[Freeipa-users] Re: IPA Replica installation is failing - Missing certificate Server-Cert cert-pki-ca a

[Rob Crittenden via FreeIPA-users]

Try this:
$ pki-server sd-subsystem-find

You should get basically nothing because we know its empty.

Populate it with your server:
$ pki-server sd-subsystem-add --subsystem CA --hostname ipa.example.test
    --secure-port 443 "CA ipa.example.test 443"

Be sure to replace both instances of 'ipa.example.test' with your CA
hostname.

Then try your replica install again.

rob

John Tor via FreeIPA-users wrote:
> [root@server ~]#  ipa server-role-find --status enabled
> ----------------------
> 2 server roles matched
> ----------------------
>   Server name: ipa.example.test
>   Role name: CA server
>   Role status: enabled
> 
>   Server name: ipa.example.test
>   Role name: DNS server
>   Role status: enabled
> ----------------------------
> Number of entries returned 2
> ----------------------------
> [root@server ~]# ldapsearch -x -D 'cn=directory manager' -W -b "ou=Security 
> Domain,o=ipaca"
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <ou=Security Domain,o=ipaca> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
> 
> # Security Domain, ipaca
> dn: ou=Security Domain,o=ipaca
> objectClass: top
> objectClass: pkiSecurityDomain
> name: IPA
> ou: Security Domain
> 
> # CAList, Security Domain, ipaca
> dn: cn=CAList,ou=Security Domain,o=ipaca
> objectClass: top
> objectClass: pkiSecurityGroup
> cn: CAList
> 
> # OCSPList, Security Domain, ipaca
> dn: cn=OCSPList,ou=Security Domain,o=ipaca
> objectClass: top
> objectClass: pkiSecurityGroup
> cn: OCSPList
> 
> # KRAList, Security Domain, ipaca
> dn: cn=KRAList,ou=Security Domain,o=ipaca
> objectClass: top
> objectClass: pkiSecurityGroup
> cn: KRAList
> 
> # RAList, Security Domain, ipaca
> dn: cn=RAList,ou=Security Domain,o=ipaca
> objectClass: top
> objectClass: pkiSecurityGroup
> cn: RAList
> 
> # TKSList, Security Domain, ipaca
> dn: cn=TKSList,ou=Security Domain,o=ipaca
> objectClass: top
> objectClass: pkiSecurityGroup
> cn: TKSList
> 
> # TPSList, Security Domain, ipaca
> dn: cn=TPSList,ou=Security Domain,o=ipaca
> objectClass: top
> objectClass: pkiSecurityGroup
> cn: TPSList
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 8
> # numEntries: 7
> [root@srvad01 ~]#
> 

-- 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue