[Freeipa-users] Replica install fails when using --setup-ca

Rob Crittenden rcritten at redhat.com
Tue Jul 26 21:25:50 UTC 2016


Linov Suresh wrote:
> I tried to create a master replica using the option --setup-ca. It failed
> with "Your system may be partly configured."
>
> Please note we use different ipa package for master and replica.
>
> master:
> [root at caer ~]# rpm -q ipa-server
> ipa-server-3.0.0-26.el6_4.2.x86_64
>
> replica:
>
> [root at neit-lab01 ~]# rpm -q ipa-server
> ipa-server-3.0.0-50.el6.1.x86_64
>
> Is this because ipa-server-3.0.0-50 has the updated feature "Proxy calls to
> /ca/ee/ca/profileSubmit to PKI to enable installation of replicas with
> Dogtag 10 PKI (#1083878)"?
>
> If yes, how do we fix it? Your help is appreciated.
>
>
> [root at neit-lab01 ipa]# ipa-replica-install --setup-dns --setup-ca
> --no-forwarders /var/lib/ipa/replica-info-neit-lab01.teloip.net.gpg
> Directory Manager (existing master) password:
>
> Run connection check to master
> Check connection from replica to remote master 'caer.teloip.net':
>     Directory Service: Unsecure port (389): OK
>     Directory Service: Secure port (636): OK
>     Kerberos KDC: TCP (88): OK
>     Kerberos Kpasswd: TCP (464): OK
>     HTTP Server: Unsecure port (80): OK
>     HTTP Server: Secure port (443): OK
>     PKI-CA: Directory Service port (7389): OK
>
> The following list of ports use UDP protocol and would need to be
> checked manually:
>     Kerberos KDC: UDP (88): SKIPPED
>     Kerberos Kpasswd: UDP (464): SKIPPED
>
> Connection from replica to master is OK.
> Start listening on required ports for remote master check
> Get credentials to log in to remote master
> admin at TELOIP.NET password:
>
> Execute check on remote master
> Check connection from master to remote replica 'neit-lab01.teloip.net':
>     Directory Service: Unsecure port (389): OK
>     Directory Service: Secure port (636): OK
>     Kerberos KDC: TCP (88): OK
>     Kerberos KDC: UDP (88): OK
>     Kerberos Kpasswd: TCP (464): OK
>     Kerberos Kpasswd: UDP (464): OK
>     HTTP Server: Unsecure port (80): OK
>     HTTP Server: Secure port (443): OK
>     PKI-CA: Directory Service port (7389): OK
>
> Connection from master to replica is OK.
>
> Connection check OK
> Configuring NTP daemon (ntpd)
>    [1/4]: stopping ntpd
>    [2/4]: writing configuration
>    [3/4]: configuring ntpd to start on boot
>    [4/4]: starting ntpd
> Done configuring NTP daemon (ntpd).
> Configuring directory server for the CA (pkids): Estimated time 30 seconds
>    [1/3]: creating directory server user
>    [2/3]: creating directory server instance
>    [3/3]: restarting directory server
> Done configuring directory server for the CA (pkids).
> Configuring certificate server (pki-cad): Estimated time 3 minutes 30
> seconds
>    [1/17]: creating certificate server user
>    [2/17]: creating pki-ca instance
>    [3/17]: configuring certificate server instance
> ipa         : CRITICAL failed to configure ca instance Command
> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
> neit-lab01.teloip.net -cs_port 9445
> -client_certdb_dir /tmp/tmp-t5u9YQ -client_certdb_pwd XXXXXXXX
> -preop_pin BAoCQwvMxnG4xLdxOKln -domain_name IPA -admin_user admin
> -admin_email root at localhost -admin_password XXXXXXXX -agent_name
> ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
> -agent_cert_subject CN=ipa-ca-agent,O=TELOIP.NET
> -ldap_host neit-lab01.teloip.net
> -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX
> -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa
> -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX
> -subsystem_name pki-cad -token_name internal
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET
> -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TELOIP.NET
> -ca_server_cert_subject_name CN=neit-lab01.teloip.net,O=TELOIP.NET
> -ca_audit_signing_cert_subject_name CN=CA Audit,O=TELOIP.NET
> -ca_sign_cert_subject_name CN=Certificate Authority,O=TELOIP.NET
> -external false -clone true
> -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX -sd_hostname
> caer.teloip.net -sd_admin_port 443
> -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true
> -clone_uri https://caer.teloip.net:443' returned non-zero exit status 255
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Configuration of CA failed
>
>

You need to look at the dogtag logs to see any reasonable errors. IPA 
doesn't get much back from the dogtag installer except a pass/fail 
(especially in 3.x).

rob
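Where to look next, as an added example that is not part of this thread and not FreeIPA or Dogtag project code: a small shell helper that pulls the failure lines (with a little context) out of a Dogtag CA log, since IPA 3.x only reports the pkisilent exit status. The log paths named in the comments (/var/log/pki-ca/debug for a pki-cad instance, /var/log/ipareplica-ca-install.log for IPA's own CA step) are assumptions for an EL6 host and should be checked locally; the sample log embedded in demo_log is constructed for illustration and is not output from the poster's system.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the FreeIPA project.
# Assumed log locations on an EL6 replica running pki-cad (verify locally):
#   /var/log/pki-ca/debug                Dogtag CA debug log
#   /var/log/ipareplica-ca-install.log   IPA's log of the CA install step

# Print every line matching the usual Dogtag/Java failure markers, numbered,
# with the two preceding lines for context. Exit status follows grep:
# 0 when something matched, 1 when nothing did, 2 when the file is unreadable.
ca_errors() {
    log="$1"
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }
    grep -n -B2 -E 'SEVERE|ERROR|Exception|FAILED|errorString' "$log"
}

# Count only the matching lines (context lines and "--" separators excluded),
# so a caller can decide whether there is anything worth reading.
ca_error_count() {
    ca_errors "$1" | grep -c -E 'SEVERE|ERROR|Exception|FAILED|errorString'
}

# Constructed sample of a CA debug log from a failed clone install; the
# wording is illustrative only and does not describe the poster's failure.
demo_log() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
[26/Jul/2016:16:01:12] init: CMS engine started
[26/Jul/2016:16:01:13] http-9445: ConfigureCA: clone=true sd_hostname=caer.teloip.net
[26/Jul/2016:16:01:14] http-9445: importing clone_p12_file ca.p12
[26/Jul/2016:16:01:15] http-9445: ERROR: clone configuration panel failed
[26/Jul/2016:16:01:15] http-9445: java.io.IOException: configuration step returned an error
EOF
    echo "$tmp"
}

# Usage on a real host:  ca_errors /var/log/pki-ca/debug
# Usage on the sample:
if [ "${1:-}" = "demo" ]; then
    f=$(demo_log)
    ca_errors "$f"
    echo "matching lines: $(ca_error_count "$f")"
    rm -f "$f"
fi
```

Run it against /var/log/pki-ca/debug right after the failed ipa-replica-install, before any --uninstall, since the cleanup removes the pki-cad instance and its logs along with it.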



