Ilie Soltanici via FreeIPA-devel wrote:
> Hi All,
> Trying to install a replica for an already running ipa-server but it fails.
> 
> IPA Main server is already running and properly configured. I'm trying to 
> setup the second server and replicate with the main server. 
> This is the command that I'm using:
> 
> ipa-replica-install --principal admin --admin-password 'password' --setup-ca 
> --setup-dns --auto-forwarders --server ipa-server.domain.local --domain 
> domain.local
> 
> Everything is going well until this:
> 
> Done configuring kadmin.
> Configuring directory server (dirsrv)
>   [1/3]: configuring TLS for DS instance
>   [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> 
> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    
> Certificate issuance failed (CA_UNREACHABLE)
> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    
> The ipa-replica-install command failed. See /var/log/ipareplica-install.log 
> for more information
> 
> The getcert list command is getting this;
> Number of certificates and requests being tracked: 1.
> Request ID '20180905101554':
>         status: CA_UNREACHABLE
>         ca-error: Server at https://ipa-server2.domain.local/ipa/xml failed 
> request, will retry: -504 (libcurl failed to execute the HTTP POST 
> transaction, explaining:  Failed connect to ipa-server2.domain.local:443; 
> Connection refused).
> 
> [ipa-server2] # netstat -lnp | grep 443 - is not getting anything back.
> 
> The httpd server is running, listening on port 80 only.
> 
> [root@host user]# ipa --version
> VERSION: 4.5.4, API_VERSION: 2.228
> 
> cat /etc/os-release
> NAME="CentOS Linux"
> VERSION="7 (Core)"
> 
> How can I make the replica work?

The error reported by certmonger is the initial failure. It will also
attempt to look up other masters using DNS SRV records to find another
master and then the values in cn=masters,cn=ipa,cn=etc,$SUFFIX to find
an API server to talk to.

I'd check your other master(s) to see if you can see a connection
request and what the resolution was.

rob
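
Added example (not part of the original thread, and not FreeIPA or certmonger code): a small shell helper that reads `getcert list` output and reports, for each request in CA_UNREACHABLE, which host and port the failed submission was aimed at, so you know which server's logs and listeners to check. The function name and the second sample request are made up for illustration; the first sample request is the one posted above with its wrapped ca-error line rejoined.

```shell
#!/bin/sh
# Added example: summarize certmonger requests stuck in CA_UNREACHABLE.

# Reads `getcert list` output on stdin and prints "<request-id> <host> <port>"
# for every request whose status is CA_UNREACHABLE.
unreachable_requests() {
    awk -v q="'" '
        /^Request ID / {
            id = $3
            gsub(q, "", id)          # drop the quotes around the ID
            sub(/:$/, "", id)        # drop the trailing colon
            status = ""              # new request: forget the previous status
        }
        $1 == "status:" { status = $2 }
        $1 == "ca-error:" && status == "CA_UNREACHABLE" {
            # The first URL in the error text is the endpoint that was tried.
            if (match($0, "https?://[^/ ]+")) {
                url = substr($0, RSTART, RLENGTH)
                port = (url ~ /^https:/) ? 443 : 80   # default port per scheme
                sub("^https?://", "", url)
                n = split(url, hp, ":")
                if (n == 2) port = hp[2]              # explicit port in the URL
                print id, hp[1], port
            }
        }
    '
}

# Constructed sample input: the request from the thread plus one healthy,
# invented request to show that only failing requests are reported.
SAMPLE=$(cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20180905101554':
        status: CA_UNREACHABLE
        ca-error: Server at https://ipa-server2.domain.local/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining:  Failed connect to ipa-server2.domain.local:443; Connection refused).
Request ID '20180905101600':
        status: MONITORING
EOF
)

printf '%s\n' "$SAMPLE" | unreachable_requests
```

On a live host, run `getcert list | unreachable_requests`. For the posted output the endpoint is port 443 on ipa-server2 itself, the same port the netstat check shows no listener on.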