Hi,

If you're cloning from an IPA running on RHEL/CentOS 6 with CA signed by 
another CA you are likely hitting this issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1291747

The bug has been fixed in this package: pki-ca-9.0.3-45. You'll need to install 
it on the master, then restart the server, then try cloning again.

The latest PKI available on RHEL/CentOS 7 is version 10.2.5, but it's patched 
with relevant bug fixes from newer versions.

If you're still having a problem, try enabling the debug log on the master and 
clone by setting the following property in CS.cfg:
debug.level=1

See also: http://pki.fedoraproject.org/wiki/PKI_Server_Logs

--
Endi S. Dewata

----- Original Message -----
> Hi Martin
> 
> I am happy to provide the necessary information. What packages should I check
> for? As for IPA we are IPA CA being signed with other CA
> 
> Thank You
> 
> On Wed, Jan 27, 2016 at 2:24 AM, Martin Kosek < mko...@redhat.com > wrote:
> 
> 
> On 01/26/2016 09:45 PM, Ash Alam wrote:
> > I didn't want to dig up an old thread but I am running into this issue. The
> > old thread points to Pki 10.2.6 as the solution but I am not seeing that
> > package on centos 7.2.
> > 
> > STDERR: ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
> > configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f'
> > '/tmp/tmpHfdvFD'' returned non-zero exit status 1
> 
> CCing David and Endi, they might have an idea what is wrong. There were
> several
> recent fixes, to again fix RHEL-6 to RHEL-7 migration, we would need to check
> if you have them installed. As for your RHEL-6 IPA setup, is it running with
> External CA, i.e. IPA CA with being signed with other CA?
> 
> > 
> > On Tue, Jan 26, 2016 at 12:14 PM, Ash Alam < aa...@paperlesspost.com >
> > wrote:
> > 
> >> thank you! Out of curiosity has anyone been able to automate this using
> >> chef/puppet etc?
> >> 
> >> On Tue, Jan 26, 2016 at 10:56 AM, Martin Kosek < mko...@redhat.com >
> >> wrote:
> >> 
> >>> Did you follow the instructions in the error message? There is also a
> >>> longer
> >>> description here:
> >>> 
> >>> 
> >>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html#migrating-ipa-proc
> >>> 
> >>> Martin
> >>> 
> >>> On 01/26/2016 04:38 PM, Ash Alam wrote:
> >>>> I wanted to follow up on this as I have finally gotten around to doing the
> >>>> upgrade. I am running into this error. I also found a bugzilla ticket.
> >>> Do
> >>>> you have to do some type of schema upgrade like you do with active
> >>>> directory?
> >>>> 
> >>>> https://bugzilla.redhat.com/show_bug.cgi?id=1235766
> >>>> 
> >>>> STDERR: ipa : CRITICAL The master CA directory server does
> >>> not
> >>>> have necessary schema. Please copy the following script to all CA
> >>> masters
> >>>> and run it on them: /usr/share/ipa/copy-schema-to-ca.py
> >>>> 
> >>>> If you are certain that this is a false positive, use
> >>>> --skip-schema-check.
> >>>> 
> >>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR IPA schema
> >>>> missing on master CA directory server
> >>>> 
> >>>> 
> >>>> 
> >>>> Thank You
> >>>> 
> >>>> 
> >>>> 
> >>>> 
> >>>> On Fri, Nov 20, 2015 at 11:13 AM, Martin Kosek < mko...@redhat.com >
> >>> wrote:
> >>>> 
> >>>>> On 11/20/2015 04:08 PM, Ash Alam wrote:
> >>>>> 
> >>>>>> Most of the clients in my env are centos 6.6 with ipa 3.0.0 client
> >>>>>> installed. If
> >>>>>> I bring up a replica on centos 7.2 with ipa 4.2.3 server and then
> >>> start
> >>>>>> phasing out the older 3.0.0 servers. Will the client that are still
> >>>>>> running the
> >>>>>> older client software still work?
> >>>>>> 
> >>>>> 
> >>>>> It should, yes. It is expected that there are RHEL/CentOS-6 clients
> >>> with
> >>>>> RHEL-7 FreeIPA servers. The older clients just won't be able to use the
> >>>>> newest features.
> >>>>> 
> >>>>> 
> >>>>>> On Fri, Nov 20, 2015 at 4:31 AM, Martin Kosek < mko...@redhat.com
> >>>>>> <mailto: mko...@redhat.com >> wrote:
> >>>>>> 
> >>>>>> On 11/19/2015 11:03 PM, Ash Alam wrote:
> >>>>>> 
> >>>>>> Hello All
> >>>>>> 
> >>>>>> I am looking for some advice on upgrading. Currently our
> >>> FreeIPA
> >>>>>> servers are
> >>>>>> 3.0.0 on centos 6.6. We are looking to go to 4.2.3 Centos7.
> >>> This
> >>>>>> upgrade path
> >>>>>> is not possible per IPA documentation. Minimum version
> >>> required
> >>>>>> is 3.3.x. I
> >>>>>> have also found that centos6 does not provide anything past
> >>> 3.0.0.
> >>>>>> 
> >>>>>> 
> >>>>>> And it won't. There are no plans in updating FreeIPA version in
> >>>>>> RHEL/CentOS-6.x, we encourage people who want the new features to
> >>>>>> migrate
> >>>>>> to RHEL-7.x:
> >>>>>> 
> >>>>>> 
> >>>>>> 
> >>> http://www.freeipa.org/page/Howto/Migration#Migrating_Identity_Management_in_RHEL.2FCentOS
> >>>>>> 
> >>>>>> 
> >>>>>> 
> >>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html#migrating-ipa-proc
> >>>>>> 
> >>>>>> If you want to wait on CentOS-7.2, it should be in works now:
> >>>>>> http://seven.centos.org/2015/11/rhel-7-2-released-today/
> >>>>>> 
> >>>>>> One idea is to upgrade to 3.3.x first and then upgrade to
> >>> 4.2.3
> >>>>>> on centos7.
> >>>>>> This is harder since centos does not provide this. The other
> >>>>>> issue is if
> >>>>>> 3.0/3.3 client will be supported with 4.2.3 server.
> >>>>>> 
> >>>>>> 
> >>>>>> The right way is to migrate via creating replicas in
> >>> RHEL/CentOS-7.x
> >>>>>> and
> >>>>>> slowly deprecating RHEL/CentOS-6 ones. Detailed procedure in the
> >>>>>> links above.
> >>>>>> 
> >>>>>> 
> >>>>>> 
> >>>>> 
> >>>> 
> >>> 
> >>> 
> >> 
> > 
> 
> 
> 
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
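
For the two checks in the reply at the top of this message (pki-ca at 9.0.3-45 or later on the master, and debug.level=1 in CS.cfg), here is an added example that is not part of the original e-mail or of the PKI project. The function names are hypothetical, the CS.cfg path is supplied by the caller, and `sort -V` is used as an approximation of RPM version ordering.

```shell
#!/bin/sh
# Added example. Both functions take their input as arguments so they can
# be tried on a copy of the data before touching a live master or clone.

FIXED_VR="9.0.3-45"   # pki-ca build named in the message as carrying the fix

# pki_ca_has_fix VERSION-RELEASE
# VERSION-RELEASE is what this prints on the master:
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' pki-ca
# Returns 0 when the installed build is at or above FIXED_VR.
pki_ca_has_fix() {
    have=${1%%.el*}     # drop the dist tag (.el6 and similar) before comparing
    lowest=$(printf '%s\n%s\n' "$FIXED_VR" "$have" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_VR" ]
}

# set_debug_level FILE LEVEL
# Sets debug.level in a CS.cfg-style key=value file. An existing line is
# replaced, a missing one is appended, and FILE.bak keeps the old content.
set_debug_level() {
    cfg=$1 level=$2
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    case $level in
        ''|*[!0-9]*) echo "level must be numeric" >&2; return 1 ;;
    esac
    # cp -p keeps owner and mode on the backup; writing back with '>'
    # truncates the original in place, so its owner and mode are unchanged.
    cp -p "$cfg" "$cfg.bak" || return 1
    if grep -q '^debug\.level=' "$cfg"; then
        sed "s/^debug\.level=.*/debug.level=$level/" "$cfg.bak" > "$cfg"
    else
        printf 'debug.level=%s\n' "$level" >> "$cfg"
    fi
}
```

The backup holds the same contents as CS.cfg, so keep it under the same access restrictions and remove it once the original debug level is restored.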
