[Freeipa-users] FreeIPA update guidance

B.harries b.harries at protonmail.com
Mon Apr 24 14:18:20 UTC 2017


Hi All,

As you might be interested, today we re-attempted to create a replica. Apparently, exactly the same problem was reported to Red Hat Bugzilla ten days ago: https://bugzilla.redhat.com/show_bug.cgi?id=1432016

Our replica install also fails on the following point:

[...]
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
[1/27]: creating certificate server user
[2/27]: configuring certificate server instance
[3/27]: stopping certificate server instance to update CS.cfg
[4/27]: backing up CS.cfg
[5/27]: disabling nonces
[6/27]: set up CRL publishing
[7/27]: enable PKIX certificate path discovery and validation
[8/27]: starting certificate server instance
< hangs here indefinitely >

At this moment we are thus stuck and waiting for the new package to be released.

Thanks for the pointers!

Bennie

-------- Original Message --------
Subject: Re: [Freeipa-users] FreeIPA update guidance
Local Time: 21 April 2017 5:55 PM
UTC Time: 21 April 2017 15:55
From: b.harries at protonmail.com
To: Jochen Hein <jochen at jochen.org>
freeipa-users@redhat.com <freeipa-users at redhat.com>

Hi Jochen,

Thanks for your quick reply! As I just left the office I don't have the log ATM. The installation however failed after setting up the Tomcat PKI service, where the ipa-replica-install script was waiting for the service to come up. While manually trying to reach the service using Curl, I also never got a response. After running the Tomcat PKI service manually, I got an error stating that the user "cn=<replica>,cn=config" doesn't exist in the directory. When manually querying the directory I noticed the same; it did however exist with an additional CN. I will retry the replication exercise next Monday and hopefully your tip will help me. Then I can also provide the logs. I will keep you updated!

Thanks,

Bennie

-------- Original Message --------
Subject: Re: [Freeipa-users] FreeIPA update guidance
Local Time: April 21, 2017 5:29 PM
UTC Time: April 21, 2017 3:29 PM
From: jochen at jochen.org
To: B.harries <b.harries at protonmail.com>
freeipa-users@redhat.com <freeipa-users at redhat.com>

"B.harries" <b.harries at protonmail.com> writes:

> Second attempt
> We then tried to install a fresh CentOS server, having FreeIPA version
> 4.4 and attaching it as a second master to our IPA instance. This
> however didn't work out as well,

I did that to move my installation from Fedora to CentOS - it worked
quite well. First adding a replica failed, because python-jwcrypto on
CentOS is quite old. I've installed the package from Fedora
(python-jwcrypto-0.3.2-1.fc23.noarch.rpm) and all went well. After I
decommissioned the Fedora system I've downgraded the package again.

That's what I found:
https://www.redhat.com/archives/freeipa-users/2016-December/msg00024.html
(Re: [Freeipa-users] Add 4.4 replica to 4.3 server fails)

Can you provide logs/messages what didn't work?

Jochen

--
This space is intentionally left blank.