On 02/19/2015 05:14 PM, Dmitri Pal wrote:
> On 02/19/2015 10:07 AM, Jani West wrote:
>> Trying to migrate from CentOS 6.6 with FreeIPA 3.0.0-42 to CentOS 7.0 with
>> FreeIPA 3.3.3-28 by using replication.
>>
>> I have prepared the replication file and moved it to the new replica server.
>> Configured firewalld and installed IPA and the other needed packages via yum.
>>
>> When running "ipa-replica-install --setup-ca -d", the installation always gets
>> stuck on:
>>
>> ----------------------------------------------------------------------
>> "Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
>> [2/19]: configuring certificate server instance
>> ipa : DEBUG Starting external process
>> ipa : DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5
>> ipa : DEBUG Process finished, return code=1
>> ipa : DEBUG stdout=Loading deployment configuration from /tmp/tmpHJBhR5.
>> Installing CA into /var/lib/pki/pki-tomcat.
>> Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>> Installation failed.
>>
>>
>> ipa : DEBUG stderr=pkispawn : WARNING ....... unable to validate security domain user/password through REST interface. Interface not available
>> pkispawn : ERROR ....... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: java.io.IOException: SocketException cannot read on socket
>>
>> ipa : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpHJBhR5' returned non-zero exit status 1
>> ----------------------------------------------------------------------
>>
>> Between the attempts I have cleaned up the ipa and pki configurations and
>> deleted the old replication agreement.
>>
>>
>> Apache logs on the old CentOS 6 server have these errors.
>> ----------------------------------------------------------------------
>> 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1158
>> 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST /ca/admin/ca/updateDomainXML HTTP/1.0" 404 -
>> 192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST /ca/agent/ca/updateDomainXML HTTP/1.0" 403 323
>> [Thu Feb 19 11:38:44 2015] [error] Bad remote server certificate: -8181
>> [Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate has expired
>> [Thu Feb 19 11:38:44 2015] [error] Re-negotiation handshake failed: Not accepted by client!?
>> ----------------------------------------------------------------------
>>
>> What certificate does this mean? ca.crt has more than five years left.
>>
>> Clocks are synced, /ca/admin/ca/updateDomainXML can be found in
>> ipa-pki-proxy.conf and there is no obvious reason. Any hints?
>
> Are CA ports accessible on your master? Can you check your FW please?
>
This line makes me think that expired certs may be involved:

[Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate has expired

CCing JanCh, who has the best context in this area.
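As an added example (not part of the thread, and not FreeIPA's or Dogtag's own tooling), here is a small Python triage script that does the kind of check the reply above points at over the master's Apache logs: it parses access-log and error-log lines, flags security-domain calls that were rejected with a 4xx, and maps NSS error codes such as -8181 to their names so an expired-certificate handshake failure is not missed among the HTTP noise. The sample lines are constructed after the excerpt in the thread, the `NSS_ERRORS` table is the writer's own lookup (names taken from NSS's secerr.h), and the follow-up hints in `next_check` (listing certmonger-tracked certificates with `getcert list`) are assumptions about what a defender would look at next rather than anything the thread states.

```python
import re
from typing import Dict, List, Tuple

# NSS error codes by name (from NSS's secerr.h); -8181 is the code in the thread.
NSS_ERRORS = {
    -8181: "SEC_ERROR_EXPIRED_CERTIFICATE",
    -8179: "SEC_ERROR_UNKNOWN_ISSUER",
}

# Security-domain endpoints that pkispawn calls on the master while a CA replica
# is being set up; a 4xx on updateDomainXML is the failure the thread shows.
DOMAIN_PATHS = {
    "/ca/admin/ca/getDomainXML",
    "/ca/admin/ca/updateDomainXML",
    "/ca/agent/ca/updateDomainXML",
}

# Apache common/combined access-log line and Apache 2.2 error-log line.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)
ERROR_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$')
NSS_CODE_RE = re.compile(r'(-\d{4})\b')

# Constructed sample modelled on the thread's log excerpt (not the poster's
# actual file); the IP and timestamps are placeholders.
SAMPLE_LOG = """\
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST /ca/admin/ca/getDomainXML HTTP/1.0" 200 1158
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST /ca/admin/ca/updateDomainXML HTTP/1.0" 404 -
192.168.177.8 - - [19/Feb/2015:11:38:44 +0200] "POST /ca/agent/ca/updateDomainXML HTTP/1.0" 403 323
[Thu Feb 19 11:38:44 2015] [error] Bad remote server certificate: -8181
[Thu Feb 19 11:38:44 2015] [error] SSL Library Error: -8181 Certificate has expired
[Thu Feb 19 11:38:44 2015] [error] Re-negotiation handshake failed: Not accepted by client!?
"""


def triage(log_text: str) -> Dict[str, object]:
    """Classify mixed access/error log lines from the master's CA vhost.

    Returns the rejected security-domain calls, every NSS error code seen,
    and whether an expired-certificate error (-8181) is among them.
    """
    rejected: List[Tuple[str, int]] = []
    nss_codes: List[int] = []
    findings: List[str] = []
    unparsed = 0

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ACCESS_RE.match(line)
        if m:
            path, status = m.group("path"), int(m.group("status"))
            if path in DOMAIN_PATHS and status >= 400:
                rejected.append((path, status))
                findings.append(f"{path} answered HTTP {status} to {m.group('ip')}")
            continue
        m = ERROR_RE.match(line)
        if m:
            for code_str in NSS_CODE_RE.findall(m.group("msg")):
                code = int(code_str)
                nss_codes.append(code)
                name = NSS_ERRORS.get(code, "unmapped NSS error")
                findings.append(f"NSS {code} ({name}): {m.group('msg')}")
            continue
        unparsed += 1

    return {
        "rejected": rejected,
        "nss_codes": nss_codes,
        "expired_cert": -8181 in nss_codes,
        "findings": findings,
        "unparsed": unparsed,
    }


def next_check(result: Dict[str, object]) -> str:
    """Suggest the defender's next step; the getcert hint is an assumption."""
    if result["expired_cert"]:
        # A valid ca.crt says nothing about the CA subsystem and Apache certs
        # that certmonger tracks; listing them is the natural next check.
        return "run 'getcert list' on the master and check each tracked cert's expiry"
    if result["rejected"]:
        return "check the CA ports and proxy config on the master (updateDomainXML rejected)"
    return "no security-domain or NSS errors found in this excerpt"


if __name__ == "__main__":
    res = triage(SAMPLE_LOG)
    for finding in res["findings"]:
        print(finding)
    print("next:", next_check(res))
```

Run it as-is to see the four findings from the sample, or feed it `cat /var/log/httpd/access_log /var/log/httpd/error_log` output from the master; unparsed lines are counted rather than dropped silently so a different log format shows up as a number rather than an empty result.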
