#6135 ipa-replica-install fails on adding CA certs to NSS db if multiple versions of the same CA cert is present in LDAP
Closed: worksforme 5 years ago Opened 7 years ago by mbasti.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1343798

Created attachment 1165795
ipareplica-install.log for the failed ipa replica installation

Description of problem:
Cannot install the IPA replica


Version-Release number of selected component (if applicable):
[root@eupreprd-ops-ipa-01 etc]# rpm -qa | grep ipa
python-libipa_hbac-1.13.0-40.el7_2.1.x86_64
ipa-server-4.2.0-15.el7_2.3.x86_64
python-iniparse-0.4-9.el7.noarch
libipa_hbac-1.13.0-40.el7_2.1.x86_64
ipa-python-4.2.0-15.el7_2.3.x86_64
ipa-client-4.2.0-15.el7_2.3.x86_64
redhat-access-plugin-ipa-0.9.1-2.el7.noarch
sssd-ipa-1.13.0-40.el7_2.1.x86_64
ipa-admintools-4.2.0-15.el7_2.3.x86_64
ipa-server-dns-4.2.0-15.el7_2.3.x86_64



How reproducible:
Every time

Steps to Reproduce:
[root@usqa-ops-ipa-01 ec2-user]# ipa-replica-prepare --ip-address=10.0.10.249
eupreprd-ops-ipa-01.internal.com
[root@eupreprd-ops-ipa-01 ec2-user]# ipa-replica-install
--ip-address=10.0.10.249 --setup-dns --no-forwarders
/home/ec2-user/eupreprd.gpg

Actual results:
  [28/38]: importing CA certificates from LDAP
  [error] CalledProcessError: Command ''/usr/bin/certutil' '-d'
'/etc/dirsrv/slapd-INTERNAL-COM/' '-A' '-n' 'INTERNAL.COM IPA CA' '-t'
'CT,C,C'' returned non-zero exit status 255
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    Command
''/usr/bin/certutil' '-d' '/etc/dirsrv/slapd-INTERNAL-COM/' '-A' '-n'
'INTERNAL.COM IPA CA' '-t' 'CT,C,C'' returned non-zero exit status 255


Expected results:
Install OK


Additional info:

ipareplica-install.log for the failed ipa replica installation is also
attached.

And on the master IPA servers, no expired certificates:
[root@usqa-ops-ipa-01 ec2-user]# getcert list | grep expire
expires: 2017-12-21 22:46:08 UTC
expires: 2018-03-26 22:59:53 UTC
expires: 2018-03-26 22:58:50 UTC
expires: 2018-03-26 22:58:44 UTC
expires: 2034-05-14 21:13:57 UTC
expires: 2017-12-10 23:21:54 UTC
expires: 2017-12-21 22:46:10 UTC
expires: 2018-03-26 23:01:58 UTC

Metadata Update from @mbasti:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

7 years ago

I was not able to reproduce this issue with ipa-server 4.6.4-10.el7.

I tried in domain-level1 with the following scenario:
[master]# ipa-server-install [...]
[master]# getcert resubmit -i $<id_for_IPA_CA>
[master]# ipa-certupdate

[replica]# ipa-replica-install

The replica is successfully installed and the original + renewed IPA CA certs are available in the slapd db:
[replica]# certutil -L -d /etc/dirsrv/slapd-DOMAIN-COM

Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI

DOMAIN.COM IPA CA CT,C,C
DOMAIN.COM IPA CA CT,C,C
Server-Cert u,u,u

Hence closing as worksforme.

Metadata Update from @frenaud:
- Issue close_status updated to: worksforme
- Issue status updated to: Closed (was: Open)

5 years ago
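The listing in the comment above shows the state a healthy replica ends up in: two certificates under the same "IPA CA" nickname (original plus renewed), both with the CT,C,C trust that the failing certutil -A command in the report was trying to set. The following is an added example, not FreeIPA's own code, for checking a dirsrv NSS database against that expectation. It parses the output of `certutil -L -d <nssdb>` (the two-line header and the nickname/trust columns as printed in the comment), counts how many certificates share each nickname, and reports any copy of the CA nickname whose trust flags differ from the expected value. The sample listing is constructed from the comment's output; the nickname "DOMAIN.COM IPA CA" and the db path are taken from it.

```python
"""Audit a `certutil -L` listing for duplicate nicknames and CA trust flags.

Added example (not part of FreeIPA). Assumes the certutil -L output layout:
a "Certificate Nickname ... Trust Attributes" header, a second header line
"SSL,S/MIME,JAR/XPI", a blank line, then one "<nickname> <trust>" line per cert.
"""
import subprocess
import sys
from collections import Counter

# Constructed sample, copied from the listing shown in the ticket comment.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

DOMAIN.COM IPA CA                                            CT,C,C
DOMAIN.COM IPA CA                                            CT,C,C
Server-Cert                                                  u,u,u
"""

# Trust the IPA CA is expected to carry in the dirsrv NSS db, as used by the
# certutil -A command quoted in the bug report.
EXPECTED_CA_TRUST = "CT,C,C"


def parse_certutil_listing(text):
    """Return a list of (nickname, trust) tuples from `certutil -L` output.

    Nicknames may contain spaces ("DOMAIN.COM IPA CA"), so the trust string is
    taken as the last whitespace-separated token and everything before it is
    the nickname.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        # Skip the two header lines certutil prints before the entries.
        if line.startswith("Certificate Nickname"):
            continue
        if line.lstrip().startswith("SSL,S/MIME,JAR/XPI"):
            continue
        nickname, _, trust = line.rpartition(" ")
        entries.append((nickname.strip(), trust))
    return entries


def duplicate_nicknames(entries):
    """Map nickname -> count for every nickname that appears more than once.

    Two entries for the IPA CA nickname is the normal result of a CA renewal
    (original + renewed cert), so a duplicate is informational, not an error.
    """
    counts = Counter(nick for nick, _ in entries)
    return {nick: n for nick, n in counts.items() if n > 1}


def check_ca_trust(entries, ca_nickname, expected=EXPECTED_CA_TRUST):
    """Return (number of certs under ca_nickname, list of trust strings that
    differ from `expected`). A count of 0 means the CA was never imported."""
    found = [trust for nick, trust in entries if nick == ca_nickname]
    mismatched = [trust for trust in found if trust != expected]
    return len(found), mismatched


def list_nssdb(db_dir):
    """Run certutil -L against a real NSS db directory and return its output."""
    result = subprocess.run(
        ["/usr/bin/certutil", "-L", "-d", db_dir],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


if __name__ == "__main__":
    # Usage: audit_nssdb.py [/etc/dirsrv/slapd-DOMAIN-COM] ["DOMAIN.COM IPA CA"]
    # Without arguments the constructed sample listing is audited instead.
    if len(sys.argv) >= 2:
        listing = list_nssdb(sys.argv[1])
    else:
        listing = SAMPLE_LISTING
    ca_nick = sys.argv[2] if len(sys.argv) >= 3 else "DOMAIN.COM IPA CA"

    certs = parse_certutil_listing(listing)
    for nick, n in duplicate_nicknames(certs).items():
        print(f"note: {n} certificates share nickname {nick!r}")
    count, bad = check_ca_trust(certs, ca_nick)
    if count == 0:
        print(f"ERROR: no certificate with nickname {ca_nick!r} in db")
    elif bad:
        print(f"ERROR: {ca_nick!r} copies with unexpected trust: {bad}")
    else:
        print(f"ok: {count} cert(s) for {ca_nick!r}, all trusted {EXPECTED_CA_TRUST}")
```

Run it without arguments to see the sample audited, or point it at the replica's dirsrv db and CA nickname to check a real install; a zero count or a trust mismatch on the CA nickname is what a failed or partial "importing CA certificates from LDAP" step would leave behind.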
