ipa-ca-install will install on top of FreeIPA CA-less replica, nothing else, you really don't want to do it manually.


On 18.05.2017 14:12, Callum Guy wrote:
Thanks Martin, really appreciate the additional information.

Are you aware of a separate guide for installing DogTag/PKI on top of FreeIPA - basically I am happy to install separately if it doesn't compromise the FreeIPA server configuration, i'm not clear on whether this is possible without a major time investment.

On Thu, May 18, 2017 at 12:46 PM Martin Bašti <mba...@redhat.com <mailto:mba...@redhat.com>> wrote:


    Please note that commits in #6766 will not fix this issue, the
    issue is on dogtag side, please see
    https://pagure.io/dogtagpki/issue/2646

    Sorry for troubles


    On 18.05.2017 12:19, Callum Guy wrote:
    Haha, looks like i'm going CA-less for a while on the replica. I
    don't see any immediate requirement for one so time to get on
    with my life!

    I'll post back if anything changes but I'm probably stuck waiting
    for the upgrade too..

    On Thu, May 18, 2017 at 11:01 AM Lachlan Musicman
    <data...@gmail.com <mailto:data...@gmail.com>> wrote:

        Sorry cobber. We only found 6766 today - we've been tackling
        it on and off for a couple of weeks :)

        ------
        "Mission Statement: To provide hope and inspiration for
        collective action, to build collective power, to achieve
        collective transformation, rooted in grief and rage but
        pointed towards vision and dreams."

         - Patrice Cullors, /Black Lives Matter founder/

        On 18 May 2017 at 19:53, Callum Guy <callum....@x-on.co.uk
        <mailto:callum....@x-on.co.uk>> wrote:

            Ah, thanks for that Lachlan - its always reassuring to
            hear that its not just me!

            As mentioned above I have it running without the CA so
            that's a good start. I am sure we will upgrade as well
            once 4.5 becomes stable and GA for CentOS. I'm not
            expecting that to happen quickly so will have to work
            with what we have for now.

            Do you happen to know if there is any way to build the CA
            component separately?

            On Thu, May 18, 2017 at 10:38 AM Lachlan Musicman
            <data...@gmail.com <mailto:data...@gmail.com>> wrote:

                https://pagure.io/freeipa/issue/6766

                4.5.1 - I stand corrected. Can add more tomorrow.

                ------
                "Mission Statement: To provide hope and inspiration
                for collective action, to build collective power, to
                achieve collective transformation, rooted in grief
                and rage but pointed towards vision and dreams."

                 - Patrice Cullors, /Black Lives Matter founder/

                On 18 May 2017 at 19:34, Lachlan Musicman
                <data...@gmail.com <mailto:data...@gmail.com>> wrote:

                    We are seeing this. I'm not at work, but I think
                    it's bug report 6766.

                    Patch has already been committed (bot by us),
                    we're waiting for IPA 4.5.

                    cheers
                    L.

                    ------
                    "Mission Statement: To provide hope and
                    inspiration for collective action, to build
                    collective power, to achieve collective
                    transformation, rooted in grief and rage but
                    pointed towards vision and dreams."

                     - Patrice Cullors, /Black Lives Matter founder/

                    On 18 May 2017 at 18:57, Callum Guy
                    <callum....@x-on.co.uk
                    <mailto:callum....@x-on.co.uk>> wrote:

                        Hi All,

                        I am currently stuck trying to setup the
                        first replica of our master IPA server. I
                        have tried a number of different approaches
                        including escalating from a client and
                        nothing is working for me. I perform a full
                        OS reset each time I get stuck.

                        I'm running CentOS 7.2 with the FreeIPA 4.4.0
                        (rpm -q reports this version however having
                        performed ipa-server-upgrade - does this mean
                        i'm on 4.4.4?).

                        The command is shown below - note that i am
                        skipping the conn check as my platforms
                        security settings do not allow the SSH
                        session to be established back on the master,
                        all ports should be available to the
                        application however.

                        [root@ipa2 ~]# ipa-replica-install
                        --ip-address=172.24.0.101 --setup-ca
                        --setup-dns --skip-conncheck
                        --no-forwarders SITE.net.gpg

                        Directory Manager (existing master) password:

                        ipa         : ERROR    Could not resolve
                        hostname ipa2.SITE.net <http://ipa2.SITE.net>
                        usis check queries IPA DNS directly and
                        ignores /etc/hosts.)
                        Continue? [no]: yes
                        Configuring NTP daemon (ntpd)
                          [1/4]: stopping ntpd
                          [2/4]: writing configuration
                          [3/4]: configuring ntpd to start on boot
                          [4/4]: starting ntpd
                        Done configuring NTP daemon (ntpd).
                        Configuring directory server (dirsrv).
                        Estimated time: 1 minute
                          [1/42]: creating directory server user
                          [2/42]: creating directory server instance
                          [3/42]: updating configuration in dse.ldif
                          [4/42]: restarting directory server
                          [5/42]: adding default schema
                          [6/42]: enabling memberof plugin
                          [7/42]: enabling winsync plugin
                          [8/42]: configuring replication version plugin
                          [9/42]: enabling IPA enrollment plugin
                          [10/42]: enabling ldapi
                          [11/42]: configuring uniqueness plugin
                          [12/42]: configuring uuid plugin
                          [13/42]: configuring modrdn plugin
                          [14/42]: configuring DNS plugin
                          [15/42]: enabling entryUSN plugin
                          [16/42]: configuring lockout plugin
                          [17/42]: configuring topology plugin
                          [18/42]: creating indices
                          [19/42]: enabling referential integrity plugin
                          [20/42]: configuring ssl for ds instance
                          [21/42]: configuring certmap.conf
                          [22/42]: configure autobind for root
                          [23/42]: configure new location for managed
                        entries
                          [24/42]: configure dirsrv ccache
                          [25/42]: enabling SASL mapping fallback
                          [26/42]: restarting directory server
                          [27/42]: setting up initial replication
                        Starting replication, please wait until this
                        has completed.
                        Update in progress, 4 seconds elapsed
                        Update succeeded

                          [28/42]: adding sasl mappings to the directory
                          [29/42]: updating schema
                          [30/42]: setting Auto Member configuration
                          [31/42]: enabling S4U2Proxy delegation
                          [32/42]: importing CA certificates from LDAP
                          [33/42]: initializing group membership
                          [34/42]: adding master entry
                          [35/42]: initializing domain level
                          [36/42]: configuring Posix uid/gid generation
                          [37/42]: adding replication acis
                          [38/42]: enabling compatibility plugin
                          [39/42]: activating sidgen plugin
                          [40/42]: activating extdom plugin
                          [41/42]: tuning directory server
                          [42/42]: configuring directory to start on boot
                        Done configuring directory server (dirsrv).
                        Configuring certificate server (pki-tomcatd).
                        Estimated time: 3 minutes 30 seconds
                          [1/27]: creating certificate server user
                          [2/27]: configuring certificate server instance
                          [3/27]: stopping certificate server
                        instance to update CS.cfg
                          [4/27]: backing up CS.cfg
                          [5/27]: disabling nonces
                          [6/27]: set up CRL publishing
                          [7/27]: enable PKIX certificate path
                        discovery and validation
                          [8/27]: starting certificate server instance

                        And here is stays and refuses to move on. The
                        ipareplica-install.log log reports:
                        2017-05-18T08:40:07Z DEBUG
                        wait_for_open_ports: localhost [8080, 8443]
                        timeout 300
                        2017-05-18T08:40:09Z DEBUG Waiting until the
                        CA is running
                        2017-05-18T08:40:09Z DEBUG request POST
                        http://ipa2.SITE.net:8080/ca/admin/ca/getStatus
                        2017-05-18T08:40:09Z DEBUG request body ''

                        I have tried and that port is indeed
                        inaccessible but I can't establish a way to
                        progress this issue from any of the the other
                        log files. Also I have seen in the 4.4.4
                        release notes that IPv6 being disabled on the
                        master can cause issues, re-enabling (at
                        least in /etc/hosts) did not seem to help.

                        If anyone is able to offer ideas that would
                        be very much appreciated. I am tempted to
                        remove the --setup-ca option to see if this
                        helps.

                        Thanks,

                        Callum



                        *^0333 332 0000  | www.x-on.co.uk
                        <http://www.x-on.co.uk> |
                        _**_^<https://www.linkedin.com/company/x-on>
                        <https://www.facebook.com/XonTel>
                        <https://twitter.com/xonuk> *
                        X-on is a trading name of Storacall
                        Technology Ltd a limited company registered
                        in England and Wales.
                        Registered Office : Avaland House, 110 London
                        Road, Apsley, Hemel Hempstead, Herts, HP3
                        9SD. Company Registration No. 2578478.
                        The information in this e-mail is
                        confidential and for use by the addressee(s)
                        only. If you are not the intended recipient,
                        please notify X-on immediately on +44(0)333
                        332 0000 <tel:+44%20333%20332%200000> and
                        delete the
                        message from your computer. If you are not a
                        named addressee you must not use, disclose,
                        disseminate, distribute, copy, print or reply
                        to this email. Views or opinions expressed by
                        an individual
                        within this email may not necessarily reflect
                        the views of X-on or its associated
                        companies. Although X-on routinely screens
                        for viruses, addressees should scan this
                        email and any attachments
                        for viruses. X-on makes no representation or
                        warranty as to the absence of viruses in this
                        email or any attachments.


                        --
                        Manage your subscription for the
                        Freeipa-users mailing list:
                        https://www.redhat.com/mailman/listinfo/freeipa-users
                        Go to http://freeipa.org for more info on the
                        project





            *^0333 332 0000  | www.x-on.co.uk <http://www.x-on.co.uk>
            | _**_^<https://www.linkedin.com/company/x-on>
            <https://www.facebook.com/XonTel>
            <https://twitter.com/xonuk> *
            X-on is a trading name of Storacall Technology Ltd a
            limited company registered in England and Wales.
            Registered Office : Avaland House, 110 London Road,
            Apsley, Hemel Hempstead, Herts, HP3 9SD. Company
            Registration No. 2578478.
            The information in this e-mail is confidential and for
            use by the addressee(s) only. If you are not the intended
            recipient, please notify X-on immediately on +44(0)333
            332 0000 <tel:+44%20333%20332%200000> and delete the
            message from your computer. If you are not a named
            addressee you must not use, disclose, disseminate,
            distribute, copy, print or reply to this email. Views or
            opinions expressed by an individual
            within this email may not necessarily reflect the views
            of X-on or its associated companies. Although X-on
            routinely screens for viruses, addressees should scan
            this email and any attachments
            for viruses. X-on makes no representation or warranty as
            to the absence of viruses in this email or any attachments.




    *^0333 332 0000  | www.x-on.co.uk <http://www.x-on.co.uk>  |
    _**_^<https://www.linkedin.com/company/x-on>
    <https://www.facebook.com/XonTel> <https://twitter.com/xonuk> *
    X-on is a trading name of Storacall Technology Ltd a limited
    company registered in England and Wales.
    Registered Office : Avaland House, 110 London Road, Apsley, Hemel
    Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
    The information in this e-mail is confidential and for use by the
    addressee(s) only. If you are not the intended recipient, please
    notify X-on immediately on +44(0)333 332 0000
    <tel:+44%20333%20332%200000> and delete the
    message from your computer. If you are not a named addressee you
    must not use, disclose, disseminate, distribute, copy, print or
    reply to this email. Views or opinions expressed by an individual
    within this email may not necessarily reflect the views of X-on
    or its associated companies. Although X-on routinely screens for
    viruses, addressees should scan this email and any attachments
    for viruses. X-on makes no representation or warranty as to the
    absence of viruses in this email or any attachments.




-- Martin Bašti
    Software Engineer
    Red Hat Czech



*^0333 332 0000 | www.x-on.co.uk <http://www.x-on.co.uk> | _**_^<https://www.linkedin.com/company/x-on> <https://www.facebook.com/XonTel> <https://twitter.com/xonuk> * X-on is a trading name of Storacall Technology Ltd a limited company registered in England and Wales. Registered Office : Avaland House, 110 London Road, Apsley, Hemel Hempstead, Herts, HP3 9SD. Company Registration No. 2578478. The information in this e-mail is confidential and for use by the addressee(s) only. If you are not the intended recipient, please notify X-on immediately on +44(0)333 332 0000 and delete the message from your computer. If you are not a named addressee you must not use, disclose, disseminate, distribute, copy, print or reply to this email. Views or opinions expressed by an individual within this email may not necessarily reflect the views of X-on or its associated companies. Although X-on routinely screens for viruses, addressees should scan this email and any attachments for viruses. X-on makes no representation or warranty as to the absence of viruses in this email or any attachments.


--
Martin Bašti
Software Engineer
Red Hat Czech

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to