ca replication for hosts with different dns domains

List overview All Threads
Download

newer

older

Domain controllers switch to LDAPS

Migration (in place)

askstack＠yahoo.com

6 Apr 2020 6 Apr '20

2:37 p.m.

IDM domain: "fist.domain" Host name: host1.first.domain host2.second.domain I was able to run "ipa-client-install" on host2 and promoted it to a domain replica. After I verified domain replication was working, I tried to run ipa-ca-install. It failed on host2. Redhat support said host1 and host2 are on two different dns domains so replication is not supported. I am not sure that is the case since two hosts are in the same and onlyIDM domain replication group. Is redhat support correct? Thanks.

Show replies by date

Alexander Bokovoy

7 Apr 7 Apr

1:38 a.m.

New subject: ca replication for hosts with different dns domains

On ma, 06 huhti 2020, askstack--- via FreeIPA-users wrote:

...

Hi

IDM domain: "fist.domain" Host name: host1.first.domain host2.second.domain I was able to run "ipa-client-install" on host2 and promoted it to a domain replica. After I verified domain replication was working, I tried to run ipa-ca-install. It failed on host2. Redhat support said host1 and host2 are on two different dns domains so replication is not supported. I am not sure that is the case since two hosts are in the same and onlyIDM domain replication group. Is redhat support correct?

I think there is not enough details in your request to answer that question. I also don't know what do you mean by 'IDM domain replication group'.

In particular, what are the errors you are seeing, exactly?

If you have a case open, please share the number and communicate within the case, not with with an anonymous account on a public mailing list.

-- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland

Ask Stack

8 Apr 8 Apr

9:48 a.m.

New subject: ca replication for hosts with different dns domains

Thanks for taking a look at this.

'IDM domain replication group'.

I mean it is the "Topology suffix" to connect two replicas. "Domain" suffix works for host2, it can receive and send updates with host1.

"CA"suffix failed during install,

###

Imported certificates into /etc/pki/pki-tomcat/alias:

Certificate Nickname Trust Attributes

SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca CTu,Cu,Cu

auditSigningCert cert-pki-ca u,u,Pu

ocspSigningCert cert-pki-ca u,u,u

subsystemCert cert-pki-ca u,u,u

Installation failed: server failed to restart

2020-03-23T14:33:18Z DEBUG stderr=pkispawn :ERROR ... server failed to restart

2020-03-23T14:33:18Z CRITICAL Failed to configure CAinstance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpV8jHPQ' returnednon-zero exit status 1

2020-03-23T14:33:18Z CRITICAL See the installation logs andthe following files/directories for more information:

2020-03-23T14:33:18Z CRITICAL /var/log/pki/pki-tomcat

2020-03-23T14:33:18Z DEBUG Traceback (most recent calllast):

File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",line 567, in start_creation

run_step(full_msg, method)

File"/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line557, in run_step

method()

File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",line 675, in __spawn_instance

pki_pin)

File"/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",line 167, in spawn_instance

self.handle_setup_error(e)

File"/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",line 407, in handle_setup_error

raise RuntimeError("%s configurationfailed." % self.subsystem)

RuntimeError: CA configuration failed.

2020-03-23T14:33:18Z DEBUG [error] RuntimeError:CA configuration failed.

2020-03-23T14:33:18Z DEBUG File"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",line 1015, in run_script

return_value = main_function()

File "/usr/sbin/ipa-ca-install", line 341,in main

promote(safe_options, options, filename)

File "/usr/sbin/ipa-ca-install", line 309,in promote

install_replica(safe_options, options,filename)

File "/usr/sbin/ipa-ca-install", line 233,in install_replica

ca.install(True, config, options,custodia=custodia)

File"/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 254,in install

install_step_0(standalone, replica_config,options, custodia=custodia)

File"/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 334,in install_step_0

use_ldaps=standalone)

File"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",line 490, in configure_instance

self.start_creation(runtime=runtime)

File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",line 567, in start_creation

run_step(full_msg, method)

File"/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line557, in run_step

method()

File"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",line 675, in __spawn_instance

pki_pin)

File"/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",line 167, in spawn_instance

self.handle_setup_error(e)

File"/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",line 407, in handle_setup_error

raise RuntimeError("%s configurationfailed." % self.subsystem)

2020-03-23T14:33:18Z DEBUG The ipa-ca-install commandfailed, exception: RuntimeError: CA configuration failed.

###

On Tuesday, April 7, 2020, 02:38:35 AM EDT, Alexander Bokovoy abokovoy@redhat.com wrote:

On ma, 06 huhti 2020, askstack--- via FreeIPA-users wrote:

...

Hi

IDM domain: "fist.domain" Host name: host1.first.domain host2.second.domain I was able to run "ipa-client-install" on host2 and promoted it to a domain replica. After I verified domain replication was working, I tried to run ipa-ca-install. It failed on host2. Redhat support said host1 and host2 are on two different dns domains so replication is not supported. I am not sure that is the case since two hosts are in the same and onlyIDM domain replication group. Is redhat support correct?

I think there is not enough details in your request to answer that question. I also don't know what do you mean by 'IDM domain replication group'.

In particular, what are the errors you are seeing, exactly?

If you have a case open, please share the number and communicate within the case, not with with an anonymous account on a public mailing list.

-- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland

Alexander Bokovoy

10:28 a.m.

New subject: ca replication for hosts with different dns domains

On ke, 08 huhti 2020, Ask Stack via FreeIPA-users wrote:

...

Hi

Thanks for taking a look at this.

'IDM domain replication group'.

I mean it is the "Topology suffix" to connect two replicas. "Domain" suffix works for host2, it can receive and send updates with host1.

"CA"suffix failed during install,

Ok, thanks for additional details. They are still not enough but for the list -- I received more details about the case in a private email and it seems there is an issue during the CA replica promotion for the second replica.

I advised the support team where to look. Since more details can only be provided through the customer case communication, I think we can stop this mailing thread.

-- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland

1485

Age (days ago)

1487

Last active (days ago)

freeipa-users@lists.fedorahosted.org

3 comments

3 participants

tags (0)

participants (3)

Alexander Bokovoy
Ask Stack
askstack＠yahoo.com