I finally got this working.  However I am wondering if anyone has worked with 
split-horizon zones in R53?   I have a zone in R53 that will have a private and 
public view.  I want to forward all requests for all zones to R53.  From what I 
understand if you set this up right, it always looks at the private or internal 
zone first and then moves to the external if the record is not found.  I have 
my DNS servers in /etc/resolv.conf set up to hit the DNS server on FreeIPA.  I 
have set up zone forwarders/conditional forwarders to point to the DNS 
resolver of the private subnet within my AWS EC2 VPC, but it's not forwarding 
the info on to R53 it seems.  When I do a dig zone +trace it is still looking 
at the external name servers.  The TTL on the zone and records is 300. 
I suspect that my DNS configuration needs some tweaking (not at the conf file 
level).  But I was just wondering if anyone else has done something similar?

On Thursday, February 8, 2018 3:28 PM, Rob Crittenden via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:

Andrew Meyer wrote:
> Ok, I launched a new instance using 1CPU x 2GB.  I got further.  And
> then all of a sudden the promotion script killed itself?
> 
> Done configuring ipa-custodia.
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
>   [1/27]: creating certificate server db
>   [2/27]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 5 seconds elapsed
> Update succeeded
> 
>   [3/27]: creating installation admin user
>   [4/27]: configuring certificate server instance
>   [5/27]: exporting Dogtag certificate store pin
>   [6/27]: stopping certificate server instance to update CS.cfg
>   [7/27]: backing up CS.cfg
>   [8/27]: disabling nonces
>   [9/27]: set up CRL publishing
>   [10/27]: enable PKIX certificate path discovery and validation
>   [11/27]: destroying installation admin user
>   [12/27]: starting certificate server instance
>   [13/27]: configure certmonger for renewals
>   [14/27]: Importing RA key
>   [15/27]: setting up signing cert profile
>   [16/27]: setting audit signing renewal to 2 years
>   [17/27]: restarting certificate server
> Killed
> 
> This is what is in the ipareplica-install.log.  It looks like it worked
> but for some reason killed itself?

It wouldn't kill itself. I'd check the system messages. I'm guessing OOM
killer.

rob

> 
> 2018-02-08T20:32:24Z DEBUG Starting external process
> 2018-02-08T20:32:24Z DEBUG args=/usr/bin/openssl pkcs12 -in
> /tmp/tmpTxzHP7 -nocerts -nodes -out /var/lib/ipa/ra-agent.key -passin
> pass:XXXXXXXX
> 2018-02-08T20:32:24Z DEBUG Process finished, return code=0
> 2018-02-08T20:32:24Z DEBUG stdout=
> 2018-02-08T20:32:24Z DEBUG stderr=MAC verified OK
> 
> 2018-02-08T20:32:24Z DEBUG Starting external process
> 2018-02-08T20:32:24Z DEBUG args=/usr/sbin/selinuxenabled
> 2018-02-08T20:32:24Z DEBUG Process finished, return code=1
> 2018-02-08T20:32:24Z DEBUG stdout=
> 2018-02-08T20:32:24Z DEBUG stderr=
> 2018-02-08T20:32:24Z DEBUG Starting external process
> 2018-02-08T20:32:24Z DEBUG args=/usr/sbin/selinuxenabled
> 2018-02-08T20:32:24Z DEBUG Process finished, return code=1
> 2018-02-08T20:32:24Z DEBUG stdout=
> 2018-02-08T20:32:24Z DEBUG stderr=
> 2018-02-08T20:32:25Z DEBUG   duration: 2 seconds
> 2018-02-08T20:32:25Z DEBUG   [15/27]: setting up signing cert profile
> 2018-02-08T20:32:25Z DEBUG   duration: 0 seconds
> 2018-02-08T20:32:25Z DEBUG   [16/27]: setting audit signing renewal to 2
> years
> 2018-02-08T20:32:25Z DEBUG caSignedLogCert.cfg profile validity range is 720
> 2018-02-08T20:32:25Z DEBUG   duration: 0 seconds
> 2018-02-08T20:32:25Z DEBUG   [17/27]: restarting certificate server
> 2018-02-08T20:32:25Z DEBUG Starting external process
> 2018-02-08T20:32:25Z DEBUG args=/bin/systemctl restart
> pki-tomcatd@pki-tomcat.service
> 2018-02-08T20:32:39Z DEBUG Process finished, return code=0
> 2018-02-08T20:32:39Z DEBUG stdout=
> 2018-02-08T20:32:39Z DEBUG stderr=
> 2018-02-08T20:32:39Z DEBUG Starting external process
> 2018-02-08T20:32:39Z DEBUG args=/bin/systemctl is-active
> pki-tomcatd@pki-tomcat.service
> 2018-02-08T20:32:39Z DEBUG Process finished, return code=0
> 2018-02-08T20:32:39Z DEBUG stdout=active
> 
> 2018-02-08T20:32:39Z DEBUG stderr=
> 2018-02-08T20:32:39Z DEBUG wait_for_open_ports: localhost [8080, 8443]
> timeout 300
> 2018-02-08T20:32:39Z DEBUG waiting for port: 8080
> 2018-02-08T20:32:39Z DEBUG Failed to connect to port 8080 tcp on 127.0.0.1
> 2018-02-08T20:32:54Z DEBUG SUCCESS: port: 8080
> 2018-02-08T20:32:54Z DEBUG waiting for port: 8443
> 2018-02-08T20:32:54Z DEBUG Failed to connect to port 8443 tcp on 127.0.0.1
> 2018-02-08T20:32:57Z DEBUG SUCCESS: port: 8443
> 2018-02-08T20:32:57Z DEBUG Waiting until the CA is running
> 2018-02-08T20:32:57Z DEBUG request POST
> http://infra-freeipa01-aws.gatewayblend.net:8080/ca/admin/ca/getStatus
> 2018-02-08T20:32:57Z DEBUG request body ''
>  
> 
> 
> On Thursday, February 8, 2018 11:29 AM, Andrew Meyer via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org> wrote:
> 
> 
> That's what I thought.  Thank you for confirming that!
> 
> 
> On Thursday, February 8, 2018 11:26 AM, Rob Crittenden via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org> wrote:
> 
> 
> Andrew Meyer via FreeIPA-users wrote:
>> Ok, I got further this time.  Now I am getting this error:
>>
>>   [2/27]: setting up initial replication
>> Starting replication, please wait until this has completed.
>> Update in progress, 5 seconds elapsed
>> Update succeeded
>>
>>   [3/27]: creating installation admin user
>>   [4/27]: configuring certificate server instance
>>   [error] OSError: [Errno 12] Cannot allocate memory
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
>> ERROR    [Errno 12] Cannot allocate memory
>> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
>> ERROR    The ipa-replica-install command failed. See
>> /var/log/ipareplica-install.log for more information
> 
> How much RAM does your instance have? You need 2GB minimum.
> 
> rob
> 
>>
>>
>> On Thursday, February 8, 2018 8:01 AM, Andrew Meyer via FreeIPA-users
>> <freeipa-users@lists.fedorahosted.org> wrote:
>>
>>
>> Thank you, I also did some digging and found that there is a bug
>> directly related to this in version 4.5.2, which is what I'm running.
>> Apparently it is fixed in 4.6.3 but it hasn't reached the CentOS 7 EPEL repo.
>>
>>
>> On Thursday, February 8, 2018 7:29 AM, Florence Blanc-Renaud via
>> FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>>
>>
>> On 02/07/2018 10:53 PM, Andrew Meyer via FreeIPA-users wrote:
>>> I just got FreeIPA added as a client and then I tried to promote it as
>> a replica.  I got the following error:
>>>
>>> Done configuring kadmin.
>>> Configuring directory server (dirsrv)
>>> [1/3]: configuring TLS for DS instance
>>> [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>
>>> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
>> ERROR    Certificate issuance failed (CA_REJECTED)
>>> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
>> ERROR    The ipa-replica-install command failed. See
>> /var/log/ipareplica-install.log for more information
>>> [ec2-user@freeipa-replica-aws ~]$
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>>>
>> Hi,
>>
>> During a replication installation, the replica will use certmonger to
>> request certificates for 389-ds and httpd. Then certmonger (on the
>> replica-to-be) contacts a FreeIPA master with a cert_request command,
>> and the master communicates with Dogtag to issue the certificate.
>>
>> When this fails, you may get more information with the following commands:
>> - on the client that you try to promote: sudo getcert list
>> It may contain an error message with an explanation.
>>
>> - on the FreeIPA master, check the logs in /var/log/httpd/error_log.
>> They should contain some lines like:
>>
>> [...date...] [:error] [pid 9337] ipa: INFO: [xmlserver]
>> host/vm-replica.ipadomain....@ipadomain.com:
>> cert_request(u'MII...MJUs6', profile_id=u'caIPAserviceCert',
>> principal=u'ldap/replica.ipadomain....@ipadomain.com', add=True,
>> version=u'2.51'): XXX
>>
>> where XXX will contain the reason for the failure. The PKI logs in
>> /var/log/pki/pki-tomcat/ on the master may also help diagnose.
>>
>> HTH,
>> Flo
>>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
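Rob's advice in the thread is to check the system messages for the OOM killer; the quoted ipareplica-install.log shows which installer step was in flight when the process died. As an added example (not from the thread or from the FreeIPA project), this Python helper parses that log format and reports the last step started, whether its "duration:" line ever appeared, and any error lines; the sample is a constructed excerpt of the quoted log.

```python
import re
from typing import Dict, List

# Constructed excerpt in the ipareplica-install.log format quoted in the
# thread; the step names and timestamps are copied from the messages above.
SAMPLE_LOG = """\
2018-02-08T20:32:25Z DEBUG   [15/27]: setting up signing cert profile
2018-02-08T20:32:25Z DEBUG   duration: 0 seconds
2018-02-08T20:32:25Z DEBUG   [16/27]: setting audit signing renewal to 2 years
2018-02-08T20:32:25Z DEBUG caSignedLogCert.cfg profile validity range is 720
2018-02-08T20:32:25Z DEBUG   duration: 0 seconds
2018-02-08T20:32:25Z DEBUG   [17/27]: restarting certificate server
2018-02-08T20:32:25Z DEBUG args=/bin/systemctl restart pki-tomcatd@pki-tomcat.service
2018-02-08T20:32:57Z DEBUG Waiting until the CA is running
"""

STEP_RE = re.compile(r"^(\S+) DEBUG\s+\[(\d+)/(\d+)\]: (.*)$")
DURATION_RE = re.compile(r"^\S+ DEBUG\s+duration: (\d+) seconds$")

def parse_install_log(text: str) -> Dict[str, object]:
    """Collect steps, mark each finished when its 'duration:' line appears."""
    steps: List[dict] = []
    errors: List[str] = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append({"ts": m.group(1), "index": int(m.group(2)),
                          "total": int(m.group(3)), "name": m.group(4).strip(),
                          "duration": None})  # filled in when the step ends
            continue
        m = DURATION_RE.match(line)
        if m and steps:
            steps[-1]["duration"] = int(m.group(1))
            continue
        if " ERROR " in line or "[error]" in line:
            errors.append(line.strip())
    last = steps[-1] if steps else None
    # No duration on the last step: the installer died (or is still running) inside it.
    return {"steps": steps, "last_step": last, "errors": errors,
            "last_completed": bool(last and last["duration"] is not None)}

def summarize(text: str) -> str:
    r = parse_install_log(text)
    last = r["last_step"]
    if last is None:
        return "no installer steps found"
    state = "completed" if r["last_completed"] else "did not complete"
    return (f"step [{last['index']}/{last['total']}] {last['name']} {state}; "
            f"{len(r['errors'])} error line(s)")
```

Run it against the real /var/log/ipareplica-install.log after a "Killed" and pair the reported step with the kernel log (journalctl -k) around the same timestamp to confirm an OOM kill rather than an installer error.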