I've had some great success in the past 48 hours in recovering my system.
Here's where I stand right now:
1. I successfully stood up a new replica (ipamaster7) and transferred CA
authority to it from my old master (ipamaster).
2. I shut down ipamaster and re-baselined it.
3. I created a new replica file from ipamaster7 for ipamaster (to transfer
4. I reinstalled the IPA software on ipamaster. I also made a small change
to CS.cfg to work around my earlier CA problem.
5. I ran "ipa-replica-install --setup-dns --no-forwarders
replica-info-ipamaster.foo.net.gpg", which ran to completion.
6. I attempted to run "ipa-ca-install replica-info-ipamaster.foo.net.gpg",
which failed due to a 403 error.
/var/log/ipareplica-ca-install.log showed this:
2013-09-09T07:10:30Z DEBUG Starting external process
2013-09-09T07:10:30Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpyIMTdo
2013-09-09T07:10:31Z DEBUG Process finished, return code=1
2013-09-09T07:10:31Z DEBUG stdout=Loading deployment configuration from
ERROR: Unable to access security domain: 403 Client Error: Forbidden
2013-09-09T07:10:31Z DEBUG stderr=
2013-09-09T07:10:31Z CRITICAL failed to configure ca instance Command
'/usr/sbin/pkispawn -s CA -f /tmp/tmpyIMTdo' returned non-zero exit status 1
2013-09-09T07:10:31Z INFO File
619, in run_script
return_value = main_function()
File "/usr/sbin/ipa-ca-install", line 182, in main
config, dogtag_master_ds_port, postinstall=True)
line 1809, in install_replica_ca
line625, in configure_instance
line 358, in start_creation
line 744, in __spawn_instance
raise RuntimeError('Configuration of CA failed')
2013-09-09T07:10:31Z INFO The ipa-ca-install command failed, exception:
RuntimeError: Configuration of CA failed
Does this look familiar to anyone? I'd like to complete the transition back
to ipamaster so that I can then finish cleaning up the dead replicas. Until
I can do this, I'll have to leave ipamaster7 in place as my master.