Anybody with idea why my replication setup is hanging at stage 4 of the 11 stage process. ######################################################### Configuring directory server for the CA: Estimated time 30 seconds [1/3]: creating directory server user [2/3]: creating directory server instance [3/3]: restarting directory server done configuring pkids. Configuring certificate server: Estimated time 6 minutes [1/11]: creating certificate server user [2/11]: creating pki-ca instance [3/11]: restarting certificate server [4/11]: configuring certificate server instance ############################################################### When I checked the pki-ca debug log, everything is okay until it gets to the this stage and it keeps repeating the last entry. #################################################################### [06/Jun/2011:16:00:13][http-9445-1]: DatabasePanel initializeConsumer: initializeConsumer host: <a href="http://company.domain.com">company.domain.com</a> port: 7389 [06/Jun/2011:16:00:13][http-9445-1]: DatabasePanel initializeConsumer: start modifying [06/Jun/2011:16:00:14][http-9445-1]: DatabasePanel initializeConsumer: Finish modification. [06/Jun/2011:16:00:14][http-9445-1]: DatabasePanel initializeConsumer: thread sleeping for 5 seconds. [06/Jun/2011:16:00:19][http-9445-1]: DatabasePanel initializeConsumer: finish sleeping. [06/Jun/2011:16:00:19][http-9445-1]: DatabasePanel initializeConsumer: Successfully initialize consumer [06/Jun/2011:16:00:19][http-9445-1]: DatabasePanel comparetAndWaitEntries checking ou=people,o=ipaca [06/Jun/2011:16:00:30][http-9445-1]: DatabasePanel comparetAndWaitEntries ou=people,o=ipaca not found, let's wait! [06/Jun/2011:16:00:35][http-9445-1]: DatabasePanel comparetAndWaitEntries checking ou=people,o=ipaca [06/Jun/2011:16:00:35][http-9445-1]: DatabasePanel comparetAndWaitEntries ou=people,o=ipaca not found, let's wait! ######################################################################## If leave for hours, it will continue will keep repeating the last entry. In the catalina.out log, I get the following java execption ########################################################################### INFO: Deploying web application directory ca Jun 6, 2011 3:58:36 PM org.apache.catalina.startup.Catalina stopServer SEVERE: Catalina.stop: java.net.ConnectException: Connection refused at java.net.PlainSocketImpl.socketConnect(Native Method) at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:327) at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:193) at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:180) at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:384) at java.net.Socket.connect(Socket.java:546) at java.net.Socket.connect(Socket.java:495) at java.net.Socket.<init>(Socket.java:392) at java.net.Socket.<init>(Socket.java:206) at org.apache.catalina.startup.Catalina.stopServer(Catalina.java:412) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:616) at org.apache.catalina.startup.Bootstrap.stopServer(Bootstrap.java:338) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:416) 32-bit osutil library loaded 32-bit osutil library loaded CMS Warning: FAILURE: Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate|FAILURE: authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value| Server is started. Jun 6, 2011 3:58:44 PM org.apache.catalina.startup.HostConfig deployDirectory INFO: Deploying web application directory ROOT ############################################################# While this points to connection failure, I don't know why that is so because there is not firewall running on the two boxes, also I disabled selinux just to make sure but it did not make any difference. There is a bug number 643449 with this exception thrown here in bugzilla but that issue was supposed to be caused by missing xalan-j2-serializer.jar file in the tomcat5. This is tomcat6. Please any help will be appreciated. Thanks __Ide <div class="gmail_quote">On Fri, Jun 3, 2011 at 2:32 PM, Uzor Ide <<a href="mailto:ide4you@gmail.com">ide4you@gmail.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">I have corrected the problem with the ipa server, from the broken tomcat/pki-ca; The problem comes a sym link that was created during the setup of pki-ca from PKI-HOME for jakarta-commons-collections.jar to /usr/share/java/jakarta-commons-collections.jar. This file is a member of jakarta-commons-collections rpm package in fc14. In fc15 jakarta-commons-collections package appears to have been renamed to apache-commons-collections and an equivalent file apache-commons-collections.jar is contained. However when you upgrade, at least in my own case using preupgrade, it leaves /var/lib/pki-ca/webapps/ca/WEB-INF/lib/jakarta-commons-collections.jar link orphaned. recreating the sym link to /usr/share/java/apache-commons-collections.jar fixes the problem. I have create a new replica package and I see that it contained the dogtagcert.p12 file. I will try to install the replica and see how it goes. Thanks __Ide<div><div> </div><div class="h5"> <blockquote class="gmail_quote"></blockquote> <blockquote class="gmail_quote"></blockquote> <blockquote class="gmail_quote"></blockquote> <div class="gmail_quote">On Fri, Jun 3, 2011 at 10:28 AM, Uzor Ide <<a href="mailto:ide4you@gmail.com" target="_blank">ide4you@gmail.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">The IPA server is version 2.0.0 R3 which is supposed to install on fc14 with some packages from updates-testing repo, while the replica install is on server 2.0.1 Yes, there is no dogtagcert.p12 file; here are the files contained: realm_info/httpcert.p12 realm_info/cacert.p12 realm_info/ldappwd realm_info/ra.p12 realm_info/http_pin.txt realm_info/realm_info realm_info/configure.jar realm_info/dscert.p12 realm_info/dirsrv_pin.txt realm_info/pwdfile.txt.ori realm_info/pwdfile.txt realm_info/kpasswd.keytab realm_info/preferences.htm realm_info/ca.crt I have upgraded the IPA box to fc15 and freeipa-2.0.1 in the quest to get a correct replica package but that seems to have created another problem as it has broken the tomcat and thus pki-ca. Jun 3, 2011 10:09:29 AM org.apache.catalina.loader.WebappLoader start SEVERE: LifecycleException java.io.IOException: Failed to access resource /WEB-INF/lib/jakarta-commons-collections.jar at org.apache.catalina.loader.WebappLoader.setRepositories(WebappLoader.java:1050) at org.apache.catalina.loader.WebappLoader.start(WebappLoader.java:681) at org.apache.catalina.core.StandardContext.start(StandardContext.java:4541) at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:799) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:779) at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:546) at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041) at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964) at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502) at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277) at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321) at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142) at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1061) at org.apache.catalina.core.StandardHost.start(StandardHost.java:785) at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053) at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:463) at org.apache.catalina.core.StandardService.start(StandardService.java:525) at org.apache.catalina.core.StandardServer.start(StandardServer.java:701) at org.apache.catalina.startup.Catalina.start(Catalina.java:585) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:616) at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414) Caused by: javax.naming.NamingException: Resource jakarta-commons-collections.jar not found at org.apache.naming.resources.FileDirContext.lookup(FileDirContext.java:209) at org.apache.catalina.loader.WebappLoader.setRepositories(WebappLoader.java:1048) ... 24 more It seems to me that it is looking for jakarta-commons-collections.jar which exist but is a package from the old tomcat6-6.0.26. Thanks __Ide<div><div></div><div> <div class="gmail_quote">On Thu, Jun 2, 2011 at 11:08 AM, Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div>Uzor Ide wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Thanks Rob I did run the certutil -L -d /etc/dirsrv/slapd-PKI-IPA command; the nssdb is empty If the CA cert is supposed to exist there at that stage of install, then that would be the problem. Both the slapd-PKI-IPA error and access does not contain much. I attached them herein with the ipareplica-install.log. </blockquote> </div> How old is the prepared replica file, and was it created with an older version of IPA? In one of the last release candidates we started creating a separate SSL certificate for the 389-ds instance used by dogtag. I get the feeling that doesn't exist which would explain why SSL is failing. You can check by doing something like: # gpg -d replica-info-<your-server>.gpg | tar tvf - The file you're looking for is dogtagcert.p12 rob <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div> thanks Ide On Wed, Jun 1, 2011 at 11:40 AM, Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a> </div><div><div></div><div> <mailto:<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>>> wrote: Uzor Ide wrote: Hi all We are trying to setup a backup IPA server and decided to toe that replication route. The box is a fedora 14 with freeipa-2.0-RC2 which I upgraded to fedora 15 and freeipa 2.0.1. Note we first did ipa-server-install --uninstall before upgrading the freeipa packages so as to make sure that the server is relatively clean. However when I run that ipa-replica-install command, I end up with the following error in the ipareplica-install.log 2011-05-31 23:54:33,352 DEBUG args=/sbin/service dirsrv restart PKI-IPA 2011-05-31 23:54:33,353 DEBUG stdout=Shutting down dirsrv: PKI-IPA...[ OK ] Starting dirsrv: PKI-IPA...[FAILED] *** Warning: 1 instance(s) failed to start 2011-05-31 23:54:33,354 DEBUG stderr=[31/May/2011:23:54:23 -0400] - SSL alert: Security Initialization: Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.) [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed. 2011-05-31 23:54:33,497 DEBUG args=/sbin/service dirsrv status 2011-05-31 23:54:33,500 DEBUG stdout=dirsrv PKI-IPA is stopped 2011-05-31 23:54:33,501 DEBUG stderr= 2011-05-31 23:54:33,502 CRITICAL Failed to restart the directory server. See the installation log for details. This are the tomcat rpms on the server tomcat5-servlet-2.4-api-5.5.31-3.fc15.noarch tomcat6-jsp-2.1-api-6.0.30-6.fc15.noarch tomcat6-6.0.30-6.fc15.noarch tomcat6-servlet-2.5-api-6.0.30-6.fc15.noarch tomcat6-lib-6.0.30-6.fc15.noarch tomcat6-el-2.1-api-6.0.30-6.fc15.noarch tomcatjss-2.1.1-1.fc15.noarch So the tomcat6 version is definitely greater than tomcat6-6-0.30-5. The /var/log/dirsrv/slapd-PKI-IPA/errors logs does not show any other thing different from same, [31/May/2011:23:54:23 -0400] - SSL alert: Security Initialization: Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.) [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed Any help will be greatly appreciated Ide I think we need more context. Can you compress and send /var/log/ipareplica-install.log ? I'd also suggest looking at /var/log/dirsrv/PKI-IPA/access and errors to see if there is anything interesting there. And can you provide the output for: certutil -L -d /etc/dirsrv/slapd-PKI-IPA It would seem that your 389-ds instance is missing a copy of the CA cert. thanks rob </div></div><div> _______________________________________________ Freeipa-users mailing list <a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> </div></blockquote> </blockquote></div> </div></div></blockquote></div> </div></div></blockquote></div>