Trying to migrate from CentOS 6.6 with FreeIPA 3.0.0-42 to CentOS 7.0 with FreeIPA 3.3.3-28 by using replication.

I have prepared the replication file and moved it to the new replica server. Configured firewalld and installed IPA and other needed packages via yum.

When running "ipa-replica-install --setup-ca -d" the installation always gets stuck on:

"Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
[2/19]: configuring certificate server instance
ipa         : DEBUG    Starting external process
ipa         : DEBUG    args=/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5
ipa         : DEBUG    Process finished, return code=1
ipa : DEBUG stdout=Loading deployment configuration from /tmp/tmpHJBhR5.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.

ipa : DEBUG stderr=pkispawn : WARNING ....... unable to validate security domain user/password through REST interface. Interface not available
pkispawn : ERROR ....... Exception from Java Configuration Servlet: Error while updating security domain: SocketException cannot read on socket

ipa : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5' returned non-zero exit status 1

Between the attempts I have cleaned up the ipa and pki configurations and deleted the old replication agreement.

Apache logs on the old CentOS 6 server have these errors.
----------------------------------------------------------------------
- - [19/Feb/2015:11:38:44 +0200] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1158
- - [19/Feb/2015:11:38:44 +0200] "POST /ca/admin/ca/updateDomainXML HTTP/1.0" 404 -
- - [19/Feb/2015:11:38:44 +0200] "POST /ca/agent/ca/updateDomainXML HTTP/1.0" 403 323
[Thu Feb 19 11:38:44 2015] [error] Bad remote server certificate: -8181
[Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate has expired
[Thu Feb 19 11:38:44 2015] [error] Re-negotiation handshake failed: Not accepted by client!?

Which certificate does this mean? ca.crt has more than five years left.

Clocks are synced, /ca/admin/ca/updateDomainXML can be found in ipa-pki-proxy.conf and there is no obvious reason. Any hints?
-- Jani West
