Hi all,
I would appreciate any help on my attempt to promote an existing client to replica. After client installation, I added the replica-to-be to the ipaservers hostgroup and then ran "replica-install --setup-ca", but unfortunately I ended up with the errors below. Both master and client have ipa-server-4.4.0-14.el7.centos.7.x86_64
Thanks in advance,
Petros

_____________________________________________________________________________________________________________
On replica-to-be:

[...]
Done configuring ipa-otpd.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/26]: creating certificate server user
  [2/26]: creating certificate server db
  [3/26]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 5 seconds elapsed
Update succeeded

  [4/26]: creating installation admin user
  [5/26]: setting up certificate server
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp6Q_ZLY' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR CA configuration failed.
ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

_____________________________________________________________________________________________________________
/var/log/ipareplica-install.log

[...]
Import complete
---------------
Imported certificates in /etc/pki/pki-tomcat/alias:

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                                 u,u,Pu

Installation failed:


Please check the CA logs in /var/log/pki/pki-tomcat/ca.

2017-07-27T06:57:54Z DEBUG stderr=
2017-07-27T06:57:54Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp6Q_ZLY' returned non-zero exit status 1
2017-07-27T06:57:54Z CRITICAL See the installation logs and the following files/directories for more information:
2017-07-27T06:57:54Z CRITICAL   /var/log/pki/pki-tomcat
2017-07-27T06:57:54Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
    run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
    method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 586, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 181, in spawn_instance
    self.handle_setup_error(e)
File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 420, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

2017-07-27T06:57:54Z DEBUG   [error] RuntimeError: CA configuration failed.
2017-07-27T06:57:54Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run
    cfgr.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 310, in run
    self.execute()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in execute
    for nothing in self._executor():
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 586, in _configure
    next(executor)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449, in _handle_exception
    self.__parent._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1722, in main
    promote(self)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 372, in decorated
    func(installer)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1519, in promote
    ca_cert_bundle=ca_data)
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1392, in configure_replica
    self.start_creation(runtime=210)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
    run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
    method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 586, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 181, in spawn_instance
    self.handle_setup_error(e)
File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 420, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)

2017-07-27T06:57:54Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: CA configuration failed.
2017-07-27T06:57:54Z ERROR CA configuration failed.
2017-07-27T06:57:54Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

_____________________________________________________________________________________________________________

On master server:

[27/Jul/2017:09:53:19.624201120 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
[27/Jul/2017:09:53:19.910732845 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Replication bind with GSSAPI auth resumed
[27/Jul/2017:09:53:21.525459152 +0300] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meTomedea.geo.auth.gr" (medea:389)".
[27/Jul/2017:09:53:26.923911503 +0300] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=meTomedea.geo.auth.gr" (medea:389)". Sent 719 entries.
[27/Jul/2017:09:53:29.398775963 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
[27/Jul/2017:09:53:32.746503539 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
[27/Jul/2017:09:53:38.862288126 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
[27/Jul/2017:09:53:51.238616755 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Replication bind with GSSAPI auth resumed
[27/Jul/2017:09:54:30.937398919 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
[27/Jul/2017:09:56:03.537114454 +0300] NSMMReplicationPlugin - agmt="cn=meTomedea.geo.auth.gr" (medea:389): Replication bind with GSSAPI auth resumed
[27/Jul/2017:09:56:04.495965497 +0300] NSMMReplicationPlugin - agmt="cn=caTomedea.geo.auth.gr" (medea:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[27/Jul/2017:09:56:06.236968406 +0300] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=caTomedea.geo.auth.gr" (medea:389)".
[27/Jul/2017:09:56:10.494727689 +0300] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=caTomedea.geo.auth.gr" (medea:389)". Sent 159 entries.

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org