OK... I followed your advice and deleted the "old" files.
Then I ran ipa-pkinit-manage enable and got this output:
[root@ipa-replica ~]# rm /var/kerberos/krb5kdc/kdc.crt
rm: reguläre Datei '/var/kerberos/krb5kdc/kdc.crt' entfernen? y
[root@ipa-replica ~]# rm /var/kerberos/krb5kdc/kdc.key
rm: reguläre Datei '/var/kerberos/krb5kdc/kdc.key' entfernen? y
[root@ipa-replica ~]# ipa-pkinit-manage enable
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
PKINIT certificate request failed: Certificate issuance failed (CA_UNREACHABLE: 
Error 7 connecting to 
https://ipa-replica.biszumbitterenen.de:8443/ca/ee/ca/profileSubmitSSLClient: 
Couldn't connect to server.)
Failed to configure PKINIT
Full PKINIT configuration did not succeed
The setup will only install bits essential to the server functionality
You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
Done configuring Kerberos KDC (krb5kdc).
The ipa-pkinit-manage command was successful

The relevant logfile shows this:
[root@ipa-replica ~]# tail /var/log/krb5kdc.log
Dez 03 09:01:46 ipa-replica.biszumbitterenen.de krb5kdc[2523](Information): 
Dateideskriptor 8 wird geschlossen
Dez 03 09:01:46 ipa-replica.biszumbitterenen.de krb5kdc[2523](Information): 
Dateideskriptor 7 wird geschlossen
Dez 03 09:01:46 ipa-replica.biszumbitterenen.de krb5kdc[2525](Information): 
Aktion wird begonnen
Dez 03 09:01:46 ipa-replica.biszumbitterenen.de krb5kdc[2524](Information): 
Aktion wird begonnen
Dez 03 09:08:48 ipa-replica.biszumbitterenen.de krb5kdc[2524](Information): 
AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.100.201: NEEDED_PREAUTH: 
host/ipa-replica.biszumbitterenen...@biszumbitterenen.de für 
krbtgt/biszumbitterenen...@biszumbitterenen.de, zusätzlich Vorauthentifizierung 
erforderlich
Dez 03 09:08:48 ipa-replica.biszumbitterenen.de krb5kdc[2524](Information): 
Dateideskriptor 11 wird geschlossen
Dez 03 09:08:48 ipa-replica.biszumbitterenen.de krb5kdc[2524](Information): 
AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.100.201: ISSUE: authtime 
1543824528, etypes {rep=18 tkt=18 ses=18}, 
host/ipa-replica.biszumbitterenen...@biszumbitterenen.de for 
krbtgt/biszumbitterenen...@biszumbitterenen.de
Dez 03 09:08:48 ipa-replica.biszumbitterenen.de krb5kdc[2524](Information): 
Dateideskriptor 11 wird geschlossen
Dez 03 09:08:48 ipa-replica.biszumbitterenen.de krb5kdc[2524](Information): 
TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.100.201: ISSUE: authtime 
1543824528, etypes {rep=18 tkt=18 ses=18}, 
host/ipa-replica.biszumbitterenen...@biszumbitterenen.de for 
ldap/ipa-replica.biszumbitterenen...@biszumbitterenen.de
Dez 03 09:08:48 ipa-replica.biszumbitterenen.de krb5kdc[2524](Information): 
Dateideskriptor 11 wird geschlossen


What is causing this error?

THX