Re: [Freeipa-users] Migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)
Hi,

Not yet, I'm busy with it right now. I created a bug report where I'm
checking the referenced bugs now, but I didn't see a solution that fast.

https://bugzilla.redhat.com/show_bug.cgi?id=1235766

I did do points 3 & 4.

Matt

2015-06-27 15:27 GMT+02:00 Dmitri Pal :
> On 06/23/2015 06:15 PM, Matt . wrote:
>>
>> Anyone have some suggestions about this?
>>
>> I'm thinking about adding from my second 3.x master where I first need
>> to split that cluster to make that happen.
>
> Was that resolved?
Re: [Freeipa-users] Migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)
On 06/23/2015 06:15 PM, Matt . wrote:
> Anyone have some suggestions about this?
>
> I'm thinking about adding from my second 3.x master where I first need
> to split that cluster to make that happen.

Was that resolved?
Re: [Freeipa-users] Migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)
Anyone have some suggestions about this?

I'm thinking about adding from my second 3.x master where I first need
to split that cluster to make that happen.

2015-06-22 22:57 GMT+02:00 Matt . :
> OK,
>
> I'm on the go here but I have an issue.
>
> When I install the replica server I get this error on the new replica:
>
>     ipa : CRITICAL CA DS schema check failed. Make sure the PKI
>     service on the remote master is operational.
>
> When I restart IPA on the old master I get this:
>
>     PKI-IPA...[22/Jun/2015:22:50:36 +0200] attr_syntax_create - Error:
>     the EQUALITY matching rule [caseIgnoreIA5Match] is not compatible with
>     the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
>     [22/Jun/2015:22:50:36 +0200] attr_syntax_create - Error: the SUBSTR
>     matching rule [caseIgnoreIA5SubstringsMatch] is not compatible with
>     the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
>     [ OK ]
>
> So the error on the replica is not that strange, but how to fix this
> on the master?
>
> Matt
Re: [Freeipa-users] Migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)
OK,

I'm on the go here but I have an issue.

When I install the replica server I get this error on the new replica:

    ipa : CRITICAL CA DS schema check failed. Make sure the PKI
    service on the remote master is operational.

When I restart IPA on the old master I get this:

    PKI-IPA...[22/Jun/2015:22:50:36 +0200] attr_syntax_create - Error:
    the EQUALITY matching rule [caseIgnoreIA5Match] is not compatible with
    the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
    [22/Jun/2015:22:50:36 +0200] attr_syntax_create - Error: the SUBSTR
    matching rule [caseIgnoreIA5SubstringsMatch] is not compatible with
    the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
    [ OK ]

So the error on the replica is not that strange, but how to fix this
on the master?

Matt

2015-06-22 15:59 GMT+02:00 Hendrik Frenzel :
> On 22.06.2015 12:10, Matt . wrote:
>> Hi Guys,
>
> Hi Matt,
>
>> I found some good information about migrating from 3.3 to 4.x using
>> replicas.
>>
>> It's not 100% clear what I can do on a CentOS 6.6 install with 3.0 as
>> CentOS doesn't provide 3.3.
>
> Could you please share an URL or something?
>
> Currently I'm here:
>
> * ipa-6 - CentOS 6.6:
>     ipa-admintools-3.0.0-42.el6.centos.x86_64
>     ipa-client-3.0.0-42.el6.centos.x86_64
>     ipa-pki-ca-theme-9.0.3-7.el6.noarch
>     ipa-pki-common-theme-9.0.3-7.el6.noarch
>     ipa-python-3.0.0-42.el6.centos.x86_64
>     ipa-server-3.0.0-42.el6.centos.x86_64
>     ipa-server-selinux-3.0.0-42.el6.centos.x86_64
>     sssd-ipa-1.11.6-30.el6_6.4.x86_64
>     pki-ca-9.0.3-38.el6_6.noarch
>
> * ipa-7 - CentOS 7.1 (fresh/minimal installation with ipa-server, bind,
>   bind-dyndb-ldap):
>     ipa-admintools-4.1.0-18.el7.centos.3.x86_64
>     ipa-client-4.1.0-18.el7.centos.3.x86_64
>     ipa-python-4.1.0-18.el7.centos.3.x86_64
>     ipa-server-4.1.0-18.el7.centos.3.x86_64
>     sssd-ipa-1.12.2-58.el7_1.6.x86_64
>     pki-ca-10.1.2-7.el7.noarch
>
> -1. Update schema
>     ipa-7# scp /usr/share/ipa/copy-schema-to-ca.py root@ipa-6:
>     ipa-6# python copy-schema-to-ca.py
>
> 0. clean up old/stale replication agreements
>     ipa-replica-manage del --force ipa-6.example.com
>     ipa-csreplica-manage del --force ipa-6.example.com
>
> 1. prepare replication on ipa-6 for ipa-7
>     ipa-replica-prepare ipa-7.example.com
>
> 2. add |^/ca/ee/ca/profileSubmit to the EE LocationMatch in
>    /etc/httpd/conf.d/ipa-pki-proxy.conf on ipa-6 (see
>    https://www.redhat.com/archives/freeipa-users/2015-May/msg00283.html)
>     - <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL">
>     + <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">
>
> 3. slow down the network a bit
>    (don't know how effective it is, as we already got 1GBit, but without
>    it, a timing bug in 389-ds-base is triggered - see
>    https://www.redhat.com/archives/freeipa-users/2015-May/msg00283.html)
>     tc qdisc add dev eth0 root handle 1: tbf rate 1000mbit latency 1ms burst 1540
>
> 4. install replication (without CA for the moment)
>     ipa-replica-install /var/lib/ipa/replica-info-ipa-7.example.com.gpg --setup-dns --mkhomedir --no-forwarders
>
> Up to now, everything works, but we need the CA too:
>
> 5. install ca
>     ipa-ca-install /var/lib/ipa/replica-info-ipa-7.example.com.gpg
>
> But this won't work and I don't have a clue how to fix/proceed from here.
>
> # ipa-7: /var/log/ipareplica-ca-install.log
> ipa : DEBUG stderr=pkispawn: WARNING ... unable to validate security domain user/password through REST interface. Interface not available
> pkispawn: ERROR ... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: 2
>
> ipa : CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmppByBPz'' returned non-zero exit status 1
> ipa : DEBUG Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>     method()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 673, in __spawn_instance
>     raise RuntimeError('Configuration of CA failed')
> RuntimeError: Configuration of CA failed
>
> # ipa-7: /var/log/pki/pki-tomcat/ca/system
> 0.localhost-startStop-1 - [22/Jun/2015:15:10:09 MESZ] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
> 0.localhost-startStop-1 - [22/Jun/2015:15:10:09 MESZ] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
Re: [Freeipa-users] Migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)
On 22.06.2015 12:10, Matt . wrote:
> Hi Guys,

Hi Matt,

> I found some good information about migrating from 3.3 to 4.x using
> replicas.
>
> It's not 100% clear what I can do on a CentOS 6.6 install with 3.0 as
> CentOS doesn't provide 3.3.

Could you please share an URL or something?

Currently I'm here:

* ipa-6 - CentOS 6.6:
    ipa-admintools-3.0.0-42.el6.centos.x86_64
    ipa-client-3.0.0-42.el6.centos.x86_64
    ipa-pki-ca-theme-9.0.3-7.el6.noarch
    ipa-pki-common-theme-9.0.3-7.el6.noarch
    ipa-python-3.0.0-42.el6.centos.x86_64
    ipa-server-3.0.0-42.el6.centos.x86_64
    ipa-server-selinux-3.0.0-42.el6.centos.x86_64
    sssd-ipa-1.11.6-30.el6_6.4.x86_64
    pki-ca-9.0.3-38.el6_6.noarch

* ipa-7 - CentOS 7.1 (fresh/minimal installation with ipa-server, bind,
  bind-dyndb-ldap):
    ipa-admintools-4.1.0-18.el7.centos.3.x86_64
    ipa-client-4.1.0-18.el7.centos.3.x86_64
    ipa-python-4.1.0-18.el7.centos.3.x86_64
    ipa-server-4.1.0-18.el7.centos.3.x86_64
    sssd-ipa-1.12.2-58.el7_1.6.x86_64
    pki-ca-10.1.2-7.el7.noarch

-1. Update schema
    ipa-7# scp /usr/share/ipa/copy-schema-to-ca.py root@ipa-6:
    ipa-6# python copy-schema-to-ca.py

0. clean up old/stale replication agreements
    ipa-replica-manage del --force ipa-6.example.com
    ipa-csreplica-manage del --force ipa-6.example.com

1. prepare replication on ipa-6 for ipa-7
    ipa-replica-prepare ipa-7.example.com

2. add |^/ca/ee/ca/profileSubmit to the EE LocationMatch in
   /etc/httpd/conf.d/ipa-pki-proxy.conf on ipa-6 (see
   https://www.redhat.com/archives/freeipa-users/2015-May/msg00283.html)
    - <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL">
    + <LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">

3. slow down the network a bit
   (don't know how effective it is, as we already got 1GBit, but without
   it, a timing bug in 389-ds-base is triggered - see
   https://www.redhat.com/archives/freeipa-users/2015-May/msg00283.html)
    tc qdisc add dev eth0 root handle 1: tbf rate 1000mbit latency 1ms burst 1540

4. install replication (without CA for the moment)
    ipa-replica-install /var/lib/ipa/replica-info-ipa-7.example.com.gpg --setup-dns --mkhomedir --no-forwarders

Up to now, everything works, but we need the CA too:

5. install ca
    ipa-ca-install /var/lib/ipa/replica-info-ipa-7.example.com.gpg

But this won't work and I don't have a clue how to fix/proceed from here.

# ipa-7: /var/log/ipareplica-ca-install.log
ipa : DEBUG stderr=pkispawn: WARNING ... unable to validate security domain user/password through REST interface. Interface not available
pkispawn: ERROR ... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: 2

ipa : CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmppByBPz'' returned non-zero exit status 1
ipa : DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 673, in __spawn_instance
    raise RuntimeError('Configuration of CA failed')
RuntimeError: Configuration of CA failed

# ipa-7: /var/log/pki/pki-tomcat/ca/system
0.localhost-startStop-1 - [22/Jun/2015:15:10:09 MESZ] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
0.localhost-startStop-1 - [22/Jun/2015:15:10:09 MESZ] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value

# ipa-7: /var/log/pki/pki-tomcat/ca/debug
[22/Jun/2015:15:12:31][http-bio-8443-exec-3]: Cloning a domain master
[22/Jun/2015:15:12:31][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML start hostname=ipa-6.example.com port=443
[22/Jun/2015:15:12:31][http-bio-8443-exec-3]: updateSecurityDomain: failed to update security domain using admin port 443: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White
[22/Jun/2015:15:12:31][http-bio-8443-exec-3]: updateSecurityDomain: now trying agent port with client auth
[22/Jun/2015:15:12:31][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML start hostname=ipa-6.example.com port=443
[22/Jun/2015:15:12:31][http-bio-8443-exec-3]: updateDomainXML() nickname=subsystemCert cert-pki-ca
[22/Jun/2015:15:12:32][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML: status=1

# ipa-6: /var/log/httpd/acc
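Two parts of this thread are easy to get wrong by hand: step 2 of Hendrik's procedure widens the end-entity LocationMatch allowlist in ipa-pki-proxy.conf (a careless edit there proxies more CA paths to Tomcat than the one that is needed), and the attr_syntax_create errors Matt posted from the old master's PKI-IPA instance arrive wrapped across lines. The following is an added example, not code from the thread or from FreeIPA: a small Python script that appends only ^/ca/ee/ca/profileSubmit to the one LocationMatch whose alternation already contains ^/ca/ee/ca/checkRequest, idempotently, so re-running it never duplicates the entry, and that parses 389-ds attr_syntax_create errors into timestamp, matching rule, syntax OID and attribute. The sample config body and log text are constructed for the example (only the LocationMatch regex and the error lines are taken from the thread), and the syntax OID names come from RFC 4517, not from an installed system.

```python
import re

# Constructed sample of the end-entity <LocationMatch> in
# /etc/httpd/conf.d/ipa-pki-proxy.conf on the 3.0 master before step 2.
# The regex string is the one quoted in the thread; the directive body is an
# assumption, not copied from a real file.
SAMPLE_PROXY_CONF = (
    '<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|'
    '^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|'
    '^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL">\n'
    '    ProxyPassMatch ajp://localhost:8009\n'
    '</LocationMatch>\n'
)

# Constructed sample of the 389-ds errors Matt saw when restarting the PKI-IPA
# instance on the old master, wrapped across lines the way the mail shows them.
SAMPLE_DIRSRV_LOG = """\
[22/Jun/2015:22:50:36 +0200] attr_syntax_create - Error:
the EQUALITY matching rule [caseIgnoreIA5Match] is not compatible with
the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
[22/Jun/2015:22:50:36 +0200] attr_syntax_create - Error: the SUBSTR
matching rule [caseIgnoreIA5SubstringsMatch] is not compatible with
the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
"""

EE_MARKER = "^/ca/ee/ca/checkRequest"       # present only in the EE LocationMatch
PROFILE_SUBMIT = "^/ca/ee/ca/profileSubmit"  # the path step 2 adds

# One <LocationMatch "..."> opening line; group 2 is the quoted regex string.
LOCATION_MATCH = re.compile(r'^([ \t]*<LocationMatch[ \t]+")([^"]*)(">)', re.MULTILINE)


def add_ee_path(conf_text, path=PROFILE_SUBMIT):
    """Append `path` to the EE LocationMatch alternation; return (text, changed).

    Only the directive whose alternation already contains EE_MARKER is touched,
    so no other proxied location is widened, and an alternation that already
    lists `path` is left alone, which makes the edit safe to re-run.
    """
    changed = False

    def fix(match):
        nonlocal changed
        alternatives = match.group(2).split("|")
        if EE_MARKER not in alternatives or path in alternatives:
            return match.group(0)
        changed = True
        return match.group(1) + "|".join(alternatives + [path]) + match.group(3)

    return LOCATION_MATCH.sub(fix, conf_text), changed


SCHEMA_ERROR = re.compile(
    r"\[(?P<ts>[^\]]+)\] attr_syntax_create - Error: "
    r"the (?P<kind>EQUALITY|ORDERING|SUBSTR) matching rule \[(?P<rule>[^\]]+)\] "
    r"is not compatible with the syntax \[(?P<syntax>[^\]]+)\] "
    r"for the attribute \[(?P<attr>[^\]]+)\]"
)

# Names for the two LDAP syntax OIDs relevant to this error (RFC 4517).
SYNTAX_NAMES = {
    "1.3.6.1.4.1.1466.115.121.1.15": "Directory String",
    "1.3.6.1.4.1.1466.115.121.1.26": "IA5 String",
}


def parse_schema_errors(log_text):
    """Return one dict per attr_syntax_create error, tolerating wrapped lines."""
    flat = " ".join(log_text.split())  # undo line wrapping and collapsed spacing
    errors = []
    for match in SCHEMA_ERROR.finditer(flat):
        err = match.groupdict()
        err["syntax_name"] = SYNTAX_NAMES.get(err["syntax"], "unknown syntax")
        errors.append(err)
    return errors


def affected_attributes(log_text):
    """Distinct (attribute, syntax OID) pairs the directory server refused to load."""
    return sorted({(e["attr"], e["syntax"]) for e in parse_schema_errors(log_text)})


if __name__ == "__main__":
    new_conf, changed = add_ee_path(SAMPLE_PROXY_CONF)
    print("ipa-pki-proxy.conf changed:", changed)
    print(new_conf)
    for err in parse_schema_errors(SAMPLE_DIRSRV_LOG):
        print("%(kind)s rule %(rule)s vs %(syntax_name)s (%(syntax)s) "
              "on attribute %(attr)s" % err)
    print("attributes to fix in the master's CA DS schema:",
          affected_attributes(SAMPLE_DIRSRV_LOG))
```

Running the script against a copy of the real file before restarting httpd, and diffing the result, gives the same one-line change the thread shows and nothing else; the error parser turns the two wrapped log lines into a single (dc, 1.3.6.1.4.1.1466.115.121.1.15) pair, which is the attribute whose CA DS schema definition disagrees with the IA5 matching rules the 4.1 schema copy expects.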
Re: [Freeipa-users] Migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)
Matt . wrote:
> Hi Guys,
>
> I found some good information about migrating from 3.3 to 4.x using
> replicas.
>
> It's not 100% clear what I can do on a CentOS 6.6 install with 3.0 as
> CentOS doesn't provide 3.3.
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
>
> Another question is that my hostnames are now like ipa-01 and ipa-02,
> where I make one replica ipa-01-1 and finally go from there. But what is
> the best way to set my hostnames back to ipa-01 from ipa-01-1 (and maybe
> ipa-02-1)?
>
> I hope for some good suggestions.

You can't change a hostname in IPA. You'd need to create ipa-01-1 and
ipa-02-1, confirm that they are working ok, delete ipa-01 and ipa-02, then
re-create those as new replicas, connect them, then delete the -1 versions.

It is a lot of trouble to go through to preserve a hostname.

Things to consider:
- maintaining a CA throughout
- consider DNA ranges
- ensure that RUVs are properly cleaned up

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project