On Monday, January 05, 2015 10:40:08 PM Endi Sukma Dewata wrote:
> On 1/5/2015 8:53 PM, Martin Kosek wrote:
> > On 01/05/2015 02:05 PM, Anthony Messina wrote:
> >>>> I was hoping to "migrate" from F20 to F21 using:
> >>>> http://www.freeipa.org/page/Howto/Migration
> >>>> http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
> >>>
> >>> The migration procedure is only needed if you run FreeIPA server with
> >>> PKI based on Dogtag (pki-ca package) 9. Do you? Is your Fedora 20
> >>> FreeIPA&PKI instance functional? FreeIPA+Dogtag 9 is not supported
> >>> since Fedora 18, so I was surprised such a setup worked in Fedora 20.
> >>
> >> I don't use Dogtag 9. I installed FreeIPA freshly on a F19 VM, then yum
> >> upgraded to F20. With the significant changes for Fedora.next,
> >> systemd-216, and FreeIPA 4, I wanted to create a new "master" (and
> >> retire the old) by replicating the current F20 3.3.5 master to what
> >> would become an F21 4.1.2 master.
> >
> > Ah, makes more sense then. The PKI error below gets more serious then -
> > Fraser and Endi, please help Anthony.
>
> I'm discussing this with Ade (CC'd). Based on the stack trace it looks
> like the replica thinks the master returns incomplete information
> about the security domain, probably due to the different Dogtag versions
> used in master and replica.
>
> We need some additional info:
>
> 1. What is the pki-ca version on the master (F20)?
pki-ca-10.1.2-7.fc20.noarch

> 2. What is the pki-ca version on the replica (F21)?

pki-ca-10.2.0-5.fc21.noarch

> 3. What is the output of this URL on the master?
> https://<master>:8443/ca/rest/securityDomain/domainInfo

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<DomainInfo id="IPA">
  <Subsystem id="CA">
    <Host id="CA ipa1.example.com 443">
      <Clone>FALSE</Clone>
      <DomainManager>TRUE</DomainManager>
      <Hostname>ipa1.example.com</Hostname>
      <Port>80</Port>
      <SecureAdminPort>443</SecureAdminPort>
      <SecureAgentPort>443</SecureAgentPort>
      <SecureEEClientAuthPort>443</SecureEEClientAuthPort>
      <SecurePort>443</SecurePort>
      <SubsystemName>CA ipa1.example.com 8443</SubsystemName>
    </Host>
    <Host id="CA ipa2.example.com 443">
      <Clone>TRUE</Clone>
      <DomainManager>TRUE</DomainManager>
      <Hostname>ipa2.example.com</Hostname>
      <Port>80</Port>
      <SecureAdminPort>443</SecureAdminPort>
      <SecureAgentPort>443</SecureAgentPort>
      <SecureEEClientAuthPort>443</SecureEEClientAuthPort>
      <SecurePort>443</SecurePort>
      <SubsystemName>CA ipa2.example.com 8443</SubsystemName>
    </Host>
  </Subsystem>
</DomainInfo>

--
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
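
One way to sanity-check a domainInfo response like the one posted above before attempting a replica install. This is an added example, not part of the original thread and not Dogtag or FreeIPA code. It assumes the nine child elements seen in that response are the full set for a Host entry; the ipa3 entry in the sample is constructed to show a partial record.

```python
import xml.etree.ElementTree as ET

# Assumption: the nine child elements in the posted response are the full set.
EXPECTED = ("Clone", "DomainManager", "Hostname", "Port", "SecureAdminPort",
            "SecureAgentPort", "SecureEEClientAuthPort", "SecurePort",
            "SubsystemName")

def check_domain_info(xml_text):
    """Return {host id: [findings]} for each <Host> in a DomainInfo document."""
    report = {}
    for host in ET.fromstring(xml_text).iter("Host"):
        fields = {c.tag: (c.text or "").strip() for c in host}
        findings = [f"missing <{n}>" for n in EXPECTED if not fields.get(n)]
        secure = fields.get("SecurePort", "")
        # The last token of the id and of SubsystemName looks like a port;
        # report it when it differs from SecurePort (observation, not verdict).
        for label, value in (("id", host.get("id", "")),
                             ("SubsystemName", fields.get("SubsystemName", ""))):
            port = value.rsplit(" ", 1)[-1]
            if secure and port.isdigit() and port != secure:
                findings.append(f"{label} port {port} != SecurePort {secure}")
        report[host.get("id")] = findings
    return report

# ipa1/ipa2 as posted in the thread; ipa3 is constructed to show a partial entry.
SAMPLE = """<DomainInfo id="IPA"><Subsystem id="CA">
<Host id="CA ipa1.example.com 443">
  <Clone>FALSE</Clone><DomainManager>TRUE</DomainManager>
  <Hostname>ipa1.example.com</Hostname><Port>80</Port>
  <SecureAdminPort>443</SecureAdminPort><SecureAgentPort>443</SecureAgentPort>
  <SecureEEClientAuthPort>443</SecureEEClientAuthPort><SecurePort>443</SecurePort>
  <SubsystemName>CA ipa1.example.com 8443</SubsystemName>
</Host>
<Host id="CA ipa2.example.com 443">
  <Clone>TRUE</Clone><DomainManager>TRUE</DomainManager>
  <Hostname>ipa2.example.com</Hostname><Port>80</Port>
  <SecureAdminPort>443</SecureAdminPort><SecureAgentPort>443</SecureAgentPort>
  <SecureEEClientAuthPort>443</SecureEEClientAuthPort><SecurePort>443</SecurePort>
  <SubsystemName>CA ipa2.example.com 8443</SubsystemName>
</Host>
<Host id="CA ipa3.example.com 443">
  <Hostname>ipa3.example.com</Hostname><SecurePort>443</SecurePort>
</Host>
</Subsystem></DomainInfo>"""

if __name__ == "__main__":
    for host_id, findings in check_domain_info(SAMPLE).items():
        print(host_id, "->", findings or "ok")
```

Run it against output fetched from your own master; the findings are prompts for what to compare between the two pki-ca versions, not a diagnosis of the failure discussed in the thread.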