Hello,
We had two ipa replicas, ipa1 with CA and ipa2. Those servers were on
Ubuntu 16.
I successfully installed ipa3 replica with CA that is running on a newer
version of IPA and CentOS 7. After that I stopped old ipa2 and
successfully installed new ipa2 with CA on CentOS 7. Lastly I set up CA
master to be new ipa2 following
https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#P...
and turned off old ipa1 server.
The problem occurred when I was installing a replica with CA on the new ipa1
server running CentOS 7.
I can successfully install ipa client and create a ticket under the admin user,
but when trying to install the replica it fails with "ERROR Certificate
issuance failed (CA_UNREACHABLE)". Somehow it tries to get certificates
during replica install from the ipa1 server when it does not yet have httpd
installed.
I thought it could be a problem that the certificate was primarily created at
old ipa1 and we have it signed by our own certificates as well, so I
created another ipa4 server on CentOS 7. And again it crashed at the
same point trying to get a certificate from itself when it did not have
httpd installed yet.
OS: CentOS Linux release 7.4.1708
IPA: VERSION: 4.5.0, API_VERSION: 2.228
Attached are logs from ipa client installation and ipa replica
installation for ipa4 server.
Please ask if you require any different logs. I also tried to follow
debugging from
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
but in my case it ends earlier because it tries to get the certificate from
itself and does not get to the master. This can also be seen in the output of
the command getcert list (in attachment).
Thank you for checking.
With kind regards,
*Ján Gardian*
Administrator