Hi Dan,

I had a similar problem when updating my FreeIPA. In my case it turned
out that the certificates that get bundled with the replica preparation
file were expired. This is due to the /root/cacert.p12 file not being
updated during the preparation process until FreeIPA 3.2.2

The file can be recreated with the commands from step 2 of

If that does not solve the problem, it would be good to see (part of)
the actual logfiles of your replica installation attempt.

Best regards
Sebastian Schäfer, M. A.
Deutsches Zentrum für Luft- und Raumfahrt e.V. (DLR)
Institute of Space Operations and Astronaut Training
Microgravity User Support Center (MUSC)
Linder Höhe | 51147 Köln

Telefon 02203 601-30 01 | Telefax: 02203 61471 | sebastian.schae...@dlr.de

On 06/01/2016 06:45 PM, dan.finkelst...@high5games.com wrote:
> Hi folks,
> As the subject suggests, we're converting from FreeIPA 3.0.0 on CentOS 6
> to 4.2.0 on CentOS 7. The way we're doing it is to create FreeIPA
> replicas in CentOS 7 and then hope to promote one of them to the CA
> master. I'm running into two problems:
> The first is that when we create a replica in FreeIPA 4.2.0 with the
> —setup-ca option, that portion fails. Here's a snippet of the output:
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
> 30 seconds
>   [1/23]: creating certificate server user
>   [2/23]: configuring certificate server instance
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
> configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f'
> '/tmp/tmpqPeYOW'' returned non-zero exit status 1
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
> installation logs and the following files/directories for more information:
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL  
> /var/log/pki-ca-install.log
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL  
> /var/log/pki/pki-tomcat
>   [error] RuntimeError: CA configuration failed.
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to