Ok, I launched a new instance using 1CPU x 2GB. I got further. And then all
of a sudden the promotion script killed itself?
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/27]: creating certificate server db
[2/27]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 5 seconds elapsed
Update succeeded

[3/27]: creating installation admin user
[4/27]: configuring certificate server instance
[5/27]: exporting Dogtag certificate store pin
[6/27]: stopping certificate server instance to update CS.cfg
[7/27]: backing up CS.cfg
[8/27]: disabling nonces
[9/27]: set up CRL publishing
[10/27]: enable PKIX certificate path discovery and validation
[11/27]: destroying installation admin user
[12/27]: starting certificate server instance
[13/27]: configure certmonger for renewals
[14/27]: Importing RA key
[15/27]: setting up signing cert profile
[16/27]: setting audit signing renewal to 2 years
[17/27]: restarting certificate server
Killed
This is what is in the ipareplica-install.log. It looks like it worked but for
some reason killed itself?
2018-02-08T20:32:24Z DEBUG Starting external process
2018-02-08T20:32:24Z DEBUG args=/usr/bin/openssl pkcs12 -in /tmp/tmpTxzHP7 -nocerts -nodes -out /var/lib/ipa/ra-agent.key -passin pass:XXXXXXXX
2018-02-08T20:32:24Z DEBUG Process finished, return code=0
2018-02-08T20:32:24Z DEBUG stdout=
2018-02-08T20:32:24Z DEBUG stderr=MAC verified OK
2018-02-08T20:32:24Z DEBUG Starting external process
2018-02-08T20:32:24Z DEBUG args=/usr/sbin/selinuxenabled
2018-02-08T20:32:24Z DEBUG Process finished, return code=1
2018-02-08T20:32:24Z DEBUG stdout=
2018-02-08T20:32:24Z DEBUG stderr=
2018-02-08T20:32:24Z DEBUG Starting external process
2018-02-08T20:32:24Z DEBUG args=/usr/sbin/selinuxenabled
2018-02-08T20:32:24Z DEBUG Process finished, return code=1
2018-02-08T20:32:24Z DEBUG stdout=
2018-02-08T20:32:24Z DEBUG stderr=
2018-02-08T20:32:25Z DEBUG duration: 2 seconds
2018-02-08T20:32:25Z DEBUG [15/27]: setting up signing cert profile
2018-02-08T20:32:25Z DEBUG duration: 0 seconds
2018-02-08T20:32:25Z DEBUG [16/27]: setting audit signing renewal to 2 years
2018-02-08T20:32:25Z DEBUG caSignedLogCert.cfg profile validity range is 720
2018-02-08T20:32:25Z DEBUG duration: 0 seconds
2018-02-08T20:32:25Z DEBUG [17/27]: restarting certificate server
2018-02-08T20:32:25Z DEBUG Starting external process
2018-02-08T20:32:25Z DEBUG args=/bin/systemctl restart [email protected]:32:39Z DEBUG Process finished, return code=0
2018-02-08T20:32:39Z DEBUG stdout=
2018-02-08T20:32:39Z DEBUG stderr=
2018-02-08T20:32:39Z DEBUG Starting external process
2018-02-08T20:32:39Z DEBUG args=/bin/systemctl is-active [email protected]:32:39Z DEBUG Process finished, return code=0
2018-02-08T20:32:39Z DEBUG stdout=active
2018-02-08T20:32:39Z DEBUG stderr=
2018-02-08T20:32:39Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
2018-02-08T20:32:39Z DEBUG waiting for port: 8080
2018-02-08T20:32:39Z DEBUG Failed to connect to port 8080 tcp on 127.0.0.1
2018-02-08T20:32:54Z DEBUG SUCCESS: port: 8080
2018-02-08T20:32:54Z DEBUG waiting for port: 8443
2018-02-08T20:32:54Z DEBUG Failed to connect to port 8443 tcp on 127.0.0.1
2018-02-08T20:32:57Z DEBUG SUCCESS: port: 8443
2018-02-08T20:32:57Z DEBUG Waiting until the CA is running
2018-02-08T20:32:57Z DEBUG request POST http://infra-freeipa01-aws.gatewayblend.net:8080/ca/admin/ca/getStatus
2018-02-08T20:32:57Z DEBUG request body ''
On Thursday, February 8, 2018 11:29 AM, Andrew Meyer via FreeIPA-users
<[email protected]> wrote:
That's what I thought. Thank you for confirming that!
On Thursday, February 8, 2018 11:26 AM, Rob Crittenden via FreeIPA-users
<[email protected]> wrote:
Andrew Meyer via FreeIPA-users wrote:
> Ok, I got further this time. Now I am getting this error:
>
> [2/27]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 5 seconds elapsed
> Update succeeded
>
> [3/27]: creating installation admin user
> [4/27]: configuring certificate server instance
> [error] OSError: [Errno 12] Cannot allocate memory
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
> ERROR [Errno 12] Cannot allocate memory
> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
> ERROR The ipa-replica-install command failed. See
> /var/log/ipareplica-install.log for more information
How much RAM does your instance have? You need 2GB minimum.
rob
>
>
> On Thursday, February 8, 2018 8:01 AM, Andrew Meyer via FreeIPA-users
> <[email protected]> wrote:
>
>
> Thank you, I also did some digging and found that there is a bug
> directly related to this and version 4.5.2, which is what I'm running.
> Apparently it is fixed in 4.6.3 but it hasn't reached CentOS 7 EPEL repo.
>
>
> On Thursday, February 8, 2018 7:29 AM, Florence Blanc-Renaud via
> FreeIPA-users <[email protected]> wrote:
>
>
> On 02/07/2018 10:53 PM, Andrew Meyer via FreeIPA-users wrote:
>> I just got FreeIPA added as a client and then I tried to promote it as
>> a replica. I got the following error:
>>
>> Done configuring kadmin.
>> Configuring directory server (dirsrv)
>> [1/3]: configuring TLS for DS instance
>> [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
>> ERROR Certificate issuance failed (CA_REJECTED)
>> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
>> ERROR The ipa-replica-install command failed. See
>> /var/log/ipareplica-install.log for more information
>> [ec2-user@freeipa-replica-aws ~]$
>> _______________________________________________
>> FreeIPA-users mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>>
> Hi,
>
> During a replication installation, the replica will use certmonger to
> request certificates for 389-ds and httpd. Then certmonger (on the
> replica-to-be) contacts a FreeIPA master with a cert_request command,
> and the master communicates with Dogtag to issue the certificate.
>
> When this fails, you may get more information with the following command:
> - on the client that you try to promote: sudo getcert list
> It may contain an error message with an explanation
>
> - on the FreeIPA master, check the logs in /var/log/httpd/error_log.
> They should contain some lines like:
>
> [...date...] [:error] [pid 9337] ipa: INFO: [xmlserver]
> host/[email protected]:
> cert_request(u'MII...MJUs6', profile_id=u'caIPAserviceCert',
> principal=u'ldap/[email protected]', add=True,
> version=u'2.51'): XXX
>
> where XXX will contain the reason for the failure. The PKI logs in
> /var/log/pki/pki-tomcat/ on the master may also help diagnose.
>
> HTH,
> Flo
>
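
The error_log check Florence describes in the quoted reply, as an added example (not code from the thread or from FreeIPA): a Python parser for cert_request lines of the shape she quotes, listing the requests that failed and the result logged for each. The hostnames, realm, timestamps and result strings in SAMPLE_LOG are constructed, and the code assumes a successful call is logged with the result SUCCESS.

```python
import re
from collections import Counter

# Shape quoted in the thread:
# [date] [:error] [pid N] ipa: INFO: [xmlserver] <caller>: cert_request(<args>): <result>
LINE_RE = re.compile(
    r"\[(?P<date>[^\]]*)\] \[:error\] \[pid (?P<pid>\d+)\] ipa: INFO: "
    r"\[(?P<iface>\w+)\] (?P<caller>\S+): "
    r"cert_request\((?P<args>.*?)\): (?P<result>.+)$"
)
# Keyword arguments such as profile_id=u'caIPAserviceCert'
KWARG_RE = re.compile(r"(\w+)=u?'([^']*)'")

def parse_cert_request(line):
    """Return the fields of one cert_request line, or None for any other line."""
    m = LINE_RE.search(line.strip())
    if m is None:
        return None
    kwargs = dict(KWARG_RE.findall(m.group("args")))
    return {
        "date": m.group("date"),
        "caller": m.group("caller"),          # host principal of the replica-to-be
        "profile_id": kwargs.get("profile_id"),
        "principal": kwargs.get("principal"),  # service the certificate is for
        "result": m.group("result").strip(),
    }

def failed_requests(lines):
    """All cert_request calls whose logged result is not SUCCESS (assumption)."""
    parsed = (parse_cert_request(line) for line in lines)
    return [p for p in parsed if p and p["result"] != "SUCCESS"]

def summarize(lines):
    """Count failures per (requested principal, logged result)."""
    return Counter((p["principal"], p["result"]) for p in failed_requests(lines))

# Constructed sample lines; host, realm and results are placeholders.
_T = ("[Thu Feb 08 20:31:0{n}.000000 2018] [:error] [pid 9337] ipa: INFO: "
      "[xmlserver] host/replica1.example.test@EXAMPLE.TEST: "
      "cert_request(u'MII...MJUs6', profile_id=u'caIPAserviceCert', "
      "principal=u'{svc}/replica1.example.test@EXAMPLE.TEST', add=True, "
      "version=u'2.51'): {result}")
SAMPLE_LOG = [
    _T.format(n=1, svc="ldap", result="CertificateOperationError"),
    _T.format(n=2, svc="HTTP", result="SUCCESS"),
    "[Thu Feb 08 20:31:03.000000 2018] [:error] [pid 9337] ipa: INFO: "
    "[jsonserver_session] admin@EXAMPLE.TEST: ping(): SUCCESS",
    _T.format(n=4, svc="ldap", result="CertificateOperationError"),
]

if __name__ == "__main__":
    for (principal, result), count in summarize(SAMPLE_LOG).items():
        print(f"{count}x {principal}: {result}")
```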