Re: [Freeipa-users] CA Replication Installation Failing - SOLVED!

2015-02-04 Thread Les Stott
Guys,

Thanks for your help. You pointed me in the right direction (checking the 
apache logs).

In the end, it was missing modules in httpd.conf on the Master.

I saw this error in /var/log/httpd/error_log

[Wed Feb 04 21:26:00 2015] [warn] proxy: No protocol handler was valid for the 
URL /ca/admin/ca/getStatus. If you are using a DSO version of mod_proxy, make 
sure the proxy submodules are included in the configuration using LoadModule.
[Wed Feb 04 21:26:00 2015] [warn] proxy: No protocol handler was valid for the 
URL /ca/admin/ca/getCertChain. If you are using a DSO version of mod_proxy, 
make sure the proxy submodules are included in the configuration using 
LoadModule.

These modules were not being loaded...

LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so

Now it works.

(well I have a different issue now with setting up a second replica ca, but 
that's another story and better in a new thread)

Thanks,

Les
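A small diagnostic script, added here as an example and not part of Les's post or of FreeIPA, that checks a httpd.conf for active LoadModule lines for the four proxy submodules named above and surfaces the mod_proxy "No protocol handler was valid" warnings from an error_log. With no arguments it runs against constructed sample files embedded in the script; the real paths (for example /etc/httpd/conf/httpd.conf and /var/log/httpd/error_log) can be passed as the two arguments.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): report which mod_proxy
# submodules a httpd.conf does not load, and surface the mod_proxy
# "No protocol handler was valid" warnings from an Apache error_log.
# Usage: proxy-check.sh [httpd.conf] [error_log]; with no arguments it
# runs against the constructed sample files below.

# The proxy submodules named in the resolved thread above.
REQUIRED_PROXY_MODULES="proxy_ftp_module proxy_http_module proxy_ajp_module proxy_connect_module"

# Constructed sample httpd.conf fragment: mod_proxy is loaded, but the
# http submodule is commented out and the connect submodule is absent.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
EOF

# Constructed sample error_log, modelled on the warning quoted in the thread.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[Wed Feb 04 21:26:00 2015] [warn] proxy: No protocol handler was valid for the URL /ca/admin/ca/getStatus. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Feb 04 21:26:00 2015] [warn] proxy: No protocol handler was valid for the URL /ca/admin/ca/getCertChain. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Feb 04 21:26:01 2015] [notice] caught SIGTERM, shutting down
EOF
trap 'rm -f "$SAMPLE_CONF" "$SAMPLE_LOG"' EXIT

# missing_proxy_modules CONF: print, space-separated, the required modules
# for which CONF has no active (uncommented) LoadModule line.
missing_proxy_modules() {
    conf=$1
    missing=""
    for mod in $REQUIRED_PROXY_MODULES; do
        if ! grep -Eq "^[[:space:]]*LoadModule[[:space:]]+$mod[[:space:]]" "$conf"; then
            missing="$missing $mod"
        fi
    done
    echo "${missing# }"
}

# proxy_handler_warnings LOG: number of "No protocol handler" warnings in LOG
# (grep -c exits 1 when the count is 0, so the status is neutralised).
proxy_handler_warnings() {
    grep -c 'No protocol handler was valid for the URL' "$1" || true
}

# warned_urls LOG: the URL paths those warnings name, one per line.
warned_urls() {
    sed -n 's/.*No protocol handler was valid for the URL \([^ .]*\).*/\1/p' "$1"
}

# report CONF LOG: human-readable summary of both checks.
report() {
    missing=$(missing_proxy_modules "$1")
    if [ -n "$missing" ]; then
        echo "Missing LoadModule lines in $1: $missing"
    else
        echo "All required proxy submodules are loaded in $1"
    fi
    count=$(proxy_handler_warnings "$2")
    echo "mod_proxy 'No protocol handler' warnings in $2: $count"
    [ "$count" -gt 0 ] && warned_urls "$2" | sed 's/^/  /'
    return 0
}

report "${1:-$SAMPLE_CONF}" "${2:-$SAMPLE_LOG}"
```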

> -Original Message-
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: Thursday, 5 February 2015 2:24 AM
> To: Les Stott; freeipa-users@redhat.com
> Cc: Ade Lee
> Subject: Re: [Freeipa-users] CA Replication Installation Failing
> 
> Les Stott wrote:
> > Has anyone got any ideas on this?
> >
> > I am stuck with not being able to deploy a CA Replica and this is halting
> rollout of the project.
> >
> > Help please...
> >
> > Regards,
> 
> What is the version of IPA on the master you are connecting to?
> 
> Can you confirm on the existing master that /etc/httpd/conf.d/ipa-pki-
> proxy.conf has /ca/ee/ca/profileSubmit in it:
> 
>  # matches for ee port
>  ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/
> updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">
> 
> rob
> 
> >
> > Les
> >
> >> -Original Message-
> >> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> >> boun...@redhat.com] On Behalf Of Les Stott
> >> Sent: Friday, 30 January 2015 4:48 PM
> >> To: freeipa-users@redhat.com
> >> Subject: Re: [Freeipa-users] CA Replication Installation Failing
> >>
> >>
> >>
> >>> -Original Message-
> >>> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> >>> boun...@redhat.com] On Behalf Of Les Stott
> >>> Sent: Wednesday, 10 December 2014 6:22 PM
> >>> To: freeipa-users@redhat.com
> >>> Subject: Re: [Freeipa-users] CA Replication Installation Failing
> >>>
> >>>
> >>>
> >>>> -Original Message-
> >>>> From: Ade Lee [mailto:a...@redhat.com]
> >>>> Sent: Wednesday, 10 December 2014 5:05 AM
> >>>> To: Les Stott
> >>>> Cc: freeipa-users@redhat.com
> >>>> Subject: Re: [Freeipa-users] CA Replication Installation Failing
> >>>>
> >>>> On Tue, 2014-12-09 at 07:48 +, Les Stott wrote:
> >>>>>
> >>>>>
> >>>>>
> >>>>
> >>>
> >>>> 
> >>>>> From: freeipa-users-boun...@redhat.com
> >>>>> [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal
> >>>>> [d...@redhat.com]
> >>>>> Sent: Tuesday, December 09, 2014 3:49 PM
> >>>>> To: freeipa-users@redhat.com
> >>>>> Subject: Re: [Freeipa-users] CA Replication Installation Failing
> >>>>>
> >>>>>
> >>>>>
> >>>>> On 12/08/2014 11:04 PM, Les Stott wrote:
> >>>>>
> >>>>>> Does anyone have any ideas on the below errors when trying to add
> >>>>>> CA replication to an existing replica?
> >>>>>>
> >>>>>>
> >>>>>
> >>>>>> People who might be able to help are on PTO right now.
> >>>>>>
> >>>>>> Is your installation older than 2 years?
> >>>>>
> >>>>> No, December 2013 was when it was originally built.
> >>>>>
> >>>>>> Did you generate a new replica package or use the original one?
> >>>>>
> >>>>> I used the original replica file for serverb, based on
> >>>>> instructions I came across. I can try regenerating the repli

Re: [Freeipa-users] CA Replication Installation Failing

2015-02-04 Thread Ade Lee
Actually, it looks like it fails even earlier than getting the domain
info - that is, when the replica contacts the master and tries to get
its cert chain.

I think that you have modified the logs slightly?  There are a couple of
things that don't make sense. See annotated log below --


On Wed, 2015-02-04 at 09:19 -0500, Ade Lee wrote:
> From the snippet of log below, it looks like the replica CA is trying to
> contact the master CA to obtain the security domain information and is
> failing to get a valid response.
> 
> The message about "spaces and parsing" is basically the replica saying
> that it cannot understand the response -- or lack of one from the master
> CA.  As this is an old version of IPA and Dogtag, it is trying to
> contact the master CA on port 9443.
> 
> Things to look into:
> 1) Is the CA on the master up?  Is port 9443 open on the master 
>(firewalls on master or replica)?  You could test this by using a 
>browser/curl on the replica to go to
>https://:9443/ca/admin/ca/getDomainXML
> 
> 2) Is selinux preventing the access?  You might want to set it in 
>permissive mode on either master or replica.
> 
> 3) Do you see activity in the master's debug log?
> 
> This looks to me like a different error from what was described before.
> It's failing much earlier now.
> 
> Ade
> 
> On Fri, 2015-01-30 at 05:48 +, Les Stott wrote:
> > 
> > > -Original Message-
> > > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> > > boun...@redhat.com] On Behalf Of Les Stott
> > > Sent: Wednesday, 10 December 2014 6:22 PM
> > > To: freeipa-users@redhat.com
> > > Subject: Re: [Freeipa-users] CA Replication Installation Failing
> > > 
> > > 
> > > 
> > > > -----Original Message-----
> > > > From: Ade Lee [mailto:a...@redhat.com]
> > > > Sent: Wednesday, 10 December 2014 5:05 AM
> > > > To: Les Stott
> > > > Cc: freeipa-users@redhat.com
> > > > Subject: Re: [Freeipa-users] CA Replication Installation Failing
> > > >
> > > > On Tue, 2014-12-09 at 07:48 +, Les Stott wrote:
> > > > >
> > > > >
> > > > >
> > > >
> > > > 
> > > > > From: freeipa-users-boun...@redhat.com
> > > > > [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal
> > > > > [d...@redhat.com]
> > > > > Sent: Tuesday, December 09, 2014 3:49 PM
> > > > > To: freeipa-users@redhat.com
> > > > > Subject: Re: [Freeipa-users] CA Replication Installation Failing
> > > > >
> > > > >
> > > > >
> > > > > On 12/08/2014 11:04 PM, Les Stott wrote:
> > > > >
> > > > > > Does anyone have any ideas on the below errors when trying to add
> > > > > > CA replication to an existing replica?
> > > > > >
> > > > > >
> > > > >
> > > > > > People who might be able to help are on PTO right now.
> > > > > >
> > > > > > Is your installation older than 2 years?
> > > > >
> > > > > No, December 2013 was when it was originally built.
> > > > >
> > > > > > Did you generate a new replica package or use the original one?
> > > > >
> > > > > I used the original replica file for serverb, based on instructions
> > > > > I came across. I can try regenerating the replica file.
> > > > >
> > > > > Interestingly, now that you mention it, servera had to be restored a
> > > > > couple of months back. Perhaps this is an issue and regenerating the
> > > > > replica file for serverb will be required.
> > > > >
> > > > > I will try this.
> > > > >
> > > >
> > > > I think that this is a safe bet to be the problem.
> > > >
> > > > The error in the log snippet you posted says:
> > > >
> > > >  The pkcs12 file is not correct.
> > > >
> > > > This indicates that the clone CA was unable to decode the pkcs12 file
> > > > in the replica.  Perhaps the certs changed -- or the DM password 
> > > > changed?
> > > >
> > > > Ade
> > > 
> > > I regenerated the replica file and retried the CA replica setup, but it 
> > > failed at
> > > th

Re: [Freeipa-users] CA Replication Installation Failing

2015-02-04 Thread Rob Crittenden
Les Stott wrote:
> Has anyone got any ideas on this?
> 
> I am stuck with not being able to deploy a CA Replica and this is halting 
> rollout of the project. 
> 
> Help please...
> 
> Regards,

What is the version of IPA on the master you are connecting to?

Can you confirm on the existing master that
/etc/httpd/conf.d/ipa-pki-proxy.conf has /ca/ee/ca/profileSubmit in it:

 # matches for ee port


rob

> 
> Les
> 
>> -Original Message-
>> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
>> boun...@redhat.com] On Behalf Of Les Stott
>> Sent: Friday, 30 January 2015 4:48 PM
>> To: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] CA Replication Installation Failing
>>
>>
>>
>>> -Original Message-
>>> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
>>> boun...@redhat.com] On Behalf Of Les Stott
>>> Sent: Wednesday, 10 December 2014 6:22 PM
>>> To: freeipa-users@redhat.com
>>> Subject: Re: [Freeipa-users] CA Replication Installation Failing
>>>
>>>
>>>
>>>> -Original Message-----
>>>> From: Ade Lee [mailto:a...@redhat.com]
>>>> Sent: Wednesday, 10 December 2014 5:05 AM
>>>> To: Les Stott
>>>> Cc: freeipa-users@redhat.com
>>>> Subject: Re: [Freeipa-users] CA Replication Installation Failing
>>>>
>>>> On Tue, 2014-12-09 at 07:48 +, Les Stott wrote:
>>>>>
>>>>>
>>>>>
>>>>
>>>> 
>>>>> From: freeipa-users-boun...@redhat.com
>>>>> [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal
>>>>> [d...@redhat.com]
>>>>> Sent: Tuesday, December 09, 2014 3:49 PM
>>>>> To: freeipa-users@redhat.com
>>>>> Subject: Re: [Freeipa-users] CA Replication Installation Failing
>>>>>
>>>>>
>>>>>
>>>>> On 12/08/2014 11:04 PM, Les Stott wrote:
>>>>>
>>>>>> Does anyone have any ideas on the below errors when trying to
>>>>>> add CA replication to an existing replica?
>>>>>>
>>>>>>
>>>>>
>>>>>> People who might be able to help are on PTO right now.
>>>>>>
>>>>>> Is your installation older than 2 years?
>>>>>
>>>>> No, December 2013 was when it was originally built.
>>>>>
>>>>>> Did you generate a new replica package or use the original one?
>>>>>
>>>>> I used the original replica file for serverb, based on
>>>>> instructions I came across. I can try regenerating the replica file.
>>>>>
>>>>> Interestingly, now that you mention it, servera had to be restored
>>>>> a couple of months back. Perhaps this is an issue and regenerating
>>>>> the replica file for serverb will be required.
>>>>>
>>>>> I will try this.
>>>>>
>>>>
>>>> I think that this is a safe bet to be the problem.
>>>>
>>>> The error in the log snippet you posted says:
>>>>
>>>>  The pkcs12 file is not correct.
>>>>
>>>> This indicates that the clone CA was unable to decode the pkcs12
>>>> file in the replica.  Perhaps the certs changed -- or the DM password
>> changed?
>>>>
>>>> Ade
>>>
>>> I regenerated the replica file and retried the CA replica setup, but
>>> it failed at the same point with the same error.
>>>
>>> I am thinking that the next step is to uninstall the ipa replica to
>>> cleanup, remove all traces and re-add as a replica on serverb.
>>>
>>> I wonder if the cert that it's having an issue with is the one on
>>> serverB under /etc/ipa/ca.crt which is from Dec 2013.
>>>
>>> I will try that in a couple of days as I have to schedule this work in
>>> as it's in production.
>>>
>>> Regards,
>>>
>>> Les
>>>
>>>
>>>>>> Maybe the problem is that the cert that is in that package
>>>>>> already
>>>>> expired?
>>>>>
>>>>> original replica file was created on Dec 16 2013. Cert is not set
>>>>> to expire until 2015-12-17.
>>>>>
>>>>>> Just a thought...
>>>>>>

Re: [Freeipa-users] CA Replication Installation Failing

2015-02-04 Thread Ade Lee
From the snippet of log below, it looks like the replica CA is trying to
contact the master CA to obtain the security domain information and is
failing to get a valid response.

The message about "spaces and parsing" is basically the replica saying
that it cannot understand the response -- or lack of one from the master
CA.  As this is an old version of IPA and Dogtag, it is trying to
contact the master CA on port 9443.

Things to look into:
1) Is the CA on the master up?  Is port 9443 open on the master 
   (firewalls on master or replica)?  You could test this by using a 
   browser/curl on the replica to go to
   https://:9443/ca/admin/ca/getDomainXML

2) Is selinux preventing the access?  You might want to set it in 
   permissive mode on either master or replica.

3) Do you see activity in the master's debug log?

This looks to me like a different error from what was described before.
It's failing much earlier now.

Ade

On Fri, 2015-01-30 at 05:48 +, Les Stott wrote:
> 
> > -Original Message-
> > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> > boun...@redhat.com] On Behalf Of Les Stott
> > Sent: Wednesday, 10 December 2014 6:22 PM
> > To: freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] CA Replication Installation Failing
> > 
> > 
> > 
> > > -Original Message-
> > > From: Ade Lee [mailto:a...@redhat.com]
> > > Sent: Wednesday, 10 December 2014 5:05 AM
> > > To: Les Stott
> > > Cc: freeipa-users@redhat.com
> > > Subject: Re: [Freeipa-users] CA Replication Installation Failing
> > >
> > > On Tue, 2014-12-09 at 07:48 +, Les Stott wrote:
> > > >
> > > >
> > > >
> > >
> > > 
> > > > From: freeipa-users-boun...@redhat.com
> > > > [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal
> > > > [d...@redhat.com]
> > > > Sent: Tuesday, December 09, 2014 3:49 PM
> > > > To: freeipa-users@redhat.com
> > > > Subject: Re: [Freeipa-users] CA Replication Installation Failing
> > > >
> > > >
> > > >
> > > > On 12/08/2014 11:04 PM, Les Stott wrote:
> > > >
> > > > > Does anyone have any ideas on the below errors when trying to add
> > > > > CA replication to an existing replica?
> > > > >
> > > > >
> > > >
> > > > > People who might be able to help are on PTO right now.
> > > > >
> > > > > Is your installation older than 2 years?
> > > >
> > > > No, December 2013 was when it was originally built.
> > > >
> > > > > Did you generate a new replica package or use the original one?
> > > >
> > > > I used the original replica file for serverb, based on instructions
> > > > I came across. I can try regenerating the replica file.
> > > >
> > > > Interestingly, now that you mention it, servera had to be restored a
> > > > couple of months back. Perhaps this is an issue and regenerating the
> > > > replica file for serverb will be required.
> > > >
> > > > I will try this.
> > > >
> > >
> > > I think that this is a safe bet to be the problem.
> > >
> > > The error in the log snippet you posted says:
> > >
> > >  The pkcs12 file is not correct.
> > >
> > > This indicates that the clone CA was unable to decode the pkcs12 file
> > > in the replica.  Perhaps the certs changed -- or the DM password changed?
> > >
> > > Ade
> > 
> > I regenerated the replica file and retried the CA replica setup, but it 
> > failed at
> > the same point with the same error.
> > 
> > I am thinking that the next step is to uninstall the ipa replica to cleanup,
> > remove all traces and re-add as a replica on serverb.
> > 
> > I wonder if the cert that it's having an issue with is the one on serverB 
> > under
> > /etc/ipa/ca.crt which is from Dec 2013.
> > 
> > I will try that in a couple of days as I have to schedule this work in as 
> > it's in
> > production.
> > 
> > Regards,
> > 
> > Les
> > 
> > 
> > > > > Maybe the problem is that the cert that is in that package
> > > > > already
> > > > expired?
> > > >
> > > > original replica file was created on Dec 16 2013. Cert is not set to
> > > > expire until 20

Re: [Freeipa-users] CA Replication Installation Failing

2015-02-03 Thread Les Stott
Has anyone got any ideas on this?

I am stuck with not being able to deploy a CA Replica and this is halting 
rollout of the project. 

Help please...

Regards,

Les

> -Original Message-
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> boun...@redhat.com] On Behalf Of Les Stott
> Sent: Friday, 30 January 2015 4:48 PM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] CA Replication Installation Failing
> 
> 
> 
> > -Original Message-
> > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> > boun...@redhat.com] On Behalf Of Les Stott
> > Sent: Wednesday, 10 December 2014 6:22 PM
> > To: freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] CA Replication Installation Failing
> >
> >
> >
> > > -Original Message-
> > > From: Ade Lee [mailto:a...@redhat.com]
> > > Sent: Wednesday, 10 December 2014 5:05 AM
> > > To: Les Stott
> > > Cc: freeipa-users@redhat.com
> > > Subject: Re: [Freeipa-users] CA Replication Installation Failing
> > >
> > > On Tue, 2014-12-09 at 07:48 +, Les Stott wrote:
> > > >
> > > >
> > > >
> > >
> > > 
> > > > From: freeipa-users-boun...@redhat.com
> > > > [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal
> > > > [d...@redhat.com]
> > > > Sent: Tuesday, December 09, 2014 3:49 PM
> > > > To: freeipa-users@redhat.com
> > > > Subject: Re: [Freeipa-users] CA Replication Installation Failing
> > > >
> > > >
> > > >
> > > > On 12/08/2014 11:04 PM, Les Stott wrote:
> > > >
> > > > > Does anyone have any ideas on the below errors when trying to
> > > > > add CA replication to an existing replica?
> > > > >
> > > > >
> > > >
> > > > > People who might be able to help are on PTO right now.
> > > > >
> > > > > Is your installation older than 2 years?
> > > >
> > > > No, December 2013 was when it was originally built.
> > > >
> > > > > Did you generate a new replica package or use the original one?
> > > >
> > > > I used the original replica file for serverb, based on
> > > > instructions I came across. I can try regenerating the replica file.
> > > >
> > > > Interestingly, now that you mention it, servera had to be restored
> > > > a couple of months back. Perhaps this is an issue and regenerating
> > > > the replica file for serverb will be required.
> > > >
> > > > I will try this.
> > > >
> > >
> > > I think that this is a safe bet to be the problem.
> > >
> > > The error in the log snippet you posted says:
> > >
> > >  The pkcs12 file is not correct.
> > >
> > > This indicates that the clone CA was unable to decode the pkcs12
> > > file in the replica.  Perhaps the certs changed -- or the DM password
> changed?
> > >
> > > Ade
> >
> > I regenerated the replica file and retried the CA replica setup, but
> > it failed at the same point with the same error.
> >
> > I am thinking that the next step is to uninstall the ipa replica to
> > cleanup, remove all traces and re-add as a replica on serverb.
> >
> > I wonder if the cert that it's having an issue with is the one on
> > serverB under /etc/ipa/ca.crt which is from Dec 2013.
> >
> > I will try that in a couple of days as I have to schedule this work in
> > as it's in production.
> >
> > Regards,
> >
> > Les
> >
> >
> > > > > Maybe the problem is that the cert that is in that package
> > > > > already
> > > > expired?
> > > >
> > > > original replica file was created on Dec 16 2013. Cert is not set
> > > > to expire until 2015-12-17.
> > > >
> > > > > Just a thought...
> > > > >
> > > > > The simplest workaround IMO would be to prepare Server C,
> > > > > install it
> > > > with CA and then decommission replica B.
> > > > > Do not forget to clean replication agreements on master.
> > > > >
> > > > > But that would be work around, would not solve this specific
> > > > problem, it will kill it.
> > > >
> > > > I actually

Re: [Freeipa-users] CA Replication Installation Failing

2015-01-29 Thread Les Stott


> -Original Message-
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> boun...@redhat.com] On Behalf Of Les Stott
> Sent: Wednesday, 10 December 2014 6:22 PM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] CA Replication Installation Failing
> 
> 
> 
> > -Original Message-
> > From: Ade Lee [mailto:a...@redhat.com]
> > Sent: Wednesday, 10 December 2014 5:05 AM
> > To: Les Stott
> > Cc: freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] CA Replication Installation Failing
> >
> > On Tue, 2014-12-09 at 07:48 +, Les Stott wrote:
> > >
> > >
> > >
> >
> > 
> > > From: freeipa-users-boun...@redhat.com
> > > [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal
> > > [d...@redhat.com]
> > > Sent: Tuesday, December 09, 2014 3:49 PM
> > > To: freeipa-users@redhat.com
> > > Subject: Re: [Freeipa-users] CA Replication Installation Failing
> > >
> > >
> > >
> > > On 12/08/2014 11:04 PM, Les Stott wrote:
> > >
> > > > Does anyone have any ideas on the below errors when trying to add
> > > > CA replication to an existing replica?
> > > >
> > > >
> > >
> > > > People who might be able to help are on PTO right now.
> > > >
> > > > Is your installation older than 2 years?
> > >
> > > No, December 2013 was when it was originally built.
> > >
> > > > Did you generate a new replica package or use the original one?
> > >
> > > I used the original replica file for serverb, based on instructions
> > > I came across. I can try regenerating the replica file.
> > >
> > > Interestingly, now that you mention it, servera had to be restored a
> > > couple of months back. Perhaps this is an issue and regenerating the
> > > replica file for serverb will be required.
> > >
> > > I will try this.
> > >
> >
> > I think that this is a safe bet to be the problem.
> >
> > The error in the log snippet you posted says:
> >
> >  The pkcs12 file is not correct.
> >
> > This indicates that the clone CA was unable to decode the pkcs12 file
> > in the replica.  Perhaps the certs changed -- or the DM password changed?
> >
> > Ade
> 
> I regenerated the replica file and retried the CA replica setup, but it 
> failed at
> the same point with the same error.
> 
> I am thinking that the next step is to uninstall the ipa replica to cleanup,
> remove all traces and re-add as a replica on serverb.
> 
> I wonder if the cert that it's having an issue with is the one on serverB under
> /etc/ipa/ca.crt which is from Dec 2013.
> 
> I will try that in a couple of days as I have to schedule this work in as it's 
> in
> production.
> 
> Regards,
> 
> Les
> 
> 
> > > > Maybe the problem is that the cert that is in that package
> > > > already
> > > expired?
> > >
> > > original replica file was created on Dec 16 2013. Cert is not set to
> > > expire until 2015-12-17.
> > >
> > > > Just a thought...
> > > >
> > > > The simplest workaround IMO would be to prepare Server C, install
> > > > it
> > > with CA and then decommission replica B.
> > > > Do not forget to clean replication agreements on master.
> > > >
> > > > But that would be work around, would not solve this specific
> > > problem, it will kill it.
> > >
> > > I actually do have serverc and serverd. I planned to have CA
> > > replication on at least 2 other servers, but held off on trying on
> > > serverc due to issues with serverb.
> > >
> > > I'll report back what I find after regenerating the replica file and
> > > re-trying to set up CA replication.
> > >

After a bit of a hiatus I have revisited this issue and I still have it.

Just to re-iterate the problem...

Trying to set up a CA replica on an already installed replica fails in RHEL 6.6, 
ipa-3.0.0.42, pki 9.0.3-38.

/usr/sbin/ipa-ca-install -p xx -w xx -U /var/lib/ipa/replica-info-myhost.mydomain.com.gpg

It fails showing "CRITICAL failed to configure ca instance":
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/16]: creating certificate server user
  [2/16]: creating pki-ca instance
  [3/16]: configuring certificate server instance

Your system may be part

Re: [Freeipa-users] CA Replication Installation Failing

2014-12-09 Thread Les Stott


> -Original Message-
> From: Ade Lee [mailto:a...@redhat.com]
> Sent: Wednesday, 10 December 2014 5:05 AM
> To: Les Stott
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] CA Replication Installation Failing
> 
> On Tue, 2014-12-09 at 07:48 +, Les Stott wrote:
> >
> >
> >
> 
> > From: freeipa-users-boun...@redhat.com
> > [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal
> > [d...@redhat.com]
> > Sent: Tuesday, December 09, 2014 3:49 PM
> > To: freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] CA Replication Installation Failing
> >
> >
> >
> > On 12/08/2014 11:04 PM, Les Stott wrote:
> >
> > > Does anyone have any ideas on the below errors when trying to add CA
> > > replication to an existing replica?
> > >
> > >
> >
> > > People who might be able to help are on PTO right now.
> > >
> > > Is your installation older than 2 years?
> >
> > No, December 2013 was when it was originally built.
> >
> > > Did you generate a new replica package or use the original one?
> >
> > I used the original replica file for serverb, based on instructions I
> > came across. I can try regenerating the replica file.
> >
> > Interestingly, now that you mention it, servera had to be restored a
> > couple of months back. Perhaps this is an issue and regenerating the
> > replica file for serverb will be required.
> >
> > I will try this.
> >
> 
> I think that this is a safe bet to be the problem.
> 
> The error in the log snippet you posted says:
> 
>  The pkcs12 file is not correct.
> 
> This indicates that the clone CA was unable to decode the pkcs12 file in the
> replica.  Perhaps the certs changed -- or the DM password changed?
> 
> Ade

I regenerated the replica file and retried the CA replica setup, but it failed 
at the same point with the same error.

I am thinking that the next step is to uninstall the ipa replica to cleanup, 
remove all traces and re-add as a replica on serverb.

I wonder if the cert that it's having an issue with is the one on serverB under 
/etc/ipa/ca.crt which is from Dec 2013.

I will try that in a couple of days as I have to schedule this work in as it's 
in production.

Regards,

Les


> > > Maybe the problem is that the cert that is in that package already
> > expired?
> >
> > original replica file was created on Dec 16 2013. Cert is not set to
> > expire until 2015-12-17.
> >
> > > Just a thought...
> > >
> > > The simplest workaround IMO would be to prepare Server C, install it
> > with CA and then decommission replica B.
> > > Do not forget to clean replication agreements on master.
> > >
> > > But that would be work around, would not solve this specific
> > problem, it will kill it.
> >
> > I actually do have serverc and serverd. I planned to have CA
> > replication on at least 2 other servers, but held off on trying on
> > serverc due to issues with serverb.
> >
> > I'll report back what I find after regenerating the replica file and
> > re-trying to set up CA replication.
> >
> > Thanks,
> >
> > Les
> >
> > >
> > >
> > > Thanks in advance,
> > >
> > >
> > >
> > > Les
> > >
> > >
> > >
> > > From:freeipa-users-boun...@redhat.com
> > > [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
> > > Sent: Tuesday, 2 December 2014 6:17 PM
> > > To: freeipa-users@redhat.com
> > > Subject: [Freeipa-users] CA Replication Installation Failing
> > >
> > >
> > >
> > >
> > > Hi All,
> > >
> > >
> > >
> > > I have RHEL6 with ipa servers running standard ipa server 3.0.0-42.
> > > Pki components are also standard version 9.0.3-38.
> > >
> > >
> > >
> > > Servera is the master
> > >
> > > Serverb is the replica
> > >
> > >
> > >
> > > Both have been running for many, many months. Serverb was initially
> > > set up as a replica, but not a CA replica.
> > >
> > >
> > >
> > > I am now trying to add CA Replication to serverb but it is failing
> > > midway through and I cannot figure out why.
> > >
> > >
> > >
> > > Annoyingly, I used the same method/command to setup a CA replica on
> > > test servers and it

Re: [Freeipa-users] CA Replication Installation Failing

2014-12-09 Thread Ade Lee
On Tue, 2014-12-09 at 07:48 +, Les Stott wrote:
> 
> 
> From: freeipa-users-boun...@redhat.com
> [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal
> [d...@redhat.com]
> Sent: Tuesday, December 09, 2014 3:49 PM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] CA Replication Installation Failing
> 
> 
> 
> On 12/08/2014 11:04 PM, Les Stott wrote:
> 
> > Does anyone have any ideas on the below errors when trying to add CA
> > replication to an existing replica?
> > 
> > 
> 
> > People who might be able to help are on PTO right now.
> > 
> > Is your installation older than 2 years?
> 
> No, December 2013 was when it was originally built.
> 
> > Did you generate a new replica package or use the original one?
> 
> I used the original replica file for serverb, based on instructions I
> came across. I can try regenerating the replica file.
> 
> Interestingly, now that you mention it, servera had to be restored a
> couple of months back. Perhaps this is an issue and regenerating the
> replica file for serverb will be required.
> 
> I will try this.
> 

I think that this is a safe bet to be the problem.

The error in the log snippet you posted says:

 The pkcs12 file is not correct.

This indicates that the clone CA was unable to decode the pkcs12 file in
the replica.  Perhaps the certs changed -- or the DM password changed?

Ade
> > Maybe the problem is that the cert that is in that package already
> expired?
> 
> original replica file was created on Dec 16 2013. Cert is not set to
> expire until 2015-12-17.
> 
> > Just a thought...
> >
> > The simplest workaround IMO would be to prepare Server C, install it
> with CA and then decommission replica B. 
> > Do not forget to clean replication agreements on master.
> >
> > But that would be work around, would not solve this specific
> problem, it will kill it.
> 
> I actually do have serverc and serverd. I planned to have CA
> replication on at least 2 other servers, but held off on trying on
> serverc due to issues with serverb.
> 
> I'll report back what I find after regenerating the replica file and
> re-trying to set up CA replication.
> 
> Thanks,
> 
> Les
> 
> >  
> > 
> > Thanks in advance,
> > 
> >  
> > 
> > Les
> > 
> >  
> > 
> > From:freeipa-users-boun...@redhat.com
> > [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
> > Sent: Tuesday, 2 December 2014 6:17 PM
> > To: freeipa-users@redhat.com
> > Subject: [Freeipa-users] CA Replication Installation Failing
> > 
> > 
> >  
> > 
> > Hi All,
> > 
> >  
> > 
> > I have RHEL6 with ipa servers running standard ipa server 3.0.0-42.
> > Pki components are also standard version 9.0.3-38.
> > 
> >  
> > 
> > Servera is the master
> > 
> > Serverb is the replica
> > 
> >  
> > 
> > Both have been running for many, many months. Serverb was initially
> > set up as a replica, but not a CA replica.
> > 
> >  
> > 
> > I am now trying to add CA Replication to serverb but it is failing
> > midway through and I cannot figure out why.
> > 
> >  
> > 
> > Annoyingly, I used the same method/command to setup a CA replica on
> > test servers and it completed without issue.
> > 
> >  
> > 
> > Here is what I get….(for the sake of brevity, I am excluding the
> > lines for connection check which were all OK)
> > 
> >  
> > 
> > =
> > 
> > /usr/sbin/ipa-ca-install /var/lib/ipa/replica-info-serverb.mydomain.com.gpg
> > 
> > Directory Manager (existing master) password:
> > 
> > Get credentials to log in to remote master
> > 
> > ad...@mydomain.com password:
> > 
> > Execute check on remote master
> > 
> > Connection check OK
> > 
> > Configuring directory server for the CA (pkids): Estimated time 30
> > seconds
> > 
> >   [1/3]: creating directory server user
> > 
> >   [2/3]: creating directory server instance
> > 
> >   [3/3]: restarting directory server
> > 
> > Done configuring directory server for the CA (pkids).
> > 
> > Configuring certificate server (pki-cad): Estimated time 3 minutes
> > 30 seconds
> > 
> >   [1/16]: creating certificate server user
> > 
> >   [2/16]: creating pki-ca instance
> > 
> >   [3/16]: configuring certificate server instance
>

Re: [Freeipa-users] CA Replication Installation Failing

2014-12-08 Thread Les Stott


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Dmitri Pal [d...@redhat.com]
Sent: Tuesday, December 09, 2014 3:49 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] CA Replication Installation Failing

On 12/08/2014 11:04 PM, Les Stott wrote:
Does anyone have any ideas on the below errors when trying to add CA 
replication to an existing replica?

> People who might be able to help are on PTO right now.
>
> Is your installation older than 2 years?

No, December 2013 was when it was originally built.

> Did you generate a new replica package or use the original one?

I used the original replica file for serverb, based on instructions I came 
across. I can try regenerating the replica file.

Interestingly, now that you mention it, servera had to be restored a couple of 
months back. Perhaps this is an issue and regenerating the replica file for 
serverb will be required.

I will try this.

> Maybe the problem is that the cert that is in that package has already expired?

The original replica file was created on Dec 16 2013. The cert is not set to 
expire until 2015-12-17.

> Just a thought...
>
> The simplest workaround IMO would be to prepare Server C, install it with CA 
> and then decommission replica B.
> Do not forget to clean replication agreements on master.
>
> But that would be a workaround; it would not solve this specific problem, it 
> will kill it.

I actually do have serverc and serverd. I planned to have CA replication on at 
least 2 other servers, but held off on trying on serverc due to issues with 
serverb.

I'll report back what I find after regenerating the replica file and retrying 
the CA replication setup.

Thanks,

Les


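The two things Dmitri asks about above (has the cert inside the replica package expired, and is the package still the right one after servera was restored) can be checked against the ca.p12 bundle that ipa-ca-install passes to pkisilent as -clone_p12_file before the clone step is attempted. This is an added example, not code from the thread or from FreeIPA; it assumes the openssl CLI is installed, and the file paths and password are placeholders.

```shell
# Added example (not from the thread or FreeIPA): sanity-check a CA PKCS#12
# bundle before pkisilent gets it. Can it be opened, is every certificate in
# it still valid for a while, and does it carry the master's current CA cert?
# Assumes the openssl CLI; file paths and the password are placeholders.

# Extract every certificate in the bundle to its own PEM file under a fresh
# temporary directory and print that directory. Returns 1 when the bundle
# cannot be opened (wrong password, truncated or damaged file).
p12_split_certs() {  # $1 = p12 file, $2 = password
    dir=$(mktemp -d) || return 1
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null |
        awk -v d="$dir" '
            /-----BEGIN CERTIFICATE-----/ { n++; f = d "/cert" n ".pem" }
            f { print > f }
            /-----END CERTIFICATE-----/ { close(f); f = "" }'
    [ -n "$(ls "$dir")" ] || { rm -rf "$dir"; return 1; }
    printf '%s\n' "$dir"
}

# Returns 0 when every certificate has at least $3 days (default 30) left,
# 2 when one expires sooner (its subject and notAfter are printed), and 1
# when the bundle is unreadable.
p12_check_validity() {  # $1 = p12 file, $2 = password, $3 = minimum days
    dir=$(p12_split_certs "$1" "$2") || return 1
    days=${3:-30}; status=0
    for f in "$dir"/cert*.pem; do
        if ! openssl x509 -in "$f" -noout -checkend $((days * 86400)) >/dev/null; then
            printf 'expires within %s days: %s\n' "$days" \
                "$(openssl x509 -in "$f" -noout -subject -enddate | tr '\n' ' ')"
            status=2
        fi
    done
    rm -rf "$dir"
    return $status
}

# Returns 0 when the bundle contains the reference certificate (matched by
# SHA-256 fingerprint), 1 otherwise. Run it against the master's current CA
# certificate (e.g. /etc/ipa/ca.crt) to catch a replica package that was
# prepared before the master was restored.
p12_has_cert() {  # $1 = p12 file, $2 = password, $3 = reference cert PEM
    want=$(openssl x509 -in "$3" -noout -fingerprint -sha256) || return 1
    dir=$(p12_split_certs "$1" "$2") || return 1
    found=1
    for f in "$dir"/cert*.pem; do
        [ "$(openssl x509 -in "$f" -noout -fingerprint -sha256)" = "$want" ] && found=0
    done
    rm -rf "$dir"
    return $found
}
```

Typical use: `p12_check_validity ca.p12 "$PW" 30 && p12_has_cert ca.p12 "$PW" /etc/ipa/ca.crt` before running ipa-ca-install; a non-zero status from either means regenerate the replica package on the master rather than retry the clone.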

Re: [Freeipa-users] CA Replication Installation Failing

2014-12-08 Thread Dmitri Pal

On 12/08/2014 11:04 PM, Les Stott wrote:
> Does anyone have any ideas on the below errors when trying to add CA 
> replication to an existing replica?

People who might be able to help are on PTO right now.

Is your installation older than 2 years?
Did you generate a new replica package or use the original one?
Maybe the problem is that the cert that is in that package has already expired?
Just a thought...

The simplest workaround IMO would be to prepare Server C, install it 
with CA and then decommission replica B.

Do not forget to clean replication agreements on master.

But that would be a workaround; it would not solve this specific problem, it 
will kill it.


Re: [Freeipa-users] CA Replication Installation Failing

2014-12-08 Thread Les Stott
Does anyone have any ideas on the below errors when trying to add CA 
replication to an existing replica?

Thanks in advance,

Les

From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
Sent: Tuesday, 2 December 2014 6:17 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] CA Replication Installation Failing

Hi All,

I have RHEL6 with ipa servers running standard ipa server 3.0.0-42. Pki 
components are also standard version 9.0.3-38.

Servera is the master
Serverb is the replica

Both have been running for many, many months. Serverb was initially set up as a 
replica, but not a CA replica.

I am now trying to add CA Replication to serverb but it is failing midway 
through and I cannot figure out why.

Annoyingly, I used the same method/command to setup a CA replica on test 
servers and it completed without issue.

Here is what I get... (for the sake of brevity, I am excluding the lines for 
the connection check, which were all OK)

=
/usr/sbin/ipa-ca-install /var/lib/ipa/replica-info-serverb.mydomain.com.gpg
Directory Manager (existing master) password:
Get credentials to log in to remote master
ad...@mydomain.com password:
Execute check on remote master
Connection check OK
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/16]: creating certificate server user
  [2/16]: creating pki-ca instance
  [3/16]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl 
/usr/bin/pkisilent ConfigureCA -cs_hostname serverb.mydomain.com -cs_port 9445 
-client_certdb_dir /tmp/tmp-t3aHM7 -client_certdb_pwd  -preop_pin 
exoyO2y7bawG5yjZMACM -domain_name IPA -admin_user admin -admin_email 
root@localhost -admin_password  -agent_name ipa-ca-agent 
-agent_key_size 2048 -agent_key_type rsa -agent_cert_subject 
CN=ipa-ca-agent,O=MYDOMAIN.COM -ldap_host serverb.mydomain.com -ldap_port 7389 
-bind_dn cn=Directory Manager -bind_password  -base_dn o=ipaca -db_name 
ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true 
-backup_pwd  -subsystem_name pki-cad -token_name internal 
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM 
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM 
-ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MYDOMAIN.COM 
-ca_server_cert_subject_name CN=serverb.mydomain.com,O=MYDOMAIN.COM 
-ca_audit_signing_cert_subject_name CN=CA Audit,O=MYDOMAIN.COM 
-ca_sign_cert_subject_name CN=Certificate Authority,O=MYDOMAIN.COM -external 
false -clone true -clone_p12_file ca.p12 -clone_p12_password  
-sd_hostname servera.mydomain.com -sd_admin_port 443 -sd_admin_name admin 
-sd_admin_password  -clone_start_tls true -clone_uri 
https://servera.mydomain.com:443' returned non-zero exit status 255

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed
=

Additional excerpt from the log file /var/log/ipareplica-ca-install.log at the 
point of failure

=

#
Attempting to connect to: serverb.mydomain.com:9445
Connected.
Posting Query = 
https://serverb.mydomain.com:9445//ca/admin/console/config/wizard?p=7&op=next&xml=true&__password=&path=ca.p12
RESPONSE STATUS:  HTTP/1.1 200 OK
RESPONSE HEADER:  Server: Apache-Coyote/1.1
RESPONSE HEADER:  Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER:  Date: Tue, 02 Dec 2014 05:44:19 GMT
RESPONSE HEADER:  Connection: close



  admin/console/config/restorekeycertpanel.vm
  
  failure
  
  The pkcs12 file is not correct.
  19
  Import Keys and Certificates
  

  
welcome
Welcome
  
  
module
Key Store
  
  
confighsmlogin
ConfigHSMLogin
  
  
securitydomain
Security Domain
  
  
securitydomain
Display Certificate Chain
  
  
subsystem
Subsystem Type
  
  
clone
Display Certificate Chain
  
  
restorekeys
Import Keys and Certificates
  
  
cahierarchy
PKI Hierarchy
  
  
database
Internal Database
  
  
size
Key Pairs
  
  
subjectname
Subject Names
  
  
certrequest
Requests and Certificates
  
  
backupkeys
Export Keys and Certificates