[Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master
Sebastian Schäfer
sebastian.schaefer at dlr.de
Thu Jun 2 06:59:21 UTC 2016
Hi Dan,
I had a similar problem when updating my FreeIPA. In my case it turned
out that the certificates that get bundled with the replica preparation
file were expired. This is due to the /root/cacert.p12 file not being
updated during the preparation process until FreeIPA 3.2.2.
The file can be recreated with the commands from step 2 of
http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
If that does not solve the problem, it would be good to see (part of)
the actual logfiles of your replica installation attempt.
Best regards
--
Sebastian Schäfer, M. A.
-------------------------------
Deutsches Zentrum für Luft- und Raumfahrt e.V. (DLR)
Institute of Space Operations and Astronaut Training
Microgravity User Support Center (MUSC)
Linder Höhe | 51147 Köln
Telefon 02203 601-30 01 | Telefax: 02203 61471 | sebastian.schaefer at dlr.de
www.DLR.de
On 06/01/2016 06:45 PM, Dan.Finkelstein at high5games.com wrote:
> Hi folks,
>
> As the subject suggests, we're converting from FreeIPA 3.0.0 on CentOS 6
> to 4.2.0 on CentOS 7. The way we're doing it is to create FreeIPA
> replicas in CentOS 7 and then hope to promote one of them to the CA
> master. I'm running into two problems:
>
>
>
> The first is that when we create a replica in FreeIPA 4.2.0 with the
> --setup-ca option, that portion fails. Here's a snippet of the output:
>
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
> 30 seconds
>
> [1/23]: creating certificate server user
>
> [2/23]: configuring certificate server instance
>
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
> configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f'
> '/tmp/tmpqPeYOW'' returned non-zero exit status 1
>
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
> installation logs and the following files/directories for more information:
>
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
> /var/log/pki-ca-install.log
>
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
> /var/log/pki/pki-tomcat
>
> [error] RuntimeError: CA configuration failed.
>
> Your system may be partly configured.
>
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
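
One way to check the condition described in the reply (expired certificates inside the /root/cacert.p12 bundle) before preparing a replica, as an added example that is not part of the original thread. The function name check_p12_expiry and the password-file argument are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). check_p12_expiry is a hypothetical helper.
# Usage: check_p12_expiry P12_FILE PASSWORD_FILE [DAYS]
# Prints "STATUS<TAB>notAfter<TAB>subject" for every certificate in the bundle;
# STATUS is EXPIRING when a cert is expired or expires within DAYS days.
# Returns 0 if all stay valid for DAYS more days, 1 if any does not,
# 2 if the bundle cannot be read or holds no certificate.
check_p12_expiry() {
    local p12="$1" passfile="$2" days="${3:-0}"
    local tmpdir rc=0 cert status
    tmpdir=$(mktemp -d) || return 2
    # -nokeys: extract certificates only, never the private keys.
    # Bundles written by old releases may also need -legacy on OpenSSL 3.x.
    if ! openssl pkcs12 -in "$p12" -nokeys -passin "file:$passfile" \
            -out "$tmpdir/all.pem" 2>/dev/null; then
        rm -rf "$tmpdir"
        return 2
    fi
    # Split the PEM output into one file per certificate.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$tmpdir/all.pem"
    for cert in "$tmpdir"/cert*.pem; do
        [ -e "$cert" ] || { rc=2; break; }
        # -checkend N exits non-zero if the cert expires within N seconds.
        if openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null; then
            status=OK
        else
            status=EXPIRING
            rc=1
        fi
        printf '%s\t%s\t%s\n' "$status" \
            "$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)" \
            "$(openssl x509 -in "$cert" -noout -subject)"
    done
    rm -rf "$tmpdir"
    return "$rc"
}
```

With DAYS set to 0 the function flags only certificates that have already expired; a larger value gives advance warning before the replica file is prepared.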