If ipa-replica-install is run with a replica file prepared on a master which has been updated from CA-less to CA-full and on which ipa-certupdate was executed, it fails with:
ipa-replica-install
ipa-certupdate
...
  [10/15]: publish CA cert
  [11/15]: creating a keytab for httpd
  [error] CalledProcessError: Command ''kadmin.local' '-q' 'addprinc -randkey HTTP/vm-162.abc.idm.lab.eng.brq.redhat.com@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM' '-x' 'ipa-setup-override-restrictions'' returned non-zero exit status 1
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Unexpected error - see /var/log/ipareplica-install.log for details:
CalledProcessError: Command ''kadmin.local' '-q' 'addprinc -randkey HTTP/vm-162.abc.idm.lab.eng.brq.redhat.com@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM' '-x' 'ipa-setup-override-restrictions'' returned non-zero exit status 1
This was hit on https://www.redhat.com/archives/freeipa-users/2016-January/msg00272.html, I would suggest increasing priority.
I've hit a similar issue without updating from CA-less to CA-full.
My install is FreeIPA 4.2/CentOS 7.2 with a fresh CA-full install. I've installed a 3rd-party SSL certificate for HTTP/LDAP together with 3 root/chain certificates. When I ran ipa-certupdate, it didn't populate the /etc/pki/pki-tomcat/alias database with the root certificates, and as a result pki-tomcatd didn't start and I was unable to start FreeIPA.
The whole experience has been described at https://www.redhat.com/archives/freeipa-users/2016-January/msg00222.html
After fixing #5595, I can no longer reproduce this.
Closing as duplicate.
Metadata Update from @jcholast:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.2.4