Thanks for the clarification. I tried again, but no luck. The stdout/err was:
[root@ipa ~]# ipa-ca-install /var/lib/ipa/replica-info-ipa.example.com.local.gpg
Directory Manager (existing master) password:
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/21]: creating certificate server user
  [2/21]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpD3cjWu'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

CA configuration failed.

And the ipareplica-ca-install.log is:

[root@ipa log]# cat ipareplica-ca-install.log
2016-06-06T17:59:37Z DEBUG /sbin/ipa-ca-install was invoked with argument "/var/lib/ipa/replica-info-ipa.example.com.local.gpg" and options: {'external_cert_files': None, 'skip_schema_check': False, 'external_ca_type': None, 'unattended': False, 'no_host_dns': False, 'ca_signing_algorithm': None, 'debug': False, 'external_ca': False, 'skip_conncheck': False}
2016-06-06T17:59:37Z DEBUG IPA version 4.2.0-15.0.1.el7.centos.6.1
2016-06-06T17:59:37Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-06-06T17:59:37Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2016-06-06T17:59:37Z DEBUG importing all plugin modules in ipalib.plugins...
2016-06-06T17:59:38Z DEBUG Mounting ipaserver.rpcserver.login_kerberos() at '/session/login_kerberos'
2016-06-06T17:59:38Z DEBUG session_auth_duration: 0:20:00
2016-06-06T17:59:38Z DEBUG Mounting ipaserver.rpcserver.xmlserver() at '/xml'
2016-06-06T17:59:38Z DEBUG session_auth_duration: 0:20:00
2016-06-06T17:59:40Z DEBUG Starting external process
2016-06-06T17:59:40Z DEBUG args='/usr/bin/gpg-agent' '--batch' '--homedir' '/tmp/tmpm9cf7Xipa/ipa-cLLKJh/.gnupg' '--daemon' '/usr/bin/gpg' '--batch' '--homedir' '/tmp/tmpm9cf7Xipa/ipa-cLLKJh/.gnupg' '--passphrase-fd' '0' '--yes' '--no-tty' '-o' '/tmp/tmpm9cf7Xipa/files.tar' '-d' '/var/lib/ipa/replica-info-ipa.example.com.gpg'
2016-06-06T17:59:41Z DEBUG Process finished, return code=0
2016-06-06T17:59:41Z DEBUG Starting external process
2016-06-06T17:59:41Z DEBUG args='tar' 'xf' '/tmp/tmpm9cf7Xipa/files.tar' '-C' '/tmp/tmpm9cf7Xipa'
2016-06-06T17:59:41Z DEBUG Process finished, return code=0
2016-06-06T17:59:41Z DEBUG stdout=
2016-06-06T17:59:41Z DEBUG stderr=
2016-06-06T17:59:41Z DEBUG Installing replica file with version 300 (0 means no version in prepared file).
2016-06-06T17:59:41Z DEBUG Check if ipa.example.com is a primary hostname for localhost
2016-06-06T17:59:41Z DEBUG Primary hostname for localhost: ipa.example.com
2016-06-06T17:59:41Z DEBUG Search DNS for ipa.example.com
2016-06-06T17:59:41Z DEBUG Check if ipa.h5c.local is not a CNAME
2016-06-06T17:59:41Z DEBUG Check reverse address of 10.55.10.31
2016-06-06T17:59:41Z DEBUG Found reverse name: ipa.example.com
2016-06-06T17:59:41Z DEBUG Created connection context.ldap2_42662608
2016-06-06T17:59:41Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-06-06T17:59:41Z DEBUG Checking if IPA schema is present in ldap://ipa-replica.example.com:7389
2016-06-06T17:59:41Z DEBUG retrieving schema for SchemaCache url=ldap://ipa-replica.example.com:7389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x28b41b8>
2016-06-06T17:59:41Z DEBUG Check OK
2016-06-06T17:59:41Z DEBUG Destroyed connection context.ldap2_42662608
2016-06-06T17:59:41Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-06-06T17:59:41Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-06-06T17:59:41Z DEBUG Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
2016-06-06T17:59:41Z DEBUG   [1/21]: creating certificate server user
2016-06-06T17:59:41Z DEBUG group pkiuser exists
2016-06-06T17:59:41Z DEBUG user pkiuser exists
2016-06-06T17:59:41Z DEBUG   duration: 0 seconds
2016-06-06T17:59:41Z DEBUG   [2/21]: configuring certificate server instance
2016-06-06T17:59:41Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-06-06T17:59:41Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2016-06-06T17:59:41Z DEBUG Contents of pkispawn configuration file (/tmp/tmpD3cjWu):
[CA]
pki_security_domain_name = IPA
pki_enable_proxy = True
pki_restart_configured_instance = False
pki_backup_keys = True
pki_backup_password = XXXXXXXX
pki_profiles_in_ldap = True
pki_client_database_dir = /tmp/tmp-jUfjcK
pki_client_database_password = XXXXXXXX
pki_client_database_purge = False
pki_client_pkcs12_password = XXXXXXXX
pki_admin_name = admin
pki_admin_uid = admin
pki_admin_email = root@localhost
pki_admin_password = XXXXXXXX
pki_admin_nickname = ipa-ca-agent
pki_admin_subject_dn = cn=ipa-ca-agent,O=EXAMPLE.COM
pki_client_admin_cert_p12 = /root/ca-agent.p12
pki_ds_ldap_port = 389
pki_ds_password = XXXXXXXX
pki_ds_base_dn = o=ipaca
pki_ds_database = ipaca
pki_subsystem_subject_dn = cn=CA Subsystem,O= EXAMPLE.COM
pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O= EXAMPLE.COM
pki_ssl_server_subject_dn = cn=ipa.example.com,O= EXAMPLE.COM
pki_audit_signing_subject_dn = cn=CA Audit,O= EXAMPLE.COM
pki_ca_signing_subject_dn = cn=Certificate Authority,O= EXAMPLE.COM
pki_subsystem_nickname = subsystemCert cert-pki-ca
pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
pki_ssl_server_nickname = Server-Cert cert-pki-ca
pki_audit_signing_nickname = auditSigningCert cert-pki-ca
pki_ca_signing_nickname = caSigningCert cert-pki-ca
pki_ca_signing_key_algorithm = SHA256withRSA
pki_security_domain_hostname = ipa-replica.example.com
pki_security_domain_https_port = 443
pki_security_domain_user = admin
pki_security_domain_password = XXXXXXXX
pki_clone = True
pki_clone_pkcs12_path = /tmp/ca.p12
pki_clone_pkcs12_password = XXXXXXXX
pki_clone_replication_security = TLS
pki_clone_replication_master_port = 7389
pki_clone_replication_clone_port = 389
pki_clone_replicate_schema = False
pki_clone_uri = https://ipa-replica.example.com:443

2016-06-06T17:59:41Z DEBUG Starting external process
2016-06-06T17:59:41Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpD3cjWu'
2016-06-06T17:59:41Z DEBUG Process finished, return code=1
2016-06-06T17:59:41Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160606135941.log
Loading deployment configuration from /tmp/tmpD3cjWu.

2016-06-06T17:59:41Z DEBUG stderr=Traceback (most recent call last):
  File "/usr/sbin/pkispawn", line 717, in <module>
    main(sys.argv)
  File "/usr/sbin/pkispawn", line 523, in main
    parser.compose_pki_master_dictionary()
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py", line 573, in compose_pki_master_dictionary
    instance.load()
  File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line 454, in load
    subsystem.load()
  File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line 118, in load
    lines = open(self.cs_conf).read().splitlines()
IOError: [Errno 2] No such file or directory: '/var/lib/pki/pki-tomcat/ca/conf/CS.cfg'

2016-06-06T17:59:41Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpD3cjWu'' returned non-zero exit status 1
2016-06-06T17:59:41Z CRITICAL See the installation logs and the following files/directories for more information:
2016-06-06T17:59:41Z CRITICAL   /var/log/pki-ca-install.log
2016-06-06T17:59:41Z CRITICAL   /var/log/pki/pki-tomcat
2016-06-06T17:59:41Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 620, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

2016-06-06T17:59:41Z DEBUG   [error] RuntimeError: CA configuration failed.
2016-06-06T17:59:41Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 732, in run_script
    return_value = main_function()

  File "/sbin/ipa-ca-install", line 202, in main
    install_replica(safe_options, options, filename)

  File "/sbin/ipa-ca-install", line 150, in install_replica
    ca.install(True, config, options)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 106, in install
    install_step_0(standalone, replica_config, options)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 130, in install_step_0
    ra_p12=getattr(options, 'ra_p12', None))

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1543, in install_replica_ca
    subject_base=config.subject_base)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 486, in configure_instance
    self.start_creation(runtime=210)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
    run_step(full_msg, method)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
    method()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 620, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
    self.handle_setup_error(e)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)

2016-06-06T17:59:41Z DEBUG The ipa-ca-install command failed, exception: RuntimeError: CA configuration failed.

Daniel Alex Finkelstein | Senior Dev Ops Engineer
dan.finkelst...@h5g.com | 212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com <http://www.high5games.com/>
Play High 5 Casino <https://apps.facebook.com/highfivecasino/> and Shake the Sky <https://apps.facebook.com/shakethesky/>
Follow us on: Facebook <http://www.facebook.com/high5games>, Twitter <https://twitter.com/High5Games>, YouTube <http://www.youtube.com/High5Games>, Linkedin <http://www.linkedin.com/company/1072533?trk=tyah>

This message and any attachments may contain confidential or privileged information and are only for the use of the intended recipient of this message. If you are not the intended recipient, please notify the sender by return email, and delete or destroy this and all copies of this message and all attachments. Any unauthorized disclosure, use, distribution, or reproduction of this message or any attachments is prohibited and may be unlawful.
From: Rob Crittenden <rcrit...@redhat.com>
Date: Monday, June 6, 2016 at 11:44
To: Daniel Finkestein <dan.finkelst...@high5games.com>, "freeipa-users@redhat.com" <freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

dan.finkelst...@high5games.com wrote:
> Swing and a miss: when setting up the replicas, we always use the --setup-ca and end the command with the replica gpg file, but it's the --setup-ca that fails as per the earlier messages. If we proceed without --setup-ca, it's fine.
>
> I'll try it without skipping the connection check, but I don't think the replica file is the issue.

I meant to say: ipa-ca-install replicafile

When running ipa-ca-install without a replicafile then it assumes you are trying to set up a brand new CA which isn't allowed if one already exists. The messaging has been improved upstream.

Skipping the conncheck can mask odd problems and should be used sparingly.

rob

> Thanks,
> Dan
>
> From: Rob Crittenden <rcrit...@redhat.com>
> Date: Monday, June 6, 2016 at 09:51
> To: Daniel Finkestein <dan.finkelst...@high5games.com>, "freeipa-users@redhat.com" <freeipa-users@redhat.com>
> Subject: Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master
>
> I think I figured out what is wrong. It is trying to add a NEW CA, not creating a replica of the CA on this host. You need to pass in the replica install file as an argument:
>
> # ipa-replica-install foo.example.com
>
> Not sure skipping the conncheck is a great idea either.
>
> rob
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
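A pre-flight check for the two failure modes this thread turns on (running ipa-ca-install without the replica file, and retrying on a host the installer has already warned "may be partly configured"), as an added example that is not from the thread and not FreeIPA's or Dogtag's own code. The instance path /var/lib/pki/pki-tomcat and the reading of the IOError as a leftover partial instance are assumptions.

```shell
#!/bin/sh
# Pre-flight checks to run before (re)trying ipa-ca-install on a replica.
# Added example; not code from this thread or from FreeIPA/Dogtag.
# Assumptions: the Dogtag instance lives under /var/lib/pki/pki-tomcat (the
# directory named in the traceback's CS.cfg path), and a replica file is the
# /var/lib/ipa/replica-info-<host>.gpg produced by ipa-replica-prepare.

PKI_INSTANCE_DIR="${PKI_INSTANCE_DIR:-/var/lib/pki/pki-tomcat}"

# A replica file must be passed; without one ipa-ca-install tries to create a
# brand-new CA, which is refused when the domain already has one.
check_replica_file() {
    f="$1"
    if [ -z "$f" ]; then
        echo "ERROR: no replica file given (expected /var/lib/ipa/replica-info-<host>.gpg)" >&2
        return 1
    fi
    if [ ! -f "$f" ]; then
        echo "ERROR: replica file not found: $f" >&2
        return 1
    fi
    case "$f" in
        *.gpg) return 0 ;;
        *) echo "ERROR: $f does not look like a replica-info .gpg file" >&2; return 1 ;;
    esac
}

# pkispawn's instance.load() reads <instance>/ca/conf/CS.cfg (the file the
# IOError in the log names). An instance directory with no CS.cfg is taken here
# to be a half-built instance left by an earlier failed run (assumption); the
# installer's own advice is ipa-server-install --uninstall before retrying.
check_pki_instance() {
    dir="${1:-$PKI_INSTANCE_DIR}"
    if [ ! -d "$dir" ]; then
        return 0    # nothing there yet; pkispawn will create the instance
    fi
    if [ -f "$dir/ca/conf/CS.cfg" ]; then
        echo "NOTE: a complete CA instance already exists in $dir" >&2
        return 0
    fi
    echo "ERROR: $dir exists but $dir/ca/conf/CS.cfg is missing: partial instance, clean up first" >&2
    return 1
}

# Exit status 0 means it is reasonable to run: ipa-ca-install <replica-file>
# (without --skip-conncheck, which can mask connectivity problems).
preflight() {
    rc=0
    check_replica_file "$1" || rc=1
    check_pki_instance "$2" || rc=1
    return "$rc"
}

# Run the checks only when invoked as a script named ipa-ca-preflight.sh.
case "${0##*/}" in
    ipa-ca-preflight.sh) preflight "$@"; exit $? ;;
esac
```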