Brian Weaver via FreeIPA-users wrote:
I had issues with my old FreeIPA installation so I rebuilt using Fedora
28 and FreeIPA 4.6 from the COPR of @freeipa/freeipa-4-6.
I managed to successfully set up the server and import my DNS data. Now when
I try to create a replica it is blowing up. When I run
"ipa-replica-install --principal admin@IPA.${DOMAIN} -w
'uber-secret-password' -N" it's failing. I've tried Google, cleaned up
the directory of the server entries, etc. I'm at an impasse.
Here is the error
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
[1/2]: starting kadmin
[2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
[1/3]: configuring TLS for DS instance
[error] RuntimeError: Certificate issuance failed (CA_REJECTED)
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
I was going to get the error from the log directory. I ran uninstall
before I thought about it. Then when I try again it fails on "entry
already exists". So when I run uninstall again I have to do 'ipa
server-del ipa-server1.ipa.domain'.
I'm having no luck and it fails at random places. For example, after the
last cleanup I got "Insufficient Access" with write privilege on
'cn=replication,cn=etc,dc=ipa,dc=$domain'.
Any help would really be appreciated. This is really holding me up.

4.6 is probably not going to work nicely in F28. NSS changed the default
database type and that caused a lot of issues for IPA.
rob