[Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

Dan.Finkelstein at high5games.com Dan.Finkelstein at high5games.com
Wed Jun 1 16:45:10 UTC 2016


Hi folks,
As the subject suggests, we're converting from FreeIPA 3.0.0 on CentOS 6 to 4.2.0 on CentOS 7. The way we're doing it is to create FreeIPA replicas in CentOS 7 and then hope to promote one of them to the CA master. I'm running into two problems:

The first is that when we create a replica in FreeIPA 4.2.0 with the --setup-ca option, that portion fails. Here's a snippet of the output:
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/23]: creating certificate server user
  [2/23]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpqPeYOW'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Second, I've tried a "trick" where I run an ipa-backup on the 4.2.0 replica and then restore it, hoping to convince the server that it's now a master. When I try to run ipa-replica-prepare, it quickly exits with the mysterious "no such entry" error:

[root@ipa ~]# ipa-replica-prepare ipa4test.example.local --ip-address 10.55.10.36
Directory Manager (existing master) password:

Preparing replica for ipa4test.example.local from ipa.example.local
no such entry

Ideas, suggestions, and help are very welcome!

Best regards,
Dan



Daniel Alex Finkelstein| Senior Dev Ops Engineer
Dan.Finkelstein at h5g.com<mailto:Dan.Finkelstein at h5g.com> | 212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com<http://www.high5games.com/>