Hi all,
I'm trying to set up a replica from RHEL6.9 FreeIPA 3.0.0 to RHEL7.3 RHEL 4.4.0.
What I'm trying to achieve is an isolated FreeIPA 4.4 server that we could replace
the original FreeIPA 3.0 infrastrcuture with. The way I'm doing this is:
1) prepare replica file on production ipa01 and copy to ipasync
2) install replica with CA on ipasync and then remove all connections to ipa01, ipa02
and ipa03 (which is the entire production infrastructure)
3) Upgrade schema on ipasync and upgrade to RHEL 6.9 (from RHEL 6.7)
4) Prepare replica file on ipasync and copy to ipa01 (a new clean installation in test
that should later replace ipa01 in prod)
5) install replica with CA on ipa01 and then remove all connections to ipasync
* Right now I'm failing at the create CA phase in step 5 with:
[2/27]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance:
Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpDsKVFr' returned non-zero exit status
1
* I can see that it fails on the subsystem Clone URI in /var/log/ipareplica-install.log
Installation failed:
com.netscape.certsrv.base.BadRequestException: Clone URI does not match available
subsystems:
https://ipasync.xxx.com:443
Please check the CA logs in /var/log/pki/pki-tomcat/ca.
2017-07-11T15:24:52Z DEBUG stderr=pkispawn : WARNING ....... unable to validate
security domain user/password through REST interface. Interface not available
* To get more details I check the debug log for tomcat and find that it still tries to
match against the old infrastructure and not the ipasync server:
# cat /var/log/pki/pki-tomcat/ca/debug
...
[11/Jul/2017:17:24:52][http-bio-8443-exec-3]: len is 3
[11/Jul/2017:17:24:52][http-bio-8443-exec-3]: hostname: <ipa01.xxx.com>
[11/Jul/2017:17:24:52][http-bio-8443-exec-3]: admin_port: <443>
[11/Jul/2017:17:24:52][http-bio-8443-exec-3]: hostname: <ipa02.xxx.com>
[11/Jul/2017:17:24:52][http-bio-8443-exec-3]: admin_port: <443>
[11/Jul/2017:17:24:52][http-bio-8443-exec-3]: hostname: <ipa03.xxx.com>
[11/Jul/2017:17:24:52][http-bio-8443-exec-3]: admin_port: <443>
[11/Jul/2017:17:24:52][http-bio-8443-exec-3]: === Subsystem Configuration ===
[11/Jul/2017:17:24:52][http-bio-8443-exec-3]: SystemConfigService: validate clone URI:
https://ipasync.xxx.com:443
[11/Jul/2017:17:24:52][http-bio-8443-exec-3]: Clone URI does not match available
subsystems:
https://ipasync.xxx.com:443
* I validate this by checking the calist in getDomainXML:
# wget --no-check-certificate
https://ipasync.xxx.com:443/ca/admin/ca/getDomainXML
# cat getDomainXML | xmllint --format -
...
<CAList>
<CA>
<DomainManager>TRUE</DomainManager>
<SubsystemName>pki-cad</SubsystemName>
<Clone>FALSE</Clone>
<UnSecurePort>80</UnSecurePort>
<SecureEEClientAuthPort>443</SecureEEClientAuthPort>
<SecureAdminPort>443</SecureAdminPort>
<SecureAgentPort>443</SecureAgentPort>
<SecurePort>443</SecurePort>
<Host>ipa01.xxx.com</Host>
</CA>
<CA>
<SubsystemName>pki-cad</SubsystemName>
<Clone>TRUE</Clone>
<DomainManager>TRUE</DomainManager>
<SecureEEClientAuthPort>443</SecureEEClientAuthPort>
<UnSecurePort>80</UnSecurePort>
<SecureAdminPort>443</SecureAdminPort>
<SecureAgentPort>443</SecureAgentPort>
<SecurePort>443</SecurePort>
<Host>ipa02.xxx.com</Host>
</CA>
<CA>
<SubsystemName>pki-cad</SubsystemName>
<Clone>TRUE</Clone>
<DomainManager>TRUE</DomainManager>
<SecureEEClientAuthPort>443</SecureEEClientAuthPort>
<UnSecurePort>80</UnSecurePort>
<SecureAdminPort>443</SecureAdminPort>
<SecureAgentPort>443</SecureAgentPort>
<SecurePort>443</SecurePort>
<Host>ipa03.xxx.com</Host>
</CA>
<SubsystemCount>3</SubsystemCount>
</CAList>
...
Why does it still have the old ipa servers and why is not ipasync included? Am I doing
something wrong here, for example do I need to manually add ipasync to the pki-cad list of
CAs?
I don't believe uninstalling an IPA master will update this list as it
is maintained by dogtag and other than removing the replication
agreements I'm not aware of any other notification that a server is
going away.
Endi, do you know what needs to happen here?
rob