Hello

I got this same error with a replica installation on RHEL 7.4 after the OS was 
hardened with OpenSCAP. A pure base OS install without any additional hardening 
did work without problems. I was doing the replica install immediately after 
setting up the new primary.

Also, with the same SCAP policy the fresh primary IPA did not allow any login at 
the web UI. In my case I believe it was about some security setting but I have 
not yet had time to debug which one. Dunno where to start the debug, though.

br,
risto

Sent from my iPad

> On 19 Apr 2018, at 18.24, Jan Gardian via FreeIPA-users 
> <freeipa-users@lists.fedorahosted.org> wrote:
> 
> Hello,
> 
> We had two IPA replicas, ipa1 with CA and ipa2. Those servers were on Ubuntu 
> 16.
> 
> I successfully installed an ipa3 replica with CA that is running a newer 
> version of IPA and CentOS 7. After that I stopped the old ipa2 and successfully 
> installed a new ipa2 with CA on CentOS 7. Lastly I set up the CA master to be 
> the new ipa2, following 
> https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_4.0_or_later
> and turned off the old ipa1 server.
> 
> The problem occurred when I was installing a replica with CA on the new ipa1 
> server running CentOS 7.
> I can successfully install the IPA client and create a ticket under the admin 
> user, but when trying to install the replica it fails with "ERROR    Certificate 
> issuance failed (CA_UNREACHABLE)". Somehow it tries to get certificates during 
> the replica install from the ipa1 server when it does not yet have httpd 
> installed.
> 
> I thought the problem could be that the certificate was originally created on 
> the old ipa1 and that we have it signed with our own certificates as well, so I 
> created another ipa4 server on CentOS 7. And again it crashed at the same point, 
> trying to get a certificate from itself when it did not have httpd installed 
> yet.
> 
> OS: CentOS Linux release 7.4.1708 
> IPA: VERSION: 4.5.0, API_VERSION: 2.228
> 
> Attached are logs from the IPA client installation and the IPA replica 
> installation for the ipa4 server. 
> Please ask if you require any different logs. I also tried to follow the 
> debugging from 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/SZKAQDRCRGWV3ZIEJNAVRG2LHLDIS3MJ/
> but in my case it ends earlier because it tries to get the certificate from 
> itself and does not get to the master. This can also be seen in the output of 
> the command getcert list (in the attachment).
> 
> 
> Thank you for checking.
> 
> 
> With kind regards,
> Ján Gardian
> Administrator
> <ipa4_debug>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
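An added triage check for the failure described in the quoted message (this is example code written for this page, not code from the thread or from FreeIPA/certmonger). It parses the output of "getcert list", picks out the requests whose status is CA_UNREACHABLE, and reports which IPA endpoint certmonger was trying to reach, flagging the case where a replica that is still being installed is asking itself rather than the CA master. The getcert output embedded below is constructed for illustration; the hostnames ipa2.example.test / ipa4.example.test, the ca-error wording and the "expected CA master" argument are assumptions, not values from the original mails.

```python
"""Triage `getcert list` output for certificate requests stuck in CA_UNREACHABLE.

Parses the certmonger request listing, pulls the IPA endpoint out of each
ca-error line and reports whether the host being asked is this machine (which,
during a replica install, cannot answer because httpd/the CA are not up yet)
or something other than the CA master you expect.
"""
import re
import socket
import subprocess
import sys
from urllib.parse import urlparse

REQUEST_RE = re.compile(r"^Request ID '([^']+)':\s*$")
FIELD_RE = re.compile(r"^\s+([^:]+):\s?(.*)$")       # "\tkey: value" lines
URL_RE = re.compile(r"Server at (https?://\S+?)\s+failed")

# Constructed sample output (assumption: mimics `getcert list` on a replica
# whose install failed). Real hosts/IDs/error text will differ.
SAMPLE_OUTPUT = """Number of certificates and requests being tracked: 2.
Request ID '20180419151031':
        status: CA_UNREACHABLE
        ca-error: Server at https://ipa4.example.test/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining:  Failed connect to ipa4.example.test:443; Connection refused).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: 
        subject: 
        expires: unknown
        track: yes
        auto-renew: yes
Request ID '20180419151200':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
        certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.TEST
        subject: CN=ipa4.example.test,O=EXAMPLE.TEST
        expires: 2020-04-20 15:12:00 UTC
        track: yes
        auto-renew: yes
"""


def parse_getcert_list(text):
    """Return one dict per tracked request: {'id': ..., '<field>': '<value>', ...}."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return requests


def ca_host_from_error(ca_error):
    """Hostname of the IPA endpoint named in a ca-error line, or None."""
    m = URL_RE.search(ca_error or "")
    return urlparse(m.group(1)).hostname if m else None


def unreachable_requests(requests):
    return [r for r in requests if r.get("status") == "CA_UNREACHABLE"]


def triage(requests, local_fqdn, expected_ca_master):
    """One finding per CA_UNREACHABLE request: which host was asked and why that matters."""
    findings = []
    for r in unreachable_requests(requests):
        host = ca_host_from_error(r.get("ca-error"))
        if host is None:
            verdict = "no endpoint in ca-error; inspect 'getcert list -i %s'" % r["id"]
        elif host.lower() == local_fqdn.lower():
            verdict = "asks itself (%s); httpd/CA are not up during replica install" % host
        elif host.lower() != expected_ca_master.lower():
            verdict = "asks %s, expected CA master %s" % (host, expected_ca_master)
        else:
            verdict = "asks the expected CA master %s; check httpd/pki-tomcatd there" % host
        findings.append({"id": r["id"], "host": host,
                         "storage": r.get("key pair storage", ""), "verdict": verdict})
    return findings


if __name__ == "__main__":
    # Usage (as root on the failing replica): python3 getcert_triage.py ipa2.example.test
    expected = sys.argv[1] if len(sys.argv) > 1 else socket.getfqdn()
    out = subprocess.run(["getcert", "list"], check=True,
                         capture_output=True, text=True).stdout
    for f in triage(parse_getcert_list(out), socket.getfqdn(), expected):
        print("%s  %s\n    %s\n    %s" % (f["id"], f["host"], f["storage"], f["verdict"]))
```

Run it on the replica where ipa-replica-install stopped, passing the FQDN of the server that is supposed to act as CA master; a finding that says "asks itself" matches the symptom in the thread (the request goes to the host being installed, which cannot serve it yet), while "asks X, expected Y" points at stale client configuration on the new host that names a decommissioned server.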