Andrey Bondarenko via FreeIPA-users wrote:
> Hello,
>
> I have IPA cluster with several nodes and I have a problem installing
> there another replica with CA enabled. If I want to add CA role to one
> of the nodes:
>
> [root@ipa01:~] ipa-ca-install -w SECRET
> Directory Manager (existing master) password:
>
> Run connection check to master
> Connection check OK
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
>   [1/25]: creating certificate server db
>   [2/25]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 953 seconds elapsed
> Update succeeded
>
>   [3/25]: creating installation admin user
>   [4/25]: configuring certificate server instance
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
> configure CA instance: Command '/usr/sbin/pkispawn -s CA -f
> /mnt/tmp/tmpXXXXXX' returned non-zero exit status 1
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
> installation logs and the following files/directories for more information:
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
> /var/log/pki/pki-tomcat
>   [error] RuntimeError: CA configuration failed.
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> CA configuration failed.
>
> In the log file, the only error I see is
>
> WARNING: The 'pki_ssl_server_nickname' in [CA] has been deprecated. Use
> 'pki_sslserver_nickname' instead.
> WARNING: The 'pki_ssl_server_subject_dn' in [CA] has been deprecated.
> Use 'pki_sslserver_subject_dn' instead.
> ERROR: Unable to access security domain: 503 Server Error: Service
> Unavailable
>
> Where should I dig?

You need to look at the dogtag logs, /var/log/pki/pki-ca-spawn-*.log and
/var/log/pki/pki-tomcat/ca/debug

rob