Thanks so much you've been a big help. I'll give it a whack tomorrow morning. 
Thanks again. 

Corey

On Aug 17, 2010, at 3:06 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Hemminger, Corey Lee. [heco0...@stcloudstate.edu] wrote:
>> ok I did the updates, and edited the python files. Now when I try to run the 
>> replica install I get:
>> 
>> [r...@earth bcrl]# ipa-replica-install 
>> /var/lib/ipa/replica-info-earth.bcrl.stcloudstate.edu.gpg -N --setup-dns 
>> --no-forwarder
>> Directory Manager (existing master) password:
>> 
>> root        : ERROR    Cannot find Reverse Address for 
>> earth.bcrl.stcloudstate.edu (3.2.0.10.in-addr.arpa.)
>> 
>> I had this when installing the ipa-server and there was a --no-dns-lookup 
>> option but not with the replica. Before the testing updates, I did get a 
>> warning about the server not working for DNS lookup but still went ahead 
>> with install. I'm looking to set these two up and make them the DNS servers 
>> and currently have a simple dns setup that will get replaced by this setup. 
>> How do I get around the reverse address lookup on the replica install side? 
>> Thanks again for all the help.
> 
> You'll need to modify /usr/sbin/ipa-replica-install. Look for the 
> function get_host_name(). You'll want to comment out the 5 lines 
> starting with try:. The comment character in python is the hash #. This 
> will cause it to skip the call to verify_fqdn() and your install should 
> proceed.
> 
> I've opened a ticket to add this functionality to ipa-replica-install: 
> https://fedorahosted.org/freeipa/ticket/146
> 
> rob
> 
>> 
>> Corey-
>> ________________________________________
>> From: Rob Crittenden [rcrit...@redhat.com]
>> Sent: Monday, August 16, 2010 2:49 PM
>> To: Hemminger, Corey Lee. [heco0...@stcloudstate.edu]
>> Cc: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] FreeIPA v2.0 alpha4 replica installation 
>> problems
>> 
>> Hemminger, Corey Lee. [heco0...@stcloudstate.edu] wrote:
>>> I'm using fedora 13 amd-64 version. I added the developers repo from 
>>> freeIPA.com for V2.0 and then did a yum install ipa-server so whichever 
>>> version it installed. I'm looking at dogtag and one of the packages says 
>>> 1.3.1-2.fc13 and the other 2 packages for dogtag say 1.3.2-2.fc13 for the 
>>> pki dogtag package it says 1.3.7-1.fc13 all the packages read 1.3.something 
>>> the pki-silent-1.3.3-1.fc13 package if that helps. I also attached the two 
>>> files you asked to check. I attached the ipa-serv_deplist that I created 
>>> from running "yum deplist ipa-server" and it has all the packages and 
>>> version numbers. Sorry for the choppy e-mail I'm writing and looking up the 
>>> stuff in pieces.
>> 
>> Can you update the pki-* and dogtag-* packages from the updates-testing
>> repo? There are a number of important fixes there.
>> 
>> It is also going to break your replica install because a new required
>> option has been added to pkisilent. You'll need to modify
>> /usr/lib/python*/site-packages/ipaserver/install/cainstance.py
>> 
>> Search for pkisilent. We create a python list of the command to execute.
>> You want to patch it like this (the numbers might not exactly line up):
>> 
>> @@ -535,6 +524,7 @@ class CAInstance(service.Service):
>>                       "-db_name", "ipaca",
>>                       "-key_size", "2048",
>>                       "-key_type", "rsa",
>> +                    "-key_algorithm", "SHA256withRSA",
>>                       "-save_p12", "true",
>>                       "-backup_pwd", self.admin_password,
>>                       "-subsystem_name", self.service_name,
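Review bot: the added `"-key_algorithm", "SHA256withRSA"` line must stay consistent with the neighbouring `"-key_type", "rsa"` and `"-key_size", "2048"` entries in this argument list; it is right for an RSA key, but anyone later changing `-key_type` would also have to change the algorithm string, so a short comment on the new line noting that coupling would help. Since the hunk header offsets (`-535,6 +524,7`) are acknowledged not to match the installed file, the line is best inserted by hand after the `-key_type` entry rather than fed to patch(1).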
>> 
>> You *might* be able to get away with just updating dogtag on the
>> replica, I'm not sure.
>> 
>> rob
>> 
>>> ________________________________________
>>> From: Rob Crittenden [rcrit...@redhat.com]
>>> Sent: Monday, August 16, 2010 12:35 PM
>>> To: Hemminger, Corey Lee. [heco0...@stcloudstate.edu]
>>> Cc: freeipa-users@redhat.com
>>> Subject: Re: [Freeipa-users] FreeIPA v2.0 alpha4 replica installation 
>>> problems
>>> 
>>> Hemminger, Corey Lee. [heco0...@stcloudstate.edu] wrote:
>>>> Hi,
>>>> I'm a student admin for St. Cloud State University's Business Computing 
>>>> Research Lab, and we run our own separate network inside the campus 
>>>> network with dedicated internet feeds and hardware for professors' research 
>>>> as well as master's and bachelor's student research and labs. We have many 
>>>> computers setup for workstations, clusters, clouds, etc... and I'm trying 
>>>> to set up a redundant FreeIPA v2.0 in virtual box to help manage the 
>>>> systems and control access to machines. I have setup the master with no 
>>>> problems, but when creating the replica I run the command 
>>>> "ipa-replica-install -N --setup-dns /var/lib/ipa/replica-file-from-master" 
>>>> and I get this error output. It created the directory fine but is having 
>>>> trouble with the certs. I have disabled the firewalls on both and selinux 
>>>> hoping they would help but still same problem.
>>>> 
>>>> [r...@earth bcrl]# ipa-replica-install 
>>>> /var/lib/ipa/replica-info-earth.bcrl.stcloudstate.edu.gpg -N --setup-dns 
>>>> --no-forwarders
>>>> 
>>>> An existing Directory Server has been detected.
>>>> Do you wish to remove it and create a new one? [no]: yes
>>>> Directory Manager (existing master) password:
>>>> 
>>>> Warning: Hostname (earth.bcrl.stcloudstate.edu) not found in DNS
>>>> Configuring directory server for the CA:
>>>>     [1/4]: creating directory server user
>>>>     [2/4]: creating directory server instance
>>>>     [3/4]: configuring directory to start on boot
>>>>     [4/4]: restarting directory server
>>>> done configuring pkids.
>>>> Configuring certificate server:
>>>>     [1/9]: creating certificate server user
>>>>     [2/9]: configuring certificate server instance
>>>> root        : CRITICAL failed to restart ca instance Command 
>>>> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname 
>>>> earth.bcrl.stcloudstate.edu -cs_port 9445 -client_certdb_dir 
>>>> /tmp/tmp-vemQSV -client_certdb_pwd XXXXXXXX -preop_pin 
>>>> yhiJojW06gxaPrkvOJOK -domain_name IPA -admin_user admin -admin_email 
>>>> r...@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent 
>>>> -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject 
>>>> "CN=ipa-ca-agent,O=IPA" -ldap_host earth.bcrl.stcloudstate.edu -ldap_port 
>>>> 7389 -bind_dn "cn=Directory Manager" -bind_password XXXXXXXX -base_dn 
>>>> o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -save_p12 true 
>>>> -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal 
>>>> -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IPA" 
>>>> -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IPA" 
>>>> -ca_server_cert_subject_name "CN=earth.bcrl.stcloudstate.edu,O=IPA" 
>>>> -ca_audit_signing_cert_subject_name "CN=CA Audit,O=IPA" 
>>>> -ca_sign_cert_subject_name "CN=Certificate Authority,O=IPA" -external false -clone true -clone_p12_file ca.p12 
>>>> -clone_p12_password XXXXXXXX -sd_hostname zeus.bcrl.stcloudstate.edu 
>>>> -sd_admin_port 9445 -sd_admin_name admin -sd_admin_password XXXXXXXX 
>>>> -clone_uri https://zeus.bcrl.stcloudstate.edu:9444' returned non-zero exit 
>>>> status 255
>>>>     [3/9]: creating RA agent certificate database
>>>>     [4/9]: importing CA chain to RA certificate database
>>>> creation of replica failed: Unable to retrieve CA chain: Retrieving CA 
>>>> cert chain failed: Error: Failed to get certificate chain.
>>>> 
>>>> Your system may be partly configured.
>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>> 
>>>> Thanks for any help,
>>>> Corey
>>> 
>>> Heh, I guess I didn't fat-finger this after all...
>>> 
>>> What distro is this?
>>> 
>>> What version of pki-* and dogtag-* do you have installed? Can you look
>>> at /var/log/ipareplica-install.log to see if there are any more details
>>> on the failure? /var/log/pki-ca/debug would also be a place to look
>>> though be forewarned, it is quite verbose and daunting (and has a number
>>> of red herrings, particularly warnings about cipher failures).
>>> 
>>> We had some problems creating dogtag clones while creating IPA replicas
>>> in the recent past and it would fail in the pkisilent step. This may be
>>> another case of that or it may be that our current requires don't pull
>>> in the right set of dogtag packages.
>>> 
>>> rob
>> 
> 

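The forward/reverse consistency check that verify_fqdn() enforces, and that the thread above works around, as an added illustration written for this page and not FreeIPA's own code: it derives the in-addr.arpa name from the forward lookup result (the form printed in Corey's error) and requires the PTR to map back to the hostname, with a hypothetical require_reverse switch standing in for the --no-dns-lookup style opt-out the replica installer lacked. The resolver functions are injectable, and the host/address pairs below are constructed sample data.

```python
import ipaddress
import socket

def ptr_name(ip: str) -> str:
    """Reverse-DNS owner name for an address, as ipa-replica-install printed it:
    10.0.2.3 -> '3.2.0.10.in-addr.arpa.' (IPv6 addresses give an ip6.arpa name)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def check_fqdn(hostname, forward=socket.gethostbyname,
               reverse=socket.gethostbyaddr, require_reverse=True):
    """Resolve hostname forward, resolve the address back, and require the PTR
    to name the same host. Returns (ok, reason). forward/reverse are injectable
    so the check runs offline against constructed data; require_reverse=False is
    a hypothetical opt-out, not a FreeIPA option."""
    host = hostname.rstrip(".").lower()
    if "." not in host:
        return False, f"{hostname} is not a fully qualified name"
    try:
        ip = forward(host)
    except OSError as exc:
        return False, f"forward lookup for {host} failed: {exc}"
    try:
        rname, aliases, _ = reverse(ip)
    except OSError:
        if require_reverse:
            return False, f"Cannot find Reverse Address for {host} ({ptr_name(ip)})"
        return True, f"{host} -> {ip}; no PTR record, reverse check skipped"
    names = {n.rstrip(".").lower() for n in (rname, *aliases)}
    if host not in names:
        return False, f"PTR for {ip} names {rname}, not {host}"
    return True, f"{host} -> {ip} -> {rname}"

# Constructed sample zone data (not from the thread): the master has a PTR
# record, the replica does not, which reproduces the error Corey reported.
_FORWARD = {"zeus.bcrl.stcloudstate.edu": "10.0.2.2",
            "earth.bcrl.stcloudstate.edu": "10.0.2.3"}
_REVERSE = {"10.0.2.2": ("zeus.bcrl.stcloudstate.edu", [], ["10.0.2.2"])}

def demo_forward(host):
    """Stand-in for socket.gethostbyname over the constructed data."""
    if host not in _FORWARD:
        raise socket.gaierror(f"{host} not found")
    return _FORWARD[host]

def demo_reverse(ip):
    """Stand-in for socket.gethostbyaddr over the constructed data."""
    if ip not in _REVERSE:
        raise socket.herror(f"no PTR for {ip}")
    return _REVERSE[ip]
```

Skipping the reverse check only silences the installer; the replica's certificate subject and Kerberos principal still carry the hostname, so the PTR record should be added before the host goes into service.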
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
