The IPA server is version 2.0.0 R3 which is supposed to install on fc14 with some packages from updates-testing repo, while the replica install is on server 2.0.1 <br><br>Yes, there is no dogtagcert.p12 file; here are the files contained:<br>
realm_info/httpcert.p12<br> realm_info/cacert.p12<br> realm_info/ldappwd<br> realm_info/ra.p12<br> realm_info/http_pin.txt<br> realm_info/realm_info<br> realm_info/configure.jar<br> realm_info/dscert.p12<br> realm_info/dirsrv_pin.txt<br>
realm_info/pwdfile.txt.ori<br> realm_info/pwdfile.txt<br> realm_info/kpasswd.keytab<br> realm_info/preferences.htm<br> realm_info/ca.crt<br><br>I have upgraded the IPA box to fc15 and freeipa-2.0.1 in the quest to get a correct replica package but that seems to have created another problem as it has broken the tomcat and thus pki-ca.<br>
<br>Jun 3, 2011 10:09:29 AM org.apache.catalina.loader.WebappLoader start<br>SEVERE: LifecycleException <br>java.io.IOException: Failed to access resource /WEB-INF/lib/jakarta-commons-collections.jar<br> at org.apache.catalina.loader.WebappLoader.setRepositories(WebappLoader.java:1050)<br>
at org.apache.catalina.loader.WebappLoader.start(WebappLoader.java:681)<br> at org.apache.catalina.core.StandardContext.start(StandardContext.java:4541)<br> at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:799)<br>
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:779)<br> at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:546)<br> at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)<br>
at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)<br> at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)<br> at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)<br>
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)<br> at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142)<br> at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1061)<br>
at org.apache.catalina.core.StandardHost.start(StandardHost.java:785)<br> at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)<br> at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:463)<br>
at org.apache.catalina.core.StandardService.start(StandardService.java:525)<br> at org.apache.catalina.core.StandardServer.start(StandardServer.java:701)<br> at org.apache.catalina.startup.Catalina.start(Catalina.java:585)<br>
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)<br> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)<br> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)<br>
at java.lang.reflect.Method.invoke(Method.java:616)<br> at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)<br> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)<br>Caused by: javax.naming.NamingException: Resource jakarta-commons-collections.jar not found<br>
at org.apache.naming.resources.FileDirContext.lookup(FileDirContext.java:209)<br> at org.apache.catalina.loader.WebappLoader.setRepositories(WebappLoader.java:1048)<br> ... 24 more<br><br>It seems to me that it is looking for jakarta-commons-collections.jar which exists but is a package from the old tomcat6-6.0.26.<br>
<br><br>Thanks<br><br>__Ide<br><br><br><br><div class="gmail_quote">On Thu, Jun 2, 2011 at 11:08 AM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">Uzor Ide wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Thanks Rob<br>
<br>
I did run the certutil -L -d /etc/dirsrv/slapd-PKI-IPA command; the<br>
nssdb is empty<br>
If the CA cert is supposed to exist there at that stage of install,<br>
then that would be the problem.<br>
<br>
Both the slapd-PKI-IPA error and access do not contain much. I<br>
attached them herein with the ipareplica-install.log.<br>
<br>
</blockquote>
<br></div>
How old is the prepared replica file, and was it created with an older version of IPA?<br>
<br>
In one of the last release candidates we started creating a separate SSL certificate for the 389-ds instance used by dogtag. I get the feeling that doesn't exist which would explain why SSL is failing.<br>
<br>
You can check by doing something like:<br>
# gpg -d replica-info-<your-server>.gpg | tar tvf -<br>
<br>
The file you're looking for is dogtagcert.p12<br><font color="#888888">
<br>
rob<br>
</font><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">
thanks<br>
<br>
Ide<br>
<br>
<br>
On Wed, Jun 1, 2011 at 11:40 AM, Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a><br></div><div><div></div><div class="h5">
<mailto:<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>>> wrote:<br>
<br>
Uzor Ide wrote:<br>
<br>
<br>
Hi all<br>
<br>
We are trying to set up a backup IPA server and decided to toe that<br>
replication route.<br>
The box is a fedora 14 with freeipa-2.0-RC2 which I upgraded to<br>
fedora<br>
15 and freeipa 2.0.1.<br>
Note we first did ipa-server-install --uninstall before<br>
upgrading the<br>
freeipa packages so as to make sure that the server is<br>
relatively clean.<br>
<br>
However when I run that ipa-replica-install command, I end up<br>
with the<br>
following error in the ipareplica-install.log<br>
<br>
2011-05-31 23:54:33,352 DEBUG args=/sbin/service dirsrv restart<br>
PKI-IPA<br>
2011-05-31 23:54:33,353 DEBUG stdout=Shutting down dirsrv:<br>
PKI-IPA...[ OK ]<br>
Starting dirsrv:<br>
PKI-IPA...[FAILED]<br>
*** Warning: 1 instance(s) failed to start<br>
<br>
2011-05-31 23:54:33,354 DEBUG stderr=[31/May/2011:23:54:23<br>
-0400] - SSL<br>
alert: Security Initialization: Unable to authenticate (Netscape<br>
Portable Runtime error -8192 - An I/O error occurred during security<br>
authorization.)<br>
[31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed.<br>
<br>
2011-05-31 23:54:33,497 DEBUG args=/sbin/service dirsrv status<br>
2011-05-31 23:54:33,500 DEBUG stdout=dirsrv PKI-IPA is stopped<br>
<br>
2011-05-31 23:54:33,501 DEBUG stderr=<br>
2011-05-31 23:54:33,502 CRITICAL Failed to restart the directory<br>
server.<br>
See the installation log for details.<br>
<br>
These are the tomcat rpms on the server<br>
<br>
tomcat5-servlet-2.4-api-5.5.31-3.fc15.noarch<br>
tomcat6-jsp-2.1-api-6.0.30-6.fc15.noarch<br>
tomcat6-6.0.30-6.fc15.noarch<br>
tomcat6-servlet-2.5-api-6.0.30-6.fc15.noarch<br>
tomcat6-lib-6.0.30-6.fc15.noarch<br>
tomcat6-el-2.1-api-6.0.30-6.fc15.noarch<br>
tomcatjss-2.1.1-1.fc15.noarch<br>
<br>
So the tomcat6 version is definitely greater than tomcat6-6-0.30-5.<br>
<br>
The /var/log/dirsrv/slapd-PKI-IPA/errors log does not show any<br>
other<br>
thing different from same,<br>
<br>
[31/May/2011:23:54:23 -0400] - SSL alert: Security Initialization:<br>
Unable to authenticate (Netscape Portable Runtime error -8192 -<br>
An I/O<br>
error occurred during security authorization.)<br>
[31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed<br>
<br>
<br>
Any help will be greatly appreciated<br>
<br>
Ide<br>
<br>
<br>
I think we need more context. Can you compress and send<br>
/var/log/ipareplica-install.log ?<br>
<br>
I'd also suggest looking at /var/log/dirsrv/PKI-IPA/access and<br>
errors to see if there is anything interesting there.<br>
<br>
And can you provide the output for:<br>
<br>
certutil -L -d /etc/dirsrv/slapd-PKI-IPA<br>
<br>
It would seem that your 389-ds instance is missing a copy of the CA<br>
cert.<br>
<br>
thanks<br>
<br>
rob<br>
<br>
<br>
<br>
<br></div></div><div class="im">
</div></blockquote>
<br>
</blockquote></div><br>
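The ipareplica-install.log excerpt quoted in this thread can be triaged programmatically; the following is an added example, not part of the original messages or of FreeIPA's own code. `SAMPLE_LOG` is constructed from the lines quoted above, the function names are hypothetical, and the parser assumes each `args=` record is followed by its `stdout=` and then `stderr=` record, as in the excerpt.

```python
import re

# Constructed sample, shaped like the ipareplica-install.log lines quoted in the thread.
SAMPLE_LOG = """\
2011-05-31 23:54:33,352 DEBUG args=/sbin/service dirsrv restart PKI-IPA
2011-05-31 23:54:33,353 DEBUG stdout=Shutting down dirsrv:
    PKI-IPA...[  OK  ]
Starting dirsrv:
    PKI-IPA...[FAILED]
  *** Warning: 1 instance(s) failed to start
2011-05-31 23:54:33,354 DEBUG stderr=[31/May/2011:23:54:23 -0400] - SSL alert: Security Initialization: Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.)
[31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed.
2011-05-31 23:54:33,497 DEBUG args=/sbin/service dirsrv status
2011-05-31 23:54:33,500 DEBUG stdout=dirsrv PKI-IPA is stopped
2011-05-31 23:54:33,501 DEBUG stderr=
2011-05-31 23:54:33,502 CRITICAL Failed to restart the directory server.
"""

RECORD = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (\w+) (.*)$")
NSPR = re.compile(r"Netscape Portable Runtime error (-\d+)")

def parse_records(text):
    """Group lines into [timestamp, level, message]; untimestamped lines continue the previous record."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            records.append([m.group(1), m.group(2), m.group(3)])
        elif records:
            records[-1][2] += "\n" + line
    return records

def failed_commands(text):
    """Return one finding per args= command whose stdout/stderr shows a failure."""
    findings, current = [], None
    for _ts, level, msg in parse_records(text):
        if level == "DEBUG" and msg.startswith("args="):
            current = {"args": msg[5:], "output": ""}
        elif level == "DEBUG" and current and msg.startswith(("stdout=", "stderr=")):
            current["output"] += msg.split("=", 1)[1] + "\n"
            if msg.startswith("stderr="):  # assumed to be the command's last record
                out = current["output"]
                codes = NSPR.findall(out)
                if "[FAILED]" in out or "ERROR:" in out or codes:
                    findings.append({"args": current["args"], "nspr": sorted({int(c) for c in codes})})
                current = None
    return findings
```

Run over the sample, only the `dirsrv restart PKI-IPA` command is flagged, together with the NSPR code from the SSL initialization failure; the `status` command is not.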