----- Original Message -----
> David Hendén via FreeIPA-users wrote:
> > Hi all,
> > 
> > I'm trying to set up a replica from RHEL6.9 FreeIPA 3.0.0 to RHEL7.3 RHEL
> > 4.4.0.
> > 
> > What I'm trying to achieve is an isolated FreeIPA 4.4 server that we could
> > replace the original FreeIPA 3.0 infrastructure with. The way I'm doing
> > this is:
> > 
> >  1) prepare replica file on production ipa01 and copy to ipasync
> >  2) install replica with CA on ipasync and then remove all connections to
> >  ipa01, ipa02 and ipa03 (which is the entire production infrastructure)
> >  3) Upgrade schema on ipasync and upgrade to RHEL 6.9 (from RHEL 6.7)
> >  4) Prepare replica file on ipasync and copy to ipa01 (a new clean
> >  installation in test that should later replace ipa01 in prod)
> >  5) install replica with CA on ipa01 and then remove all connections to
> >  ipasync
> > 
> > * Right now I'm failing at the create CA phase in step 5 with:
> > 
> >   [2/27]: configuring certificate server instance
> > ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure
> > CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpDsKVFr' returned
> > non-zero exit status 1
> > 
> > * I can see that it fails on the subsystem Clone URI in
> > /var/log/ipareplica-install.log
> > 
> > Installation failed:
> > com.netscape.certsrv.base.BadRequestException: Clone URI does not match
> > available subsystems: https://ipasync.xxx.com:443
> > Please check the CA logs in /var/log/pki/pki-tomcat/ca.
> > 2017-07-11T15:24:52Z DEBUG stderr=pkispawn    : WARNING  ....... unable to
> > validate security domain user/password through REST interface. Interface
> > not available
> > 
> > * To get more details I check the debug log for tomcat and find that it
> > still tries to match against the old infrastructure and not the ipasync
> > server:
> > 
> > # cat /var/log/pki/pki-tomcat/ca/debug
> > ...
> > [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: len is 3
> > [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: hostname: <ipa01.xxx.com>
> > [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: admin_port: <443>
> > [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: hostname: <ipa02.xxx.com>
> > [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: admin_port: <443>
> > [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: hostname: <ipa03.xxx.com>
> > [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: admin_port: <443>
> > [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: === Subsystem Configuration
> > ===
> > [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: SystemConfigService: validate
> > clone URI: https://ipasync.xxx.com:443
> > [11/Jul/2017:17:24:52][http-bio-8443-exec-3]: Clone URI does not match
> > available subsystems: https://ipasync.xxx.com:443
> > 
> > * I validate this by checking the calist in getDomainXML:
> > 
> > # wget --no-check-certificate
> > https://ipasync.xxx.com:443/ca/admin/ca/getDomainXML
> > # cat getDomainXML | xmllint --format -
> > ...
> >   <CAList>
> >     <CA>
> >       <DomainManager>TRUE</DomainManager>
> >       <SubsystemName>pki-cad</SubsystemName>
> >       <Clone>FALSE</Clone>
> >       <UnSecurePort>80</UnSecurePort>
> >       <SecureEEClientAuthPort>443</SecureEEClientAuthPort>
> >       <SecureAdminPort>443</SecureAdminPort>
> >       <SecureAgentPort>443</SecureAgentPort>
> >       <SecurePort>443</SecurePort>
> >       <Host>ipa01.xxx.com</Host>
> >     </CA>
> >     <CA>
> >       <SubsystemName>pki-cad</SubsystemName>
> >       <Clone>TRUE</Clone>
> >       <DomainManager>TRUE</DomainManager>
> >       <SecureEEClientAuthPort>443</SecureEEClientAuthPort>
> >       <UnSecurePort>80</UnSecurePort>
> >       <SecureAdminPort>443</SecureAdminPort>
> >       <SecureAgentPort>443</SecureAgentPort>
> >       <SecurePort>443</SecurePort>
> >       <Host>ipa02.xxx.com</Host>
> >     </CA>
> >     <CA>
> >       <SubsystemName>pki-cad</SubsystemName>
> >       <Clone>TRUE</Clone>
> >       <DomainManager>TRUE</DomainManager>
> >       <SecureEEClientAuthPort>443</SecureEEClientAuthPort>
> >       <UnSecurePort>80</UnSecurePort>
> >       <SecureAdminPort>443</SecureAdminPort>
> >       <SecureAgentPort>443</SecureAgentPort>
> >       <SecurePort>443</SecurePort>
> >       <Host>ipa03.xxx.com</Host>
> >     </CA>
> >     <SubsystemCount>3</SubsystemCount>
> >   </CAList>
> > ...
> > 
> > Why does it still have the old IPA servers, and why is ipasync not included?
> > Am I doing something wrong here, for example do I need to manually add
> > ipasync to the pki-cad list of CAs?
> 
> I don't believe uninstalling an IPA master will update this list as it
> is maintained by dogtag and other than removing the replication
> agreements I'm not aware of any other notification that a server is
> going away.
> 
> Endi, do you know what needs to happen here?
> 
> rob

Sorry, I'm not that familiar with this area.

Ade, could you take a look? Thanks.

--
Endi S. Dewata
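The check David carried out by hand above (fetch getDomainXML, read the CAList, see whether the clone URI's host is listed) is worth scripting before any replica-with-CA install, since the installer's "Clone URI does not match available subsystems" error is exactly this comparison failing. The block below is an added example, not code from the thread or from FreeIPA/Dogtag: it embeds a constructed copy of the CAList quoted above (the outer DomainInfo element name is an assumption), parses it, mimics the host-and-admin-port match the pki-tomcat debug log shows, and lists entries that belong to hosts no longer in the deployment. It works on text you pass in, so fetching the real document with the wget command from the thread is left to the reader.

```python
"""Check whether a Dogtag security domain's CAList knows about a clone URI.

Added example, not code from the thread. Given the text of getDomainXML,
it reports which CA hosts the domain lists, whether the host named in a
clone URI is among them, and which listed hosts are stale.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the CAList quoted in the thread, trimmed to the
# elements this check uses. The <DomainInfo> root name is an assumption;
# only the <CAList> and its <CA> children matter here.
SAMPLE_DOMAIN_XML = """<?xml version="1.0"?>
<DomainInfo>
  <CAList>
    <CA>
      <DomainManager>TRUE</DomainManager>
      <SubsystemName>pki-cad</SubsystemName>
      <Clone>FALSE</Clone>
      <SecureAdminPort>443</SecureAdminPort>
      <Host>ipa01.xxx.com</Host>
    </CA>
    <CA>
      <SubsystemName>pki-cad</SubsystemName>
      <Clone>TRUE</Clone>
      <DomainManager>TRUE</DomainManager>
      <SecureAdminPort>443</SecureAdminPort>
      <Host>ipa02.xxx.com</Host>
    </CA>
    <CA>
      <SubsystemName>pki-cad</SubsystemName>
      <Clone>TRUE</Clone>
      <DomainManager>TRUE</DomainManager>
      <SecureAdminPort>443</SecureAdminPort>
      <Host>ipa03.xxx.com</Host>
    </CA>
    <SubsystemCount>3</SubsystemCount>
  </CAList>
</DomainInfo>
"""


def parse_ca_list(domain_xml):
    """Return one dict per <CA> entry: host, admin port, clone/manager flags."""
    root = ET.fromstring(domain_xml)
    entries = []
    for ca in root.iter("CA"):
        entries.append({
            "host": (ca.findtext("Host") or "").strip(),
            "admin_port": int(ca.findtext("SecureAdminPort") or 0),
            "clone": (ca.findtext("Clone") or "").strip().upper() == "TRUE",
            "domain_manager": (ca.findtext("DomainManager") or "").strip().upper() == "TRUE",
        })
    return entries


def check_clone_uri(domain_xml, clone_uri):
    """Mimic the validation seen in the pki-tomcat debug log: the clone URI's
    host and admin port must match a listed CA. Returns (matched, hosts)."""
    parts = urlsplit(clone_uri)
    host = parts.hostname
    port = parts.port or (443 if parts.scheme == "https" else 80)
    entries = parse_ca_list(domain_xml)
    matched = any(e["host"] == host and e["admin_port"] == port for e in entries)
    return matched, [e["host"] for e in entries]


def stale_hosts(domain_xml, live_hosts):
    """Listed CA hosts that are no longer part of the deployment."""
    live = set(live_hosts)
    return [e["host"] for e in parse_ca_list(domain_xml) if e["host"] not in live]


if __name__ == "__main__":
    ok, hosts = check_clone_uri(SAMPLE_DOMAIN_XML, "https://ipasync.xxx.com:443")
    print("CAList hosts:", hosts)
    print("clone URI matches a listed CA:", ok)
    print("stale entries if only ipasync is live:",
          stale_hosts(SAMPLE_DOMAIN_XML, ["ipasync.xxx.com"]))
```

Run against the sample, the clone URI for ipasync does not match (the list only knows ipa01, ipa02 and ipa03), which reproduces the installer failure; the stale-host list is the set of entries left behind by the decommissioned masters. Running the same check against the live getDomainXML of the server you intend to clone from tells you before pkispawn runs whether the security domain was ever updated.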
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org