[Freeipa-users] Re: ca replication for hosts with different dns domains

2020-04-06 Thread Alexander Bokovoy via FreeIPA-users

On ma, 06 huhti 2020, askstack--- via FreeIPA-users wrote:

> Hi
>
> IDM domain: "first.domain"
> Host names: host1.first.domain
>             host2.second.domain
> I was able to run "ipa-client-install" on host2 and promoted it to a domain
> replica. After I verified domain replication was working, I tried to run
> ipa-ca-install. It failed on host2.
> Redhat support said host1 and host2 are on two different DNS domains, so
> replication is not supported. I am not sure that is the case, since the two
> hosts are in the same and only IDM domain replication group.
> Is Redhat support correct?


I think there is not enough details in your request to answer that
question. I also don't know what do you mean by 'IDM domain replication
group'.

In particular, what are the errors you are seeing, exactly?

If you have a case open, please share the number and communicate within
the case, not with an anonymous account on a public mailing list.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: ca replication for hosts with different dns domains

2020-04-08 Thread Ask Stack via FreeIPA-users
 
Hi

Thanks for taking a look at this. 

'IDM domain replication group'.  

I mean the "Topology suffix" that connects the two replicas. The "domain"
suffix works for host2; it can receive and send updates with host1.

The "CA" suffix failed during install:

###

Imported certificates into /etc/pki/pki-tomcat/alias:

Certificate Nickname                                       Trust Attributes
                                                           SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                  CTu,Cu,Cu
auditSigningCert cert-pki-ca                               u,u,Pu
ocspSigningCert cert-pki-ca                                u,u,u
subsystemCert cert-pki-ca                                  u,u,u

Installation failed: server failed to restart

2020-03-23T14:33:18Z DEBUG stderr=pkispawn    :ERROR    ... server failed to restart
2020-03-23T14:33:18Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpV8jHPQ' returned non-zero exit status 1
2020-03-23T14:33:18Z CRITICAL See the installation logs and the following files/directories for more information:
2020-03-23T14:33:18Z CRITICAL  /var/log/pki/pki-tomcat
2020-03-23T14:33:18Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 567, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 557, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 675, in __spawn_instance
    pki_pin)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 167, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 407, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

2020-03-23T14:33:18Z DEBUG   [error] RuntimeError: CA configuration failed.
2020-03-23T14:33:18Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 1015, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-ca-install", line 341, in main
    promote(safe_options, options, filename)
  File "/usr/sbin/ipa-ca-install", line 309, in promote
    install_replica(safe_options, options, filename)
  File "/usr/sbin/ipa-ca-install", line 233, in install_replica
    ca.install(True, config, options, custodia=custodia)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 254, in install
    install_step_0(standalone, replica_config, options, custodia=custodia)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 334, in install_step_0
    use_ldaps=standalone)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 490, in configure_instance
    self.start_creation(runtime=runtime)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 567, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 557, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 675, in __spawn_instance
    pki_pin)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 167, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 407, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)

2020-03-23T14:33:18Z DEBUG The ipa-ca-install command failed, exception: RuntimeError: CA configuration failed.

###


[Freeipa-users] Re: ca replication for hosts with different dns domains

2020-04-08 Thread Alexander Bokovoy via FreeIPA-users

On ke, 08 huhti 2020, Ask Stack via FreeIPA-users wrote:


Hi

Thanks for taking a look at this. 

'IDM domain replication group'. 

I mean it is the "Topology suffix" to connect two replicas. "Domain" suffix 
works for host2, it can receive and send updates with host1.  

"CA"suffix failed during install,


Ok, thanks for additional details. They are still not enough but for the
list -- I received more details about the case in a private email and it
seems there is an issue during the CA replica promotion for the second
replica.

I advised the support team where to look. Since more details can only be
provided through the customer case communication, I think we can stop
this mailing thread.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland