Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1371519
Description of problem:
During ipa replica install on 7.3 from replica file created on 6.8 IPA Master, pki instance creation fails with the following error message.

2016-08-30 17:18:30 pkispawn : INFO ....... modifying '/etc/pki/pki-tomcat/alias/secmod.db'
2016-08-30 17:18:30 pkispawn : DEBUG ........... chmod 600 /etc/pki/pki-tomcat/alias/secmod.db
2016-08-30 17:18:30 pkispawn : DEBUG ........... chown 17:17 /etc/pki/pki-tomcat/alias/secmod.db
2016-08-30 17:18:36 pkispawn : DEBUG ....... Error Type: CalledProcessError
2016-08-30 17:18:36 pkispawn : DEBUG ....... Error Message: Command '['certutil', '-M', '-d', '/etc/pki/pki-tomcat/alias', '-f', '/etc/pki/pki-tomcat/pfile', '-n', 'caSigningCert cert-pki-ca', '-t', 'CTu,Cu,Cu']' returned non-zero exit status 255
2016-08-30 17:18:36 pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", line 528, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/security_databases.py", line 159, in spawn
    trust_attributes='CTu,Cu,Cu')
  File "/usr/lib/python2.7/site-packages/pki/nssdb.py", line 165, in modify_cert
    subprocess.check_call(cmd)
  File "/usr/lib64/python2.7/subprocess.py", line 542, in check_call
    raise CalledProcessError(retcode, cmd)

Version-Release number of selected component (if applicable):

How reproducible:

[root@dhcp207-47 ~]# rpm -q ipa-server pki-ca
ipa-server-4.4.0-8.el7.x86_64
pki-ca-10.3.3-7.el7.noarch
[root@dhcp207-47 ~]#

Steps to Reproduce:
1. Prepare a RHEL 6.8 IPA Master and generate replica install file on it.
2. Copy replica install file on RHEL 7.3 replica and install replica
3.

Actual results:
Replica install fails on RHEL 7.3

Expected results:
Replica install should be successful on RHEL 7.3

Additional info:
(1) Please find the attached console output file for more info
Adopted a different strategy to fix this issue. The code should be fixed on the master side (i.e. fix ipa-replica-prepare so that it creates a gpg file containing the right certificates + nicknames).
See BZ 1369470 https://bugzilla.redhat.com/show_bug.cgi?id=1369470
Metadata Update from @pvoborni:
- Issue assigned to frenaud
- Issue set to the milestone: FreeIPA 4.4.2