Hi,

please keep the list in copy as the resolution steps can often help other
users.

On Fri, Nov 25, 2022 at 4:55 PM Dushyant Khobragade <[email protected]>
wrote:

> Hi Flo,
> Thank you for the response.
> I could see the logs below in /var/log/ipareplica-install.log
> <<Truncated>>>
> 2022-11-25T15:43:46Z DEBUG certmonger request is in state
> 'GENERATING_KEY_PAIR'
> 2022-11-25T15:43:46Z DEBUG certmonger request is in state 'SUBMITTING'
> 2022-11-25T15:44:11Z DEBUG certmonger request is in state 'CA_UNREACHABLE'
> 2022-11-25T15:44:11Z DEBUG Cert request 20221125154346 failed:
> CA_UNREACHABLE (Server at https://innsv01p1.mylab.domain/ipa/json failed
> request, will retry: 4001 (The service principal for subject alt name
> ipa-ca. mylab.domain  in certificate request does not exist).)
>

Is IPA configured as DNS server? You can check with
# ipa config-show | grep DNS
  IPA DNS servers: fedora36.ipa.test

If there is at least one server in the IPA DNS servers list, then IPA is
configured as DNS server. It should contain a DNS record for
ipa-ca.mylab.domain with the IP addresses of all the CA servers:
# ipa dnsrecord-show mylab.domain ipa-ca
  Record name: ipa-ca
  A record: xxx.xxx.xxx.xxx

If you are using an external DNS server, make sure that there is an A
record for ipa-ca. You can generate an update file using
# ipa dns-update-system-records --dry-run


> 2022-11-25T15:44:11Z DEBUG Giving up on cert request 20221125154346
> 2022-11-25T15:44:11Z DEBUG certmonger request is in state 'GENERATING_CSR'
> 2022-11-25T15:44:12Z DEBUG certmonger request is in state 'SUBMITTING'
> 2022-11-25T15:44:13Z DEBUG certmonger request is in state 'POST_SAVED_CERT'
> 2022-11-25T15:44:14Z DEBUG certmonger request is in state 'MONITORING'
> 2022-11-25T15:44:14Z DEBUG Cert request 20221125154411 was successful
> <<Truncated>>>
> ldap.SERVER_DOWN: {'result': -1, 'desc': "Can't contact LDAP server",
> 'ctrls': [], 'info': 'error:1416F086:SSL
> routines:tls_process_server_certificate:certificate verify failed
> (certificate is not yet valid)'}
> 2022-11-25T15:45:40Z CRITICAL Failed to configure CA instance
>
It's not clear if this error or the previous one is the root cause, but the
content of /var/log/pki/pki-ca-spawn.<date>.log on the replica may give
some hints.
*Certificate not yet valid* would strongly suggest that the dates are not
in sync on the master and the replica.

flo


> 2022-11-25T15:45:40Z CRITICAL See the installation logs and the following
> files/directories for more information:
> 2022-11-25T15:45:40Z CRITICAL   /var/log/pki/pki-tomcat
> 2022-11-25T15:45:40Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py",
> line 635, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py",
> line 621, in run_step
>     method()
>   File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py",
> line 627, in __spawn_instance
>     nolog_list=nolog_list
>   File
> "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py",
> line 227, in spawn_instance
>     self.handle_setup_error(e)
>   File
> "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py",
> line 606, in handle_setup_error
>     ) from None
> RuntimeError: CA configuration failed.
> 2022-11-25T15:45:40Z DEBUG   [error] RuntimeError: CA configuration failed.
> 2022-11-25T15:45:40Z DEBUG Removing /root/.dogtag/pki-tomcat/ca
> <<Truncated>>>
>
>
> Thanks & Regards,
> Dushyant
>
> On Fri, Nov 25, 2022 at 7:18 AM Florence Blanc-Renaud <[email protected]>
> wrote:
>
>> Hi,
>>
>> On Fri, Nov 25, 2022 at 3:59 PM dushyant k via FreeIPA-users <
>> [email protected]> wrote:
>>
>>> I am trying to add a new CentOS 8 replica (IPA v4.7) to my existing CentOS
>>> 7 IPA cluster, which has IPA version 4.6.
>>>
>>> I am able to add the CentOS 8 host as an IPA client; however, while adding
>>> it as a replica with setup-ca, it is failing.
>>>
>> Please provide the logs from the failing replica
>> (/var/log/ipareplica-install.log).
>>
>>
>>> Also it would be great if anyone can provide documents on migrating IPA
>>> to centos 8 from centos 7
>>>
>> The doc is available here:
>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/migrating_to_identity_management_on_rhel_8/migrate-7-to-8_migrating
>>
>> HTH,
>> flo
>>
>>
>>> _______________________________________________
>>> FreeIPA-users mailing list -- [email protected]
>>> To unsubscribe send an email to
>>> [email protected]
>>> Fedora Code of Conduct:
>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives:
>>> https://lists.fedorahosted.org/archives/list/[email protected]
>>> Do not reply to spam, report it:
>>> https://pagure.io/fedora-infrastructure/new_issue
>>>
>>
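
Added example, not part of the original thread and not FreeIPA code: a small Python triage of the log lines quoted above (mail line-wrapping rejoined) that groups certmonger states per request and maps the two error signatures to the checks suggested in the reply. The function name `triage` and the hint wording are assumptions of this example.

```python
import re

# Log lines taken from the thread above; wrapped lines rejoined, nothing else changed.
SAMPLE_LOG = """\
2022-11-25T15:43:46Z DEBUG certmonger request is in state 'GENERATING_KEY_PAIR'
2022-11-25T15:43:46Z DEBUG certmonger request is in state 'SUBMITTING'
2022-11-25T15:44:11Z DEBUG certmonger request is in state 'CA_UNREACHABLE'
2022-11-25T15:44:11Z DEBUG Cert request 20221125154346 failed: CA_UNREACHABLE (Server at https://innsv01p1.mylab.domain/ipa/json failed request, will retry: 4001 (The service principal for subject alt name ipa-ca. mylab.domain  in certificate request does not exist).)
2022-11-25T15:44:11Z DEBUG Giving up on cert request 20221125154346
2022-11-25T15:44:11Z DEBUG certmonger request is in state 'GENERATING_CSR'
2022-11-25T15:44:12Z DEBUG certmonger request is in state 'SUBMITTING'
2022-11-25T15:44:13Z DEBUG certmonger request is in state 'POST_SAVED_CERT'
2022-11-25T15:44:14Z DEBUG certmonger request is in state 'MONITORING'
2022-11-25T15:44:14Z DEBUG Cert request 20221125154411 was successful
ldap.SERVER_DOWN: {'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': [], 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (certificate is not yet valid)'}
2022-11-25T15:45:40Z CRITICAL Failed to configure CA instance
"""

STATE = re.compile(r"certmonger request is in state '(\w+)'")
RESULT = re.compile(r"Cert request (\d+) (failed|was successful)")
# Error signature -> check suggested in the reply (hint wording is this example's own).
HINTS = [
    (re.compile(r"service principal for subject alt name"),
     "check the ipa-ca DNS record: ipa dnsrecord-show <domain> ipa-ca"),
    (re.compile(r"certificate is not yet valid"),
     "compare system time on the master and the replica"),
]

def triage(log):
    """Return (requests, findings, first_critical_line) for an install log."""
    requests, states, findings, critical = [], [], [], None
    for n, line in enumerate(log.splitlines(), 1):
        m = STATE.search(line)
        if m:
            states.append(m.group(1))
        m = RESULT.search(line)
        if m:  # a result line closes the state sequence of one request
            requests.append({"id": m.group(1), "ok": m.group(2) != "failed",
                             "states": states})
            states = []
        findings += [(n, hint) for pat, hint in HINTS if pat.search(line)]
        if critical is None and " CRITICAL " in line:
            critical = n
    return requests, findings, critical

if __name__ == "__main__":
    reqs, found, crit = triage(SAMPLE_LOG)
    for r in reqs:
        print(r["id"], "ok" if r["ok"] else "FAILED", "->".join(r["states"]))
    for n, hint in found:
        print(f"line {n}: {hint}")
    print("first CRITICAL at line", crit)
```

The output shows the ordering only: the first request ends in CA_UNREACHABLE, the retry succeeds, and the TLS "not yet valid" error is the last signature before the CRITICAL line.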