<p dir="ltr">Yes, I've had this installed more than three years, and I upgrade from time to time, not frequently because I don't want to break anything. I just did an upgrade to the latest RHEL version about a week ago, when the replica started acting up. Directory services would hang indefinitely, and nothing else would function. So I took it down and reinstalled ipa and resynced. <br>
Is there a fix I can apply?</p>
<div class="gmail_quote">On Jan 10, 2015 10:42 PM, "Dmitri Pal" <<a href="mailto:dpal@redhat.com">dpal@redhat.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 01/10/2015 04:41 AM, Sina Owolabi wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I've run ipa-dns-install after the fact now, and named is setup.<br>
Strange, it used to work without me having to do this manually<br>
(whenever I needed to take down a replica).<br>
However when I ran dnsconfig-mod on the new replica, I get:<br>
<br>
ipa dnsconfig-mod<br>
ipa: ERROR: cert validation failed for<br>
"CN=<a href="http://services01.mydom.com" target="_blank">services01.mydom.com</a>,O=<a href="http://MYDOM.COM" target="_blank">MYD<u></u>OM.COM</a>" ((SEC_ERROR_UNTRUSTED_ISSUER)<br>
Peer's certificate issuer has been marked as not trusted by the user.)<br>
ipa: ERROR: cert validation failed for<br>
"CN=<a href="http://services.mydom.com" target="_blank">services.mydom.com</a>,O=<a href="http://MYDOM.COM" target="_blank">MYDOM<u></u>.COM</a>" ((SEC_ERROR_UNTRUSTED_ISSUER)<br>
Peer's certificate issuer has been marked as not trusted by the user.)<br>
ipa: ERROR: cannot connect to Gettext('any of the configured servers',<br>
domain='ipa', localedir=None): <a href="https://services01.mydom.com/ipa/xml" target="_blank">https://services01.mydom.com/<u></u>ipa/xml</a>,<br>
<a href="https://services.mydom.com/ipa/xml" target="_blank">https://services.mydom.com/<u></u>ipa/xml</a><br>
</blockquote>
<br>
Can it be that your certs have expired and were not properly renewed?<br>
How long have you been running this setup?<br>
More than two years?<br>
Have you been upgrading since early versions?<br>
<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
On Sat, Jan 10, 2015 at 10:22 AM, Sina Owolabi <<a href="mailto:notify.sina@gmail.com" target="_blank">notify.sina@gmail.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I did run it with --setup-dns.<br>
<br>
[root@services01 ~]# ipa-replica-install --setup-dns<br>
--forwarder=8.8.8.8 --forwarder=8.8.4.4<br>
replica-info-services01.mydom.<u></u>com.gpg<br>
<br>
How can I fix this, please?<br>
<br>
On Fri, Jan 9, 2015 at 8:33 PM, Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Sina Owolabi wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi List,<br>
<br>
I've seen this happen on two occasions, now, in two different<br>
environments, one with RHEL6.6 and RHEL 6.3.<br>
<br>
I have issues with a replica sever, I delete the replication<br>
agreement, remove the server from ipa dns, run ipa-server-install<br>
--uninstall -U.<br>
Reboot the server, create new replication settings from the existing<br>
master, and restore the replica.<br>
Running ipactl status, I see:<br>
<br>
ipactl status<br>
Directory Service: RUNNING<br>
KDC Service: RUNNING<br>
KPASSWD Service: RUNNING<br>
MEMCACHE Service: RUNNING<br>
HTTP Service: RUNNING<br>
<br>
No DNS service listed. Named is not running.<br>
<br>
ipactl restart<br>
Restarting Directory Service<br>
Shutting down dirsrv:<br>
MYDOM-COM... [ OK ]<br>
Starting dirsrv:<br>
MYDOM-COM... [ OK ]<br>
Restarting KDC Service<br>
Stopping Kerberos 5 KDC: [ OK ]<br>
Starting Kerberos 5 KDC: [ OK ]<br>
Restarting KPASSWD Service<br>
Stopping Kerberos 5 Admin Server: [ OK ]<br>
Starting Kerberos 5 Admin Server: [ OK ]<br>
Restarting MEMCACHE Service<br>
Stopping ipa_memcached: [ OK ]<br>
Starting ipa_memcached: [ OK ]<br>
Restarting HTTP Service<br>
Stopping httpd: [ OK ]<br>
Starting httpd: [ OK ]<br>
<br>
Checking on named:<br>
service named status<br>
rndc: connect failed: 127.0.0.1#953: connection refused<br>
named is stopped<br>
# service named start<br>
Starting named: [ OK ]<br>
# service named status<br>
version: 9.8.2rc1-RedHat-9.8.2-0.23.<u></u>rc1.el6_5.1<br>
CPUs found: 2<br>
worker threads: 2<br>
number of zones: 19<br>
debug level: 0<br>
xfers running: 0<br>
xfers deferred: 0<br>
soa queries in progress: 0<br>
query logging is OFF<br>
recursive clients: 0/0/1000<br>
tcp clients: 0/100<br>
server is up and running<br>
named (pid 25017) is running...<br>
<br>
But it does not resolve. Please what is happening and how can I fix this?<br>
I don't know what logs to provide, but please let me know what is<br>
necessary and I'll make them available.<br>
</blockquote>
Bind is an optional service. You can either configure it at the time you<br>
install replica using the --setup-dns option or afterward using<br>
ipa-dns-install.<br>
<br>
rob<br>
<br>
</blockquote></blockquote></blockquote>
<br>
<br>
-- <br>
Thank you,<br>
Dmitri Pal<br>
<br>
Sr. Engineering Manager IdM portfolio<br>
Red Hat, Inc.<br>
<br>
-- <br>
Manage your subscription for the Freeipa-users mailing list:<br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/<u></u>mailman/listinfo/freeipa-users</a><br>
Go To <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project<br>
</blockquote></div>