Hi

IDM domain: "fist.domain"
Host name:
host1.first.domain
host2.second.domain

I was able to run "ipa-client-install" on host2 and promoted it to a domain replica. After I verified domain replication was working, I tried to run ipa-ca-install. It failed on host2. Red Hat support said host1 and host2 are on two different DNS domains so replication is not supported. I am not sure that is the case since two hosts are in the same and only IDM domain replication group. Is Red Hat support correct? Thanks.
On Mon, 06 Apr 2020, askstack--- via FreeIPA-users wrote:
> Hi
> IDM domain: "fist.domain" Host name: host1.first.domain host2.second.domain I was able to run "ipa-client-install" on host2 and promoted it to a domain replica. After I verified domain replication was working, I tried to run ipa-ca-install. It failed on host2. Red Hat support said host1 and host2 are on two different DNS domains so replication is not supported. I am not sure that is the case since two hosts are in the same and only IDM domain replication group. Is Red Hat support correct?

I think there is not enough details in your request to answer that question. I also don't know what do you mean by 'IDM domain replication group'.
In particular, what are the errors you are seeing, exactly?
If you have a case open, please share the number and communicate within the case, not with an anonymous account on a public mailing list.
Hi
Thanks for taking a look at this.
'IDM domain replication group'.
I mean it is the "Topology suffix" to connect two replicas. "Domain" suffix works for host2, it can receive and send updates with host1.
"CA" suffix failed during install,
###
Imported certificates into /etc/pki/pki-tomcat/alias:
Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI
caSigningCert cert-pki-ca            CTu,Cu,Cu
auditSigningCert cert-pki-ca         u,u,Pu
ocspSigningCert cert-pki-ca          u,u,u
subsystemCert cert-pki-ca            u,u,u
Installation failed: server failed to restart
2020-03-23T14:33:18Z DEBUG stderr=pkispawn :ERROR ... server failed to restart
2020-03-23T14:33:18Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpV8jHPQ' returned non-zero exit status 1
2020-03-23T14:33:18Z CRITICAL See the installation logs and the following files/directories for more information:
2020-03-23T14:33:18Z CRITICAL /var/log/pki/pki-tomcat
2020-03-23T14:33:18Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 567, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 557, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 675, in __spawn_instance
    pki_pin)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 167, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 407, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.
2020-03-23T14:33:18Z DEBUG [error] RuntimeError: CA configuration failed.
2020-03-23T14:33:18Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 1015, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-ca-install", line 341, in main
    promote(safe_options, options, filename)
  File "/usr/sbin/ipa-ca-install", line 309, in promote
    install_replica(safe_options, options, filename)
  File "/usr/sbin/ipa-ca-install", line 233, in install_replica
    ca.install(True, config, options, custodia=custodia)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 254, in install
    install_step_0(standalone, replica_config, options, custodia=custodia)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 334, in install_step_0
    use_ldaps=standalone)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 490, in configure_instance
    self.start_creation(runtime=runtime)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 567, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 557, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 675, in __spawn_instance
    pki_pin)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 167, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 407, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
2020-03-23T14:33:18Z DEBUG The ipa-ca-install command failed, exception: RuntimeError: CA configuration failed.
###
On Tuesday, April 7, 2020, 02:38:35 AM EDT, Alexander Bokovoy abokovoy@redhat.com wrote:
> On Mon, 06 Apr 2020, askstack--- via FreeIPA-users wrote:
>> Hi
>> IDM domain: "fist.domain" Host name: host1.first.domain host2.second.domain I was able to run "ipa-client-install" on host2 and promoted it to a domain replica. After I verified domain replication was working, I tried to run ipa-ca-install. It failed on host2. Red Hat support said host1 and host2 are on two different DNS domains so replication is not supported. I am not sure that is the case since two hosts are in the same and only IDM domain replication group. Is Red Hat support correct?
> I think there is not enough details in your request to answer that question. I also don't know what do you mean by 'IDM domain replication group'.
> In particular, what are the errors you are seeing, exactly?
> If you have a case open, please share the number and communicate within the case, not with an anonymous account on a public mailing list.
On Wed, 08 Apr 2020, Ask Stack via FreeIPA-users wrote:
> Hi
> Thanks for taking a look at this.
> 'IDM domain replication group'.
> I mean it is the "Topology suffix" to connect two replicas. "Domain" suffix works for host2, it can receive and send updates with host1.
> "CA" suffix failed during install,

Ok, thanks for additional details. They are still not enough but for the list -- I received more details about the case in a private email and it seems there is an issue during the CA replica promotion for the second replica.
I advised the support team where to look. Since more details can only be provided through the customer case communication, I think we can stop this mailing thread.