[Freeipa-users] FreeIPA v2.0 alpha4 replica installation problems

Corey Hemminger heco0701 at stcloudstate.edu
Wed Aug 18 03:00:17 UTC 2010


Thanks so much you've been a big help. I'll give it a whack tomorrow morning. Thanks again. 

Corey

On Aug 17, 2010, at 3:06 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> Hemminger, Corey Lee. [heco0701 at stcloudstate.edu] wrote:
>> OK, I did the updates and edited the python files. Now when I try to run the replica install I get:
>> 
>> [root at earth bcrl]# ipa-replica-install /var/lib/ipa/replica-info-earth.bcrl.stcloudstate.edu.gpg -N --setup-dns --no-forwarder
>> Directory Manager (existing master) password:
>> 
>> root        : ERROR    Cannot find Reverse Address for earth.bcrl.stcloudstate.edu (3.2.0.10.in-addr.arpa.)
>> 
>> I had this when installing the ipa-server and there was a --no-dns-lookup option, but not with the replica. Before the testing updates, I did get a warning about the server not working for DNS lookup but still went ahead with the install. I'm looking to set these two up and make them the DNS servers, and currently have a simple DNS setup that will get replaced by this setup. How do I get around the reverse address lookup on the replica install side? Thanks again for all the help.
> 
> You'll need to modify /usr/sbin/ipa-replica-install. Look for the 
> function get_host_name(). You'll want to comment out the 5 lines 
> starting with try:. The comment character in python is the hash #. This 
> will cause it to skip the call to verify_fqdn() and your install should 
> proceed.
> 
> I've opened a ticket to add this functionality to ipa-replica-install: 
> https://fedorahosted.org/freeipa/ticket/146
> 
> rob
> 
>> 
>> Corey-
>> ________________________________________
>> From: Rob Crittenden [rcritten at redhat.com]
>> Sent: Monday, August 16, 2010 2:49 PM
>> To: Hemminger, Corey Lee. [heco0701 at stcloudstate.edu]
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] FreeIPA v2.0 alpha4 replica installation problems
>> 
>> Hemminger, Corey Lee. [heco0701 at stcloudstate.edu] wrote:
>>> I'm using Fedora 13 amd-64 version. I added the developers repo from freeIPA.com for V2.0 and then did a yum install ipa-server, so whichever version it installed. I'm looking at dogtag and one of the packages says 1.3.1-2.fc13 and the other 2 packages for dogtag say 1.3.2-2.fc13; for the pki dogtag package it says 1.3.7-1.fc13. All the packages read 1.3.something, the pki-silent-1.3.3-1.fc13 package, if that helps. I also attached the two files you asked to check. I attached the ipa-serv_deplist that I created from running "yum deplist ipa-server" and it has all the packages and version numbers. Sorry for the choppy e-mail, I'm writing and looking up the stuff in pieces.
>> 
>> Can you update the pki-* and dogtag-* packages from the updates-testing
>> repo? There are a number of important fixes there.
>> 
>> It is also going to break your replica install because a new required
>> option has been added to pkisilent. You'll need to modify
>> /usr/lib/python*/site-packages/ipaserver/install/cainstance.py
>> 
>> Search for pkisilent. We create a python list of the command to execute.
>> You want to patch it like this (the numbers might not exactly line up):
>> 
>> @@ -535,6 +524,7 @@ class CAInstance(service.Service):
>>                       "-db_name", "ipaca",
>>                       "-key_size", "2048",
>>                       "-key_type", "rsa",
>> +                    "-key_algorithm", "SHA256withRSA",
>>                       "-save_p12", "true",
>>                       "-backup_pwd", self.admin_password,
>>                       "-subsystem_name", self.service_name,
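Review bot: the added "-key_algorithm", "SHA256withRSA" sits directly under "-key_type", "rsa" with nothing tying the two together, so if the key type (or "-key_size", "2048") is ever made configurable the signing algorithm silently stays RSA/SHA-256; derive it from the key type, e.g. a small mapping such as `{"rsa": "SHA256withRSA"}[key_type]`, or at minimum put a comment on the new line saying the algorithm must match -key_type. Since the hunk header (@@ -535,6 +524,7 @@) comes from a different revision than the installed file, as the covering e-mail says, anyone applying this by hand should locate the "-key_type", "rsa" entry in the pkisilent argument list rather than trust the line numbers.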
>> 
>> You *might* be able to get away with just updating dogtag on the
>> replica, I'm not sure.
>> 
>> rob
>> 
>>> ________________________________________
>>> From: Rob Crittenden [rcritten at redhat.com]
>>> Sent: Monday, August 16, 2010 12:35 PM
>>> To: Hemminger, Corey Lee. [heco0701 at stcloudstate.edu]
>>> Cc: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] FreeIPA v2.0 alpha4 replica installation problems
>>> 
>>> Hemminger, Corey Lee. [heco0701 at stcloudstate.edu] wrote:
>>>> Hi,
>>>> I'm a student admin for St. Cloud State University's Business Computing Research Lab, and we run our own separate network inside the campus network with dedicated internet feeds and hardware for professors' research as well as masters and bachelors student research and labs. We have many computers set up for workstations, clusters, clouds, etc... and I'm trying to set up a redundant FreeIPA v2.0 in VirtualBox to help manage the systems and control access to machines. I have set up the master with no problems, but when creating the replica I run the command "ipa-replica-install -N --setup-dns /var/lib/ipa/replica-file-from-master" and I get this error output. It created the directory fine but is having trouble with the certs. I have disabled the firewalls on both and selinux hoping they would help but still same problem.
>>>> 
>>>> [root at earth bcrl]# ipa-replica-install /var/lib/ipa/replica-info-earth.bcrl.stcloudstate.edu.gpg -N --setup-dns --no-forwarders
>>>> 
>>>> An existing Directory Server has been detected.
>>>> Do you wish to remove it and create a new one? [no]: yes
>>>> Directory Manager (existing master) password:
>>>> 
>>>> Warning: Hostname (earth.bcrl.stcloudstate.edu) not found in DNS
>>>> Configuring directory server for the CA:
>>>>     [1/4]: creating directory server user
>>>>     [2/4]: creating directory server instance
>>>>     [3/4]: configuring directory to start on boot
>>>>     [4/4]: restarting directory server
>>>> done configuring pkids.
>>>> Configuring certificate server:
>>>>     [1/9]: creating certificate server user
>>>>     [2/9]: configuring certificate server instance
>>>> root        : CRITICAL failed to restart ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname earth.bcrl.stcloudstate.edu -cs_port 9445 -client_certdb_dir /tmp/tmp-vemQSV -client_certdb_pwd XXXXXXXX -preop_pin yhiJojW06gxaPrkvOJOK -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,O=IPA" -ldap_host earth.bcrl.stcloudstate.edu -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IPA" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IPA" -ca_server_cert_subject_name "CN=earth.bcrl.stcloudstate.edu,O=IPA" -ca_audit_signing_cert_subject_name "CN=CA Audit,O=IPA" -ca_sign_cert_subject_name "CN=Certificate Authority,O=IPA" -external false -clone true -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX -sd_hostname zeus.bcrl.stcloudstate.edu -sd_admin_port 9445 -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_uri https://zeus.bcrl.stcloudstate.edu:9444' returned non-zero exit status 255
>>>>     [3/9]: creating RA agent certificate database
>>>>     [4/9]: importing CA chain to RA certificate database
>>>> creation of replica failed: Unable to retrieve CA chain: Retrieving CA cert chain failed: Error: Failed to get certificate chain.
>>>> 
>>>> Your system may be partly configured.
>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>> 
>>>> Thanks for any help,
>>>> Corey
>>> 
>>> Heh, I guess I didn't fat-finger this after all...
>>> 
>>> What distro is this?
>>> 
>>> What version of pki-* and dogtag-* do you have installed? Can you look
>>> at /var/log/ipareplica-install.log to see if there are any more details
>>> on the failure? /var/log/pki-ca/debug would also be a place to look
>>> though be forewarned, it is quite verbose and daunting (and has a number
>>> of red herrings, particularly warnings about cipher failures).
>>> 
>>> We had some problems creating dogtag clones while creating IPA replicas
>>> in the recent past and it would fail in the pkisilent step. This may be
>>> another case of that or it may be that our current requires don't pull
>>> in the right set of dogtag packages.
>>> 
>>> rob
>> 
> 
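The forward/reverse check that the workaround above switches off, written out as an added example (my own code, not FreeIPA's ipa-replica-install or its verify_fqdn()). The resolver is injected so the check runs offline against constructed A and PTR records; the names StaticResolver, SystemResolver, fqdn_problem and the skip_dns_check flag are assumptions for illustration, the flag standing in for what ticket 146 asks for, so the check can be bypassed on purpose rather than by commenting out the try: block in the installed script.

```python
import ipaddress
import socket


class HostnameVerificationError(Exception):
    """Host name is not an FQDN or does not forward/reverse resolve consistently."""


class SystemResolver:
    """Real lookups through the libc resolver, what an installer would use."""

    def forward(self, name):
        infos = socket.getaddrinfo(name, None)
        # Unique addresses, order preserved.
        return list(dict.fromkeys(info[4][0] for info in infos))

    def reverse(self, address):
        host, aliases, _ = socket.gethostbyaddr(address)
        return [host] + list(aliases)


class StaticResolver:
    """Constructed A/AAAA and PTR records so the check can be exercised offline
    (hypothetical helper, not part of any installer)."""

    def __init__(self, forward_records, reverse_records):
        self.forward_records = forward_records
        self.reverse_records = reverse_records

    def forward(self, name):
        if name not in self.forward_records:
            raise socket.gaierror(-2, "Name or service not known")
        return list(self.forward_records[name])

    def reverse(self, address):
        if address not in self.reverse_records:
            raise socket.herror(1, "Unknown host")
        return list(self.reverse_records[address])


def is_fqdn(name):
    """A bare label such as 'earth' is never acceptable for an IPA host."""
    return "." in name.strip(".")


def verify_fqdn(host_name, resolver=None):
    """Forward-resolve host_name and require that at least one of its addresses
    reverse-resolves back to it. Returns the addresses found. The failure
    messages follow the shape of what the installer prints."""
    resolver = resolver or SystemResolver()
    if not is_fqdn(host_name):
        raise HostnameVerificationError("%s is not a fully-qualified host name" % host_name)
    name = host_name.rstrip(".").lower()
    try:
        addresses = resolver.forward(name)
    except socket.gaierror:
        addresses = []
    if not addresses:
        raise HostnameVerificationError("Unable to resolve host name %s" % name)
    missing = []
    for address in addresses:
        try:
            names = resolver.reverse(address)
        except socket.herror:
            names = []
        if name in (n.rstrip(".").lower() for n in names):
            return addresses
        # Report the PTR owner name that was expected, e.g. 3.2.0.10.in-addr.arpa.
        missing.append(ipaddress.ip_address(address).reverse_pointer + ".")
    raise HostnameVerificationError(
        "Cannot find Reverse Address for %s (%s)" % (name, ", ".join(missing)))


def fqdn_problem(host_name, resolver=None):
    """The verification error message, or None when the check passes."""
    try:
        verify_fqdn(host_name, resolver)
    except HostnameVerificationError as err:
        return str(err)
    return None


def get_host_name(override=None, skip_dns_check=False, resolver=None):
    """Choose the replica's host name. skip_dns_check is a hypothetical flag
    that replaces hand-editing the installer; the FQDN shape is still enforced
    because that needs no DNS at all."""
    name = (override or socket.getfqdn()).rstrip(".").lower()
    if not is_fqdn(name):
        raise HostnameVerificationError("%s is not a fully-qualified host name" % name)
    if not skip_dns_check:
        verify_fqdn(name, resolver)
    return name
```

With a forward record for earth.bcrl.stcloudstate.edu at 10.0.2.3 and no PTR record (constructed data, chosen to match the error in the thread), fqdn_problem() returns "Cannot find Reverse Address for earth.bcrl.stcloudstate.edu (3.2.0.10.in-addr.arpa.)", and get_host_name(..., skip_dns_check=True) returns the name anyway. Once the two IPA servers are serving DNS, add the PTR record and run the check without the flag so the replica's name is actually verified.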