David Hendén via FreeIPA-users wrote:
> Hi all,
> 
> I'm trying to set up a replica from RHEL6.9 FreeIPA 3.0.0 to RHEL7.3 RHEL 
> 4.4.0.
> 
> What I'm trying to achieve is an isolated FreeIPA 4.4 server that we could 
> replace the original FreeIPA 3.0 infrastructure with. The way I'm doing this 
> is:
> 
>  1) prepare replica file on production ipa01 and copy to ipasync
>  2) install replica with CA on ipasync and then remove all connections to 
> ipa01, ipa02 and ipa03 (which is the entire production infrastructure)
>  3) Upgrade schema on ipasync and upgrade to RHEL 6.9 (from RHEL 6.7)
>  4) Prepare replica file on ipasync and copy to ipa01 (a new clean 
> installation in test that should later replace ipa01 in prod)
>  5) install replica with CA on ipa01 and then remove all connections to 
> ipasync
> 
> * Right now I'm failing at the create CA phase in step 5 with:
> 
>   [2/27]: configuring certificate server instance
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA 
> instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpDsKVFr' returned 
> non-zero exit status 1
> 
> * I can see that it fails on the subsystem Clone URI in 
> /var/log/ipareplica-install.log
> 
> Installation failed:
> com.netscape.certsrv.base.BadRequestException: Clone URI does not match 
> available subsystems: https://ipasync.xxx.com:443
> Please check the CA logs in /var/log/pki/pki-tomcat/ca.
> 2017-07-11T15:24:52Z DEBUG stderr=pkispawn    : WARNING  ....... unable to 
> validate security domain user/password through REST interface. Interface not 
> available
> 
> * To get more details I check the debug log for tomcat and find that it still 
> tries to match against the old infrastructure and not the ipasync server:
> 
> # cat /var/log/pki/pki-tomcat/ca/debug
> ...
> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: len is 3
> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: hostname: <ipa01.xxx.com>
> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: admin_port: <443>
> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: hostname: <ipa02.xxx.com>
> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: admin_port: <443>
> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: hostname: <ipa03.xxx.com>
> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: admin_port: <443>
> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: === Subsystem Configuration ===
> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: SystemConfigService: validate 
> clone URI: https://ipasync.xxx.com:443
> [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: Clone URI does not match 
> available subsystems: https://ipasync.xxx.com:443
> 
> * I validate this by checking the calist in getDomainXML:
> 
> # wget --no-check-certificate 
> https://ipasync.xxx.com:443/ca/admin/ca/getDomainXML
> # cat getDomainXML | xmllint --format -
> ...
>   <CAList>
>     <CA>
>       <DomainManager>TRUE</DomainManager>
>       <SubsystemName>pki-cad</SubsystemName>
>       <Clone>FALSE</Clone>
>       <UnSecurePort>80</UnSecurePort>
>       <SecureEEClientAuthPort>443</SecureEEClientAuthPort>
>       <SecureAdminPort>443</SecureAdminPort>
>       <SecureAgentPort>443</SecureAgentPort>
>       <SecurePort>443</SecurePort>
>       <Host>ipa01.xxx.com</Host>
>     </CA>
>     <CA>
>       <SubsystemName>pki-cad</SubsystemName>
>       <Clone>TRUE</Clone>
>       <DomainManager>TRUE</DomainManager>
>       <SecureEEClientAuthPort>443</SecureEEClientAuthPort>
>       <UnSecurePort>80</UnSecurePort>
>       <SecureAdminPort>443</SecureAdminPort>
>       <SecureAgentPort>443</SecureAgentPort>
>       <SecurePort>443</SecurePort>
>       <Host>ipa02.xxx.com</Host>
>     </CA>
>     <CA>
>       <SubsystemName>pki-cad</SubsystemName>
>       <Clone>TRUE</Clone>
>       <DomainManager>TRUE</DomainManager>
>       <SecureEEClientAuthPort>443</SecureEEClientAuthPort>
>       <UnSecurePort>80</UnSecurePort>
>       <SecureAdminPort>443</SecureAdminPort>
>       <SecureAgentPort>443</SecureAgentPort>
>       <SecurePort>443</SecurePort>
>       <Host>ipa03.xxx.com</Host>
>     </CA>
>     <SubsystemCount>3</SubsystemCount>
>   </CAList>
> ...
> 
> Why does it still have the old ipa servers and why is ipasync not included? 
> Am I doing something wrong here, for example do I need to manually add 
> ipasync to the pki-cad list of CAs?

I don't believe uninstalling an IPA master will update this list, as it
is maintained by dogtag, and other than removing the replication
agreements I'm not aware of any other notification that a server is
going away.

Endi, do you know what needs to happen here?

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
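The getDomainXML check David runs by hand above can be scripted so that the security domain's CA registry is compared against the topology you actually expect, and so that the clone-URI comparison the Dogtag debug log shows (hostname against SecureAdminPort per registered CA) can be reproduced offline before another pkispawn attempt. The following is an added example, not code from the thread or from the FreeIPA or Dogtag projects. The CAList fragment is taken from the post; the XMLResponse/DomainInfo wrapper around it, the host names and the matching rule (host plus admin port, case-insensitive host) are assumptions.

```python
"""Audit a Dogtag security domain CA list against the expected IPA topology.

Added example (not from the original thread). Parses the XML that
/ca/admin/ca/getDomainXML returns and reports which CA hosts Dogtag still
knows about, which of them are stale, and which expected hosts are missing.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample shaped like the fragment quoted in the post. Only the
# CAList content comes from the post; the outer elements are assumed.
SAMPLE_DOMAIN_XML = """<?xml version="1.0" encoding="UTF-8"?>
<XMLResponse>
  <DomainInfo>
    <CAList>
      <CA><Host>ipa01.xxx.com</Host><SecureAdminPort>443</SecureAdminPort>
          <SubsystemName>pki-cad</SubsystemName>
          <Clone>FALSE</Clone><DomainManager>TRUE</DomainManager></CA>
      <CA><Host>ipa02.xxx.com</Host><SecureAdminPort>443</SecureAdminPort>
          <SubsystemName>pki-cad</SubsystemName>
          <Clone>TRUE</Clone><DomainManager>TRUE</DomainManager></CA>
      <CA><Host>ipa03.xxx.com</Host><SecureAdminPort>443</SecureAdminPort>
          <SubsystemName>pki-cad</SubsystemName>
          <Clone>TRUE</Clone><DomainManager>TRUE</DomainManager></CA>
      <SubsystemCount>3</SubsystemCount>
    </CAList>
  </DomainInfo>
</XMLResponse>
"""


@dataclass(frozen=True)
class CAEntry:
    host: str
    admin_port: int
    clone: bool
    domain_manager: bool


def _flag(ca: ET.Element, tag: str) -> bool:
    return ca.findtext(tag, "FALSE").strip().upper() == "TRUE"


def parse_ca_list(xml_text: str) -> list[CAEntry]:
    """Return every <CA> element found in the document, in document order."""
    root = ET.fromstring(xml_text)
    return [
        CAEntry(
            host=ca.findtext("Host", "").strip(),
            admin_port=int(ca.findtext("SecureAdminPort", "443")),
            clone=_flag(ca, "Clone"),
            domain_manager=_flag(ca, "DomainManager"),
        )
        for ca in root.iter("CA")
    ]


def clone_uri_matches(xml_text: str, clone_uri: str) -> bool:
    """Assumed model of the validation in the post's debug log: the clone
    URI's host and port must equal a registered CA's Host / SecureAdminPort.
    A URI without an explicit port is treated as port 443."""
    parsed = urlparse(clone_uri)
    host = (parsed.hostname or "").lower()
    port = parsed.port or 443
    return any(e.host.lower() == host and e.admin_port == port
               for e in parse_ca_list(xml_text))


def audit_security_domain(xml_text: str, expected_hosts) -> dict[str, list[str]]:
    """Compare the registry with the hosts that should be in it.

    'stale' are registered hosts no longer in the expected topology (left
    behind after a master was removed); 'missing' are expected hosts that
    Dogtag does not know, so they cannot be used as a clone source.
    """
    registered = [e.host for e in parse_ca_list(xml_text)]
    registered_lc = {h.lower() for h in registered}
    expected = {h.lower() for h in expected_hosts}
    return {
        "registered": registered,
        "stale": [h for h in registered if h.lower() not in expected],
        "missing": sorted(h for h in expected if h not in registered_lc),
    }


def main() -> None:
    # The situation in the post: only ipasync should remain, yet the
    # registry still lists the three production masters.
    report = audit_security_domain(SAMPLE_DOMAIN_XML, ["ipasync.xxx.com"])
    for key in ("registered", "stale", "missing"):
        print(f"{key:10s}: {', '.join(report[key]) or '-'}")
    uri = "https://ipasync.xxx.com:443"
    verdict = "accepted" if clone_uri_matches(SAMPLE_DOMAIN_XML, uri) else "rejected"
    print(f"clone URI {uri}: {verdict}")


if __name__ == "__main__":
    main()
```

To run it against a live server, fetch the document the way the post does (wget or curl against https://<domain master>/ca/admin/ca/getDomainXML) and pass the text to audit_security_domain together with the output of ipa-replica-manage list; prefer pointing the fetch at the IPA CA certificate rather than disabling certificate checking, since the same diagnostic then also confirms the CA chain on the new host is correct.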
