On 01/12/2015 03:53 PM, [email protected] wrote:
> Hi,
>
> no ideas about this one?
>
> I'm unsure if I did something wrong, but since I installed both systems the
> same way, I really don't know what could be wrong.
>
> One thing that may be related: The working system (the one that doesn't fail
> to create a replica with "--setup-ca") went productive in April 2014, the one
> that fails in September 2014. In between were several updates to the
> ipa-server package, including one related to Dogtag ("Proxy calls to
> /ca/ee/ca/profileSubmit to PKI to enable installation of replicas with Dogtag
> 10 PKI (#1083878)"). Can this cause errors like the one I observe?

That's a good guess. Installing a RHEL/CentOS 7.0 replica with such a server, without this update, as the master would indeed cause a failure. Did you try updating it?

> Something else I may want to look into? My installations are pretty much
> standard, except that I use an external DNS and have SELinux disabled.

If the referred update does not help, we would need to see the full ipareplica-install.log and PKI logs (/var/log/pki/) on the replica to continue debugging.

>
>
> Best regards,
>
> --Daniel.
>
> On Tue, 6 Jan 2015, [email protected] wrote:
>
>> I have two small FreeIPA installations (for two different realms), both with
>> CentOS 6/FreeIPA 3.0.0-42. After running them both with only one master
>> server each for a while, I attempted to extend both installations with one
>> replica each.
>>
>> Doing a
>>
>> ipa-replica-install --setup-ca /var/lib/ipa/replica-info-...
>>
>> worked fine for one of the installations, but failed for the other:
>>
>> ---
>> [...]
>>
>> [3/17]: configuring certificate server instance ipa : CRITICAL failed to
>> configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA
>> -cs_hostname xxx -cs_port 9445 -client_certdb_dir /tmp/tmp-YsXvhP
>> -client_certdb_pwd XXXXXXXX -preop_pin vJl0m3xc9Oz7b1fIgttD -domain_name IPA
>> -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX
>> -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
>> -agent_cert_subject CN=ipa-ca-agent,O=YYY -ldap_host xxx -ldap_port 7389
>> -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca
>> -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA
>> -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name
>> internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=YYY
>> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=YYY
>> -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=YYY
>> -ca_server_cert_subject_name CN=xxx,O=YYY -ca_audit_signing_cert_subject_name
>> CN=CA Audit,O=YYY -ca_sign_cert_subject_name CN=Certificate Authority,O=YYY
>> -external false -clone true -clone_p12_file ca.p12 -clone_p12_password
>> XXXXXXXX -sd_hostname mmm -sd_admin_port 443 -sd_admin_name admin
>> -sd_admin_password XXXXXXXX -clone_start_tls true -clone_uri https://mmm:443'
>> returned non-zero exit status 255
>>
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>> ---
>>
>> /var/log/ipareplica-install.log:
>>
>> ---
>> [...]
>> Error in DomainPanel(): updateStatus value is null
>> ERROR: ConfigureCA: DomainPanel() failure
>> ERROR: unable to create CA
>>
>> #######################################################################
>>
>> 2015-01-06T13:36:25Z DEBUG stderr=
>> 2015-01-06T13:36:25Z CRITICAL failed to configure ca instance Command
>> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
>> 2015-01-06T13:36:25Z INFO File
>> "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line
>> 614, in run_script
>> return_value = main_function()
>>
>> File "/usr/sbin/ipa-replica-install", line 476, in main
>> (CA, cs) = cainstance.install_replica_ca(config)
>>
>> File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py",
>> line 1626, in install_replica_ca
>> subject_base=config.subject_base)
>>
>> File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py",
>> line 626, in configure_instance
>> self.start_creation(runtime=210)
>>
>> File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line
>> 358, in start_creation
>> method()
>>
>> File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py",
>> line 888, in __configure_instance
>> raise RuntimeError('Configuration of CA failed')
>>
>> 2015-01-06T13:36:25Z INFO The ipa-replica-install command failed, exception:
>> RuntimeError: Configuration of CA failed
>> ---
>>
>> Omitting "--setup-ca" lets me successfully install a working replica server.
>>
>> The problem appears to be my installation (since the other one works) -
>> however: Both (intended) replica servers are nearly identical (operating
>> system version, installed packages, etc.).
>>
>> My understanding is that a replica without a CA is not a 100%-clone of an IPA
>> master, right? What are the downsides of having a replica without a CA?
>
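
Added example, not part of the original thread and not FreeIPA code: the quoted pkisilent command shows password options as XXXXXXXX while the `-preop_pin` value is logged in clear, so a full ipareplica-install.log of the kind requested above can be passed through a filter like this before it is posted to a public list. The option-name pattern (names ending in `_pwd`, `_password` or `_pin`) and the sample line are assumptions modelled on the command quoted in this thread.

```python
import re
import sys

MASK = "XXXXXXXX"
# Assumption: an option is secret-bearing when its name ends in _pwd,
# _password or _pin, as with the pkisilent options in the quoted command.
SECRET_OPT = re.compile(
    r"(?<![\w-])(-\w*_(?:pwd|password|pin)\s+)(\S+?)('?)(?=\s|$)"
)


def redact(text):
    """Mask secret option values; return (redacted_text, values_masked)."""
    masked = 0

    def _sub(m):
        nonlocal masked
        if m.group(2) == MASK:      # value is already masked in the log
            return m.group(0)
        masked += 1
        # Keep the option name and a trailing quote that closes the command.
        return m.group(1) + MASK + m.group(3)

    return SECRET_OPT.sub(_sub, text), masked


# Constructed sample modelled on the failing command; the pin and the bind
# password below are made-up values, not taken from any real log.
SAMPLE = (
    "CRITICAL failed to configure ca instance Command '/usr/bin/perl "
    "/usr/bin/pkisilent ConfigureCA -cs_hostname xxx -cs_port 9445 "
    "-client_certdb_pwd XXXXXXXX -preop_pin CONSTRUCTEDpin0123 "
    "-admin_user admin -bind_dn cn=Directory Manager "
    "-bind_password s3cr3t-constructed' returned non-zero exit status 255\n"
)

if __name__ == "__main__":
    # Usage: python redact_ipa_log.py < ipareplica-install.log > redacted.log
    out, n = redact(sys.stdin.read())
    sys.stdout.write(out)
    sys.stderr.write("masked %d value(s)\n" % n)
```

A value that contains whitespace is masked only up to the first space, so the output still needs a read-through before it is shared.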
