Thanks so much, you've been a big help. I'll give it a whack tomorrow morning. Thanks again.
Corey

On Aug 17, 2010, at 3:06 PM, Rob Crittenden <[email protected]> wrote:

> Hemminger, Corey Lee. [[email protected]] wrote:
>> OK, I did the updates, and edited the python files. Now when I try to run the
>> replica install I get:
>>
>> [r...@earth bcrl]# ipa-replica-install
>> /var/lib/ipa/replica-info-earth.bcrl.stcloudstate.edu.gpg -N --setup-dns
>> --no-forwarder
>> Directory Manager (existing master) password:
>>
>> root : ERROR Cannot find Reverse Address for
>> earth.bcrl.stcloudstate.edu (3.2.0.10.in-addr.arpa.)
>>
>> I had this when installing the ipa-server and there was a --no-dns-lookup
>> option but not with the replica. Before the testing updates, I did get a
>> warning about the server not working for DNS lookup but still went ahead
>> with install. I'm looking to set these two up and make them the DNS servers
>> and currently have a simple dns setup that will get replaced by this setup.
>> How do I get around the reverse address lookup on the replica install side?
>> Thanks again for all the help.
>
> You'll need to modify /usr/sbin/ipa-replica-install. Look for the
> function get_host_name(). You'll want to comment out the 5 lines
> starting with try:. The comment character in python is the hash #. This
> will cause it to skip the call to verify_fqdn() and your install should
> proceed.
>
> I've opened a ticket to add this functionality to ipa-replica-install:
> https://fedorahosted.org/freeipa/ticket/146
>
> rob
>
>>
>> Corey-
>> ________________________________________
>> From: Rob Crittenden [[email protected]]
>> Sent: Monday, August 16, 2010 2:49 PM
>> To: Hemminger, Corey Lee. [[email protected]]
>> Cc: [email protected]
>> Subject: Re: [Freeipa-users] FreeIPA v2.0 alpha4 replica installation
>> problems
>>
>> Hemminger, Corey Lee. [[email protected]] wrote:
>>> I'm using fedora 13 amd-64 version. I added the developers repo from
>>> freeIPA.com for V2.0 and then did a yum install ipa-server so whichever
>>> version it installed. I'm looking at dogtag and one of the packages says
>>> 1.3.1-2.fc13 and the other 2 packages for dogtag say 1.3.2-2.fc13; for the
>>> pki dogtag package it says 1.3.7-1.fc13. All the packages read 1.3.something,
>>> the pki-silent-1.3.3-1.fc13 package if that helps. I also attached the two
>>> files you asked to check. I attached the ipa-serv_deplist that I created
>>> from running "yum deplist ipa-server" and it has all the packages and
>>> version numbers. Sorry for the choppy e-mail, I'm writing and looking up the
>>> stuff in pieces.
>>
>> Can you update the pki-* and dogtag-* packages from the updates-testing
>> repo? There are a number of important fixes there.
>>
>> It is also going to break your replica install because a new required
>> option has been added to pkisilent. You'll need to modify
>> /usr/lib/python*/site-packages/ipaserver/install/cainstance.py
>>
>> Search for pkisilent. We create a python list of the command to execute.
>> You want to patch it like this (the numbers might not exactly line up):
>>
>> @@ -535,6 +524,7 @@ class CAInstance(service.Service):
>> "-db_name", "ipaca",
>> "-key_size", "2048",
>> "-key_type", "rsa",
>> + "-key_algorithm", "SHA256withRSA",
>> "-save_p12", "true",
>> "-backup_pwd", self.admin_password,
>> "-subsystem_name", self.service_name,
>>
>> You *might* be able to get away with just updating dogtag on the
>> replica, I'm not sure.
>>
>> rob
>>
>>> ________________________________________
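Review bot: the added `"-key_algorithm", "SHA256withRSA"` argument ties cainstance.py to a pkisilent new enough to accept that option, which the surrounding reply says only arrives with the updates-testing pki-*/dogtag-* packages; pairing the hunk with a versioned package dependency (or at least a comment stating the minimum pkisilent) would turn an older pkisilent's opaque non-zero exit into a clear failure. The algorithm string is also coupled to the `"-key_type", "rsa"` context line two lines above it: if the key type is ever made configurable, the algorithm has to follow it, so deriving it from the key type or noting the coupling in a comment would avoid a silent mismatch later.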
>>> From: Rob Crittenden [[email protected]]
>>> Sent: Monday, August 16, 2010 12:35 PM
>>> To: Hemminger, Corey Lee. [[email protected]]
>>> Cc: [email protected]
>>> Subject: Re: [Freeipa-users] FreeIPA v2.0 alpha4 replica installation
>>> problems
>>>
>>> Hemminger, Corey Lee. [[email protected]] wrote:
>>>> Hi,
>>>> I'm a student admin for St. Cloud State University's Business Computing
>>>> Research Lab, and we run our own separate network inside the campus
>>>> network with dedicated internet feeds and hardware for professors' research
>>>> as well as master's and bachelor's student research and labs. We have many
>>>> computers set up for workstations, clusters, clouds, etc... and I'm trying
>>>> to set up a redundant FreeIPA v2.0 in virtual box to help manage the
>>>> systems and control access to machines. I have set up the master with no
>>>> problems, but when creating the replica I run the command
>>>> "ipa-replica-install -N --setup-dns /var/lib/ipa/replica-file-from-master"
>>>> and I get this error output. It created the directory fine but is having
>>>> trouble with the certs. I have disabled the firewalls on both and selinux
>>>> hoping they would help but still same problem.
>>>>
>>>> [r...@earth bcrl]# ipa-replica-install
>>>> /var/lib/ipa/replica-info-earth.bcrl.stcloudstate.edu.gpg -N --setup-dns
>>>> --no-forwarders
>>>>
>>>> An existing Directory Server has been detected.
>>>> Do you wish to remove it and create a new one? [no]: yes
>>>> Directory Manager (existing master) password:
>>>>
>>>> Warning: Hostname (earth.bcrl.stcloudstate.edu) not found in DNS
>>>> Configuring directory server for the CA:
>>>> [1/4]: creating directory server user
>>>> [2/4]: creating directory server instance
>>>> [3/4]: configuring directory to start on boot
>>>> [4/4]: restarting directory server
>>>> done configuring pkids.
>>>> Configuring certificate server:
>>>> [1/9]: creating certificate server user
>>>> [2/9]: configuring certificate server instance
>>>> root : CRITICAL failed to restart ca instance Command
>>>> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
>>>> earth.bcrl.stcloudstate.edu -cs_port 9445 -client_certdb_dir
>>>> /tmp/tmp-vemQSV -client_certdb_pwd XXXXXXXX -preop_pin
>>>> yhiJojW06gxaPrkvOJOK -domain_name IPA -admin_user admin -admin_email
>>>> r...@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent
>>>> -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject
>>>> "CN=ipa-ca-agent,O=IPA" -ldap_host earth.bcrl.stcloudstate.edu -ldap_port
>>>> 7389 -bind_dn "cn=Directory Manager" -bind_password XXXXXXXX -base_dn
>>>> o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -save_p12 true
>>>> -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal
>>>> -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IPA"
>>>> -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IPA"
>>>> -ca_server_cert_subject_name "CN=earth.bcrl.stcloudstate.edu,O=IPA"
>>>> -ca_audit_signing_cert_subject_name "CN=CA Audit,O=IPA"
>>>> -ca_sign_cert_subject_name "CN=Certificate Authority,O=IPA" -external false
>>>> -clone true -clone_p12_file ca.p12
>>>> -clone_p12_password XXXXXXXX -sd_hostname zeus.bcrl.stcloudstate.edu
>>>> -sd_admin_port 9445 -sd_admin_name admin -sd_admin_password XXXXXXXX
>>>> -clone_uri https://zeus.bcrl.stcloudstate.edu:9444' returned non-zero exit
>>>> status 255
>>>> [3/9]: creating RA agent certificate database
>>>> [4/9]: importing CA chain to RA certificate database
>>>> creation of replica failed: Unable to retrieve CA chain: Retrieving CA
>>>> cert chain failed: Error: Failed to get certificate chain.
>>>>
>>>> Your system may be partly configured.
>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>
>>>> Thanks for any help,
>>>> Corey
>>>
>>> Heh, I guess I didn't fat-finger this after all...
>>>
>>> What distro is this?
>>>
>>> What version of pki-* and dogtag-* do you have installed? Can you look
>>> at /var/log/ipareplica-install.log to see if there are any more details
>>> on the failure? /var/log/pki-ca/debug would also be a place to look
>>> though be forewarned, it is quite verbose and daunting (and has a number
>>> of red herrings, particularly warnings about cipher failures).
>>>
>>> We had some problems creating dogtag clones while creating IPA replicas
>>> in the recent past and it would fail in the pkisilent step. This may be
>>> another case of that or it may be that our current requires don't pull
>>> in the right set of dogtag packages.
>>>
>>> rob
>>
>
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
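The reverse-lookup check the replica install trips over in the thread above ("Cannot find Reverse Address for ... (3.2.0.10.in-addr.arpa.)"), reconstructed as an added stand-alone illustration rather than FreeIPA's own verify_fqdn(): the name must forward-resolve, the address must own a PTR record, and that PTR must name the same host. Lookups are injected and the zone data (the zeus/mars addresses and the stale PTR) is constructed, so it runs offline; the earth address 10.0.2.3 is the one the error's in-addr.arpa name implies.

```python
# Reverse-DNS consistency check of the kind ipa-replica-install performs.
# Added illustration, not FreeIPA's own verify_fqdn(): lookups are injected
# so the check runs offline against a constructed zone.
import ipaddress
from typing import Callable, Optional

Lookup = Callable[[str], Optional[str]]  # DNS name -> record data, or None if absent


def reverse_name(ip: str) -> str:
    """PTR owner name for an address, e.g. 10.0.2.3 -> 3.2.0.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def verify_fqdn(host: str, forward: Lookup, reverse: Lookup) -> str:
    """Return the verified address, or raise ValueError naming the failed condition."""
    if host.count(".") < 2 or host != host.lower():
        raise ValueError(f"{host!r} is not a lowercase fully qualified name")
    ip = forward(host)                      # the name must have an address ...
    if ip is None:
        raise ValueError(f"Hostname ({host}) not found in DNS")
    ptr_name = reverse_name(ip)
    target = reverse(ptr_name)              # ... the address must have a PTR ...
    if target is None:
        raise ValueError(f"Cannot find Reverse Address for {host} ({ptr_name})")
    if target.rstrip(".") != host:          # ... and the PTR must point back at the name
        raise ValueError(f"Reverse Address for {host} ({ptr_name}) is {target}, not {host}")
    return ip


# Constructed zone: master with matching A/PTR, replica with A but no PTR,
# and a host whose PTR still names a stale hostname.
A_RECORDS = {"zeus.bcrl.stcloudstate.edu": "10.0.2.2",
             "earth.bcrl.stcloudstate.edu": "10.0.2.3",
             "mars.bcrl.stcloudstate.edu": "10.0.2.4"}
PTR_RECORDS = {"2.2.0.10.in-addr.arpa.": "zeus.bcrl.stcloudstate.edu.",
               "4.2.0.10.in-addr.arpa.": "oldmars.bcrl.stcloudstate.edu."}


def check(host: str) -> str:
    """Run verify_fqdn against the constructed zone; 'ok <ip>' or the error text."""
    try:
        return "ok " + verify_fqdn(host, A_RECORDS.get, PTR_RECORDS.get)
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    for name in A_RECORDS:
        print(check(name))
```

Only the master passes; the replica reproduces the thread's exact error because the reverse zone has no 3.2.0.10 entry, which is what adding the PTR record (rather than commenting out the check) fixes.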
