lejeczek via FreeIPA-users wrote:
hi guys,
I have a working domain off Centos 7's VERSION: 4.6.8, API_VERSION:
2.237 and now I'm adding Centos 8's VERSION: 4.8.4, API_VERSION: 2.235.
Adding the Centos 8 replica worked okay, and now on that new replica/master:
$ ipa-ca-install
I get:
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/27]: creating certificate server db
[2/27]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 8 seconds elapsed
Update succeeded
[3/27]: creating ACIs for admin
[4/27]: creating installation admin user
[5/27]: configuring certificate server instance
ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA
instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s',
'CA',
'-f', '/tmp/tmpwodqkt5b'] returned non-zero exit status 1: 'Notice:
Trust flag u is set automatically if the private key is
present.\nWARNING: Unable to modify o=ipaca:
netscape.ldap.LDAPException: error result (20); Type or value
exists\nERROR: Exception: Server unreachable due to SSL error: [SSL:
WRONG_VERSION_NUMBER] wrong version number (_ssl.c:897)\n File
"/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 562, in
main\n scriptlet.spawn(deployer)\n File
"/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py",
line 836, in spawn\n request_timeout=status_request_timeout,\n File
"/usr/lib/python3.6/site-packages/pki/server/deployment/pkihelper.py",
line 911, in wait_for_startup\n raise Exception(\'Server unreachable
due to SSL error: %s\' % reason) from exc\n\n')
ipaserver.install.dogtaginstance: CRITICAL See the installation logs and
the following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
and I wonder if it fails because it should, because these two versions
will not work together, or is the problem due to some other cause not
related to the fact that different versions are used?

This isn't an issue with mixed versions. The problem is openjdk
1.8.0.272, which caused some TLS regressions
(https://bugzilla.redhat.com/show_bug.cgi?id=1892216). Downgrade to
1.8.0.265 and it should work.
rob