On 3/10/15 10:06 AM, Alexander Bokovoy wrote:
> We have http://www.freeipa.org/page/Documentation#User_Guides and going
> through user guide would be our recommended action. There is a whole
> chapter 6 in RHEL7 docs for upgrades and migration.

Ah, I see it now.  I had no idea from the name that " Linux Domain
Identity, Authentication and Policy Guide for RHEL 7" referred to the
general user/admin guide.  As a newb to FreeIPA and domain management in
general, it looked like word soup.  Sorry for the noise.  :P

> Looks like you don't have CA installed on auth.internal so you don't
> need to update CA schema there. 


So I started the install on the CentOS7 machine, and it almost
completed, but failed out with this error:

> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
> 30 seconds
>   [1/19]: creating certificate server user
>   [2/19]: configuring certificate server instance
> ipa         : CRITICAL failed to configure ca instance Command
> '/usr/sbin/pkispawn -s CA -f /tmp/tmp2_03I3' returned non-zero exit
> status 1

In the ipareplica-install.log file, I find this:

> Storing deployment configuration into
> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
> Installation failed.
> 2015-03-10T14:12:04Z DEBUG stderr=pkispawn    : WARNING  .......
> unable to validate security domain user/password through REST
> interface. Interface not available
> pkispawn    : ERROR    ....... Exception from Java Configuration
> Servlet: Error while updating security domain: java.io.IOException:
> java.io.IOException: SocketException cannot read on socket
> 2015-03-10T14:12:04Z CRITICAL failed to configure ca instance Command
> '/usr/sbin/pkispawn -s CA -f /tmp/tmp2_03I3' returned non-zero exit
> status 1
> 2015-03-10T14:12:04Z DEBUG   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
> line 638, in run_script

I ran `ipa-server-install --uninstall` to undo everything, as it
suggested.  Then I generated a new replica file on the RHEL6 machine
with `ipa-replica-prepare` and tried the install again.  This time, it
successfully finishes, but the last thing it says is:

> Done configuring directory server (dirsrv).
> A CA is already configured on this system.

...which makes me think it just didn't undo everything when I did
`ipa-server-install --uninstall` and the CA isn't actually set up
properly.  Is there a good way to confirm everything is actually working
as expected?


Benjamin Reed
The OpenNMS Group

Attachment: signature.asc
Description: OpenPGP digital signature

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to