On 07/26/2014 05:25 PM, Erinn Looney-Triggs wrote:
> Well it hasn't been all that pretty trying to move from RHEL 6.5 to
> RHEL 7.
>
> I have two servers providing my ipa instances ipa and ipa2. Given
> that I don't have a great deal of spare capacity the plan was to
> remove ipa2 from the replication agreement, modify DNS so that only
> IPA was available in SRV logs (IPA does not manage DNS at this
> point, was waiting for DNSSEC). As well, I would change my
> sudo-ldap config files to point to ipa and remove ipa2.
>
> Well that all worked well, installed RHEL 7 on the system and
> began working through the steps in the upgrade guide.
>
> First major problem was running into this bug:
> https://fedorahosted.org/freeipa/ticket/4375
> ValueError: nsDS5ReplicaId has 2 values, one expected.
>
> Went and patched the replication.py file to get around that issue,
> and we moved on.
>
> Next up is my current issue:
> Exception from Java Configuration Servlet: Clone does not have all
> the required certificates.
>
> I suspect this is because I am running the CA as a subordinate to
> an AD CS instance, but I am unsure at this point.
>
> It has been a haul to get here, despite the short explanation. It
> seems that my primary ipa instance is working on only a hit or
> miss basis for Kerberos tickets, which has made all this a bit of a
> pain. You can kinit as admin once and it will fail, unable to find
> the KDC; try again another three times and it will work. I have even
> modified the krb5.conf file to point directly at the server, thus
> bypassing DNS SRV lookups, however, that hasn't worked.
>
> Point is, any help would be appreciated on the aforementioned
> error.
>
> -Erinn

To reply to myself here, I believe the problem may be that I had to
renew the CA certificates and as such the certificates in
/root/cacert.p12 are no longer valid. It is this file that gets
bundled up with whatever else using ipa-replica-prepare, so I will
have to create a new one that has the valid certificates in it.
One way or another though, if it isn't already documented, during a CA
renewal this file should probably be updated with the correct
certificates.

-Erinn
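
Added example, not part of the original message or of FreeIPA's own tooling: a shell check that lists every certificate inside a PKCS#12 bundle such as /root/cacert.p12 and flags any that are expired or about to expire, as a pre-flight step before ipa-replica-prepare bundles the file. It assumes "no longer valid" shows up as an expiry date and that the bundle password is stored in a file; the function names and the demo certificate are constructed for illustration. A superseded but unexpired certificate is not flagged, so compare the printed serial numbers with the renewed certificates.

```shell
#!/bin/sh
# Added example (not from the original post). Lists every certificate in a
# PKCS#12 bundle and flags those expired or expiring within WINDOW seconds.

# check_p12 FILE PASSFILE [WINDOW]; returns 0 if none are stale, 1 if any
# are, 2 if the bundle cannot be read (wrong password, corrupt file).
check_p12() {
    p12=$1 passfile=$2 window=${3:-0}
    tmpdir=$(mktemp -d) || return 2
    # Dump certificates only; private keys are not written out.
    if ! openssl pkcs12 -in "$p12" -passin "file:$passfile" -nokeys \
            > "$tmpdir/all.pem" 2>/dev/null; then
        rm -rf "$tmpdir"
        echo "cannot read $p12" >&2
        return 2
    fi
    # Split the PEM stream into one file per certificate.
    awk -v d="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; on = 1 }
        on { print > (d "/cert" n ".pem") }
        /-----END CERTIFICATE-----/ { on = 0 }' "$tmpdir/all.pem"
    stale=0
    for c in "$tmpdir"/cert*.pem; do
        [ -f "$c" ] || continue
        info=$(openssl x509 -in "$c" -noout -subject -serial -enddate | tr '\n' ' ')
        # -checkend N exits non-zero if the cert expires within N seconds.
        if openssl x509 -in "$c" -noout -checkend "$window" >/dev/null; then
            echo "OK    $info"
        else
            echo "STALE $info"
            stale=$((stale + 1))
        fi
    done
    rm -rf "$tmpdir"
    [ "$stale" -eq 0 ]
}

# Constructed demo input: a throwaway self-signed cert valid for one day.
make_demo_p12() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo CA (constructed)" \
        -keyout "$dir/k.pem" -out "$dir/c.pem" 2>/dev/null &&
    printf 'demo-pass\n' > "$dir/pw" &&
    openssl pkcs12 -export -inkey "$dir/k.pem" -in "$dir/c.pem" \
        -out "$dir/demo.p12" -passout "file:$dir/pw"
}

if [ "$#" -ge 2 ]; then check_p12 "$@"; fi
```

A window of 0 reports only certificates that have already expired; a larger window (in seconds) also catches ones that would lapse shortly after the replica is installed.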