Hemminger, Corey Lee. [heco0...@stcloudstate.edu] wrote:
Hi,
I'm a student admin for St. Cloud State University's Business Computing Research Lab, and 
we run our own seperate network inside the campus network with dedicated internet feeds 
and hardware for professors research as well as masters and bachelors student research 
and labs. We have many computers setup for workstations, clusters, clouds, etc... and I'm 
trying to set up a redundant FreeIPA v2.0 in virtual box to help manage the systems and 
control access to machines. I have setup the master with no problems, but when creating 
the replica I run the command "ipa-replica-install -N --setup-dns 
/var/lib/ipa/replica-file-from-master" and I get this error output. It created the 
directory fine but is having trouble with the certs. I have disabled the firewalls on 
both and selinux hoping they would help but still same problem.

[r...@earth bcrl]# ipa-replica-install 
/var/lib/ipa/replica-info-earth.bcrl.stcloudstate.edu.gpg -N --setup-dns 
--no-forwarders

An existing Directory Server has been detected.
Do you wish to remove it and create a new one? [no]: yes
Directory Manager (existing master) password:

Warning: Hostname (earth.bcrl.stcloudstate.edu) not found in DNS
Configuring directory server for the CA:
   [1/4]: creating directory server user
   [2/4]: creating directory server instance
   [3/4]: configuring directory to start on boot
   [4/4]: restarting directory server
done configuring pkids.
Configuring certificate server:
   [1/9]: creating certificate server user
   [2/9]: configuring certificate server instance
root        : CRITICAL failed to restart ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname 
earth.bcrl.stcloudstate.edu -cs_port 9445 -client_certdb_dir /tmp/tmp-vemQSV -client_certdb_pwd XXXXXXXX -preop_pin yhiJojW06gxaPrkvOJOK 
-domain_name IPA -admin_user admin -admin_email r...@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 
-agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,O=IPA" -ldap_host earth.bcrl.stcloudstate.edu -ldap_port 7389 -bind_dn 
"cn=Directory Manager" -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -save_p12 true -backup_pwd 
XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IPA" 
-ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IPA" -ca_server_cert_subject_name "CN=earth.bcrl.stcloudstate.edu,O=IPA" 
-ca_audit_signing_cert_subject_name "CN=CA Audit,O=IPA" -ca_sign_cert_subject_name "CN=Certificate Auth
o!
  rity,O=IPA" -external false -clone true -clone_p12_file ca.p12 
-clone_p12_password XXXXXXXX -sd_hostname zeus.bcrl.stcloudstate.edu -sd_admin_port 
9445 -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_uri 
https://zeus.bcrl.stcloudstate.edu:9444' returned non-zero exit status 255
   [3/9]: creating RA agent certificate database
   [4/9]: importing CA chain to RA certificate database
creation of replica failed: Unable to retrieve CA chain: Retrieving CA cert 
chain failed: Error: Failed to get certificate chain.

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Thanks for any help,
Corey

Heh, I guess I didn't fat-finger this after all...

What distro is this?

What version of pki-* and dogtag-* do you have installed? Can you look at /var/log/ipareplica-install.log to see if there are any more details on the failure? /var/log/pki-ca/debug would also be a place to look though be forewarned, it is quite verbose and daunting (and has a number of red herrings, particularly warnings about cipher failures).

We had some problems creating dogtag clones while creating IPA replicas in the recent pas and it would fail in the pkisilent step. This may be another case of that or it may be that our current requires don't pull in the right set of of dogtag packages.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to