On 02/19/2015 10:07 AM, Jani West wrote:
Trying to migrate from CentOS 6.6 with FreeIPA 3.0.0-42 to CentOS 7.0 with FreeIPA 3.3.3-28 by using replication.

I have prepared replication file and moved it to the new replica server. Configured the firewalld and installed Ipa and other needed packages via yum.

When running "ipa-replica-install --setup-ca -d", the installation always gets stuck on:

"Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
[2/19]: configuring certificate server instance
ipa         : DEBUG    Starting external process
ipa         : DEBUG    args=/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5
ipa         : DEBUG    Process finished, return code=1
ipa : DEBUG stdout=Loading deployment configuration from /tmp/tmpHJBhR5.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.

ipa : DEBUG stderr=pkispawn : WARNING ....... unable to validate security domain user/password through REST interface. Interface not available
pkispawn : ERROR ....... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: java.io.IOException: SocketException cannot read on socket

ipa : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5' returned non-zero exit status 1

Between the attempts I have cleaned up the ipa and pki configurations and deleted the old replication agreement.

Apache logs on old CentOS 6 server have these errors.
----------------------------------------------------------------------
- - [19/Feb/2015:11:38:44 +0200] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1158
- - [19/Feb/2015:11:38:44 +0200] "POST /ca/admin/ca/updateDomainXML HTTP/1.0" 404 -
- - [19/Feb/2015:11:38:44 +0200] "POST /ca/agent/ca/updateDomainXML HTTP/1.0" 403 323
[Thu Feb 19 11:38:44 2015] [error] Bad remote server certificate: -8181
[Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate has expired
[Thu Feb 19 11:38:44 2015] [error] Re-negotiation handshake failed: Not accepted by client!?

Which certificate does this refer to? ca.crt has more than five years left.

Clocks are synced, /ca/admin/ca/updateDomainXML can be found in ipa-pki-proxy.conf, and there is no obvious reason. Any hints?

Are CA ports accessible on your master? Can you check your FW please?

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
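Added example, not part of the thread: a small script to run from the new replica that does the two checks the reply asks for, TCP reachability of the master's CA ports (a firewall drop shows up here) and a TLS handshake against each port verified with the replica's copy of /etc/ipa/ca.crt, so an expired service certificate surfaces as a verification error, the same condition mod_nss logs as -8181. The port list (443, 9443, 9444, 9445) is an assumption based on the Dogtag 9 layout of a FreeIPA 3.0 master on CentOS 6; adjust it to whatever your ipa-pki-proxy.conf forwards to, and the hostname is a placeholder.

```python
#!/usr/bin/env python3
"""Check CA port reachability and certificate validity on a FreeIPA master."""
import socket
import ssl
import sys
import time

# Assumed port layout for a FreeIPA 3.0 / Dogtag 9 master (CentOS 6);
# adjust to the ports your ipa-pki-proxy.conf actually forwards to.
CA_PORTS = {443: "httpd / ipa-pki-proxy", 9443: "CA agent",
            9444: "CA admin/EE", 9445: "CA EE (client auth)"}
IPA_CA_CERT = "/etc/ipa/ca.crt"   # trust anchor the replica already has

def days_left(not_after, now=None):
    """Days until a notAfter value in the ssl module's format,
    e.g. 'Feb 19 11:38:44 2020 GMT'; negative means already expired."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)

def port_open(host, port, timeout=3.0):
    """TCP reachability only; a firewall dropping the CA ports fails here."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def tls_check(host, port, ca_file=IPA_CA_CERT, timeout=3.0):
    """Handshake with the server cert verified against the IPA CA.
    Returns (ok, detail); an expired cert fails verification here."""
    try:
        ctx = ssl.create_default_context(cafile=ca_file)
        ctx.check_hostname = False   # Dogtag ports may present a non-host CN
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
        exp = cert["notAfter"]
        return True, "notAfter=%s (%d day(s) left)" % (exp, days_left(exp))
    except OSError as e:              # ssl.SSLError is a subclass of OSError
        return False, str(e)

def check_master(host):
    """Run both checks on every CA port; returns {port: (open, tls_ok, detail)}."""
    results = {}
    for port, role in CA_PORTS.items():
        reachable = port_open(host, port)
        tls_ok, detail = tls_check(host, port) if reachable else (False, "closed or filtered")
        results[port] = (reachable, tls_ok, detail)
        print("%-5d %-22s reachable=%-5s tls_ok=%-5s %s" % (port, role, reachable, tls_ok, detail))
    return results

if __name__ == "__main__":
    check_master(sys.argv[1] if len(sys.argv) > 1 else "ipa-master.example.test")
```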
