Hi Dan,

I had a similar problem when updating my FreeIPA. In my case it turned out that the certificates that get bundled with the replica preparation file were expired. This is due to the /root/cacert.p12 file not being updated during the preparation process until FreeIPA 3.2.2. The file can be recreated with the commands from step 2 of http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

If that does not solve the problem, it would be good to see (part of) the actual logfiles of your replica installation attempt.

Best regards
-- 
Sebastian Schäfer, M. A.
-------------------------------
Deutsches Zentrum für Luft- und Raumfahrt e.V. (DLR)
Institute of Space Operations and Astronaut Training
Microgravity User Support Center (MUSC)
Linder Höhe | 51147 Köln
Telefon 02203 601-30 01 | Telefax: 02203 61471 | sebastian.schae...@dlr.de
www.DLR.de

On 06/01/2016 06:45 PM, dan.finkelst...@high5games.com wrote:
> Hi folks,
>
> As the subject suggests, we're converting from FreeIPA 3.0.0 on CentOS 6
> to 4.2.0 on CentOS 7. The way we're doing it is to create FreeIPA
> replicas in CentOS 7 and then hope to promote one of them to the CA
> master. I'm running into two problems:
>
> The first is that when we create a replica in FreeIPA 4.2.0 with the
> --setup-ca option, that portion fails. Here's a snippet of the output:
>
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
> 30 seconds
>
> [1/23]: creating certificate server user
>
> [2/23]: configuring certificate server instance
>
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
> configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f'
> '/tmp/tmpqPeYOW'' returned non-zero exit status 1
>
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
> installation logs and the following files/directories for more information:
>
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
> /var/log/pki-ca-install.log
>
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
> /var/log/pki/pki-tomcat
>
> [error] RuntimeError: CA configuration failed.
>
> Your system may be partly configured.
>
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
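
The reply above traces the failure to expired certificates carried in /root/cacert.p12. As an added example (not part of the thread and not FreeIPA code), these shell functions use openssl to report the expiry status of every certificate in such a bundle; the function names, the password-file argument and the sample certificate are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread): flag expired or soon-to-expire
# certificates in a PKCS#12 bundle such as /root/cacert.p12.

# check_pem_bundle [WINDOW_SECONDS] < certs.pem
# Prints "STATUS<TAB>subject<TAB>notAfter" for each certificate on stdin.
# Exit status: 0 all valid, 1 expired/expiring found, 2 no certificate found.
# The ( ) body runs in a subshell, so variables stay local to the call.
check_pem_bundle() (
    window="${1:-0}"
    rc=0
    tmpdir="$(mktemp -d)" || exit 2
    # Write each PEM certificate to its own file; skip bag-attribute lines.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    '
    for f in "$tmpdir"/cert*.pem; do
        if [ ! -e "$f" ]; then
            echo "no certificates found on stdin" >&2
            rc=2
            break
        fi
        # -checkend N exits non-zero if the certificate expires within N seconds.
        if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null; then
            status=EXPIRED; rc=1
        elif ! openssl x509 -in "$f" -noout -checkend "$window" >/dev/null; then
            status=EXPIRING; rc=1
        else
            status=OK
        fi
        printf '%s\t%s\t%s\n' "$status" \
            "$(openssl x509 -in "$f" -noout -subject)" \
            "$(openssl x509 -in "$f" -noout -enddate)"
    done
    rm -rf "$tmpdir"
    exit "$rc"
)

# check_p12 FILE PASSFILE [WINDOW_SECONDS]
# PASSFILE holds the bundle password (its location is an assumption of this example).
check_p12() {
    openssl pkcs12 -in "$1" -nokeys -passin "file:$2" | check_pem_bundle "${3:-0}"
}

# Constructed sample input: a throwaway self-signed certificate valid for one day.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-sample" -keyout /dev/null 2>/dev/null
}
```

Run `check_p12` against the bundle on the existing master before preparing the replica file. On OpenSSL 3.x, a bundle written with older encryption algorithms may need `-legacy` added to the `openssl pkcs12` call.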