hi guys,
I have a working domain off Centos 7's VERSION: 4.6.8, API_VERSION: 2.237 and now I'm adding Centos 8's VERSION: 4.8.4, API_VERSION: 2.235. Adding Centos 8 replica worked okay and now on that new replica/master:
$ ipa-ca-install
I get:
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/27]: creating certificate server db
[2/27]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 8 seconds elapsed
Update succeeded
[3/27]: creating ACIs for admin
[4/27]: creating installation admin user
[5/27]: configuring certificate server instance
ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpwodqkt5b'] returned non-zero exit status 1: 'Notice: Trust flag u is set automatically if the private key is present.\nWARNING: Unable to modify o=ipaca: netscape.ldap.LDAPException: error result (20); Type or value exists\nERROR: Exception: Server unreachable due to SSL error: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:897)\n File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 562, in main\n scriptlet.spawn(deployer)\n File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 836, in spawn\n request_timeout=status_request_timeout,\n File "/usr/lib/python3.6/site-packages/pki/server/deployment/pkihelper.py", line 911, in wait_for_startup\n raise Exception('Server unreachable due to SSL error: %s' % reason) from exc\n\n')
ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
and I wonder if it fails because it should, because these two versions will not! work together, or is the problem some other cause not related to the fact that different versions are used?
Many thanks, L.
lejeczek via FreeIPA-users wrote:
> hi guys,
> I have a working domain off Centos 7's VERSION: 4.6.8, API_VERSION: 2.237 and now I'm adding Centos 8's VERSION: 4.8.4, API_VERSION: 2.235. Adding Centos 8 replica worked okay and now on that new replica/master:
> $ ipa-ca-install
> I get:
> Run connection check to master
> Connection check OK
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
> [1/27]: creating certificate server db
> [2/27]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 8 seconds elapsed
> Update succeeded
> [3/27]: creating ACIs for admin
> [4/27]: creating installation admin user
> [5/27]: configuring certificate server instance
> ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpwodqkt5b'] returned non-zero exit status 1: 'Notice: Trust flag u is set automatically if the private key is present.\nWARNING: Unable to modify o=ipaca: netscape.ldap.LDAPException: error result (20); Type or value exists\nERROR: Exception: Server unreachable due to SSL error: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:897)\n File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 562, in main\n scriptlet.spawn(deployer)\n File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 836, in spawn\n request_timeout=status_request_timeout,\n File "/usr/lib/python3.6/site-packages/pki/server/deployment/pkihelper.py", line 911, in wait_for_startup\n raise Exception('Server unreachable due to SSL error: %s' % reason) from exc\n\n')
> ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
> ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
> [error] RuntimeError: CA configuration failed.
> and I wonder if it fails because it should, because these two versions will not! work together, or is the problem some other cause not related to the fact that different versions are used?
This isn't an issue with mixed versions. The problem is openjdk 1.8.0.272 which caused some TLS regressions (https://bugzilla.redhat.com/show_bug.cgi?id=1892216). Downgrade to 1.8.0.265 and it should work.
rob
freeipa-users@lists.fedorahosted.org
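
Added example, not part of the thread or of FreeIPA: a small check that tells the case described in the reply (the WRONG_VERSION_NUMBER error together with OpenJDK 1.8.0.272) apart from other CA install failures. The package name java-1.8.0-openjdk-headless, the function names and the sample NVR are assumptions; the build numbers and the error string are the ones quoted above.

```shell
#!/bin/sh
# Added example; build numbers are the ones named in the reply.
AFFECTED_BUILD="1.8.0.272"
KNOWN_GOOD_BUILD="1.8.0.265"

# Print the OpenJDK 8 build (e.g. 1.8.0.272) embedded in an RPM
# name-version-release string; print nothing if none is found.
jdk_build_from_nvr() {
    printf '%s\n' "$1" | sed -n 's/.*-\(1\.8\.0\.[0-9][0-9]*\).*/\1/p'
}

# Succeed if the text on stdin contains the TLS error pkispawn reported.
has_tls_signature() {
    grep -F -q 'SSL: WRONG_VERSION_NUMBER'
}

# diagnose NVR LOGFILE: print a one-line verdict (match / other / none).
diagnose() {
    build=$(jdk_build_from_nvr "$1")
    if has_tls_signature < "$2"; then sig=yes; else sig=no; fi
    if [ "$sig" = yes ] && [ "$build" = "$AFFECTED_BUILD" ]; then
        echo "match: TLS error with OpenJDK $build; downgrade to $KNOWN_GOOD_BUILD"
    elif [ "$sig" = yes ]; then
        echo "other: TLS error present, but OpenJDK build is ${build:-unknown}"
    else
        echo "none: no WRONG_VERSION_NUMBER error in the log"
    fi
}

# On the replica (package name is an assumption):
#   sh check.sh "$(rpm -q java-1.8.0-openjdk-headless)" /path/to/install.log
if [ "$#" -eq 2 ]; then
    diagnose "$1" "$2"
else
    # No arguments: run on constructed sample input.
    sample=$(mktemp)
    echo 'ERROR: Exception: Server unreachable due to SSL error: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:897)' > "$sample"
    diagnose 'java-1.8.0-openjdk-headless-1.8.0.272.b10-0.example.x86_64' "$sample"
    rm -f "$sample"
fi
```

A "match" verdict only says the symptoms line up with the reply; an "other" verdict means the TLS error has a different cause and the logs under /var/log/pki/pki-tomcat are the next place to look.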