Hi,
On Thu, May 16, 2024 at 4:42 AM Satish Patel via FreeIPA-users <[email protected]> wrote:

> Folks,
>
> I have Master freeIPA running on CentOS 7 and now trying to migrate it to
> RockyLinux 8.9 (because centos7 is EOL).
>
> When I am running # ipa-replica-install --setup-ca I encounter following
> error
>
> Custodia uses 'ldap-vx-010101-4.site5.example.com' as master peer.
>

Is the above node running the CA instance? You can check with

    # ipa config-show | grep CA
      IPA CA servers: server.ipa.test
      IPA CA renewal master: server.ipa.test

Then on this "master peer" machine, check that the custodia service is able to find all the keys:

    # /usr/libexec/ipa/ipa-custodia-check `hostname`

I would also check the redirection for ipa/keys that should be defined in /etc/httpd/conf.d/ipa.conf. You should see lines similar to the following on the "master peer":

    # Custodia stuff is redirected to the custodia daemon
    # after authentication
    <Location "/ipa/keys/">
        ProxyPass "unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/"
        RequestHeader set GSS_NAME %{GSS_NAME}s
        RequestHeader set REMOTE_USER %{REMOTE_USER}s
    </Location>

And check that the custodia service is running on this "master peer":

    # systemctl status ipa-custodia

flo

> Configuring ipa-custodia
> [1/4]: Generating ipa-custodia config file
> [2/4]: Generating ipa-custodia keys
> [3/4]: starting ipa-custodia
> [4/4]: configuring ipa-custodia to start on boot
> Done configuring ipa-custodia.
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> 502 Server Error: Proxy Error for url:
> https://ldap-vx-010101-4.site5.example.com/ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9.22_zi7TYs4bcSB18XAFIXx5nDggvASTH8aNiIFwpBAI7UVtSsscofijN9MXS1r5Ddo-P31n5fwybxbifiQ81fqFY3DqQ0mas40v_bKgWeBVfIRFZmU2mipTbE0OqmxY31YNmE-WBqMgktLvEY9x8dQW-slrrUGfIeBun1oAYaQeJwSulwh9w0-MCBh9XjTHNYrd37OeZeCKlB49UB-CTg7Mh9XRQ85PuoJ2UEbh9G47v6CnTYVjymUkvEhMEYodFfWr8JoqKZvkCnJhze9p8KZ6lJdwHmiVK2R_A1MLgAG_Nah-_AWu-JxEk18Gke4AcDuDD3qKtL92T9ge7u9NG8g.HaXy63qL4GjAm-sHu-HJzA.J5Z4KxfLC2OHnW8zxg7bl-rfFjc7_cJ5PP-Ewf4pzsH5JtNP5cDO4gQb2XfiP4rxLS6j6oXD_UXSVgTeUYTmS9CpaG_IfwqG5vnluep2HlNbJfCE581sBxmWUIXqE8RogmIgKWxdNet3CnlER0faVn-uYhbI4Dbjli5NP0MPvlleo-T05q-gNx7VNhtawVYbsBmF5FeqYW8JvfX9H4Vezwe_aRk962sBeO1xcGwaGCMNBrKLNBYx2cmRIinXQuK6HtzAMyGrNAS-4vsf1GjWc8u3Dpolfblwst2IGw71oCUZV7wwelkJRnNJ1zZCHqVt9PK2iQt5YmVVoD5HCGju9z2d3dyxeTsE8tETG2aVxf-w5vNsQbJnkjxTBUZYzNO4-W5sBQP2yyfoENfBW7SHzHozZW7TCFsOJ-0ndvZjCo5ZeuYxNRo6qaB1l8y8NOTeNmf9xyxV3RpNHvTt71kl4JR_4brXsMQVEvq6YWu2e04dLIN3aD54wtuDAg0Gayxa5FAqW1WuaVJZ015o19wGVQvzsuh_ORQ6B0MXsrB6Ie7Pz8gpIuX4HP6mW28jOsOheKzTNCieJIHXk9oeJq76yRPvjy9jYsVAtLWCZQ4I_hOg-u_yLRmsE8PAB15j34KYCoSBRIKd_7zY9bY8naPBmjyvrMro06qTeAK-dJ39lwcdlqY9iqEifvYcva3pZZ-H.RMGIOsihXuAxDeQR1czcVD5ICCv_A__WOBMve1Lx9xE
>
> I did google and found a similar issue but no solutions. Any idea what
> could be wrong here? I have checked and all certs are updated and not
> expired.
>
> Above error isn't great to understand what is going on. I am able to use
> curls etc. That means cert is updated and valid.
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
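The httpd redirection check described in the reply above can be scripted. The following is an added example, not part of the original message and not a FreeIPA tool; the function name check_custodia_proxy is hypothetical. It reports which directives of the quoted Location block are absent from a config file, and treats a commented-out block as missing.

```shell
#!/bin/sh
# Added example: check_custodia_proxy is a hypothetical helper, not a FreeIPA tool.
# It reads an httpd config file and reports which parts of the
# <Location "/ipa/keys/"> block quoted in the reply are missing.
# Exit status: 0 = all present, 1 = something missing, 2 = file unreadable.
check_custodia_proxy() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read: $conf" >&2; return 2; }
    awk '
        /^[ \t]*#/ { next }    # a commented-out directive does not count
        $0 ~ "^[ \t]*<Location[ \t]+\"?/ipa/keys/\"?[ \t]*>" { inblk = 1; found = 1; next }
        inblk && /^[ \t]*<\/Location>/ { inblk = 0; next }
        # Fixed-string match on the socket target, so "|" and "." stay literal.
        inblk && $1 == "ProxyPass" &&
            index($0, "unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/") { proxy = 1 }
        inblk && $1 == "RequestHeader" && $2 == "set" && $3 == "GSS_NAME" { gss = 1 }
        inblk && $1 == "RequestHeader" && $2 == "set" && $3 == "REMOTE_USER" { user = 1 }
        END {
            if (!found) { print "missing: Location /ipa/keys/ block"; exit 1 }
            if (!proxy) { print "missing: ProxyPass to ipa-custodia.sock"; bad = 1 }
            if (!gss)   { print "missing: RequestHeader set GSS_NAME"; bad = 1 }
            if (!user)  { print "missing: RequestHeader set REMOTE_USER"; bad = 1 }
            if (!bad)   { print "ok: /ipa/keys/ is proxied to ipa-custodia" }
            exit (bad ? 1 : 0)
        }
    ' "$conf"
}

# When run as a script with an argument, check that file, e.g.:
#   sh check_custodia_proxy.sh /etc/httpd/conf.d/ipa.conf
if [ "$#" -gt 0 ]; then
    check_custodia_proxy "$1"
fi
```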
