On 07/27/2014 12:02 AM, Erinn Looney-Triggs wrote:
> On 07/26/2014 07:12 PM, Erinn Looney-Triggs wrote:
>> On 07/26/2014 05:25 PM, Erinn Looney-Triggs wrote:
>>> Well it hasn't been all that pretty trying to move from RHEL 6.5 to RHEL 7.
>>>
>>> I have two servers providing my IPA instances, ipa and ipa2. Given that I
>>> don't have a great deal of spare capacity, the plan was to remove ipa2 from
>>> the replication agreement, modify DNS so that only IPA was available in SRV
>>> logs (IPA does not manage DNS at this point, was waiting for DNSSEC). As
>>> well, I would change my sudo-ldap config files to point to ipa and remove
>>> ipa2.
>>>
>>> Well, that all worked well; installed RHEL 7 on the system and began
>>> working through the steps in the upgrade guide.
>>>
>>> First major problem was running into this bug:
>>> https://fedorahosted.org/freeipa/ticket/4375
>>> ValueError: nsDS5ReplicaId has 2 values, one expected.
>>>
>>> Went and patched the replication.py file to get around that issue, and we
>>> moved on.
>>>
>>> Next up is my current issue:
>>> Exception from Java Configuration Servlet: Clone does not have all the
>>> required certificates.
>>>
>>> I suspect this is because I am running the CA as a subordinate to an AD CS
>>> instance, but I am unsure at this point.
>>>
>>> It has been a haul to get here, despite the short explanation. It seems
>>> that my primary IPA instance is working on only a hit-or-miss basis for
>>> Kerberos tickets, which has made all this a bit of a pain. You can kinit
>>> as admin once, it will fail "unable to find KDC", try again another three
>>> times, it will work. I have even modified the krb5.conf file to point
>>> directly at the server, thus bypassing DNS SRV lookups; however, that
>>> hasn't worked.
>>>
>>> Point is, any help would be appreciated on the aforementioned error.
>>>
>>> -Erinn
>>
>> To reply to myself here, I believe the problem may be that I had to renew
>> the CA certificates and as such the certificates in /root/cacert.p12 are no
>> longer valid. It is this file that gets bundled up with whatever else using
>> ipa-replica-prepare, so I will have to create a new one that has the valid
>> certificates in it.
>>
>> One way or another though, if it isn't already documented, during a CA
>> renewal this file should probably be updated with the correct certificates.
>>
>> -Erinn
>
> Well thanks to this:
> http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
>
> I have gotten a little further down the road and created a new cacert.p12
> which looks to be complete.
>
> However, installation still fails in the same place:
>
> 2014-07-27T06:33:04Z DEBUG Starting external process
> 2014-07-27T06:33:04Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmp5QGhUx
> 2014-07-27T06:33:25Z DEBUG Process finished, return code=1
> 2014-07-27T06:33:25Z DEBUG stdout=Loading deployment configuration from /tmp/tmp5QGhUx.
> Installing CA into /var/lib/pki/pki-tomcat.
> Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
> Installation failed.
>
> 2014-07-27T06:33:25Z DEBUG stderr=pkispawn : WARNING ....... unable to validate security domain user/password through REST interface. Interface not available
> pkispawn : ERROR ....... Exception from Java Configuration Servlet: Clone does not have all the required certificates
>
> 2014-07-27T06:33:25Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp5QGhUx' returned non-zero exit status 1
> 2014-07-27T06:33:25Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 638, in run_script
>     return_value = main_function()
>
>   File "/usr/sbin/ipa-replica-install", line 667, in main
>     CA = cainstance.install_replica_ca(config)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1678, in install_replica_ca
>     subject_base=config.subject_base)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 478, in configure_instance
>     self.start_creation(runtime=210)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 364, in start_creation
>     method()
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 604, in __spawn_instance
>     raise RuntimeError('Configuration of CA failed')
>
> 2014-07-27T06:33:25Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Configuration of CA failed
>
> So some of the required certificates must be missing still.
>
> Unhelpfully, the ipa-server-install --uninstall process is not cleaning up
> everything after this failure; it leaves the CA intact and the next run
> through the installer believes the CA is working, so it does not configure
> it. As such, I guess a re-install is necessary, or some other steps to truly
> clean everything that I haven't found yet.
>
> -Erinn

Continuing on, in order to remove the CA I am manually running:

    pkidestroy -s CA -i pki-tomcat

And indeed there is a bug: https://fedorahosted.org/freeipa/ticket/2796

Interesting that the installer detects that the CA is installed, but the
uninstaller does not detect it. I guess they are doing their detection in
different ways.

At this point I wanted to explore how feasible it would be to have a RHEL 7
replica without the CA replica portion; this ought to alleviate the KDC issues
I seem to be having on the primary, which I have still to figure out. So any
reason not to do that? Would I simply be able to do an ipa-ca-install on the
RHEL 7 system at a future juncture and then perform the rest of the migration?

Thanks,
-Erinn

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
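The thread turns on whether /root/cacert.p12, the bundle ipa-replica-prepare packs for a CA replica, still holds the CA certificate after a renewal. The script below is an added worked example, not code from the thread or from FreeIPA: it lists every certificate in a PKCS#12 bundle with its SHA-256 fingerprint, expiry and subject (private keys are never dumped), and fails closed unless the bundle contains the exact certificate found in a reference PEM file. The paths /root/cacert.p12 and /etc/ipa/ca.crt in the usage line, the bundle password and the nickname are assumptions for illustration; substitute whatever your deployment uses.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): check that a PKCS#12
# bundle such as /root/cacert.p12 still carries the CA certificate the server
# currently trusts, so a stale bundle is caught before ipa-replica-prepare
# rather than by a failing clone. Paths and the bundle password are assumptions.

# Read one PEM certificate from stdin and print "fingerprint<TAB>notAfter<TAB>subject".
cert_summary() {
    pem=$(cat)
    fp=$(printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2)
    end=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate | cut -d= -f2)
    subj=$(printf '%s\n' "$pem" | openssl x509 -noout -subject | sed 's/^subject= *//')
    printf '%s\t%s\t%s\n' "$fp" "$end" "$subj"
}

# List every certificate in bundle $1 (password $2), one summary line each.
# -nokeys keeps private keys out of the output; a wrong password yields nothing.
p12_certs() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null |
    {
        block=""
        while IFS= read -r line; do
            case "$line" in
                "-----BEGIN CERTIFICATE-----")
                    block="$line" ;;
                "-----END CERTIFICATE-----")
                    printf '%s\n%s\n' "$block" "$line" | cert_summary
                    block="" ;;
                *)
                    # "Bag Attributes" and "subject=" lines sit between blocks; skip them.
                    if [ -n "$block" ]; then block="$block
$line"; fi ;;
            esac
        done
    }
}

# Number of certificates in bundle $1 (password $2).
p12_cert_count() {
    p12_certs "$1" "$2" | wc -l | tr -d ' '
}

# Succeed only if bundle $1 (password $2) contains the certificate in PEM file
# $3, compared by SHA-256 fingerprint rather than by subject, since a renewed
# CA certificate keeps its subject but not its fingerprint.
bundle_has_cert() {
    ref=$(openssl x509 -in "$3" -noout -fingerprint -sha256 | cut -d= -f2)
    p12_certs "$1" "$2" | cut -f1 | grep -qxF "$ref"
}

# Usage (assumed paths): sh check_cacert.sh /root/cacert.p12 'bundle-password' /etc/ipa/ca.crt
main() {
    p12_certs "$1" "$2"
    if bundle_has_cert "$1" "$2" "$3"; then
        echo "OK: $1 carries the CA certificate in $3"
    else
        echo "STALE: the certificate in $3 is not in $1; recreate the bundle before ipa-replica-prepare" >&2
        return 1
    fi
}

if [ $# -eq 3 ]; then
    main "$@"
fi
```

Run it on the server you are about to prepare the replica from; a STALE result means the bundle predates the renewal and the clone will lack the current CA certificate, whatever else it contains.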