[Freeipa-devel] ipa-server-install reporting "missing basic constraints" for ipa cert while it has X509v3 Basic Constraints:CA:TRUE

2018-02-15 Thread Amit via FreeIPA-devel
Hello,

This is the process I followed:
# ipa-server-install --external-ca

/root/ipa.csr.
# openssl req -text -noout -verify -in /root/ipa.csr
verify OK
Certificate Request:
Data:
Version: 0 (0x0)
Subject: O=GSSLAB.PNQ2.REDHAT.COM, CN=Certificate Authority
Subject Public Key Info:..
Attributes:
Requested Extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Certificate Sign,
CRL Sign

//root CA
# openssl x509 -noout -text -in MyRootCA.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
89:aa:02:78:65:ae:47:fa
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=IN, O=RH, OU=IDM, CN=CN=rootCA
Validity
Not Before: Feb 15 08:35:15 2018 GMT
Not After : Dec  5 08:35:15 2020 GMT
Subject: C=IN, O=RH, OU=IDM, CN=CN=rootCA
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE

*//Intermediate CA*
openssl x509 -noout -text -in intermidiateCA.crt
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
dc:95:74:7a:9b:7e:b2:17
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=IN, O=RH, OU=IDM, CN=CN=rootCA
Validity
Not Before: Feb 15 08:36:32 2018 GMT
Not After : Mar 17 08:36:32 2018 GMT
Subject: C=IN, O=RH, OU=IDM, CN=CN=interCA



*IPA Cert*
# openssl x509 -noout -text -in user.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
8e:35:5a:00:e9:82:af:2b
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=IN, O=RH, OU=IDM, CN=CN=interCA
Validity
Not Before: Feb 15 08:37:36 2018 GMT
Not After : Mar 17 08:37:36 2018 GMT
Subject: O=GSSLAB.PNQ2.REDHAT.COM, CN=Certificate Authority
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE

*Creating CA Chain*:
cat rootCA.crt intermidiateCA.crt > ca-chain.pem

*And when I try installing ipa*:
# ipa-server-install
--external-cert-file=/root/ca-hierarchy/ca-chain.pem
--external-cert-file=/root/ca-hierarchy/user.pem

The log file for this installation can be found in
/var/log/ipaserver-install.log
Directory Manager password:

==
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure the KDC to enable PKINIT

ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall):
ERROR CA certificate CN=CN\=rootCA,OU=IDM,O=RH,C=IN in
/root/ca-hierarchy/ca-chain.pem, /root/ca-hierarchy/user.pem is not
valid: missing basic constraints
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall):
ERROR The ipa-server-install command failed. See
/var/log/ipaserver-install.log for more information
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
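
Added example, not part of the original message and not FreeIPA's own validation code: a stdlib-only Python check that reads `openssl x509 -noout -text` output for each certificate in a chain and reports which ones lack a usable Basic Constraints extension. `SAMPLE` is constructed from the three dumps posted above (trimmed to the fields the check reads), and the function names are hypothetical.

```python
import re

# Constructed sample: the three certificate dumps from the message above,
# concatenated and trimmed to the fields this check reads.
SAMPLE = """\
Certificate:
    Version: 3 (0x2)
    Issuer: C=IN, O=RH, OU=IDM, CN=CN=rootCA
    Subject: C=IN, O=RH, OU=IDM, CN=CN=rootCA
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:TRUE
Certificate:
    Version: 1 (0x0)
    Issuer: C=IN, O=RH, OU=IDM, CN=CN=rootCA
    Subject: C=IN, O=RH, OU=IDM, CN=CN=interCA
Certificate:
    Version: 3 (0x2)
    Issuer: C=IN, O=RH, OU=IDM, CN=CN=interCA
    Subject: O=GSSLAB.PNQ2.REDHAT.COM, CN=Certificate Authority
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:TRUE
"""

# "critical" is optional on the header line; the CA flag is on the next line.
BC_RE = re.compile(
    r"X509v3 Basic Constraints:[ \t]*(critical)?[ \t]*\n\s*CA:(TRUE|FALSE)")


def field(name, text):
    """Return the value of the first 'Name: value' line, or None."""
    m = re.search(r"^\s*%s:[ \t]*(.+)$" % re.escape(name), text, re.M)
    return m.group(1).strip() if m else None


def inspect_cert(text):
    """Summarise one text dump and list what stops it acting as a CA."""
    version = field("Version", text)
    version = int(version.split()[0]) if version else None
    bc = BC_RE.search(text)
    problems, warnings = [], []
    if version is None:
        problems.append("no Version field in dump")
    elif version < 3:
        # Extensions exist only in X.509 v3, so v1/v2 cannot assert CA:TRUE.
        problems.append("X.509 v%d: cannot carry extensions" % version)
    if bc is None:
        problems.append("missing Basic Constraints")
    elif bc.group(2) != "TRUE":
        problems.append("Basic Constraints says CA:FALSE")
    elif bc.group(1) is None:
        # RFC 5280 section 4.2.1.9: CA certificates must mark it critical.
        warnings.append("Basic Constraints not marked critical")
    subject, issuer = field("Subject", text), field("Issuer", text)
    return {"subject": subject, "issuer": issuer, "version": version,
            "self_signed": subject is not None and subject == issuer,
            "problems": problems, "warnings": warnings}


def check_bundle(text):
    """Inspect every certificate in a concatenated text dump, in order."""
    chunks = re.split(r"(?m)^Certificate:[ \t]*$", text)[1:]
    return [inspect_cert(chunk) for chunk in chunks]


if __name__ == "__main__":
    for r in check_bundle(SAMPLE):
        print(r["subject"], "->", "; ".join(r["problems"]) or "no blocking problem")
```

`openssl x509` prints only the first certificate in a file, so for a bundle such as ca-chain.pem the text can be produced with `openssl crl2pkcs7 -nocrl -certfile ca-chain.pem | openssl pkcs7 -print_certs -text -noout` and passed to `check_bundle`. On the sample it flags only the interCA certificate, whose dump shows Version 1 and no extensions.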


[Freeipa-devel] Re: replica installation without CA

2018-02-19 Thread Amit via FreeIPA-devel
Now I am getting this Error:

# ipa-replica-install --dirsrv-cert-file /root/rootCA.crt
--dirsrv-cert-file /root/dirsrv.crt --dirsrv-cert-file /root/dirsrv.key
--dirsrv-pin amit --http-cert-file /root/rootCA.crt --http-cert-file
/root/http.crt --http-cert-file /root/http.key --http-pin amit --no-pkinit
WARNING: conflicting time synchronization service 'chronyd' will
be disabled in favor of ntpd

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
ERROR The server certificate in /root/rootCA.crt, /root/http.crt,
/root/http.key is not valid: invalid for server
rhel7u4-7.gsslab.pnq2.redhat.com
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
ERROR The ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information
[root@rhel7u4-7 ~]# openssl verify -CAfile rootCA.crt  dirsrv.crt
dirsrv.crt: OK
[root@rhel7u4-7 ~]# openssl verify -CAfile rootCA.crt  http.crt
http.crt: OK
[root@rhel7u4-7 ~]#

CN= in http.crt.

Attached rootCA.crt, http.crt



On 02/19/2018 06:05 PM, Florence Blanc-Renaud wrote:
> On 02/19/2018 11:28 AM, Amit via FreeIPA-devel wrote:
>> Thanks Flo for response.
>>
>> When I am using --pkinit-cert-file to provide rootca cert and key. Still
>> not able to install replica.
>>
>> # ipa-replica-install --pkinit-cert-file /root/rootCA.crt
>> --pkinit-cert-file /root/rootCA.key --pkinit-pin amit --dirsrv-cert-file
>> /root/dirsrv.crt --dirsrv-cert-file /root/dirsrv.key --dirsrv-pin amit
>> --http-cert-file /root/http.crt --http-cert-file /root/http.key
>> --http-pin amit
>
> Hi Amit,
>
> the root CA needs to be provided for all the certs, i.e. in your case
> you also have to supply --dirsrv-cert-file /root/rootCA.crt
> --http-cert-file /root/rootCA.crt
>
> Note: you do not need to supply the root CA key, you can remove
> --pkinit-cert-file /root/rootCA.key
>
> HTH,
> Flo
>
>> WARNING: conflicting time synchronization service 'chronyd' will
>> be disabled in favor of ntpd
>>
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
>> ERROR The full certificate chain is not present in /root/http.crt,
>> /root/http.key
>> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
>> ERROR The ipa-replica-install command failed. See
>> /var/log/ipareplica-install.log for more information
>> #
>>
>>
>> On 02/19/2018 03:27 PM, Florence Blanc-Renaud wrote:
>>> On 02/19/2018 08:28 AM, Amit via FreeIPA-devel wrote:
>>>> Hello,
>>>>
>>>> I installed IPA Server successfully with following command:
>>>>
>>>> # ipa-server-install
>>>>   --ca-cert-file /root/ca-hierarchy/rootCA.crt
>>>>   --dirsrv-cert-file /root/ca-hierarchy/dirsrv.crt
>>>> --dirsrv-cert-file
>>>> /root/ca-hierarchy/dirsrv.key --dirsrv-pin amit
>>>>   --http-cert-file /root/ca-hierarchy/http.crt --http-cert-file
>>>> /root/ca-hierarchy/http.key  --http-pin amit
>>>>   --no-pkinit
>>>>
>>>> Now when I tried installing replica using this process:
>>>> 1. scp http.key, http.crt, dirsrv.key, dirsrv.crt to replica
>>>> 2. Made replica as IPA client:
>>>> # vim /etc/hosts
>>>>  
>>>> # ntpdate 
>>>> # ipa-client-install  --domain   --server
>>>> 
>>>> # kinit admin
>>>> # getent passwd admin;id admin;//Works
>>>>
>>>> 3. # ipa-replica-install --dirsrv-cert-file /root/dirsrv.crt
>>>> --dirsrv-cert-file /root/dirsrv.key --dirsrv-pin amit --http-cert-file
>>>> /root/http.crt --http-cert-file /root/http.key --http-pin amit
>>>> --no-pkinit
>>>> WARNING: conflicting time synchronization service 'chronyd' will
>>>> be disabled in favor of ntpd
>>>>
>>>> Your system may be partly configured.
>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>
>>>> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
>>>> ERROR The full certificate chain is not present in /root/http.crt,
>>>> /root/http.key
>>> Hi,
>>>
>>> you can use multiple times the --http-cert-file / --dirsrv-cert-file /
>>> --pkinit-cert-file to also provide the root cert.
>>>
>>> The doc for replica installation without a CA states th

[Freeipa-devel] Not able to renew certs using 'ipa-gertcert request'

2018-02-22 Thread Amit via FreeIPA-devel
Hello,

_This command is executed at IPA Client_:
# date;ipa-getcert request -vvv -T SubjectAlternateNamesCert -R -K 
TEST/$(hostname) -E <>@<>  -f 
opt/certs/test3.crt -k /opt/certs/test3.key -X BLE-IDM-SUB1
Wed Feb 14 07:54:49 CET 2018
Certificate at same location is already used by request with nickname 
"20180207095750".
Error org.fedorahosted.certmonger.duplicate: Certificate at same location is 
already used by request with nickname "20180207095750".

# ipa-getcert stop-tracking --id "20180207095750"
Request "20180207095750" removed.

# date;ipa-getcert request -vvv -T SubjectAlternateNamesCert -R -K 
TEST/$(hostname) -E <>@<>  -f 
/opt/certs/test3.crt -k /opt/certs/test3.key -X BLE-IDM-SUB1
Wed Feb 14 07:55:19 CET 2018
New signing request "20180214065519" added.

# getcert list -i "20180214065519"
Number of certificates and requests being tracked: 1.
Request ID '20180214065519':
status: CA_REJECTED
ca-error: Server at https://<>/ipa/xml 
 denied our request, giving up: 3009 
(RPC failed at server.  invalid 'csr': subject alt name type RFC822Name is 
forbidden for non-user principals).
stuck: yes
key pair storage: type=FILE,location='/opt/certs/test3.key'
certificate: type=FILE,location='/opt/certs/test3.crt'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: no




Thanks
Amit


[Freeipa-devel] Re: replica installation without CA

2018-02-19 Thread Amit via FreeIPA-devel
Thanks Flo for response.

When I am using --pkinit-cert-file to provide rootca cert and key. Still
not able to install replica.

# ipa-replica-install --pkinit-cert-file /root/rootCA.crt
--pkinit-cert-file /root/rootCA.key --pkinit-pin amit --dirsrv-cert-file
/root/dirsrv.crt --dirsrv-cert-file /root/dirsrv.key --dirsrv-pin amit
--http-cert-file /root/http.crt --http-cert-file /root/http.key
--http-pin amit
WARNING: conflicting time synchronization service 'chronyd' will
be disabled in favor of ntpd

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
ERROR The full certificate chain is not present in /root/http.crt,
/root/http.key
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
ERROR The ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information
#


On 02/19/2018 03:27 PM, Florence Blanc-Renaud wrote:
> On 02/19/2018 08:28 AM, Amit via FreeIPA-devel wrote:
>> Hello,
>>
>> I installed IPA Server successfully with following command:
>>
>> # ipa-server-install
>>  --ca-cert-file /root/ca-hierarchy/rootCA.crt
>>  --dirsrv-cert-file /root/ca-hierarchy/dirsrv.crt --dirsrv-cert-file
>> /root/ca-hierarchy/dirsrv.key --dirsrv-pin amit
>>  --http-cert-file /root/ca-hierarchy/http.crt --http-cert-file
>> /root/ca-hierarchy/http.key  --http-pin amit
>>  --no-pkinit
>>
>> Now when I tried installing replica using this process:
>> 1. scp http.key, http.crt, dirsrv.key, dirsrv.crt to replica
>> 2. Made replica as IPA client:
>>   # vim /etc/hosts
>> 
>> # ntpdate 
>> # ipa-client-install  --domain   --server
>> 
>> # kinit admin
>> # getent passwd admin;id admin;//Works
>>
>> 3. # ipa-replica-install --dirsrv-cert-file /root/dirsrv.crt
>> --dirsrv-cert-file /root/dirsrv.key --dirsrv-pin amit --http-cert-file
>> /root/http.crt --http-cert-file /root/http.key --http-pin amit
>> --no-pkinit
>> WARNING: conflicting time synchronization service 'chronyd' will
>> be disabled in favor of ntpd
>>
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
>> ERROR The full certificate chain is not present in /root/http.crt,
>> /root/http.key
> Hi,
>
> you can use multiple times the --http-cert-file / --dirsrv-cert-file /
> --pkinit-cert-file to also provide the root cert.
>
> The doc for replica installation without a CA states that there is no
> need to add the --ca-cert-file option as ipa-replica-install should
> use the CA info from the master, but it is inconsistent with the
> current behavior. Either the doc or the code is wrong.
> Could you please open an issue?
>
> Thanks,
> Flo
>
> [1]
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/creating-the-replica#replica-install-setup-ca-less
>
>> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
>> ERROR The ipa-replica-install command failed. See
>> /var/log/ipareplica-install.log for more information
>> [root@rhel7u4-7 site-packages]#
>>
>>
>> Attached ipareplica-install.log
>>
>>
>> Huge Thanks In Advance
>> Amit
>>
>>
>>
>>
>

-- 
Thanks
Amit Kumar
!!If you stumble, get back up. 
What happened yesterday, no longer matters.
Today is another day to move closer to your GOAL!!


[Freeipa-devel] Re: ipa-replica-install --principal admin --admin-password --setup-ca Traceback

2018-03-16 Thread Amit via FreeIPA-devel
_destructor - ERROR bulk 
import abandoned
[06/Feb/2018:14:16:53.851487751 +0100] - ERR - import_run_pass - import 
userRoot: Thread monitoring returned: -23

[06/Feb/2018:14:16:53.852810886 +0100] - ERR - import_main_offline - import 
userRoot: Aborting all Import threads...
[06/Feb/2018:14:17:02.979086957 +0100] - ERR - import_main_offline - import 
userRoot: Import threads aborted.
[06/Feb/2018:14:17:02.982961132 +0100] - INFO - import_main_offline - import 
userRoot: Closing files...
[06/Feb/2018:14:17:03.092290649 +0100] - ERR - import_main_offline - import 
userRoot: Import failed.
[06/Feb/2018:14:17:03.110305211 +0100] - ERR - process_bulk_import_op - NULL 
target sdn
[06/Feb/2018:14:17:04.354545913 +0100] - ERR - NSMMReplicationPlugin - 
replica_replace_ruv_tombstone - Failed to update replication update vector for 
replica dc=example,dc=com: LDAP error


Command on IPA server idm01.example.com

[root@idm01 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b 
"dc=example,dc=com" 
'(&(nsuniqueid=---)(objectclass=nstombstone))'
Enter LDAP Password: 
dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
cn: replica
nsDS5Flags: 1
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindDN: krbprincipalname=ldap/idm02.example.com@EXAMPLE,cn=ser
 vices,cn=accounts,dc=example,dc=com
nsDS5ReplicaId: 4
nsDS5ReplicaName: abd8ec06-40d511e5-8b849572-73def7f6
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaType: 3
nsState:: BACIq3pamQADAA==
nsds5ReplicaLegacyConsumer: off
nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,
 dc=example,dc=com
nsds5replicabinddngroupcheckinterval: 60
objectClass: nsds5replica
objectClass: top
objectClass: extensibleobject
nsds50ruv: {replicageneration} 5a70773d0004
nsds50ruv: {replica 4 ldap://idm01.example.com:389} 5a70779c0004 5a7aa
 c2100020004
nsds50ruv: {replica 11 ldap://idm02.example.com:389}
nsds5agmtmaxcsn: dc=example,dc=com;meToidm02.example.com;idm02.example.com;
 389;unavailable
nsruvReplicaLastModified: {replica 4 ldap://idm01.example.com:389} 5a7aab88
nsruvReplicaLastModified: {replica 11 ldap://idm02.example.com:389} 
nsds5ReplicaChangeCount: 1460
nsds5replicareapactive: 0


# ipa-replica-manage list-ruv
Directory Manager password: 

Replica Update Vectors:
idm01.example.com:389: 4
idm02.example.com:389: 11
Certificate Server Replica Update Vectors:
No CS-RUVs found.



On 03/13/2018 12:53 PM, Florence Blanc-Renaud wrote:
> On 03/12/2018 06:09 PM, Amit wrote:
>> Hello Flo,
>>
>> PFA replica-install log.
>
> Hi,
>
> sorry if I was not clear, but I meant 389-ds access logs, located
> in /var/log/dirsrv/slapd-DOMxxx/access. The ones from the master and
> the soon-to-be-replica may provide more information. The customer may
> also try ipa-replica-install with the -d option, which will add debug
> information to the ipareplica-install.log file.
>
> Flo
>
>> Thanks
>>
>> On 03/12/2018 01:59 PM, Florence Blanc-Renaud wrote:
>>> On 03/10/2018 12:07 PM, Amit via FreeIPA-devel wrote:
>>>> Ping!!
>>>>
>>>> On 03/09/2018 02:08 PM, Amit wrote:
>>>>> Hello,
>>>>>
>>>>> Any thoughts would be helpful.
>>>>>
>>>>> Thanks
>>>>>
>>>>> On 03/07/2018 02:57 PM, Amit wrote:
>>>>>> Hello,
>>>>>>
>>>>>> This is the scenario in the customer env.
>>>>>> The customer is using a fresh machine to install the replica.
>>>>>>
>>>>>> *IPA-Server*
>>>>>> # ipa-server-install --no-ntp //Success
>>>>>>
>>>>>> *IPA Replica*
>>>>>> # ipa-replica-install --principal admin --admin-password  --setup-ca
>>>>>> DEBUG Traceback (most recent call last):
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
>>>>>>     run_step(full_msg, method)
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
>>>>>>     method()
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 439, in __setup_replica
>>>>>>     cacert=self.ca_file)
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1666, in setup_promote_replication
>>>>>>     raise RuntimeError("Failed to start replication")
>>>>>> RuntimeError: Failed to start replication
>>>>>> 2018-02-06T06:56:48Z DEBUG [error] RuntimeError: Failed

[Freeipa-devel] Re: ipa-replica-install --principal admin --admin-password --setup-ca Traceback

2018-03-10 Thread Amit via FreeIPA-devel
Ping!!


On 03/09/2018 02:08 PM, Amit wrote:
> Hello,
>
> Any thoughts would be helpful.
>
> Thanks
>
>
> On 03/07/2018 02:57 PM, Amit wrote:
>> Hello,
>>
>> This is the scenario in the customer env.
>> The customer is using a fresh machine to install the replica.
>>
>> *IPA-Server*
>> # ipa-server-install --no-ntp //Success
>>
>>
>> *IPA Replica*
>> # ipa-replica-install --principal admin --admin-password 
>> --setup-ca
>> DEBUG Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
>>     run_step(full_msg, method)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
>>     method()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 439, in __setup_replica
>>     cacert=self.ca_file)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1666, in setup_promote_replication
>>     raise RuntimeError("Failed to start replication")
>> RuntimeError: Failed to start replication
>> 2018-02-06T06:56:48Z DEBUG [error] RuntimeError: Failed to start replication
>> 2018-02-06T06:56:48Z DEBUG Destroyed connection context.ldap2_113870544
>> 2018-02-06T06:56:48Z DEBUG Backing up system configuration file '/etc/ipa/default.conf'
>> 2018-02-06T06:56:48Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
>> 2018-02-06T06:56:48Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
>>     return_value = self.run()
>>
>> While I cannot repro in my local lab
>>

-- 
Thanks
Amit Kumar
!!If you stumble, get back up. 
What happened yesterday, no longer matters.
Today is another day to move closer to your GOAL!!


[Freeipa-devel] Re: ipa-replica-install --principal admin --admin-password --setup-ca Traceback

2018-03-09 Thread Amit via FreeIPA-devel
Hello,

Any thoughts would be helpful.

Thanks


On 03/07/2018 02:57 PM, Amit wrote:
> Hello,
>
> This is the scenario in the customer env.
> The customer is using a fresh machine to install the replica.
>
> *IPA-Server*
> # ipa-server-install --no-ntp //Success
>
>
> *IPA Replica*
> # ipa-replica-install --principal admin --admin-password 
> --setup-ca
> DEBUG Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
>     method()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 439, in __setup_replica
>     cacert=self.ca_file)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1666, in setup_promote_replication
>     raise RuntimeError("Failed to start replication")
> RuntimeError: Failed to start replication
> 2018-02-06T06:56:48Z DEBUG [error] RuntimeError: Failed to start replication
> 2018-02-06T06:56:48Z DEBUG Destroyed connection context.ldap2_113870544
> 2018-02-06T06:56:48Z DEBUG Backing up system configuration file '/etc/ipa/default.conf'
> 2018-02-06T06:56:48Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
> 2018-02-06T06:56:48Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
>     return_value = self.run()
>
> While I cannot repro in my local lab
>

-- 
Thanks
Amit Kumar
!!If you stumble, get back up. 
What happened yesterday, no longer matters.
Today is another day to move closer to your GOAL!!



[Freeipa-devel] ipa-replica-install --principal admin --admin-password --setup-ca Traceback

2018-03-07 Thread Amit via FreeIPA-devel
Hello,

This is the scenario in the customer env.
The customer is using a fresh machine to install the replica.

*IPA-Server*
# ipa-server-install --no-ntp //Success

*IPA Replica*
# ipa-replica-install --principal admin --admin-password 
--setup-ca
DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 439, in __setup_replica
    cacert=self.ca_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1666, in setup_promote_replication
    raise RuntimeError("Failed to start replication")
RuntimeError: Failed to start replication
2018-02-06T06:56:48Z DEBUG [error] RuntimeError: Failed to start replication
2018-02-06T06:56:48Z DEBUG Destroyed connection context.ldap2_113870544
2018-02-06T06:56:48Z DEBUG Backing up system configuration file '/etc/ipa/default.conf'
2018-02-06T06:56:48Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
2018-02-06T06:56:48Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()

While I cannot repro in my local lab

-- 
Thanks
Amit Kumar