I tried to create a master replica using the option --setup-ca, but it failed because of "Your system may be partly configured."
Please note we use different ipa packages for the master and the replica.

master:
[root@caer ~]# rpm -q ipa-server
ipa-server-3.0.0-26.el6_4.2.x86_64

replica:
[root@neit-lab01 ~]# rpm -q ipa-server
ipa-server-3.0.0-50.el6.1.x86_64

*Is this because ipa-server-3.0.0-50 has updates feature "Proxy calls to /ca/ee/ca/profileSubmit to PKI to enable installation of replicas with Dogtag 10 PKI (#1083878)"*

If yes, how do we fix it? Your help is appreciated.

[root@neit-lab01 ipa]# ipa-replica-install --setup-dns --setup-ca --no-forwarders /var/lib/ipa/replica-info-neit-lab01.teloip.net.gpg
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'caer.teloip.net':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
[email protected] password:

Execute check on remote master
Check connection from master to remote replica 'neit-lab01.teloip.net':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

Connection from master to replica is OK.

Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance
  [3/17]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname neit-lab01.teloip.net -cs_port 9445 -client_certdb_dir /tmp/tmp-t5u9YQ -client_certdb_pwd XXXXXXXX -preop_pin BAoCQwvMxnG4xLdxOKln -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TELOIP.NET -ldap_host neit-lab01.teloip.net -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TELOIP.NET -ca_server_cert_subject_name CN=neit-lab01.teloip.net,O=TELOIP.NET -ca_audit_signing_cert_subject_name CN=CA Audit,O=TELOIP.NET -ca_sign_cert_subject_name CN=Certificate Authority,O=TELOIP.NET -external false -clone true -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX -sd_hostname caer.teloip.net -sd_admin_port 443 -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true -clone_uri https://caer.teloip.net:443' returned non-zero exit status 255

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed
