On Mon, Jan 15, 2018 at 01:48:34PM +0100, Aljaž Srebrnič via FreeIPA-users 
wrote:
> > On 15 Jan 2018, at 03:42, Fraser Tweedale <ftwee...@redhat.com 
> > <mailto:ftwee...@redhat.com>> wrote:
> > 
> > On Sat, Jan 13, 2018 at 11:09:59AM +0100, Aljaž Srebrnič via FreeIPA-users 
> > wrote:
> >> Hello!
> >> Yesterday I tried migrating a physical machine (ipa1) that was a FreeIPA 
> >> CA CRL master in my VM cluster. I followed the guide at [1] to migrate che 
> >> CRL master to another replica (ipa2) and uninstalled the replica ipa1. 
> >> Then I set up a VM with the same hostname and IP address as the physical 
> >> machine, and installed Fedora 27.
> >> 
> >> When I tried setting up the replica with CA, the install stopped at:
> >> [4/25]: configuring certificate server instance
> >> 
> > Hi Aljaž,
> > 
> > What does "stopped" mean?  Did it hang, or exit with error?
> 
> Hello Fraser,
> It hanged seemingly for an indefinite time (I left it running a couple of 
> hours even).
> 
> > 
> >> And in my /var/log/pki/pki-tomcat/ca/debug I see a bunch of log entries 
> >> like this, with increasing time stamps:
> >> 
> >> Unable to read key retriever class from CS.cfg: Property 
> >> features.authority.keyRetrieverClass missing value
> >> Retrying in 14778 seconds
> >> 
> >> I checked the /etc/pki/pki-tomcat/ca/CS.cfg file and I don’t actually have 
> >> that entry at all, I only have:
> >> 
> >> features.authority.description=Lightweight CAs
> >> features.authority.enabled=true
> >> features.authority.version=1.0
> >> 
> >> However, if I manually add them by copying the value from the good 
> >> replica, nothing changes and the installer is still blocked on that line 
> >> (maybe the CS.cfg file isn’t re-read on each retry).
> >> 
> >> Moreover, it looks like that file (CS.cfg) is generated by the installer 
> >> script…
> >> 
> >> How can I solve this?
> >> 
> > Please file a ticket and attach logs; in particular:
> > 
> > - /var/log/pki/pki-tomcat/ca/debug
> > - /var/log/pki/pki-ca-spawn.<timestamp>.log
> > - /var/log/ipareplica-install.log
> 
> Ticket opened: https://pagure.io/freeipa/issue/7361 
> <https://pagure.io/freeipa/issue/7361>
> 
Thank you.  I'll investigate as soon as I get a chance (which may be
in a week or two).

Cheers,
Fraser
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to