Hi Rob,
There's a few logs in there, I'm not sure which is most informative. Here are 
some sections from what I think are relevant logs:

/var/log/pki/pki-tomcat/localhost.log:

Jun 01, 2016 12:16:34 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [Resteasy] in context with path [/ca] 
threw exception
org.jboss.resteasy.spi.UnhandledException: 
org.jboss.resteasy.core.NoMessageBodyWriterFoundFailure: Could not find 
MessageBodyWriter for response object of type: 
com.netscape.certsrv.base.PKIException$Data of media type: 
application/x-www-form-urlencoded
        at 
org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:157)
        at 
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
        at 
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
        at 
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
        at 
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        at 
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
        at sun.reflect.GeneratedMethodAccessor41.invoke(Unknown Source)
        at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at 
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
        at 
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at 
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
        at 
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
        at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
        at 
org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
        at 
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
        at 
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
        at java.security.AccessController.doPrivileged(Native Method)
        at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
        at 
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at sun.reflect.GeneratedMethodAccessor40.invoke(Unknown Source)
        at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at 
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
        at 
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at 
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
        at 
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249)
        at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
        at 
org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
        at 
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
        at 
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
        at java.security.AccessController.doPrivileged(Native Method)
        at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
        at 
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
        at 
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at 
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:610)
        at 
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at 
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at 
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
        at 
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at 
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
        at 
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
        at 
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
        at 
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
...skipping...
        at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
        at 
org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
        at 
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
        at 
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
        at java.security.AccessController.doPrivileged(Native Method)
        at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
        at 
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at sun.reflect.GeneratedMethodAccessor40.invoke(Unknown Source)
        at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at 
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
        at 
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at 
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
        at 
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249)
        at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
        at 
org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
        at 
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
        at 
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
        at java.security.AccessController.doPrivileged(Native Method)
        at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
        at 
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
        at 
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at 
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:610)
        at 
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at 
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at 
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
        at 
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at 
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
        at 
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
        at 
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
        at 
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
        at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at 
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)
Caused by: org.jboss.resteasy.core.NoMessageBodyWriterFoundFailure: Could not 
find MessageBodyWriter for response object of type: 
com.netscape.certsrv.base.PKIException$Data of media type: 
application/x-www-form-urlencoded
        at 
org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:67)
        at 
org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:153)
        ... 52 more

/var/log/pki/pki-tomcat/catalina.out:

WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 
'ssl2Ciphers' to 
'-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5'
 did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 
'ssl3Ciphers' to 
'-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA'
 did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 
'tlsCiphers' to 
'-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA'
 did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 
'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 
'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 
'sslRangeCiphers' to 
'-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256'
 did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 
'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did 
not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 
'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a 
matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 
'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not 
find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 
'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property.
WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 
'xmlValidation' to 'false' did not find a matching property.
WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 
'xmlNamespaceAware' to 'false' did not find a matching property.

/var/log/pki/pki-tomcat/ca/system:

0.localhost-startStop-1 - [01/Jun/2016:12:15:12 EDT] [3] [3] Cannot build CA 
chain. Error java.security.cert.CertificateException: Certificate is not a PKCS 
#11 certificate
0.localhost-startStop-1 - [01/Jun/2016:12:15:12 EDT] [13] [3] authz instance 
DirAclAuthz initialization failed and skipped, error=Property 
internaldb.ldapconn.port missing value
0.http-bio-8443-exec-3 - [01/Jun/2016:12:15:55 EDT] [3] [3] Cannot build CA 
chain. Error java.security.cert.CertificateException: Certificate is not a PKCS 
#11 certificate
0.Thread-14 - [01/Jun/2016:12:16:17 EDT] [8] [3] Publishing: Could not publish 
certificate serial number 0x7. Error Failed to publish using rule: No rules 
enabled
0.Thread-13 - [01/Jun/2016:12:16:45 EDT] [8] [3] Publishing: Could not publish 
certificate serial number 0x8. Error Failed to publish using rule: No rules 
enabled
0.Thread-13 - [01/Jun/2016:12:20:22 EDT] [8] [3] Publishing: Could not publish 
certificate serial number 0x9. Error Failed to publish using rule: No rules 
enabled
0.Thread-14 - [01/Jun/2016:12:20:23 EDT] [8] [3] Publishing: Could not publish 
certificate serial number 0xa. Error Failed to publish using rule: No rules 
enabled
0.profileChangeMonitor - [01/Jun/2016:12:20:28 EDT] [8] [3] In Ldap (bound) 
connection pool to host ipa.example.com port 636, Cannot connect to LDAP 
server. Error: netscape.ldap.LDAPException: IO Error creating JSS SSL Socket 
(-1)
(repeats)
0.RetrieveModificationsTask - [01/Jun/2016:12:21:33 EDT] [8] [3] In Ldap 
(bound) connection pool to host ipa.h5c.local port 636, Cannot connect to LDAP 
server. Error: netscape.ldap.LDAPException: IO Error creating JSS SSL Socket 
(-1)
0.RetrieveModificationsTask - [01/Jun/2016:12:21:33 EDT] [5] [3] Failed to get 
a connection to the LDAP server. Error Could not connect to LDAP server host 
ipa.example.com port 636 Error netscape.ldap.LDAPException: IO Error creating 
JSS SSL Socket (-1)
0.profileChangeMonitor - [01/Jun/2016:12:21:33 EDT] [8] [3] In Ldap (bound) 
connection pool to host ipa.example.com port 636, Cannot connect to LDAP 
server. Error: netscape.ldap.LDAPException: IO Error creating JSS SSL Socket 
(-1)

Thanks,
Dan


[cid:image001.jpg@01D1BCF6.2E41DCA0]<http://www.high5games.com/>
Daniel Alex Finkelstein| Senior Dev Ops Engineer
dan.finkelst...@h5g.com<mailto:dan.finkelst...@h5g.com> | 212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com<http://www.high5games.com/>
Play High 5 Casino<https://apps.facebook.com/highfivecasino/> and Shake the 
Sky<https://apps.facebook.com/shakethesky/>
Follow us on: Facebook<http://www.facebook.com/high5games>, 
Twitter<https://twitter.com/High5Games>, 
YouTube<http://www.youtube.com/High5Games>, 
Linkedin<http://www.linkedin.com/company/1072533?trk=tyah>

This message and any attachments may contain confidential or privileged 
information and are only for the use of the intended recipient of this message. 
If you are not the intended recipient, please notify the sender by return 
email, and delete or destroy this and all copies of this message and all 
attachments. Any unauthorized disclosure, use, distribution, or reproduction of 
this message or any attachments is prohibited and may be unlawful.

From: Rob Crittenden <rcrit...@redhat.com>
Date: Thursday, June 2, 2016 at 17:29
To: Daniel Finkestein <dan.finkelst...@high5games.com>, 
"freeipa-users@redhat.com" <freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 
3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to 
master

dan.finkelst...@high5games.com<mailto:dan.finkelst...@high5games.com> wrote:
Hi Sebastian,

Unfortunately, that doesn't seem to be it and reinstalling the replica
with —setup-ca failed again with the same errors. I've included relevant
sections of the logs.

/var/log/ipareplica-install.log:

016-06-02T10:43:16Z DEBUG Starting external process

2016-06-02T10:43:16Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
'/tmp/tmpl8RqSM'

2016-06-02T10:43:16Z DEBUG Process finished, return code=1

2016-06-02T10:43:16Z DEBUG stdout=Log file:
/var/log/pki/pki-ca-spawn.20160602064316.log

Loading deployment configuration from /tmp/tmpl8RqSM.

2016-06-02T10:43:16Z DEBUG stderr=Traceback (most recent call last):

    File "/usr/sbin/pkispawn", line 717, in <module>

      main(sys.argv)

    File "/usr/sbin/pkispawn", line 523, in main

      parser.compose_pki_master_dictionary()

    File
"/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py",
line 573, in compose_pki_master_dictionary

      instance.load()

    File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line
454, in load

      subsystem.load()

    File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line
118, in load

      lines = open(self.cs_conf).read().splitlines()

IOError: [Errno 2] No such file or directory:
'/var/lib/pki/pki-tomcat/ca/conf/CS.cfg'

2016-06-02T10:43:16Z CRITICAL Failed to configure CA instance: Command
''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpl8RqSM'' returned non-zero
exit status 1

2016-06-02T10:43:16Z CRITICAL See the installation logs and the
following files/directories for more information:

2016-06-02T10:43:16Z CRITICAL   /var/log/pki-ca-install.log

2016-06-02T10:43:16Z CRITICAL   /var/log/pki/pki-tomcat

2016-06-02T10:43:16Z DEBUG Traceback (most recent call last):

    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 418, in start_creation

      run_step(full_msg, method)

    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 408, in run_step

      method()

    File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
620, in __spawn_instance

      DogtagInstance.spawn_instance(self, cfg_file)

    File
"/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 201, in spawn_instance

      self.handle_setup_error(e)

    File
"/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 465, in handle_setup_error

      raise RuntimeError("%s configuration failed." % self.subsystem)

RuntimeError: CA configuration failed.

2016-06-02T10:43:16Z DEBUG   [error] RuntimeError: CA configuration failed.

2016-06-02T10:43:16Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
execute

      return_value = self.run()

    File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py",
line 311, in run

      cfgr.run()

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 281, in run

      self.execute()

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 303, in execute

      for nothing in self._executor():

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 343, in __runner

      self._handle_exception(exc_info)

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 365, in _handle_exception

      util.raise_exc_info(exc_info)

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 333, in __runner

      step()

    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 87, in run_generator_with_yield_from

      raise_exc_info(exc_info)

    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 65, in run_generator_with_yield_from

      value = gen.send(prev_value)

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 524, in _configure

      executor.next()

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 343, in __runner

      self._handle_exception(exc_info)

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 421, in _handle_exception

      self.__parent._handle_exception(exc_info)

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 365, in _handle_exception

      util.raise_exc_info(exc_info)

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 418, in _handle_exception

      super(ComponentBase, self)._handle_exception(exc_info)

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 365, in _handle_exception

      util.raise_exc_info(exc_info)

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 333, in __runner

      step()

    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 87, in run_generator_with_yield_from

      raise_exc_info(exc_info)

    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 65, in run_generator_with_yield_from

      value = gen.send(prev_value)

    File "/usr/lib/python2.7/site-packages/ipapython/install/common.py",
line 63, in _install

      for nothing in self._installer(self.parent):

    File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 879, in main

      install(self)

    File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 295, in decorated

      func(installer)

    File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 584, in install

      ca.install(False, config, options)

    File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line
106, in install

      install_step_0(standalone, replica_config, options)

    File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line
130, in install_step_0

      ra_p12=getattr(options, 'ra_p12', None))

    File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
1543, in install_replica_ca

      subject_base=config.subject_base)

    File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
486, in configure_instance

      self.start_creation(runtime=210)

    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 418, in start_creation

      run_step(full_msg, method)

    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 408, in run_step

      method()

    File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
620, in __spawn_instance

      DogtagInstance.spawn_instance(self, cfg_file)

    File
"/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 201, in spawn_instance

      self.handle_setup_error(e)

    File
"/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 465, in handle_setup_error

      raise RuntimeError("%s configuration failed." % self.subsystem)

2016-06-02T10:43:16Z DEBUG The ipa-replica-install command failed,
exception: RuntimeError: CA configuration failed.

2016-06-02T10:43:16Z ERROR CA configuration failed.

Of note, there is no /var/log/pki-ca-install.log file nor (as the error
above shows) is there /var/lib/pki/pki-tomcat/ca/conf/CS.cfg.

Best regards,

Dan

cid:image001.jpg@01D1BC9A.CBB33580<mailto:image001.jpg@01D1BC9A.CBB33580> 
<http://www.high5games.com/>

*Daniel Alex Finkelstein*| Senior Dev Ops Engineer

dan.finkelst...@h5g.com<mailto:dan.finkelst...@h5g.com> 
<mailto:dan.finkelst...@h5g.com>|<mailto:dan.finkelst...@h5g.com%3E|> 
212.604.3447

One World Trade Center, New York, NY 10007

www.high5games.com <http://www.high5games.com/>

Play High 5 Casino 
<https://apps.facebook.com/highfivecasino/>and<https://apps.facebook.com/highfivecasino/%3Eand>
 Shake
the Sky <https://apps.facebook.com/shakethesky/>

Follow us on: Facebook <http://www.facebook.com/high5games>, Twitter
<https://twitter.com/High5Games>, YouTube
<http://www.youtube.com/High5Games>, Linkedin
<http://www.linkedin.com/company/1072533?trk=tyah>

//

/This message and any attachments may contain confidential or privileged
information and are only for the use of the intended recipient of this
message. If you are not the intended recipient, please notify the sender
by return email, and delete or destroy this and all copies of this
message and all attachments. Any unauthorized disclosure, use,
distribution, or reproduction of this message or any attachments is
prohibited and may be unlawful./

*From: *Sebastian Schäfer 
<sebastian.schae...@dlr.de<mailto:sebastian.schae...@dlr.de>>
*Date: *Thursday, June 2, 2016 at 02:59
*To: *"freeipa-users@redhat.com<mailto:freeipa-users@redhat.com>" 
<freeipa-users@redhat.com<mailto:freeipa-users@redhat.com>>, Daniel
Finkestein 
<dan.finkelst...@high5games.com<mailto:dan.finkelst...@high5games.com>>
*Subject: *Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of
FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica,
cannot promote to master

Hi Dan,

I had a similar problem when updating my FreeIPA. In my case it turned

out that the certificates that get bundled with the replica preparation

file were expired. This is due to the /root/cacert.p12 file not being

updated during the preparation process until FreeIPA 3.2.2

The file can be recreated with the commands from step 2 of

http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

If that does not solve the problem, it would be good to see (part of)

the actual logfiles of your replica installation attempt.

Best regards

--

Sebastian Schäfer, M. A.

-------------------------------

Deutsches Zentrum für Luft- und Raumfahrt e.V. (DLR)

Institute of Space Operations and Astronaut Training

Microgravity User Support Center (MUSC)

Linder Höhe | 51147 Köln

Telefon 02203 601-30 01 | Telefax: 02203 61471 |
sebastian.schae...@dlr.de<mailto:sebastian.schae...@dlr.de> 
<mailto:sebastian.schae...@dlr.de>

www.DLR.de

On 06/01/2016 06:45 PM, 
dan.finkelst...@high5games.com<mailto:dan.finkelst...@high5games.com>
<mailto:dan.finkelst...@high5games.com> wrote:

     Hi folks,

     As the subject suggests, we're converting from FreeIPA 3.0.0 on CentOS 6

     to 4.2.0 on CentOS 7. The way we're doing it is to create FreeIPA

     replicas in CentOS 7 and then hope to promote one of them to the CA

     master. I'm running into two problems:

     The first is that when we create a replica in FreeIPA 4.2.0 with the

     —setup-ca option, that portion fails. Here's a snippet of the output:

     Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes

     30 seconds

         [1/23]: creating certificate server user

         [2/23]: configuring certificate server instance

     ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to

     configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f'

     '/tmp/tmpqPeYOW'' returned non-zero exit status 1

     ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the

     installation logs and the following files/directories for more
     information:

     ipa.ipaserver.install.cainstance.CAInstance: CRITICAL

     /var/log/pki-ca-install.log

     ipa.ipaserver.install.cainstance.CAInstance: CRITICAL

     /var/log/pki/pki-tomcat

         [error] RuntimeError: CA configuration failed.

     Your system may be partly configured.

     Run /usr/sbin/ipa-server-install --uninstall to clean up.





You need to find the CA logs. All IPA gets is "the install failed" and
no details why. Lok in /var/log/pki/pki-tomcat for the relevant logs.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to