I'm trying to migrate away from CentOS 6. The biggest barrier right now is our IPA server, which is running on CentOS 6.6. I realize that is extremely out of date, but I inherited these problems from the previous sysadmin and am working to rectify them. I am also a fairly amateur admin and am out of my depth here.
There are two systems right now: "manage.companyname.com" and "centos7test.companyname.com".
Anyway, I've installed CentOS 7.9.2009 and installed ipa-server and ipa-server-dns. I created an ipa replica file on manage:
Code:
ipa-replica-prepare centos7test.companyname.com
Code:
ipa-replica-install --setup-dns --forwarder=<manage's ip> replica-info-centos7test.companyname.com.gpg
1. manually create an HTTP service for the new ipa server
2. manually add a KDC entry for the new server to LDAP.
That initial replication succeeds. I then tried to make centos7test a CA:
Code:
ipa-ca-install replica-info-centos7test.companyname.com.gpg
Code:
Installation failed: Command failed: certutil -M -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/pfile -n caSigningCert cert-pki-ca -t CTu,Cu,Cu
2021-08-19T21:23:34Z DEBUG stderr=pkispawn : WARNING ....... unable to validate security domain user/password through REST interface. Interface not available
certutil: could not find certificate named "caSigningCert cert-pki-ca": SEC_ERROR_BAD_DATABASE: security library: bad database.
Code:
[root@centos7test pki]# certutil -L -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/pfile
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Certificate Authority - COMPANYNAME.COM                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,u
Thanks
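An added example, not part of the original post: a shell check that parses `certutil -L` output and reports which of the `cert-pki-ca` nicknames named in the post are absent from the NSS database. The function names are hypothetical helpers, and the sample listing is constructed from the output quoted above.

```shell
#!/bin/sh
# Added example; function names are hypothetical helpers, not IPA tooling.

# Constructed sample: the `certutil -L` listing quoted in the post.
sample_listing() {
cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Certificate Authority - COMPANYNAME.COM                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,u
EOF
}

# Emit "nickname<TAB>trust" per certificate row. Nicknames contain spaces, so
# the trust flags are taken from the last field and the rest is the nickname.
parse_listing() {
    awk '
        NF < 2 { next }                                   # blank or one-field header line
        $NF !~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ { next } # not an "ssl,smime,jar" triple
        {
            trust = $NF
            sub(/[ \t]+[^ \t]+[ \t]*$/, "")               # drop the trust column
            sub(/^[ \t]+/, "")
            print $0 "\t" trust
        }'
}

# Print each expected nickname (arguments) that is absent from the listing on stdin.
missing_nicknames() {
    found=$(parse_listing | cut -f1)
    for nick in "$@"; do
        printf '%s\n' "$found" | grep -Fxq -- "$nick" || printf '%s\n' "$nick"
    done
}

# Print the trust flags recorded for one nickname.
trust_of() {
    parse_listing | awk -F'\t' -v n="$1" '$1 == n { print $2 }'
}

# On a real host, replace sample_listing with:
#   certutil -L -d /etc/pki/pki-tomcat/alias
sample_listing | missing_nicknames \
    "caSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" \
    "subsystemCert cert-pki-ca" "auditSigningCert cert-pki-ca"
```

Run against the listing in the post, it prints only `caSigningCert cert-pki-ca`, the nickname the failed `certutil -M` command was looking for.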