I have looked through the mailing list as best as I know how and while I have found some similar issues, I am unable to find anything that I think will help me progress through this error.

We are trying to migrate FreeIPA services from CentOS 6.9 (IPA 3.0) to CentOS 7.5 (IPA 4.5) by performing the migration steps located at the following link:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/migrate-6-to-7

I am trying to create a replica on a new server and then eventually migrate all services to that version of the server.

I can add an ipa 4.5 replica to a 3.x infrastructure by performing a replica prepare and ipa-replica-install (there are some errors with DNS replication but I am going to ignore those for now. I will elaborate if anyone asks).

However, when I try to add a CA with the ipa-ca-install command, I run into trouble.

I run the following on the newly created replica:

ipa-ca-install -p "CENSORED" -w "CENSORED" -d --skip-conncheck /var/lib/ipa/replica-info-newreplica.domain.com.gpg

This generates the following error:


2018-09-12T06:30:59Z DEBUG   [22/26]: migrating certificate profiles to LDAP
2018-09-12T06:30:59Z DEBUG Created connection context.ldap2_140117177941904
2018-09-12T06:30:59Z DEBUG Destroyed connection context.ldap2_140117177941904
2018-09-12T06:30:59Z DEBUG request GET https://ipaserver01.domain.com:8443/ca/rest/account/login
2018-09-12T06:30:59Z DEBUG request body ''
2018-09-12T06:30:59Z DEBUG httplib request failed:
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipapython/dogtag.py", line 218, in _httplib_request
    conn.request(method, uri, body=request_body, headers=headers)
  File "/usr/lib64/python2.7/httplib.py", line 1041, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1075, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python2.7/httplib.py", line 1037, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 881, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 843, in send
    self.connect()
  File "/usr/lib64/python2.7/httplib.py", line 1251, in connect
    HTTPConnection.connect(self)
  File "/usr/lib64/python2.7/httplib.py", line 824, in connect
    self.timeout, self.source_address)
  File "/usr/lib64/python2.7/socket.py", line 571, in create_connection
    raise err
error: [Errno 111] Connection refused
2018-09-12T06:30:59Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1732, in migrate_profiles_to_ldap
    _create_dogtag_profile(profile_id, profile_data, overwrite=False)
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1738, in _create_dogtag_profile
    with api.Backend.ra_certprofile as profile_api:
File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1293, in __enter__
    method='GET'
File "/usr/lib/python2.7/site-packages/ipapython/dogtag.py", line 165, in https_request
    method=method, headers=headers)
File "/usr/lib/python2.7/site-packages/ipapython/dogtag.py", line 227, in _httplib_request
    raise NetworkError(uri=uri, error=str(e))
NetworkError: cannot connect to 'https://ipaserver01.domain.com:8443/ca/rest/account/login': [Errno 111] Connection refused

2018-09-12T06:30:59Z DEBUG [error] NetworkError: cannot connect to 'https://ipaserver01.domain.com:8443/ca/rest/account/login': [Errno 111] Connection refused
2018-09-12T06:30:59Z DEBUG File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 998, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-ca-install", line 311, in main
    install(safe_options, options, filename)

  File "/usr/sbin/ipa-ca-install", line 250, in install
    install_replica(safe_options, options, filename)

  File "/usr/sbin/ipa-ca-install", line 207, in install_replica
    ca.install(True, config, options, custodia=custodia)

File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 202, in install
    install_step_0(standalone, replica_config, options, custodia=custodia)

File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 279, in install_step_0
    use_ldaps=standalone)

File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 448, in configure_instance
    self.start_creation(runtime=runtime)

File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)

File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()

File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1732, in migrate_profiles_to_ldap
    _create_dogtag_profile(profile_id, profile_data, overwrite=False)

File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1738, in _create_dogtag_profile
    with api.Backend.ra_certprofile as profile_api:

File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1293, in __enter__
    method='GET'

File "/usr/lib/python2.7/site-packages/ipapython/dogtag.py", line 165, in https_request
    method=method, headers=headers)

File "/usr/lib/python2.7/site-packages/ipapython/dogtag.py", line 227, in _httplib_request
    raise NetworkError(uri=uri, error=str(e))

2018-09-12T06:30:59Z DEBUG The ipa-ca-install command failed, exception: NetworkError: cannot connect to 'https://ipaserver01.domain.com:8443/ca/rest/account/login': [Errno 111] Connection refused





On the CentOS 7.5 server, there is a Tomcat (I think) process listening on port 8443, but on the older machine there is nothing listening on this port. This certainly seems like an obvious problem, but I just don't know where to go from here.

SELinux is running in permissive mode on both servers. I've considered disabling this to see if there's any effect but this seems like a reach.

Any help would be greatly appreciated.

Thanks,

Collin



