Linov Suresh wrote:
I tried to create master replica using the option --setup-ca, it failed,
because of "Your system may be partly configured."

Please note we use different ipa package for master and replica.

master:
[root@caer ~]# rpm -q ipa-server
ipa-server-3.0.0-26.el6_4.2.x86_64

replica:

[root@neit-lab01 ~]# rpm -q ipa-server
ipa-server-3.0.0-50.el6.1.x86_64

Is this because ipa-server-3.0.0-50 has the update "Proxy calls to
/ca/ee/ca/profileSubmit to PKI to enable installation of replicas with
Dogtag 10 PKI (#1083878)"?

If yes, how do we fix it? Your help is appreciated.


[root@neit-lab01 ipa]# ipa-replica-install --setup-dns --setup-ca
--no-forwarders /var/lib/ipa/replica-info-neit-lab01.teloip.net.gpg
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'caer.teloip.net':
    Directory Service: Unsecure port (389): OK
    Directory Service: Secure port (636): OK
    Kerberos KDC: TCP (88): OK
    Kerberos Kpasswd: TCP (464): OK
    HTTP Server: Unsecure port (80): OK
    HTTP Server: Secure port (443): OK
    PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be
checked manually:
    Kerberos KDC: UDP (88): SKIPPED
    Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@teloip.net password:

Execute check on remote master
Check connection from master to remote replica 'neit-lab01.teloip.net':
    Directory Service: Unsecure port (389): OK
    Directory Service: Secure port (636): OK
    Kerberos KDC: TCP (88): OK
    Kerberos KDC: UDP (88): OK
    Kerberos Kpasswd: TCP (464): OK
    Kerberos Kpasswd: UDP (464): OK
    HTTP Server: Unsecure port (80): OK
    HTTP Server: Secure port (443): OK
    PKI-CA: Directory Service port (7389): OK

Connection from master to replica is OK.

Connection check OK
Configuring NTP daemon (ntpd)
   [1/4]: stopping ntpd
   [2/4]: writing configuration
   [3/4]: configuring ntpd to start on boot
   [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
   [1/3]: creating directory server user
   [2/3]: creating directory server instance
   [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30
seconds
   [1/17]: creating certificate server user
   [2/17]: creating pki-ca instance
   [3/17]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command
'/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
neit-lab01.teloip.net -cs_port 9445
-client_certdb_dir /tmp/tmp-t5u9YQ -client_certdb_pwd XXXXXXXX
-preop_pin BAoCQwvMxnG4xLdxOKln -domain_name IPA -admin_user admin
-admin_email root@localhost -admin_password XXXXXXXX -agent_name
ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
-agent_cert_subject CN=ipa-ca-agent,O=TELOIP.NET
-ldap_host neit-lab01.teloip.net
-ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX
-base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa
-key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX
-subsystem_name pki-cad -token_name internal
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET
-ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TELOIP.NET
-ca_server_cert_subject_name CN=neit-lab01.teloip.net,O=TELOIP.NET
-ca_audit_signing_cert_subject_name CN=CA Audit,O=TELOIP.NET
-ca_sign_cert_subject_name CN=Certificate Authority,O=TELOIP.NET
-external false -clone true
-clone_p12_file ca.p12 -clone_p12_password XXXXXXXX -sd_hostname
caer.teloip.net -sd_admin_port 443
-sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true
-clone_uri https://caer.teloip.net:443' returned non-zero exit status 255

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed



You need to look at the dogtag logs to see any reasonable errors. IPA doesn't get much back from the dogtag installer except a pass/fail (especially in 3.x).

rob
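
Rob's advice is to read the Dogtag logs rather than the one-line pass/fail IPA prints. The script below is an added example for triaging exactly that, not code from the thread or from FreeIPA's own tooling: it pulls the lines carrying error markers out of the Dogtag and IPA installer logs on the replica and prints the last few for each file. The log paths are assumptions for Dogtag 9 (pki-cad) on RHEL 6 with ipa-server 3.0 and may differ on other versions; the sample log the script also scans is constructed here, in the style of /var/log/pki-ca/debug, so that it demonstrates itself offline.

```shell
#!/bin/sh
# Added example (not from the original thread or from FreeIPA): after a
# failed "ipa-replica-install --setup-ca", find the real error in the
# Dogtag (pki-cad) and IPA installer logs instead of the IPA summary line.
# Paths are assumptions for Dogtag 9 on RHEL 6 with ipa-server 3.0.

IPA_LOGS="/var/log/ipareplica-install.log /var/log/ipareplica-conncheck.log"
DOGTAG_LOGS="/var/log/pki-ca/debug /var/log/pki-ca/system /var/log/pki-ca/catalina.out"

# Markers Dogtag/Tomcat typically print around a ConfigureCA failure
# (Java exceptions, connection refusals, clone import problems).
ERR_RE='exception|error|fail|severe|refused|unable|denied'

# Print every matching line from one log, prefixed with "file:lineno:".
# Exit status follows grep: 0 if something matched, 1 otherwise.
scan_log() {
    grep -n -i -E "$ERR_RE" "$1" 2>/dev/null | sed "s|^|$1:|"
}

# Number of matching lines in one log; 0 when the file is absent/unreadable.
count_errors() {
    if [ -r "$1" ]; then
        grep -c -i -E "$ERR_RE" "$1" || true
    else
        echo 0
    fi
}

# Constructed sample log (assumption: approximates /var/log/pki-ca/debug
# for a clone install that cannot reach the master's security domain).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
[10/Apr/2014:14:02:11][http-9445-1]: ConfigurationUtils: cloning from https://caer.teloip.net:443
[10/Apr/2014:14:02:11][http-9445-1]: ConfigurationUtils: importing clone_p12_file ca.p12
[10/Apr/2014:14:02:12][http-9445-1]: ConfigurationUtils: getting security domain info
[10/Apr/2014:14:02:12][http-9445-1]: java.io.IOException: Unable to connect to security domain: Connection refused
[10/Apr/2014:14:02:12][http-9445-1]: panel: error in ConfigureCA, exiting
EOF

# Run on the replica as root right after the failure; the real logs are
# scanned first, the constructed sample last so the output is never empty.
for f in $DOGTAG_LOGS $IPA_LOGS $SAMPLE_LOG; do
    n=$(count_errors "$f")
    if [ "$n" -gt 0 ]; then
        echo "== $f: $n suspect line(s), last 20:"
        scan_log "$f" | tail -n 20
    else
        echo "== $f: no error markers, or file not readable"
    fi
done
```

The first matching line in the Dogtag debug log is usually the one that explains the "exit status 255" the IPA installer reports; the lines after it tend to be consequences. Once the cause is found, the installer output above already states the reset procedure: run ipa-server-install --uninstall on the replica before retrying ipa-replica-install.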

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
