Andrew Meyer via FreeIPA-users wrote:
> Ok, I got further this time. Now I am getting this error:
>
> [2/27]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 5 seconds elapsed
> Update succeeded
>
> [3/27]: creating installation admin user
> [4/27]: configuring certificate server instance
> [error] OSError: [Errno 12] Cannot allocate memory
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR [Errno 12] Cannot allocate memory
> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

How much RAM does your instance have? You need 2GB minimum.

rob

> On Thursday, February 8, 2018 8:01 AM, Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>
> Thank you, I also did some digging and found that there is a bug directly related to this in version 4.5.2, which is what I'm running. Apparently it is fixed in 4.6.3 but it hasn't reached CentOS 7 EPEL repo.
>
> On Thursday, February 8, 2018 7:29 AM, Florence Blanc-Renaud via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>
> On 02/07/2018 10:53 PM, Andrew Meyer via FreeIPA-users wrote:
>> I just got FreeIPA added as a client and then I tried to promote it as a replica. I got the following error:
>>
>> Done configuring kadmin.
>> Configuring directory server (dirsrv)
>> [1/3]: configuring TLS for DS instance
>> [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR Certificate issuance failed (CA_REJECTED)
>> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>> [ec2-user@freeipa-replica-aws ~]$
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>>
> Hi,
>
> During a replication installation, the replica will use certmonger to request certificates for 389-ds and httpd. Then certmonger (on the replica-to-be) contacts a FreeIPA master with a cert_request command, and the master communicates with Dogtag to issue the certificate.
>
> When this fails, you may get more information with the following command:
> - on the client that you try to promote: sudo getcert list
> It may contain an error message with an explanation
>
> - on the FreeIPA master, check the logs in /var/log/httpd/error_log.
> They should contain some lines like:
>
> [...date...] [:error] [pid 9337] ipa: INFO: [xmlserver] host/vm-replica.ipadomain....@ipadomain.com: cert_request(u'MII...MJUs6', profile_id=u'caIPAserviceCert', principal=u'ldap/replica.ipadomain....@ipadomain.com', add=True, version=u'2.51'): XXX
>
> where XXX will contain the reason for the failure. The PKI logs in /var/log/pki/pki-tomcat/ on the master may also help diagnose.
>
> HTH,
> Flo
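
The master-side check described in Flo's message (finding cert_request lines in /var/log/httpd/error_log and reading the trailing reason) can be scripted. The following is an added example, not part of the original thread or of FreeIPA; the function names, sample hostnames, realm, CSR text and result strings are constructed for illustration, and it assumes successful calls end in SUCCESS.

```python
import re

# Line shape taken from the cert_request example quoted in the thread.
CERT_REQ = re.compile(
    r"\[pid (?P<pid>\d+)\] ipa: INFO: \[(?P<iface>\w+)\] "
    r"(?P<caller>\S+): cert_request\((?P<args>.*?)\): (?P<result>.+)$"
)
# Keyword arguments only; the leading ", " keeps base64 '=' padding in the
# positional CSR argument from being mistaken for a key.
KWARG = re.compile(r", (\w+)=u?'([^']*)'")


def parse_cert_request(line):
    """Return a dict for a cert_request log line, or None for any other line."""
    m = CERT_REQ.search(line.rstrip("\n"))
    if not m:
        return None
    kwargs = dict(KWARG.findall(m.group("args")))
    return {
        "pid": int(m.group("pid")),
        "caller": m.group("caller"),
        "profile_id": kwargs.get("profile_id"),
        "principal": kwargs.get("principal"),
        "result": m.group("result").strip(),
    }


def failed_requests(lines):
    """Yield parsed cert_request entries whose result is not SUCCESS (assumed success marker)."""
    for line in lines:
        entry = parse_cert_request(line)
        if entry and entry["result"] != "SUCCESS":
            yield entry


# Constructed sample lines; none of these values come from a real server.
_PREFIX = "[Thu Feb 08 07:10:01.123456 2018] [:error] [pid 9337] ipa: INFO: "
_HOST = "host/replica.example.test@EXAMPLE.TEST"
SAMPLE_LOG = [
    _PREFIX + "[xmlserver] " + _HOST + ": cert_request(u'MIIC...AAA=', "
    "profile_id=u'caIPAserviceCert', "
    "principal=u'ldap/replica.example.test@EXAMPLE.TEST', "
    "add=True, version=u'2.51'): CertificateOperationError",
    _PREFIX + "[xmlserver] " + _HOST + ": cert_request(u'MIIC...BBB', "
    "profile_id=u'caIPAserviceCert', "
    "principal=u'HTTP/replica.example.test@EXAMPLE.TEST', "
    "add=True, version=u'2.51'): SUCCESS",
    _PREFIX + "[xmlserver] " + _HOST + ": ping(): SUCCESS",
]

if __name__ == "__main__":
    for e in failed_requests(SAMPLE_LOG):
        print(f"{e['principal']} ({e['profile_id']}) by {e['caller']}: {e['result']}")
```

On a real master, pass an open handle on /var/log/httpd/error_log to failed_requests() in place of SAMPLE_LOG.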