkispawn -s CA -f /tmp/tmpM9BzPz' returned non-zero exit status 1
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Configuration of CA failed
>
>
> I tried the workaround mentioned here:
>
> https://fedorahosted.org/pki/ticket/816
>
> updated /usr/share/pki/ca/conf/CS.cfg before running ipa-replica-install
>
> But no luck.
>
> Anybody have a clue where I should look?
>
> From pki-ca-spawn.20150114014019.log:
> 2015-01-14 01:40:32 pkispawn    : ERROR    ....... Exception from Java
> Configuration Servlet: Failed to obtain installation token from security
> domain
>
> and in /var/log/pki/pki-tomcat/ca/server I have:
>
> 2754.localhost-startStop-1 - [14/Jan/2015:01:40:29 UTC] [3] [3] Cannot
> build CA chain. Error java.security.cert.CertificateException:
> Certificate is not a PKCS #11 certificate
> 2754.localhost-startStop-1 - [14/Jan/2015:01:40:29 UTC] [13] [3] authz
> instance DirAclAuthz initialization failed and skipped, error=Property
> internaldb.ldapconn.port missing value
>
>
> more info that might help…….
>
>
> [root@sso-centos7 pki]# certutil -L -d /var/lib/pki/pki-tomcat/alias
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> Server-Cert cert-pki-ca                                      CTu,Cu,Cu
> Certificate Authority - PLACEIQ.NET                          CT,c,
>
> My CS.cfg is attached.
>
>
>
> Maybe the fact that my new server is looking at the same DNS and can see
> the SRV records for the current Centos 6.6/IDM 3.0 cluster is causing a
> problem ??
>
> Of course I have uninstalled and done this a zillion times:
>
> pkidestroy -s CA -i pki-tomcat
> rm -rf /var/log/pki/pki-tomcat
> rm -rf /etc/sysconfig/pki-tomcat
> rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
> rm -rf /var/lib/pki/pki-tomcat
> rm -rf /etc/pki/pki-tomcat
>
>
> I’m at a loss, no idea even where to look at this point.
>
>
> Thanks in advance for any clues you can provide.
>
>
>
>
> Jim Richard | PlaceIQ | Systems Administrator | jrichard at placeiq.com | +1 (646) 338-8905
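As an added example (not from this thread, nor code from the FreeIPA or Dogtag projects), a small POSIX shell helper that parses the `certutil -L` listing and the pkispawn log quoted above, so the NSS trust flags of each certificate and the spawn error can be checked from a script rather than read by eye; the sample data in demo() and the EXAMPLE.TEST CA nickname are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: helpers for triaging a failed
# "ipa-replica-install --setup-ca" run. They parse the NSS DB listing from
# "certutil -L -d /var/lib/pki/pki-tomcat/alias" and the pkispawn log.
# The sample data in demo() is constructed to mirror the thread, not real.

# Print "nickname|trust" for each certificate line of certutil -L output.
# The trust triple is ssl,email,objectsigning built from the flags CTPpcuw.
nss_trust_flags() {
    sed -n -E 's/^(.*[^ ]) +([CTPpcuw]*,[CTPpcuw]*,[CTPpcuw]*)$/\1|\2/p' "$1"
}

# Return 0 if nickname $2 carries flag $4 in slot $3 (ssl|email|objsign).
# 'u' marks a certificate whose private key is present in the database.
has_trust_flag() {
    db="$1"; nick="$2"; slot="$3"; flag="$4"
    case "$slot" in ssl) n=1 ;; email) n=2 ;; objsign) n=3 ;; *) return 2 ;; esac
    trust=$(nss_trust_flags "$db" | awk -F'|' -v k="$nick" '$1 == k { print $2 }')
    field=$(printf '%s\n' "$trust" | cut -d, -f"$n")
    case "$field" in *"$flag"*) return 0 ;; *) return 1 ;; esac
}

# Print the message of every pkispawn ERROR line, timestamp and dots removed.
spawn_errors() {
    sed -n -E 's/^[0-9-]+ [0-9:]+ pkispawn +: ERROR +\.* *//p' "$1"
}

demo() {
    tmp=$(mktemp -d)
    cat >"$tmp/alias.txt" <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      CTu,Cu,Cu
Certificate Authority - EXAMPLE.TEST                         CT,c,
EOF
    cat >"$tmp/spawn.log" <<'EOF'
2015-01-14 01:40:32 pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: Failed to obtain installation token from security domain
EOF
    nss_trust_flags "$tmp/alias.txt"
    if has_trust_flag "$tmp/alias.txt" "Certificate Authority - EXAMPLE.TEST" ssl u; then
        echo "CA certificate has its private key in this NSS DB"
    else
        echo "CA certificate is present without a private key ('u' flag) in this NSS DB"
    fi
    spawn_errors "$tmp/spawn.log"
    rm -rf "$tmp"
}

demo
```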