I've tried installing in two different ways. First as part of a full replica install, i.e.

ipa-replica-install --setup-ca --no-forwarders -p <password> replica.gpg

This failed on step 8:

  [8/27]: starting certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart the Dogtag instance. See the installation log for details.
  [9/27]: creating RA agent certificate database
  [10/27]: importing CA chain to RA certificate database
  [error] RuntimeError: Unable to retrieve CA chain: request failed with HTTP status 500
I then tried installing just the replica (no --setup-ca option), which succeeded, and then

ipa-ca-install -w -p replica.gpg

which again failed with the same error.
The ca/debug log shows the following when I grep for errors:
[22/Aug/2017:17:01:06][http-bio-8443-exec-3]: SystemConfigService: request: ConfigurationRequest [pin=XXXX, token=Internal Key Storage Token, tokenPassword=XXXX, securityDomainType=existingdomain, securityDomainUri=https://server1:443, securityDomainName=null, securityDomainUser=admin, securityDomainPassword=XXXX, isClone=true, cloneUri=https://server1:443, subsystemName=CA server2 8443, p12File=/tmp/ca.p12, p12Password=XXXX, hierarchy=root, dsHost=server2, dsPort=389, baseDN=o=ipaca, bindDN=cn=Directory Manager, bindpwd=XXXX, database=ipaca, secureConn=false, removeData=true, replicateSchema=false, masterReplicationPort=389, cloneReplicationPort=389, replicationSecurity=TLS, systemCertsImported=false, systemCerts=[com.netscape.certsrv.system.SystemCertData@8ffc78b], issuingCA=https://server1:443, backupKeys=true, backupPassword=XXXX, backupFile=/etc/pki/pki-tomcat/alias/ca_backup_keys.p12, adminUID=null, adminPassword=XXXX, adminEmail=null, adminCertRequest=null, adminCertRequestType=null, adminSubjectDN=null, adminName=null, adminProfileID=null, adminCert=null, importAdminCert=false, generateServerCert=true, external=false, standAlone=false, stepTwo=false, authdbBaseDN=null, authdbHost=null, authdbPort=null, authdbSecureConn=null, caUri=null, kraUri=null, tksUri=null, enableServerSideKeyGen=null, importSharedSecret=null, generateSubsystemCert=null, sharedDB=false, sharedDBUserDN=null, createNewDB=true, setupReplication=True, subordinateSecurityDomainName=null, reindexData=False, startingCrlNumber=0, createSigningCertRecord=true, signingCertSerialNumber=1]
[22/Aug/2017:17:01:07][http-bio-8443-exec-3]: updateNumberRange start host=server1 adminPort=443 eePort=443
[22/Aug/2017:17:01:07][http-bio-8443-exec-3]: ConfigurationUtils: POST https://server1:443/ca/admin/ca/updateNumberRange
[22/Aug/2017:17:01:07][h...: updateNumberRange(): status=0
[22/Aug/2017:17:01:07][http-bio-8443-exec-3]: updateNumberRange start host=server1 adminPort=443 eePort=443
[22/Aug/2017:17:01:07][http-bio-8443-exec-3]: ConfigurationUtils: POST https://server1:443/ca/admin/ca/updateNumberRange
[22/Aug/2017:17:01:07][h...: updateNumberRange(): status=0
[22/Aug/2017:17:01:07][http-bio-8443-exec-3]: updateNumberRange start host=server1 adminPort=443 eePort=443
[22/Aug/2017:17:01:07][http-bio-8443-exec-3]: ConfigurationUtils: POST https://server1:443/ca/admin/ca/updateNumberRange
[22/Aug/2017:17:01:07][h...: updateNumberRange(): status=0
[22/Aug/2017:17:01:09][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:01:09][http-bio-8443-exec-3]: makeConnection: errorIfDown false
[22/Aug/2017:17:01:09][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:01:09][http-bio-8443-exec-3]: makeConnection: errorIfDown false
[22/Aug/2017:17:02:08][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:02:08][http-bio-8443-exec-3]: makeConnection: errorIfDown false
[22/Aug/2017:17:02:09][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:02:09][http-bio-8443-exec-3]: makeConnection: errorIfDown false
[22/Aug/2017:17:02:09][http-bio-8443-exec-3]: enableReplication: Failed to modify cn=replica,cn="o=ipaca",cn=mapping tree,cn=config entry. Exception: netscape.ldap.LDAPException: error result (68)
[22/Aug/2017:17:02:51][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:02:51][http-bio-8443-exec-3]: makeConnection: errorIfDown false
[22/Aug/2017:17:02:52][http-bio-8443-exec-3]: importLDIFS(): LDAP Errors in importing /var/lib/pki/pki-tomcat/ca/conf/manager.ldif
[22/Aug/2017:17:02:52][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in adding entry ou=csusers,cn=config:netscape.ldap.LDAPException: error result (68)
[22/Aug/2017:17:02:52][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in modifying entry o=ipaca:netscape.ldap.LDAPException: error result (20)
[22/Aug/2017:17:02:52][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:02:52][http-bio-8443-exec-3]: makeConnection: errorIfDown false
[22/Aug/2017:17:02:57][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is true
[22/Aug/2017:17:02:57][http-bio-8443-exec-3]: makeConnection: errorIfDown true
[22/Aug/2017:17:02:57][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:02:57][http-bio-8443-exec-3]: makeConnection: errorIfDown false
[22/Aug/2017:17:02:57][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:02:57][http-bio-8443-exec-3]: makeConnection: errorIfDown false
[22/Aug/2017:17:02:58][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:02:58][http-bio-8443-exec-3]: makeConnection: errorIfDown false
[22/Aug/2017:17:03:07][localhost-startStop-1]: init: before makeConnection errorIfDown is true
[22/Aug/2017:17:03:07][localhost-startStop-1]: makeConnection: errorIfDown true
[22/Aug/2017:17:03:07][localhost-startStop-1]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:03:07][localhost-startStop-1]: makeConnection: errorIfDown false
[22/Aug/2017:17:03:08][localhost-startStop-1]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:03:08][localhost-startStop-1]: makeConnection: errorIfDown false
[22/Aug/2017:17:03:08][localhost-startStop-1]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:03:08][localhost-startStop-1]: makeConnection: errorIfDown false
[22/Aug/2017:17:03:08][profileChangeMonitor]: Start Profile Creation - caDirUserRenewal caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[22/Aug/2017:17:03:08][profileChangeMonitor]: Done Profile Creation - caDirUserRenewal
[22/Aug/2017:17:03:08][profileChangeMonitor]: Start Profile Creation - IECUserRoles caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[22/Aug/2017:17:03:08][profileChangeMonitor]: Done Profile Creation - IECUserRoles
[22/Aug/2017:17:03:08][localhost-startStop-1]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:03:08][localhost-startStop-1]: makeConnection: errorIfDown false
[22/Aug/2017:17:03:09][localhost-startStop-1]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:03:09][localhost-startStop-1]: makeConnection: errorIfDown false
[22/Aug/2017:17:03:09][localhost-startStop-1]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:03:09][localhost-startStop-1]: makeConnection: errorIfDown false
[22/Aug/2017:17:03:09][localhost-startStop-1]: DBSubsystem: getNextRange. Unable to provide next range :netscape.ldap.LDAPException: error result (68)
[22/Aug/2017:17:13:08][SerialNumberUpdateTask]: DBSubsystem: getNextRange. Unable to provide next range :netscape.ldap.LDAPException: error result (68)
This has failed on every CentOS 7 and Fedora 26 server that we have available, so it doesn't seem like a problem with particular versions.

Can someone please suggest what the problem might be here?
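As an added example (my own code, not part of the post above and not FreeIPA or Dogtag code), here is a small Python parser that takes the run-together ca/debug output exactly as it was pasted, splits it back into individual log entries, and pulls out every netscape.ldap.LDAPException result code together with the DN the failing operation was touching. The numeric codes are mapped to their standard RFC 4511 names: 68 is entryAlreadyExists and 20 is attributeOrValueExists. The sample text is copied from the post's log; the regular expressions and helper names are assumptions of mine.

```python
import re
from collections import Counter

# Standard LDAP resultCode names (RFC 4511, section 4.1.9). Only a handful
# are listed; anything else is reported as "unknown(<n>)".
LDAP_RESULT_CODES = {
    0: "success",
    20: "attributeOrValueExists",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
    68: "entryAlreadyExists",
}

# Dogtag debug entries start with "[dd/Mon/yyyy:HH:MM:SS][thread]:". The
# thread name may not contain brackets, which keeps a truncated "[h...:"
# fragment from swallowing the following entry's timestamp.
ENTRY_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\]\[([^\[\]]*)\]:\s*")
LDAP_ERR_RE = re.compile(r"netscape\.ldap\.LDAPException: error result \((\d+)\)")
# DN of the failing add/modify, as Dogtag phrases it in importLDIF and
# enableReplication messages. Alternatives are ordered so "modifying entry"
# wins over the bare "modify" used by enableReplication.
DN_RE = re.compile(r"(?:adding entry|modifying entry|modify) (.+?)(?: entry\.|:netscape\.ldap)")

# Constructed sample: lines copied from the post, joined with no newlines
# between entries to reproduce the run-together form seen there.
SAMPLE_LOG = (
    "[22/Aug/2017:17:02:09][http-bio-8443-exec-3]: makeConnection: errorIfDown false"
    "[22/Aug/2017:17:02:09][http-bio-8443-exec-3]: enableReplication: Failed to modify "
    'cn=replica,cn="o=ipaca",cn=mapping tree,cn=config entry. Exception: '
    "netscape.ldap.LDAPException: error result (68)"
    "[22/Aug/2017:17:02:52][http-bio-8443-exec-3]: importLDIFS(): LDAP Errors in importing "
    "/var/lib/pki/pki-tomcat/ca/conf/manager.ldif"
    "[22/Aug/2017:17:02:52][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in adding entry "
    "ou=csusers,cn=config:netscape.ldap.LDAPException: error result (68)"
    "[22/Aug/2017:17:02:52][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in modifying entry "
    "o=ipaca:netscape.ldap.LDAPException: error result (20)"
    "[22/Aug/2017:17:03:09][localhost-startStop-1]: DBSubsystem: getNextRange. "
    "Unable to provide next range :netscape.ldap.LDAPException: error result (68)"
)


def split_entries(text):
    """Split a Dogtag debug log into (timestamp, thread, message) tuples.

    Works whether each entry sits on its own line or, as in the pasted log,
    entries are run together on one line.
    """
    flat = " ".join(line.strip() for line in text.splitlines())
    matches = list(ENTRY_RE.finditer(flat))
    entries = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(flat)
        entries.append((m.group(1), m.group(2), flat[m.end():end].strip()))
    return entries


def ldap_failures(text):
    """Return one dict per entry that carries an LDAPException result code."""
    failures = []
    for ts, thread, msg in split_entries(text):
        m = LDAP_ERR_RE.search(msg)
        if not m:
            continue
        code = int(m.group(1))
        dn = DN_RE.search(msg)
        failures.append({
            "time": ts,
            "thread": thread,
            "code": code,
            "name": LDAP_RESULT_CODES.get(code, "unknown(%d)" % code),
            "dn": dn.group(1) if dn else None,
            "message": msg,
        })
    return failures


def summarize(text):
    """Count failures by RFC 4511 result-code name."""
    return dict(Counter(f["name"] for f in ldap_failures(text)))


if __name__ == "__main__":
    for f in ldap_failures(SAMPLE_LOG):
        print("%s [%s] %s (%d) dn=%s" % (f["time"], f["thread"], f["name"], f["code"], f["dn"]))
    print(summarize(SAMPLE_LOG))
```

Run against the post's log this reports three entryAlreadyExists failures (the replica agreement entry under cn=config, ou=csusers,cn=config, and the serial number range lookup) and one attributeOrValueExists on o=ipaca. That distinction matters when reading the log: none of these are connectivity or credential errors against server2's directory, they are all the clone trying to create or add something the directory already holds, which is the thing to check in the o=ipaca and cn=config trees before re-running the install.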