On Thu, 19 Apr 2018, r hartikainen via FreeIPA-users wrote:
Hello
I got this same error with a replica installation on RHEL 7.4 after the
OS was hardened with OpenSCAP. A pure base OS install without any
additional hardening did work without problems. I was doing the replica
immediately after setting up the new primary.
Also, with the same SCAP policy the fresh primary IPA did not allow any
login at the web UI. In my case I believe it was about some security setting
but I have not yet had time to debug which one. Dunno where to start the
debugging though.
Please file bugs and attach the logs (audit.log most likely). We
definitely want to play well with OpenSCAP.
br,
risto
Sent from my iPad
On 19 Apr 2018, at 18.24, Jan Gardian via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:
Hello,
We had two IPA replicas, ipa1 with CA and ipa2. Those servers were on Ubuntu 16.
I successfully installed an ipa3 replica with CA that is running on a newer version
of IPA and CentOS 7. After that I stopped the old ipa2 and successfully installed
a new ipa2 with CA on CentOS 7. Lastly I set up the CA master to be the new ipa2, following
https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_4.0_or_later
and turned off the old ipa1 server.
The problem occurred when I was installing a replica with CA to the new ipa1 server
running on CentOS 7.
I can successfully install the IPA client and create a ticket under the admin user, but when trying
to install the replica it fails with "ERROR Certificate issuance failed
(CA_UNREACHABLE)". Somehow it tries to get certificates during the replica install from
the ipa1 server when it does not yet have httpd installed.
I thought it could be a problem that the certificate was primarily created at the old ipa1
and we have it signed by our own certificates as well, so I created another ipa4
server on CentOS 7. And again it crashed at the same point, trying to get the
certificate from itself when it did not have httpd installed yet.
OS: CentOS Linux release 7.4.1708
IPA: VERSION: 4.5.0, API_VERSION: 2.228
Attached are logs from the IPA client installation and IPA replica installation for
the ipa4 server.
Please ask if you require any different logs. I also tried to follow the debugging
from
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/SZKAQDRCRGWV3ZIEJNAVRG2LHLDIS3MJ/
but in my case it ends earlier because it tries to get the certificate from itself
and does not get to the master. This can also be seen in the output of the command getcert
list (in attachment).
Thank you for checking.
With kind regards,
Ján Gardian
Administrator
<ipa4_debug>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland