On 09/05/2018 12:41 PM, Ilie Soltanici via FreeIPA-devel wrote:
Hi All,
I'm trying to install a replica for an already running ipa-server, but it fails.
The IPA main server is already running and properly configured. I'm trying to set up
the second server and replicate with the main server.
This is the command I'm using:
ipa-replica-install --principal admin --admin-password 'password' --setup-ca
--setup-dns --auto-forwarders --server ipa-server.domain.local --domain
domain.local
Everything is going well until this:
Done configuring kadmin.
Configuring directory server (dirsrv)
[1/3]: configuring TLS for DS instance
[error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR
Certificate issuance failed (CA_UNREACHABLE)
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for
more information
Hi,
A similar error was reported in this thread [1]. Can you check the
root's umask on the master? If it is too restrictive, the httpd server
is not able to read the CA file and establish a secure connection with
Dogtag. This is a known issue [2], the workaround is to modify the cert
file permissions:
chmod 644 /etc/ipa/ca.crt
chmod 440 /var/lib/ipa/ra-agent.{key|pem}
[1]
https://lists.fedorahosted.org/archives/list/freeipa-us...@lists.fedorahosted.org/thread/P2CRIDX5HAKSIF6WJYBID24LNW7ORYYA/
[2] https://pagure.io/freeipa/issue/7193
HTH,
flo
The getcert list command is getting this;
Number of certificates and requests being tracked: 1.
Request ID '20180905101554':
status: CA_UNREACHABLE
ca-error: Server at https://ipa-server2.domain.local/ipa/xml failed
request, will retry: -504 (libcurl failed to execute the HTTP POST transaction,
explaining: Failed connect to ipa-server2.domain.local:443; Connection
refused).
[ipa-server2] # netstat -lnp | grep 443 returns nothing.
The httpd server is running but listening on port 80 only.
[root@host user]# ipa --version
VERSION: 4.5.4, API_VERSION: 2.228
cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
How can I make the replica work?
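The permission workaround flo gives above, as an added example that is not part of the original thread or of FreeIPA's own tooling: a small POSIX shell check for the file modes named in the reply (644 on /etc/ipa/ca.crt, 440 on the ra-agent key and pem), plus a demonstration of how a restrictive root umask (077 here) produces files the httpd server cannot read until the chmod fix is applied. It assumes GNU stat (Linux, as on the CentOS 7 host in the thread), with a BSD stat fallback; the scratch directory and empty files it creates are constructed for the demo, not real IPA material.

```shell
#!/bin/sh
# Added example (not FreeIPA code): verify the certificate file modes from the
# workaround above and reproduce the restrictive-umask failure in a scratch tree.

# Expected octal modes, exactly as given in the workaround.
CA_CRT_MODE=644
RA_AGENT_MODE=440

# file_mode PATH: print the octal permission bits of PATH.
# GNU stat (Linux) first, BSD stat as a fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_mode PATH EXPECTED: return 0 when PATH exists with mode EXPECTED, 1 otherwise.
check_mode() {
    path=$1
    expected=$2
    if [ ! -e "$path" ]; then
        echo "missing: $path" >&2
        return 1
    fi
    actual=$(file_mode "$path")
    if [ "$actual" != "$expected" ]; then
        echo "wrong mode on $path: $actual (expected $expected)" >&2
        return 1
    fi
    return 0
}

# ipa_cert_perms_check [ROOT]: check the three files relative to ROOT (default: /).
# Returns 0 only if every file has the mode the workaround requires.
ipa_cert_perms_check() {
    root=${1:-}
    rc=0
    check_mode "$root/etc/ipa/ca.crt" "$CA_CRT_MODE" || rc=1
    check_mode "$root/var/lib/ipa/ra-agent.key" "$RA_AGENT_MODE" || rc=1
    check_mode "$root/var/lib/ipa/ra-agent.pem" "$RA_AGENT_MODE" || rc=1
    return $rc
}

# ipa_cert_perms_fix [ROOT]: apply the chmods from the workaround.
ipa_cert_perms_fix() {
    root=${1:-}
    chmod "$CA_CRT_MODE" "$root/etc/ipa/ca.crt"
    chmod "$RA_AGENT_MODE" "$root/var/lib/ipa/ra-agent.key" "$root/var/lib/ipa/ra-agent.pem"
}

# demo_restrictive_umask: reproduce the failure in a constructed scratch directory.
# Files created under umask 077 come out as 600, so the check fails; after the
# fix the check passes. Returns 0 when that sequence behaves as expected.
demo_restrictive_umask() {
    scratch=$(mktemp -d)
    mkdir -p "$scratch/etc/ipa" "$scratch/var/lib/ipa"
    (
        umask 077   # the "too restrictive" umask from the thread
        : > "$scratch/etc/ipa/ca.crt"
        : > "$scratch/var/lib/ipa/ra-agent.key"
        : > "$scratch/var/lib/ipa/ra-agent.pem"
    )
    if ipa_cert_perms_check "$scratch" 2>/dev/null; then
        echo "unexpected: files already had the expected modes" >&2
        rm -rf "$scratch"
        return 1
    fi
    ipa_cert_perms_fix "$scratch"
    if ipa_cert_perms_check "$scratch"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$scratch"
    return $rc
}

# Usage on a real master (run as root):  . ./ipa_cert_perms.sh; ipa_cert_perms_check || ipa_cert_perms_fix
```

Running `ipa_cert_perms_check` with no argument inspects the live paths on the master; `demo_restrictive_umask` never touches them and only shows why an installer run under a 077 umask leaves files httpd cannot open.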
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org