On Mon, Jul 24, 2017 at 10:44:24AM -0400, Mark Haney via FreeIPA-users wrote:
> Prior to my employment, one of our engineers set up an IPA server to
> replace the horrific OpenLDAP server. One of my first tasks was to build
> a second IPA server and set up replication. Initially, the replication
> setup was smooth and simple. (I used this:
> https://www.howtoforge.com/installing-freeipa-with-replication for
> getting the replica up.)
>
> However, as we were starting to consider how best to deploy it to our
> remote servers, and digging through the GUI, I got this pop-up when
> looking at the Topology page:
>
> It is strongly recommended to keep the CA services installed on more
> than one server.
>
> As this replica needs to be a full 'replica' of the primary, I went
> about trying to install the CA role on the second server, which I'll
> call IPA1, and the master IPA0. The RH documentation says to 'Run
> ipa-replica-install with the --setup-ca option.' Of course, the
> documentation doesn't explicitly say whether that needs to be done on
> the initial creation of the replica, or if it can be done after the
> replica was created. (IOW, it just adds the CA services role and pulls
> from IPA0 the CA stuff it needs.)
>
> Unfortunately, that failed and I ended up uninstalling the replica with
> 'ipa-server-install --uninstall' after removing the replica from IPA0.
> After a reboot (just in case), I built a new replica GPG file on IPA0,
> copied it over to IPA1 and ran this:
>
> ipa-replica-install replica-info-ipa1.neonova.net.gpg --setup-ca
>
> That also failed with the exact same error as the failure from trying
> to install just the CA role on the existing replica.
> This is the error I get:
>
> [2/27]: configuring certificate server instance
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpYC8gIz' returned non-zero exit status 1
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
> [error] RuntimeError: CA configuration failed.
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> ipa.ipapython.install.cli.install_tool(Replica): ERROR CA configuration failed.
> ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>
> Also, in the pki-tomcat/ca/debug log I get this:
>
> Failed to contact master using admin portjavax.ws.rs.InternalServerErrorException: HTTP 500 Internal Server Error
>
> issuer: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
> javax.ws.rs.NotFoundException: HTTP 404 Not Found
>
> We have a signed Wildcard Cert from GoDaddy on IPA0, but I can't tell
> why this even needs to contact the Cert CA for any reason.
>
> BTW, I had this wildcard cert set up for the IPA web interface only
> prior to blowing this thing to pieces over partial documentation and
> God knows what else isn't spelled out that I missed.
>
> Any ideas?
>
Did you create a fresh replica file via `ipa-replica-prepare' after
installing the wildcard cert? I would do that just in case.
Could you provide more of the /var/log/pki/pki-tomcat/ca/debug log file
(ideally the whole thing)?

Also to clarify: ``ipa-replica-install --setup-ca'' installs a new
replica including the CA role. To install the CA role on an existing
replica use the ``ipa-ca-install'' command.

Cheers,
Fraser
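As an added example (not code from this thread or from the FreeIPA project), a small POSIX shell helper that picks between the two commands Fraser distinguishes based on a host's state, and triages a pki-tomcat ca/debug log for the "Failed to contact master using admin port" error Mark quoted by reporting which issuer signed the certificate the master presented. The log text is constructed from the lines quoted above, the replica file name is the one from the thread, and it is assumed that a default FreeIPA CA subject begins with `CN=Certificate Authority,O=`.

```shell
#!/bin/sh
# Added example, not code from the thread or the FreeIPA project.
# Assumptions: a default FreeIPA CA subject starts "CN=Certificate Authority,O=";
# the replica file name and log text below are constructed sample values.

# Which command adds the CA role, given whether this host is already an enrolled
# replica ("yes"/"no") and whether it already serves the CA role ("yes"/"no").
choose_ca_command() {
  replica_installed="$1"; ca_installed="$2"; replica_file="$3"
  if [ "$ca_installed" = yes ]; then
    echo "nothing: CA role already present"
  elif [ "$replica_installed" = yes ]; then
    echo "ipa-ca-install"                               # add CA to an existing replica
  else
    echo "ipa-replica-install $replica_file --setup-ca"  # fresh replica with CA
  fi
}

# Read a pki-tomcat ca/debug log on stdin. If it records the "Failed to contact
# master using admin port" error, report the issuer of the first certificate it
# logged: an issuer other than the IPA CA means the master answered on the CA
# port with a certificate the replica does not expect, which is worth reviewing.
triage_pki_debug() {
  log=$(cat)
  if printf '%s\n' "$log" | grep -q 'Failed to contact master using admin port'; then
    issuer=$(printf '%s\n' "$log" | grep '^[[:space:]]*issuer:' | head -n 1 \
               | sed 's/^[[:space:]]*issuer:[[:space:]]*//')
    case "$issuer" in
      'CN=Certificate Authority,O='*) echo "master-unreachable: issuer=$issuer" ;;
      '')                             echo "master-unreachable: issuer unknown" ;;
      *)                              echo "review-cert-on-ca-port: issuer=$issuer" ;;
    esac
  else
    echo "no-known-failure"
  fi
}

# Constructed sample: the three debug-log lines quoted in the thread.
SAMPLE_DEBUG_LOG='Failed to contact master using admin portjavax.ws.rs.InternalServerErrorException: HTTP 500 Internal Server Error
issuer: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
javax.ws.rs.NotFoundException: HTTP 404 Not Found'

# Constructed sample: same error, but the master presented its IPA CA certificate.
SAMPLE_IPA_LOG='Failed to contact master using admin port
issuer: CN=Certificate Authority,O=EXAMPLE.TEST'

choose_ca_command yes no replica-info-ipa1.neonova.net.gpg
printf '%s\n' "$SAMPLE_DEBUG_LOG" | triage_pki_debug
```

Run it against the real file with `triage_pki_debug < /var/log/pki/pki-tomcat/ca/debug` on the replica; a `review-cert-on-ca-port` result is a flag to check what the master serves on its CA port, not a diagnosis on its own.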