#4213 Replica install with --setup-ca fails on F20 (master F18 with split instances)
Closed: Fixed None Opened 10 years ago by simo.

Installation fails while setting up the CA, these are the errors in install log:

pkispawn : WARNING ....... unable to validate security domain user/password through REST interface. Interface not available
pkispawn : ERROR ....... Exception from Java Configuration Servlet: Invalid clone URI provided. Does not match the available subsystems in the security domain


This issue is due to the fact that we hardcode the cloneUri of the master to be at port 443, which is not the case for old masters.

Mine uses port 9444; we should detect what the port is, not hardcode it.

Another issue is that older ipa-replica-prepare scripts do not refresh /root/cacert.p12, so the replica will get expired certs (if the master is old and went through one or more cert refreshes) and will fail to clone the CA.
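A quick way to confirm the stale-/root/cacert.p12 symptom before attempting the replica install is to list every certificate in the bundle and check its expiry. The script below is an added example for this thread, not FreeIPA code; it assumes only the openssl command-line tool, takes the bundle path and its password as arguments, and includes a helper that builds a throwaway (constructed) PKCS#12 file so the check can be tried without touching the real bundle.

```shell
#!/bin/sh
# Added example (not FreeIPA code): report expired or soon-to-expire
# certificates inside a PKCS#12 bundle such as /root/cacert.p12.
# Usage: check_p12_expiry <bundle.p12> <password> [days]
#   exits 0 when every certificate is still valid for at least <days> days,
#   1 when at least one certificate is expired or expires within <days> days.

check_p12_expiry() {
    p12="$1"
    pass="$2"
    days="${3:-0}"
    secs=$((days * 86400))
    work=$(mktemp -d) || return 2
    # Dump only the certificates (no private key) as PEM, then split the
    # stream into one file per certificate so each can be inspected alone.
    openssl pkcs12 -in "$p12" -nokeys -passin "pass:$pass" 2>/dev/null \
        | awk -v dir="$work" '
            /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
            out != "" { print > out }
            /-----END CERTIFICATE-----/ { close(out); out = "" }'
    bad=0
    for f in "$work"/cert*.pem; do
        [ -e "$f" ] || continue
        subj=$(openssl x509 -in "$f" -noout -subject)
        end=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
        # -checkend N succeeds only if the cert is still valid N seconds from now.
        if openssl x509 -in "$f" -noout -checkend "$secs" >/dev/null; then
            echo "OK       $subj (expires $end)"
        else
            echo "EXPIRING $subj (expires $end)"
            bad=$((bad + 1))
        fi
    done
    rm -rf "$work"
    [ "$bad" -eq 0 ]
}

# Constructed sample input: a throwaway self-signed cert valid for one day,
# wrapped into a PKCS#12 file, so the check can be exercised offline.
make_sample_p12() {
    out="$1"
    pass="$2"
    d=$(mktemp -d) || return 2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=constructed sample CA' \
        -keyout "$d/key.pem" -out "$d/cert.pem" >/dev/null 2>&1 || return 2
    openssl pkcs12 -export -in "$d/cert.pem" -inkey "$d/key.pem" \
        -out "$out" -passout "pass:$pass" || return 2
    rm -rf "$d"
}

# Stand-alone use: sh check_p12.sh /root/cacert.p12 'password' [days]
if [ $# -ge 2 ]; then
    check_p12_expiry "$1" "$2" "${3:-30}"
fi
```

A non-zero exit with EXPIRING lines is exactly the state the comment above describes; refreshing the bundle on the master is the fix. Note that bundles written by older IPA releases may use legacy PKCS#12 encryption, which OpenSSL 3 refuses by default; in that case add `-legacy` to the `openssl pkcs12 -in` call.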

Replying to [comment:3 simo]:

Another issue is that older ipa-replica-prepare scripts do not refresh /root/cacert.p12, so the replica will get expired certs (if the master is old and went through one or more cert refreshes) and will fail to clone the CA.

note: this is fixed in master, so probably this is just a backport for older systems like F18 or RHEL6/CentOS6

Replying to [comment:4 simo]:

Replying to [comment:3 simo]:

Another issue is that older ipa-replica-prepare scripts do not refresh /root/cacert.p12, so the replica will get expired certs (if the master is old and went through one or more cert refreshes) and will fail to clone the CA.

note: this is fixed in master, so probably this is just a backport for older systems like F18 or RHEL6/CentOS6

But note that the master code does not check which alias database it should use, so a direct port would fail, as new dogtag instances use /etc/pki/pki-tomcat/* paths but old ones used /etc/pki-ca and /var/lib/pki-cad/alias ...

note: this is fixed in master, so probably this is just a backport for older systems like F18 or RHEL6/CentOS6

Do we know which patch fixes it and what release it was introduced in? Maybe it is already fixed in RHEL6.5. Can we check?

I think we are diving too deep into what to fix. I do not plan to do any new FreeIPA 3.0.x build; I think we just need to fix FreeIPA 3.3.4 so that it can be created as a replica of F18 FreeIPA, and prepare a procedure/help to hotfix old FreeIPA so that the migration can continue.

Replying to [comment:6 dpal]:

note: this is fixed in master, so probably this is just a backport for older systems like F18 or RHEL6/CentOS6

Do we know which patch fixes it and what release it was introduced in? Maybe it is already fixed in RHEL6.5. Can we check?

We can. Simo, what patch exactly do you mean by "this"?

I think the only related documentation to updating /root/cacert.p12 is this howto.

We discussed this ticket in yesterday's devel meeting and scoped it. Here is the list of all identified issues and proposed actions:

  • Old IPA server proxy is missing: Simo to add the proxy in his old F18 instance so that the new instance can connect to port 443, and ideally document the process
  • /root/cacert.p12 was not updated and had old, expired certs in it: Simo to use the following guide to refresh the cert: http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
  • ipa-replica-conncheck does not check the right port - this is something we need to fix in 3.3.x - ticket #4240 created.

It would also be beneficial to document the list of all workarounds needed for replicating from old masters to a new FreeIPA master, and potentially extend the Troubleshooting page.

Lowering the priority to critical, as the only identified issue we want to fix is ipa-replica-conncheck.

We also found that a second F20 replica with CA may not be installable due to a missing D9 database migration: #4243.

#4240 was fixed:

master:

ipa-3-3:

This addresses the last TODO item identified in comment:9. Closing the ticket.

Metadata Update from @simo:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 3.3.6 (bug fixing)

7 years ago
