[Freeipa-users] Replica and CA mess

Sigbjorn Lie sigbjorn at nixtra.com
Mon Nov 28 18:02:47 UTC 2011


>> * Where did the CA instance go? I see nothing in the documentation about
>> this, but I found an ipa-ca-install command. ipa-ca-install yielded the
>> error below. The same error occurs if I attempt to --setup-ca while doing
>> the ipa-replica-install:
>>
>> Configuring certificate server: Estimated time 3 minutes 30 seconds
>> [1/11]: creating certificate server user
>> [2/11]: creating pki-ca instance
>> [3/11]: configuring certificate server instance
>> root : CRITICAL failed to configure ca instance Command '/usr/bin/perl
>> /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' 'ipa03.ix.test.com'
>> '-cs_port' '9445' '-client_certdb_dir' '/tmp/tmp-GyGkkW'
>> '-client_certdb_pwd' XXXXXXXX '-preop_pin' 'BZiIPv9BeXIPIKs7hJrv'
>> '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email'
>> 'root at localhost' '-admin_password' XXXXXXXX '-agent_name' 'ipa-ca-agent'
>> '-agent_key_size' '2048' '-agent_key_type' 'rsa' '-agent_cert_subject'
>> 'CN=ipa-ca-agent,O=IX.TEST.COM' '-ldap_host' 'ipa03.ix.test.com'
>> '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password'
>> XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048'
>> '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true'
>> '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name'
>> 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA
>> Subsystem,O=IX.TEST.COM' '-ca_ocsp_cert_subject_name' 'CN=OCSP
>> Subsystem,O=IX.TEST.COM' '-ca_server_cert_subject_name'
>> 'CN=ipa03.ix.test.com,O=IX.TEST.COM'
>> '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=IX.TEST.COM'
>> '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=IX.TEST.COM'
>> '-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12'
>> '-clone_p12_password' XXXXXXXX '-sd_hostname' 'ipa01.ix.test.com'
>> '-sd_admin_port' '443' '-sd_admin_name' 'admin' '-sd_admin_password'
>> XXXXXXXX '-clone_start_tls' 'true' '-clone_uri'
>> 'https://ipa01.ix.test.com:443'' returned non-zero exit status 255
>> creation of replica failed: Configuration of CA failed
>
> More details on the install failure may be in 
> /var/log/ipareplica-ca-install.log and /var/log/pki-ca/debug. I wonder 
> if they are related to the DNS errors you are seeing.
I'll send you these in private.

>
>>
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>>
>> Running ipa-ca-install on an IPv6-enabled host is even worse off:
>>
>> root : DEBUG stderr=gpg: WARNING: unsafe permissions on homedir
>> `/tmp/tmpQ_4Prsipa/ipa-oymjll/.gnupg'
>> gpg: keyring `/tmp/tmpQ_4Prsipa/ipa-oymjll/.gnupg/secring.gpg' created
>> gpg: keyring `/tmp/tmpQ_4Prsipa/ipa-oymjll/.gnupg/pubring.gpg' created
>> gpg: CAST5 encrypted data
>> gpg: encrypted with 1 passphrase
>> gpg: WARNING: message was not integrity protected
>>
>> root : DEBUG args=tar xf /tmp/tmpQ_4Prsipa/files.tar -C 
>> /tmp/tmpQ_4Prsipa
>> root : DEBUG stdout=
>> root : DEBUG stderr=
>> creation of replica failed: The network address 2001:db8:abab:2::21 does
>> not match the DNS lookup 192.168.1.21. Check /etc/hosts and ensure that
>> 2001:db8:abab:2::21 is the IP address for ipa02.ix.test.com
>> root : DEBUG The network address 2001:db8:abab:2::21 does not match the
>> DNS lookup 192.168.1.21. Check /etc/hosts and ensure that
>> 2001:db8:abab:2::21 is the IP address for ipa02.ix.test.com
>> File "/usr/sbin/ipa-ca-install", line 156, in <module>
>
> Are these IPs pointing to the right hostnames?

I posted scrambled IPs to the list, but they are configured correctly, 
yes. And they work for any other traffic.


Rgds,
Siggi
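The "network address ... does not match the DNS lookup" failure above comes from the installer comparing the address the replica is configured with against what the hostname resolves to. The following is an added example, not FreeIPA's own code, of that consistency check written so it can be run offline against a resolver result: it normalises both sides with the ipaddress module (so "2001:db8:abab:2::21" and "2001:db8:abab:2:0:0:0:21" compare equal) and distinguishes "DNS has a record in this family but a different address" from "DNS has no record in this address family at all", which is the situation the log shows (an IPv6 local address, an IPv4-only lookup result). The function names, the resolve_all helper (which does a live lookup and is not used by the offline sample) and the sample data are assumptions; the addresses are the poster's scrambled documentation addresses.

```python
import ipaddress
import socket


def resolve_all(hostname):
    """Live lookup (assumed helper): every A and AAAA result for hostname.

    Returns a set of ipaddress objects; unresolvable families are skipped.
    """
    addrs = set()
    for family in (socket.AF_INET, socket.AF_INET6):
        try:
            for _, _, _, _, sockaddr in socket.getaddrinfo(hostname, None, family):
                addrs.add(ipaddress.ip_address(sockaddr[0]))
        except socket.gaierror:
            pass
    return addrs


def check_address(local_ip, hostname, dns_addresses):
    """Offline check: is local_ip one of hostname's resolved addresses?

    dns_addresses is an iterable of address strings as returned by the
    resolver (or from /etc/hosts). Returns (ok, message). The comparison is
    done on parsed addresses, so textual IPv6 variants compare equal.
    """
    local = ipaddress.ip_address(local_ip)
    resolved = {ipaddress.ip_address(a) for a in dns_addresses}

    if local in resolved:
        return True, f"{local} is a DNS address of {hostname}"

    # Same-family results tell us whether a record exists but points
    # elsewhere, or whether the family (A or AAAA) is missing entirely.
    same_family = sorted(str(a) for a in resolved if a.version == local.version)
    rrtype = "AAAA" if local.version == 6 else "A"
    if not same_family:
        others = ", ".join(sorted(str(a) for a in resolved)) or "nothing"
        return False, (
            f"DNS has no {rrtype} record for {hostname} (lookup returned {others}); "
            f"add an {rrtype} record or an /etc/hosts entry for {local}"
        )
    return False, (
        f"The network address {local} does not match the DNS lookup "
        f"{', '.join(same_family)}. Check /etc/hosts and ensure that {local} "
        f"is the IP address for {hostname}"
    )


def check_host(local_ip, hostname):
    """Live variant (assumed helper): resolve, then apply the offline check."""
    return check_address(local_ip, hostname, (str(a) for a in resolve_all(hostname)))


if __name__ == "__main__":
    # Constructed sample: the situation from the log, an IPv6 local address
    # while the name only resolves to an IPv4 address.
    print(check_address("2001:db8:abab:2::21", "ipa02.ix.test.com", ["192.168.1.21"]))
    # Constructed sample: AAAA record present in an alternative textual form.
    print(check_address("2001:db8:abab:2::21", "ipa02.ix.test.com",
                        ["192.168.1.21", "2001:db8:abab:2:0:0:0:21"]))
```

Running check_host against a real name needs a working resolver; the offline check_address is what the messages are produced from, and a missing AAAA record (or /etc/hosts line) for the replica's name is reported separately from an address that merely differs.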