Hi all,

I'm trying to set up a replica from RHEL6.9 FreeIPA 3.0.0 to RHEL7.3 RHEL 4.4.0.

What I'm trying to achieve is an isolated FreeIPA 4.4 server that we could 
replace the original FreeIPA 3.0 infrastructure with. The way I'm doing this is:

 1) prepare replica file on production ipa01 and copy to ipasync
 2) install replica with CA on ipasync and then remove all connections to 
ipa01, ipa02 and ipa03 (which is the entire production infrastructure)
 3) Upgrade schema on ipasync and upgrade to RHEL 6.9 (from RHEL 6.7)
 4) Prepare replica file on ipasync and copy to ipa01 (a new clean installation 
in test that should later replace ipa01 in prod)
 5) install replica with CA on ipa01 and then remove all connections to ipasync

* Right now I'm failing at the create CA phase in step 5 with:

  [2/27]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA 
instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpDsKVFr' returned 
non-zero exit status 1

* I can see that it fails on the subsystem Clone URI in 
/var/log/ipareplica-install.log

Installation failed:
com.netscape.certsrv.base.BadRequestException: Clone URI does not match 
available subsystems: https://ipasync.xxx.com:443
Please check the CA logs in /var/log/pki/pki-tomcat/ca.
2017-07-11T15:24:52Z DEBUG stderr=pkispawn    : WARNING  ....... unable to 
validate security domain user/password through REST interface. Interface not 
available

* To get more details I check the debug log for tomcat and find that it still 
tries to match against the old infrastructure and not the ipasync server:

# cat /var/log/pki/pki-tomcat/ca/debug
...
[11/Jul/2017:17:24:52][http-bio-8443-exec-3]: len is 3
[11/Jul/2017:17:24:52][http-bio-8443-exec-3]: hostname: <ipa01.xxx.com>
[11/Jul/2017:17:24:52][http-bio-8443-exec-3]: admin_port: <443>
[11/Jul/2017:17:24:52][http-bio-8443-exec-3]: hostname: <ipa02.xxx.com>
[11/Jul/2017:17:24:52][http-bio-8443-exec-3]: admin_port: <443>
[11/Jul/2017:17:24:52][http-bio-8443-exec-3]: hostname: <ipa03.xxx.com>
[11/Jul/2017:17:24:52][http-bio-8443-exec-3]: admin_port: <443>
[11/Jul/2017:17:24:52][http-bio-8443-exec-3]: === Subsystem Configuration ===
[11/Jul/2017:17:24:52][http-bio-8443-exec-3]: SystemConfigService: validate 
clone URI: https://ipasync.xxx.com:443
[11/Jul/2017:17:24:52][http-bio-8443-exec-3]: Clone URI does not match 
available subsystems: https://ipasync.xxx.com:443

* I validate this by checking the calist in getDomainXML:

# wget --no-check-certificate 
https://ipasync.xxx.com:443/ca/admin/ca/getDomainXML
# cat getDomainXML | xmllint --format -
...
  <CAList>
    <CA>
      <DomainManager>TRUE</DomainManager>
      <SubsystemName>pki-cad</SubsystemName>
      <Clone>FALSE</Clone>
      <UnSecurePort>80</UnSecurePort>
      <SecureEEClientAuthPort>443</SecureEEClientAuthPort>
      <SecureAdminPort>443</SecureAdminPort>
      <SecureAgentPort>443</SecureAgentPort>
      <SecurePort>443</SecurePort>
      <Host>ipa01.xxx.com</Host>
    </CA>
    <CA>
      <SubsystemName>pki-cad</SubsystemName>
      <Clone>TRUE</Clone>
      <DomainManager>TRUE</DomainManager>
      <SecureEEClientAuthPort>443</SecureEEClientAuthPort>
      <UnSecurePort>80</UnSecurePort>
      <SecureAdminPort>443</SecureAdminPort>
      <SecureAgentPort>443</SecureAgentPort>
      <SecurePort>443</SecurePort>
      <Host>ipa02.xxx.com</Host>
    </CA>
    <CA>
      <SubsystemName>pki-cad</SubsystemName>
      <Clone>TRUE</Clone>
      <DomainManager>TRUE</DomainManager>
      <SecureEEClientAuthPort>443</SecureEEClientAuthPort>
      <UnSecurePort>80</UnSecurePort>
      <SecureAdminPort>443</SecureAdminPort>
      <SecureAgentPort>443</SecureAgentPort>
      <SecurePort>443</SecurePort>
      <Host>ipa03.xxx.com</Host>
    </CA>
    <SubsystemCount>3</SubsystemCount>
  </CAList>
...

Why does it still have the old ipa servers and why is ipasync not included? Am 
I doing something wrong here, for example do I need to manually add ipasync to 
the pki-cad list of CAs?


Best regards,

-David

--
David Hendén
ITF
+46736330916
david.hen...@itf.se

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
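Added example, not code from the post or from FreeIPA/Dogtag: a small Python check that parses the CAList returned by getDomainXML (as quoted above) and reports whether a given clone URI would match any registered CA. The sample XML is constructed from the post's output, and comparing the URI's host and port against each CA's Host and SecureAdminPort is my assumption about what the "validate clone URI" step in the CA debug log does.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the CAList from the post, trimmed to the fields used here.
SAMPLE_DOMAIN_XML = """<CAList>
  <CA>
    <SubsystemName>pki-cad</SubsystemName>
    <Clone>FALSE</Clone>
    <SecureAdminPort>443</SecureAdminPort>
    <Host>ipa01.xxx.com</Host>
  </CA>
  <CA>
    <SubsystemName>pki-cad</SubsystemName>
    <Clone>TRUE</Clone>
    <SecureAdminPort>443</SecureAdminPort>
    <Host>ipa02.xxx.com</Host>
  </CA>
  <CA>
    <SubsystemName>pki-cad</SubsystemName>
    <Clone>TRUE</Clone>
    <SecureAdminPort>443</SecureAdminPort>
    <Host>ipa03.xxx.com</Host>
  </CA>
  <SubsystemCount>3</SubsystemCount>
</CAList>
"""


def registered_cas(domain_xml):
    """Return [(host, admin_port, is_clone), ...] for every <CA> in the CAList."""
    root = ET.fromstring(domain_xml)
    cas = []
    for ca in root.iter("CA"):
        host = ca.findtext("Host")
        port = int(ca.findtext("SecureAdminPort"))
        cas.append((host, port, ca.findtext("Clone") == "TRUE"))
    return cas


def clone_uri_matches(domain_xml, clone_uri):
    """True if clone_uri's host:port is a CA registered in the security domain.

    Assumption (not verified against Dogtag source): this mirrors the
    'validate clone URI' check that rejected https://ipasync.xxx.com:443.
    """
    parts = urlsplit(clone_uri)
    port = parts.port or 443
    return any(h == parts.hostname and p == port
               for h, p, _ in registered_cas(domain_xml))
```

Run it against the XML fetched from the real ipasync server to see at a glance which hosts the security domain still lists; a missing entry for ipasync explains the pkispawn failure before any CA logs are consulted.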