On Monday, January 05, 2015 10:40:08 PM Endi Sukma Dewata wrote:
> On 1/5/2015 8:53 PM, Martin Kosek wrote:
> > On 01/05/2015 02:05 PM, Anthony Messina wrote:
> >>>> I was hoping to "migrate" from F20 to F21 using:
> >>>> http://www.freeipa.org/page/Howto/Migration
> >>>> http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
> >>> 
> >>> The migration procedure is only needed if you run FreeIPA server with
> >>> PKI based on Dogtag (pki-ca package) 9. Do you? Is your Fedora 20
> >>> FreeIPA&PKI instance functional? FreeIPA+Dogtag 9 is not supported
> >>> since Fedora 18, so I was surprised such setup worked in Fedora 20.
> >> 
> >> I don't use Dogtag 9.  I installed FreeIPA freshly on a F19 VM, then yum
> >> upgraded to F20.  With the significant changes for Fedora.next,
> >> systemd-216, and FreeIPA 4, I wanted to create a new "master" (and
> >> retire the old) by replicating the current F20 3.3.5 master to what
> >> would become an F21 4.1.2 master.
> >
> > Ah, makes more sense then. The PKI error below gets more serious then -
> > Fraser and Endi, please help Anthony.
> I'm discussing this with Ade (CC'd). Based on the stack trace it looks 
> like the replica thinks the master returns incomplete information
> about the security domain, probably due to the different Dogtag versions 
> used in master and replica.
> We need some additional info:
> 1. What is the pki-ca version on the master (F20)?


> 2. What is the pki-ca version on the replica (F21)?


> 3. What is the output of this URL on the master?
>     https://<master>:8443/ca/rest/securityDomain/domainInfo

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<DomainInfo id="IPA">
  <Subsystem id="CA">
    <Host id="CA ipa1.example.com 443">
      <SubsystemName>CA ipa1.example.com 8443</SubsystemName>
    <Host id="CA ipa2.example.com 443">
      <SubsystemName>CA ipa2.example.com 8443</SubsystemName>

Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
