Hi,

Thanks for taking a look at this.

'IDM domain replication group'. I mean it is the "Topology suffix" to connect two replicas. The "Domain" suffix works for host2; it can receive and send updates with host1. The "CA" suffix failed during install:

###
Imported certificates into /etc/pki/pki-tomcat/alias:

Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca            CTu,Cu,Cu
auditSigningCert cert-pki-ca         u,u,Pu
ocspSigningCert cert-pki-ca          u,u,u
subsystemCert cert-pki-ca            u,u,u

Installation failed: server failed to restart

2020-03-23T14:33:18Z DEBUG stderr=pkispawn :ERROR ... server failed to restart
2020-03-23T14:33:18Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpV8jHPQ' returned non-zero exit status 1
2020-03-23T14:33:18Z CRITICAL See the installation logs and the following files/directories for more information:
2020-03-23T14:33:18Z CRITICAL /var/log/pki/pki-tomcat
2020-03-23T14:33:18Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 567, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 557, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 675, in __spawn_instance
    pki_pin)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 167, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 407, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

2020-03-23T14:33:18Z DEBUG [error] RuntimeError: CA configuration failed.
2020-03-23T14:33:18Z DEBUG
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 1015, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-ca-install", line 341, in main
    promote(safe_options, options, filename)
  File "/usr/sbin/ipa-ca-install", line 309, in promote
    install_replica(safe_options, options, filename)
  File "/usr/sbin/ipa-ca-install", line 233, in install_replica
    ca.install(True, config, options, custodia=custodia)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 254, in install
    install_step_0(standalone, replica_config, options, custodia=custodia)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 334, in install_step_0
    use_ldaps=standalone)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 490, in configure_instance
    self.start_creation(runtime=runtime)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 567, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 557, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 675, in __spawn_instance
    pki_pin)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 167, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 407, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)

2020-03-23T14:33:18Z DEBUG The ipa-ca-install command failed, exception: RuntimeError: CA configuration failed.
###

On Tuesday, April 7, 2020, 02:38:35 AM EDT, Alexander Bokovoy <aboko...@redhat.com> wrote:

On Mon, 06 Apr 2020, askstack--- via FreeIPA-users wrote:
>Hi
>
>IDM domain: "fist.domain"
>Host name: host1.first.domain
>           host2.second.domain
>I was able to run "ipa-client-install" on host2 and promoted it to a domain
>replica. After I verified domain replication was working, I tried to run
>ipa-ca-install. It failed on host2.
>Redhat support said host1 and host2 are on two different dns domains so
>replication is not supported. I am not sure that is the case since two hosts
>are in the same and only IDM domain replication group.
>Is redhat support correct?

I think there are not enough details in your request to answer that question. I also don't know what you mean by 'IDM domain replication group'. In particular, what are the errors you are seeing, exactly?

If you have a case open, please share the number and communicate within the case, not with an anonymous account on a public mailing list.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland