Hello, I got this same error with a replica installation on RHEL 7.4 after the OS was hardened with OpenSCAP. A pure base OS install without any additional hardening did work without problems. I was doing the replica immediately after setting up the new primary.

Also, with the same SCAP policy the fresh primary IPA did not allow any login at the web UI. In my case I believe it was about some security setting but have not yet had time to debug which one. Dunno where to start the debug though.

br,
risto

Sent from my iPad

> On 19 Apr 2018, at 18.24, Jan Gardian via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org> wrote:
>
> Hello,
>
> We had two ipa replicas, ipa1 with CA and ipa2. Those servers were on Ubuntu 16.
>
> I successfully installed the ipa3 replica with CA that is running on a newer version of IPA and CentOS 7. After that I stopped the old ipa2 and successfully installed a new ipa2 with CA on CentOS 7. Lastly I set up the CA master to be the new ipa2 following
> https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_4.0_or_later
> and turned off the old ipa1 server.
>
> The problem occurred when I was installing a replica with CA to the new ipa1 server running on CentOS 7.
> I can successfully install the ipa client and create a ticket under the admin user, but when trying to install the replica it fails with "ERROR Certificate issuance failed (CA_UNREACHABLE)". Somehow it tries to get certificates during the replica install from the ipa1 server when it does not yet have httpd installed.
>
> I thought it could be a problem that the certificate was primarily created at the old ipa1 and we have it signed by our own certificates as well, so I created another ipa4 server on CentOS 7. And again it crashed at the same point, trying to get a certificate from itself when it did not have httpd installed yet.
>
> OS: CentOS Linux release 7.4.1708
> IPA: VERSION: 4.5.0, API_VERSION: 2.228
>
> Attached are logs from the ipa client installation and ipa replica installation for the ipa4 server.
> Please ask if you require any different logs.
> I tried also to follow the debugging from
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/SZKAQDRCRGWV3ZIEJNAVRG2LHLDIS3MJ/
> but in my case it ends earlier because it tries to get the certificate from itself and does not get to the master. This can also be seen in the output of the command getcert list (in attachment).
>
> Thank you for checking.
>
> With kind regards,
> Ján Gardian
> Administrator
> <ipa4_debug>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
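Since the diagnosis in the quoted report rests on reading `getcert list` (which tracking request is stuck, and which CA host certmonger tried to reach), here is an added example, not code from this thread or from FreeIPA, that parses that output, flags every request whose status is not MONITORING, and pulls the CA host out of `ca-error` so a replica that is asking itself for a certificate is visible at a glance. The sample output and hostnames are constructed for the example; the field layout (`key: value`, one per line under each `Request ID` header) is an assumption about certmonger's text format.

```python
"""Summarise certmonger tracking state from `getcert list` output.

Added example, not from the mailing-list thread or the FreeIPA project.
Pipe real output in (`getcert list | python3 getcert_summary.py`) or run
without input to use the constructed sample below.
"""
import re
import sys
from typing import Dict, List, Optional

# Constructed sample shaped like `getcert list` output (assumption: one
# "key: value" field per indented line under each "Request ID '...':").
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20180419120000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=ipa4.example.test,O=EXAMPLE.TEST
Request ID '20180419120100':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://ipa4.example.test/ipa/xml failed request, will retry: (constructed sample error text)
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)")
NICKNAME_RE = re.compile(r"nickname='([^']+)'")


def parse_getcert_list(text: str) -> Dict[str, Dict[str, str]]:
    """Return {request_id: {field_name: value}} for every tracked request."""
    requests: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        header = REQUEST_RE.match(line)
        if header:
            current = header.group(1)
            requests[current] = {}
            continue
        # Lines before the first header (the "Number of ..." summary) and
        # lines without a separator are not request fields.
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        requests[current][key.strip()] = value.strip()
    return requests


def find_unhealthy(requests: Dict[str, Dict[str, str]]) -> List[dict]:
    """Requests not in MONITORING state, with the CA host taken from ca-error."""
    problems = []
    for req_id, fields in requests.items():
        status = fields.get("status", "UNKNOWN")
        if status == "MONITORING":
            continue
        host = URL_HOST_RE.search(fields.get("ca-error", ""))
        nick = NICKNAME_RE.search(fields.get("certificate", ""))
        problems.append({
            "request_id": req_id,
            "status": status,
            "stuck": fields.get("stuck") == "yes",
            "ca_host": host.group(1) if host else None,
            "nickname": nick.group(1) if nick else None,
        })
    return problems


def points_at_self(problem: dict, local_fqdn: str) -> bool:
    """True when certmonger tried to reach this very host as its CA, i.e. the
    symptom in the thread: a replica under construction requesting its
    certificate from itself before its own httpd/CA exists."""
    return problem["ca_host"] is not None and problem["ca_host"].lower() == local_fqdn.lower()


if __name__ == "__main__":
    text = SAMPLE_GETCERT_LIST if sys.stdin.isatty() else sys.stdin.read()
    local = sys.argv[1] if len(sys.argv) > 1 else "ipa4.example.test"  # assumed FQDN
    for p in find_unhealthy(parse_getcert_list(text)):
        flag = " (CA host is this machine!)" if points_at_self(p, local) else ""
        print(f"{p['request_id']}: {p['status']} stuck={p['stuck']} "
              f"cert={p['nickname']} ca_host={p['ca_host']}{flag}")
```

When the flagged request names the replica's own FQDN as the CA, the install is not talking to the existing CA master at all, which is the situation the quoted report describes and a useful first thing to confirm before digging into the hardening policy.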