If ipa-ca-install is run after ipa-replica-install was run against a master (on any domain level) which has been updated from CA-less, it fails with:
    ...
      [4/23]: creating installation admin user
      [5/23]: setting up certificate server
    ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpvzAgLI' returned non-zero exit status 1
    ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
    ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
    [error] RuntimeError: CA configuration failed.
    Your system may be partly configured.
    Run /usr/sbin/ipa-server-install --uninstall to clean up.
    CA configuration failed.
I get this pki-tomcatd warning in journalctl on the replica:
    server[11870]: CMS Warning: FAILURE: Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate|FAILURE: authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value|
And this error in /var/log/pki/pki-tomcat/ca/debug:
    [25/Jan/2016:08:33:55][http-bio-8443-exec-3]: ConfigurationUtils: getting domain info
    [25/Jan/2016:08:33:55][http-bio-8443-exec-3]: ConfigurationUtils: GET https://vm-244.abc.idm.lab.eng.brq.redhat.com:443/ca/admin/ca/getDomainXML
    javax.ws.rs.ProcessingException: Unable to invoke request
    <very long traceback>
    [25/Jan/2016:08:33:55][http-bio-8443-exec-3]: Failed to obtain security domain decriptor from security domain master: javax.ws.rs.ProcessingException: Unable to invoke request
On the master, there is no trace of the getDomainXML request.
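The following triage helper is an added example, not code from the ticket, from FreeIPA or from Dogtag. It pulls the security-domain URL and the "Failed to obtain security domain decriptor" line out of the replica's Dogtag debug log (the same file quoted above; the misspelling is Dogtag's own) and then probes that URL from the replica with curl, so you can tell whether the getDomainXML request leaves the replica at all, which is the symptom reported here (the master never sees it). Assumptions: the debug log path /var/log/pki/pki-tomcat/ca/debug, the IPA CA certificate at /etc/ipa/ca.crt for TLS verification, and that a healthy master answers getDomainXML with XML containing a DomainInfo element. The hostname in the embedded sample is constructed, not the one from the report.

```shell
#!/bin/sh
# Added triage helper for the pkispawn getDomainXML failure; not project code.
# Assumed paths (override via environment if yours differ):
DEBUG_LOG="${DEBUG_LOG:-/var/log/pki/pki-tomcat/ca/debug}"
IPA_CA_CERT="${IPA_CA_CERT:-/etc/ipa/ca.crt}"

# Print the URL pkispawn used to fetch the security domain descriptor.
# Reads log text from stdin so it works on the real file or on a sample.
domain_url_from_log() {
    sed -n 's/.*ConfigurationUtils: GET \(https:[^ ]*getDomainXML\).*/\1/p' | head -n 1
}

# Succeed (exit 0) when the log carries Dogtag's descriptor-fetch error.
domain_fetch_failed() {
    grep -q 'Failed to obtain security domain decriptor'
}

# Probe the master from the replica. Verifies TLS against the IPA CA rather
# than disabling verification. Assumed: a reachable CA returns <DomainInfo>.
# A curl connection error here means the request never reaches Dogtag on the
# master, consistent with the master showing no trace of it.
probe_domain_master() {
    url="$1"
    curl -sS --max-time 10 --cacert "$IPA_CA_CERT" "$url" 2>&1 | grep -q '<DomainInfo>'
}

# Constructed sample shaped like the lines quoted in the report (not a real capture).
SAMPLE='[25/Jan/2016:08:33:55][http-bio-8443-exec-3]: ConfigurationUtils: getting domain info
[25/Jan/2016:08:33:55][http-bio-8443-exec-3]: ConfigurationUtils: GET https://master.example.test:443/ca/admin/ca/getDomainXML
javax.ws.rs.ProcessingException: Unable to invoke request
[25/Jan/2016:08:33:55][http-bio-8443-exec-3]: Failed to obtain security domain decriptor from security domain master: javax.ws.rs.ProcessingException: Unable to invoke request'

main() {
    if [ -r "$DEBUG_LOG" ]; then
        log=$(cat "$DEBUG_LOG")
    else
        echo "$DEBUG_LOG not readable; using the constructed sample" >&2
        log="$SAMPLE"
    fi
    url=$(printf '%s\n' "$log" | domain_url_from_log)
    if [ -z "$url" ]; then
        echo "no getDomainXML request found in log" >&2
        return 2
    fi
    echo "security domain URL: $url"
    if printf '%s\n' "$log" | domain_fetch_failed; then
        echo "log shows the descriptor fetch failed; probing the master now"
        if probe_domain_master "$url"; then
            echo "master answered getDomainXML: look at the replica-side TLS/client config"
        else
            echo "no usable answer from master: the request does not get through (see master logs)"
            return 1
        fi
    else
        echo "no descriptor-fetch error in log"
    fi
}

# Run the full triage only when invoked explicitly, e.g. ./triage.sh --run
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it on the replica as root with `--run`; without the flag the file only defines the functions, which makes it easy to source into another shell session.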
There is a bug in pkispawn: https://bugzilla.redhat.com/show_bug.cgi?id=1301546
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1301687 (Red Hat Enterprise Linux 7)
PKI bug won't be ready in 4.2.4 timeframe, moving to 4.2.5.
PKI ticket 1742 was fixed.
Let's adjust IPA configuration according to information in the ticket.
master:
ipa-4-2:
ipa-4-3:
Metadata Update from @jcholast:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.2.5