Folks,
Trying to deploy CA on a replica node and it failed here without any information. Can I restart the process again? Even log directories are empty: /var/log/pki/pki-tomcat

My OS is Rocky Linux 8.9 and Master CA running on CentOS 7.x

[root@ldap-vx-010103-3 ~]# ipa-ca-install
Directory Manager (existing master) password:

Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/28]: creating certificate server db
[2/28]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 161 seconds elapsed
Update succeeded

[3/28]: creating ACIs for admin
[4/28]: creating installation admin user
[5/28]: configuring certificate server instance

ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance
ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

CA configuration failed.
Satish Patel via FreeIPA-users wrote:
> Folks,
>
> Trying to deploy CA on a replica node and it failed here without any information. Can I restart the process again? Even log directories are empty: /var/log/pki/pki-tomcat
>
> My OS is Rocky Linux 8.9 and Master CA running on CentOS 7.x
>
> [root@ldap-vx-010103-3 ~]# ipa-ca-install
> Directory Manager (existing master) password:
>
> Run connection check to master
> Connection check OK
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
> [1/28]: creating certificate server db
> [2/28]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 161 seconds elapsed
> Update succeeded
>
> [3/28]: creating ACIs for admin
> [4/28]: creating installation admin user
> [5/28]: configuring certificate server instance
>
> ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance
> ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
> ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
> [error] RuntimeError: CA configuration failed.
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> CA configuration failed.
/var/log/ipaserver-install.log may hold some clues
There should be a pki-ca-spawn log in /var/log/pki related to the install.
There is no uninstall for the CA (or KRA). You'd have to uninstall the replica and re-install it.
rob
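
The log check suggested in the reply above, as an added example that is not part of the original thread: a small shell helper that finds the newest pki-ca-spawn log and pulls the failure lines from it and from /var/log/ipaserver-install.log. The function names, the `pki-ca-spawn*.log` glob and the keyword list are assumptions of this example.

```shell
#!/bin/sh
# Added example: triage helper for a failed ipa-ca-install.
# The two log locations come from the reply above; the glob pattern and
# the failure keywords are assumptions of this example.
# Usage (as root, on the replica): source this file, then run: triage

# newest_spawn_log [DIR] -> path of the most recently modified spawn log
newest_spawn_log() {
    dir=${1:-/var/log/pki}
    # ls -t sorts newest first; a non-matching glob is silenced
    ls -t "$dir"/pki-ca-spawn*.log 2>/dev/null | head -n 1
}

# failure_lines FILE [N] -> last N failure-looking lines, with line numbers
failure_lines() {
    file=$1
    n=${2:-20}
    [ -r "$file" ] || return 1
    grep -n -E 'CRITICAL|ERROR|Traceback|Exception' "$file" | tail -n "$n"
}

# triage [PKI_DIR] [IPA_LOG] -> report covering both logs named in the reply
triage() {
    pki_dir=${1:-/var/log/pki}
    ipa_log=${2:-/var/log/ipaserver-install.log}
    spawn=$(newest_spawn_log "$pki_dir")
    for f in "$ipa_log" "$spawn"; do
        if [ -z "$f" ]; then
            echo "== no pki-ca-spawn log found in $pki_dir"
            continue
        fi
        echo "== $f"
        failure_lines "$f" || echo "(unreadable or missing)"
    done
}
```

The line numbers in the output give the place to open each log and read the surrounding context, which is usually where the real cause sits.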
This is crazy.. why is FreeIPA so difficult to debug?
I can't attach a replica without a thousand errors, and the errors don't make sense either.
Question: can I create replication from 4.6 to 4.9?
What if I want to build a new FreeIPA on a new OS and export/import all users to a new environment? Is it going to work, and how?
On Thu, May 16, 2024 at 2:23 PM Rob Crittenden rcritten@redhat.com wrote:
> /var/log/ipaserver-install.log may hold some clues
> There should be a pki-ca-spawn log in /var/log/pki related to the install.
> There is no uninstall for the CA (or KRA). You'd have to uninstall the replica and re-install it.
> rob
Satish Patel wrote:
> This is crazy.. why is FreeIPA so difficult to debug?
> I can't attach a replica without a thousand errors, and the errors don't make sense either.

Your originating system may still have a lot of problems with it. They don't go away when you create a replica.
You almost never post exact commands you've used and the output, so it's difficult to help.

> Question: can I create replication from 4.6 to 4.9?

It's more a question of the underlying operating system. Crypto policies have been increasingly tightened. You've already been told that you have to go from RHEL 7 -> 8 -> 9 (or equivalent). Is that what you're really asking?

> What if I want to build a new FreeIPA on a new OS and export/import all users to a new environment? Is it going to work, and how?

There is no IPA-to-IPA migration in any release yet. migrate-ds can work with IPA to migrate users and groups, but it has some pitfalls of its own. It was designed for legacy LDAP -> IPA migration.

rob