Created attachment 1449768: replica-install.log

Description of problem:
Trying to set up a new replica against a CentOS 7.5 server (FreeIPA 4.5.4). A "normal" replica installs just fine, but if I try to make it a CA replica too (either by ipa-ca-install or ipa-replica-install --setup-ca), it fails on the step:

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [4/26]: configuring certificate server instance

Version-Release number of selected component (if applicable):
Existing master is running 4.5.4 on CentOS 7.5, new replica is running Fedora 28 freeipa 4.6.90.pre2.

How reproducible:
I really don't know if this is too specific to my versions of the packages, so just a "simple" recreate of the environment should do it.

Steps to Reproduce:
1. ipa-replica-install --setup-ca (or ipa-ca-install after a successful ipa-replica-install)

Actual results:
  [4/26]: configuring certificate server instance
ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpimcgo2by'] returned non-zero exit status 1: '')
ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL   /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.

Expected results:
Successful install

Additional info:
Created attachment 1449769: server-side.log

Log of the server side (existing master FreeIPA server) when the error occurs while setting up the CA replica.
Hi,

the log:

INFO: PKIAuthenticator: Authenticating with BASIC authentication
Invalid Credential.

points to wrong credentials. Did you specify the admin password when running ipa-replica-install (with -w ADMIN_PASSWORD)? What was your exact procedure (ipa-client-install, kinit admin, ipa-replica-install --setup-ca, or in a single step ipa-replica-install)?
Hi Florence. Yeah, I saw the invalid credential part, but I tried this several times :) I didn't use "-w"; it was just a simple ipa-replica-install --setup-ca --setup-dns. I also tried with just "ipa-ca-install" after a successful ipa-replica-install, and it gives the same error. I did the ipa-client-install (didn't kinit admin, because it asks for the admin password), and then ipa-replica-install --setup-ca. Also, just to complement the information, I just tried to set up a CentOS replica against the same server and it worked.
Hi,

I am definitely unable to reproduce this behavior. Can you provide the full /var/log/pki/pki-ca-spawn.$DATE.log (from the replica) and /var/log/dirsrv/slapd-DOMAIN-COM/access (from the master)?

On a running topology, I remember the installer creates a temp entry with DN: uid=admin-replica.domain.com,ou=people,o=ipaca and a random password, and pkispawn performs the bind with this id. Let's see in the logs if the entry is created and if a BIND is attempted around the time you see the log "GET /ca/rest/securityDomain/domainInfo" in /var/log/pki/pki-tomcat/localhost_access_log.$DATE.txt

You can also try to run

ipa-client-install
kinit admin
ipa-replica-install --setup-ca

and see if the behavior is different. Note that you will probably need to run ipa-server-install --uninstall -U on the failing replica + ipa-replica-manage del <replica> on the master before being able to re-install the replica.
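One way to do the log check described in the comment above, as an added example that is not part of the bug report or of FreeIPA itself: it parses constructed 389-ds access log and pki-tomcat localhost_access_log lines (hostnames, IPs, the admin-replica DN and timestamps are all made up) and reports each BIND as the temporary admin-replica entry, its LDAP result code, and whether it fell within a minute of the GET /ca/rest/securityDomain/domainInfo request.

```python
import re
from datetime import datetime

# Constructed sample lines in the two formats named above: the 389-ds access log
# (BIND and RESULT lines paired by conn/op) and pki-tomcat's localhost_access_log.
DS_ACCESS_LOG = """\
[27/Jun/2018:10:15:30.100000000 +0200] conn=12 op=0 BIND dn="uid=admin-replica.replica.example.test,ou=people,o=ipaca" method=128 version=3
[27/Jun/2018:10:15:30.101000000 +0200] conn=12 op=0 RESULT err=49 tag=97 nentries=0 etime=0.001
[27/Jun/2018:10:20:00.000000000 +0200] conn=13 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[27/Jun/2018:10:20:00.001000000 +0200] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0.001
"""
TOMCAT_ACCESS_LOG = """\
10.0.0.5 - - [27/Jun/2018:10:15:31 +0200] "GET /ca/rest/securityDomain/domainInfo HTTP/1.1" 200 2102
"""
ADMIN_REPLICA_DN = "uid=admin-replica.replica.example.test,ou=people,o=ipaca"  # hypothetical host
DOMAININFO_PATH = "/ca/rest/securityDomain/domainInfo"
LDAP_INVALID_CREDENTIALS = 49  # LDAP result code a wrong bind password produces
DS_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$')
TOMCAT_RE = re.compile(r'^\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*"')

def parse_ds_ts(ts):
    """'27/Jun/2018:10:15:30.100000000 +0200' -> aware datetime, nanoseconds dropped."""
    clock, tz = ts.split(" ")
    return datetime.strptime(f"{clock.split('.')[0]} {tz}", "%d/%b/%Y:%H:%M:%S %z")

def domaininfo_get_times(tomcat_log):
    """Timestamps of every GET of the securityDomain/domainInfo endpoint."""
    times = []
    for line in tomcat_log.splitlines():
        m = TOMCAT_RE.match(line)
        if m and m.group("method") == "GET" and m.group("path") == DOMAININFO_PATH:
            times.append(datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"))
    return times

def correlate_binds(ds_log, tomcat_log, bind_dn, window_s=60):
    """Pair each BIND as bind_dn with its RESULT (same conn/op) and flag whether it
    happened within window_s seconds of a domainInfo GET on the CA."""
    gets, pending, findings = domaininfo_get_times(tomcat_log), {}, []
    for line in ds_log.splitlines():
        m = DS_RE.match(line)
        if not m:
            continue
        key, rest = (m.group("conn"), m.group("op")), m.group("rest")
        if rest.startswith("BIND ") and f'dn="{bind_dn}"' in rest:
            pending[key] = parse_ds_ts(m.group("ts"))
        elif rest.startswith("RESULT ") and key in pending:
            t, err = pending.pop(key), int(re.search(r"err=(\d+)", rest).group(1))
            findings.append({"time": t, "err": err, "invalid_credentials": err == LDAP_INVALID_CREDENTIALS,
                             "near_domaininfo_get": any(abs((t - g).total_seconds()) <= window_s for g in gets)})
    return findings
```

On real logs, replace the two constants with the contents of the master's dirsrv access log and the replica's localhost_access_log; a BIND with err=49 next to the domainInfo GET is the pattern the comment above asks about.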
Closing due to insufficient information.
I can't reproduce this now (sorry for the mail spam).