Hi Alex, (Cc some other engineers for Dogtag cloning troubleshooting exposure).

Thanks for the additional logs. Can we please see [temporally relevant snippets of] any other log files under /var/log/pki/pki-tomcat and /var/log/pki/pki-tomcat/ca, as well as the journal (`journalctl -u pki-tomcatd@pki-tomcat`)?

The original server is returning status 500 upon /updateNumberRange request from the new replica, but the cause is unknown. There is likely to be a stack trace hiding in the journal or one of the other log files that was not included in the data you provided. (Which is fair enough; we didn't ask for this extra stuff until now.)

One more question: is this a replica created from a replica? I fixed an issue quite recently that can occur under such a scenario, the symptoms of which are similar to yours.

Thanks,
Fraser

On Wed, Nov 07, 2018 at 08:44:05PM +0100, Alex Corcoles via FreeIPA-users wrote:
> OK, did the whole song and dance again (btw, it takes about 6m, I'm not
> sure if that's normal), and extracted logs again:
>
> https://gist.github.com/alexpdp7/358626a92a07c787fbf246b2761dddb3
>
> Thanks for your time, guys,
>
> Álex
>
> On Tue, Nov 6, 2018 at 5:17 PM Rob Crittenden <rcrit...@redhat.com> wrote:
>
> > Alex Corcoles via FreeIPA-users wrote:
> > > So I solved my LXC problems (thanks Rob, again), but now:
> > >
> > > ipa-replica-install -U --setup-ca -N
> > >
> > > fails when rebuilding my replica from scratch, see:
> > >
> > > https://gist.github.com/alexpdp7/4431da5e11afe6029e2baa01bc1f2251
> > >
> > > , where I think I've copied the relevant logs. I think I saw someone
> > > recommending revoking the replica certs, which makes sense as I'm using
> > > the same hostname that I used on the previous replica, but that doesn't
> > > seem to fix things.
> > >
> > > (I'm removing the previous replica via the admin interface, IPA Server
> > > -> Topology -> IPA Servers, select my replica and "Delete Server". This
> > > removes it too from the host list).
> >
> > I don't know what it is but it isn't related to existing entries in IPA
> > (nor un-revoked certs).
> >
> > The dogtag installer is asking for a serial # range and getting a
> > NotFound. Maybe Fraser knows.
> >
> > rob
> >
>
> --
>    ___
>  {~._.~}
>   ( Y )
>  ()~*~()  mail: alex at corcoles dot net
>  (_)-(_)  http://alex.corcoles.net/
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org