<div dir="ltr">I went through that bugreport, particularly this section...<div><br></div><div><p style="color:rgb(0,0,0);font-family:verdana,arial,"bitstream vera sans",helvetica,sans-serif;font-size:13px">OK, I think I found the error. On the logs I get something like this *before* the failing dirsrv restart:</p><pre class="gmail-wiki" style="background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;background-color:rgb(247,247,247);border:1px solid rgb(215,215,215);margin:1em 1.75em;padding:0.25em;overflow:auto;color:rgb(0,0,0);font-size:13px">2017-01-14T03:41:28Z DEBUG   [27/44]: retrieving DS Certificate
2017-01-14T03:41:28Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2017-01-14T03:41:28Z DEBUG Starting external process
2017-01-14T03:41:28Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n <a href="http://EXAMPLE.COM">EXAMPLE.COM</a> IPA CA -a
2017-01-14T03:41:28Z DEBUG Process finished, return code=255
2017-01-14T03:41:28Z DEBUG stdout=
2017-01-14T03:41:28Z DEBUG stderr=certutil: Could not find cert: <a href="http://EXAMPLE.COM">EXAMPLE.COM</a> IPA CA
: PR_FILE_NOT_FOUND_ERROR: File not found
</pre><p style="color:rgb(0,0,0);font-family:verdana,arial,"bitstream vera sans",helvetica,sans-serif;font-size:13px">So, when the process stopped, I ran the command again:</p><pre class="gmail-wiki" style="background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;background-color:rgb(247,247,247);border:1px solid rgb(215,215,215);margin:1em 1.75em;padding:0.25em;overflow:auto;color:rgb(0,0,0);font-size:13px"># /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n <a href="http://EXAMPLE.COM">EXAMPLE.COM</a> IPA CA -a
certutil: Could not find cert: <a href="http://EXAMPLE.COM">EXAMPLE.COM</a>
: PR_FILE_NOT_FOUND_ERROR: File not found

</pre><p style="color:rgb(0,0,0);font-family:verdana,arial,"bitstream vera sans",helvetica,sans-serif;font-size:13px">and thought "wait... something is missing there":</p><pre class="gmail-wiki" style="background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;background-color:rgb(247,247,247);border:1px solid rgb(215,215,215);margin:1em 1.75em;padding:0.25em;overflow:auto;color:rgb(0,0,0);font-size:13px"># /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n "<a href="http://EXAMPLE.COM">EXAMPLE.COM</a> IPA CA" -a
-----BEGIN CERTIFICATE-----
<strip>
-----END CERTIFICATE-----
</pre><p style="color:rgb(0,0,0);font-family:verdana,arial,"bitstream vera sans",helvetica,sans-serif;font-size:13px">So, could this be the problem?</p><div><br></div><div>...and indeed when I run </div></div><div><br></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">[tiemen@copernicum ipapython]$ sudo /usr/bin/certutil -d /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n <a href="http://IPA.RDMEDIA.COM">IPA.RDMEDIA.COM</a> IPA CA -a<br>[sudo] password for tiemen: <br>certutil: Could not find cert: <a href="http://IPA.RDMEDIA.COM">IPA.RDMEDIA.COM</a><br>: PR_FILE_NOT_FOUND_ERROR: File not found</blockquote><div><br></div><div>and when I run</div><div> </div></div><div><div>[tiemen@copernicum ipapython]$ sudo /usr/bin/certutil -d /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n "<a href="http://IPA.RDMEDIA.COM">IPA.RDMEDIA.COM</a> IPA CA" -a</div><div>-----BEGIN CERTIFICATE-----</div></div><div><snip></div><div>-----END CERTIFICATE-----<br></div><div><br></div><div>valid certificate output. 
Where can I change this command to quote this string?</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 16 February 2017 at 17:29, Jeff Goddard <span dir="ltr"><<a href="mailto:jgoddard@emerlyn.com" target="_blank">jgoddard@emerlyn.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Might be another instance of this: <a href="https://fedorahosted.org/freeipa/ticket/6613" target="_blank">https://fedorahosted.org/<wbr>freeipa/ticket/6613</a><br><br></div>Jeff<br><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="h5">On Thu, Feb 16, 2017 at 11:21 AM, Tiemen Ruiten <span dir="ltr"><<a href="mailto:t.ruiten@rdmedia.com" target="_blank">t.ruiten@rdmedia.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><div dir="ltr">Hello,<div><br></div><div>I'm trying to add a third replica to a FreeIPA 4.4 domain (level 1), but I'm getting this error:</div><div><br></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">[tiemen@copernicum ~]$ sudo ipa-replica-install -P admin -w "XXXXXXXXXX" --mkhomedir --setup-dns --forwarder 8.8.8.8 --forwarder 8.8.4.4<br>Checking DNS forwarders, please wait ...<br>Run connection check to master<br>Connection check OK<br>Configuring NTP daemon (ntpd)<br>  [1/4]: stopping ntpd<br>  [2/4]: writing configuration<br>  [3/4]: configuring ntpd to start on boot<br>  [4/4]: starting ntpd<br>Done configuring NTP daemon (ntpd).<br>Configuring directory server (dirsrv). 
Estimated time: 1 minute<br>  [1/44]: creating directory server user<br>  [2/44]: creating directory server instance<br>  [3/44]: updating configuration in dse.ldif<br>  [4/44]: restarting directory server<br>  [5/44]: adding default schema<br>  [6/44]: enabling memberof plugin<br>  [7/44]: enabling winsync plugin<br>  [8/44]: configuring replication version plugin<br>  [9/44]: enabling IPA enrollment plugin<br>  [10/44]: enabling ldapi<br>  [11/44]: configuring uniqueness plugin<br>  [12/44]: configuring uuid plugin<br>  [13/44]: configuring modrdn plugin<br>  [14/44]: configuring DNS plugin<br>  [15/44]: enabling entryUSN plugin<br>  [16/44]: configuring lockout plugin<br>  [17/44]: configuring topology plugin<br>  [18/44]: creating indices<br>  [19/44]: enabling referential integrity plugin<br>  [20/44]: configuring certmap.conf<br>  [21/44]: configure autobind for root<br>  [22/44]: configure new location for managed entries<br>  [23/44]: configure dirsrv ccache<br>  [24/44]: enabling SASL mapping fallback<br>  [25/44]: restarting directory server<br>  [26/44]: creating DS keytab<br>  [27/44]: retrieving DS Certificate<br>  [28/44]: restarting directory server<br>ipa         : CRITICAL Failed to restart the directory server (Command '/bin/systemctl restart dirsrv@IPA-RDMEDIA-COM.service<wbr>' returned non-zero exit status 1). See the installation log for details.<br>  [29/44]: setting up initial replication<br>  [error] error: [Errno 111] Connection refused<br>Your system may be partly configured.<br>Run /usr/sbin/ipa-server-install --uninstall to clean up.<br>ipa.ipapython.install.cli.inst<wbr>all_tool(Replica): ERROR    [Errno 111] Connection refused<br>ipa.ipapython.install.cli.inst<wbr>all_tool(Replica): ERROR    The ipa-replica-install command failed. 
See /var/log/ipareplica-install.lo<wbr>g for more information</blockquote></div><div><br></div><div>In /var/log/ipareplica-install.lo<wbr>g we find:</div><div><br></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">2017-02-16T15:53:59Z DEBUG   [27/44]: retrieving DS Certificate<br>2017-02-16T15:53:59Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysre<wbr>store.index'<br>2017-02-16T15:53:59Z DEBUG Starting external process<br>2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-IPA-RDMEDIA-<wbr>COM/ -L -n <a href="http://IPA.RDMEDIA.COM" target="_blank">IPA.RDMEDIA.COM</a> IPA CA -a<br>2017-02-16T15:53:59Z DEBUG Process finished, return code=255<br>2017-02-16T15:53:59Z DEBUG stdout=<br><b>2017-02-16T15:53:59Z DEBUG stderr=certutil: Could not find cert: <a href="http://IPA.RDMEDIA.COM" target="_blank">IPA.RDMEDIA.COM</a> IPA CA<br>: PR_FILE_NOT_FOUND_ERROR: File not found</b><br>2017-02-16T15:53:59Z DEBUG Starting external process<br>2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-IPA-RDMEDIA-<wbr>COM/ -N -f /etc/dirsrv/slapd-IPA-RDMEDIA-<wbr>COM//pwdfile.txt<br>2017-02-16T15:53:59Z DEBUG Process finished, return code=0<br>2017-02-16T15:53:59Z DEBUG stdout=<br>2017-02-16T15:53:59Z DEBUG stderr=<br>2017-02-16T15:53:59Z DEBUG Starting external process<br>2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-IPA-RDMEDIA-<wbr>COM/ -A -n <a href="http://IPA.RDMEDIA.COM" target="_blank">IPA.RDMEDIA.COM</a> IPA CA -t CT,C,C -a<br>2017-02-16T15:53:59Z DEBUG Process finished, return code=0<br>2017-02-16T15:53:59Z DEBUG stdout=<br>2017-02-16T15:53:59Z DEBUG stderr=<br>2017-02-16T15:53:59Z DEBUG certmonger request is in state dbus.String(u'NEWLY_ADDED_READ<wbr>ING_KEYINFO', variant_level=1)<br>2017-02-16T15:54:04Z DEBUG certmonger request is in state dbus.String(u'CA_UNREACHABLE', variant_level=1)<br>2017-02-16T15:54:04Z DEBUG 
flushing ldapi://%2fvar%2frun%2fslapd-I<wbr>PA-RDMEDIA-COM.socket from SchemaCache<br>2017-02-16T15:54:04Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fsla<wbr>pd-IPA-RDMEDIA-COM.socket conn=<ldap.ldapobject.SimpleLD<wbr>APObject instance at 0x74efd40><br>2017-02-16T15:54:05Z DEBUG   duration: 5 seconds<br>2017-02-16T15:54:05Z DEBUG   [28/44]: restarting directory server<br>2017-02-16T15:54:05Z DEBUG Starting external process<br>2017-02-16T15:54:05Z DEBUG args=/bin/systemctl --system daemon-reload<br>2017-02-16T15:54:05Z DEBUG Process finished, return code=0<br>2017-02-16T15:54:05Z DEBUG stdout=<br>2017-02-16T15:54:05Z DEBUG stderr=<br>2017-02-16T15:54:05Z DEBUG Starting external process<br>2017-02-16T15:54:05Z DEBUG args=/bin/systemctl restart dirsrv@IPA-RDMEDIA-COM.service<br>2017-02-16T15:54:06Z DEBUG Process finished, return code=1<br>2017-02-16T15:54:06Z DEBUG stdout=<br>2017-02-16T15:54:06Z DEBUG stderr=Job for dirsrv@IPA-RDMEDIA-COM.service failed because the control process exited with error code. See "systemctl status dirsrv@IPA-RDMEDIA-COM.service<wbr>" and "journalctl -xe" for details.<br>2017-02-16T15:54:06Z CRITICAL Failed to restart the directory server (Command '/bin/systemctl restart dirsrv@IPA-RDMEDIA-COM.service<wbr>' returned non-zero exit status 1). 
See the installation log for details.<br>2017-02-16T15:54:06Z DEBUG   duration: 1 seconds<br>2017-02-16T15:54:06Z DEBUG   [29/44]: setting up initial replication<br>2017-02-16T15:54:16Z DEBUG Traceback (most recent call last):<br>  File "/usr/lib/python2.7/site-packa<wbr>ges/ipaserver/install/service.<wbr>py", line 449, in start_creation<br>    run_step(full_msg, method)<br>  File "/usr/lib/python2.7/site-packa<wbr>ges/ipaserver/install/service.<wbr>py", line 439, in run_step<br>    method()<br>  File "/usr/lib/python2.7/site-packa<wbr>ges/ipaserver/install/dsinstan<wbr>ce.py", line 405, in __setup_replica<br>    self.dm_password)<br>  File "/usr/lib/python2.7/site-packa<wbr>ges/ipaserver/install/replicat<wbr>ion.py", line 118, in enable_replication_version_che<wbr>cking<br>    conn.do_simple_bind(bindpw=dir<wbr>man_passwd)<br>  File "/usr/lib/python2.7/site-packa<wbr>ges/ipapython/ipaldap.py", line 1665, in do_simple_bind<br>    self.__bind_with_wait(self.sim<wbr>ple_bind, timeout, binddn, bindpw)<br>  File "/usr/lib/python2.7/site-packa<wbr>ges/ipapython/ipaldap.py", line 1660, in __bind_with_wait<br>    self.__wait_for_connection(tim<wbr>eout)<br>  File "/usr/lib/python2.7/site-packa<wbr>ges/ipapython/ipaldap.py", line 1643, in __wait_for_connection<br>    wait_for_open_socket(lurl.host<wbr>port, timeout)<br>  File "/usr/lib/python2.7/site-packa<wbr>ges/ipapython/ipautil.py", line 1286, in wait_for_open_socket<br>    raise e<br>error: [Errno 111] Connection refused<br>2017-02-16T15:54:16Z DEBUG   [error] error: [Errno 111] Connection refused<br>2017-02-16T15:54:16Z DEBUG Destroyed connection context.ldap2_78478480<br>2017-02-16T15:54:16Z DEBUG   File "/usr/lib/python2.7/site-packa<wbr>ges/ipapython/admintool.py", line 171, in execute<br>    return_value = self.run()<br>  File "/usr/lib/python2.7/site-packa<wbr>ges/ipapython/install/cli.py", line 318, in run<br>    cfgr.run()<br>  File "/usr/lib/python2.7/site-packa<wbr>ges/ipapython/install/core.py"<wbr>, line 
310, in run<br>    self.execute()<br>  File "/usr/lib/python2.7/site-packa<wbr>ges/ipapython/install/core.py"<wbr>, line 332, in execute<br>    for nothing in self._executor():<br>  File "/usr/lib/python2.7/site-packa<wbr>ges/ipapython/install/core.py"<wbr>, line 372, in __runner<br>    self._handle_exception(exc_inf<wbr>o)<br>  File "/usr/lib/python2.7/site-packa<wbr>ges/ipapython/install/core.py"<wbr>, line 394, in _handle_exception<br>    six.reraise(*exc_info)<br>  File "/usr/lib/python2.7/site-packa<wbr>ges/ipapython/install/core.py"<wbr>, line 362, in __runner<br>    step()<br>  File "/usr/lib/python2.7/site-packa<wbr>ges/ipapython/install/core.py"<wbr>, line 359, in <lambda><br>    step = lambda: next(self.__gen)<br>  File "/usr/lib/python2.7/site-packa<wbr>ges/ipapython/install/util.py"<wbr>, line 81, in run_generator_with_yield_from<br>    six.reraise(*exc_info)<br>  File "/usr/lib/python2.7/site-packa<wbr>ges/ipapython/install/util.py"<wbr>, line 59, in run_generator_with_yield_from<br>    value = gen.send(prev_value)<br>  File "/usr/lib/python2.7/site-packa<wbr>ges/ipapython/install/core.py"<wbr>, line 586, in _configure<br>    next(executor)<br>  File "/usr/lib/python2.7/site-packa<wbr>ges/ipapython/install/core.py"<wbr>, line 372, in __runner<br>    self._handle_exception(exc_inf<wbr>o)<br>  File "/usr/lib/python2.7/site-packa<wbr>ges/ipapython/install/core.py"<wbr>, line 449, in _handle_exception<br>    self.__parent._handle_exceptio<wbr>n(exc_info)<br>  File "/usr/lib/python2.7/site-packa<wbr>ges/ipapython/install/core.py"<wbr>, line 394, in _handle_exception<br>    six.reraise(*exc_info)<br>  File "/usr/lib/python2.7/site-packa<wbr>ges/ipapython/install/core.py"<wbr>, line 446, in _handle_exception<br>    super(ComponentBase, self)._handle_exception(exc_in<wbr>fo)<br>  File "/usr/lib/python2.7/site-packa<wbr>ges/ipapython/install/core.py"<wbr>, line 394, in _handle_exception<br>    six.reraise(*exc_info)<br>  File 
"/usr/lib/python2.7/site-packa<wbr>ges/ipapython/install/core.py"<wbr>, line 362, in __runner<br>    step()<br>  File "/usr/lib/python2.7/site-packa<wbr>ges/ipapython/install/core.py"<wbr>, line 359, in <lambda><br>    step = lambda: next(self.__gen)<br>  File "/usr/lib/python2.7/site-packa<wbr>ges/ipapython/install/util.py"<wbr>, line 81, in run_generator_with_yield_from<br>    six.reraise(*exc_info)<br>  File "/usr/lib/python2.7/site-packa<wbr>ges/ipapython/install/util.py"<wbr>, line 59, in run_generator_with_yield_from<br>    value = gen.send(prev_value)<br>  File "/usr/lib/python2.7/site-packa<wbr>ges/ipapython/install/common.<wbr>py", line 63, in _install<br>    for nothing in self._installer(self.parent):<br>  File "/usr/lib/python2.7/site-packa<wbr>ges/ipaserver/install/server/<wbr>replicainstall.py", line 1714, in main<br>    promote(self)<br>  File "/usr/lib/python2.7/site-packa<wbr>ges/ipaserver/install/server/<wbr>replicainstall.py", line 364, in decorated<br>    func(installer)<br>  File "/usr/lib/python2.7/site-packa<wbr>ges/ipaserver/install/server/<wbr>replicainstall.py", line 1415, in promote<br>    promote=True, pkcs12_info=dirsrv_pkcs12_info<wbr>)<br>  File "/usr/lib/python2.7/site-packa<wbr>ges/ipaserver/install/server/<wbr>replicainstall.py", line 127, in install_replica_ds<br>    api=remote_api,<br>  File "/usr/lib/python2.7/site-packa<wbr>ges/ipaserver/install/dsinstan<wbr>ce.py", line 399, in create_replica<br>    self.start_creation(runtime=60<wbr>)<br>  File "/usr/lib/python2.7/site-packa<wbr>ges/ipaserver/install/service.<wbr>py", line 449, in start_creation<br>    run_step(full_msg, method)<br>  File "/usr/lib/python2.7/site-packa<wbr>ges/ipaserver/install/service.<wbr>py", line 439, in run_step<br>    method()<br>  File "/usr/lib/python2.7/site-packa<wbr>ges/ipaserver/install/dsinstan<wbr>ce.py", line 405, in __setup_replica<br>    self.dm_password)<br>  File "/usr/lib/python2.7/site-packa<wbr>ges/ipaserver/install/replicat<wbr>ion.py", 
line 118, in enable_replication_version_che<wbr>cking<br>    conn.do_simple_bind(bindpw=dir<wbr>man_passwd)<br>  File "/usr/lib/python2.7/site-packa<wbr>ges/ipapython/ipaldap.py", line 1665, in do_simple_bind<br>    self.__bind_with_wait(self.sim<wbr>ple_bind, timeout, binddn, bindpw)<br>  File "/usr/lib/python2.7/site-packa<wbr>ges/ipapython/ipaldap.py", line 1660, in __bind_with_wait<br>    self.__wait_for_connection(tim<wbr>eout)<br>  File "/usr/lib/python2.7/site-packa<wbr>ges/ipapython/ipaldap.py", line 1643, in __wait_for_connection<br>    wait_for_open_socket(lurl.host<wbr>port, timeout)<br>  File "/usr/lib/python2.7/site-packa<wbr>ges/ipapython/ipautil.py", line 1286, in wait_for_open_socket<br>    raise e<br>2017-02-16T15:54:16Z DEBUG The ipa-replica-install command failed, exception: error: [Errno 111] Connection refused<br>2017-02-16T15:54:16Z ERROR [Errno 111] Connection refused<br>2017-02-16T15:54:16Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.lo<wbr>g for more information<br></blockquote><div><br></div><div>How can I troubleshoot this? </div></div><span class="m_8555230813825615390HOEnZb"><font color="#888888"><div><br></div><div><div><br></div><div><br></div>-- <br><div class="m_8555230813825615390m_-1130432640133991243gmail_signature"><div dir="ltr">Tiemen Ruiten<br>Systems Engineer<br>R&D Media<br></div></div>
</div></font></span></div>
<br></div></div></blockquote></div><br><br clear="all"><br><br>
</div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Tiemen Ruiten<br>Systems Engineer<br>R&D Media<br></div></div>
</div>
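<p>An added example, not part of the thread and not FreeIPA code: it compares the nickname certutil names in its "Could not find cert" message with the value a shell would pass for -n if the logged args= string were pasted unquoted, which tells you whether the logged process received the nickname as one argument. It assumes the args= line is a space-joined rendering of an argument list; the sample lines are copied from the bug-report excerpt quoted above, and the function names are illustrative.</p>

```python
import re
import shlex

# Sample lines copied from the bug-report excerpt quoted in the thread.
LOG_ARGS = ("args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ "
            "-L -n EXAMPLE.COM IPA CA -a")
LOG_STDERR = ("stderr=certutil: Could not find cert: EXAMPLE.COM IPA CA\n"
              ": PR_FILE_NOT_FOUND_ERROR: File not found")
SHELL_STDERR = ("certutil: Could not find cert: EXAMPLE.COM\n"
                ": PR_FILE_NOT_FOUND_ERROR: File not found")

NOT_FOUND = re.compile(r"certutil: Could not find cert: (.*)$", re.MULTILINE)


def nickname_received(stderr_text):
    """Nickname certutil says it looked up, i.e. the -n value it was given."""
    m = NOT_FOUND.search(stderr_text)
    return m.group(1).strip() if m else None


def nickname_if_shell_split(args_line):
    """The -n value a shell would pass if the logged string were pasted as-is."""
    argv = shlex.split(args_line.split("=", 1)[1])
    return argv[argv.index("-n") + 1]


def passed_as_one_argument(args_line, stderr_text):
    """True when certutil saw more of the nickname than word splitting yields."""
    got = nickname_received(stderr_text)
    split = nickname_if_shell_split(args_line)
    return got is not None and got.startswith(split + " ")


def copy_pasteable(argv):
    """Render an argument list so that a shell reproduces it exactly."""
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    print("logged run looked up :", nickname_received(LOG_STDERR))
    print("manual run looked up :", nickname_received(SHELL_STDERR))
    print("one argument in log  :", passed_as_one_argument(LOG_ARGS, LOG_STDERR))
    argv = ["/usr/bin/certutil", "-d", "/etc/dirsrv/slapd-EXAMPLE-COM/",
            "-L", "-n", "EXAMPLE.COM IPA CA", "-a"]
    print("reproduce with       :", copy_pasteable(argv))
```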