Hi Aaron,

Can you please provide the contents of /var/log/pki/pki-ca-spawn.20180802044015.log and /var/log/pki/pki-tomcat/ca/debug from both the replica (if it exists) and the master?

Thanks,
Fraser

On Thu, Aug 02, 2018 at 05:03:54PM +1200, Aaron Hicks via FreeIPA-users wrote:
> Hello the List,
>
> I'm successfully replicating IPA and DNS across two sites, however when I try and replicate CA it fails:
>
> [root@ipa01 pki]# ipa-ca-install
> Directory Manager (existing master) password:
>
> Run connection check to master
> Connection check OK
> /usr/lib/python2.7/site-packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
> SecurityWarning
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
> [1/25]: creating certificate server db
> [2/25]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 5 seconds elapsed
> Update succeeded
>
> [3/25]: creating installation admin user
> [4/25]: configuring certificate server instance
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpaJdg1W' returned non-zero exit status 1
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
> [error] RuntimeError: CA configuration failed.
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> CA configuration failed.
>
> When I check the logs in /var/log/ipareplica-ca-install.log
>
> <snip all good>
> 2018-08-02T04:40:15Z DEBUG Starting external process
> 2018-08-02T04:40:15Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpaJdg1W
> 2018-08-02T04:45:31Z DEBUG Process finished, return code=1
> 2018-08-02T04:45:31Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20180802044015.log
> Loading deployment configuration from /tmp/tmpaJdg1W.
> WARNING: The 'pki_ssl_server_nickname' in [CA] has been deprecated. Use 'pki_sslserver_nickname' instead.
> WARNING: The 'pki_ssl_server_subject_dn' in [CA] has been deprecated. Use 'pki_sslserver_subject_dn' instead.
> Installing CA into /var/lib/pki/pki-tomcat.
> Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
> Importing certificates from /tmp/ca.p12:
> <snip a certificate>
> Installation failed:
>
> Please check the CA logs in q.
>
> 2018-08-02T04:45:31Z DEBUG stderr=
> 2018-08-02T04:45:31Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpaJdg1W
> ' returned non-zero exit status 1
> 2018-08-02T04:45:31Z CRITICAL See the installation logs and the following files/directories for more information:
> 2018-08-02T04:45:31Z CRITICAL /var/log/pki/pki-tomcat
> 2018-08-02T04:45:31Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
>     method()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 616, in __spawn_instance
>     self.tmp_agent_pwd)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 148, in spawn_instance
>     self.handle_setup_error(e)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 386, in handle_setup_error
>     raise RuntimeError("%s configuration failed." % self.subsystem)
> RuntimeError: CA configuration failed.
>
> 2018-08-02T04:45:31Z DEBUG [error] RuntimeError: CA configuration failed.
> 2018-08-02T04:45:31Z DEBUG File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 998, in run_script
>     return_value = main_function()
>
>   File "/sbin/ipa-ca-install", line 309, in main
>     promote(safe_options, options, filename)
>
>   File "/sbin/ipa-ca-install", line 277, in promote
>     install_replica(safe_options, options, filename)
>
>   File "/sbin/ipa-ca-install", line 207, in install_replica
>     ca.install(True, config, options, custodia=custodia)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 202, in install
>     install_step_0(standalone, replica_config, options, custodia=custodia)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 279, in install_step_0
>     use_ldaps=standalone)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 448, in configure_instance
>     self.start_creation(runtime=runtime)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
>     run_step(full_msg, method)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
>     method()
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 616, in __spawn_instance
>     self.tmp_agent_pwd)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 148, in spawn_instance
>     self.handle_setup_error(e)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 386, in handle_setup_error
>     raise RuntimeError("%s configuration failed." % self.subsystem)
>
> 2018-08-02T04:45:31Z DEBUG The ipa-ca-install command failed, exception: RuntimeError: CA configuration failed.
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/QJOK7T4BHOBDRSCX6GH2W6PW2QRUI6ZI/
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/3CTYECVVGEEQFTE5C3HX4LCWOF5AJPAN/