Never mind. I just gave up and re-installed my original master from
scratch. We're just going to accept the pain of re-enrolling all the
clients and resetting all the user passwords. Whatever had gone wrong
inside my database was just too much. This gets us clean again.

*Bret Wortman*

On Mon, Sep 9, 2013 at 3:30 AM, Bret Wortman

> I've had some great success in the past 48 hours in recovering my system.
> Here's where I stand right now:
> 1. I successfully stood up a new replica (ipamaster7) and transferred CA
> authority to it from my old master (ipamaster).
> 2. I shut down ipamaster and re-baselined it.
> 3. I created a new replica file from ipamaster7 for ipamaster (to transfer
> everything back).
> 4. I reinstalled the IPA software on ipamaster. I also made a small change
> to CS.cfg to work around my earlier CA problem.
> 5. I ran "ipa-replica-install --setup-dns --no-forwarders
>", which ran to completion.
> 6. I attempted to run "ipa-ca-install",
> which failed due to a 403 error.
> /var/log/ipareplica-ca-install.log showed this:
> 2013-09-09T07:10:30Z DEBUG Starting external process
> 2013-09-09T07:10:30Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpyIMTdo
> 2013-09-09T07:10:31Z DEBUG Process finished, return code=1
> 2013-09-09T07:10:31Z DEBUG stdout=Loading deployment configuration from
> /tmp/tmpyIMTdo.
> ERROR: Unable to access security domain: 403 Client Error: Forbidden
> 2013-09-09T07:10:31Z DEBUG stderr=
> 2013-09-09T07:10:31Z CRITICAL failed to configure ca instance Command
> '/usr/sbin/pkispawn -s CA -f /tmp/tmpyIMTdo' returned non-zero exit status 1
> 2013-09-09T07:10:31Z INFO    File
> "/usr/lib/python2.7/site-packages/ipaserver/install/", line
> 619, in run_script
>     return_value = main_function()
>   File "/usr/sbin/ipa-ca-install", line 182, in main
>     config, dogtag_master_ds_port, postinstall=True)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/",
> line 1809, in install_replica_ca
>     subject_base=config.subject_base)
>   File "/usr/ib/python2.7/site-packages/ipaserver/install/",
> line625, in configure_instance
>     self.start_creation(runtime=210)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/",
> line 358, in start_creation
>     method()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/",
> line 744, in __spawn_instance
>     raise RuntimeError('Configuration of CA failed')
> 2013-09-09T07:10:31Z INFO The ipa-ca-install command failed, exception:
> RuntimeError: Configuration of CA failed
> Does this look familiar to anyone? I'd like to complete the transition
> back to ipamaster so that I can then finish cleaning up the dead replicas.
> Until I can do this, I'll have to leave ipamaster7 in place as my master.
> Thanks!
> *Bret Wortman*