Ok, I got further this time. Now I am getting this error: [2/27]: setting up initial replication Starting replication, please wait until this has completed. Update in progress, 5 seconds elapsed Update succeeded
[3/27]: creating installation admin user [4/27]: configuring certificate server instance [error] OSError: [Errno 12] Cannot allocate memory Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR [Errno 12] Cannot allocate memory ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information On Thursday, February 8, 2018 8:01 AM, Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: Thank you, I also did some digging and found that there is a bug directly related this an version 4.5.2 which is what i'm running. Apparently it is fixed in 4.6.3 but it hasn't reached CentOS 7 EPEL repo. On Thursday, February 8, 2018 7:29 AM, Florence Blanc-Renaud via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: On 02/07/2018 10:53 PM, Andrew Meyer via FreeIPA-users wrote: > I just got FreeIPA added as a client and then I tried to promote it as a > replica. I got the following error: > > Done configuring kadmin. > Configuring directory server (dirsrv) > [1/3]: configuring TLS for DS instance > [error] RuntimeError: Certificate issuance failed (CA_REJECTED) > Your system may be partly configured. > Run /usr/sbin/ipa-server-install --uninstall to clean up. > > ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR > Certificate issuance failed (CA_REJECTED) > ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR > The ipa-replica-install command failed. See /var/log/ipareplica-install.log > for more information > [ec2-user@freeipa-replica-aws ~]$ > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org > Hi, During a replication installation, the replica will use certmonger to request certificates for 389-ds and httpd. Then certmonger (on the replica-to-be) contacts a FreeIPA master with a cert_request command, and the master communicates with Dogtag to issue the certificate. When this fails, you may get more information with the following command: - on the client that you try to promote: sudo getcert list It may contain an error message with an explanation - on the FreeIPA master, check the logs in /var/log/httpd/error_log. They should contain some lines like: [...date...] [:error] [pid 9337] ipa: INFO: [xmlserver] host/vm-replica.ipadomain....@ipadomain.com: cert_request(u'MII...MJUs6', profile_id=u'caIPAserviceCert', principal=u'ldap/replica.ipadomain....@ipadomain.com', add=True, version=u'2.51'): XXX where XXX will contain the reason for the failure. The PKI logs in /var/log/pki/pki-tomcat/ on the master may also help diagnose. HTH, Flo _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org