Thanks so much you've been a big help. I'll give it a whack tomorrow morning. 
Thanks again. 


On Aug 17, 2010, at 3:06 PM, Rob Crittenden <> wrote:

> Hemminger, Corey Lee. [] wrote:
>> OK, I did the updates and edited the Python files. Now when I try to run the 
>> replica install I get:
>> [r...@earth bcrl]# ipa-replica-install 
>> /var/lib/ipa/ -N --setup-dns 
>> --no-forwarder
>> Directory Manager (existing master) password:
>> root        : ERROR    Cannot find Reverse Address for 
>> (
>> I had this when installing the ipa-server and there was a --no-dns-lookup 
>> option, but not with the replica. Before the testing updates, I did get a 
>> warning about the server not working for DNS lookup but still went ahead 
>> with the install. I'm looking to set these two up and make them the DNS servers, 
>> and currently have a simple DNS setup that will get replaced by this setup. 
>> How do I get around the reverse address lookup on the replica install side? 
>> Thanks again for all the help.
> You'll need to modify /usr/sbin/ipa-replica-install. Look for the 
> function get_host_name(). You'll want to comment out the 5 lines 
> starting with try:. The comment character in python is the hash #. This 
> will cause it to skip the call to verify_fqdn() and your install should 
> proceed.
> I've opened a ticket to add this functionality to ipa-replica-install: 
> rob
>> Corey-
>> ________________________________________
>> From: Rob Crittenden []
>> Sent: Monday, August 16, 2010 2:49 PM
>> To: Hemminger, Corey Lee. []
>> Cc:
>> Subject: Re: [Freeipa-users] FreeIPA v2.0 alpha4 replica installation 
>> problems
>> Hemminger, Corey Lee. [] wrote:
>>> I'm using fedora 13 amd-64 version. I added the developers repo from 
>>> for V2.0 and then did a yum install ipa-server so which ever 
>>> version it installed. I'm looking at dogtag and one of the packages says 
>>> 1.3.1-2.fc13 and the other 2 packages for dogtag say 1.3.2-2.fc13 for the 
>>> pki dogtag package it says 1.3.7-1.fc13 all the packages read 1.3.something 
>>> the pki-silent-1.3.3-1.fc13 package if that helps. I also attached the two 
>>> files you asked to check. I attached the ipa-serv_deplist that I created 
>>> from running "yum deplist ipa-server" and it has all the packages and 
>>> version numbers. Sorry for the choppy e-mail I'm writing and looking up the 
>>> stuff in pieces.
>> Can you update the pki-* and dogtag-* packages from the updates-testing
>> repo? There are a number of important fixes there.
>> It is also going to break your replica install because a new required
>> option has been added to pkisilent. You'll need to modify
>> /usr/lib/python*/site-packages/ipaserver/install/
>> Search for pkisilent. We create a python list of the command to execute.
>> You want to patch it like this (the numbers might not exactly line up):
>> @@ -535,6 +524,7 @@ class CAInstance(service.Service):
>>                       "-db_name", "ipaca",
>>                       "-key_size", "2048",
>>                       "-key_type", "rsa",
>> +                    "-key_algorithm", "SHA256withRSA",
>>                       "-save_p12", "true",
>>                       "-backup_pwd", self.admin_password,
>>                       "-subsystem_name", self.service_name,
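Review bot: the added "-key_algorithm", "SHA256withRSA" line hardcodes a signature algorithm that only matches the equally hardcoded "-key_type", "rsa" two lines above; if the key type is ever changed the two will silently disagree, so consider deriving the algorithm from the key type (or at least a comment tying them together). Choosing SHA-256 over SHA-1 for a new CA is the right default.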
>> You *might* be able to get away with just updating dogtag on the
>> replica, I'm not sure.
>> rob
>>> ________________________________________
>>> From: Rob Crittenden []
>>> Sent: Monday, August 16, 2010 12:35 PM
>>> To: Hemminger, Corey Lee. []
>>> Cc:
>>> Subject: Re: [Freeipa-users] FreeIPA v2.0 alpha4 replica installation 
>>> problems
>>> Hemminger, Corey Lee. [] wrote:
>>>> Hi,
>>>> I'm a student admin for St. Cloud State University's Business Computing 
>>>> Research Lab, and we run our own separate network inside the campus 
>>>> network with dedicated internet feeds and hardware for professors' research 
>>>> as well as master's and bachelor's student research and labs. We have many 
>>>> computers set up for workstations, clusters, clouds, etc., and I'm trying 
>>>> to set up a redundant FreeIPA v2.0 in VirtualBox to help manage the 
>>>> systems and control access to machines. I have set up the master with no 
>>>> problems, but when creating the replica I run the command 
>>>> "ipa-replica-install -N --setup-dns /var/lib/ipa/replica-file-from-master" 
>>>> and I get this error output. It created the directory fine but is having 
>>>> trouble with the certs. I have disabled the firewalls on both, and SELinux, 
>>>> hoping that would help, but still the same problem.
>>>> [r...@earth bcrl]# ipa-replica-install 
>>>> /var/lib/ipa/ -N --setup-dns 
>>>> --no-forwarders
>>>> An existing Directory Server has been detected.
>>>> Do you wish to remove it and create a new one? [no]: yes
>>>> Directory Manager (existing master) password:
>>>> Warning: Hostname ( not found in DNS
>>>> Configuring directory server for the CA:
>>>>     [1/4]: creating directory server user
>>>>     [2/4]: creating directory server instance
>>>>     [3/4]: configuring directory to start on boot
>>>>     [4/4]: restarting directory server
>>>> done configuring pkids.
>>>> Configuring certificate server:
>>>>     [1/9]: creating certificate server user
>>>>     [2/9]: configuring certificate server instance
>>>> root        : CRITICAL failed to restart ca instance Command 
>>>> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname 
>>>> -cs_port 9445 -client_certdb_dir 
>>>> /tmp/tmp-vemQSV -client_certdb_pwd XXXXXXXX -preop_pin 
>>>> yhiJojW06gxaPrkvOJOK -domain_name IPA -admin_user admin -admin_email 
>>>> r...@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent 
>>>> -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject 
>>>> "CN=ipa-ca-agent,O=IPA" -ldap_host -ldap_port 
>>>> 7389 -bind_dn "cn=Directory Manager" -bind_password XXXXXXXX -base_dn 
>>>> o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -save_p12 true 
>>>> -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal 
>>>> -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IPA" 
>>>> -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IPA" 
>>>> -ca_server_cert_subject_name ",O=IPA" 
>>>> -ca_audit_signing_cert_subject_name "CN=CA Audit,O=IPA" 
>>>> -ca_sign_cert_subject_name "CN=Certificate Authority,O=IPA" -external false -clone true -clone_p12_file ca.p12 
>>>> -clone_p12_password XXXXXXXX -sd_hostname 
>>>> -sd_admin_port 9445 -sd_admin_name admin -sd_admin_password XXXXXXXX 
>>>> -clone_uri' returned non-zero exit 
>>>> status 255
>>>>     [3/9]: creating RA agent certificate database
>>>>     [4/9]: importing CA chain to RA certificate database
>>>> creation of replica failed: Unable to retrieve CA chain: Retrieving CA 
>>>> cert chain failed: Error: Failed to get certificate chain.
>>>> Your system may be partly configured.
>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>> Thanks for any help,
>>>> Corey
>>> Heh, I guess I didn't fat-finger this after all...
>>> What distro is this?
>>> What version of pki-* and dogtag-* do you have installed? Can you look
>>> at /var/log/ipareplica-install.log to see if there are any more details
>>> on the failure? /var/log/pki-ca/debug would also be a place to look
>>> though be forewarned, it is quite verbose and daunting (and has a number
>>> of red herrings, particularly warnings about cipher failures).
>>> We had some problems creating dogtag clones while creating IPA replicas
>>> in the recent past and it would fail in the pkisilent step. This may be
>>> another case of that, or it may be that our current requires don't pull
>>> in the right set of dogtag packages.
>>> rob
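The reverse-lookup check that Rob suggests commenting out (the verify_fqdn() call in get_host_name()) can instead be kept and made skippable, which is what the --no-dns-lookup option does on the server side. This is an added illustration, not FreeIPA's code: the function names are hypothetical, the resolvers are injectable, and the zone data is constructed.

```python
import socket
from typing import Callable, List, Optional

# Hypothetical stand-in for the FQDN check the thread discusses (FreeIPA's
# verify_fqdn()); not the project's code. Resolvers are injectable so the
# check also runs offline against constructed zone data.
def system_forward(name: str) -> List[str]:
    """Forward lookup through the system resolver; [] when it fails."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def system_reverse(addr: str) -> Optional[str]:
    """Reverse (PTR) lookup through the system resolver; None when missing."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except socket.herror:
        return None

def verify_fqdn(host: str, forward: Callable = system_forward,
                reverse: Callable = system_reverse,
                no_dns_lookup: bool = False) -> List[str]:
    """Return problems found (empty = OK). no_dns_lookup=True runs only the
    syntactic checks, all that can pass when this host will be the DNS server."""
    host = host.rstrip(".").lower()
    problems = []
    if "." not in host or host.startswith("localhost"):
        problems.append(f"{host} is not a fully qualified domain name")
    if no_dns_lookup or problems:
        return problems
    addrs = forward(host)
    if not addrs:
        return [f"Unable to resolve host name {host}"]
    for addr in addrs:
        ptr = reverse(addr)
        if ptr is None:
            problems.append(f"Cannot find Reverse Address for {addr}")
        elif ptr.rstrip(".").lower() != host:
            problems.append(f"Reverse of {addr} is {ptr}, not {host}")
    return problems

# Constructed sample zone data (not from the thread): mars has no PTR record.
FORWARD = {"earth.example.test": ["192.0.2.10"], "mars.example.test": ["192.0.2.11"]}
REVERSE = {"192.0.2.10": "earth.example.test"}
def demo() -> tuple:
    fwd, rev = FORWARD.get, REVERSE.get
    return (verify_fqdn("earth.example.test", lambda n: fwd(n, []), rev),
            verify_fqdn("mars.example.test", lambda n: fwd(n, []), rev),
            verify_fqdn("mars.example.test", lambda n: fwd(n, []), rev, True))
```

The second demo() result reproduces the "Cannot find Reverse Address" failure from the thread, and the third shows the same host passing once DNS verification is skipped rather than the call being removed.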

Freeipa-users mailing list