On 07/26/2014 05:25 PM, Erinn Looney-Triggs wrote:
> Well it hasn't been all that pretty trying to move from RHEL 6.5 to
> RHEL 7.
> I have two servers providing my ipa instances ipa and ipa2. Given
> that I don't have a great deal of spare capacity the plan was to
> remove ipa2 from the replication agreement, modify DNS so that only
> IPA was available in SRV logs (IPA does not manage DNS at this
> point, was waiting for DNSSEC). As well, I would change my
> sudo-ldap config files to point to ipa and remove ipa2.
> Well that all worked well, installed RHEL 7 on the system and
> began working through the steps in the upgrade guide.
> First major problem was running into this bug: 
> https://fedorahosted.org/freeipa/ticket/4375 ValueError:
> nsDS5ReplicaId has 2 values, one expected.
> Went and patched the replication.py file to get around that issue,
> and we moved on.
> Next up is my current issue: Exception from Java Configuration 
> Servlet: Clone does not have all the required certificates.
> I suspect this is because I am running the CA as a subordinate to
> an AD CS instance, but I am unsure at this point.
> It has been a haul to get here, despite the short explanation. It 
> seems that my primary ipa instance is working on only a hit or
> miss basis for kerberos tickets which has made all this a bit of a
> pain. You can kinit as admin once it will fail unable to find KDC,
> try again another three times, it will work. I have even modified
> the krb5.conf file to point directly at the server, thus bypassing
> DNS SRV lookups, however, that hasn't worked.
> Point is, any help would be appreciated on the aforementioned
> error.
> -Erinn

To reply to myself here, I believe the problem may be that I had to
renew the CA certificates and as such the certificates in
/root/cacert.p12 are no longer valid. It is this file that gets
bundled up with whatever else using ipa-replica-prepare, so I will
have to create a new one that has the valid certificates in it.

One way or another though, if it isn't already documented, during a CA
renewal this file should probably be updated with the correct

-Erinn

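The suspicion above, that a PKCS#12 bundle built before a CA renewal no longer holds the certificates the CA actually serves, is easy to verify before running ipa-replica-prepare. The following POSIX shell script is an added example, not part of the thread and not FreeIPA's own tooling. It assumes only that `openssl` is on PATH. It extracts every certificate from a bundle, counts how many have already expired, and checks whether any of them matches (by SHA-256 fingerprint) the CA certificate currently in use. The bundle path, password and reference CA file are assumptions; the "old" and "renewed" self-signed CAs created by `make_demo_bundle` are constructed test data standing in for a CA before and after renewal.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes openssl is installed.
# Demo data (old/renewed CA, cacert.p12, password "demo") is constructed.

# Split a PEM stream on stdin into $1/cert1.pem, $1/cert2.pem, ...
split_pem() {
  awk -v dir="$1" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
    f { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }'
}

# SHA-256 fingerprint of a PEM certificate (the part after "=").
cert_fp() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Number of already-expired certificates in bundle $1 (password $2).
# A stale /root/cacert.p12 typically shows up here as a non-zero count.
p12_expired_count() {
  d=$(mktemp -d)
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | split_pem "$d"
  n=0
  for f in "$d"/cert*.pem; do
    [ -f "$f" ] || continue
    # -checkend 0 exits non-zero when the certificate is expired now
    openssl x509 -in "$f" -noout -checkend 0 >/dev/null || n=$((n + 1))
  done
  rm -rf "$d"
  echo "$n"
}

# Succeed (exit 0) only if some certificate in bundle $1 (password $2)
# is byte-for-byte the CA certificate in PEM file $3. After a CA renewal
# the bundle must be rebuilt if this check fails.
p12_matches_ca() {
  ref=$(cert_fp "$3")
  d=$(mktemp -d)
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | split_pem "$d"
  rc=1
  for f in "$d"/cert*.pem; do
    [ -f "$f" ] || continue
    [ "$(cert_fp "$f")" = "$ref" ] && rc=0
  done
  rm -rf "$d"
  return $rc
}

# Build constructed demo data: an "old" CA bundled into cacert.p12 and a
# "renewed" CA that the bundle does not contain. Prints the directory.
make_demo_bundle() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$d/old.key" -out "$d/old.pem" -subj "/CN=Demo IPA CA (old)" 2>/dev/null
  openssl pkcs12 -export -inkey "$d/old.key" -in "$d/old.pem" \
    -out "$d/cacert.p12" -passout pass:demo 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$d/new.key" -out "$d/new.pem" -subj "/CN=Demo IPA CA (renewed)" 2>/dev/null
  echo "$d"
}

# Stand-alone usage: ./check_p12.sh --demo
case "${1:-}" in
  --demo)
    demo=$(make_demo_bundle)
    echo "expired certs in bundle: $(p12_expired_count "$demo/cacert.p12" demo)"
    if p12_matches_ca "$demo/cacert.p12" demo "$demo/new.pem"; then
      echo "bundle matches the renewed CA"
    else
      echo "bundle does NOT contain the renewed CA: rebuild it before ipa-replica-prepare"
    fi
    rm -rf "$demo"
    ;;
esac
```

Against a real deployment the reference file would be the CA certificate the server currently presents (for example the one exported from its NSS database), and the bundle would be `/root/cacert.p12` with its real password; a mismatch is exactly the condition under which a freshly prepared replica would be handed certificates the CA no longer recognises.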