On 1/5/2015 8:53 PM, Martin Kosek wrote:
On 01/05/2015 02:05 PM, Anthony Messina wrote:
I was hoping to "migrate" from F20 to F21 using:
http://www.freeipa.org/page/Howto/Migration
http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master

The migration procedure is only needed if you run FreeIPA server with PKI based
on Dogtag (pki-ca package) 9. Do you? Is your Fedora 20 FreeIPA&PKI instance
functional? FreeIPA+Dogtag 9 is not supported since Fedora 18, so I was
surprised such setup worked in Fedora 20.

I don't use Dogtag 9.  I installed FreeIPA freshly on a F19 VM, then yum
upgraded to F20.  With the significant changes for Fedora.next, systemd-216,
and FreeIPA 4, I wanted to create a new "master" (amd retire the old) by
replicating the current F20 3.3.5 master to what would become an F21 4.1.2 
master.

Ah, makes more sense then. The PKI error below gets more serious then - Fraser
and Endi, please help Anthony.

I'm discussing this with Ade (CC'd). Based on the stack trace it looks like the replica thinks the master returns an incomplete information about the security domain, probably due to the different Dogtag versions used in master and replica.

We need some additional info:

1. What is the pki-ca version on the master (F20)?
2. What is the pki-ca version on the replica (F21)?
3. What is the output of this URL on the master?
   https://<master>:8443/ca/rest/securityDomain/domainInfo

Thanks.

--
Endi S. Dewata

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to