Ok, I got further this time. Now I am getting this error:
[2/27]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 5 seconds elapsed
Update succeeded
[3/27]: creating installation admin user
[4/27]: configuring certificate server instance
[error] OSError: [Errno 12] Cannot allocate memory
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR
[Errno 12] Cannot allocate memory
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for
more information
On Thursday, February 8, 2018 8:01 AM, Andrew Meyer via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:
Thank you, I also did some digging and found that there is a bug directly
related this an version 4.5.2 which is what i'm running. Apparently it is
fixed in 4.6.3 but it hasn't reached CentOS 7 EPEL repo.
On Thursday, February 8, 2018 7:29 AM, Florence Blanc-Renaud via
FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
On 02/07/2018 10:53 PM, Andrew Meyer via FreeIPA-users wrote:
> I just got FreeIPA added as a client and then I tried to promote it as a
> replica. I got the following error:
>
> Done configuring kadmin.
> Configuring directory server (dirsrv)
> [1/3]: configuring TLS for DS instance
> [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR
> Certificate issuance failed (CA_REJECTED)
> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR
> The ipa-replica-install command failed. See /var/log/ipareplica-install.log
> for more information
> [ec2-user@freeipa-replica-aws ~]$
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>
Hi,
During a replication installation, the replica will use certmonger to
request certificates for 389-ds and httpd. Then certmonger (on the
replica-to-be) contacts a FreeIPA master with a cert_request command,
and the master communicates with Dogtag to issue the certificate.
When this fails, you may get more information with the following command:
- on the client that you try to promote: sudo getcert list
It may contain an error message with an explanation
- on the FreeIPA master, check the logs in /var/log/httpd/error_log.
They should contain some lines like:
[...date...] [:error] [pid 9337] ipa: INFO: [xmlserver]
host/vm-replica.ipadomain....@ipadomain.com:
cert_request(u'MII...MJUs6', profile_id=u'caIPAserviceCert',
principal=u'ldap/replica.ipadomain....@ipadomain.com', add=True,
version=u'2.51'): XXX
where XXX will contain the reason for the failure. The PKI logs in
/var/log/pki/pki-tomcat/ on the master may also help diagnose.
HTH,
Flo
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
