Hemminger, Corey Lee. [heco0...@stcloudstate.edu] wrote:
I'm a student admin for St. Cloud State University's Business Computing Research Lab, and
we run our own separate network inside the campus network with dedicated internet feeds
and hardware for professors' research as well as master's and bachelor's student research
and labs. We have many computers set up for workstations, clusters, clouds, etc., and I'm
trying to set up a redundant FreeIPA v2.0 in VirtualBox to help manage the systems and
control access to machines. I have set up the master with no problems, but when creating
the replica I run the command "ipa-replica-install -N --setup-dns
/var/lib/ipa/replica-file-from-master" and I get this error output. It created the
directory fine but is having trouble with the certs. I have disabled the firewalls on
both and SELinux, hoping they would help, but still the same problem.
[r...@earth bcrl]# ipa-replica-install
/var/lib/ipa/replica-info-earth.bcrl.stcloudstate.edu.gpg -N --setup-dns
An existing Directory Server has been detected.
Do you wish to remove it and create a new one? [no]: yes
Directory Manager (existing master) password:
Warning: Hostname (earth.bcrl.stcloudstate.edu) not found in DNS
Configuring directory server for the CA:
[1/4]: creating directory server user
[2/4]: creating directory server instance
[3/4]: configuring directory to start on boot
[4/4]: restarting directory server
done configuring pkids.
Configuring certificate server:
[1/9]: creating certificate server user
[2/9]: configuring certificate server instance
root : CRITICAL failed to restart ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
earth.bcrl.stcloudstate.edu -cs_port 9445 -client_certdb_dir /tmp/tmp-vemQSV -client_certdb_pwd XXXXXXXX -preop_pin yhiJojW06gxaPrkvOJOK
-domain_name IPA -admin_user admin -admin_email r...@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048
-agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,O=IPA" -ldap_host earth.bcrl.stcloudstate.edu -ldap_port 7389 -bind_dn
"cn=Directory Manager" -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -save_p12 true -backup_pwd
XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IPA"
-ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IPA" -ca_server_cert_subject_name "CN=earth.bcrl.stcloudstate.edu,O=IPA"
-ca_audit_signing_cert_subject_name "CN=CA Audit,O=IPA" -ca_sign_cert_subject_name "CN=Certificate Authority,O=IPA" -external false -clone true -clone_p12_file ca.p12
-clone_p12_password XXXXXXXX -sd_hostname zeus.bcrl.stcloudstate.edu -sd_admin_port
9445 -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_uri
https://zeus.bcrl.stcloudstate.edu:9444' returned non-zero exit status 255
[3/9]: creating RA agent certificate database
[4/9]: importing CA chain to RA certificate database
creation of replica failed: Unable to retrieve CA chain: Retrieving CA cert
chain failed: Error: Failed to get certificate chain.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Thanks for any help,
Heh, I guess I didn't fat-finger this after all...
What distro is this?
What version of pki-* and dogtag-* do you have installed? Can you look
at /var/log/ipareplica-install.log to see if there are any more details
on the failure? /var/log/pki-ca/debug would also be a place to look
though be forewarned, it is quite verbose and daunting (and has a number
of red herrings, particularly warnings about cipher failures).
We had some problems creating dogtag clones while creating IPA replicas
in the recent past and it would fail in the pkisilent step. This may be
another case of that or it may be that our current requires don't pull
in the right set of dogtag packages.
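As an added example for this thread (not code from the original post, nor from the FreeIPA or Dogtag projects), the script below works on the failing pkisilent command line quoted above. It pulls out the hosts and ports the clone step talks to, so that DNS resolution and reachability of each can be checked by hand (the installer already warned that the replica hostname was not found in DNS); it lists the "secret" flags whose values were not masked before the output was pasted (the post masks every password but leaves preop_pin in clear); and it filters a debug log the way the reply suggests, dropping the cipher warnings it calls red herrings. The function names are my own, and SAMPLE_DEBUG_LOG is constructed for the example; it is not the real /var/log/pki-ca/debug format.

```python
"""Triage helpers for a failed FreeIPA v2 replica CA-clone step.

Added example, not FreeIPA or Dogtag project code.  It parses the pkisilent
ConfigureCA command quoted in the thread, derives the endpoints that step
must reach, flags unmasked secrets, and filters constructed debug-log lines.
"""
import re
import shlex
from typing import Dict, List, Tuple

# The failing command as pasted in the post; passwords were masked by the poster.
PKISILENT_CMD = (
    "/usr/bin/perl /usr/bin/pkisilent ConfigureCA "
    "-cs_hostname earth.bcrl.stcloudstate.edu -cs_port 9445 "
    "-client_certdb_dir /tmp/tmp-vemQSV -client_certdb_pwd XXXXXXXX "
    "-preop_pin yhiJojW06gxaPrkvOJOK -domain_name IPA -admin_user admin "
    "-admin_email r...@localhost -admin_password XXXXXXXX "
    "-agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa "
    '-agent_cert_subject "CN=ipa-ca-agent,O=IPA" '
    "-ldap_host earth.bcrl.stcloudstate.edu -ldap_port 7389 "
    '-bind_dn "cn=Directory Manager" -bind_password XXXXXXXX '
    "-base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa "
    "-save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal "
    '-ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IPA" '
    '-ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IPA" '
    '-ca_server_cert_subject_name "CN=earth.bcrl.stcloudstate.edu,O=IPA" '
    '-ca_audit_signing_cert_subject_name "CN=CA Audit,O=IPA" '
    '-ca_sign_cert_subject_name "CN=Certificate Authority,O=IPA" '
    "-external false -clone true -clone_p12_file ca.p12 "
    "-clone_p12_password XXXXXXXX -sd_hostname zeus.bcrl.stcloudstate.edu "
    "-sd_admin_port 9445 -sd_admin_name admin -sd_admin_password XXXXXXXX "
    "-clone_uri https://zeus.bcrl.stcloudstate.edu:9444"
)

# Constructed sample lines for this example; the real /var/log/pki-ca/debug layout differs.
SAMPLE_DEBUG_LOG = [
    "[constructed] CMSEngine: cipher NULL-MD5 failed to enable, skipping",
    "[constructed] CMSEngine: cipher DES-CBC-SHA failed to enable, skipping",
    "[constructed] ConfigureCA: contacting security domain zeus.bcrl.stcloudstate.edu:9445",
    "[constructed] ConfigureCA: ERROR fetching CA chain from https://zeus.bcrl.stcloudstate.edu:9444",
    "[constructed] ConfigureCA: restart of pki-cad failed, exit status 255",
]


def parse_pkisilent_args(cmd: str) -> Dict[str, str]:
    """Map each '-flag value' pair of the pkisilent command line to a dict.

    Every ConfigureCA flag on the quoted command takes exactly one value, so a
    two-token walk is enough; shlex keeps the quoted DNs together.
    """
    tokens = shlex.split(cmd)
    args: Dict[str, str] = {}
    i = 0
    while i < len(tokens):
        if tokens[i].startswith("-") and i + 1 < len(tokens):
            args[tokens[i][1:]] = tokens[i + 1]
            i += 2
        else:
            i += 1  # 'perl', the script path and the 'ConfigureCA' verb
    return args


def clone_endpoints(args: Dict[str, str]) -> List[Tuple[str, str, int]]:
    """(role, host, port) triples the clone step must reach, derived from the flags.

    Resolving each host and connecting to each port is the first manual check
    when the installer has already warned that a hostname is not in DNS.
    """
    m = re.match(r"https://([^/:]+):(\d+)", args["clone_uri"])
    if not m:
        raise ValueError("clone_uri is not of the form https://host:port")
    return [
        ("master CA (clone_uri)", m.group(1), int(m.group(2))),
        ("master security domain admin port", args["sd_hostname"], int(args["sd_admin_port"])),
        ("replica CA LDAP backend", args["ldap_host"], int(args["ldap_port"])),
        ("replica CA admin port", args["cs_hostname"], int(args["cs_port"])),
    ]


SECRET_FLAG = re.compile(r"(pwd|password|pin)$")
MASK = "XXXXXXXX"


def unmasked_secret_args(args: Dict[str, str]) -> List[str]:
    """Flags whose name marks them as secrets but whose value was not masked.

    Worth running before pasting installer output to a public list.
    """
    return sorted(k for k, v in args.items() if SECRET_FLAG.search(k) and v != MASK)


FAILURE_MARKER = re.compile(r"\b(error|fail\w*|exception|severe)\b", re.IGNORECASE)
CIPHER_NOISE = re.compile(r"cipher", re.IGNORECASE)


def interesting_log_lines(lines: List[str]) -> List[str]:
    """Failure-looking lines, minus the cipher warnings the reply flags as noise."""
    return [line for line in lines if FAILURE_MARKER.search(line) and not CIPHER_NOISE.search(line)]


if __name__ == "__main__":
    parsed = parse_pkisilent_args(PKISILENT_CMD)
    for role, host, port in clone_endpoints(parsed):
        print(f"check: {role:36s} {host}:{port}")
    print("unmasked secret flags:", unmasked_secret_args(parsed))
    for entry in interesting_log_lines(SAMPLE_DEBUG_LOG):
        print("log:", entry)
```

Run it as-is to see the four endpoints, the unmasked preop_pin, and the two non-cipher failure lines from the constructed log; to use it on a real failure, paste the command from your own ipareplica-install.log into PKISILENT_CMD and feed the lines of /var/log/pki-ca/debug to interesting_log_lines.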
Freeipa-users mailing list