I've had some great success in the past 48 hours in recovering my system.
Here's where I stand right now:

1. I successfully stood up a new replica (ipamaster7) and transferred CA
authority to it from my old master (ipamaster).
2. I shut down ipamaster and re-baselined it.
3. I created a new replica file from ipamaster7 for ipamaster (to transfer
everything back).
4. I reinstalled the IPA software on ipamaster. I also made a small change
to CS.cfg to work around my earlier CA problem.
5. I ran "ipa-replica-install --setup-dns --no-forwarders
replica-info-ipamaster.foo.net.gpg", which ran to completion.
6. I attempted to run "ipa-ca-install replica-info-ipamaster.foo.net.gpg",
which failed due to a 403 error.

/var/log/ipareplica-ca-install.log showed this:

2013-09-09T07:10:30Z DEBUG Starting external process
2013-09-09T07:10:30Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpyIMTdo
2013-09-09T07:10:31Z DEBUG Process finished, return code=1
2013-09-09T07:10:31Z DEBUG stdout=Loading deployment configuration from
ERROR: Unable to access security domain: 403 Client Error: Forbidden

2013-09-09T07:10:31Z DEBUG stderr=
2013-09-09T07:10:31Z CRITICAL failed to configure ca instance Command
'/usr/sbin/pkispawn -s CA -f /tmp/tmpyIMTdo' returned non-zero exit status 1
2013-09-09T07:10:31Z INFO    File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line
619, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-ca-install", line 182, in main
    config, dogtag_master_ds_port, postinstall=True)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 1809, in install_replica_ca

  File "/usr/ib/python2.7/site-packages/ipaserver/install/cainstance.py",
line625, in configure_instance

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 358, in start_creation

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 744, in __spawn_instance
    raise RuntimeError('Configuration of CA failed')

2013-09-09T07:10:31Z INFO The ipa-ca-install command failed, exception:
RuntimeError: Configuration of CA failed

Does this look familiar to anyone? I'd like to complete the transition back
to ipamaster so that I can then finish cleaning up the dead replicas. Until
I can do this, I'll have to leave ipamaster7 in place as my master.

*Bret Wortman*

Freeipa-users mailing list