So given that 4.6 wasn't going to work nicely with F28, I decided to
roll back to F27. I also DID NOT use the COPR repo; just what was stock with
F27. I'm still unable to create a replica. I get the following error on the
replica install.

Configuring ipa-custodia
[1/4]: Generating ipa-custodia config file
[2/4]: Generating ipa-custodia keys
[3/4]: starting ipa-custodia
[4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Waiting for keys to appear on host: ipa-server0.ipa.domain, please wait
until this has completed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipapython.admintool: ERROR 400 Client Error: Bad Request for url:
https://ipa-server0.ipa.domain/ipa/keys/ca/caSigningCert%20cert-pki-ca?ty...
ipapython.admintool: ERROR The ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information

Any ideas why I'd get a 400 error? This is the same error I got when I did use
the COPR repo with F27. I *thought* it would work if I'd stop trying to
jump ahead on the software version by skipping COPR. This is getting
downright frustrating. How many people set up a FreeIPA server and don't
set up at least 1 replica? Wouldn't that be a basic use case for testing
before inclusion?

Any help would definitely be appreciated. Do I need to step back to F26?

On Wed, May 2, 2018 at 4:32 PM, Rob Crittenden <rcritten(a)redhat.com> wrote:
Brian Weaver via FreeIPA-users wrote:
> I had issues with my old FreeIPA installation so I rebuilt using Fedora
> 28 and FreeIPA 4.6 from the COPR of @freeipa/freeipa-4-6.
>
> I managed to successfully set up the server and import my DNS data. Now when
> I try to create a replica it is blowing up. When I run "ipa-replica-install
> --principal admin(a)IPA.${DOMAIN} -w 'uber-secret-password' -N" it's
> failing. I've tried Google, cleaned up the directory of the server entries,
> etc. I'm at an impasse.
>
> Here is the error
>
> Done configuring Kerberos KDC (krb5kdc).
> Configuring kadmin
> [1/2]: starting kadmin
> [2/2]: configuring kadmin to start on boot
> Done configuring kadmin.
> Configuring directory server (dirsrv)
> [1/3]: configuring TLS for DS instance
> [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> I was going to get the error from the log directory. I ran uninstall
> before I thought about it. Then when I try again it fails on "entry already
> exists". So when I run uninstall again I have to do 'ipa server-del
> ipa-server1.ipa.domain'.
>
> I'm having no luck and it fails at random places. For example after the
> last cleanup I got "Insufficient Access" with write privilege on
> cn=replication,cn=etc,dc=ipa,dc=$domain'
>
> Any help would really be appreciated. This is really holding me up.
>
4.6 is probably not going to work nicely in F28. NSS changed the default
database type and that caused a lot of issues for IPA.
rob
--
/* insert witty comment here */