* Where did the CA instance go? I see nothing in the documentation about
this, but I found an ipa-ca-install command. ipa-ca-install yielded the
error below. The same error occurs if I attempt to --setup-ca while doing
the ipa-replica-install:

Configuring certificate server: Estimated time 3 minutes 30 seconds
[1/11]: creating certificate server user
[2/11]: creating pki-ca instance
[3/11]: configuring certificate server instance
root : CRITICAL failed to configure ca instance Command '/usr/bin/perl
/usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' 'ipa03.ix.test.com'
'-cs_port' '9445' '-client_certdb_dir' '/tmp/tmp-GyGkkW'
'-client_certdb_pwd' XXXXXXXX '-preop_pin' 'BZiIPv9BeXIPIKs7hJrv'
'-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email'
'root@localhost' '-admin_password' XXXXXXXX '-agent_name' 'ipa-ca-agent'
'-agent_key_size' '2048' '-agent_key_type' 'rsa' '-agent_cert_subject'
'CN=ipa-ca-agent,O=IX.TEST.COM' '-ldap_host' 'ipa03.ix.test.com'
'-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password'
XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048'
'-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true'
'-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name'
'internal' '-ca_subsystem_cert_subject_name' 'CN=CA
Subsystem,O=IX.TEST.COM' '-ca_ocsp_cert_subject_name' 'CN=OCSP
Subsystem,O=IX.TEST.COM' '-ca_server_cert_subject_name'
'CN=ipa03.ix.test.com,O=IX.TEST.COM'
'-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=IX.TEST.COM'
'-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=IX.TEST.COM'
'-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12'
'-clone_p12_password' XXXXXXXX '-sd_hostname' 'ipa01.ix.test.com'
'-sd_admin_port' '443' '-sd_admin_name' 'admin' '-sd_admin_password'
XXXXXXXX '-clone_start_tls' 'true' '-clone_uri'
'https://ipa01.ix.test.com:443'' returned non-zero exit status 255
creation of replica failed: Configuration of CA failed

More details on the install failure may be in /var/log/ipareplica-ca-install.log and /var/log/pki-ca/debug. I wonder if they are related to the DNS errors you are seeing.
I'll send you these in private.



Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.


Running ipa-ca-install on an IPv6-enabled host is even worse off:

root : DEBUG stderr=gpg: WARNING: unsafe permissions on homedir
`/tmp/tmpQ_4Prsipa/ipa-oymjll/.gnupg'
gpg: keyring `/tmp/tmpQ_4Prsipa/ipa-oymjll/.gnupg/secring.gpg' created
gpg: keyring `/tmp/tmpQ_4Prsipa/ipa-oymjll/.gnupg/pubring.gpg' created
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected

root : DEBUG args=tar xf /tmp/tmpQ_4Prsipa/files.tar -C /tmp/tmpQ_4Prsipa
root : DEBUG stdout=
root : DEBUG stderr=
creation of replica failed: The network address 2001:db8:abab:2::21 does
not match the DNS lookup 192.168.1.21. Check /etc/hosts and ensure that
2001:db8:abab:2::21 is the IP address for ipa02.ix.test.com
root : DEBUG The network address 2001:db8:abab:2::21 does not match the
DNS lookup 192.168.1.21. Check /etc/hosts and ensure that
2001:db8:abab:2::21 is the IP address for ipa02.ix.test.com
File "/usr/sbin/ipa-ca-install", line 156, in <module>

Are these IPs pointing to the right hostnames?

I posted scrambled IPs to the list, but they are configured correctly, yes. And they work for any other traffic.


Rgds,
Siggi

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users