You're probably hitting the same issue.
Check the docs [1] to see the minimum requirements.
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
On 02/08/2018 06:37 PM, Andrew Meyer via FreeIPA-users wrote:
> Ok, I launched a new instance using 1CPU x 2GB. I got further. And
> then all of a sudden the promotion script killed itself?
>
> Done configuring ipa-custodia.
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
> [1/27]: creating certificate server db
> [2/27]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 5 seconds elapsed
> Update succeeded
>
> [3/27]: creating installation admin user
> [4/27]: configuring certificate server instance
> [5/27]: exporting Dogtag certificate store pin
> [6/27]: stopping certificate server instance to update CS.cfg
> [7/27]: backing up CS.cfg
> [8/27]: disabling nonces
> [9/27]: set up CRL publishing
> [10/27]: enable PKIX certificate path discovery and validation
> [11/27]: destroying installation admin user
> [12/27]: starting certificate server instance
> [13/27]: configure certmonger for renewals
> [14/27]: Importing RA key
> [15/27]: setting up signing cert profile
> [16/27]: setting audit signing renewal to 2 years
> [17/27]: restarting certificate server
> Killed
>
> This is what is in the ipareplica-install.log. It looks like it worked
> but for some reason killed itself?
>
> 2018-02-08T20:32:24Z DEBUG Starting external process
> 2018-02-08T20:32:24Z DEBUG args=/usr/bin/openssl pkcs12 -in
> /tmp/tmpTxzHP7 -nocerts -nodes -out /var/lib/ipa/ra-agent.key -passin
> pass:XXXXXXXX
> 2018-02-08T20:32:24Z DEBUG Process finished, return code=0
> 2018-02-08T20:32:24Z DEBUG stdout=
> 2018-02-08T20:32:24Z DEBUG stderr=MAC verified OK
>
> 2018-02-08T20:32:24Z DEBUG Starting external process
> 2018-02-08T20:32:24Z DEBUG args=/usr/sbin/selinuxenabled
> 2018-02-08T20:32:24Z DEBUG Process finished, return code=1
> 2018-02-08T20:32:24Z DEBUG stdout=
> 2018-02-08T20:32:24Z DEBUG stderr=
> 2018-02-08T20:32:24Z DEBUG Starting external process
> 2018-02-08T20:32:24Z DEBUG args=/usr/sbin/selinuxenabled
> 2018-02-08T20:32:24Z DEBUG Process finished, return code=1
> 2018-02-08T20:32:24Z DEBUG stdout=
> 2018-02-08T20:32:24Z DEBUG stderr=
> 2018-02-08T20:32:25Z DEBUG duration: 2 seconds
> 2018-02-08T20:32:25Z DEBUG [15/27]: setting up signing cert profile
> 2018-02-08T20:32:25Z DEBUG duration: 0 seconds
> 2018-02-08T20:32:25Z DEBUG [16/27]: setting audit signing renewal to 2 years
> 2018-02-08T20:32:25Z DEBUG caSignedLogCert.cfg profile validity range is 720
> 2018-02-08T20:32:25Z DEBUG duration: 0 seconds
> 2018-02-08T20:32:25Z DEBUG [17/27]: restarting certificate server
> 2018-02-08T20:32:25Z DEBUG Starting external process
> 2018-02-08T20:32:25Z DEBUG args=/bin/systemctl restart
> pki-tomcatd@pki-tomcat.service
> 2018-02-08T20:32:39Z DEBUG Process finished, return code=0
> 2018-02-08T20:32:39Z DEBUG stdout=
> 2018-02-08T20:32:39Z DEBUG stderr=
> 2018-02-08T20:32:39Z DEBUG Starting external process
> 2018-02-08T20:32:39Z DEBUG args=/bin/systemctl is-active
> pki-tomcatd@pki-tomcat.service
> 2018-02-08T20:32:39Z DEBUG Process finished, return code=0
> 2018-02-08T20:32:39Z DEBUG stdout=active
>
> 2018-02-08T20:32:39Z DEBUG stderr=
> 2018-02-08T20:32:39Z DEBUG wait_for_open_ports: localhost [8080, 8443]
> timeout 300
> 2018-02-08T20:32:39Z DEBUG waiting for port: 8080
> 2018-02-08T20:32:39Z DEBUG Failed to connect to port 8080 tcp on 127.0.0.1
> 2018-02-08T20:32:54Z DEBUG SUCCESS: port: 8080
> 2018-02-08T20:32:54Z DEBUG waiting for port: 8443
> 2018-02-08T20:32:54Z DEBUG Failed to connect to port 8443 tcp on 127.0.0.1
> 2018-02-08T20:32:57Z DEBUG SUCCESS: port: 8443
> 2018-02-08T20:32:57Z DEBUG Waiting until the CA is running
> 2018-02-08T20:32:57Z DEBUG request POST
> http://infra-freeipa01-aws.gatewayblend.net:8080/ca/admin/ca/getStatus
> 2018-02-08T20:32:57Z DEBUG request body ''
>
>
> On Thursday, February 8, 2018 11:29 AM, Andrew Meyer via FreeIPA-users
> <freeipa-users(a)lists.fedorahosted.org> wrote:
>
>
> That's what I thought. Thank you for confirming that!
>
>
> On Thursday, February 8, 2018 11:26 AM, Rob Crittenden via FreeIPA-users
> <freeipa-users(a)lists.fedorahosted.org> wrote:
>
>
> Andrew Meyer via FreeIPA-users wrote:
> > Ok, I got further this time. Now I am getting this error:
> >
> > [2/27]: setting up initial replication
> > Starting replication, please wait until this has completed.
> > Update in progress, 5 seconds elapsed
> > Update succeeded
> >
> > [3/27]: creating installation admin user
> > [4/27]: configuring certificate server instance
> > [error] OSError: [Errno 12] Cannot allocate memory
> > Your system may be partly configured.
> > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >
> > ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
> > ERROR [Errno 12] Cannot allocate memory
> > ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
> > ERROR The ipa-replica-install command failed. See
> > /var/log/ipareplica-install.log for more information
>
> How much RAM does your instance have? You need 2GB minimum.
>
> rob
>
> >
> >
> > On Thursday, February 8, 2018 8:01 AM, Andrew Meyer via FreeIPA-users
> > <freeipa-users(a)lists.fedorahosted.org> wrote:
> >
> >
> > Thank you, I also did some digging and found that there is a bug
> > directly related to this in version 4.5.2, which is what I'm running.
> > Apparently it is fixed in 4.6.3 but it hasn't reached CentOS 7 EPEL repo.
> >
> >
> > On Thursday, February 8, 2018 7:29 AM, Florence Blanc-Renaud via
> > FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
> >
> >
> > On 02/07/2018 10:53 PM, Andrew Meyer via FreeIPA-users wrote:
> >> I just got FreeIPA added as a client and then I tried to promote it as
> >> a replica. I got the following error:
> >>
> >> Done configuring kadmin.
> >> Configuring directory server (dirsrv)
> >> [1/3]: configuring TLS for DS instance
> >> [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
> >> Your system may be partly configured.
> >> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >>
> >> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
> >> ERROR Certificate issuance failed (CA_REJECTED)
> >> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
> >> ERROR The ipa-replica-install command failed. See
> >> /var/log/ipareplica-install.log for more information
> >> [ec2-user@freeipa-replica-aws ~]$
> >> _______________________________________________
> >> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> >> To unsubscribe send an email to
> >> freeipa-users-leave(a)lists.fedorahosted.org
> >>
> > Hi,
> >
> > During a replication installation, the replica will use certmonger to
> > request certificates for 389-ds and httpd. Then certmonger (on the
> > replica-to-be) contacts a FreeIPA master with a cert_request command,
> > and the master communicates with Dogtag to issue the certificate.
> >
> > When this fails, you may get more information with the following command:
> > - on the client that you try to promote: sudo getcert list
> > It may contain an error message with an explanation
> >
> > - on the FreeIPA master, check the logs in /var/log/httpd/error_log.
> > They should contain some lines like:
> >
> > [...date...] [:error] [pid 9337] ipa: INFO: [xmlserver]
> > host/vm-replica.ipadomain.com@IPADOMAIN.COM:
> > cert_request(u'MII...MJUs6', profile_id=u'caIPAserviceCert',
> > principal=u'ldap/replica.ipadomain.com@IPADOMAIN.COM', add=True,
> > version=u'2.51'): XXX
> >
> > where XXX will contain the reason for the failure. The PKI logs in
> > /var/log/pki/pki-tomcat/ on the master may also help diagnose.
> >
> > HTH,
> > Flo
> >
>
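
The error_log check described in the quoted reply from Flo, as an added example that is not part of the original thread or of FreeIPA itself: it scans lines from /var/log/httpd/error_log on the master and lists every `cert_request` call that did not succeed, with the principal and profile involved. The function name is hypothetical, the sample lines are constructed, and it assumes the token after the closing parenthesis is either `SUCCESS` or a single-word error name.

```python
import re

# One IPA API audit line in /var/log/httpd/error_log on the master, in the
# layout quoted in the thread:
#   ... ipa: INFO: [xmlserver] <caller>: cert_request(<args>): <result>
# Assumption: <result> is a single token, SUCCESS or an error name.
CERT_REQUEST_RE = re.compile(
    r"ipa: INFO: \[\w+\] (?P<caller>\S+): "
    r"cert_request(?:/\d+)?\((?P<args>.*)\): (?P<result>\S+)\s*$"
)
# Keyword arguments follow the positional CSR, so each is preceded by ", ".
# Anchoring on that keeps base64 '=' padding in the CSR from matching.
KWARG_RE = re.compile(r", (\w+)=u?'([^']*)'")

# Constructed sample lines (hosts, dates and results are made up).
SAMPLE_LOG = [
    "[Thu Feb 08 20:10:01 2018] [:error] [pid 9337] ipa: INFO: [xmlserver] "
    "host/vm-replica.ipadomain.com@IPADOMAIN.COM: cert_request(u'MII...MJUs6', "
    "profile_id=u'caIPAserviceCert', "
    "principal=u'ldap/replica.ipadomain.com@IPADOMAIN.COM', add=True, "
    "version=u'2.51'): CertificateOperationError",
    "[Thu Feb 08 20:10:05 2018] [:error] [pid 9337] ipa: INFO: [xmlserver] "
    "host/vm-replica.ipadomain.com@IPADOMAIN.COM: cert_request(u'MII...Qx8=', "
    "profile_id=u'caIPAserviceCert', "
    "principal=u'HTTP/replica.ipadomain.com@IPADOMAIN.COM', add=True, "
    "version=u'2.51'): SUCCESS",
    "[Thu Feb 08 20:10:06 2018] [:error] [pid 9337] ipa: INFO: [xmlserver] "
    "admin@IPADOMAIN.COM: ping(): SUCCESS",
]


def failed_cert_requests(lines):
    """Return one record per cert_request call that did not end in SUCCESS."""
    failures = []
    for line in lines:
        m = CERT_REQUEST_RE.search(line)
        if m is None or m.group("result") == "SUCCESS":
            continue
        kwargs = dict(KWARG_RE.findall(m.group("args")))
        failures.append({
            "caller": m.group("caller"),
            "principal": kwargs.get("principal"),
            "profile_id": kwargs.get("profile_id"),
            "result": m.group("result"),
        })
    return failures


if __name__ == "__main__":
    for rec in failed_cert_requests(SAMPLE_LOG):
        print("{result}: {principal} via {profile_id} (caller {caller})".format(**rec))
```

On a real master, pass the open log file instead of `SAMPLE_LOG`; the result name it reports is the starting point for the PKI logs under /var/log/pki/pki-tomcat/.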