[Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

Sebastian Schäfer sebastian.schaefer at dlr.de
Thu Jun 2 06:59:21 UTC 2016


Hi Dan,

I had a similar problem when updating my FreeIPA. In my case it turned
out that the certificates that get bundled with the replica preparation
file were expired. This is due to the /root/cacert.p12 file not being
updated during the preparation process until FreeIPA 3.2.2.

The file can be recreated with the commands from step 2 of
http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

If that does not solve the problem, it would be good to see (part of)
the actual logfiles of your replica installation attempt.

Best regards
--
Sebastian Schäfer, M. A.
-------------------------------
Deutsches Zentrum für Luft- und Raumfahrt e.V. (DLR)
Institute of Space Operations and Astronaut Training
Microgravity User Support Center (MUSC)
Linder Höhe | 51147 Köln

Telefon 02203 601-30 01 | Telefax: 02203 61471 | sebastian.schaefer at dlr.de
www.DLR.de

On 06/01/2016 06:45 PM, Dan.Finkelstein at high5games.com wrote:
> Hi folks,
> 
> As the subject suggests, we're converting from FreeIPA 3.0.0 on CentOS 6
> to 4.2.0 on CentOS 7. The way we're doing it is to create FreeIPA
> replicas in CentOS 7 and then hope to promote one of them to the CA
> master. I'm running into two problems:
>
> The first is that when we create a replica in FreeIPA 4.2.0 with the
> --setup-ca option, that portion fails. Here's a snippet of the output:
> 
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
> 30 seconds
> 
>   [1/23]: creating certificate server user
> 
>   [2/23]: configuring certificate server instance
> 
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
> configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f'
> '/tmp/tmpqPeYOW'' returned non-zero exit status 1
> 
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
> installation logs and the following files/directories for more information:
> 
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL  
> /var/log/pki-ca-install.log
> 
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL  
> /var/log/pki/pki-tomcat
> 
>   [error] RuntimeError: CA configuration failed.
> 
> Your system may be partly configured.
> 
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
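
Added example (not part of the original message and not FreeIPA's own code): a way to check whether the certificates inside a PKCS#12 bundle such as /root/cacert.p12 have expired, which is the cause described in the reply above. The function names and the password-file argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list every certificate in a PKCS#12 bundle with its expiry.
# Exit status: 0 = all valid past the window, 1 = at least one is not, 2 = error.

# pem_expiry_report BUNDLE.pem [WINDOW_SECONDS]
pem_expiry_report() {
    bundle=$1; window=${2:-0}; status=0; found=0
    workdir=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate.
    awk -v d="$workdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%03d.pem", d, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"
    for cert in "$workdir"/cert-*.pem; do
        [ -e "$cert" ] || break
        found=1
        subject=$(openssl x509 -in "$cert" -noout -subject)
        enddate=$(openssl x509 -in "$cert" -noout -enddate)
        # -checkend N exits non-zero if the certificate expires within N seconds.
        if openssl x509 -in "$cert" -noout -checkend "$window" >/dev/null; then
            echo "OK    $enddate  $subject"
        else
            echo "FAIL  $enddate  $subject"
            status=1
        fi
    done
    rm -rf "$workdir"
    [ "$found" -eq 1 ] || { echo "no certificates found in $bundle" >&2; return 2; }
    return "$status"
}

# p12_expiry_report FILE.p12 PASSWORD_FILE [WINDOW_SECONDS]
# PASSWORD_FILE (an assumption of this example) holds the bundle password.
p12_expiry_report() {
    p12=$1; passfile=$2; window=${3:-0}; rc=0
    pem=$(mktemp) || return 2
    # -nokeys: extract certificates only, never the private keys.
    if ! openssl pkcs12 -in "$p12" -nokeys -passin "file:$passfile" \
            -out "$pem" 2>/dev/null; then
        rm -f "$pem"
        echo "cannot open $p12 (wrong password or not PKCS#12?)" >&2
        return 2
    fi
    pem_expiry_report "$pem" "$window" || rc=$?
    rm -f "$pem"
    return "$rc"
}
```

Run it as `p12_expiry_report /root/cacert.p12 PASSWORD_FILE` before preparing the replica file; a third argument of 2592000 also flags certificates that expire within 30 days. With OpenSSL 3, a bundle written with older algorithms may need `-legacy` added to the `openssl pkcs12` call.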



