[Freeipa-users] ipa-replica-install hangs: starting certificate server instance
Martin Bašti
mbasti at redhat.com
Thu May 18 12:28:50 UTC 2017
ipa-ca-install will install it on top of a CA-less FreeIPA replica, nothing
else; you really don't want to do it manually.
On 18.05.2017 14:12, Callum Guy wrote:
> Thanks Martin, really appreciate the additional information.
>
> Are you aware of a separate guide for installing DogTag/PKI on top of
> FreeIPA - basically I am happy to install separately if it doesn't
> compromise the FreeIPA server configuration; I'm not clear on whether
> this is possible without a major time investment.
>
> On Thu, May 18, 2017 at 12:46 PM Martin Bašti <mbasti at redhat.com> wrote:
>
>
> Please note that the commits in #6766 will not fix this issue; the
> issue is on the Dogtag side, please see
> https://pagure.io/dogtagpki/issue/2646
>
> Sorry for the trouble
>
>
> On 18.05.2017 12:19, Callum Guy wrote:
>> Haha, looks like I'm going CA-less for a while on the replica. I
>> don't see any immediate requirement for one so time to get on
>> with my life!
>>
>> I'll post back if anything changes but I'm probably stuck waiting
>> for the upgrade too..
>>
>> On Thu, May 18, 2017 at 11:01 AM Lachlan Musicman <datakid at gmail.com> wrote:
>>
>> Sorry cobber. We only found 6766 today - we've been tackling
>> it on and off for a couple of weeks :)
>>
>> ------
>> "Mission Statement: To provide hope and inspiration for
>> collective action, to build collective power, to achieve
>> collective transformation, rooted in grief and rage but
>> pointed towards vision and dreams."
>>
>> - Patrice Cullors, /Black Lives Matter founder/
>>
>> On 18 May 2017 at 19:53, Callum Guy <callum.guy at x-on.co.uk> wrote:
>>
>> Ah, thanks for that Lachlan - it's always reassuring to
>> hear that it's not just me!
>>
>> As mentioned above I have it running without the CA so
>> that's a good start. I am sure we will upgrade as well
>> once 4.5 becomes stable and GA for CentOS. I'm not
>> expecting that to happen quickly so will have to work
>> with what we have for now.
>>
>> Do you happen to know if there is any way to build the CA
>> component separately?
>>
>> On Thu, May 18, 2017 at 10:38 AM Lachlan Musicman <datakid at gmail.com> wrote:
>>
>> https://pagure.io/freeipa/issue/6766
>>
>> 4.5.1 - I stand corrected. Can add more tomorrow.
>>
>> On 18 May 2017 at 19:34, Lachlan Musicman <datakid at gmail.com> wrote:
>>
>> We are seeing this. I'm not at work, but I think
>> it's bug report 6766.
>>
>> Patch has already been committed (not by us),
>> we're waiting for IPA 4.5.
>>
>> cheers
>> L.
>>
>> On 18 May 2017 at 18:57, Callum Guy <callum.guy at x-on.co.uk> wrote:
>>
>> Hi All,
>>
>> I am currently stuck trying to setup the
>> first replica of our master IPA server. I
>> have tried a number of different approaches
>> including escalating from a client and
>> nothing is working for me. I perform a full
>> OS reset each time I get stuck.
>>
>> I'm running CentOS 7.2 with FreeIPA 4.4.0
>> (rpm -q reports this version; however, having
>> performed ipa-server-upgrade - does this mean
>> I'm on 4.4.4?).
>>
>> The command is shown below - note that I am
>> skipping the conn check as my platform's
>> security settings do not allow the SSH
>> session to be established back on the master;
>> all ports should be available to the
>> application, however.
>>
>> [root at ipa2 ~]# ipa-replica-install --ip-address=172.24.0.101 --setup-ca --setup-dns --skip-conncheck --no-forwarders SITE.net.gpg
>>
>> Directory Manager (existing master) password:
>>
>> ipa : ERROR Could not resolve
>> hostname ipa2.SITE.net [...]
>> (this check queries IPA DNS directly and
>> ignores /etc/hosts.)
>> Continue? [no]: yes
>> Configuring NTP daemon (ntpd)
>> [1/4]: stopping ntpd
>> [2/4]: writing configuration
>> [3/4]: configuring ntpd to start on boot
>> [4/4]: starting ntpd
>> Done configuring NTP daemon (ntpd).
>> Configuring directory server (dirsrv).
>> Estimated time: 1 minute
>> [1/42]: creating directory server user
>> [2/42]: creating directory server instance
>> [3/42]: updating configuration in dse.ldif
>> [4/42]: restarting directory server
>> [5/42]: adding default schema
>> [6/42]: enabling memberof plugin
>> [7/42]: enabling winsync plugin
>> [8/42]: configuring replication version plugin
>> [9/42]: enabling IPA enrollment plugin
>> [10/42]: enabling ldapi
>> [11/42]: configuring uniqueness plugin
>> [12/42]: configuring uuid plugin
>> [13/42]: configuring modrdn plugin
>> [14/42]: configuring DNS plugin
>> [15/42]: enabling entryUSN plugin
>> [16/42]: configuring lockout plugin
>> [17/42]: configuring topology plugin
>> [18/42]: creating indices
>> [19/42]: enabling referential integrity plugin
>> [20/42]: configuring ssl for ds instance
>> [21/42]: configuring certmap.conf
>> [22/42]: configure autobind for root
>> [23/42]: configure new location for managed
>> entries
>> [24/42]: configure dirsrv ccache
>> [25/42]: enabling SASL mapping fallback
>> [26/42]: restarting directory server
>> [27/42]: setting up initial replication
>> Starting replication, please wait until this
>> has completed.
>> Update in progress, 4 seconds elapsed
>> Update succeeded
>>
>> [28/42]: adding sasl mappings to the directory
>> [29/42]: updating schema
>> [30/42]: setting Auto Member configuration
>> [31/42]: enabling S4U2Proxy delegation
>> [32/42]: importing CA certificates from LDAP
>> [33/42]: initializing group membership
>> [34/42]: adding master entry
>> [35/42]: initializing domain level
>> [36/42]: configuring Posix uid/gid generation
>> [37/42]: adding replication acis
>> [38/42]: enabling compatibility plugin
>> [39/42]: activating sidgen plugin
>> [40/42]: activating extdom plugin
>> [41/42]: tuning directory server
>> [42/42]: configuring directory to start on boot
>> Done configuring directory server (dirsrv).
>> Configuring certificate server (pki-tomcatd).
>> Estimated time: 3 minutes 30 seconds
>> [1/27]: creating certificate server user
>> [2/27]: configuring certificate server instance
>> [3/27]: stopping certificate server
>> instance to update CS.cfg
>> [4/27]: backing up CS.cfg
>> [5/27]: disabling nonces
>> [6/27]: set up CRL publishing
>> [7/27]: enable PKIX certificate path
>> discovery and validation
>> [8/27]: starting certificate server instance
>>
>> And here it stays and refuses to move on. The
>> ipareplica-install.log log reports:
>> 2017-05-18T08:40:07Z DEBUG
>> wait_for_open_ports: localhost [8080, 8443]
>> timeout 300
>> 2017-05-18T08:40:09Z DEBUG Waiting until the
>> CA is running
>> 2017-05-18T08:40:09Z DEBUG request POST
>> http://ipa2.SITE.net:8080/ca/admin/ca/getStatus
>> 2017-05-18T08:40:09Z DEBUG request body ''
>>
>> I have tried, and that port is indeed
>> inaccessible, but I can't establish a way to
>> progress this issue from any of the other
>> log files. Also, I have seen in the 4.4.4
>> release notes that IPv6 being disabled on the
>> master can cause issues; re-enabling it (at
>> least in /etc/hosts) did not seem to help.
>>
>> If anyone is able to offer ideas that would
>> be very much appreciated. I am tempted to
>> remove the --setup-ca option to see if this
>> helps.
>>
>> Thanks,
>>
>> Callum
>>
>>
>>
>> *^0333 332 0000 | www.x-on.co.uk
>> <http://www.x-on.co.uk> |
>> _**_^<https://www.linkedin.com/company/x-on>
>> <https://www.facebook.com/XonTel>
>> <https://twitter.com/xonuk> *
>> X-on is a trading name of Storacall
>> Technology Ltd a limited company registered
>> in England and Wales.
>> Registered Office : Avaland House, 110 London
>> Road, Apsley, Hemel Hempstead, Herts, HP3
>> 9SD. Company Registration No. 2578478.
>> The information in this e-mail is
>> confidential and for use by the addressee(s)
>> only. If you are not the intended recipient,
>> please notify X-on immediately on +44(0)333
>> 332 0000 <tel:+44%20333%20332%200000> and
>> delete the
>> message from your computer. If you are not a
>> named addressee you must not use, disclose,
>> disseminate, distribute, copy, print or reply
>> to this email. Views or opinions expressed by
>> an individual
>> within this email may not necessarily reflect
>> the views of X-on or its associated
>> companies. Although X-on routinely screens
>> for viruses, addressees should scan this
>> email and any attachments
>> for viruses. X-on makes no representation or
>> warranty as to the absence of viruses in this
>> email or any attachments.
>>
>
> --
> Martin Bašti
> Software Engineer
> Red Hat Czech
>
--
Martin Bašti
Software Engineer
Red Hat Czech
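The hang Callum quotes sits between two installer checks visible in his log: wait_for_open_ports on localhost 8080/8443, then the POST to /ca/admin/ca/getStatus repeated until the CA answers "running". The Python below re-creates that probe as a stand-alone diagnostic that reports where startup stalls instead of sitting at step [8/27]; it is an added example, not FreeIPA's or Dogtag's code, and it assumes the getStatus reply is an XMLResponse document carrying a Status element (the injectable connect/fetch/clock/sleep parameters exist only so the logic can be exercised offline).

```python
import socket
import time
import urllib.request
import xml.etree.ElementTree as ET

STATUS_PATH = "/ca/admin/ca/getStatus"  # path polled in the quoted log

def parse_ca_status(body):
    """<Status> text of a Dogtag XMLResponse (assumed shape:
    <XMLResponse><Status>running</Status>...</XMLResponse>); None for
    anything else, e.g. a Tomcat 404 page while the web app is deploying."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    return root.findtext("Status")

def ports_open(host, ports, connect=socket.create_connection):
    """The wait_for_open_ports stage: every port must accept a TCP connect.
    'connect' is injectable so the logic can be exercised offline."""
    for port in ports:
        try:
            connect((host, port), timeout=2).close()
        except OSError:
            return False
    return True

def fetch_status(url):
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read().decode("utf-8", "replace")

def wait_for_ca(host="localhost", ports=(8080, 8443), timeout=300, poll=1.0,
                connect=socket.create_connection, fetch=fetch_status,
                clock=time.monotonic, sleep=time.sleep):
    """Ports first, then getStatus until 'running' or the deadline; returns
    (ok, last_observation) so the caller can see where startup stalled."""
    deadline = clock() + timeout
    last = "ports %s not open on %s" % (list(ports), host)
    while clock() < deadline:
        if ports_open(host, ports, connect):
            try:
                status = parse_ca_status(fetch("http://%s:%d%s" % (host, ports[0], STATUS_PATH)))
            except OSError as e:  # URLError/HTTPError are OSError subclasses
                status, last = None, "getStatus failed: %s" % e
            if status == "running":
                return True, "CA running"
            if status is not None:
                last = "CA status: %s" % status
        sleep(poll)
    return False, "timed out after %ss; last: %s" % (timeout, last)
```

Run against the replica itself, a `False` result names the stage that never completed (ports never opened, getStatus unreachable, or a Status other than "running"), which is the detail the installer's own 300-second wait does not surface.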