ipa-replica-install failure.
by Arjen Heidinga
Hi!
My primary IPA-server is severely damaged. It is an old server, updated
and updated and updated through time (anaconda-ks.cfg is 4 Dec 2014). I
run Fedora-33 (now).
Because the installation is broken in several parts (missing certs, odd
tomcat issues), I thought, let's replicate and reinstall and start over
fresh-ish. New machine, ipa-replica-install goes smoothly for about an
hour (or so) and burns down:
The ipa-replica-install command failed, exception: CalledProcessError:
CalledProcessError(Command ['/bin/systemctl', 'start',
'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job
for pki-tomcatd@pki-tomcat.service failed because a timeout was
exceeded.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and
"journalctl -xe" for details.\n')
CalledProcessError(Command ['/bin/systemctl', 'start',
'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job
for pki-tomcatd@pki-tomcat.service failed because a timeout was
exceeded.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and
"journalctl -xe" for details.\n')
The ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information
(install log attached).
Inspecting the tomcat-ca log I see:
2021-02-25 13:07:18 [main] INFO: PluginRegistry: Loading plugin registry
from /var/lib/pki/pki-tomcat/conf/ca/registry.cfg
2021-02-25 13:07:18 [main] SEVERE: LdapBoundConnFactory: Unable to
connect to LDAP server: Authentication failed
netscape.ldap.LDAPException: Authentication failed (49)
Yes, this is one of the issues I had with the main server. Somehow not
trusting the tomcat client-cert anymore. Ended up doing password
auth without SSL.
Is there a way to repair this, or trick the server into doing this? Or
should I do a fresh start?
Kind regards,
Arjen Heidinga