Hi Flo,

Thanks, I was able to resolve the issue by following your feedback. It was a time sync issue between the IPA master and the new IPA replica.

Moving further, I would like to check with you on the recommended path for upgrading IPA from CentOS 7.9 (IPA v4.6) to Alma Linux 8.6. Can we directly add a Linux 8.6 replica to the existing CentOS 7.9 IPA master, then promote it to the CA certificate renewal node and decommission the older version?

Thanks & Regards,
Dushyant

On Fri, Nov 25, 2022 at 9:01 AM Florence Blanc-Renaud <[email protected]> wrote:
> Hi,
>
> please keep the list in copy as the resolution steps can often help other
> users.
>
> On Fri, Nov 25, 2022 at 4:55 PM Dushyant Khobragade <[email protected]> wrote:
>
>> Hi Flo,
>> Thank you for your response.
>> I could see the below logs in /var/log/ipareplica-install.log
>> <<Truncated>>
>> 2022-11-25T15:43:46Z DEBUG certmonger request is in state 'GENERATING_KEY_PAIR'
>> 2022-11-25T15:43:46Z DEBUG certmonger request is in state 'SUBMITTING'
>> 2022-11-25T15:44:11Z DEBUG certmonger request is in state 'CA_UNREACHABLE'
>> 2022-11-25T15:44:11Z DEBUG Cert request 20221125154346 failed: CA_UNREACHABLE (Server at https://innsv01p1.mylab.domain/ipa/json failed request, will retry: 4001 (The service principal for subject alt name ipa-ca.mylab.domain in certificate request does not exist).)
>
> Is IPA configured as DNS server? You can check with
> # ipa config-show | grep DNS
>   IPA DNS servers: fedora36.ipa.test
>
> If there is at least one server in the IPA DNS servers list, then IPA is
> configured as DNS server. It should contain a DNS record for
> ipa-ca.mylab.domain with the IP addresses of all the CA servers:
> # ipa dnsrecord-show mylab.domain ipa-ca
>   Record name: ipa-ca
>   A record: xxx.xxx.xxx.xxx
>
> If you are using an external DNS server, make sure that there is an A
> record for ipa-ca. You can generate an update file using
> # ipa dns-update-system-records --dry-run
>
>> 2022-11-25T15:44:11Z DEBUG Giving up on cert request 20221125154346
>> 2022-11-25T15:44:11Z DEBUG certmonger request is in state 'GENERATING_CSR'
>> 2022-11-25T15:44:12Z DEBUG certmonger request is in state 'SUBMITTING'
>> 2022-11-25T15:44:13Z DEBUG certmonger request is in state 'POST_SAVED_CERT'
>> 2022-11-25T15:44:14Z DEBUG certmonger request is in state 'MONITORING'
>> 2022-11-25T15:44:14Z DEBUG Cert request 20221125154411 was successful
>> <<Truncated>>
>> ldap.SERVER_DOWN: {'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': [], 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (certificate is not yet valid)'}
>> 2022-11-25T15:45:40Z CRITICAL Failed to configure CA instance
>
> It's not clear if this error or the previous one is the root cause, but
> the content of /var/log/pki/pki-ca-spawn.<date>.log on the replica may give
> some hints.
> *Certificate not yet valid* would strongly suggest that the dates are not
> in sync on the master and the replica.
>
> flo
>
>> 2022-11-25T15:45:40Z CRITICAL See the installation logs and the following files/directories for more information:
>> 2022-11-25T15:45:40Z CRITICAL /var/log/pki/pki-tomcat
>> 2022-11-25T15:45:40Z DEBUG Traceback (most recent call last):
>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
>>     run_step(full_msg, method)
>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
>>     method()
>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 627, in __spawn_instance
>>     nolog_list=nolog_list
>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
>>     self.handle_setup_error(e)
>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 606, in handle_setup_error
>>     ) from None
>> RuntimeError: CA configuration failed.
>> 2022-11-25T15:45:40Z DEBUG   [error] RuntimeError: CA configuration failed.
>> 2022-11-25T15:45:40Z DEBUG Removing /root/.dogtag/pki-tomcat/ca
>> <<Truncated>>
>>
>> Thanks & Regards,
>> Dushyant
>>
>> On Fri, Nov 25, 2022 at 7:18 AM Florence Blanc-Renaud <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> On Fri, Nov 25, 2022 at 3:59 PM dushyant k via FreeIPA-users <[email protected]> wrote:
>>>
>>>> I am trying to add a new replica, CentOS 8 IPA v4.7, to my existing CentOS 7 IPA cluster, which has IPA version 4.6.
>>>>
>>>> I am able to add the CentOS 8 replica as an IPA client; however, adding it as a replica with setup-ca is failing.
>>>
>>> Please provide the logs from the failing replica (/var/log/ipareplica-install.log).
>>>
>>>> Also it would be great if anyone can provide documents on migrating IPA to CentOS 8 from CentOS 7.
>>>
>>> The doc is available here:
>>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/migrating_to_identity_management_on_rhel_8/migrate-7-to-8_migrating
>>>
>>> HTH,
>>> flo
>>>
>>>> _______________________________________________
>>>> FreeIPA-users mailing list -- [email protected]
>>>> To unsubscribe send an email to [email protected]
>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
>>>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
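The two checks Flo recommends in the thread (an ipa-ca A record covering every CA server, and clocks in sync between master and replica) written up as an added Python helper. This is example code, not part of the thread and not FreeIPA's own code: it scans a constructed excerpt in the format of /var/log/ipareplica-install.log for the two failure signatures quoted above and compares the A records published for ipa-ca with the addresses of the CA servers. The hostnames, IP addresses, log excerpt and function names are all constructed for the demonstration; in a real run you would feed it the actual log file and the output of `ipa dnsrecord-show <domain> ipa-ca`.

```python
"""Pre-flight / post-mortem helper for a FreeIPA replica install with --setup-ca.

Two checks that correspond to the advice in the thread above:
  1. scan ipareplica-install.log for the two failure signatures
     (missing ipa-ca DNS record, clock skew between master and replica);
  2. compare the A records published for ipa-ca.<domain> with the IP
     addresses of every CA server and report what is missing or stale.

Added example, not FreeIPA code. Hostnames, IPs and log lines are constructed.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Signature 1: the CA refuses the CSR because no service principal matches the
# ipa-ca SAN. In the thread this was caused by the ipa-ca A record being absent.
_SAN_MISSING = re.compile(
    r"service principal for subject alt name (?P<san>.+?) in certificate request does not exist"
)
# Signature 2: TLS rejects the freshly issued certificate as not yet valid,
# i.e. the replica's clock is behind the CA that signed it.
_NOT_YET_VALID = re.compile(r"certificate is not yet valid")
# certmonger state transitions, handy to see where a request stalled.
_CERTMONGER_STATE = re.compile(
    r"^\S+ DEBUG certmonger request is in state '(?P<state>[A-Z_]+)'"
)


def diagnose_replica_log(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (finding, evidence) pairs for the known failure signatures."""
    findings: List[Tuple[str, str]] = []
    for line in lines:
        m = _SAN_MISSING.search(line)
        if m:
            # Mail clients sometimes wrap the SAN ("ipa-ca. mylab.domain"); normalise it.
            findings.append(("ipa-ca-dns-record-missing", m.group("san").replace(" ", "")))
        if _NOT_YET_VALID.search(line):
            findings.append(("clock-skew", line.strip()))
    return findings


def certmonger_states(lines: Iterable[str]) -> List[str]:
    """Extract the ordered list of certmonger request states from the log."""
    states: List[str] = []
    for line in lines:
        m = _CERTMONGER_STATE.match(line.strip())
        if m:
            states.append(m.group("state"))
    return states


def check_ipa_ca_record(published_a_records: Iterable[str],
                        ca_servers: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the ipa-ca A records with the addresses of all CA-enabled servers.

    published_a_records: what DNS currently returns for ipa-ca.<domain>.
    ca_servers: hostname -> IP for every server that runs a CA.
    Returns the IPs that should be published but are not ('missing') and the
    published IPs that no longer belong to a CA server ('stale').
    """
    published = set(published_a_records)
    expected = set(ca_servers.values())
    return {"missing": sorted(expected - published), "stale": sorted(published - expected)}


# Constructed excerpt in the format of /var/log/ipareplica-install.log.
SAMPLE_LOG = """\
2022-11-25T15:43:46Z DEBUG certmonger request is in state 'GENERATING_KEY_PAIR'
2022-11-25T15:43:46Z DEBUG certmonger request is in state 'SUBMITTING'
2022-11-25T15:44:11Z DEBUG certmonger request is in state 'CA_UNREACHABLE'
2022-11-25T15:44:11Z DEBUG Cert request 20221125154346 failed: CA_UNREACHABLE (Server at https://ipa-master.example.test/ipa/json failed request, will retry: 4001 (The service principal for subject alt name ipa-ca.example.test in certificate request does not exist).)
ldap.SERVER_DOWN: {'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': [], 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (certificate is not yet valid)'}
2022-11-25T15:45:40Z CRITICAL Failed to configure CA instance
""".splitlines()

# Constructed topology: two CA servers, but DNS only publishes the first one.
SAMPLE_CA_SERVERS = {"ipa1.example.test": "192.0.2.10", "ipa2.example.test": "192.0.2.11"}
SAMPLE_IPA_CA_RECORDS = ["192.0.2.10"]

if __name__ == "__main__":
    for finding, evidence in diagnose_replica_log(SAMPLE_LOG):
        print(f"{finding}: {evidence}")
    print("certmonger states:", " -> ".join(certmonger_states(SAMPLE_LOG)))
    print("ipa-ca record check:", check_ipa_ca_record(SAMPLE_IPA_CA_RECORDS, SAMPLE_CA_SERVERS))
```

Both signatures may appear in the same log, as they did in the thread; the first check reports every one it sees rather than stopping at the first, so the operator can fix the DNS record and the clock before retrying the install instead of discovering the second problem on the next attempt.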
