
AlmaLinux/FreeIPA

FreeIPA installation

In the end I really ought to write up a summary of "if you had just done it this way it would have been over quickly"...

  • 25 March 2025: with this procedure, DNS forwarding does not work.

# dig ntp.kuins.net
; <<>> DiG 9.16.23-RH <<>> ntp.kuins.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 41655   ← this never gets fixed, so external names cannot be resolved

  • If you put the DNS server being replaced first in the nameserver list of /etc/resolv.conf, e.g. nameserver 10.249.229.246, it is at least usable.
    • Is this a bug? Or a problem with how I did the install? I'll try it on another machine and then think about it.
    • Is it because this time I ran the install while /etc/resolv.conf already said nameserver 10.249.229.111? I also wrote that in when setting up the network card.
    • Maybe the mismatch with that is the problem?
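As an added example (not from the original page), a small POSIX shell pre-flight that queries every nameserver in /etc/resolv.conf separately for the external name that returned SERVFAIL above, for the replica's own A record, and for its PTR record (the reverse lookup that ipa-replica-install checks later on this page, bypassing /etc/hosts). The hostnames and addresses are the page's, the embedded dig sample is constructed from the output above, and the live part assumes dig is installed.

```shell
#!/bin/sh
# DNS pre-flight for a FreeIPA replica (added example, not from the page).
# Each nameserver in /etc/resolv.conf is queried on its own, so a local named
# that does not forward (SERVFAIL) shows up side by side with the working upstream.

REPLICA_FQDN="h123.229.249.10.1016485.vlan.kuins.net"   # values taken from the page
REPLICA_IP="10.249.229.123"
EXTERNAL_NAME="ntp.kuins.net"

# Constructed from the dig output quoted above; used for the offline self-check.
SAMPLE_SERVFAIL='; <<>> DiG 9.16.23-RH <<>> ntp.kuins.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 41655'

# Extract the status field (NOERROR, SERVFAIL, NXDOMAIN, ...) from a dig header line.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# in-addr.arpa name for a dotted IPv4 address: 10.249.229.123 -> 123.229.249.10.in-addr.arpa.
ptr_name() {
    printf '%s\n' "$1" | {
        IFS=. read -r a b c d
        printf '%s.%s.%s.%s.in-addr.arpa.\n' "$d" "$c" "$b" "$a"
    }
}

# Target of the first PTR record in "dig +noall +answer" output (empty if there is none).
ptr_target() {
    printf '%s\n' "$1" | awk '$4 == "PTR" { print $5; exit }'
}

# Succeeds only if the PTR answer ($1) points back at the expected FQDN ($2).
ptr_consistent() {
    target=$(ptr_target "$1")
    [ "$target" = "$2." ] || [ "$target" = "$2" ]
}

# Ask one server ($2) for one record ($1 name, $3 type) and return only the header status.
query_status() {
    dig_status "$(dig +noall +comments "$1" "$3" @"$2")"
}

# Reverse answer for the replica address from one server, as "dig +noall +answer" text.
query_ptr() {
    dig +noall +answer "$(ptr_name "$REPLICA_IP")" PTR @"$1"
}

# One line per nameserver: external forwarding, own forward record, own reverse record.
preflight() {
    for ns in $(sed -n 's/^nameserver[[:space:]]*\([^[:space:]]*\).*/\1/p' /etc/resolv.conf); do
        if ptr_consistent "$(query_ptr "$ns")" "$REPLICA_FQDN"; then rev=ok; else rev=MISMATCH; fi
        printf '%-16s external=%-8s forward=%-8s reverse=%s\n' "$ns" \
            "$(query_status "$EXTERNAL_NAME" "$ns" A)" \
            "$(query_status "$REPLICA_FQDN" "$ns" A)" "$rev"
    done
}

# The live checks run only when the script is invoked with the argument "run".
if [ "${1:-}" = run ]; then
    preflight
fi
```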

Preparation

Check the passwords on the current servers

sun1 (10.249.229.111) admin (the usual password)
sun0 (10.249.229.246) admin (the usual password)

While we're at it, check that they are alive:

sun0# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
sun1# ipactl status
...

Edit /etc/selinux/config

SELINUX=disabled         ← it only adds extra steps one way or another, so just turn it off
SELINUXTYPE=targeted     getting this line wrong is a real pain, so be careful

Add the following under [main] in /etc/NetworkManager/NetworkManager.conf

dns=none  ← stops NetworkManager from rewriting /etc/resolv.conf

Stop firewalld

# systemctl disable firewalld  ← it only adds extra steps one way or another, so just stop it
# systemctl stop firewalld

Restart firewalld

On CentOS Stream 8, IPA would not work with the firewall running (???), but this time IPA apparently does not work with the firewall stopped, so start it again.

# systemctl enable firewalld
# systemctl start firewalld 
# firewall-cmd --add-service={freeipa-ldap,freeipa-ldaps,dns}  --permanent
# firewall-cmd --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,88/udp,464/tcp,464/udp,53/tcp,53/udp,123/udp} --permanent
# firewall-cmd --reload
# firewall-cmd --list-all
public (active)
 target: default
 icmp-block-inversion: no
 interfaces: bond0 enp0s25 enp12s0 enp3s0
 sources:
 services: cockpit dhcpv6-client dns freeipa-ldap freeipa-ldaps ssh
 ports: 80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 88/udp 464/tcp 464/udp 53/tcp 53/udp 123/udp
 protocols:
 forward: yes
 masquerade: no
 forward-ports:
 source-ports:
 icmp-blocks:
 rich rules:
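As an added example (not from the original page), a POSIX shell check that parses `firewall-cmd --list-all` text and reports every service and port from the page's firewall-cmd lines that the active zone still lacks, then prints the firewall-cmd lines that would open them. The embedded zone sample is constructed from the output above; the live run assumes firewalld's firewall-cmd is on the host.

```shell
#!/bin/sh
# Check that the active firewalld zone exposes what a FreeIPA replica with DNS needs
# (added example, not from the page). The required lists mirror the page's
# firewall-cmd lines; the parser reads `firewall-cmd --list-all` text, so it also
# works over output saved from another host.

REQUIRED_SERVICES="freeipa-ldap freeipa-ldaps dns"
REQUIRED_PORTS="80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 88/udp 464/tcp 464/udp 53/tcp 53/udp 123/udp"

# Constructed from the --list-all output shown above; used for the offline self-check.
SAMPLE_ZONE='public (active)
 target: default
 services: cockpit dhcpv6-client dns freeipa-ldap freeipa-ldaps ssh
 ports: 80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 88/udp 464/tcp 464/udp 53/tcp 53/udp 123/udp
 forward-ports:
 source-ports:'

# Value of one " key: ..." line in --list-all text ($1: text, $2: key such as services).
# Anchoring at the line start keeps "ports" from matching "forward-ports"/"source-ports".
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# True if word $1 occurs in the space-separated list $2.
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# Print "service NAME" / "port N/PROTO" for every required item the zone lacks;
# returns 1 if anything is missing, 0 when the zone is complete.
missing_firewall_items() {
    have_services=$(zone_field "$1" services)
    have_ports=$(zone_field "$1" ports)
    rc=0
    for s in $REQUIRED_SERVICES; do
        in_list "$s" "$have_services" || { printf 'service %s\n' "$s"; rc=1; }
    done
    for p in $REQUIRED_PORTS; do
        in_list "$p" "$have_ports" || { printf 'port %s\n' "$p"; rc=1; }
    done
    return $rc
}

# Turn the missing list into the firewall-cmd lines that would open it (printed, not run);
# a "firewall-cmd --reload" is still needed afterwards, as on the page.
firewall_fix_commands() {
    missing_firewall_items "$1" | while read -r kind item; do
        case $kind in
            service) printf 'firewall-cmd --permanent --add-service=%s\n' "$item" ;;
            port)    printf 'firewall-cmd --permanent --add-port=%s\n' "$item" ;;
        esac
    done
}

# Live check against this host only when invoked with the argument "run".
if [ "${1:-}" = run ]; then
    if missing_firewall_items "$(firewall-cmd --list-all)"; then
        echo "firewalld zone is complete for FreeIPA"
    else
        echo "missing items listed above; suggested commands:"
        firewall_fix_commands "$(firewall-cmd --list-all)"
    fi
fi
```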

Check /etc/hosts

Register this host in /etc/hosts:

10.249.229.123 h123.229.249.10.1016485.vlan.kuins.net

Reboot here.

Download

On CentOS Stream 8 it was:
# dnf module install -y idm:DL1 ← I had no idea at all what this meant

This time:

# dnf -y install freeipa-server freeipa-server-dns freeipa-client

Let's note the versions

Checking with ipa --version and pki --version gives:

Current server: ipa version 4.9.12, API_VERSION 2.251, PKI Command Line Interface 10.12.0-3.module_el8.7.0+1172+b9bb9c8d
AlmaLinux 9.5:  ipa version 4.12.2, API_VERSION 2.254, PKI Command Line Interface 11.5.1-SNAPSHOT

Client setup

On CentOS Stream 8, a single failure meant the OS had to be reinstalled:
# ipa-client-install --force-join

This time a failure is cleanly rolled back, which is reassuring.

Installation

# ipa-client-install
Version 4.12.2
Do you want to configure chrony with NTP server or pool address? [no]:yes
Enter NTP source server addresses separated by comma, or press Enter to skip: ntp.kuins.net
Enter a NTP source pool address, or press Enter to skip:ぽこ
Client hostname: h123.229.249.10.1016485.vlan.kuins.net
Realm: 229.249.10.1016485.VLAN.KUINS.NET
DNS Domain: 229.249.10.1016485.vlan.kuins.net
IPA Server: h246.229.249.10.1016485.vlan.kuins.net
BaseDN: dc=229,dc=249,dc=10,dc=1016485,dc=vlan,dc=kuins,dc=net
NTP server: ntp.kuins.net
Continue to configure the system with these values? [no]:yes
Synchronizing time
Configuration of chrony was changed by installer.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers:admin
Password for admin@229.249.10.1016485.VLAN.KUINS.NET: (the usual password)
Successfully retrieved CA cert
   Subject:     CN=Certificate Authority,O=229.249.10.1016485.VLAN.KUINS.NET
   Issuer:      CN=Certificate Authority,O=229.249.10.1016485.VLAN.KUINS.NET
   Valid From:  2019-12-04 02:14:30+00:00
   Valid Until: 2039-12-04 02:14:30+00:00
Enrolled in IPA realm 229.249.10.1016485.VLAN.KUINS.NET
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config.d/04-ipa.conf
Configuring 229.249.10.1016485.vlan.kuins.net as NIS domain.
Configured /etc/krb5.conf for IPA realm 229.249.10.1016485.VLAN.KUINS.NET
Client configuration complete.
The ipa-client-install command was successful
# ipa-client-automount
Searching for IPA server...
IPA server: DNS discovery
Location: default
Continue to configure the system with these values? [no]: yes
Configured /etc/idmapd.conf
Restarting sssd, waiting for it to become available.
Started autofs

Configure /etc/auto.master

Edit /etc/auto.master:

#/net   -hosts     ← commented out because its definition differs from ours

  • At this point /net/sun0 and the like are visible, and logging in by username works.
  • The SSH public key of h123.229.249.10.1016485.vlan.kuins.net was registered on the IPA server.

Reboot.

Replica setup

Is this the most useful reference, I wonder...

Check the current servers

It looks like this. Only h111 (sun1) and h246 (sun0) are actually in service; h223 and h225 are test machines from the previous move.

Installation

# kinit admin
Password for admin@229.249.10.1016485.VLAN.KUINS.NET: (the usual password)
# ipa-replica-install --setup-dns --forwarder 10.224.253.1 --forwarder 10.224.254.1
2025-03-23T09:09:40Z DEBUG The ipa-replica-install command failed, exception: NetworkError: cannot
 connect to 'ldaps://h111.229.249.10.1016485.vlan.kuins.net': システムコール割り込み
2025-03-23T09:09:40Z ERROR cannot connect to 'ldaps://h111.229.249.10.1016485.vlan.kuins.net': システムコール割り込み

Huh? It failed. Looking at /var/log/ipareplica-install.log:

...
The ipa-certupdate command was successful
...
2025-03-23T09:09:40Z DEBUG Destroyed connection context.jsonclient_140044891621072
2025-03-23T09:09:40Z DEBUG   File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 219, in execute
  return_value = self.run()

it errors around there. I don't really understand it, so once more:

# ipa-replica-install --setup-dns --forwarder 10.224.253.1 --forwarder 10.224.254.1
Lookup failed: Preferred host h123.229.249.10.1016485.vlan.kuins.net does not provide DNS.
←[1] Huh? Did I forget some systemctl?
Checking DNS forwarders, please wait ...
WARNING: 92 existing users or groups do not have a SID identifier assigned.
Installer can run a task to have ipa-sidgen Directory Server plugin generate
the SID identifier for all these users. Please note, in case of a high
number of users and groups, the operation might lead to high replication
traffic and performance degradation. Refer to ipa-adtrust-install(1) man page
for details.   ← seems to be saying something Windows Active Directory-related isn't set up.
We have no Windows machines, so not needed.
Do you want to run the ipa-sidgen task? [no]: no
Run connection check to master
Connection check OK
Disabled p11-kit-proxy
Configuring directory server (dirsrv). Estimated time: 30 seconds
 [1/40]: creating directory server instance
Validate installation settings ...
Create file system structures ...
selinux is disabled, will not relabel ports or files.
Create database backend: dc=229,dc=249,dc=10,dc=1016485,dc=vlan,dc=kuins,dc=net ...
Perform post-installation tasks ...
 [2/40]: tune ldbm plugin
 [3/40]: adding default schema
 [4/40]: enabling memberof plugin
 [5/40]: enabling winsync plugin
 [6/40]: configure password logging
 [7/40]: configuring replication version plugin
 [8/40]: enabling IPA enrollment plugin
 [9/40]: configuring uniqueness plugin
 [10/40]: configuring uuid plugin
 [11/40]: configuring modrdn plugin
 [12/40]: configuring DNS plugin
 [13/40]: enabling entryUSN plugin
 [14/40]: configuring lockout plugin
 [15/40]: configuring graceperiod plugin
 [16/40]: configuring topology plugin
 [17/40]: creating indices
 [18/40]: enabling referential integrity plugin
 [19/40]: configuring certmap.conf
 [20/40]: configure new location for managed entries
 [21/40]: configure dirsrv ccache and keytab
 [22/40]: enabling SASL mapping fallback
 [23/40]: restarting directory server
 [24/40]: creating DS keytab
 [25/40]: ignore time skew for initial replication
 [26/40]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 4 seconds elapsed
Update succeeded
 [27/40]: prevent time skew after initial replication
 [28/40]: adding sasl mappings to the directory
 [29/40]: updating schema
 [30/40]: setting Auto Member configuration
 [31/40]: enabling S4U2Proxy delegation
 [32/40]: initializing group membership
 [33/40]: adding master entry
 [34/40]: initializing domain level
 [35/40]: configuring Posix uid/gid generation
 [36/40]: adding replication acis
 [37/40]: activating sidgen plugin
 [38/40]: activating extdom plugin
 [39/40]: configuring directory to start on boot
 [40/40]: restarting directory server
Done configuring directory server (dirsrv).
[2] Replica DNS records could not be added on master: Insufficient access:
 Insufficient 'add' privilege to add the entry 'idnsname=h123,idnsname=
229.249.10.1016485.vlan.kuins.net.,cn=dns,dc=229,dc=249,dc=10,dc=1016485,dc=vlan,dc=kuins,dc=net'.
Configuring Kerberos KDC (krb5kdc)
 [1/6]: configuring KDC
 [2/6]: adding the password extension to the directory
 [3/6]: creating anonymous principal
 [4/6]: starting the KDC
 [5/6]: configuring KDC to start on boot
 [6/6]: enable PAC ticket signature support
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
 [1/2]: starting kadmin
 [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
 [1/3]: configuring TLS for DS instance
 [error] RuntimeError: Certificate issuance failed (CA_REJECTED: Server at https://h111.229.249
.10.1016485.vlan.kuins.net/ipa/json denied our request, giving up: 2100 (Insufficient access:
 SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide
 more information (Credential cache is empty)).)
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Certificate issuance failed (CA_REJECTED: Server at https://h111.229.249.10.1016485.vlan.kuins.
net/ipa/json denied our request, giving up: 2100 (Insufficient access: SASL(-1): generic failure
: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credential cache is empty)).)
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

Got further than last time. But:

  • [1] Does DNS need to be started somehow? I forgot.
    • In the old days, installing ipa-server would set /etc/resolv.conf to
      • nameserver 127.0.0.1
    • which made sense to me. This time /etc/resolv.conf has not been changed at all.
    • Actually, h123 is about to become the DNS server, and the install failed, so this error is odd.
  • [2] It apparently tried to write something DNS-related to the IPA server and failed.
  • The CA server h111 seems to have rejected something.
  • It says to run ipa-server-install --uninstall before trying again.

Let me try imitating what's done here.

  • Read the log carefully. Which DNS server is it talking to?
    • Partway through it says
      Check if h111.229.249.10.1016485.vlan.kuins.net is a primary hostname for localhost
      Creating LDAP connection to h111.229.249.10.1016485.vlan.kuins.net
      Search DNS server h111.229.249.10.1016485.vlan.kuins.net (['10.249.229.111', '10.249.229.111'
      so it seems to be looking at sun1.
    • But partway it also says
      Checking DNS server: 10.224.253.1
      Checking DNS server: 10.224.254.1
      will use DNS forwarders: [CheckedIPAddressLoopback('10.224.253.1')....
      so maybe it is also looking at the KUINS servers.
  • So, is the error coming from that DNS server?
    • Reading it doesn't tell me much... sun1:/var/log/dirsrv/slapd-229-249-10-1016485-VLAN-KUINS-NET/errors

[23/Mar/2025:18:31:51.813369834 +0900] - ERR
- NSMMReplicationPlugin - update_consumer_schema - [S] Schema agmt="cn=meToh123.229.249.10.1016485.vlan.kuins.net" (h123:389)
 must not be overwritten (set replication log for additional info)
[23/Mar/2025:18:31:55.892627763 +0900] - ERR
- NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToh123.229.249.10.1016485.vlan.kuins.net" (h123:389)
- Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
[23/Mar/2025:18:31:59.383537614 +0900] - ERR 
- NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToh123.229.249.10.1016485.vlan.kuins.net" (h123:389)
- Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()

In /var/log/ipareplica-install.log on the machine being installed:

2025-03-23T09:32:08Z DEBUG Cert request 20250323093206 failed: CA_REJECTED
(Server at https://h111.229.249.10.1016485.vlan.kuins.net/ipa/json denied our request, giving up: 2100
(Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
 Minor code may provide more information (Credential cache is empty)).)
RuntimeError: Certificate issuance failed (CA_REJECTED: Server at https://h111.229.249.10.1016485.vlan.kuins.net/ipa/json
denied our request, giving up: 2100 (Insufficient access: SASL(-1):generic failure:
GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credential cache is empty)).)

The times differ by 9 hours, but that's just UTC. The parts in red are the common factor, I guess.

So does it feel like the CA install is failing? There's a mysterious note here saying "doing only --setup-dns here is a thing of the past; these days you get an error unless you pass both --setup-dns and --setup-ca. Or do you? Someone try it."

Uninstall

# /usr/sbin/ipa-server-install --uninstall
WARNING:
IPA server is not configured on this system. If you want to install the
IPA server, please install it using 'ipa-server-install'.
This is a NON REVERSIBLE operation and will delete all data and configuration!
It is highly recommended to take a backup of existing data and configuration using ipa-backup utility before proceeding.
Are you sure you want to continue with the uninstall procedure? [no]: yes
Lookup failed: Preferred host h123.229.249.10.1016485.vlan.kuins.net does not provide CA.
Updating DNS system records
Forcing removal of h123.229.249.10.1016485.vlan.kuins.net
Failed to remove server from security domain: cannot connect to
 'https://h111.229.249.10.1016485.vlan.kuins.net:443/ca/rest/account/login': [Errno 2] No such file or directory
Failed to cleanup h123.229.249.10.1016485.vlan.kuins.net DNS entries: no matching entry found
You may need to manually remove them from the tree
-----------------------------------------------------------
Deleted IPA server "h123.229.249.10.1016485.vlan.kuins.net"
-----------------------------------------------------------
Shutting down all IPA services
Unconfiguring krb5kdc
Unconfiguring kadmin
Unconfiguring directory server
selinux is disabled, will not relabel ports or files.
selinux is disabled, will not relabel ports or files.
selinux is disabled, will not relabel ports or files.
selinux is disabled, will not relabel ports or files.
Removing IPA client configuration
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
Unconfiguring the NIS domain.
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Systemwide CA database updated.
Client uninstall complete.
The ipa-client-install command was successful
The ipa-server-install command was successful

Even after doing this, the server does not disappear from the Topology graph.

Reboot. Then everything is cleanly gone: not only ipa-server, but even ipa-client is gone!

Reinstall the client

# ipa-client-install --force-join   ← note that --force-join is required from the second attempt on
....(same as before)...
# ipa-client-automount
....(same as before)...

Reboot. It returns to normal. On CentOS Stream 8 it did not, so the new version really is better.

Reinstall the replica

  • When turning a client into a replica, you cannot pass --domain=229.249.10.1016485.vlan.kuins.net --server=h111.229.249.10.1016485.vlan.kuins.net.
    • If you mess this up, start over from "Reinstall the client".
  • If a previous failure left the host in the replica list, it must be deleted first:
sun1# kinit admin
Password for admin@229.249.10.1016485.VLAN.KUINS.NET: (the usual password)
sun1# ipa server-del h123.229.249.10.1016485.vlan.kuins.net --force
Removing h123.229.249.10.1016485.vlan.kuins.net from replication topology, please wait...
ipa: WARNING: Forcing removal of h123.229.249.10.1016485.vlan.kuins.net
ipa: WARNING: Failed to cleanup h123.229.249.10.1016485.vlan.kuins.net DNS entries: no matching entry found
ipa: WARNING: You may need to manually remove them from the tree
-----------------------------------------------------------
Deleted IPA server "h123.229.249.10.1016485.vlan.kuins.net"
-----------------------------------------------------------

With this, it disappeared from the Topology display.

# kinit admin
Password for admin@229.249.10.1016485.VLAN.KUINS.NET: (the usual password)
# ipa-replica-install --setup-ca --setup-dns --forwarder 10.224.253.1 --forwarder 10.224.254.1
Lookup failed: Preferred host h123.229.249.10.1016485.vlan.kuins.net does not provide DNS.
Reverse DNS resolution of address 10.249.229.123 (h123.229.249.10.1016485.vlan.kuins.net) failed.
Clients may not function properly. Please check your DNS setup.
(Note that this check queries IPA DNS directly and ignores /etc/hosts.)     

Yikes. The ipa server-del removed it from the reverse DNS zone... Fix that and continue.

Continue? [no]: yes
Checking DNS forwarders, please wait ...
WARNING: 92 existing users or groups do not have a SID identifier assigned.
Installer can run a task to have ipa-sidgen Directory Server plugin generate
the SID identifier for all these users. Please note, in case of a high
number of users and groups, the operation might lead to high replication
traffic and performance degradation. Refer to ipa-adtrust-install(1) man page
for details.
Do you want to run the ipa-sidgen task? [no]: no
Run connection check to master
Connection check OK
Disabled p11-kit-proxy
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/40]: creating directory server instance
Validate installation settings ...
Create file system structures ...
selinux is disabled, will not relabel ports or files.
Create database backend: dc=229,dc=249,dc=10,dc=1016485,dc=vlan,dc=kuins,dc=net ...
Perform post-installation tasks ...
[2/40]: tune ldbm plugin
[3/40]: adding default schema
[4/40]: enabling memberof plugin
[5/40]: enabling winsync plugin
[6/40]: configure password logging
[7/40]: configuring replication version plugin
[8/40]: enabling IPA enrollment plugin
[9/40]: configuring uniqueness plugin
[10/40]: configuring uuid plugin
[11/40]: configuring modrdn plugin
[12/40]: configuring DNS plugin
[13/40]: enabling entryUSN plugin
[14/40]: configuring lockout plugin
[15/40]: configuring graceperiod plugin
[16/40]: configuring topology plugin
[17/40]: creating indices
[18/40]: enabling referential integrity plugin
[19/40]: configuring certmap.conf
[20/40]: configure new location for managed entries
[21/40]: configure dirsrv ccache and keytab
[22/40]: enabling SASL mapping fallback
[23/40]: restarting directory server
[24/40]: creating DS keytab
[25/40]: ignore time skew for initial replication
[26/40]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 8 seconds elapsed
Update succeeded
[27/40]: prevent time skew after initial replication
[28/40]: adding sasl mappings to the directory
[29/40]: updating schema
[30/40]: setting Auto Member configuration
[31/40]: enabling S4U2Proxy delegation
[32/40]: initializing group membership
[33/40]: adding master entry
[34/40]: initializing domain level
[35/40]: configuring Posix uid/gid generation
[36/40]: adding replication acis
[37/40]: activating sidgen plugin
[38/40]: activating extdom plugin
[39/40]: configuring directory to start on boot
[40/40]: restarting directory server
Done configuring directory server (dirsrv).
Replica DNS records could not be added on master: Insufficient access: Insufficient 'add' privilege
to add the entry 'idnsname=h123,idnsname=229.249.10.1016485.vlan.kuins.net.,cn=dns,dc=229,dc=249,
dc=10,dc=1016485,dc=vlan,dc=kuins,dc=net'.
Configuring Kerberos KDC (krb5kdc)
[1/6]: configuring KDC
[2/6]: adding the password extension to the directory
[3/6]: creating anonymous principal
[4/6]: starting the KDC
[5/6]: configuring KDC to start on boot
[6/6]: enable PAC ticket signature support
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
[1/2]: starting kadmin
[2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
[1/3]: configuring TLS for DS instance
[2/3]: importing CA certificates from LDAP
[3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring the web interface (httpd)
[1/22]: stopping httpd
[2/22]: backing up ssl.conf
[3/22]: disabling nss.conf
[4/22]: configuring mod_ssl certificate paths
[5/22]: setting mod_ssl protocol list
[6/22]: configuring mod_ssl log directory
[7/22]: disabling mod_ssl OCSP
[8/22]: adding URL rewriting rules
[9/22]: configuring httpd
Nothing to do for configure_httpd_wsgi_conf
[10/22]: setting up httpd keytab
[11/22]: configuring Gssproxy
[12/22]: setting up ssl
[13/22]: configure certmonger for renewals
[14/22]: publish CA cert
[15/22]: clean up any existing httpd ccaches
[16/22]: enable ccache sweep
[17/22]: configuring SELinux for httpd
[18/22]: create KDC proxy config
[19/22]: enable KDC proxy
[20/22]: starting httpd
[21/22]: configuring httpd to start on boot
[22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring ipa-otpd
[1/2]: starting ipa-otpd
[2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Custodia uses 'h111.229.249.10.1016485.vlan.kuins.net' as master peer.
Configuring ipa-custodia
[1/4]: Generating ipa-custodia config file
[2/4]: Generating ipa-custodia keys
[3/4]: starting ipa-custodia
[4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/33]: creating certificate server db
[2/33]: ignore time skew for initial replication
[3/33]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 6 seconds elapsed
Update succeeded
[4/33]: revert time skew after initial replication
[5/33]: creating ACIs for admin
[6/33]: creating installation admin user
[7/33]: configuring certificate server instance
[8/33]: stopping certificate server instance to update CS.cfg
[9/33]: backing up CS.cfg
[10/33]: Add ipa-pki-wait-running
[11/33]: secure AJP connector
[12/33]: reindex attributes
[13/33]: exporting Dogtag certificate store pin
[14/33]: disabling nonces
[15/33]: set up CRL publishing
[16/33]: enable PKIX certificate path discovery and validation
[17/33]: authorizing RA to modify profiles
[18/33]: authorizing RA to manage lightweight CAs
[19/33]: Ensure lightweight CAs container exists
[20/33]: Enable lightweight CA monitor
[21/33]: Ensuring backward compatibility
[22/33]: destroying installation admin user
[23/33]: starting certificate server instance
[24/33]: Finalize replication settings
[25/33]: configure certmonger for renewals
[26/33]: Importing RA key
[27/33]: configure certificate renewals
[28/33]: Configure HTTP to proxy connections
[29/33]: updating IPA configuration
[30/33]: enabling CA instance
[31/33]: importing IPA certificate profiles
Lookup failed: Preferred host h123.229.249.10.1016485.vlan.kuins.net does not provide CA.
[32/33]: configuring certmonger renewal for lightweight CAs
[33/33]: deploying ACME service
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
[1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/10]: stopping directory server
[2/10]: saving configuration
[3/10]: disabling listeners
[4/10]: enabling DS global lock
[5/10]: disabling Schema Compat
[6/10]: starting directory server
[7/10]: upgrading server
[8/10]: stopping directory server
[9/10]: restoring configuration
[10/10]: starting directory server
Done.
Finalize replication settings
Restarting the KDC
dnssec-validation yes
Configuring DNS (named)
[1/9]: generating rndc key file
[2/9]: setting up our own record
[3/9]: adding NS record to the zones
[4/9]: setting up kerberos principal
[5/9]: setting up LDAPI autobind
[6/9]: setting up named.conf
created new /etc/named.conf
created named user config '/etc/named/ipa-ext.conf'
created named user config '/etc/named/ipa-options-ext.conf'
created named user config '/etc/named/ipa-logging-ext.conf'
[7/9]: setting up server configuration
[8/9]: configuring named to start on boot
[9/9]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
[1/7]: checking status
[2/7]: setting up bind-dyndb-ldap working directory
[3/7]: setting up kerberos principal
[4/7]: setting up SoftHSM
[5/7]: adding DNSSEC containers
DNSSEC container exists (step skipped)
[6/7]: creating replica keys
[7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files
Configuring SID generation
[1/7]: adding RID bases
RID bases already set, nothing to do
[2/7]: creating samba domain object
Samba domain object already exists
[3/7]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
[4/7]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
[5/7]: activating sidgen task
[6/7]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
[7/7]: adding fallback group
Fallback group already set, nothing to do
Done.
The ipa-replica-install command was successful

Looks like it worked.

Got all the way to the CA in one go!

Can the web server be reached? Here.

Some browsers show it properly, so I suppose that's fine.

Safari and Chrome can access it, but Firefox can't... I wonder why. Also, I'd like to fix this "untrusted" website business.