[389-users] Errors installing PKI Clone / chicken or egg question

Mike Mercier mmercier at gmail.com
Thu May 21 16:29:42 UTC 2009


Hello,

Note: I have cross posted this because it seems to be related to both
applications.


The steps I have taken:

1. Install fedora 10 on 2 servers (service-1, service-2)
2. run yum update on both systems
3. on service-1 and service-2
  a) yum install fedora-ds
  b) setup replication agreement for
    i) o=NetscapeRoot
    ii) userRoot
Everything at this point seems to be fine.

4. on service-1 yum install pki-ca
  a) run through setup screens
    i) Create new security domain
    ii) Configure this Instance as a New CA Subsystem
    iii) Make this a Self-Signed Root CA within this new PKI hierarchy
    iv) use 'localhost' for internal database
    v) use defaults for rest of screen (exporting pkcs12)
  b) pki-ca looks like it is running fine

5. on service-2 yum install pki-ca
  a) run through setup screens
    i) Join an Existing Security Domain (pointing to service-1:9444)
    ii) type username / password
    iii) choose to clone a system (only one option in drop down for service-1)
    iv) import keys
    v) use 'localhost' for internal database

At this point, the installation seems to hang... (see
/var/log/pki-ca/debug for what it is waiting for)

Should I not be using 'localhost' for the internal database?

An additional question:

When running through the setup for dogtag, you have the option of
using ssl for communication.  What if you want to use your dogtag CA
(which you are setting up) to sign the ldap certificate?


I have the following in my logs:

Service-1:
/var/log/dirsrv/slapd-TEST/errors
[21/May/2009:12:13:30 -0400] slapi_ldap_bind - Error: could not read
bind results for id [cn=Replication Manager
cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32
(No such object)
[21/May/2009:12:13:30 -0400] NSMMReplicationPlugin -
agmt="cn=masterAgreement1-service-2-pki-ca" (localhost:389):
Replication bind with SIMPLE auth failed: LDAP error 32 (No such
object) ()
[21/May/2009:12:13:31 -0400] slapi_ldap_bind - Error: could not read
bind results for id [cn=Replication Manager
cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32
(No such object)
[21/May/2009:12:13:31 -0400] NSMMReplicationPlugin -
agmt="cn=masterAgreement1-service-2-pki-ca" (localhost:389):
Replication bind with SIMPLE auth failed: LDAP error 32 (No such
object) ()
[21/May/2009:12:13:31 -0400] slapi_ldap_bind - Error: could not read
bind results for id [cn=Replication Manager
cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32
(No such object)
[21/May/2009:12:13:35 -0400] slapi_ldap_bind - Error: could not read
bind results for id [cn=Replication Manager
cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32
(No such object)
[21/May/2009:12:13:41 -0400] slapi_ldap_bind - Error: could not read
bind results for id [cn=Replication Manager
cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32
(No such object)
[21/May/2009:12:13:53 -0400] slapi_ldap_bind - Error: could not read
bind results for id [cn=Replication Manager
cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32
(No such object)
[21/May/2009:12:14:17 -0400] slapi_ldap_bind - Error: could not read
bind results for id [cn=Replication Manager
cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32
(No such object)

Service-2:
/var/log/dirsrv/slapd-TEST/errors
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allExpiredCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allInvalidCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
allInValidCertsNotBefore-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
allNonRevokedCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
allRevokedCaCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allRevokedCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
allRevokedCertsNotAfter-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
allRevokedExpiredCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
allRevokedOrRevokedExpiredCaCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
allRevokedOrRevokedExpiredCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allValidCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
allValidCertsNotAfter-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
allValidOrRevokedCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caAll-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caCanceled-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
caCanceledEnrollment-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
caCanceledRenewal-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
caCanceledRevocation-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caComplete-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
caCompleteEnrollment-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
caCompleteRenewal-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
caCompleteRevocation-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caEnrollment-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caPending-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV:
caPendingEnrollment-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV:
caPendingRenewal-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV:
caPendingRevocation-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caRejected-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV:
caRejectedEnrollment-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV:
caRejectedRenewal-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV:
caRejectedRevocation-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caRenewal-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caRevocation-pki-caIndex
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=certificaterepository,ou=ca,dc=pki-ca'; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=certificaterepository,ou=ca,dc=pki-ca'; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=certificaterepository,ou=ca,dc=pki-ca'; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=certificaterepository,ou=ca,dc=pki-ca'; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=certificaterepository,ou=ca,dc=pki-ca'; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=certificaterepository,ou=ca,dc=pki-ca'; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=certificaterepository,ou=ca,dc=pki-ca'; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=certificaterepository,ou=ca,dc=pki-ca'; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=certificaterepository,ou=ca,dc=pki-ca'; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=certificaterepository,ou=ca,dc=pki-ca'; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=certificaterepository,ou=ca,dc=pki-ca'; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=certificaterepository,ou=ca,dc=pki-ca'; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=certificaterepository,ou=ca,dc=pki-ca'; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=certificaterepository,ou=ca,dc=pki-ca'; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - pki-ca: Finished indexing.
[21/May/2009:12:13:30 -0400] NSMMReplicationPlugin -
agmt="cn=cloneAgreement1-service-2-pki-ca" (service-1:389): Replica
has a different generation ID than the local data.

/var/log/pki-ca/debug - this is what shows up continuously
[21/May/2009:12:21:02][http-9444-Processor25]: DatabasePanel
comparetAndWaitEntries checking ou=people,dc=pki-ca
[21/May/2009:12:21:02][http-9444-Processor25]: DatabasePanel
comparetAndWaitEntries ou=people,dc=pki-ca not found, let's wait!

Thanks,
Mike
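An added diagnostic (not part of Mike's post, nor code from the 389 Directory Server or Dogtag projects): it scans the NSMMReplicationPlugin and slapi_ldap_bind lines of a 389-ds errors log and flags three things visible in the logs above: a replication agreement whose consumer is the loopback host, a failed replication bind, and a generation-ID mismatch. The sample input is the post's own log lines re-joined onto single lines (the archive wrapped them); the loopback set and severity labels are my assumptions.

```python
import re

# Constructed sample: lines from the errors logs quoted in the post, unwrapped.
SERVICE1_ERRORS = """\
[21/May/2009:12:13:30 -0400] slapi_ldap_bind - Error: could not read bind results for id [cn=Replication Manager cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32 (No such object)
[21/May/2009:12:13:30 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-service-2-pki-ca" (localhost:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
"""
SERVICE2_ERRORS = """\
[21/May/2009:12:13:30 -0400] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-service-2-pki-ca" (service-1:389): Replica has a different generation ID than the local data.
"""

# agmt="<name>" (<host>:<port>): <message>
AGMT_RE = re.compile(r'agmt="(?P<name>[^"]+)" \((?P<host>[^:)]+):(?P<port>\d+)\): (?P<msg>.*)')
# slapi_ldap_bind - Error: ... id [<bind DN>] mech [<mech>]: error <code>
BIND_RE = re.compile(r'slapi_ldap_bind - Error: .* id \[(?P<dn>[^\]]+)\] mech \[(?P<mech>\w+)\]: error (?P<code>\d+)')

# Assumption: an agreement pointing at any of these is replicating to itself.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def audit_replication_log(text):
    """Return a list of (severity, finding) tuples for one 389-ds errors log."""
    findings = []
    seen_loopback = set()
    for line in text.splitlines():
        m = AGMT_RE.search(line)
        if m:
            name, host, msg = m["name"], m["host"], m["msg"]
            # An agreement aimed at the loopback host can never reach the other replica.
            if host in LOOPBACK and name not in seen_loopback:
                seen_loopback.add(name)
                findings.append(("HIGH", f"{name} targets {host}:{m['port']}; consumer is this server itself"))
            if "different generation ID" in msg:
                findings.append(("HIGH", f"{name}: generation ID mismatch; consumer needs re-initialisation"))
            elif "bind" in msg and "failed" in msg:
                findings.append(("MEDIUM", f"{name}: {msg.strip()}"))
            continue
        b = BIND_RE.search(line)
        if b:
            # Error 32 here means the bind DN itself does not exist on the consumer.
            findings.append(("MEDIUM", f"bind as {b['dn']} via {b['mech']} failed with LDAP error {b['code']}"))
    return findings


if __name__ == "__main__":
    for host, log in (("service-1", SERVICE1_ERRORS), ("service-2", SERVICE2_ERRORS)):
        for severity, finding in audit_replication_log(log):
            print(f"{host}: [{severity}] {finding}")
```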
