Unfortunately I rolled it back to the snapshot I made prior to the
installation.  I can say I did try the 'ipa-ca-install' command and it
broke in pretty much the same way as doing the --setup-ca after
uninstalling the server, preparing a new replica from IPA0 and starting
IPA1 with a clean sheet.

I will do the 'ipa-ca-install' again, but probably not until Thursday or
Friday as I'll be out of the office the next two days to go see my Red
Devils play Barcelona.

If that fails, I'll pull the logs, uninstall the server and start with a
freshly prepared replica and install as if it was a new replica with CA and
pull those logs if/when that fails.


On Mon, Jul 24, 2017 at 10:25 PM, Fraser Tweedale <ftwee...@redhat.com>
wrote:

> On Mon, Jul 24, 2017 at 10:44:24AM -0400, Mark Haney via FreeIPA-users
> wrote:
> > Prior to my employment, one of our engineers setup an IPA server to
> replace
> > the horrific OpenLDAP server. One of my first tasks was to build a second
> > IPA server and setup replication.  Initially, the replication setup was
> > smooth and simple.  (I used this:
> > https://www.howtoforge.com/installing-freeipa-with-replication for
> getting
> > replica up.)
> >
> > However, as we were starting to consider how best to deploy it to our
> remote
> > servers, and digging through the GUI I got this pop-up when looking at
> the
> > Topology page:
> >
> > It is strongly recommended to keep the CA services installed on more than
> > one server.
> >
> > As this replica needs to be a full 'replica' of the primary, I went about
> > trying to install the CA role on the second server, which I'll call IPA1
> and
> > the master IPA0.  The RH documentation says to 'Run ipa-replica-install
> with
> > the --setup-ca option.' Of course, the documentation doesn't explicitly
> say
> > whether that needs to be done on the initial creation of the replica, or
> if
> > it can be done after the replica was created.  (IOW, it just adds the CA
> > services role and pulls from IPA0 the CA stuff it needs.)
> >
> > Unfortunately, that failed and I ended up uninstalling the replica with
> > 'ipa-server-install --uninstall' after removing the replica from IPA0.
> > After a reboot (just in case), I built a new replica GPG file on IPA0,
> > copied it over to IPA1 and ran this:
> >
> > ipa-replica-install replica-info-ipa1.neonova.net.gpg --setup-ca
> >
> > That also failed with the exact same error as the failure from trying to
> > install just the CA role on the existing replica. This is the error I
> get:
> >
> >  [2/27]: configuring certificate server instance
> > ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
> configure CA
> > instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpYC8gIz' returned
> > non-zero exit status 1
> > ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
> installation
> > logs and the following files/directories for more information:
> > ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
> > /var/log/pki/pki-tomcat
> >   [error] RuntimeError: CA configuration failed.
> > Your system may be partly configured.
> > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >
> > ipa.ipapython.install.cli.install_tool(Replica): ERROR    CA
> configuration
> > failed.
> > ipa.ipapython.install.cli.install_tool(Replica): ERROR    The
> > ipa-replica-install command failed. See /var/log/ipareplica-install.log
> for
> > more information
> >
> > Also, in the pki-tomcat/ca/debug log I get this:
> >
> > Failed to contact master using admin
> > portjavax.ws.rs.InternalServerErrorException: HTTP 500 Internal Server
> Error
> >
> > issuer: CN=Go Daddy Secure Certificate Authority -
> > G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com,
> > Inc.",L=Scottsdale,ST=Arizona,C=US
> > javax.ws.rs.NotFoundException: HTTP 404 Not Found
> >
> > We have a signed Wildcard Cert from GoDaddy on IPA0, but I can't tell why
> > this even needs to contact the Cert CA for any reason.
> >
> > BTW, I had this wildcard cert setup for the IPA web interface only prior
> to
> > blowing this thing to pieces over partial documentation and God knows
> what
> > else isn't spelled out that I missed.
> >
> > Any ideas?
> >
> Did you create a fresh replica file via `ipa-replica-prepare' after
> installing the wildcard cert?  I would do that just in case.
>
> Could you provide more of the /var/log/pki/pki-tomcat/ca/debug log
> file (ideally the whole thing)?
>
> Also to clarify: ``ipa-replica-install --setup-ca'' installs a new
> replica including the CA role.  To install the CA role on an
> existing replica use the ``ipa-ca-install'' command.
>
> Cheers,
> Fraser
>



-- 
[image: photo]
Mark Haney
Network Engineer at NeoNova
919-460-3330 <(919)%20460-3330> (opt 1) • mark.ha...@neonova.net
www.neonova.net <https://neonova.net/>
<https://www.facebook.com/NeoNovaNNS/>  <https://twitter.com/NeoNova_NNS>
<http://www.linkedin.com/company/neonova-network-services>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to