<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 01/10/2015 05:47 PM, Sina Owolabi
wrote:<br>
</div>
<blockquote
cite="mid:CACK8u8LCagDUEbsZyqyb+4VtajaWRzzTTKen_tn2zaZS2p9n3w@mail.gmail.com"
type="cite">
<p dir="ltr">Yes, I've had this installed more than three years,
and I upgrade from time to time, not frequently because I don't
want to break anything. I just did an upgrade to the latest RHEL
version about a week ago, when the replica started acting up.
Directory services would hang indefinitely, and nothing else
would function. So I took it down and reinstalled ipa and
resynced. <br>
Is there a fix I can apply?</p>
</blockquote>
<br>
Your situation has quite similar symptoms to the case of expired
certificates.<br>
What most likely happened is that the certificates were not renewed
properly, or were not renewed properly on all servers.<br>
<br>
Here is the procedure <br>
<a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/Howto/CA_Certificate_Renewal">http://www.freeipa.org/page/Howto/CA_Certificate_Renewal</a><br>
there have also been some threads as a lot of people hit this.<br>
<br>
Check IPA mailing archives.<br>
Rob Crittenden is the person who was hand-holding other people on
the list through this and similar procedures, so look for his posts.<br>
<br>
But before you go there please check that this is actually the case
and your certs in fact expired. Check all your servers.<br>
<br>
Here is the pointer<br>
<a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/Troubleshooting#PKI_Issues">http://www.freeipa.org/page/Troubleshooting#PKI_Issues</a><br>
<br>
<br>
<blockquote
cite="mid:CACK8u8LCagDUEbsZyqyb+4VtajaWRzzTTKen_tn2zaZS2p9n3w@mail.gmail.com"
type="cite">
<div class="gmail_quote">On Jan 10, 2015 10:42 PM, "Dmitri Pal"
<<a moz-do-not-send="true" href="mailto:dpal@redhat.com">dpal@redhat.com</a>>
wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">On
01/10/2015 04:41 AM, Sina Owolabi wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
I've run ipa-dns-install after the fact now, and named is
set up.<br>
Strange, it used to work without me having to do this
manually<br>
(whenever I needed to take down a replica).<br>
However when I ran dnsconfig-mod on the new replica, I get:<br>
<br>
ipa dnsconfig-mod<br>
ipa: ERROR: cert validation failed for<br>
"CN=<a moz-do-not-send="true"
href="http://services01.mydom.com" target="_blank">services01.mydom.com</a>,O=<a
moz-do-not-send="true" href="http://MYDOM.COM"
target="_blank">MYDOM.COM</a>"
((SEC_ERROR_UNTRUSTED_ISSUER)<br>
Peer's certificate issuer has been marked as not trusted by
the user.)<br>
ipa: ERROR: cert validation failed for<br>
"CN=<a moz-do-not-send="true"
href="http://services.mydom.com" target="_blank">services.mydom.com</a>,O=<a
moz-do-not-send="true" href="http://MYDOM.COM"
target="_blank">MYDOM.COM</a>"
((SEC_ERROR_UNTRUSTED_ISSUER)<br>
Peer's certificate issuer has been marked as not trusted by
the user.)<br>
ipa: ERROR: cannot connect to Gettext('any of the configured
servers',<br>
domain='ipa', localedir=None): <a moz-do-not-send="true"
href="https://services01.mydom.com/ipa/xml"
target="_blank">https://services01.mydom.com/ipa/xml</a>,<br>
<a moz-do-not-send="true"
href="https://services.mydom.com/ipa/xml" target="_blank">https://services.mydom.com/ipa/xml</a><br>
</blockquote>
<br>
Can it be that your certs have expired and were not properly
renewed?<br>
How long have you been running this setup?<br>
More than two years?<br>
Have you been upgrading since early versions?<br>
<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
On Sat, Jan 10, 2015 at 10:22 AM, Sina Owolabi <<a
moz-do-not-send="true" href="mailto:notify.sina@gmail.com"
target="_blank">notify.sina@gmail.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
I did run it with --setup-dns.<br>
<br>
[root@services01 ~]# ipa-replica-install --setup-dns<br>
--forwarder=8.8.8.8 --forwarder=8.8.4.4<br>
replica-info-services01.mydom.com.gpg<br>
<br>
How can I fix this, please?<br>
<br>
On Fri, Jan 9, 2015 at 8:33 PM, Rob Crittenden <<a
moz-do-not-send="true" href="mailto:rcritten@redhat.com"
target="_blank">rcritten@redhat.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
Sina Owolabi wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi List,<br>
<br>
I've seen this happen on two occasions, now, in two
different<br>
environments, one with RHEL6.6 and RHEL 6.3.<br>
<br>
I have issues with a replica server, I delete the
replication<br>
agreement, remove the server from ipa dns, run
ipa-server-install<br>
--uninstall -U.<br>
Reboot the server, create new replication settings
from the existing<br>
master, and restore the replica.<br>
Running ipactl status, I see:<br>
<br>
ipactl status<br>
Directory Service: RUNNING<br>
KDC Service: RUNNING<br>
KPASSWD Service: RUNNING<br>
MEMCACHE Service: RUNNING<br>
HTTP Service: RUNNING<br>
<br>
No DNS service listed. Named is not running.<br>
<br>
ipactl restart<br>
Restarting Directory Service<br>
Shutting down dirsrv:<br>
MYDOM-COM...
[ OK ]<br>
Starting dirsrv:<br>
MYDOM-COM...
[ OK ]<br>
Restarting KDC Service<br>
Stopping Kerberos 5 KDC:
[ OK ]<br>
Starting Kerberos 5 KDC:
[ OK ]<br>
Restarting KPASSWD Service<br>
Stopping Kerberos 5 Admin Server:
[ OK ]<br>
Starting Kerberos 5 Admin Server:
[ OK ]<br>
Restarting MEMCACHE Service<br>
Stopping ipa_memcached:
[ OK ]<br>
Starting ipa_memcached:
[ OK ]<br>
Restarting HTTP Service<br>
Stopping httpd:
[ OK ]<br>
Starting httpd:
[ OK ]<br>
<br>
Checking on named:<br>
service named status<br>
rndc: connect failed: 127.0.0.1#953: connection
refused<br>
named is stopped<br>
# service named start<br>
Starting named:
[ OK ]<br>
# service named status<br>
version: 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1<br>
CPUs found: 2<br>
worker threads: 2<br>
number of zones: 19<br>
debug level: 0<br>
xfers running: 0<br>
xfers deferred: 0<br>
soa queries in progress: 0<br>
query logging is OFF<br>
recursive clients: 0/0/1000<br>
tcp clients: 0/100<br>
server is up and running<br>
named (pid 25017) is running...<br>
<br>
But it does not resolve. Please what is happening and
how can I fix this?<br>
I don't know what logs to provide, but please let me
know what is<br>
necessary and I'll make them available.<br>
</blockquote>
Bind is an optional service. You can either configure it
at the time you<br>
install replica using the --setup-dns option or
afterward using<br>
ipa-dns-install.<br>
<br>
rob<br>
<br>
</blockquote>
</blockquote>
</blockquote>
<br>
<br>
-- <br>
Thank you,<br>
Dmitri Pal<br>
<br>
Sr. Engineering Manager IdM portfolio<br>
Red Hat, Inc.<br>
<br>
-- <br>
Manage your subscription for the Freeipa-users mailing list:<br>
<a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"
target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go To <a moz-do-not-send="true" href="http://freeipa.org"
target="_blank">http://freeipa.org</a> for more info on the
project<br>
</blockquote>
</div>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
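<p>The reply above says to confirm on every server that the certificates really have expired before starting the renewal procedure. The script below is an added example for this thread, not code from the original mail or from the FreeIPA project. It parses the output of certmonger's <code>getcert list</code> (the command the linked troubleshooting page relies on) and reports any tracked certificate that is already expired, expires within a warning window, or sits in a state other than MONITORING. The sample output embedded in it is constructed; the request IDs, file locations and dates are made up, only the subject and issuer names echo the ones quoted in the thread. Run it on each server with <code>getcert list | python check_getcert.py</code> (the file name is an assumption), or use the embedded sample to see the report format.</p>

```python
"""Flag expired, expiring or stuck certmonger-tracked certificates.

Added example for this mailing-list thread; not code from the original
mail or from the FreeIPA project.  Feed it the output of `getcert list`
on stdin, or run it without input to check the constructed sample below.
"""
import sys
from datetime import datetime, timedelta

# Constructed sample in the layout certmonger's `getcert list` prints.
# Request IDs, paths and dates are invented; names echo the thread.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20120105143211':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=MYDOM.COM
\tsubject: CN=services01.mydom.com,O=MYDOM.COM
\texpires: 2015-01-03 10:22:13 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20120105143212':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MYDOM-COM',nickname='Server-Cert',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-MYDOM-COM',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=MYDOM.COM
\tsubject: CN=services01.mydom.com,O=MYDOM.COM
\texpires: 2015-02-15 08:00:00 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20120105143213':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=MYDOM.COM
\tsubject: CN=Certificate Authority,O=MYDOM.COM
\texpires: 2032-01-05 14:32:11 UTC
\ttrack: yes
\tauto-renew: yes
"""

# Constructed "current time" so the sample gives a stable report.
SAMPLE_NOW = datetime(2015, 1, 10, 12, 0, 0)


def parse_getcert_list(text):
    """Split `getcert list` output into one dict of fields per request."""
    requests = []
    current = None
    for line in text.splitlines():
        if line.startswith("Request ID '") and line.endswith("':"):
            current = {"request_id": line[len("Request ID '"):-2]}
            requests.append(current)
        elif current is not None and ":" in line:
            # Fields are "<tab>key: value"; split on the first colon only,
            # so values such as "expires: 2015-01-03 10:22:13 UTC" survive.
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests


def parse_expiry(value):
    """certmonger prints expiry as e.g. '2015-01-03 10:22:13 UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC")


def check_certmonger(text, now, warn_days=28):
    """Return (request_id, subject, problem) for every certificate that is
    expired, expires within warn_days, or is not in state MONITORING."""
    findings = []
    for req in parse_getcert_list(text):
        rid, subject = req["request_id"], req.get("subject", "?")
        status, stuck = req.get("status", "UNKNOWN"), req.get("stuck", "?")
        if status != "MONITORING" or stuck == "yes":
            findings.append((rid, subject, "status %s (stuck: %s)" % (status, stuck)))
        if "expires" in req:
            expires = parse_expiry(req["expires"])
            if expires <= now:
                findings.append((rid, subject, "EXPIRED on %s" % req["expires"]))
            elif expires - now <= timedelta(days=warn_days):
                findings.append((rid, subject, "expires in %d days" % (expires - now).days))
    return findings


def run_sample():
    """Check the constructed sample against the constructed clock."""
    return check_certmonger(SAMPLE_GETCERT_OUTPUT, SAMPLE_NOW)


if __name__ == "__main__":
    if sys.stdin.isatty():
        report = run_sample()
    else:
        report = check_certmonger(sys.stdin.read(), datetime.utcnow())
    for rid, subject, problem in report:
        print("%s  %s  %s" % (rid, subject, problem))
    if not report:
        print("all tracked certificates are MONITORING and not near expiry")
```

<p>A server where every request reports MONITORING and a future expiry date is not the source of the untrusted-issuer errors quoted above; a server that shows an expired certificate or a stuck request is where the renewal procedure from the linked page needs to be applied, and the check should be repeated on each master and replica before any one of them is trusted again.</p>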
</body>
</html>