Hi folks,
As the subject suggests, we're converting from FreeIPA 3.0.0 on CentOS 6 to 
4.2.0 on CentOS 7. The way we're doing it is to create FreeIPA replicas in 
CentOS 7 and then hope to promote one of them to the CA master. I'm running 
into two problems:

The first is that when we create a replica in FreeIPA 4.2.0 with the --setup-ca 
option, that portion fails. Here's a snippet of the output:
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 
  [1/23]: creating certificate server user
  [2/23]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA 
instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpqPeYOW'' 
returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs 
and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Second, I've tried a "trick" where I run an ipa-backup on the 4.2.0 replica and 
then restore it, hoping to convince the server that it's now a master. When I 
try to run ipa-replica-prepare, it quickly exits with the mysterious "no such 
entry" error:

[root@ipa ~]# ipa-replica-prepare ipa4test.example.local --ip-address
Directory Manager (existing master) password:

Preparing replica for ipa4test.example.local from ipa.example.local
no such entry

Ideas, suggestions, and help are very welcome!

Best regards,

Daniel Alex Finkelstein | Senior Dev Ops Engineer
dan.finkelst...@h5g.com | 212.604.3447
One World Trade Center, New York, NY 10007