I installed my first master ipa server (server1) many months ago (Redhat 7.1 IIRC) and made a replica server2 without problems.

Now I'd like to bring online another replica (server3).

All servers are now on Redhat 7.2 ipa-server-4.2.0-15.el7_2.17.x86_64, but I get the following error when I run this on server1:

server1> ipa-replica-prepare server3.example.com

Directory Manager (existing master) password:

Preparing replica for server3.example.com from server1.example.com
Creating SSL certificate for the Directory Server
Certificate issuance failed

If I repeat this on server2, my first replica, it succeeds.

Running in debug mode on server1:
server1> ipa-replica-prepare --debug server3.example.com
gives a lot of output of which the following seems relevant (some info has been anonymised):

Generating key.  This may take a few moments...

ipa: DEBUG: request POST https://server1.example.com:8443/ca/ee/ca/profileSubmitSSLClient
ipa: DEBUG: request body 'profileId=caIPAserviceCert&requestor_name=IPA+Installer&cert_request=...CU24QyOEd%0A&cert_request_type=pkcs10&xmlOutput=true'
ipa: DEBUG: NSSConnection init server1.example.com
ipa: DEBUG: Connecting: xxx.xxx.xxx.xxx:0
ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
ipa: DEBUG: cert valid True for "CN=server1.example.com,O=EXAMPLE.COM"
ipa: DEBUG: handshake complete, peer = xxx.xxx.xxx.xxx:8443
ipa: DEBUG: Protocol: TLS1.2
ipa: DEBUG: response status 200
ipa: DEBUG: response headers {'date': 'Fri, 01 Jul 2016 15:13:37 GMT', 'content-length': '161', 'content-type': 'application/xml', 'server': 'Apache-Coyote/1.1'}
ipa: DEBUG: response body '<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>1</Status><Error>Server Internal Error</Error><RequestId> 3</RequestId></XMLResponse>'
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 337, in run
File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 382, in copy_ds_certificate
    self.export_certdb("dscert", passwd_fname)
File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 589, in export_certdb
    db.create_server_cert(nickname, hostname, ca_db)
File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 337, in create_server_cert
    cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 418, in issue_server_cert
    raise RuntimeError("Certificate issuance failed")

ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: RuntimeError: Certificate issuance failed
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: Certificate issuance failed

If it's of relevance, I did change the directory manager password on both server1 and server2 a couple of weeks ago.

I'd appreciate some pointers to resolving this.


Roderick Johnstone
