On Thu, Aug 03, 2017 at 06:09:22AM +1000, Fraser Tweedale wrote:
> On Wed, Aug 02, 2017 at 08:34:59AM -0400, Mark Haney wrote:
> > On 08/02/2017 07:25 AM, Fraser Tweedale wrote:
> > > On Tue, Aug 01, 2017 at 02:55:26PM -0400, Rob Crittenden wrote:
> > > >
> > > > Providing the dogtag debug log might be helpful. The replica install log
> > > > shows that the GoDaddy CA chain was imported and trusted reasonably
> > > > (C,,) but the installer later claims it can't find them by nickname. I
> > > > think we need Fraser to take a closer look as he's a dogtag developer.
> > > >
> > > > rob
> > > >
> > > Hi Mark,
> > >
> > > Thank you for reporting your issue, for the information you have
> > > provided and for bearing with us as we investigate it. The CA is a
> > > complex part of the FreeIPA system with many moving parts so it can
> > > take a while to get to the bottom of things.
> > >
> > > I am travelling this week though I hope to find some time to start
> > > looking into this tomorrow. Realistically I will not have a lot of
> > > time to focus on this issue until next week.
> > >
> > > Thanks,
> > > Fraser
> >
> > Apologies for the harshness of my previous reply. It was a long and
> > frustrating day on a lot of fronts for me. That's not really an excuse,
> > however.
> >
> > As I'm not at all familiar with FreeIPA's layout, nor which server I should
> > pull the logs from, can you provide me with what additional log files you
> > need and which server to pull from? Note: ipa0 is the primary and ipa1 the
> > replica I'm banging my head against.
> >
> > I appreciate you taking a look at this in depth and I'll offer all the help
> > I can.
> >
> - /var/log/ipareplica-install.log from replica
> - /etc/pki/pki-tomcat/ca/debug from both master and replica
>
> Those logs should do for a start.
>
> I'd also like to see your /etc/pki/pki-tomcat/ca/CS.cfg from both
> master and replica.  Depending on where investigation goes I might
> ask for some LDAP entries too, but I'm not up to that point yet.
>
> Feel free to send logs directly to me and/or redact them as you see
> fit.
>
Oh, and which version of IPA are you creating the replica from?

Thanks,
Fraser
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org