I need to upgrade from IPA3.0 to IPA4.2 (from centos 6.7 to 7.2) and
the replica process is failing to install on the new system:

2016-01-13T17:27:46Z DEBUG Starting external process
2016-01-13T17:27:46Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
'/tmp/tmpjklK4o'
2016-01-13T17:28:19Z DEBUG Process finished, return code=1
2016-01-13T17:28:19Z DEBUG stdout=Log file: /var/log/pki/pki-ca-
spawn.20160113122746.log
Loading deployment configuration from /tmp/tmpjklK4o.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-
tomcat/ca/deployment.cfg.

Installation failed.


2016-01-13T17:28:19Z DEBUG stderr=/usr/lib/python2.7/site-
packages/urllib3/connectionpool.py:769: InsecureRequestWarning:
Unverified HTTPS request is being made. Adding certifi
cate verification is strongly advised. See: https://urllib3.readthedocs
.org/en/latest/security.html
  InsecureRequestWarning)
pkispawn    : WARNING  ....... unable to validate security domain
user/password through REST interface. Interface not available
pkispawn    : ERROR    ....... Exception from Java Configuration
Servlet: 500 Server Error: Internal Server Error
pkispawn    : ERROR    ....... ParseError: not well-formed (invalid
token): line 1, column 0:
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.P
KIException
","Code":500,"Message":"Clone does not have all the required
certificates"} 

2016-01-13T17:28:19Z CRITICAL Failed to configure CA instance: Command
''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpjklK4o'' returned non-
zero exit status 1
2016-01-13T17:28:19Z CRITICAL See the installation logs and the
following files/directories for more information:
2016-01-13T17:28:19Z CRITICAL   /var/log/pki-ca-install.log
2016-01-13T17:28:19Z CRITICAL   /var/log/pki/pki-tomcat
2016-01-13T17:28:19Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", 
line 418, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", 
line 408, in run_step
    method()
  File "/usr/lib/python2.7/site-
packages/ipaserver/install/cainstance.py", line 620, in
__spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-
packages/ipaserver/install/dogtaginstance.py", line 201, in
spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-
packages/ipaserver/install/dogtaginstance.py", line 465, in
handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

2016-01-13T17:28:19Z DEBUG   [error] RuntimeError: CA configuration
failed.
2016-01-13T17:28:19Z DEBUG   File "/usr/lib/python2.7/site-
packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py",
line 311, in run






It looks to me that the original, first install version 3.0 system is 
generating a bad gpg file.  Will a reinstall of the orginal cert file solve 
this? If so, where and what is the best procedure? Is there a way to add CA 
capability to an existing master replicant by reusing it's original replica.gpg 
file?


Background: the old v3.0 system runs on a virtual machine (ovirt). The physical 
host had a series of "bad days" that involved multiple crashes and lock-ups 
that were ultimately attributed to insufficient cooling of the RAID card. It is 
suspected that the data was scrambled on the drive. The original cert is backed 
up but the remaining machine backups are of dubious quality (long story - bad 
week at the datacenter).


This is the last system on old hardware that was hit when the datacenter 
cooling totally failed and erased all the backups. Some days your're the 
pigeon, some days you're the statue.




-- 








  
  


Jim Kinney

Senior System Administrator

36 Eagle Row Suite 588

Department of Biomedical Informatics

Emory University School of Medicine

jkin...@emory.edu

404-712-0300


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to