Installing an IdM replica on RHEL 7.6 fails if the IdM master runs on RHEL 6
With the update of the pki-core package provided by the RHBA-2019:XXXX advisory, certain ciphers are no longer enabled by default in the Identity Management (IdM) Certificate Authority (CA). As a consequence, setting up an IdM server with integrated CA on RHEL 7.6 as a replica of a master running on RHEL 6 fails with a "CRITICAL Failed to configure CA instance" error. To work around the problem, append the following entry to the end of the NSSCipherSuite parameter in the /etc/httpd/conf.d/nss.conf file:
As a result, the IdM installation on RHEL 7.6 no longer fails. Note that installing a CA-less IdM replica on RHEL 7.6 works as expected even without this workaround.
Created attachment 1521546 [details]
pki spwan log file
Description of problem:
pki instance creation fails during replica install on RHEL-7.6 master from RHEL6.10 master.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/28]: configuring certificate server instance
ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp8tf06l' returned non-zero exit status 1
ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipapython.admintool: ERROR CA configuration failed.
ipapython.admintool: ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Install IPA master on RHEL-6.10
2. Copy copy-schema-to-ca.py from 7.6 replica on Master and execute it
3. Generate replica gpg file on RHEL-6.10 master
4. Install replica on 7.6 replica with --setup-ca option
Replica install fails
Replica install should be successful
1. Replica install without --setup-ca option is successful
2. log files of pki instance are attached.
Created attachment 1521547 [details]
ipa replica install log file