> On 15 Jan 2018, at 03:42, Fraser Tweedale <ftwee...@redhat.com 
> <mailto:ftwee...@redhat.com>> wrote:
> On Sat, Jan 13, 2018 at 11:09:59AM +0100, Aljaž Srebrnič via FreeIPA-users 
> wrote:
>> Hello!
>> Yesterday I tried migrating a physical machine (ipa1) that was a FreeIPA CA 
>> CRL master in my VM cluster. I followed the guide at [1] to migrate che CRL 
>> master to another replica (ipa2) and uninstalled the replica ipa1. Then I 
>> set up a VM with the same hostname and IP address as the physical machine, 
>> and installed Fedora 27.
>> When I tried setting up the replica with CA, the install stopped at:
>> [4/25]: configuring certificate server instance
> Hi Aljaž,
> What does "stopped" mean?  Did it hang, or exit with error?

Hello Fraser,
It hanged seemingly for an indefinite time (I left it running a couple of hours 

>> And in my /var/log/pki/pki-tomcat/ca/debug I see a bunch of log entries like 
>> this, with increasing time stamps:
>> Unable to read key retriever class from CS.cfg: Property 
>> features.authority.keyRetrieverClass missing value
>> Retrying in 14778 seconds
>> I checked the /etc/pki/pki-tomcat/ca/CS.cfg file and I don’t actually have 
>> that entry at all, I only have:
>> features.authority.description=Lightweight CAs
>> features.authority.enabled=true
>> features.authority.version=1.0
>> However, if I manually add them by copying the value from the good replica, 
>> nothing changes and the installer is still blocked on that line (maybe the 
>> CS.cfg file isn’t re-read on each retry).
>> Moreover, it looks like that file (CS.cfg) is generated by the installer 
>> script…
>> How can I solve this?
> Please file a ticket and attach logs; in particular:
> - /var/log/pki/pki-tomcat/ca/debug
> - /var/log/pki/pki-ca-spawn.<timestamp>.log
> - /var/log/ipareplica-install.log

Ticket opened: https://pagure.io/freeipa/issue/7361 

Aljaž Srebrnič a.k.a g5pw
My public key:  https://g5pw.me/key <https://g5pw.me/key>
Key fingerprint = 2109 8131 60CA 01AF 75EC  01BF E140 E1EE A54E E677

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to