[Freeipa-users] Replica install fails when using --setup-ca

Linov Suresh linov.suresh at gmail.com
Tue Jul 26 16:18:17 UTC 2016


I tried to create a master replica using the option --setup-ca, and it failed
because of "Your system may be partly configured."

Please note we use different ipa packages for the master and the replica.

master:
[root@caer ~]# rpm -q ipa-server
ipa-server-3.0.0-26.el6_4.2.x86_64

replica:

[root@neit-lab01 ~]# rpm -q ipa-server
ipa-server-3.0.0-50.el6.1.x86_64

Is this because ipa-server-3.0.0-50 has the updated feature "Proxy calls to
/ca/ee/ca/profileSubmit to PKI to enable installation of replicas with
Dogtag 10 PKI (#1083878)"?

If yes, how do we fix it? Your help is appreciated.


[root@neit-lab01 ipa]# ipa-replica-install --setup-dns --setup-ca
--no-forwarders /var/lib/ipa/replica-info-neit-lab01.teloip.net.gpg
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'caer.teloip.net':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin@TELOIP.NET password:

Execute check on remote master
Check connection from master to remote replica 'neit-lab01.teloip.net':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

Connection from master to replica is OK.

Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30
seconds
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance
  [3/17]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command
'/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
neit-lab01.teloip.net -cs_port 9445 -client_certdb_dir /tmp/tmp-t5u9YQ
-client_certdb_pwd XXXXXXXX -preop_pin BAoCQwvMxnG4xLdxOKln -domain_name
IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX
-agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
-agent_cert_subject CN=ipa-ca-agent,O=TELOIP.NET -ldap_host
neit-lab01.teloip.net -ldap_port 7389 -bind_dn cn=Directory Manager
-bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048
-key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd
XXXXXXXX -subsystem_name pki-cad -token_name internal
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET
-ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TELOIP.NET
-ca_server_cert_subject_name CN=neit-lab01.teloip.net,O=TELOIP.NET
-ca_audit_signing_cert_subject_name CN=CA Audit,O=TELOIP.NET
-ca_sign_cert_subject_name CN=Certificate Authority,O=TELOIP.NET -external
false -clone true -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX
-sd_hostname caer.teloip.net -sd_admin_port 443 -sd_admin_name admin
-sd_admin_password XXXXXXXX -clone_start_tls true -clone_uri
https://caer.teloip.net:443' returned non-zero exit status 255

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed
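The post suspects that the master and replica run different ipa-server builds. The following pre-flight check is an added example, not part of the original message or of the FreeIPA project: it takes the two `rpm -q ipa-server` strings quoted above (embedded here as constructed input), strips the package name and architecture, compares version and release component by component, and refuses to proceed when the builds differ. Function names (`ipa_vr`, `vercmp`, `check_ipa_builds`) are assumptions, and the comparison is a simplified substitute for rpm's own version logic, good enough for the el6 strings shown here.

```shell
#!/bin/sh
# Added example: compare the ipa-server builds on a master and a replica
# before running ipa-replica-install. Not code from the original post.

# Reduce an rpm NVRA string such as ipa-server-3.0.0-26.el6_4.2.x86_64
# to its VERSION-RELEASE part, "3.0.0-26.el6_4.2".
ipa_vr() {
    printf '%s\n' "$1" | sed -e 's/^ipa-server-//' -e 's/\.[^.]*$//'
}

# Compare two VERSION-RELEASE strings component by component, treating
# '-' and '_' as separators. Prints -1, 0 or 1 when the first is older,
# equal, or newer. expr compares integers numerically and everything
# else (el6, el6_4) lexicographically; a missing component counts as older.
vercmp() {
    a=$(printf '%s.' "$1" | sed 's/[-_]/./g')
    b=$(printf '%s.' "$2" | sed 's/[-_]/./g')
    i=1
    while :; do
        x=$(printf '%s\n' "$a" | cut -s -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -s -d. -f"$i")
        if [ -z "$x" ] && [ -z "$y" ]; then
            echo 0
            return 0
        fi
        if [ "$(expr "$x" \< "$y")" = 1 ]; then
            echo -1
            return 0
        fi
        if [ "$(expr "$x" \> "$y")" = 1 ]; then
            echo 1
            return 0
        fi
        i=$((i + 1))
    done
}

# Report whether the two builds match. Returns 0 when they do and 1 when
# they differ, naming the newer side so the admin knows which host to update.
check_ipa_builds() {
    m=$(ipa_vr "$1")
    r=$(ipa_vr "$2")
    case $(vercmp "$m" "$r") in
        0)  echo "ipa-server builds match ($m)"; return 0 ;;
        1)  echo "master ($m) is newer than replica ($r)" ;;
        -1) echo "replica ($r) is newer than master ($m)" ;;
    esac
    return 1
}

# Constructed input: the two rpm -q outputs quoted in the post. On real hosts
# these would come from `rpm -q ipa-server` run on each side.
MASTER_PKG="ipa-server-3.0.0-26.el6_4.2.x86_64"
REPLICA_PKG="ipa-server-3.0.0-50.el6.1.x86_64"

check_ipa_builds "$MASTER_PKG" "$REPLICA_PKG" ||
    echo "refusing to run ipa-replica-install until both hosts carry the same ipa-server build"
```

Run it before `ipa-replica-install`; with the two strings from the post it reports that the replica build (3.0.0-50.el6.1) is newer than the master's (3.0.0-26.el6_4.2) and exits with the refusal message.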