<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<br>
<div class="moz-cite-prefix">On 11.02.2016 11:05, Martin Basti
wrote:<br>
</div>
<blockquote cite="mid:56BC5CE9.7080402@redhat.com" type="cite">
Hello,<br>
comments inline.<br>
<br>
<div class="moz-cite-prefix">On 11.02.2016 10:46, Quasar wrote:<br>
</div>
<blockquote
cite="mid:CA+uTVjJAnb8sc=97FcteYeyr_2e_uA3jTGmkvX1fFN-AEC=AKQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_default"
style="font-family:verdana,sans-serif">Hi, I desperately
need your help/advice with our ipa update process.<br>
Briefly, we'd like to update our IPA 3.0 installation based
on CentOS 6.7 to a newer version, and I read that the way of
doing it is to create a new replica with a newer version of
IPA server.<br>
Before writing this post, I browsed for similar issues
(there are many of them with similar outcome) and tried to
apply the suggested solutions but no luck. I also tried
previous versions of Fedora (18 and 19) but again no luck.<br>
It seems I'm stuck and I don't know how to proceed :(<br>
<br>
Thank you in advance to anyone who will take the time to
read my message :) Let's start!<br>
<br>
Right now we have a single running on Centos 6.7, and we are
planning to create a replica with Fedora 20 which has IPA
3.3<br>
</div>
</div>
</blockquote>
<br>
Fedora 20 is end of life, why do you use that old Fedora?<br>
Why not CentOS 7 or F23?<br>
<br>
The upgrade path from CentOS to Fedora is supported or tested; there
might be issues because the versions of FreeIPA are different due to
backporting patches to CentOS<br>
</blockquote>
* is NOT supported<br>
<br>
sorry<br>
<blockquote cite="mid:56BC5CE9.7080402@redhat.com" type="cite"> <br>
I suggest using the new FreeIPA 4.2 on CentOS 7.<br>
<blockquote
cite="mid:CA+uTVjJAnb8sc=97FcteYeyr_2e_uA3jTGmkvX1fFN-AEC=AKQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_default"
style="font-family:verdana,sans-serif"><br>
Here are the details of the master (CentOS 6.7, hostname
ipaserver)<br>
<span style="font-family:monospace,monospace">[root@ipaserver
~]# uname -a<br>
Linux ipaserver.it.fx.lan 2.6.32-279.el6.x86_64 #1 SMP Fri
Jun 22 12:19:21 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux<br>
<br>
[root@ipaserver ~]# rpm -qa|grep -E
'freeipa-server|pki-ca'<br>
ipa-pki-ca-theme-9.0.3-7.el6.noarch<br>
pki-ca-9.0.3-43.el6.noarch</span><br>
<br>
And here are the details of the replica (Fedora 20,
hostname ipaserver-ha2)<br>
<span style="font-family:monospace,monospace">[root@ipaserver-ha2
~]# uname -a<br>
Linux ipaserver-ha2.it.fx.lan 3.19.8-100.fc20.x86_64 #1
SMP Tue May 12 17:08:50 UTC 2015 x86_64 x86_64 x86_64
GNU/Linux<br>
<br>
[root@ipaserver-ha2 ~]# rpm -qa|grep -E
'freeipa-server|pki-ca'<br>
pki-ca-10.1.2-7.fc20.noarch<br>
freeipa-server-3.3.5-1.fc20.x86_64<br>
</span><br>
Here are the steps I made:<br>
Before starting the replica I updated the schema of the
master with the copy-schema-to-ca.py script<br>
I prepared the replica certificates on the server
("ipa-replica-prepare ipaserver-ha2.it.fx.lan --ip-address
10.0.0.10") and transferred them to the replica server, into the
same folder<br>
Then I ran the replica install and here's the output:<br>
<span style="font-family:monospace,monospace">[root@ipaserver-ha2
~]# ipa-replica-install --setup-ca --setup-dns
--no-forwarders --no-ntp
/var/lib/ipa/replica-info-ipaserver-ha2.it.fx.lan.gpg <br>
Directory Manager (existing master) password: <br>
<br>
Run connection check to master<br>
Check connection from replica to remote master
'ipaserver.it.fx.lan':<br>
Directory Service: Unsecure port (389): OK<br>
Directory Service: Secure port (636): OK<br>
Kerberos KDC: TCP (88): OK<br>
Kerberos Kpasswd: TCP (464): OK<br>
HTTP Server: Unsecure port (80): OK<br>
HTTP Server: Secure port (443): OK<br>
PKI-CA: Directory Service port (7389): OK<br>
<br>
The following list of ports use UDP protocol and would
need to be<br>
checked manually:<br>
Kerberos KDC: UDP (88): SKIPPED<br>
Kerberos Kpasswd: UDP (464): SKIPPED<br>
<br>
Connection from replica to master is OK.<br>
Start listening on required ports for remote master check<br>
Get credentials to log in to remote master<br>
<a moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:admin@IT.FX.LAN">admin@IT.FX.LAN</a>
password: <br>
<br>
Check SSH connection to remote master<br>
Execute check on remote master<br>
Check connection from master to remote replica
'ipaserver-ha2.it.fx.lan':<br>
Directory Service: Unsecure port (389): OK<br>
Directory Service: Secure port (636): OK<br>
Kerberos KDC: TCP (88): OK<br>
Kerberos KDC: UDP (88): OK<br>
Kerberos Kpasswd: TCP (464): OK<br>
Kerberos Kpasswd: UDP (464): OK<br>
HTTP Server: Unsecure port (80): OK<br>
HTTP Server: Secure port (443): OK<br>
<br>
Connection from master to replica is OK.<br>
<br>
Connection check OK<br>
Configuring directory server (dirsrv): Estimated time 1
minute<br>
[1/34]: creating directory server user<br>
[2/34]: creating directory server instance<br>
[3/34]: adding default schema<br>
[4/34]: enabling memberof plugin<br>
[5/34]: enabling winsync plugin<br>
[6/34]: configuring replication version plugin<br>
[7/34]: enabling IPA enrollment plugin<br>
[8/34]: enabling ldapi<br>
[9/34]: configuring uniqueness plugin<br>
[10/34]: configuring uuid plugin<br>
[11/34]: configuring modrdn plugin<br>
[12/34]: configuring DNS plugin<br>
[13/34]: enabling entryUSN plugin<br>
[14/34]: configuring lockout plugin<br>
[15/34]: creating indices<br>
[16/34]: enabling referential integrity plugin<br>
[17/34]: configuring ssl for ds instance<br>
[18/34]: configuring certmap.conf<br>
[19/34]: configure autobind for root<br>
[20/34]: configure new location for managed entries<br>
[21/34]: configure dirsrv ccache<br>
[22/34]: enable SASL mapping fallback<br>
[23/34]: restarting directory server<br>
[24/34]: setting up initial replication<br>
Starting replication, please wait until this has
completed.<br>
Update in progress, 3 seconds elapsed<br>
Update succeeded<br>
<br>
[25/34]: updating schema<br>
[26/34]: setting Auto Member configuration<br>
[27/34]: enabling S4U2Proxy delegation<br>
[28/34]: initializing group membership<br>
[29/34]: adding master entry<br>
[30/34]: configuring Posix uid/gid generation<br>
[31/34]: adding replication acis<br>
[32/34]: enabling compatibility plugin<br>
[33/34]: tuning directory server<br>
[34/34]: configuring directory to start on boot<br>
Done configuring directory server (dirsrv).<br>
Configuring certificate server (pki-tomcatd): Estimated
time 3 minutes 30 seconds<br>
[1/19]: creating certificate server user<br>
[2/19]: configuring certificate server instance<br>
ipa : CRITICAL failed to configure ca instance
Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpoqFGBW'
returned non-zero exit status 1<br>
<br>
Your system may be partly configured.<br>
Run /usr/sbin/ipa-server-install --uninstall to clean up.<br>
<br>
Configuration of CA failed</span><br>
<br>
<br>
Log files on the replica server are attached.<br>
<br>
<br>
On the master I extracted the access log of the HTTP server:<br>
<span style="font-family:monospace,monospace">10.0.0.10 - -
[09/Feb/2016:15:30:23 +0100] "GET
/ca/rest/securityDomain/domainInfo HTTP/1.1" 404 317<br>
10.0.0.10 - - [09/Feb/2016:15:30:23 +0100] "GET
/ca/admin/ca/getDomainXML HTTP/1.1" 200 1593<br>
10.0.0.10 - - [09/Feb/2016:15:30:23 +0100] "GET
/ca/rest/account/login HTTP/1.1" 404 305<br>
10.0.0.10 - - [09/Feb/2016:15:30:45 +0100] "POST
/ca/admin/ca/getCertChain HTTP/1.0" 200 1410<br>
10.0.0.10 - - [09/Feb/2016:15:30:46 +0100] "GET
/ca/rest/account/login HTTP/1.1" 404 305<br>
10.0.0.10 - - [09/Feb/2016:15:30:46 +0100] "POST
/ca/admin/ca/getCookie HTTP/1.1" 200 4092<br>
10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST
/ca/admin/ca/getDomainXML HTTP/1.0" 200 1593<br>
10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST
/ca/admin/ca/getCertChain HTTP/1.0" 200 1410<br>
10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST
/ca/admin/ca/updateNumberRange HTTP/1.0" 404 313<br>
10.0.0.8 - - [09/Feb/2016:15:30:47 +0100] "POST
/ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154<br>
10.0.0.10 - - [09/Feb/2016:15:30:48 +0100] "POST
/ca/admin/ca/updateNumberRange HTTP/1.0" 404 313<br>
10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST
/ca/ee/ca/updateNumberRange HTTP/1.0" 200 163<br>
10.0.0.8 - - [09/Feb/2016:15:30:48 +0100] "POST
/ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154<br>
10.0.0.10 - - [09/Feb/2016:15:30:48 +0100] "POST
/ca/ee/ca/updateNumberRange HTTP/1.0" 200 163<br>
10.0.0.10 - - [09/Feb/2016:15:30:49 +0100] "POST
/ca/admin/ca/updateNumberRange HTTP/1.0" 404 313<br>
10.0.0.8 - - [09/Feb/2016:15:30:49 +0100] "POST
/ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154<br>
10.0.0.10 - - [09/Feb/2016:15:30:49 +0100] "POST
/ca/ee/ca/updateNumberRange HTTP/1.0" 200 157<br>
10.0.0.8 - - [09/Feb/2016:15:30:50 +0100] "POST
/ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154<br>
10.0.0.10 - - [09/Feb/2016:15:30:50 +0100] "POST
/ca/admin/ca/getConfigEntries HTTP/1.0" 200 13746<br>
10.0.0.8 - - [09/Feb/2016:15:31:41 +0100] "POST
/ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154<br>
10.0.0.10 - - [09/Feb/2016:15:31:41 +0100] "POST
/ca/ee/ca/profileSubmit HTTP/1.0" 200 1459<br>
10.0.0.10 - - [09/Feb/2016:15:31:42 +0100] "POST
/ca/admin/ca/getDomainXML HTTP/1.0" 200 1593<br>
10.0.0.10 - - [09/Feb/2016:15:31:42 +0100] "POST
/ca/admin/ca/updateDomainXML HTTP/1.0" 404 311<br>
10.0.0.10 - - [09/Feb/2016:15:31:42 +0100] "POST
/ca/agent/ca/updateDomainXML HTTP/1.0" 200 115</span><br>
<br clear="all">
</div>
</div>
</blockquote>
Can you post the debug log of the CA?<br>
/var/log/pki/pki-tomcat/ca/debug<br>
<br>
It may contain more information<br>
<br>
Martin<br>
<blockquote
cite="mid:CA+uTVjJAnb8sc=97FcteYeyr_2e_uA3jTGmkvX1fFN-AEC=AKQ@mail.gmail.com"
type="cite">
<div dir="ltr"><br>
-- <br>
<div class="gmail_signature">
<div dir="ltr"><span style="font-family:verdana,sans-serif">Giuseppe
Calignano</span><br>
</div>
</div>
</div>
<br>
<br>
</blockquote>
<br>
<br>
<br>
</blockquote>
<br>
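As an added illustration (not part of the original thread, and not FreeIPA or Dogtag code), the following Python script parses the access-log lines quoted in the post above and reports which CA endpoints the replica installer asked for that the master never served, and which of those 404s were immediately followed by a successful request to a legacy servlet path. The log lines are embedded verbatim from the post; treating 10.0.0.10 as the replica follows from the <code>--ip-address</code> given in the post, while treating 10.0.0.8 as the master itself is an assumption of this example, as is the "fallback" heuristic (a later 2xx request from the same client for a path with the same final segment), which is not documented installer behaviour.

```python
import re
from collections import Counter

# Apache access-log lines quoted in the post above, embedded verbatim so the script
# runs offline.  Per the post, 10.0.0.10 is the replica being installed; 10.0.0.8 is
# assumed here to be the master itself (the CA authenticating its own token).
ACCESS_LOG = """\
10.0.0.10 - - [09/Feb/2016:15:30:23 +0100] "GET /ca/rest/securityDomain/domainInfo HTTP/1.1" 404 317
10.0.0.10 - - [09/Feb/2016:15:30:23 +0100] "GET /ca/admin/ca/getDomainXML HTTP/1.1" 200 1593
10.0.0.10 - - [09/Feb/2016:15:30:23 +0100] "GET /ca/rest/account/login HTTP/1.1" 404 305
10.0.0.10 - - [09/Feb/2016:15:30:45 +0100] "POST /ca/admin/ca/getCertChain HTTP/1.0" 200 1410
10.0.0.10 - - [09/Feb/2016:15:30:46 +0100] "GET /ca/rest/account/login HTTP/1.1" 404 305
10.0.0.10 - - [09/Feb/2016:15:30:46 +0100] "POST /ca/admin/ca/getCookie HTTP/1.1" 200 4092
10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1593
10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/admin/ca/getCertChain HTTP/1.0" 200 1410
10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/admin/ca/updateNumberRange HTTP/1.0" 404 313
10.0.0.8 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154
10.0.0.10 - - [09/Feb/2016:15:30:48 +0100] "POST /ca/admin/ca/updateNumberRange HTTP/1.0" 404 313
10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/ee/ca/updateNumberRange HTTP/1.0" 200 163
10.0.0.8 - - [09/Feb/2016:15:30:48 +0100] "POST /ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154
10.0.0.10 - - [09/Feb/2016:15:30:48 +0100] "POST /ca/ee/ca/updateNumberRange HTTP/1.0" 200 163
10.0.0.10 - - [09/Feb/2016:15:30:49 +0100] "POST /ca/admin/ca/updateNumberRange HTTP/1.0" 404 313
10.0.0.8 - - [09/Feb/2016:15:30:49 +0100] "POST /ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154
10.0.0.10 - - [09/Feb/2016:15:30:49 +0100] "POST /ca/ee/ca/updateNumberRange HTTP/1.0" 200 157
10.0.0.8 - - [09/Feb/2016:15:30:50 +0100] "POST /ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154
10.0.0.10 - - [09/Feb/2016:15:30:50 +0100] "POST /ca/admin/ca/getConfigEntries HTTP/1.0" 200 13746
10.0.0.8 - - [09/Feb/2016:15:31:41 +0100] "POST /ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154
10.0.0.10 - - [09/Feb/2016:15:31:41 +0100] "POST /ca/ee/ca/profileSubmit HTTP/1.0" 200 1459
10.0.0.10 - - [09/Feb/2016:15:31:42 +0100] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1593
10.0.0.10 - - [09/Feb/2016:15:31:42 +0100] "POST /ca/admin/ca/updateDomainXML HTTP/1.0" 404 311
10.0.0.10 - - [09/Feb/2016:15:31:42 +0100] "POST /ca/agent/ca/updateDomainXML HTTP/1.0" 200 115
"""

# Common Log Format: client ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_log(text):
    """Parse every non-blank line; a line that is not in Common Log Format is an error."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if m is None:
            raise ValueError("unparseable access-log line: %r" % line)
        entry = m.groupdict()
        entry["status"] = int(entry["status"])
        entries.append(entry)
    return entries


def status_by_path(entries):
    """Map each request path to a Counter of the status codes it received."""
    by_path = {}
    for e in entries:
        by_path.setdefault(e["path"], Counter())[e["status"]] += 1
    return by_path


def never_served(entries):
    """Paths that were requested but only ever answered with 404."""
    return sorted(p for p, c in status_by_path(entries).items() if set(c) == {404})


def rest_api_absent(entries):
    """True if the caller tried the /ca/rest/ API and not one of those requests succeeded."""
    rest = [e for e in entries if e["path"].startswith("/ca/rest/")]
    return bool(rest) and all(e["status"] == 404 for e in rest)


def fallback_for(entries):
    """Heuristic (an assumption of this example, not documented installer behaviour):
    after a 404, a later 2xx request from the same client for a different path with
    the same final segment is taken to be the caller retrying on a legacy servlet.
    Returns {404 path: fallback path or None}, in first-seen order."""
    result = {}
    for i, e in enumerate(entries):
        if e["status"] != 404 or e["path"] in result:
            continue
        leaf = e["path"].rsplit("/", 1)[-1]
        result[e["path"]] = None
        for later in entries[i + 1:]:
            if (later["client"] == e["client"]
                    and later["path"] != e["path"]
                    and later["path"].rsplit("/", 1)[-1] == leaf
                    and 200 <= later["status"] < 300):
                result[e["path"]] = later["path"]
                break
    return result


ENTRIES = parse_log(ACCESS_LOG)

if __name__ == "__main__":
    n404 = sum(1 for e in ENTRIES if e["status"] == 404)
    print("requests: %d, of which 404: %d" % (len(ENTRIES), n404))
    print("no /ca/rest/ request ever succeeded:", rest_api_absent(ENTRIES))
    for path, fallback in fallback_for(ENTRIES).items():
        print("404 %-40s -> %s" % (path, fallback or "no fallback seen"))
```

Run as a script it lists the four paths that only ever returned 404. Read that way, the master's access log shows every request under /ca/rest/ failing while the installer carried on through the /ca/admin, /ca/ee and /ca/agent servlets, and the two admin-servlet 404s (updateNumberRange, updateDomainXML) were each followed by a 200 on an ee/agent equivalent; the last request logged, /ca/agent/ca/updateDomainXML, also returned 200. On this reading the master's HTTP access log does not show the request on which pkispawn gave up, which is consistent with the request above for the pki-tomcat debug log on the replica.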
</body>
</html>