On 07/25/2018 12:02 AM, Jared Biel via FreeIPA-users wrote:
Hello,
I'm trying to add a CA replica to an already established "regular"
replica and am unable to do so. Can anyone point me to instructions for
how to do this? It seems like maybe some files need to be manually
copied over from the existing replica but none of the instructions that
I've found mention this. The existing CA is running 4.5.4 and the new
replica is 4.7.0 (I'm trying to migrate to 4.7.0 entirely.)
Hi,
I was able to reproduce the first part of your issue (ERROR: Failed to
add lightweight CA...), this is a bug in FreeIPA. Could you open a
pagure ticket at https://pagure.io/freeipa/new_issue?
The issue can be easily reproduced with:
* on the master:
ipa-server-install (with integrated ca)
kinit admin
ipa ca-add (create a lightweight CA on the master)
* on the replica:
ipa-replica-install
ipa-ca-install
ipa-ca-install is internally calling ipa-certupdate, and ipa-certupdate
tries to track lightweight CA even though there is no CA instance yet on
the replica.
Regarding the 2nd issue (pkispawn failure), can you provide the replica
logs in /var/log/pki/pki-ca-spawn-$DATE.log? They may provide more
information.
Thanks,
flo
Regarding the output below, /var/log/pki/pki-tomcat does not exist and
there are only 2 uninteresting files in /var/log/pki.
Thanks.
# ipa-ca-install
Directory Manager (existing master) password:
ipaclient.install.ipa_certupdate: ERROR Failed to add lightweight CA
tracking requests
Traceback (most recent call last):
File
"/usr/lib/python3.6/site-packages/ipaclient/install/ipa_certupdate.py",
line 117, in run_with_args
cainstance.add_lightweight_ca_tracking_requests(lwcas)
File
"/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line
1914, in add_lightweight_ca_tracking_requests
pin=certmonger.get_pin('internal'),
File "/usr/lib/python3.6/site-packages/ipalib/install/certmonger.py",
line 672, in get_pin
with open(paths.PKI_TOMCAT_PASSWORD_CONF, 'r') as f:
FileNotFoundError: [Errno 2] No such file or directory:
'/etc/pki/pki-tomcat/password.conf'
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/26]: creating certificate server db
[2/26]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 5 seconds elapsed
Update succeeded
[3/26]: creating ACIs for admin
[4/26]: creating installation admin user
[5/26]: configuring certificate server instance
ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA
instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA',
'-f', '/tmp/tmp0n1ii3z2'] returned non-zero exit status 1: '')
ipaserver.install.dogtaginstance: CRITICAL See the installation logs and
the following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
CA configuration failed.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/NPCSGJ7P7Y6M3HXSJDWXLRW2EZVN4CTI/
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/S24KZEVEMGXW5OLW3ZHC3WWR2MQWT2KT/