Kat via FreeIPA-users wrote:
> And now a new error if I just try to install as a simple replica with no
> CA or DNS :-(
>
> Done configuring NTP daemon (ntpd).
> Configuring directory server (dirsrv). Estimated time: 30 seconds
>   [1/40]: creating directory server instance
>   [error] RuntimeError: failed to create DS instance Command
> '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpml5FQc' returned
> non-zero exit status 1
>
> Any ideas/suggestions on this one? Only ran "ipa-replica-install" after
> client was installed and working. So frustrating since the other 4 have
> been working flawlessly for months.
>

You have to look in ipareplica-install.log for details.

rob

> -k
>
>
> On 2/5/18 12:52, Simo Sorce wrote:
>> I think this could be considered a bug, not sure if there is a ticket
>> open already, but I think someone else reported something similar
>> previously.
>>
>> Simo.
>>
>> On Mon, 2018-02-05 at 10:06 -0600, Kat wrote:
>>> Yes, D is CA
>>>
>>> Firewalling is not 100% accurate. The masters are in different VPCs
>>> across AWS AZ's. I use secure tunnels (stunnel) to connect the
>>> master/replicas, which has worked fine for months. This is the 3rd VPC.
>>> And in this case, rather than stunnel decided to peer the VPCs instead.
>>>
>>> They are all DNS servers too, but because of the unique VPCs, used
>>> "location" settings to have DNS work properly (this works great BTW)
>>>
>>> -k
>>>
>>>
>>> On 2/5/18 09:58, Simo Sorce wrote:
>>>> On Sun, 2018-02-04 at 14:28 -0600, Kat via FreeIPA-users wrote:
>>>>> This is a new one I have not seen before.
>>>>>
>>>>> Have 4 servers, trying to add a 5th.
>>>>>
>>>>> Master A and B (in one location) can talk to C and D (in another
>>>>> location)
>>>>>
>>>>> Trying to add E, which is a new location with the master to replicate
>>>>> from being D.
>>>>>
>>>>> When I run client install, no issues at all. Then I try to install E as
>>>>> a replica with DNS and CA setup and it gets almost all the way and ends
>>>>> up failing with (from the logs):
>>>>>
>>>>> 2018-02-04T20:00:56Z DEBUG The ipa-replica-install command failed,
>>>>> exception: RuntimeError: Timed out trying to obtain keys.
>>>>> 2018-02-04T20:00:56Z ERROR Timed out trying to obtain keys.
>>>>>
>>>>> It actually dies at:
>>>>>
>>>>> Done configuring ipa-otpd.
>>>>> Configuring ipa-custodia
>>>>>   [1/4]: Generating ipa-custodia config file
>>>>>   [2/4]: Generating ipa-custodia keys
>>>>>   [3/4]: starting ipa-custodia
>>>>>   [4/4]: configuring ipa-custodia to start on boot
>>>>> Done configuring ipa-custodia.
>>>>> Your system may be partly configured.
>>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>>
>>>>> What is confusing, the log also shows that it times out waiting for keys
>>>>> to appear on "A", which it cannot get to because of location/firewall
>>>>> settings. What I don't understand, since I am building the replica off
>>>>> "D", why is it trying to communicate with A?
>>>>>
>>>>> Any ideas on how to resolve this?
>>>> Is D a CA master ?
>>>> I think the replica installation code picks the first master it can
>>>> find, so it may be picking A (if that's a CA) in your case.
>>>>
>>>> What's the reason to firewall off masters from each other ?
>>>>
>>>> Simo.
>>>>
>>>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org