<div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif">Hi, I desperately need your help/advice with our ipa update process. Briefly, we'd like to update our IPA 3.0 installation based on CentOS 6.7 to a newer version, and I read that the way of doing it is to create a new replica with a newer version of IPA server. Before writing this post, I browsed for similar issues (there are many of them with similar outcome) and tried to apply the suggested solutions but no luck. I also tried previous versions of Fedora (18 and 19) but again no luck. It seems I'm stuck and I don't know how to proceed :( Thank you in advance to anyhow who will take the time to read my message :) Let's start! Right now we have a single running on Centos 6.7, and we are planning to create a replica with Fedora 20 which has IPA 3.3 Here are the details of the master (CentOS 6.7, hostname ipaserver) [root@ipaserver ~]# uname -a Linux ipaserver.it.fx.lan 2.6.32-279.el6.x86_64 #1 SMP Fri Jun 22 12:19:21 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux [root@ipaserver ~]# rpm -qa|grep -E 'freeipa-server|pki-ca' ipa-pki-ca-theme-9.0.3-7.el6.noarch pki-ca-9.0.3-43.el6.noarch And here are the details of the replica (Fedoraa 20, hostname ipaserver-ha2) [root@ipaserver-ha2 ~]# uname -a Linux ipaserver-ha2.it.fx.lan 3.19.8-100.fc20.x86_64 #1 SMP Tue May 12 17:08:50 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux [root@ipaserver-ha2 ~]# rpm -qa|grep -E 'freeipa-server|pki-ca' pki-ca-10.1.2-7.fc20.noarch freeipa-server-3.3.5-1.fc20.x86_64 Here are the steps I made: Before starting the replica I updated the schema of the master with the copy-schema-to-ca.py script I prepared the replica certificates on the server ("ipa-replica-prepare ipaserver-ha2.it.fx.lan --ip-address 10.0.0.10") and transferred to the replica server on the same folder The I ran the replica install and here's the output: [root@ipaserver-ha2 ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders --no-ntp /var/lib/ipa/replica-info-ipaserver-ha2.it.fx.lan.gpg Directory Manager (existing master) password: Run connection check to master Check connection from replica to remote master 'ipaserver.it.fx.lan': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos KDC: TCP (88): OK Kerberos Kpasswd: TCP (464): OK HTTP Server: Unsecure port (80): OK HTTP Server: Secure port (443): OK PKI-CA: Directory Service port (7389): OK The following list of ports use UDP protocol and would need to be checked manually: Kerberos KDC: UDP (88): SKIPPED Kerberos Kpasswd: UDP (464): SKIPPED Connection from replica to master is OK. Start listening on required ports for remote master check Get credentials to log in to remote master admin@IT.FX.LAN password: Check SSH connection to remote master Execute check on remote master Check connection from master to remote replica 'ipaserver-ha2.it.fx.lan': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos KDC: TCP (88): OK Kerberos KDC: UDP (88): OK Kerberos Kpasswd: TCP (464): OK Kerberos Kpasswd: UDP (464): OK HTTP Server: Unsecure port (80): OK HTTP Server: Secure port (443): OK Connection from master to replica is OK. Connection check OK Configuring directory server (dirsrv): Estimated time 1 minute [1/34]: creating directory server user [2/34]: creating directory server instance [3/34]: adding default schema [4/34]: enabling memberof plugin [5/34]: enabling winsync plugin [6/34]: configuring replication version plugin [7/34]: enabling IPA enrollment plugin [8/34]: enabling ldapi [9/34]: configuring uniqueness plugin [10/34]: configuring uuid plugin [11/34]: configuring modrdn plugin [12/34]: configuring DNS plugin [13/34]: enabling entryUSN plugin [14/34]: configuring lockout plugin [15/34]: creating indices [16/34]: enabling referential integrity plugin [17/34]: configuring ssl for ds instance [18/34]: configuring certmap.conf [19/34]: configure autobind for root [20/34]: configure new location for managed entries [21/34]: configure dirsrv ccache [22/34]: enable SASL mapping fallback [23/34]: restarting directory server [24/34]: setting up initial replication Starting replication, please wait until this has completed. Update in progress, 3 seconds elapsed Update succeeded [25/34]: updating schema [26/34]: setting Auto Member configuration [27/34]: enabling S4U2Proxy delegation [28/34]: initializing group membership [29/34]: adding master entry [30/34]: configuring Posix uid/gid generation [31/34]: adding replication acis [32/34]: enabling compatibility plugin [33/34]: tuning directory server [34/34]: configuring directory to start on boot Done configuring directory server (dirsrv). Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds [1/19]: creating certificate server user [2/19]: configuring certificate server instance ipa : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpoqFGBW' returned non-zero exit status 1 Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. Configuration of CA failed Log files on the replica server are attached. On the master I extraced the access log of the http server: 10.0.0.10 - - [09/Feb/2016:15:30:23 +0100] "GET /ca/rest/securityDomain/domainInfo HTTP/1.1" 404 317 10.0.0.10 - - [09/Feb/2016:15:30:23 +0100] "GET /ca/admin/ca/getDomainXML HTTP/1.1" 200 1593 10.0.0.10 - - [09/Feb/2016:15:30:23 +0100] "GET /ca/rest/account/login HTTP/1.1" 404 305 10.0.0.10 - - [09/Feb/2016:15:30:45 +0100] "POST /ca/admin/ca/getCertChain HTTP/1.0" 200 1410 10.0.0.10 - - [09/Feb/2016:15:30:46 +0100] "GET /ca/rest/account/login HTTP/1.1" 404 305 10.0.0.10 - - [09/Feb/2016:15:30:46 +0100] "POST /ca/admin/ca/getCookie HTTP/1.1" 200 4092 10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1593 10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/admin/ca/getCertChain HTTP/1.0" 200 1410 10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/admin/ca/updateNumberRange HTTP/1.0" 404 313 10.0.0.8 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154 10.0.0.10 - - [09/Feb/2016:15:30:48 +0100] "POST /ca/admin/ca/updateNumberRange HTTP/1.0" 404 313 10.0.0.10 - - [09/Feb/2016:15:30:47 +0100] "POST /ca/ee/ca/updateNumberRange HTTP/1.0" 200 163 10.0.0.8 - - [09/Feb/2016:15:30:48 +0100] "POST /ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154 10.0.0.10 - - [09/Feb/2016:15:30:48 +0100] "POST /ca/ee/ca/updateNumberRange HTTP/1.0" 200 163 10.0.0.10 - - [09/Feb/2016:15:30:49 +0100] "POST /ca/admin/ca/updateNumberRange HTTP/1.0" 404 313 10.0.0.8 - - [09/Feb/2016:15:30:49 +0100] "POST /ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154 10.0.0.10 - - [09/Feb/2016:15:30:49 +0100] "POST /ca/ee/ca/updateNumberRange HTTP/1.0" 200 157 10.0.0.8 - - [09/Feb/2016:15:30:50 +0100] "POST /ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154 10.0.0.10 - - [09/Feb/2016:15:30:50 +0100] "POST /ca/admin/ca/getConfigEntries HTTP/1.0" 200 13746 10.0.0.8 - - [09/Feb/2016:15:31:41 +0100] "POST /ca/ee/ca/tokenAuthenticate HTTP/1.0" 200 154 10.0.0.10 - - [09/Feb/2016:15:31:41 +0100] "POST /ca/ee/ca/profileSubmit HTTP/1.0" 200 1459 10.0.0.10 - - [09/Feb/2016:15:31:42 +0100] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1593 10.0.0.10 - - [09/Feb/2016:15:31:42 +0100] "POST /ca/admin/ca/updateDomainXML HTTP/1.0" 404 311 10.0.0.10 - - [09/Feb/2016:15:31:42 +0100] "POST /ca/agent/ca/updateDomainXML HTTP/1.0" 200 115 </div> -- <div class="gmail_signature"><div dir="ltr">Giuseppe Calignano </div></div> </div>