Hi all,
I would appreciate any help with my attempt to promote an existing
client to a replica. After client installation, I added the replica-to-be
to the ipaservers hostgroup and then ran "replica-install --setup-ca",
but unfortunately I ended up with the errors below. Both master and
client have ipa-server-4.4.0-14.el7.centos.7.x86_64.
Thanks in advance,
Petros
_____________________________________________________________________________________________________________
On replica-to-be:
[...]
Done configuring ipa-otpd.
Configuring certificate server (pki-tomcatd). Estimated time: 3
minutes 30 seconds
[1/26]: creating certificate server user
[2/26]: creating certificate server db
[3/26]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 5 seconds elapsed
Update succeeded
[4/26]: creating installation admin user
[5/26]: setting up certificate server
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
configure CA instance: Command '/usr/sbin/pkispawn -s CA -f
/tmp/tmp6Q_ZLY' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
installation logs and the following files/directories for more
information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
/var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(Replica): ERROR CA
configuration failed.
ipa.ipapython.install.cli.install_tool(Replica): ERROR The
ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information
_____________________________________________________________________________________________________________
/var/log/ipareplica-install.log
[...]
Import complete
---------------
Imported certificates in /etc/pki/pki-tomcat/alias:
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
ocspSigningCert cert-pki-ca u,u,u
subsystemCert cert-pki-ca u,u,u
caSigningCert cert-pki-ca CTu,Cu,Cu
auditSigningCert cert-pki-ca u,u,Pu
Installation failed:
Please check the CA logs in /var/log/pki/pki-tomcat/ca.
2017-07-27T06:57:54Z DEBUG stderr=
2017-07-27T06:57:54Z CRITICAL Failed to configure CA instance:
Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp6Q_ZLY' returned
non-zero exit status 1
2017-07-27T06:57:54Z CRITICAL See the installation logs and the
following files/directories for more information:
2017-07-27T06:57:54Z CRITICAL /var/log/pki/pki-tomcat
2017-07-27T06:57:54Z DEBUG Traceback (most recent call last):
File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 449, in start_creation
run_step(full_msg, method)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 439, in run_step
method()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 586, in __spawn_instance
DogtagInstance.spawn_instance(self, cfg_file)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 181, in spawn_instance
self.handle_setup_error(e)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 420, in handle_setup_error
raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.
2017-07-27T06:57:54Z DEBUG [error] RuntimeError: CA configuration
failed.
2017-07-27T06:57:54Z DEBUG File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line
171, in execute
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py",
line 318, in run
cfgr.run()
File
"/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
310, in run
self.execute()
File
"/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
332, in execute
for nothing in self._executor():
File
"/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
372, in __runner
self._handle_exception(exc_info)
File
"/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
394, in _handle_exception
six.reraise(*exc_info)
File
"/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
362, in __runner
step()
File
"/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
359, in <lambda>
step = lambda: next(self.__gen)
File
"/usr/lib/python2.7/site-packages/ipapython/install/util.py", line
81, in run_generator_with_yield_from
six.reraise(*exc_info)
File
"/usr/lib/python2.7/site-packages/ipapython/install/util.py", line
59, in run_generator_with_yield_from
value = gen.send(prev_value)
File
"/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
586, in _configure
next(executor)
File
"/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
372, in __runner
self._handle_exception(exc_info)
File
"/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
449, in _handle_exception
self.__parent._handle_exception(exc_info)
File
"/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
394, in _handle_exception
six.reraise(*exc_info)
File
"/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
446, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File
"/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
394, in _handle_exception
six.reraise(*exc_info)
File
"/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
362, in __runner
step()
File
"/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
359, in <lambda>
step = lambda: next(self.__gen)
File
"/usr/lib/python2.7/site-packages/ipapython/install/util.py", line
81, in run_generator_with_yield_from
six.reraise(*exc_info)
File
"/usr/lib/python2.7/site-packages/ipapython/install/util.py", line
59, in run_generator_with_yield_from
value = gen.send(prev_value)
File
"/usr/lib/python2.7/site-packages/ipapython/install/common.py",
line 63, in _install
for nothing in self._installer(self.parent):
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 1722, in main
promote(self)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 372, in decorated
func(installer)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 1519, in promote
ca_cert_bundle=ca_data)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 1392, in configure_replica
self.start_creation(runtime=210)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 449, in start_creation
run_step(full_msg, method)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 439, in run_step
method()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 586, in __spawn_instance
DogtagInstance.spawn_instance(self, cfg_file)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 181, in spawn_instance
self.handle_setup_error(e)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 420, in handle_setup_error
raise RuntimeError("%s configuration failed." % self.subsystem)
2017-07-27T06:57:54Z DEBUG The ipa-replica-install command failed,
exception: RuntimeError: CA configuration failed.
2017-07-27T06:57:54Z ERROR CA configuration failed.
2017-07-27T06:57:54Z ERROR The ipa-replica-install command failed.
See /var/log/ipareplica-install.log for more information
_____________________________________________________________________________________________________________
On master server:
[27/Jul/2017:09:53:19.624201120 +0300] NSMMReplicationPlugin -
agmt="cn=meTomedea.geo.auth.gr" (medea:389): Replication bind with
GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
[27/Jul/2017:09:53:19.910732845 +0300] NSMMReplicationPlugin -
agmt="cn=meTomedea.geo.auth.gr" (medea:389): Replication bind with
GSSAPI auth resumed
[27/Jul/2017:09:53:21.525459152 +0300] NSMMReplicationPlugin -
Beginning total update of replica "agmt="cn=meTomedea.geo.auth.gr"
(medea:389)".
[27/Jul/2017:09:53:26.923911503 +0300] NSMMReplicationPlugin -
Finished total update of replica "agmt="cn=meTomedea.geo.auth.gr"
(medea:389)". Sent 719 entries.
[27/Jul/2017:09:53:29.398775963 +0300] NSMMReplicationPlugin -
agmt="cn=meTomedea.geo.auth.gr" (medea:389): Unable to acquire
replica: permission denied. The bind dn "" does not have permission
to supply replication updates to the replica. Will retry later.
[27/Jul/2017:09:53:32.746503539 +0300] NSMMReplicationPlugin -
agmt="cn=meTomedea.geo.auth.gr" (medea:389): Unable to acquire
replica: permission denied. The bind dn "" does not have permission
to supply replication updates to the replica. Will retry later.
[27/Jul/2017:09:53:38.862288126 +0300] NSMMReplicationPlugin -
agmt="cn=meTomedea.geo.auth.gr" (medea:389): Unable to receive the
response for a startReplication extended operation to consumer
(Can't contact LDAP server). Will retry later.
[27/Jul/2017:09:53:51.238616755 +0300] NSMMReplicationPlugin -
agmt="cn=meTomedea.geo.auth.gr" (medea:389): Replication bind with
GSSAPI auth resumed
[27/Jul/2017:09:54:30.937398919 +0300] NSMMReplicationPlugin -
agmt="cn=meTomedea.geo.auth.gr" (medea:389): Unable to receive the
response for a startReplication extended operation to consumer
(Can't contact LDAP server). Will retry later.
[27/Jul/2017:09:56:03.537114454 +0300] NSMMReplicationPlugin -
agmt="cn=meTomedea.geo.auth.gr" (medea:389): Replication bind with
GSSAPI auth resumed
[27/Jul/2017:09:56:04.495965497 +0300] NSMMReplicationPlugin -
agmt="cn=caTomedea.geo.auth.gr" (medea:389): The remote replica has
a different database generation ID than the local database. You may
have to reinitialize the remote replica, or the local replica.
[27/Jul/2017:09:56:06.236968406 +0300] NSMMReplicationPlugin -
Beginning total update of replica "agmt="cn=caTomedea.geo.auth.gr"
(medea:389)".
[27/Jul/2017:09:56:10.494727689 +0300] NSMMReplicationPlugin -
Finished total update of replica "agmt="cn=caTomedea.geo.auth.gr"
(medea:389)". Sent 159 entries.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org