Prior to my employment, one of our engineers set up an IPA server to
replace the horrific OpenLDAP server. One of my first tasks was to build
a second IPA server and set up replication. Initially, the replication
setup was smooth and simple. (I used this:
https://www.howtoforge.com/installing-freeipa-with-replication for
getting the replica up.)
However, as we were starting to consider how best to deploy it to our
remote servers, and while digging through the GUI, I got this pop-up when
looking at the Topology page:
It is strongly recommended to keep the CA services installed on more
than one server.
As this replica needs to be a full 'replica' of the primary, I went
about trying to install the CA role on the second server, which I'll
call IPA1 and the master IPA0. The RH documentation says to 'Run
ipa-replica-install with the --setup-ca option.' Of course, the
documentation doesn't explicitly say whether that needs to be done on
the initial creation of the replica, or if it can be done after the
replica was created. (IOW, it just adds the CA services role and pulls
from IPA0 the CA stuff it needs.)
Unfortunately, that failed and I ended up uninstalling the replica with
'ipa-server-install --uninstall' after removing the replica from IPA0.
After a reboot (just in case), I built a new replica GPG file on IPA0,
copied it over to IPA1 and ran this:
ipa-replica-install replica-info-ipa1.neonova.net.gpg --setup-ca
That also failed with the exact same error as the failure from trying to
install just the CA role on the existing replica. This is the error I get:
[2/27]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpYC8gIz' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(Replica): ERROR CA configuration failed.
ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Also, in the pki-tomcat/ca/debug log I get this:
Failed to contact master using admin port
javax.ws.rs.InternalServerErrorException: HTTP 500 Internal Server Error
issuer: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
javax.ws.rs.NotFoundException: HTTP 404 Not Found
We have a signed Wildcard Cert from GoDaddy on IPA0, but I can't tell
why this even needs to contact the Cert CA for any reason.
BTW, I had this wildcard cert setup for the IPA web interface only prior
to blowing this thing to pieces over partial documentation and God knows
what else isn't spelled out that I missed.
Any ideas?
--
Mark Haney
Network Engineer at NeoNova
919-460-3330 option 1
mark.ha...@neonova.net
www.neonova.net
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
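The following is an added triage helper for the kind of failure described in the post above; it is not FreeIPA code and not the poster's own. It only parses text, so it runs offline against constructed samples that reproduce the ipa-replica-install output and the pki-tomcat/ca/debug lines quoted in the post (the wrapped records are joined back onto single lines). It pulls out the pkispawn exit status, the log directory the installer points at, the HTTP status codes the new CA saw while contacting the master, and whether the certificate the master presented was issued by FreeIPA's own CA (whose default subject is "CN=Certificate Authority,O=<REALM>") or by a third party. The issuer classification is a hint for where to look next, not a diagnosis: the thread does not establish the root cause.

```shell
#!/bin/sh
# Added example: triage a failed `ipa-replica-install --setup-ca` from its logs.
# Not FreeIPA code. Runs against the constructed samples below, which copy
# the lines quoted in the mailing-list post.

# Constructed sample: installer output from the post, one record per line.
INSTALL_LOG=$(cat <<'EOF'
[2/27]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpYC8gIz' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
EOF
)

# Constructed sample: /var/log/pki/pki-tomcat/ca/debug lines from the post.
DEBUG_LOG=$(cat <<'EOF'
Failed to contact master using admin port
javax.ws.rs.InternalServerErrorException: HTTP 500 Internal Server Error
issuer: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
javax.ws.rs.NotFoundException: HTTP 404 Not Found
EOF
)

# Exit status reported for the pkispawn command, or empty if none is logged.
pkispawn_exit_status() {
    printf '%s\n' "$1" | sed -n 's/.*returned non-zero exit status \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Log directory the installer tells you to read, or empty.
pki_log_dir() {
    printf '%s\n' "$1" | sed -n 's/.*CRITICAL \(\/var\/log\/pki[^ ]*\).*/\1/p' | head -n 1
}

# Distinct HTTP status codes the CA subsystem got from the master,
# ascending and space-separated (e.g. "404 500"); empty if none.
http_status_codes() {
    printf '%s\n' "$1" | grep -o 'HTTP [0-9][0-9][0-9]' | awk '{ print $2 }' | sort -u | paste -sd ' ' -
}

# Issuer DN of the certificate the master presented, as logged by the CA.
master_cert_issuer() {
    printf '%s\n' "$1" | sed -n 's/^issuer: //p' | head -n 1
}

# "ipa-ca" when the issuer matches FreeIPA's default CA subject
# ("CN=Certificate Authority,O=<REALM>"), otherwise "third-party".
# A third-party issuer on the CA admin port is only a hint to check which
# certificate that port serves; it does not by itself prove the cause.
classify_issuer() {
    case "$1" in
        "CN=Certificate Authority,O="*) echo ipa-ca ;;
        *) echo third-party ;;
    esac
}

# One-line summary suitable for a ticket or runbook entry.
triage() {
    status=$(pkispawn_exit_status "$1")
    dir=$(pki_log_dir "$1")
    codes=$(http_status_codes "$2")
    issuer=$(master_cert_issuer "$2")
    kind=$(classify_issuer "$issuer")
    echo "pkispawn exit=${status:-none} log_dir=${dir:-none} master_http=[${codes:-none}] master_cert_issuer=${kind}"
}

triage "$INSTALL_LOG" "$DEBUG_LOG"
```

Run it as-is to see the summary for the constructed samples; to use it on a real host, replace the two samples with `cat /var/log/ipareplica-install.log` and `cat /var/log/pki/pki-tomcat/ca/debug` output. The functions are kept separate so each field can be checked on its own.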