There was no record in the CA list. I added one for the CA master with the ldapadd command. The ipa-ca-install command completed successfully this time! Thanks a million for your help!
Thanks, Ross
________________________________________
From: Fraser Tweedale [ftweedal@redhat.com]
Sent: Tuesday, May 08, 2018 11:49 PM
To: Ross Infinger
Cc: FreeIPA users list
Subject: Re: [Freeipa-users] CA install on replica fails - Clone URI does not match...
On Thu, May 03, 2018 at 02:25:34PM +0000, Ross Infinger wrote:
I assume the issue here is with the command... https://urldefense.proofpoint.com/v2/url?u=https-3A__pci-2Dmgmt-2Dipa01.pci....
Which returns...

domain info: <?xml version="1.0" encoding="UTF-8" standalone="no"?>
<DomainInfo>
  <Name>IPA</Name>
  <CAList><SubsystemCount>0</SubsystemCount></CAList>
  <KRAList><SubsystemCount>0</SubsystemCount></KRAList>
  <OCSPList><SubsystemCount>0</SubsystemCount></OCSPList>
  <TKSList><SubsystemCount>0</SubsystemCount></TKSList>
  <RAList><SubsystemCount>0</SubsystemCount></RAList>
  <TPSList><SubsystemCount>0</SubsystemCount></TPSList>
</DomainInfo>
I notice that all the SubsystemCount values are 0. I'm guessing that is what is causing the ipa-ca-install command to throw the Clone URI does not match available subsystems error.
However, the ipa server-show command shows that the pci-mgmt-ipa01 server is actually enabled for CA server.
[root@ipa-nyc-pci01 ~]# ipa server-show pci-mgmt-ipa01.pci.xxxxxx.com
  Server name: pci-mgmt-ipa01.pci.xxxxxx.com
  Managed suffixes: domain, ca
  Min domain level: 0
  Max domain level: 1
  Enabled server roles: CA server, DNS server, NTP server
So why does the DomainXML query return 0 subsystems?
What is the ipa-ca-install command expecting here?
Thanks, Ross
Hi Ross,
Could you please check the contents of the Security Domain CA List in LDAP? There should be an entry for the master. For example:
% ldapsearch -LLL -D "cn=directory manager" -w DM_PASSWORD -b "cn=CAList,ou=Security Domain,o=ipaca"
dn: cn=CAList,ou=Security Domain,o=ipaca
objectClass: top
objectClass: pkiSecurityGroup
cn: CAList

dn: cn=f28-0.ipa.local:443,cn=CAList,ou=Security Domain,o=ipaca
objectClass: top
objectClass: pkiSubsystem
host: f28-0.ipa.local
SecurePort: 443
SecureAgentPort: 443
SecureAdminPort: 443
SecureEEClientAuthPort: 443
UnSecurePort: 80
Clone: FALSE
SubsystemName: CA f28-0.ipa.local 8443
cn: f28-0.ipa.local:443
DomainManager: TRUE
'f28-0.ipa.local' is my master hostname. I don't have a CA replica in this topology (there would be another entry for it).
Do you have an entry for the master? Are all the attribute values as expected? If not, you could try creating the entry based on the example above, restart Dogtag on the master, then attempt replica installation again.
Cheers, Fraser
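A small consistency check for the situation in this thread, written as an added example (it is not part of the thread and not FreeIPA or Dogtag code): it parses the DomainInfo XML returned by getDomainXML and an ldapsearch LDIF dump of the CAList, reports why the replica CA install would fail, and builds a master entry shaped like Fraser's f28-0.ipa.local example. The shortened sample XML, the function names and the example.test hostnames are constructed for this snippet; the attribute names and the 8443 Tomcat port in SubsystemName are taken from the entry above.

```python
import xml.etree.ElementTree as ET
# Constructed sample modelled on the DomainInfo XML quoted in the thread (all lists empty).
DOMAIN_XML = ('<?xml version="1.0" encoding="UTF-8" standalone="no"?><DomainInfo><Name>IPA</Name>'
              '<CAList><SubsystemCount>0</SubsystemCount></CAList>'
              '<KRAList><SubsystemCount>0</SubsystemCount></KRAList></DomainInfo>')

def subsystem_counts(xml_text):
    """Map each subsystem type (CA, KRA, ...) to its SubsystemCount."""
    root = ET.fromstring(xml_text)
    return {el.tag[:-4]: int(el.findtext("SubsystemCount", "0"))
            for el in root if el.tag.endswith("List")}

def parse_ldif(ldif_text):
    """Minimal LDIF reader: a blank line separates entries, attributes become lists."""
    entries, cur = [], {}
    for line in ldif_text.splitlines() + [""]:
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        key, _, val = line.partition(":")
        cur.setdefault(key.strip(), []).append(val.strip())
    return entries

def calist_hosts(ldif_text):
    """Hosts that have a pkiSubsystem entry in the CAList dump."""
    return {e["host"][0] for e in parse_ldif(ldif_text)
            if "pkiSubsystem" in e.get("objectClass", []) and "host" in e}

def master_entry_ldif(host, secure_port=443, unsecure_port=80, tomcat_port=8443):
    """LDIF for a CA master entry shaped like the f28-0.ipa.local example in the thread."""
    return "\n".join([
        f"dn: cn={host}:{secure_port},cn=CAList,ou=Security Domain,o=ipaca",
        "objectClass: top", "objectClass: pkiSubsystem", f"host: {host}",
        f"SecurePort: {secure_port}", f"SecureAgentPort: {secure_port}",
        f"SecureAdminPort: {secure_port}", f"SecureEEClientAuthPort: {secure_port}",
        f"UnSecurePort: {unsecure_port}", "Clone: FALSE",
        f"SubsystemName: CA {host} {tomcat_port}", f"cn: {host}:{secure_port}",
        "DomainManager: TRUE"]) + "\n"

def diagnose(domain_xml, ldif_text, ca_servers):
    """Findings that explain a 'Clone URI does not match available subsystems' error."""
    findings = []
    if subsystem_counts(domain_xml).get("CA", 0) == 0:
        findings.append("DomainInfo lists 0 CA subsystems")
    for host in sorted(set(ca_servers) - calist_hosts(ldif_text)):
        findings.append(f"no CAList entry for CA server {host}")
    return findings
```

Feed `diagnose` the hosts that `ipa server-show` reports with the CA server role; the LDIF that `master_entry_ldif` returns is what you would pass to ldapadd for a missing master.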