On 2/26/20 12:42 PM, LHEUREUX Bernard via FreeIPA-users wrote:
I tried multiple times to solve the upgrade failure, but didn't. I finally decided 
to completely reinstall that machine from scratch, but the ipa-replica-install 
always refuses to perform to the end...
I'm really stuck...

Hi,

do you have logs at /var/log/pki/pki-ca-spawn.$DATE.log on the failing replica? They may help figure out which part of the CA clone install is failing.

flo

-----Original Message-----
From: François Cami [mailto:fc...@redhat.com]
Sent: Wednesday, February 26, 2020 12:23
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: LHEUREUX Bernard <bernard.lheur...@nethys.be>
Subject: Re: [Freeipa-users] recuring error during ipa-replica-install

Hi,

On Wed, Feb 26, 2020 at 12:17 PM LHEUREUX Bernard via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:

Hi all,



I would like to reinstall a replica for my FreeIPA infra that has
failed its ipa-server-upgrade after the update of CentOS
ipa-server-4.6.5-11.el7.centos.4.x86_64, a few days ago…

How did the upgrade fail? Do you still have the upgrade logs?
Did you fix the problem in the meantime?

But every time I try I get the following error on that machine:



Configuring ipa-custodia

   [1/4]: Generating ipa-custodia config file

   [2/4]: Generating ipa-custodia keys

   [3/4]: starting ipa-custodia

   [4/4]: configuring ipa-custodia to start on boot

Done configuring ipa-custodia.

Configuring certificate server (pki-tomcatd). Estimated time: 3
minutes

   [1/29]: creating certificate server db

   [2/29]: setting up initial replication

Starting replication, please wait until this has completed.

Update in progress, 4 seconds elapsed

Update succeeded



   [3/29]: creating ACIs for admin

   [4/29]: creating installation admin user

   [5/29]: configuring certificate server instance

ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA
instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpjRZhjK'
returned non-zero exit status 1

ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the 
following files/directories for more information:

ipaserver.install.dogtaginstance: CRITICAL   /var/log/pki/pki-tomcat

   [error] RuntimeError: CA configuration failed.

The PKI logs at /var/log/pki/pki-tomcat should help, but if the 
above-mentioned upgrade failed maybe something is broken in your infra, 
resulting in an inability to install a new replica until you fix that.

Does CA-less replica installation work?

François


Your system may be partly configured.

Run /usr/sbin/ipa-server-install --uninstall to clean up.



ipapython.admintool: ERROR    CA configuration failed.

ipapython.admintool: ERROR    The ipa-replica-install command failed. See 
/var/log/ipareplica-install.log for more information



I cannot find any relevant info in the logs to tell me what could be
done…



Do you have an idea?



---

Bernard Lheureux

Linux System Engineer

IT Infra





     Rue Fivé 150, B-4100 Seraing

     GSM:           +32-475-530311

     http://www.nethys.be







_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to
freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
