Bug 1283430 - ipa-kra-install: fails to apply updates
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Assigned To: IPA Maintainers
QA Contact: Namita Soman
Keywords: ZStream
Blocks: 1283884
Reported: 2015-11-18 18:17 EST by Petr Vobornik
Modified: 2016-11-04 01:40 EDT

Fixed In Version: ipa-4.2.0-16.el7
Doc Type: Bug Fix
Clones: 1283884
Last Closed: 2016-11-04 01:40:41 EDT

External Trackers:
Red Hat Product Errata RHBA-2016:2404, priority normal, status SHIPPED_LIVE, "ipa bug fix and enhancement update", last updated 2016-11-03 09:56:18 EDT

Description Petr Vobornik 2015-11-18 18:17:39 EST
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/5346

How to reproduce:
1. install master
2. install kra on master
3. ipa-replica-prepare
4. install replica (without CA)
5. ipa-ca-install
6. ipa-kra-install

Result of ipa-kra-install on replica:
{{{
# ipa-kra-install /root/ipatests/replica-info.gpg -p Secret123 -U

===================================================================
This program will setup Dogtag KRA for the FreeIPA Server.


Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes 6 seconds
[1/7]: configuring KRA instance
[2/7]: restarting KRA
[3/7]: configure certmonger for renewals
[4/7]: configure certificate renewals
[5/7]: configure HTTP to proxy connections
[6/7]: add vault container
[7/7]: apply LDAP updates
Failed to load vault.ldif: Command ''/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpcuO7cy' '-H' 'ldapi://%2fvar%2frun%2fslapd-IPA-TEST.socket' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmp74Y4AY'' returned non-zero exit status 68
Done configuring KRA server (pki-tomcatd).
Restarting the directory and KRA servers
Restarting the directory server
The ipa-kra-install command was successful
}}}

It blows up at adding KRA container:
{{{
2015-10-06T19:39:40Z DEBUG   [6/7]: add vault container
2015-10-06T19:39:40Z DEBUG Starting external process
2015-10-06T19:39:40Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpZM0et9' '-H' 'ldapi://%2fvar%2frun%2fslapd-IPA-TEST.socket' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpq0gJZ0'
2015-10-06T19:39:40Z DEBUG Process finished, return code=68
2015-10-06T19:39:40Z DEBUG stdout=add objectClass:
        top
        nsContainer
add cn:
        kra
adding new entry "cn=kra,dc=ipa,dc=test"


2015-10-06T19:39:40Z DEBUG stderr=ldap_initialize( ldapi://%2fvar%2frun%2fslapd-IPA-TEST.socket/??base )
ldap_add: Already exists (68)

2015-10-06T19:39:40Z CRITICAL Failed to load vault.ldif: Command ''/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpZM0et9' '-H' 'ldapi://%2fvar%2frun%2fslapd-IPA-TEST.socket' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpq0gJZ0'' returned non-zero exit status 68
2015-10-06T19:39:40Z DEBUG   duration: 0 seconds

}}}
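The replica failure above is LDAP result code 68 (entryAlreadyExists): by the time the installer runs ldapmodify, cn=kra has already been replicated from the master, so a blind add collides. As an added example (not FreeIPA code), here is the kind of idempotency check an installer step like "add vault container" needs: exit status 68 is accepted as "already present" only when the LDIF contains nothing but add records and stderr confirms the collision, so any other failure is still reported. The LDIF, stderr and log excerpt are constructed after the output quoted in the bug.

```python
"""Idempotent handling of an ldapmodify 'add' step, modelled on the
'add vault container' step of ipa-kra-install. Added example, not FreeIPA code."""
import re

# RFC 4511 resultCode entryAlreadyExists; ldapmodify exits with the LDAP result code.
LDAP_ENTRY_ALREADY_EXISTS = 68

# Constructed LDIF shaped like the vault container entry shown in the bug log
# (FreeIPA's real vault.ldif is templated; this content is an assumption).
VAULT_LDIF = """\
dn: cn=kra,dc=ipa,dc=test
changetype: add
objectClass: top
objectClass: nsContainer
cn: kra
"""

# Constructed LDIF with a modify record, to show when exit 68 must NOT be tolerated.
MODIFY_LDIF = """\
dn: cn=kra,dc=ipa,dc=test
changetype: modify
add: description
description: example
"""

# Constructed stderr, following the ldapmodify output quoted in the bug.
STDERR_EXISTS = (
    "ldap_initialize( ldapi://%2fvar%2frun%2fslapd-IPA-TEST.socket/??base )\n"
    "ldap_add: Already exists (68)\n"
)

# Constructed excerpt of an installer DEBUG log, in the format quoted in the bug.
LOG_EXCERPT = """\
2015-10-06T19:39:40Z DEBUG   [6/7]: add vault container
2015-10-06T19:39:40Z DEBUG Starting external process
2015-10-06T19:39:40Z DEBUG Process finished, return code=68
"""


def parse_ldif_records(text):
    """Return [(dn, changetype), ...] for each record in an LDIF change file.

    ldapmodify treats a record without a changetype line as 'modify', so that
    is the default here; only an explicit 'changetype: add' counts as an add.
    """
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, changetype = None, "modify"
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "dn":
                dn = value
            elif key == "changetype":
                changetype = value.lower()
        if dn is not None:
            records.append((dn, changetype))
    return records


def returncode_from_log(log):
    """Pull the exit status from an installer 'Process finished' DEBUG line."""
    match = re.search(r"Process finished, return code=(\d+)", log)
    return int(match.group(1)) if match else None


def classify_ldapmodify_result(ldif_text, returncode, stderr):
    """Classify one ldapmodify run as 'applied', 'already-present' or 'failed'.

    Exit status 68 is accepted as 'already-present' only when every record in
    the file is a plain add and stderr confirms the add collided; on a replica
    that is the expected outcome when the entry already replicated from the
    master. Any other non-zero status, or a 68 on a file that also modifies
    entries, is a real failure and must not be swallowed.
    """
    if returncode == 0:
        return "applied"
    records = parse_ldif_records(ldif_text)
    only_adds = bool(records) and all(ct == "add" for _, ct in records)
    collided = re.search(r"^ldap_add: Already exists \(68\)$", stderr, re.M)
    if returncode == LDAP_ENTRY_ALREADY_EXISTS and only_adds and collided:
        return "already-present"
    return "failed"
```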
Comment 6 Scott Poore 2016-07-20 14:35:02 EDT
Verified.

Version ::

ipa-server-4.4.0-2.1.el7.x86_64


Results ::

Due to the changes in IPA 4.4, I did not have to use ipa-replica-prepare or a prepare file with either the ipa-replica-install or ipa-kra-install on the replica.

on Master:

[root@rhel7-1 ~]# ipa-server-install --setup-dns --forwarder=192.168.122.1 --reverse-zone=122.168.192.in-addr.arpa.  --allow-zone-overlap -r EXAMPLE.COM -a Secret123 -p Secret123 -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
in favor of ntpd

Warning: skipping DNS resolution of host rhel7-1.example.com
The domain name has been determined based on the host name.

Checking DNS domain example.com., please wait ...
Checking DNS forwarders, please wait ...
Using reverse zone(s) 122.168.192.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:       rhel7-1.example.com
IP address(es): 192.168.122.71
Domain name:    example.com
Realm name:     EXAMPLE.COM

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       192.168.122.1
Forward policy:   only
Reverse zone(s):  122.168.192.in-addr.arpa.

Adding [192.168.122.71 rhel7-1.example.com] to your /etc/hosts file
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/47]: creating directory server user
  [2/47]: creating directory server instance
  [3/47]: updating configuration in dse.ldif
  [4/47]: restarting directory server
  [5/47]: adding default schema
  [6/47]: enabling memberof plugin
  [7/47]: enabling winsync plugin
  [8/47]: configuring replication version plugin
  [9/47]: enabling IPA enrollment plugin
  [10/47]: enabling ldapi
  [11/47]: configuring uniqueness plugin
  [12/47]: configuring uuid plugin
  [13/47]: configuring modrdn plugin
  [14/47]: configuring DNS plugin
  [15/47]: enabling entryUSN plugin
  [16/47]: configuring lockout plugin
  [17/47]: configuring topology plugin
  [18/47]: creating indices
  [19/47]: enabling referential integrity plugin
  [20/47]: configuring certmap.conf
  [21/47]: configure autobind for root
  [22/47]: configure new location for managed entries
  [23/47]: configure dirsrv ccache
  [24/47]: enabling SASL mapping fallback
  [25/47]: restarting directory server
  [26/47]: adding sasl mappings to the directory
  [27/47]: adding default layout
  [28/47]: adding delegation layout
  [29/47]: creating container for managed entries
  [30/47]: configuring user private groups
  [31/47]: configuring netgroups from hostgroups
  [32/47]: creating default Sudo bind user
  [33/47]: creating default Auto Member layout
  [34/47]: adding range check plugin
  [35/47]: creating default HBAC rule allow_all
  [36/47]: adding sasl mappings to the directory
  [37/47]: adding entries for topology management
  [38/47]: initializing group membership
  [39/47]: adding master entry
  [40/47]: initializing domain level
  [41/47]: configuring Posix uid/gid generation
  [42/47]: adding replication acis
  [43/47]: enabling compatibility plugin
  [44/47]: activating sidgen plugin
  [45/47]: activating extdom plugin
  [46/47]: tuning directory server
  [47/47]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/31]: creating certificate server user
  [2/31]: configuring certificate server instance
  [3/31]: stopping certificate server instance to update CS.cfg
  [4/31]: backing up CS.cfg
  [5/31]: disabling nonces
  [6/31]: set up CRL publishing
  [7/31]: enable PKIX certificate path discovery and validation
  [8/31]: starting certificate server instance
  [9/31]: creating RA agent certificate database
  [10/31]: importing CA chain to RA certificate database
  [11/31]: fixing RA database permissions
  [12/31]: setting up signing cert profile
  [13/31]: setting audit signing renewal to 2 years
  [14/31]: restarting certificate server
  [15/31]: requesting RA certificate from CA
  [16/31]: issuing RA agent certificate
  [17/31]: adding RA agent as a trusted user
  [18/31]: authorizing RA to modify profiles
  [19/31]: authorizing RA to manage lightweight CAs
  [20/31]: Ensure lightweight CAs container exists
  [21/31]: configure certmonger for renewals
  [22/31]: configure certificate renewals
  [23/31]: configure RA certificate renewal
  [24/31]: configure Server-Cert certificate renewal
  [25/31]: Configure HTTP to proxy connections
  [26/31]: restarting certificate server
  [27/31]: migrating certificate profiles to LDAP
  [28/31]: importing IPA certificate profiles
  [29/31]: adding default CA ACL
  [30/31]: adding 'ipa' CA entry
  [31/31]: updating IPA configuration
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv). Estimated time: 10 seconds
  [1/3]: configuring ssl for ds instance
  [2/3]: restarting directory server
  [3/3]: adding CA certificate entry
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
  [1/9]: adding kerberos container to the directory
  [2/9]: configuring KDC
  [3/9]: initialize kerberos container
  [4/9]: adding default ACIs
  [5/9]: creating a keytab for the directory
  [6/9]: creating a keytab for the machine
  [7/9]: adding the password extension to the directory
  [8/9]: starting the KDC
  [9/9]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached 
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring ipa-otpd
  [1/2]: starting ipa-otpd 
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring ipa-custodia
  [1/5]: Generating ipa-custodia config file
  [2/5]: Making sure custodia container exists
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia 
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring the web interface (httpd). Estimated time: 1 minute
  [1/21]: setting mod_nss port to 443
  [2/21]: setting mod_nss cipher suite
  [3/21]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [4/21]: setting mod_nss password file
  [5/21]: enabling mod_nss renegotiate
  [6/21]: adding URL rewriting rules
  [7/21]: configuring httpd
  [8/21]: configure certmonger for renewals
  [9/21]: setting up httpd keytab
  [10/21]: setting up ssl
  [11/21]: importing CA certificates from LDAP
  [12/21]: setting up browser autoconfig
  [13/21]: publish CA cert
  [14/21]: clean up any existing httpd ccache
  [15/21]: configuring SELinux for httpd
  [16/21]: create KDC proxy user
  [17/21]: create KDC proxy config
  [18/21]: enable KDC proxy
  [19/21]: restarting httpd
  [20/21]: configuring httpd to start on boot
  [21/21]: enabling oddjobd
Done configuring the web interface (httpd).
Applying LDAP updates
Upgrading IPA:
  [1/9]: stopping directory server
  [2/9]: saving configuration
  [3/9]: disabling listeners
  [4/9]: enabling DS global lock
  [5/9]: starting directory server
  [6/9]: upgrading server
  [7/9]: stopping directory server
  [8/9]: restoring configuration
  [9/9]: starting directory server
Done.
Restarting the directory server
Restarting the KDC
Configuring DNS (named)
  [1/12]: generating rndc key file
  [2/12]: adding DNS container
  [3/12]: setting up our zone
  [4/12]: setting up reverse zone
  [5/12]: setting up our own record
  [6/12]: setting up records for other masters
  [7/12]: adding NS record to the zones
  [8/12]: setting up kerberos principal
  [9/12]: setting up named.conf
  [10/12]: setting up server configuration
  [11/12]: configuring named to start on boot
  [12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Restarting the web server
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: rhel7-1.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: rhel7-1.example.com
BaseDN: dc=example,dc=com

Skipping synchronizing time with NTP server.
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://rhel7-1.example.com/ipa/json
Forwarding 'schema' to json server 'https://rhel7-1.example.com/ipa/json'
trying https://rhel7-1.example.com/ipa/json
Forwarding 'ping' to json server 'https://rhel7-1.example.com/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://rhel7-1.example.com/ipa/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://rhel7-1.example.com/ipa/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring example.com as NIS domain.
Client configuration complete.

==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these

[root@rhel7-1 ~]# ipa-kra-install -p Secret123 -U

===================================================================
This program will setup Dogtag KRA for the IPA Server.


Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes 6 seconds
  [1/8]: configuring KRA instance
  [2/8]: create KRA agent
  [3/8]: restarting KRA
  [4/8]: configure certmonger for renewals
  [5/8]: configure certificate renewals
  [6/8]: configure HTTP to proxy connections
  [7/8]: add vault container
  [8/8]: apply LDAP updates
Done configuring KRA server (pki-tomcatd).
Restarting the directory server
The ipa-kra-install command was successful


on Replica:

[root@rhel7-2 ~]# ipa-replica-install --setup-dns --forwarder=192.168.122.1 -P admin -w Secret123 -U
Configuring client side components
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Discovery was successful!
Client hostname: rhel7-2.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: rhel7-1.example.com
BaseDN: dc=example,dc=com

Skipping synchronizing time with NTP server.
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=EXAMPLE.COM
    Issuer:      CN=Certificate Authority,O=EXAMPLE.COM
    Valid From:  Wed Jul 20 17:35:37 2016 UTC
    Valid Until: Sun Jul 20 17:35:37 2036 UTC

Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
trying https://rhel7-1.example.com/ipa/json
Forwarding 'schema' to json server 'https://rhel7-1.example.com/ipa/json'
trying https://rhel7-1.example.com/ipa/json
Forwarding 'ping' to json server 'https://rhel7-1.example.com/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://rhel7-1.example.com/ipa/json'
Systemwide CA database updated.
Hostname (rhel7-2.example.com) does not have A/AAAA record.
Missing reverse record(s) for address(es): 192.168.122.72.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://rhel7-1.example.com/ipa/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring example.com as NIS domain.
Client configuration complete.

WARNING: conflicting time&date synchronization service 'chronyd' will
be disabled in favor of ntpd

ipa         : ERROR    Reverse DNS resolution of address 192.168.122.72 (rhel7-2.example.com) failed. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)
Checking DNS forwarders, please wait ...
Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/44]: creating directory server user
  [2/44]: creating directory server instance
  [3/44]: updating configuration in dse.ldif
  [4/44]: restarting directory server
  [5/44]: adding default schema
  [6/44]: enabling memberof plugin
  [7/44]: enabling winsync plugin
  [8/44]: configuring replication version plugin
  [9/44]: enabling IPA enrollment plugin
  [10/44]: enabling ldapi
  [11/44]: configuring uniqueness plugin
  [12/44]: configuring uuid plugin
  [13/44]: configuring modrdn plugin
  [14/44]: configuring DNS plugin
  [15/44]: enabling entryUSN plugin
  [16/44]: configuring lockout plugin
  [17/44]: configuring topology plugin
  [18/44]: creating indices
  [19/44]: enabling referential integrity plugin
  [20/44]: configuring certmap.conf
  [21/44]: configure autobind for root
  [22/44]: configure new location for managed entries
  [23/44]: configure dirsrv ccache
  [24/44]: enabling SASL mapping fallback
  [25/44]: restarting directory server
  [26/44]: creating DS keytab
  [27/44]: retrieving DS Certificate
  [28/44]: restarting directory server
  [29/44]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 9 seconds elapsed
Update succeeded

  [30/44]: adding sasl mappings to the directory
  [31/44]: updating schema
  [32/44]: setting Auto Member configuration
  [33/44]: enabling S4U2Proxy delegation
  [34/44]: importing CA certificates from LDAP
  [35/44]: initializing group membership
  [36/44]: adding master entry
  [37/44]: initializing domain level
  [38/44]: configuring Posix uid/gid generation
  [39/44]: adding replication acis
  [40/44]: enabling compatibility plugin
  [41/44]: activating sidgen plugin
  [42/44]: activating extdom plugin
  [43/44]: tuning directory server
  [44/44]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring ipa-custodia
  [1/5]: Generating ipa-custodia config file
  [2/5]: Generating ipa-custodia keys
  [3/5]: Importing RA Key
/usr/lib/python2.7/site-packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SecurityWarning
  [4/5]: starting ipa-custodia 
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
  [1/4]: configuring KDC
  [2/4]: adding the password extension to the directory
  [3/4]: starting the KDC
  [4/4]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached 
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring the web interface (httpd). Estimated time: 1 minute
  [1/19]: setting mod_nss port to 443
  [2/19]: setting mod_nss cipher suite
  [3/19]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [4/19]: setting mod_nss password file
  [5/19]: enabling mod_nss renegotiate
  [6/19]: adding URL rewriting rules
  [7/19]: configuring httpd
  [8/19]: configure certmonger for renewals
  [9/19]: setting up httpd keytab
  [10/19]: setting up ssl
  [11/19]: importing CA certificates from LDAP
  [12/19]: clean up any existing httpd ccache
  [13/19]: configuring SELinux for httpd
  [14/19]: create KDC proxy user
  [15/19]: create KDC proxy config
  [16/19]: enable KDC proxy
  [17/19]: restarting httpd
  [18/19]: configuring httpd to start on boot
  [19/19]: enabling oddjobd
Done configuring the web interface (httpd).
Applying LDAP updates
Upgrading IPA:
  [1/9]: stopping directory server
  [2/9]: saving configuration
  [3/9]: disabling listeners
  [4/9]: enabling DS global lock
  [5/9]: starting directory server
  [6/9]: upgrading server
  [7/9]: stopping directory server
  [8/9]: restoring configuration
  [9/9]: starting directory server
Done.
Configuring ipa-otpd
  [1/2]: starting ipa-otpd 
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring DNS (named)
  [1/8]: generating rndc key file
  [2/8]: setting up our own record
  [3/8]: adding NS record to the zones
  [4/8]: setting up kerberos principal
  [5/8]: setting up named.conf
  [6/8]: setting up server configuration
  [7/8]: configuring named to start on boot
  [8/8]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

[root@rhel7-2 ~]# ipa-ca-install -P admin -p Secret123 -w Secret123 -U
Run connection check to master
Connection check OK
/usr/lib/python2.7/site-packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SecurityWarning
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/25]: creating certificate server user
  [2/25]: creating certificate server db
  [3/25]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 5 seconds elapsed
Update succeeded

  [4/25]: creating installation admin user
  [5/25]: setting up certificate server
  [6/25]: stopping instance to update CS.cfg
  [7/25]: backing up CS.cfg
  [8/25]: disabling nonces
  [9/25]: set up CRL publishing
  [10/25]: enable PKIX certificate path discovery and validation
  [11/25]: set up client auth to db
  [12/25]: destroying installation admin user
  [13/25]: Ensure lightweight CAs container exists
  [14/25]: Configure lightweight CA key retrieval
  [15/25]: starting instance
  [16/25]: importing CA chain to RA certificate database
  [17/25]: fixing RA database permissions
  [18/25]: setting up signing cert profile
  [19/25]: setting audit signing renewal to 2 years
  [20/25]: configure certificate renewals
  [21/25]: configure Server-Cert certificate renewal
  [22/25]: Configure HTTP to proxy connections
  [23/25]: updating IPA configuration
  [24/25]: Restart HTTP server to pick up changes
  [25/25]: enabling CA instance
Done configuring certificate server (pki-tomcatd).
Updating DNS system records
[root@rhel7-2 ~]# ipa-kra-install -p Secret123 -U

===================================================================
This program will setup Dogtag KRA for the IPA Server.


/usr/lib/python2.7/site-packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SecurityWarning
Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes 6 seconds
  [1/8]: creating installation admin user
  [2/8]: configuring KRA instance
  [3/8]: destroying installation admin user
  [4/8]: restarting KRA
  [5/8]: configure certmonger for renewals
  [6/8]: configure certificate renewals
  [7/8]: add vault container
  [8/8]: enabling KRA instance
Done configuring KRA server (pki-tomcatd).
The ipa-kra-install command was successful
Comment 8 errata-xmlrpc 2016-11-04 01:40:41 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html
