On 07/26/2014 05:25 PM, Erinn Looney-Triggs wrote:
> Well it hasn't been all that pretty trying to move from RHEL 6.5 to
> RHEL 7.
>
> I have two servers providing my ipa instances ipa and ipa2. Given
> that I don't have a great deal of spare capacity the plan was to
> remove ipa2 from the replication agreement, modify DNS so that only
> IPA was available in SRV logs (IPA does not manage DNS at this
> point, was waiting for DNSSEC). As well, I would change my
> sudo-ldap config files to point to ipa and remove ipa2.
>
> Well that all worked well, installed RHEL 7 on the system and
> began working through the steps in the upgrade guide.
>
> First major problem was running into this bug:
> https://fedorahosted.org/freeipa/ticket/4375
> ValueError: nsDS5ReplicaId has 2 values, one expected.
>
> Went and patched the replication.py file to get around that issue,
> and we moved on.
>
> Next up is my current issue: Exception from Java Configuration
> Servlet: Clone does not have all the required certificates.
>
> I suspect this is because I am running the CA as a subordinate to
> an AD CS instance, but I am unsure at this point.
>
> It has been a haul to get here, despite the short explanation. It
> seems that my primary ipa instance is working on only a hit or
> miss basis for Kerberos tickets, which has made all this a bit of a
> pain. You can kinit as admin once, it will fail unable to find KDC,
> try again another three times, it will work. I have even modified
> the krb5.conf file to point directly at the server, thus bypassing
> DNS SRV lookups, however, that hasn't worked.
>
> Point is, any help would be appreciated on the aforementioned
> error.
>
> -Erinn

To reply to myself here, I believe the problem may be that I had to renew the CA certificates and as such the certificates in /root/cacert.p12 are no longer valid. It is this file that gets bundled up with whatever else using ipa-replica-prepare, so I will have to create a new one that has the valid certificates in it.

One way or another though, if it isn't already documented, during a CA renewal this file should probably be updated with the correct certificates.

-Erinn
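
A check for the situation described in the message above, as an added example that is not part of the original post and not FreeIPA code: it lists the certificates in a PKCS#12 bundle that are expired or will expire within a given window. The function names, the password-file argument and the throwaway demo bundle are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not FreeIPA code): report certificates in a PKCS#12 bundle
# that are expired or will expire within a window.

# p12_stale_certs BUNDLE PASSFILE [WINDOW_SECONDS]
# Prints subject and notAfter of each stale certificate.
# Returns 0 if every certificate is good, 1 if any is stale, 2 on read error.
p12_stale_certs() {
    local bundle="$1" passfile="$2" window="${3:-0}"
    local tmp pem stale=0
    tmp=$(mktemp -d) || return 2
    # -nokeys: extract certificates only, private keys stay in the bundle.
    # -passin file: keeps the password off the command line.
    if ! openssl pkcs12 -in "$bundle" -nokeys -passin "file:$passfile" \
            -out "$tmp/all.pem" 2>/dev/null; then
        rm -rf "$tmp"; return 2
    fi
    # Split the PEM output into one file per certificate.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; keep = 1 }
        keep { print > (dir "/cert" n ".pem") }
        /-----END CERTIFICATE-----/ { keep = 0; close(dir "/cert" n ".pem") }
    ' "$tmp/all.pem"
    for pem in "$tmp"/cert*.pem; do
        [ -e "$pem" ] || { rm -rf "$tmp"; return 2; }  # bundle held no certificates
        # -checkend N exits non-zero if the certificate expires within N seconds.
        if ! openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null; then
            openssl x509 -in "$pem" -noout -subject -enddate | paste -sd' ' -
            stale=1
        fi
    done
    rm -rf "$tmp"
    return "$stale"
}

# make_demo_p12 DIR
# Constructed sample input: a throwaway self-signed certificate valid for one
# day, bundled into DIR/demo.p12 with the password stored in DIR/pass.
make_demo_p12() {
    local d="$1"
    printf 'constructed\n' > "$d/pass"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Constructed Demo CA' \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -in "$d/cert.pem" -inkey "$d/key.pem" \
        -passout "file:$d/pass" -out "$d/demo.p12"
}
```

Run against the bundle before ipa-replica-prepare, a status of 1 means at least one certificate in it is past or near its notAfter date, and a status of 2 means the bundle could not be read with the supplied password.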
