This is a new one I have not seen before.

Have 4 servers, trying to add a 5th.

Masters A and B (in one location) can talk to C and D (in another location).

Trying to add E, which is a new location with the master to replicate from being D.

When I run client install, no issues at all.  Then I try to install E as a replica with DNS and CA setup and it gets almost all the way and ends up failing with (from the logs):

2018-02-04T20:00:56Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Timed out trying to obtain keys.
2018-02-04T20:00:56Z ERROR Timed out trying to obtain keys.

It actually dies at:

Done configuring ipa-otpd.
Configuring ipa-custodia
  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [3/4]: starting ipa-custodia
  [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

What is confusing is that the log also shows that it times out waiting for keys to appear on "A", which it cannot get to because of location/firewall settings. What I don't understand is, since I am building the replica off "D", why is it trying to communicate with A?

Any ideas on how to resolve this?
