On Thu, Aug 03, 2017 at 07:18:30AM -0400, Mark Haney wrote:
> On 08/02/2017 04:17 PM, Fraser Tweedale wrote:
> > 
> > > - /var/log/ipareplica-install.log from replica
> > > - /etc/pki/pki-tomcat/ca/debug from both master and replica
> > > 
> > > Those logs should do for a start.
> > > 
> > > I'd also like to see your /etc/pki/pki-tomcat/ca/CS.cfg from both
> > > master and replica.  Depending on where investigation goes I might
> > > ask for some LDAP entries too, but I'm not up to that point yet.
> > > 
> > > Feel free to send logs directly to me and/or redact them as you see
> > > fit.
> > > 
> > Oh, and which version of IPA are you creating the replica from?
> > 
> > Thanks,
> > Fraser
> 
> Actually, that won't be necessary; it took two of us looking at it, but we
> figured out the problem.  Based on what I can gather, when IPA0 was built,
> kinit admin wasn't run prior to updating the GoDaddy certs.  (The
> documentation isn't real clear on that, if said documentation was perused
> while setting it up.  As I said, I didn't build the server.)  Once the GD
> cert files were pulled from nssdb on IPA0 and reinstalled and updated with
> kinit admin ipa-certupdate, it seems to have cleared up the wonky
> configuration on that side.
> 
> Then, we went the nuclear option and removed the ipa-server packages from
> IPA1, re-installed them, ran ipa-client-install (which I hadn't run and
> wasn't clear that it needed to be run), then ran the ipa-replica-install
> --setup-ca and now everything is kosher.
> 
> I was fairly certain as I got into debugging it that it wasn't a bug, as the
> documentation tells you different things depending on what documentation you
> look at (i.e., RH vs FreeIPA docs), so I wasn't sure where the issue lay.  Most
> of the time, I had focused on something not right with IPA1, not really
> considering IPA0 could be jacked up in its own special way.  It was my
> colleague who reminded me there were two parts to the equation.  Tunnel
> vision still gets me even after 20 years of doing this!
> 
> Now though, we're up and running fine and ready to begin a real rollout to
> our production servers.
> 
> I appreciate all the help from the list.
> 
Mark, that's great news; I'm glad you were able to resolve the
issue.

Everyone gets the tunnel vision sometimes :)

I wish you a successful rollout to production.

Cheers,
Fraser
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org