On Thu, Aug 03, 2017 at 07:18:30AM -0400, Mark Haney wrote:
> On 08/02/2017 04:17 PM, Fraser Tweedale wrote:
> > > - /var/log/ipareplica-install.log from replica
> > > - /etc/pki/pki-tomcat/ca/debug from both master and replica
> > >
> > > Those logs should do for a start.
> > >
> > > I'd also like to see your /etc/pki/pki-tomcat/ca/CS.cfg from both
> > > master and replica. Depending on where investigation goes I might
> > > ask for some LDAP entries too, but I'm not up to that point yet.
> > >
> > > Feel free to send logs directly to me and/or redact them as you see
> > > fit.
> > >
> > Oh, and which version of IPA are you creating the replica from?
> >
> > Thanks,
> > Fraser
>
> Actually that won't be necessary; it took two of us looking at it, but we
> figured out the problem. Based on what I can gather, when IPA0 was built,
> kinit admin wasn't run prior to updating the GoDaddy certs. (The
> documentation isn't real clear on that, if said documentation was perused
> while setting it up. As I said, I didn't build the server.) Once the GD
> cert files were pulled from nssdb on IPA0 and reinstalled and updated with
> kinit admin and ipa-certupdate, it seems to have cleared up the wonky
> configuration on that side.
>
> Then we went the nuclear option and removed the ipa-server packages from
> IPA1, re-installed them, ran ipa-client-install (which I hadn't run and
> wasn't clear that it needed to be run), then ran ipa-replica-install
> --setup-ca, and now everything is kosher.
>
> I was fairly certain as I got into debugging it that it wasn't a bug, as the
> documentation tells you different things depending on which documentation you
> look at (i.e., RH vs FreeIPA docs), so I wasn't sure where the issue lay. Most
> of the time I had focused on something not right with IPA1, not really
> considering IPA0 could be jacked up in its own special way. It was my
> colleague who reminded me there were two parts to the equation. Tunnel
> vision still gets me even after 20 years of doing this!
>
> Now though, we're up and running fine and ready to begin a real rollout to
> our production servers.
>
> I appreciate all the help from the list.
>
Mark, that's great news; I'm glad you were able to resolve the issue.
Everyone gets the tunnel vision sometimes :)

I wish you a successful rollout to production.

Cheers,
Fraser

_______________________________________________
FreeIPA-users mailing list -- email@example.com
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org