Andrew Meyer via FreeIPA-users wrote:
> Ok, I got further this time.  Now I am getting this error:
> 
>   [2/27]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 5 seconds elapsed
> Update succeeded
> 
>   [3/27]: creating installation admin user
>   [4/27]: configuring certificate server instance
>   [error] OSError: [Errno 12] Cannot allocate memory
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> 
> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
> ERROR    [Errno 12] Cannot allocate memory
> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
> ERROR    The ipa-replica-install command failed. See
> /var/log/ipareplica-install.log for more information

How much RAM does your instance have? You need 2GB minimum.

rob

> 
> 
> On Thursday, February 8, 2018 8:01 AM, Andrew Meyer via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org> wrote:
> 
> 
> Thank you, I also did some digging and found that there is a bug
> directly related to this in version 4.5.2, which is what I'm running.
> Apparently it is fixed in 4.6.3 but it hasn't reached the CentOS 7 EPEL repo.
> 
> 
> On Thursday, February 8, 2018 7:29 AM, Florence Blanc-Renaud via
> FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> 
> 
> On 02/07/2018 10:53 PM, Andrew Meyer via FreeIPA-users wrote:
>> I just got FreeIPA added as a client and then I tried to promote it as
>> a replica.  I got the following error:
>>
>> Done configuring kadmin.
>> Configuring directory server (dirsrv)
>> [1/3]: configuring TLS for DS instance
>> [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
>> ERROR    Certificate issuance failed (CA_REJECTED)
>> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
>> ERROR    The ipa-replica-install command failed. See
>> /var/log/ipareplica-install.log for more information
>> [ec2-user@freeipa-replica-aws ~]$
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>>
> Hi,
> 
> During a replication installation, the replica will use certmonger to
> request certificates for 389-ds and httpd. Then certmonger (on the
> replica-to-be) contacts a FreeIPA master with a cert_request command,
> and the master communicates with Dogtag to issue the certificate.
> 
> When this fails, you may get more information with the following command:
> - on the client that you try to promote: sudo getcert list
> It may contain an error message with an explanation
> 
> - on the FreeIPA master, check the logs in /var/log/httpd/error_log.
> They should contain some lines like:
> 
> [...date...] [:error] [pid 9337] ipa: INFO: [xmlserver]
> host/vm-replica.ipadomain....@ipadomain.com:
> cert_request(u'MII...MJUs6', profile_id=u'caIPAserviceCert',
> principal=u'ldap/replica.ipadomain....@ipadomain.com', add=True,
> version=u'2.51'): XXX
> 
> where XXX will contain the reason for the failure. The PKI logs in
> /var/log/pki/pki-tomcat/ on the master may also help diagnose.
> 
> HTH,
> Flo
> 
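Added example, not part of the original thread or FreeIPA's own code: a small Python filter for the master's /var/log/httpd/error_log that pulls out the cert_request entries Flo describes and reports the ones that did not end in SUCCESS. The host names, realm, timestamps and the CertificateOperationError result in the sample lines are constructed; the line layout follows the entry quoted above, joined onto one line.

```python
import re

# Layout taken from the entry quoted in the thread:
# [date] [:error] [pid N] ipa: INFO: [xmlserver] <caller>: cert_request(<args>): <result>
CERT_REQUEST = re.compile(
    r"^\[(?P<date>[^\]]*)\] \[\w*:error\] \[pid (?P<pid>\d+)\] ipa: INFO: "
    r"\[\w+\] (?P<caller>\S+): cert_request\((?P<args>.*)\): (?P<result>.+)$"
)
KWARG = re.compile(r"(\w+)=u?'([^']*)'")

# Constructed sample lines (hosts, realm, dates and results are made up).
SAMPLE_LOG = [
    "[Thu Feb 08 07:01:02.000001 2018] [:error] [pid 9337] ipa: INFO: [xmlserver] "
    "host/replica.example.test@EXAMPLE.TEST: cert_request(u'MII...MJUs6', "
    "profile_id=u'caIPAserviceCert', principal=u'ldap/replica.example.test@EXAMPLE.TEST', "
    "add=True, version=u'2.51'): CertificateOperationError",
    "[Thu Feb 08 07:05:09.000002 2018] [:error] [pid 9337] ipa: INFO: [xmlserver] "
    "host/replica.example.test@EXAMPLE.TEST: cert_request(u'MII...Qx9k2', "
    "profile_id=u'caIPAserviceCert', principal=u'HTTP/replica.example.test@EXAMPLE.TEST', "
    "add=True, version=u'2.51'): SUCCESS",
    "[Thu Feb 08 07:05:10.000003 2018] [:error] [pid 9338] ipa: INFO: "
    "[jsonserver_session] admin@EXAMPLE.TEST: ping(): SUCCESS",
]


def failed_cert_requests(lines):
    """Return one dict per cert_request call whose result is not SUCCESS."""
    failures = []
    for line in lines:
        m = CERT_REQUEST.match(line.strip())
        if not m or m.group("result") == "SUCCESS":
            continue  # not a cert_request entry, or the certificate was issued
        kwargs = dict(KWARG.findall(m.group("args")))
        failures.append({
            "date": m.group("date"),
            "caller": m.group("caller"),
            "principal": kwargs.get("principal"),
            "profile_id": kwargs.get("profile_id"),
            "result": m.group("result"),
        })
    return failures


if __name__ == "__main__":
    for f in failed_cert_requests(SAMPLE_LOG):
        print("{date}  {principal}  ({profile_id})  ->  {result}".format(**f))
```

To run it against a real log on the master, pass the open file instead of SAMPLE_LOG, for example failed_cert_requests(open("/var/log/httpd/error_log")).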