On 02.10.20 11:43, Ronald Wimmer via FreeIPA-users wrote:
On 02.10.20 11:29, Florence Blanc-Renaud wrote:
On 10/2/20 11:03 AM, Ronald Wimmer via FreeIPA-users wrote:
At the moment we only have KRA on one of our eight IPA servers. Is it sufficient to issue the ipa-kra-install command on a replica where the CA role is already present?

Hi,
yes, ipa-kra-install can be used to install a replica KRA. No additional steps required.

Looks like that did not work as expected. The only KRA server at the moment is pipa02. pipa06 should become an additional KRA server.

Last login: Fri Oct  2 11:16:49 2020 from 172.20.73.225
[root@pipa06 ~]# ipa-kra-install
Directory Manager password:

/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py:72: The SecurityDomainClient.get_security_domain_info() has been deprecated (https://www.dogtagpki.org/wiki/PKI_10.8_Python_Changes).
/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py:85: The DomainInfo.systems has been deprecated (https://www.dogtagpki.org/wiki/PKI_10.8_Python_Changes).
Lookup failed: Preferred host pipa06.linux.mydomain.at does not provide KRA.
Custodia uses 'pipa02.linux.mydomain.at' as master peer.

===================================================================
This program will setup Dogtag KRA for the IPA Server.



Your system may be partly configured.
If you run into issues, you may have to re-install IPA on this server.

401 Client Error: Unauthorized for url: https://pipa02.linux.mydomain.at/ipa/keys/ca/auditSigningCert%20cert-pki-kra?type=kem&value=<undisclosed>
The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information

I could not find anything useful in the log file. Any hints on what I could try next?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
