On 02/07/2018 10:53 PM, Andrew Meyer via FreeIPA-users wrote:
I just got FreeIPA added as a client and then I tried to promote it as a 
replica.  I got the following error:

Done configuring kadmin.
Configuring directory server (dirsrv)
[1/3]: configuring TLS for DS instance
[error] RuntimeError: Certificate issuance failed (CA_REJECTED)
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    
Certificate issuance failed (CA_REJECTED)
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for 
more information
[ec2-user@freeipa-replica-aws ~]$
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Hi,

During a replication installation, the replica will use certmonger to request certificates for 389-ds and httpd. Then certmonger (on the replica-to-be) contacts a FreeIPA master with a cert_request command, and the master communicates with Dogtag to issue the certificate.

When this fails, you may get more information with the following commands:
- on the client that you try to promote: sudo getcert list
It may contain an error message with an explanation.

- on the FreeIPA master, check the logs in /var/log/httpd/error_log. They should contain some lines like:

[...date...] [:error] [pid 9337] ipa: INFO: [xmlserver] host/vm-replica.ipadomain....@ipadomain.com: cert_request(u'MII...MJUs6', profile_id=u'caIPAserviceCert', principal=u'ldap/replica.ipadomain....@ipadomain.com', add=True, version=u'2.51'): XXX

where XXX will contain the reason for the failure. The PKI logs in /var/log/pki/pki-tomcat/ on the master may also help diagnose.

HTH,
Flo
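The two checks Flo describes (the cert_request result in the master's httpd error_log, and certmonger's own view from getcert list) are easy to lose in noisy logs. The script below is an added example, not code from the thread or from FreeIPA itself: it pulls the principal and the result out of every cert_request line in an error_log, filters the non-SUCCESS ones, and lists the certmonger requests whose status is not MONITORING together with their ca-error text. The log lines and the getcert list output it parses are constructed samples written into temporary files; the request IDs, hostnames and error text in them are placeholders, and the exact wording of a real ca-error or a real cert_request failure will differ.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread, not FreeIPA code).
# Helpers for the two diagnostics from the reply above:
#   1. cert_request results on the master, from /var/log/httpd/error_log
#   2. certmonger requests on the replica-to-be, from `getcert list`
# Sample inputs below are constructed for the example.

SAMPLE_LOG=$(mktemp)
SAMPLE_GETCERT=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_GETCERT"' EXIT

# Constructed error_log excerpt: one successful cert_request, one failure.
# (hostnames, request blob and failure reason are placeholders)
cat <<'EOF' > "$SAMPLE_LOG"
[Thu Feb 08 04:53:00 2018] [:error] [pid 9337] ipa: INFO: [xmlserver] host/replica.ipadomain.com@IPADOMAIN.COM: cert_request(u'MII...MJUs6', profile_id=u'caIPAserviceCert', principal=u'HTTP/replica.ipadomain.com@IPADOMAIN.COM', add=True, version=u'2.51'): SUCCESS
[Thu Feb 08 04:53:01 2018] [:error] [pid 9337] ipa: INFO: [xmlserver] host/replica.ipadomain.com@IPADOMAIN.COM: cert_request(u'MII...MJUs6', profile_id=u'caIPAserviceCert', principal=u'ldap/replica.ipadomain.com@IPADOMAIN.COM', add=True, version=u'2.51'): CertificateOperationError: Certificate operation cannot be completed: (constructed sample reason, CA_REJECTED)
[Thu Feb 08 04:53:02 2018] [:error] [pid 9337] ipa: INFO: [xmlserver] host/replica.ipadomain.com@IPADOMAIN.COM: host_show(u'replica.ipadomain.com', version=u'2.51'): SUCCESS
EOF

# Constructed `getcert list` excerpt: one healthy request, one rejected one.
cat <<'EOF' > "$SAMPLE_GETCERT"
Number of certificates and requests being tracked: 2.
Request ID '20180208045300':
    status: MONITORING
    stuck: no
    CA: IPA
Request ID '20180208045301':
    status: CA_REJECTED
    ca-error: Server denied our request (constructed sample reason).
    stuck: yes
    CA: IPA
EOF

# Print "<principal> <result>" for every cert_request call in the log file $1.
# The result is whatever follows the last "): " on the line, which is where
# the IPA server logs SUCCESS or the exception text (the "XXX" in the reply).
cert_request_results() {
    grep -F 'cert_request(' "$1" \
        | sed -n "s/.*principal=u'\([^']*\)'.*): \(.*\)$/\1 \2/p"
}

# Same, but only the calls that did not succeed.
# grep -v exits 1 when every line was filtered out; that is not an error here.
cert_request_failures() {
    cert_request_results "$1" | grep -v ' SUCCESS$' || true
}

# Print "<request id> <status> <ca-error>" for every tracked certmonger request
# in the `getcert list` output file $1 whose status is not MONITORING.
getcert_problems() {
    awk '
        function flush() {
            if (id != "" && status != "MONITORING") print id, status, err
        }
        /^Request ID/             { flush(); id = $3; gsub(/[\047:]/, "", id); status = ""; err = "" }
        /^[[:space:]]*status:/    { status = $2 }
        /^[[:space:]]*ca-error:/  { sub(/^[[:space:]]*ca-error:[[:space:]]*/, ""); err = $0 }
        END                       { flush() }
    ' "$1"
}

echo "== cert_request failures in the master error_log =="
cert_request_failures "$SAMPLE_LOG"
echo "== certmonger requests on the replica not in MONITORING =="
getcert_problems "$SAMPLE_GETCERT"
```

On a real system you would point cert_request_failures at /var/log/httpd/error_log on the master (the line for the failing ldap/ or HTTP/ principal carries the reason) and feed getcert_problems the output of `sudo getcert list` saved to a file on the replica; a request that is stuck with a non-MONITORING status and a ca-error is the one to chase in the Dogtag logs under /var/log/pki/pki-tomcat/.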