On 09/09/2016 12:13 PM, Giorgos Kafataridis wrote:
> Yes, I have followed
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
>
> to the letter.
> The only reason I had to recreate the cacert.p12 file is because it is not
> renewed automatically in v3, so the cacert.p12 was outdated and the CA was
> throwing a "p12 invalid digest" error.
>
> * I opened all necessary ports
> * I checked all certs and they are valid for another year
>
> Run connection check to master
> Check connection from replica to remote master 'ipa-server.nelios':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
>    PKI-CA: Directory Service port (7389): OK
>
> The following list of ports use UDP protocol and would need to be
> checked manually:
>    Kerberos KDC: UDP (88): SKIPPED
>    Kerberos Kpasswd: UDP (464): SKIPPED
>
> Connection from replica to master is OK.
> Start listening on required ports for remote master check
> Get credentials to log in to remote master
> Check SSH connection to remote master
> Execute check on remote master
> Check connection from master to remote replica 'ipa2-server2.nelios':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos KDC: UDP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    Kerberos Kpasswd: UDP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
>
> Connection from master to replica is OK.
>
> Connection check OK
>
> *Even with a fresh install of CentOS 7 with a different hostname and IP I
> still get the error below*
>
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
>   [1/24]: creating certificate server user
>   [2/24]: configuring certificate server instance
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA
> instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpbMwmp_''
> returned non-zero exit status 1
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation
> logs and the following files/directories for more information:
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki-ca-install.log
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
>   [error] RuntimeError: CA configuration failed.
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> ipa.ipapython.install.cli.install_tool(Replica): ERROR CA configuration
> failed.
>
> *With debug enabled I get:*
>
> ipa : DEBUG Starting external process
> ipa : DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpwY8XjR'
> ipa : DEBUG Process finished, return code=1
> ipa : DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160909044214.log
> Loading deployment configuration from /tmp/tmpwY8XjR.
> Installing CA into /var/lib/pki/pki-tomcat.
> Storing deployment configuration into
> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>
> Installation failed.
>
>
> ipa : DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
> InsecureRequestWarning: Unverified HTTPS request is being made. Adding
> certificate verification is strongly advised. See:
> https://urllib3.readthedocs.org/en/latest/security.html
>   InsecureRequestWarning)
> pkispawn : WARNING ....... unable to validate security domain user/password
> through REST interface. Interface not available
> pkispawn : ERROR ....... Exception from Java Configuration Servlet: 500
> Server Error: Internal Server Error
> pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line
> 1, column 0:
> {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Failed
> to obtain installation token from security domain"}
>
>
> Is there a way to validate the replica .gpg file from a v3 installation
> against a v4.2 FreeIPA installation to check for any errors before going
> through the ipa-replica-install?
> The ipa-replica-install completes if I don't include the --setup-ca flag,
> but I don't want that.
>
There is no automatic method to verify the replica file.

Could you share the stack trace from /var/log/pki/pki-tomcat/ca/debug + a couple of lines before and after?

--
Petr Vobornik

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
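Added example (not part of the thread, and not FreeIPA or Dogtag code): a small Python script that pulls the two actionable facts out of the output quoted above. The conncheck parser lists every port that was not confirmed OK (here the two UDP checks that conncheck SKIPPED, which the installer tells you to test by hand), and the pkispawn helper recovers the real CA error: pkispawn handed the configuration servlet's reply to an XML parser, so the JSON PKIException body ("Failed to obtain installation token from security domain", HTTP 500) only survives inside a ParseError message. The sample text is constructed from the quoted output and the hostnames are the ones in the thread.

```python
import json
import re

# Constructed sample: the ipa-replica-conncheck output quoted above, trimmed
# to the replica-to-master direction (hostnames taken from the thread).
CONNCHECK_OUTPUT = """\
Check connection from replica to remote master 'ipa-server.nelios':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
"""

# Constructed sample: the pkispawn stderr quoted above, with the ParseError
# kept on one line because the JSON body is embedded in it.
PKISPAWN_STDERR = """\
pkispawn    : WARNING  ....... unable to validate security domain user/password through REST interface. Interface not available
pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Failed to obtain installation token from security domain"}
"""

# One conncheck result line: "   <service>: <description> (<port>): <STATUS>"
CHECK_RE = re.compile(
    r"^\s+(?P<service>[^:]+):\s+(?P<desc>.+?)\s+\((?P<port>\d+)\):\s+(?P<status>[A-Z]+)\s*$"
)


def parse_conncheck(text):
    """Turn ipa-replica-conncheck output into a list of per-port results."""
    results = []
    for line in text.splitlines():
        m = CHECK_RE.match(line)
        if m:
            results.append({
                "service": m.group("service").strip(),
                "desc": m.group("desc"),
                "port": int(m.group("port")),
                "status": m.group("status"),
            })
    return results


def ports_needing_attention(results):
    """Everything not confirmed OK, e.g. the UDP checks conncheck SKIPPED."""
    return [r for r in results if r["status"] != "OK"]


def extract_pki_exception(stderr):
    """Recover the PKIException that pkispawn could not parse.

    The servlet answered with JSON while pkispawn expected XML, so the real
    error is hidden inside a ParseError message. Returns the decoded object,
    or None if no JSON object is present on any line.
    """
    for line in stderr.splitlines():
        start = line.find("{")
        if start == -1:
            continue
        try:
            obj, _ = json.JSONDecoder().raw_decode(line[start:])
        except ValueError:
            continue
        if isinstance(obj, dict) and "ClassName" in obj:
            return obj
    return None


if __name__ == "__main__":
    for r in ports_needing_attention(parse_conncheck(CONNCHECK_OUTPUT)):
        print("needs manual check: %s %s %d (%s)"
              % (r["service"], r["desc"], r["port"], r["status"]))
    exc = extract_pki_exception(PKISPAWN_STDERR)
    if exc:
        print("CA reported: %s (HTTP %d)" % (exc["Message"], exc["Code"]))
```

On a real box you would feed it the saved conncheck output and /var/log/pki/pki-ca-spawn.*.log instead of the constructed strings; the recovered "Code" and "Message" are what to search for in /var/log/pki/pki-tomcat/ca/debug on the master when collecting the stack trace asked for above.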
