Hi Rob,

I see CentOS 7.9 has IPA VERSION 4.6 and Alma Linux 8.6 has IPA version 4.9.
So direct jump from ipa version 4.6 to 4.9 will work or do I need to do intermediate updates?

Thank you

On Wed, Nov 30, 2022, 2:03 AM Rob Crittenden <[email protected]> wrote:

> Dushyant Khobragade via FreeIPA-users wrote:
> > Hi Flo,
> >
> > Thanks, I was able to resolve the issue by following your feedback.
> > It was time sync issue between IPA master and new IPA replica.
> >
> > Moving further, I would like to check with you on recommended path on
> > upgrading IPA from Centos 7.9 (IPA v 4.6) to Alma Linux 8.6. Can we
> > directly add linux 8.6 replica on existing Centos 7.9 IPA master and
> > then promote it to CA certificate renewal node and decommission older
> > version.
>
> Yes.
>
> There is documentation guide on upgrading:
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/migrating_to_identity_management_on_rhel_8/index
>
> rob
>
> > Thanks & Regards,
> > Dushyant
> >
> > On Fri, Nov 25, 2022 at 9:01 AM Florence Blanc-Renaud <[email protected]> wrote:
> >
> > > Hi,
> > >
> > > please keep the list in copy as the resolution steps can often help
> > > other users.
> > >
> > > On Fri, Nov 25, 2022 at 4:55 PM Dushyant Khobragade <[email protected]> wrote:
> > >
> > > > Hi Flo,
> > > > Thank you for response.
> > > > I could see below logs in /var/log/ipareplica-install.log
> > > > <<Truncated>>>
> > > > 2022-11-25T15:43:46Z DEBUG certmonger request is in state 'GENERATING_KEY_PAIR'
> > > > 2022-11-25T15:43:46Z DEBUG certmonger request is in state 'SUBMITTING'
> > > > 2022-11-25T15:44:11Z DEBUG certmonger request is in state 'CA_UNREACHABLE'
> > > > 2022-11-25T15:44:11Z DEBUG Cert request 20221125154346 failed: CA_UNREACHABLE (Server at https://innsv01p1.mylab.domain/ipa/json failed request, will retry: 4001 (The service principal for subject alt name ipa-ca. mylab.domain in certificate request does not exist).)
> > >
> > > Is IPA configured as DNS server? You can check with
> > > # ipa config-show | grep DNS
> > >   IPA DNS servers: fedora36.ipa.test
> > >
> > > If there is at least one server in the IPA DNS servers list, then
> > > IPA is configured as DNS server. It should contain a DNS record for
> > > ipa-ca.mylab.domain with the IP addresses of all the CA servers:
> > > # ipa dnsrecord-show mylab.domain ipa-ca
> > >   Record name: ipa-ca
> > >   A record: xxx.xxx.xxx.xxx
> > >
> > > If you are using an external DNS server, make sure that there is an
> > > A record for ipa-ca. You can generate an update file using
> > > # ipa dns-update-system-records --dry-run
> > >
> > > > 2022-11-25T15:44:11Z DEBUG Giving up on cert request 20221125154346
> > > > 2022-11-25T15:44:11Z DEBUG certmonger request is in state 'GENERATING_CSR'
> > > > 2022-11-25T15:44:12Z DEBUG certmonger request is in state 'SUBMITTING'
> > > > 2022-11-25T15:44:13Z DEBUG certmonger request is in state 'POST_SAVED_CERT'
> > > > 2022-11-25T15:44:14Z DEBUG certmonger request is in state 'MONITORING'
> > > > 2022-11-25T15:44:14Z DEBUG Cert request 20221125154411 was successful
> > > > <<Truncated>>>
> > > > ldap.SERVER_DOWN: {'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': [], 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (certificate is not yet valid)'}
> > > > 2022-11-25T15:45:40Z CRITICAL Failed to configure CA instance
> > >
> > > It's not clear if this error or the previous one is the root cause,
> > > but the content of /var/log/pki/pki-ca-spawn.<date>.log on the
> > > replica may give some hints.
> > > /Certificate not yet valid/ would strongly suggest that the dates
> > > are not in sync on the master and the replica.
> > >
> > > flo
> > >
> > > > 2022-11-25T15:45:40Z CRITICAL See the installation logs and the following files/directories for more information:
> > > > 2022-11-25T15:45:40Z CRITICAL /var/log/pki/pki-tomcat
> > > > 2022-11-25T15:45:40Z DEBUG Traceback (most recent call last):
> > > >   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
> > > >     run_step(full_msg, method)
> > > >   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
> > > >     method()
> > > >   File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 627, in __spawn_instance
> > > >     nolog_list=nolog_list
> > > >   File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
> > > >     self.handle_setup_error(e)
> > > >   File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 606, in handle_setup_error
> > > >     ) from None
> > > > RuntimeError: CA configuration failed.
> > > > 2022-11-25T15:45:40Z DEBUG [error] RuntimeError: CA configuration failed.
> > > > 2022-11-25T15:45:40Z DEBUG Removing /root/.dogtag/pki-tomcat/ca
> > > > >>Truncated>>
> > > >
> > > > Thanks & Regards,
> > > > Dushyant
> > > >
> > > > On Fri, Nov 25, 2022 at 7:18 AM Florence Blanc-Renaud <[email protected]> wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > On Fri, Nov 25, 2022 at 3:59 PM dushyant k via FreeIPA-users <[email protected]> wrote:
> > > > >
> > > > > > I am trying to add new replica Centos 8 IPA v.4.7 to my
> > > > > > existing centos 7 IPA cluster which has IPA version 4.6
> > > > > >
> > > > > > I am able to add centos 8 replica as ipa client, however,
> > > > > > while adding as replica with setup-ca, it is failing.
> > > > >
> > > > > Please provide the logs from the failing replica
> > > > > (/var/log/ipareplica-install.log).
> > > > >
> > > > > > Also it would be great if anyone can provide documents
> > > > > > on migrating IPA to centos 8 from centos 7
> > > > >
> > > > > The doc is available here:
> > > > > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/migrating_to_identity_management_on_rhel_8/migrate-7-to-8_migrating
> > > > >
> > > > > HTH,
> > > > > flo
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
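
An added example, not part of the thread and not FreeIPA code: a small triage pass over `ipareplica-install.log` that separates the two failures discussed above (the missing `ipa-ca` service principal and the "certificate is not yet valid" TLS error that pointed to the time sync problem). The sample log is constructed from the excerpt quoted in the thread; the finding names and hint strings are this example's own.

```python
import re

# Constructed sample modelled on the /var/log/ipareplica-install.log excerpt
# quoted in the thread (one log record per line).
SAMPLE_LOG = """\
2022-11-25T15:44:11Z DEBUG certmonger request is in state 'CA_UNREACHABLE'
2022-11-25T15:44:11Z DEBUG Cert request 20221125154346 failed: CA_UNREACHABLE (Server at https://innsv01p1.mylab.domain/ipa/json failed request, will retry: 4001 (The service principal for subject alt name ipa-ca.mylab.domain in certificate request does not exist).)
2022-11-25T15:44:11Z DEBUG Giving up on cert request 20221125154346
2022-11-25T15:44:14Z DEBUG Cert request 20221125154411 was successful
ldap.SERVER_DOWN: {'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': [], 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (certificate is not yet valid)'}
2022-11-25T15:45:40Z CRITICAL Failed to configure CA instance
"""

# (finding name, pattern); the finding names are labels chosen for this example.
PATTERNS = [
    ("cert-request-failed", re.compile(r"Cert request (\d+) failed: (\w+)")),
    ("cert-request-ok", re.compile(r"Cert request (\d+) was successful")),
    ("missing-principal", re.compile(
        r"service principal for subject alt name (\S+) in certificate request does not exist")),
    ("tls-verify-failed", re.compile(r"certificate verify failed \(([^)]+)\)")),
    ("critical", re.compile(r"^\S+Z CRITICAL (.+)$")),
]

# Hints restate the checks suggested in the thread; they are not FreeIPA output.
HINTS = {
    "missing-principal": "check the ipa-ca record: ipa dnsrecord-show <zone> ipa-ca",
    "tls-verify-failed": "compare the clocks on the master and the replica",
}

def triage(log_text):
    """Return (kind, detail) findings in the order they appear in the log."""
    findings = []
    for line in log_text.splitlines():
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if m:
                findings.append((kind, " ".join(m.groups())))
    return findings

def clock_skew_suspected(findings):
    """True when TLS verification failed because a certificate is not yet valid."""
    return any(k == "tls-verify-failed" and "not yet valid" in d for k, d in findings)

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for kind, detail in results:
        print(f"{kind:20} {detail}  {HINTS.get(kind, '')}".rstrip())
    print("clock skew suspected:", clock_skew_suspected(results))
```

On the sample, the failed certificate request is followed by a later successful one, while the TLS verification error is the last finding before the CRITICAL line.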
