On Mon, Jul 24, 2017 at 10:44:24AM -0400, Mark Haney via FreeIPA-users wrote:
> Prior to my employment, one of our engineers setup an IPA server to replace
> the horrific OpenLDAP server. One of my first tasks was to build a second
> IPA server and setup replication.  Initially, the replication setup was
> smooth and simple.  (I used this:
> https://www.howtoforge.com/installing-freeipa-with-replication for getting
> replica up.)
> However, as we were starting to consider how best to deploy it to our remote
> servers, and digging through the GUI I got this pop-up when looking at the
> Topology page:
> It is strongly recommended to keep the CA services installed on more than
> one server.
> As this replica needs to be a full 'replica' of the primary, I went about
> trying to install the CA role on the second server, which I'll call IPA1 and
> the master IPA0.  The RH documentation says to 'Run ipa-replica-install with
> the --setup-ca option.' Of course, the documentation doesn't explicitly say
> whether that needs to be done on the initial creation of the replica, or if
> it can be done after the replica was created.  (IOW, it just adds the CA
> services role and pulls from IPA0 the CA stuff it needs.)
> Unfortunately, that failed and I ended up uninstalling the replica with
> 'ipa-server-install --uninstall' after removing the replica from IPA0.
> After a reboot (just in case), I built a new replica GPG file on IPA0,
> copied it over to IPA1 and ran this:
> ipa-replica-install replica-info-ipa1.neonova.net.gpg --setup-ca
> That also failed with the exact same error as the failure from trying to
> install just the CA role on the existing replica. This is the error I get:
>  [2/27]: configuring certificate server instance
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA
> instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpYC8gIz' returned
> non-zero exit status 1
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation
> logs and the following files/directories for more information:
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
> /var/log/pki/pki-tomcat
>   [error] RuntimeError: CA configuration failed.
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> ipa.ipapython.install.cli.install_tool(Replica): ERROR    CA configuration
> failed.
> ipa.ipapython.install.cli.install_tool(Replica): ERROR    The
> ipa-replica-install command failed. See /var/log/ipareplica-install.log for
> more information
> Also, in the pki-tomcat/ca/debug log I get this:
> Failed to contact master using admin
> portjavax.ws.rs.InternalServerErrorException: HTTP 500 Internal Server Error
> issuer: CN=Go Daddy Secure Certificate Authority -
> G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com,
> Inc.",L=Scottsdale,ST=Arizona,C=US
> javax.ws.rs.NotFoundException: HTTP 404 Not Found
> We have a signed Wildcard Cert from GoDaddy on IPA0, but I can't tell why
> this even needs to contact the Cert CA for any reason.
> BTW, I had this wildcard cert setup for the IPA web interface only prior to
> blowing this thing to pieces over partial documentation and God knows what
> else isn't spelled out that I missed.
> Any ideas?
Did you create a fresh replica file via `ipa-replica-prepare' after
installing the wildcard cert?  I would do that just in case.

Could you provide more of the /var/log/pki/pki-tomcat/ca/debug log
file (ideally the whole thing)?

Also to clarify: ``ipa-replica-install --setup-ca'' installs a new
replica including the CA role.  To install the CA role on an
existing replica use the ``ipa-ca-install'' command.

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to