Hi,

this error is also a known issue, #8865 <https://pagure.io/freeipa/issue/8865> [Tracker] ipa-replica-install fails on 2nd run (f35+) / #3544 <https://github.com/dogtagpki/pki/issues/3544> ipa-replica-install fails to reinstall a replica (rawhide). It's been fixed with pki updates 11.1.0-0.1.alpha1 and 11.0.2-1.fc35 on Fedora.

The workaround is to manually delete the entry uid=CA-<replica fqdn>-8443,ou=People,o=ipaca before calling ipa-replica-install, for instance with:

    # ldapdelete -D "cn=Directory Manager" -w $PWD uid=CA-replica1.ipa.test-8443,ou=People,o=ipaca

You will need to do the whole process with ipa server-del / ipa-server-install --uninstall etc...

HTH,
flo

On Fri, Jan 28, 2022 at 7:07 PM Brian J. Murrell <[email protected]> wrote:
> On Fri, 2022-01-28 at 16:02 +0100, Florence Blanc-Renaud wrote:
> > Hi,
> > you can do
> > (on another server)
> > $ ipa server-del --force server.example.com
>
> # ipa server-del --force server.example.com
> Removing server.example.com from replication topology, please wait...
> ipa: WARNING: Forcing removal of server.example.com
> ipa: WARNING: Failed to cleanup server.example.com DNS entries: no matching entry found
> ipa: WARNING: You may need to manually remove them from the tree
> ipa: WARNING: Server has already been deleted
> -------------------------------------------
> Deleted IPA server "server.example.com"
> -------------------------------------------
>
> > This should clean up all references to server.example.com
>
> Hopefully it did. :-)
>
> > (on server.example.com)
> > $ ipa-client-install --uninstall -U
> > $ kdestroy -A
> > $ ipa-client-install ...
> > $ kinit admin
> > $ ipa-replica-install ...
>
> This has now gotten as far as:
>
> # ipa-replica-install --setup-ca --ip-address 10.75.22.247 --setup-dns --no-forwarders
> ...
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
> [1/29]: creating certificate server db
> [2/29]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 12 seconds elapsed
> Update succeeded
>
> [3/29]: creating ACIs for admin
> [4/29]: creating installation admin user
> [5/29]: configuring certificate server instance
> Failed to configure CA instance
> See the installation logs and the following files/directories for more information:
> /var/log/pki/pki-tomcat
> [error] RuntimeError: CA configuration failed.
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> CA configuration failed.
> The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>
> At the end of /var/log/ipareplica-install.log is the error:
>
> com.netscape.certsrv.base.ConflictingOperationException: Entry already exists.
>   at com.netscape.certsrv.ldap.LDAPExceptionConverter.toPKIException(LDAPExceptionConverter.java:45)
>   at com.netscape.cmscore.usrgrp.UGSubsystem.addUser(UGSubsystem.java:720)
>   at org.dogtagpki.server.cli.SubsystemUserAddCLI.execute(SubsystemUserAddCLI.java:180)
>   at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
>   at org.dogtagpki.cli.CLI.execute(CLI.java:357)
>   at org.dogtagpki.cli.CLI.execute(CLI.java:357)
>   at org.dogtagpki.cli.CLI.execute(CLI.java:357)
>   at org.dogtagpki.server.cli.PKIServerCLI.execute(PKIServerCLI.java:93)
>   at org.dogtagpki.server.cli.PKIServerCLI.main(PKIServerCLI.java:123)
> Caused by: netscape.ldap.LDAPException: error result (68); Already exists
>   at netscape.ldap.LDAPConnection.checkMsg(Unknown Source)
>   at netscape.ldap.LDAPConnection.add(Unknown Source)
>   at netscape.ldap.LDAPConnection.add(Unknown Source)
>   at netscape.ldap.LDAPConnection.add(Unknown Source)
>   at com.netscape.cmscore.usrgrp.UGSubsystem.addUser(UGSubsystem.java:717)
>   ... 7 more
>
> CalledProcessError: Command '['/usr/sbin/runuser', '-u', 'pkiuser', '--',
> '/usr/lib/jvm/jre-1.8.0-openjdk/bin/java', '-classpath',
> '/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/tomcat-servlet-api.jar:/usr/share/pki/ca/webapps/ca/WEB-INF/lib/*:/var/lib/pki/pki-tomcat/common/lib/*:/usr/share/pki/lib/*',
> '-Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory',
> '-Dcatalina.base=/var/lib/pki/pki-tomcat',
> '-Dcatalina.home=/usr/share/tomcat', '-Djava.endorsed.dirs=',
> '-Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp',
> '-Djava.util.logging.config.file=/etc/pki/pki-tomcat/logging.properties',
> '-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager',
> '-Dcom.redhat.fips=false', 'org.dogtagpki.server.cli.PKIServerCLI',
> 'ca-user-add', '--full-name', 'CA-server.example.com-8443', '--type',
> 'agentType', '--state', '1', '--debug', 'CA-server.example.com-8443']'
> returned non-zero exit status 255.
>   File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 575, in main
>     scriptlet.spawn(deployer)
>   File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 740, in spawn
>     deployer.setup_subsystem_user(instance, subsystem, system_certs['subsystem'])
>   File "/usr/lib/python3.6/site-packages/pki/server/deployment/__init__.py", line 1040, in setup_subsystem_user
>     state='1')
>   File "/usr/lib/python3.6/site-packages/pki/server/subsystem.py", line 1521, in add_user
>     capture_output=True)
>   File "/usr/lib/python3.6/site-packages/pki/server/subsystem.py", line 1653, in run
>     check=True)
>   File "/usr/lib64/python3.6/subprocess.py", line 438, in run
>     output=stdout, stderr=stderr)
>
> 2022-01-28T17:44:16Z CRITICAL Failed to configure CA instance
>
> So while a lot further than before, it still fails, but much later in the install.
>
> Any ideas on this new development?
>
> Cheers,
> b.
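As an added example that is not part of this thread or of FreeIPA/Dogtag, a small pre-flight helper for the workaround described above: it derives the uid=CA-<fqdn>-8443,ou=People,o=ipaca DN from the replica FQDN, checks with a base-scope search whether the leftover entry really exists, and deletes only that entry, so it can be run safely before every ipa-replica-install. It assumes openldap-clients (ldapsearch/ldapdelete) and reads the Directory Manager password from a file named in DM_PWFILE (both assumptions) instead of passing it with -w on the command line.

```shell
#!/bin/sh
# Added example, not code from the thread or the FreeIPA project.
# Pre-flight cleanup for the "Entry already exists" (LDAP result 68)
# failure seen above: remove the stale CA subsystem user of the replica
# being reinstalled, and nothing else. Assumes openldap-clients and a
# Directory Manager password file (assumption: its path is in $DM_PWFILE).

# Build the DN of the CA subsystem user for a replica FQDN
# (pattern from the thread: uid=CA-<fqdn>-8443,ou=People,o=ipaca).
ca_user_dn() {
    printf 'uid=CA-%s-8443,ou=People,o=ipaca\n' "$1"
}

# Succeed (exit 0) if the LDIF on stdin contains a "dn:" line for exactly
# this DN. Whole-line, fixed-string, case-insensitive match, so a server
# that returns the DN with different attribute-name casing still matches.
ldif_has_dn() {
    grep -qixF -- "dn: $1"
}

# Look the entry up with a base-scope search (attribute list 1.1 = return
# no attributes, only the dn line) and delete it only when it is really
# there. Idempotent: re-running it on a clean directory does nothing.
clean_stale_ca_user() {
    fqdn=$1
    dn=$(ca_user_dn "$fqdn")
    if ldapsearch -LLL -x -D "cn=Directory Manager" -y "$DM_PWFILE" \
            -b "$dn" -s base 1.1 2>/dev/null | ldif_has_dn "$dn"; then
        echo "stale entry found, deleting: $dn"
        ldapdelete -x -D "cn=Directory Manager" -y "$DM_PWFILE" "$dn"
    else
        echo "no stale CA user entry for $fqdn; nothing to do"
    fi
}

# Usage (on a remaining CA master, before ipa-replica-install on the replica):
#   DM_PWFILE=/root/.dmpw ./clean_stale_ca_user.sh replica1.ipa.test
if [ -n "${1:-}" ]; then
    clean_stale_ca_user "$1"
fi
```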
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
