[Freeipa-users] problem creating replica

Pete Brown rendhalver at gmail.com
Fri Jul 19 04:14:30 UTC 2013


I was just trying this again and noticed there is a
/var/log/pki/pki-ca-spawn.20130719140342.log file with what I assume
is the logging for the attempt to create the PKI.
Right at the end is this entry.

2013-07-19 14:04:42 pkispawn    : INFO     ....... unable to access
security domain through REST interface.  Trying old interface. 503
Server Error: Service Unavailable

Does anyone know what that means and how to fix it?


On 19 July 2013 12:46, Pete Brown <rendhalver at gmail.com> wrote:
> On 18 July 2013 19:50, Petr Viktorin <pviktori at redhat.com> wrote:
>> On 07/18/2013 03:31 AM, Pete Brown wrote:
>>>
>>> I opened all the ports that seemed to be listening on the master.
>>> I also ran the setup again without disabling the connection check to
>>> see what else needed fixing.
>>> It seems, after much investigation and log dredging, that my admin
>>> password had expired.
>>> I wasn't aware that was possible.
>>> I reset the password and it seemed to get further.
>>> Also, for some reason not mentioned in the documentation, the replica is
>>> trying to ssh into the master as admin.
>>> I managed to fix that by changing my setup and ssh config files.
>>>
>>> Then it actually managed to start the setup process.
>>> But again it fails at exactly the same point mentioned in my initial
>>> email.
>>>
>>> After some further digging with reference to the log output below it
>>> seems I have run into a bug that seems to have been fixed.
>>> https://fedorahosted.org/freeipa/ticket/3213
>>> As I mentioned I am running current Fedora 18 so freeipa is
>>> 3.1.5-1.fc18 is that fixed in my version?
>>
>>
>> Yes, that bug was fixed in 3.1.0.
>
> Well the script is still complaining about not being able to find
> dogtag_master_ds_port and the option still appears in my version of
> the script.
> Which from the bug seems to be what was causing the issue and the
> ipareplica-install log I included below says this is the case.
> It seems a bit odd because this is a fresh install of 3.1.5.
>
>
>
>>> It also seems the dogtag and IPA directories will be or have been merged?
>>> Which version did this happen in and will it get applied to my server?
>>
>>
>> Also in 3.1.0; new servers installed using that version have merged
>> databases.
>
> I still seem to have split instances.
> I did the install before Fedora 18 was released because I wanted ipa 3
> and that was the only way I could get it.
> Will they get merged at some point or can I do it manually?
>
>>
>>> Can anyone suggest how I go about fixing this issue?
>>
>>
>> Well, ipa-server-uninstall can misbehave if CA installation goes wrong
>> (ticket #2796).
>> So I would start by uninstalling, then running the following command to make
>> sure CA is not left:
>>     sudo pkidestroy -s CA -i pki-tomcat
>> then installing again.
>
> Ran that on my replica after the install and before the clean and it said this.
> That would make sense because it fails during the ca creation stage.
>
> root at ipa2 ~]# pkidestroy -s CA -i pki-tomcat
> ERROR:  PKI instance '/var/lib/pki/pki-tomcat' does NOT exist!
>
>
>>
>> Can you also provide logs without the --skip-conncheck flag? Specifically
>> the /var/log/ipareplica-conncheck.log should be interesting.
>
> From what I can tell all the tests in the connection check passed.
>
>>
>>
>>> I wanted to create a replica so I could upgrade to fedora 19 and not
>>> have to take my single instance of FreeIPA offline while that was
>>> happening.
>>> Will I need to upgrade to Fedora 19 to fix my issue?
>>
>>
>>
>>> For reference this is the point of failure in the
>>> /var/log/ipareplica-install.log file
>>>
>>> 2013-07-18T01:06:16Z DEBUG Starting external process
>>> 2013-07-18T01:06:16Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpFKBxMW
>>> 2013-07-18T01:08:16Z DEBUG Process finished, return code=1
>>> 2013-07-18T01:08:16Z DEBUG stdout=Loading deployment configuration
>>> from /tmp/tmpFKBxMW.
>>> ERROR:  Unable to access security domain: 503 Server Error: Service
>>> Unavailable
>>
>>
>> Please also check logs on the existing server. Is the CA available?
>> Does e.g. `ipa cert-show 1` work?
>>
>>> 2013-07-18T01:08:16Z DEBUG stderr=
>>> 2013-07-18T01:08:16Z CRITICAL failed to configure ca instance Command
>>> '/usr/sbin/pkispawn -s CA -f /tmp/tmpFKBxMW' returned non-zero exit
>>> status 1
>>> 2013-07-18T01:08:16Z INFO   File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>>> line 619, in run_script
>>>      return_value = main_function()
>>>
>>>    File "/usr/sbin/ipa-replica-install", line 652, in main
>>>      (CA, cs) = cainstance.install_replica_ca(config,
>>> dogtag_master_ds_port)
>>>
>>>    File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>> line 1809, in install_replica_ca
>>>      subject_base=config.subject_base)
>>>
>>>    File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>> line 625, in configure_instance
>>>      self.start_creation(runtime=210)
>>>
>>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>> line 358, in start_creation
>>>      method()
>>>
>>>    File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>> line 744, in __spawn_instance
>>>      raise RuntimeError('Configuration of CA failed')
>>>
>>> 2013-07-18T01:08:16Z INFO The ipa-replica-install command failed,
>>> exception: RuntimeError: Configuration of CA failed
>>>
>>> On 17 July 2013 15:52, Pete Brown <rendhalver at gmail.com> wrote:
>>>>
>>>> Hi everyone,
>>>>
>>>> I am attempting to create a replica of my freeipa server.
>>>> I am following the docs but they are not working for me.
>>>> I am getting the vague impression I am missing a step that doesn't
>>>> seem to be documented.
>>>>
>>>> For the record all the ports listed are open and it was a clean
>>>> install of Fedora 18.
>>>>
>>>> I thought the server may need to be a client of the master before I
>>>> set it up as a replica but it just said I needed to uninstall the
>>>> client setup.
>>>>
>>>> After running ipa-replica-prepare on the master and scping the file to
>>>> the new replica.
>>>> I ran this command on the new replica
>>>> ipa-replica-install --setup-ca --mkhomedir --ssh-trust-dns --setup-dns
>>>> --forwarder=XXX.XXX.XXX.XX --forwarder=XX.XXX.XXX.XXX
>>>> /var/lib/ipa/replica-info-ipa2.domain.com.gpg
>>>>
>>>> The error I am seeing is from that command is this:
>>>> Cannot acquire Kerberos ticket: kinit: Cannot read password while
>>>> getting initial credentials
>>>>
>>>> Connection check failed!
>>>> Please fix your network settings according to error messages above.
>>>> If the check results are not valid it can be skipped with
>>>> --skip-conncheck parameter.
>>>>
>>>> So I cleaned everything off (I think) and tried it with this command
>>>>
>>>> ipa-replica-install --setup-ca --mkhomedir --ssh-trust-dns --setup-dns
>>>> --forwarder=61.9.211.33 --forwarder=61.9.211.1 --skip-conncheck
>>>> /var/lib/ipa/replica-info-ipa2.webgatetec.com.gpg
>>>>
>>>> This seems to actually start the install and setup process I remember
>>>> from installing the ipa server initially.
>>>>
>>>> Then it fails with this output
>>>>
>>>> WARNING: conflicting time&date synchronization service 'chronyd' will
>>>> be disabled in favor of ntpd
>>>>
>>>> Directory Manager (existing master) password:
>>>>
>>>> Configuring NTP daemon (ntpd)
>>>>    [1/4]: stopping ntpd
>>>>    [2/4]: writing configuration
>>>>    [3/4]: configuring ntpd to start on boot
>>>>    [4/4]: starting ntpd
>>>> Done configuring NTP daemon (ntpd).
>>>> Configuring directory server (dirsrv): Estimated time 1 minute
>>>>    [1/31]: creating directory server user
>>>>    [2/31]: creating directory server instance
>>>>    [3/31]: adding default schema
>>>>    [4/31]: enabling memberof plugin
>>>>    [5/31]: enabling winsync plugin
>>>>    [6/31]: configuring replication version plugin
>>>>    [7/31]: enabling IPA enrollment plugin
>>>>    [8/31]: enabling ldapi
>>>>    [9/31]: configuring uniqueness plugin
>>>>    [10/31]: configuring uuid plugin
>>>>    [11/31]: configuring modrdn plugin
>>>>    [12/31]: configuring DNS plugin
>>>>    [13/31]: enabling entryUSN plugin
>>>>    [14/31]: configuring lockout plugin
>>>>    [15/31]: creating indices
>>>>    [16/31]: enabling referential integrity plugin
>>>>    [17/31]: configuring ssl for ds instance
>>>>    [18/31]: configuring certmap.conf
>>>>    [19/31]: configure autobind for root
>>>>    [20/31]: configure new location for managed entries
>>>>    [21/31]: restarting directory server
>>>>    [22/31]: setting up initial replication
>>>> Starting replication, please wait until this has completed.
>>>> Update in progress
>>>> Update in progress
>>>> Update in progress
>>>> Update in progress
>>>> Update succeeded
>>>>    [23/31]: adding replication acis
>>>>    [24/31]: setting Auto Member configuration
>>>>    [25/31]: enabling S4U2Proxy delegation
>>>>    [26/31]: initializing group membership
>>>>    [27/31]: adding master entry
>>>>    [28/31]: configuring Posix uid/gid generation
>>>>    [29/31]: enabling compatibility plugin
>>>>    [30/31]: tuning directory server
>>>>    [31/31]: configuring directory to start on boot
>>>> Done configuring directory server (dirsrv).
>>>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
>>>> 30 seconds
>>>>    [1/17]: creating certificate server user
>>>>    [2/17]: configuring certificate server instance
>>>> ipa         : CRITICAL failed to configure ca instance Command
>>>> '/usr/sbin/pkispawn -s CA -f /tmp/tmptGcdgB' returned non-zero exit
>>>> status 1
>>>>
>>>> Your system may be partly configured.
>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>
>>>> Configuration of CA failed
>>>>
>>>> I even tried cleaning it again at that point and made sure all the
>>>> ports were open and still got the same error.
>>>>
>>>> I also switched selinux to permissive mode cleaned up and rebooted but
>>>> that didn't help either
>>>>
>>>> Can someone please point out what I need to do to get this working.
>>>>
>>>> Thanks in advance.
>>>> Pete.
>>>
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>
>>
>> --
>> Petr³
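The thread above turns on reading two logs (/var/log/ipareplica-install.log and the pki-ca-spawn log) to find which external command failed and why. The script below is an added example, not code from the thread or from FreeIPA/Dogtag: it parses the ipa-replica-install log format quoted in the thread (ISO timestamp, level, message), pulls out the pkispawn invocation, its exit status, how long it ran, and any HTTP status in the error text, and maps the known error strings from the thread to the follow-up checks Petr suggested (ipa cert-show 1 on the master, pkidestroy -s CA -i pki-tomcat before a retry). The sample log is constructed from the lines quoted above; the KNOWN_FAILURES table, the function names and the check wording are the example's own assumptions.

```python
"""Triage a failed ipa-replica-install CA step from its log text.

Added example (not FreeIPA's own tooling). Reads the text of
/var/log/ipareplica-install.log, locates the external pkispawn run, its
exit status and the error it printed, and maps that to the next check.
"""
import re
from datetime import datetime, timezone

# Constructed sample, modelled on the ipareplica-install.log lines quoted in the thread.
SAMPLE_LOG = """\
2013-07-18T01:06:16Z DEBUG Starting external process
2013-07-18T01:06:16Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpFKBxMW
2013-07-18T01:08:16Z DEBUG Process finished, return code=1
2013-07-18T01:08:16Z DEBUG stdout=Loading deployment configuration from /tmp/tmpFKBxMW.
ERROR:  Unable to access security domain: 503 Server Error: Service Unavailable
2013-07-18T01:08:16Z DEBUG stderr=
2013-07-18T01:08:16Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpFKBxMW' returned non-zero exit status 1
"""

TS = r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)"
ARGS_RE = re.compile(TS + r" DEBUG args=(.*)")
RC_RE = re.compile(TS + r" DEBUG Process finished, return code=(\d+)")
HTTP_RE = re.compile(r"\b([1-5]\d\d) Server Error")

# Error substring -> (diagnosis, checks). Assumed mapping; the checks are the
# ones raised in the thread, the diagnoses follow from where each error is produced.
KNOWN_FAILURES = [
    ("Unable to access security domain",
     "pkispawn could not reach the security domain on the existing master: "
     "the master CA is down or unreachable, the replica itself is not at fault",
     ["on the master: ipa cert-show 1",
      "on the master: confirm the CA (pki-tomcatd) is running and answering on its HTTPS port",
      "on the replica, before retrying: ipa-server-install --uninstall, "
      "then pkidestroy -s CA -i pki-tomcat"]),
    ("Cannot read password while getting initial credentials",
     "the connection check could not obtain a Kerberos ticket for admin "
     "(wrong, expired or unreadable password)",
     ["kinit admin on the replica; reset the admin password on the master if it expired",
      "rerun without --skip-conncheck and read /var/log/ipareplica-conncheck.log"]),
]


def parse_ts(text):
    """Parse the UTC timestamp prefix used by the ipa install logs."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(log_text):
    """Return a dict describing the pkispawn run found in log_text and what to check next."""
    result = {"command": None, "return_code": None, "elapsed_s": None,
              "http_status": None,
              "diagnosis": "no known failure signature found", "checks": []}
    started = None
    for line in log_text.splitlines():
        m = ARGS_RE.match(line)
        if m and "pkispawn" in m.group(2):
            started = parse_ts(m.group(1))
            result["command"] = m.group(2)
            continue
        m = RC_RE.match(line)
        # First "Process finished" after the pkispawn start is pkispawn's exit status.
        if m and result["command"] and result["return_code"] is None:
            result["return_code"] = int(m.group(2))
            if started is not None:
                result["elapsed_s"] = int((parse_ts(m.group(1)) - started).total_seconds())
            continue
        m = HTTP_RE.search(line)
        if m and result["http_status"] is None:
            result["http_status"] = int(m.group(1))
        for needle, diagnosis, checks in KNOWN_FAILURES:
            if needle in line and not result["checks"]:
                result["diagnosis"] = diagnosis
                result["checks"] = list(checks)
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"command    : {report['command']}")
    print(f"exit status: {report['return_code']} after {report['elapsed_s']} s")
    print(f"http status: {report['http_status']}")
    print(f"diagnosis  : {report['diagnosis']}")
    for check in report["checks"]:
        print(f"  next: {check}")
```

Run it against the real log with `python3 triage.py < /dev/null` after replacing SAMPLE_LOG with `open('/var/log/ipareplica-install.log').read()`; the elapsed time is worth watching because a two-minute gap before the 503, as in the quoted log, points at a timeout talking to the master rather than a local configuration error.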



