Hi,

I've got a FreeIPA setup at home I just built the other week on Fedora 16. It's a very small/basic setup I'm mainly using for secure NFS+Kerberos and automount. Today, I updated everything and rebooted, and all seemed to be working okay (even /var/log/ipaupgrade.log). I'm now running:


freeipa-python-2.1.4-7.fc16.x86_64
freeipa-client-2.1.4-7.fc16.x86_64
freeipa-admintools-2.1.4-7.fc16.x86_64
freeipa-server-2.1.4-7.fc16.x86_64
freeipa-server-selinux-2.1.4-7.fc16.x86_64
dogtag-pki-common-theme-9.0.11-1.fc16.noarch
dogtag-pki-ca-theme-9.0.11-1.fc16.noarch
pki-symkey-9.0.19-1.fc16.x86_64
pki-java-tools-9.0.19-1.fc16.noarch
pki-setup-9.0.19-1.fc16.noarch
pki-common-9.0.19-1.fc16.noarch
pki-silent-9.0.19-1.fc16.noarch
pki-util-9.0.19-1.fc16.noarch
pki-selinux-9.0.19-1.fc16.noarch
pki-ca-9.0.19-1.fc16.noarch

I went to try and setup a replica following the docs at http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Setting_up_IPA_Replicas.html and ran into a problem I can't figure out (after checking logs, list, google, and BZ searches):

[root@<master> log]# ipa-replica-prepare <replica fqdn>
Directory Manager (existing master) password:

Preparing replica for <replica fqdn> from <master fqdn>
Creating SSL certificate for the Directory Server
Certificate issuance failed

I just ran it again, with a tail on /var/log/pki-ca/debug and this is what it spat out:

[04/May/2012:14:44:09][http-9444-1]: CMSServlet:service() uri = /ca/ee/ca/profileSubmitSSLClient [04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param name='cert_request_type' value='pkcs10' [04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param name='cert_request' value='MIICcjCCAVoCAQAwLTESMBAGA1UEChMJWUVXRVNTLlVTMRcwFQYDVQQDEw5raW5n
...cut...
H3dNbe4A
'
[04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param name='requestor_name' value='IPA Installer' [04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param name='xmlOutput' value='true' [04/May/2012:14:44:09][http-9444-1]: CMSServlet::service() param name='profileId' value='caIPAserviceCert' [04/May/2012:14:44:09][http-9444-1]: CMSServlet: caProfileSubmitSSLClient start to service.
[04/May/2012:14:44:09][http-9444-1]: xmlOutput true
[04/May/2012:14:44:09][http-9444-1]: Start of ProfileSubmitServlet Input Parameters [04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input Parameter cert_request_type='pkcs10' [04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input Parameter cert_request='MIICcjCCAVoCAQAwLTESMBAGA1UEChMJWUVXRVNTLlVTMRcwFQYDVQQDEw5raW5n
...cut...
H3dNbe4A
'
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input Parameter requestor_name='IPA Installer' [04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input Parameter xmlOutput='true' [04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet Input Parameter profileId='caIPAserviceCert' [04/May/2012:14:44:09][http-9444-1]: End of ProfileSubmitServlet Input Parameters
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet: start serving
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet: SubId=profile
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet: isRenewal false
[04/May/2012:14:44:09][http-9444-1]: ProfileSubmitServlet: profileId caIPAserviceCert [04/May/2012:14:44:09][http-9444-1]: CMSServlet: curDate=Fri May 04 14:44:09 EDT 2012 id=caProfileSubmitSSLClient time=11

Which also looks normal (to me). Though I've done nothing intentional with anything certificate related, again this is mainly a setup for kerberos. Where else can I look, or what can I run to get more clues why ipa-replica-prepare is failing?

Thanks.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to