[Freeipa-users] Issue with replication install

Rob Crittenden rcritten at redhat.com
Thu Jun 2 15:08:31 UTC 2011


Uzor Ide wrote:
> Thanks Rob
>
> I did run the certutil -L -d /etc/dirsrv/slapd-PKI-IPA command; the
> nssdb is empty
> If the CA cert is supposed to exist there at that stage of install,
> then that would be the problem.
>
> Both the slapd-PKI-IPA error and access do not contain much. I
> attached them herein with the ipareplica-install.log.
>

How old is the prepared replica file, and was it created with an older 
version of IPA?

In one of the last release candidates we started creating a separate SSL 
certificate for the 389-ds instance used by dogtag. I get the feeling 
that doesn't exist which would explain why SSL is failing.

You can check by doing something like:
# gpg -d replica-info-<your-server>.gpg | tar tvf -

The file you're looking for is dogtagcert.p12

rob
>   thanks
>
> Ide
>
>
> On Wed, Jun 1, 2011 at 11:40 AM, Rob Crittenden <rcritten at redhat.com
> <mailto:rcritten at redhat.com>> wrote:
>
>     Uzor Ide wrote:
>
>
>         Hi all
>
>         We are trying to setup a backup IPA server and decided to toe that
>         replication route.
>         The box is a fedora 14 with freeipa-2.0-RC2 which I upgraded to
>         fedora
>         15 and freeipa 2.0.1.
>         Note we first did ipa-server-install --uninstall before
>         upgrading the
>         freeipa packages so as to make sure that the server is
>         relatively clean.
>
>         However when I run that ipa-replica-install command, I end up
>         with the
>         following error in the ipareplica-install.log
>
>         2011-05-31 23:54:33,352 DEBUG args=/sbin/service dirsrv restart
>         PKI-IPA
>         2011-05-31 23:54:33,353 DEBUG stdout=Shutting down dirsrv:
>              PKI-IPA...[  OK  ]
>         Starting dirsrv:
>              PKI-IPA...[FAILED]
>            *** Warning: 1 instance(s) failed to start
>
>         2011-05-31 23:54:33,354 DEBUG stderr=[31/May/2011:23:54:23
>         -0400] - SSL
>         alert: Security Initialization: Unable to authenticate (Netscape
>         Portable Runtime error -8192 - An I/O error occurred during security
>         authorization.)
>         [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed.
>
>         2011-05-31 23:54:33,497 DEBUG args=/sbin/service dirsrv status
>         2011-05-31 23:54:33,500 DEBUG stdout=dirsrv PKI-IPA is stopped
>
>         2011-05-31 23:54:33,501 DEBUG stderr=
>         2011-05-31 23:54:33,502 CRITICAL Failed to restart the directory
>         server.
>         See the installation log for details.
>
>         These are the tomcat rpms on the server
>
>         tomcat5-servlet-2.4-api-5.5.31-3.fc15.noarch
>         tomcat6-jsp-2.1-api-6.0.30-6.fc15.noarch
>         tomcat6-6.0.30-6.fc15.noarch
>         tomcat6-servlet-2.5-api-6.0.30-6.fc15.noarch
>         tomcat6-lib-6.0.30-6.fc15.noarch
>         tomcat6-el-2.1-api-6.0.30-6.fc15.noarch
>         tomcatjss-2.1.1-1.fc15.noarch
>
>         So the tomcat6 version is definitely greater than tomcat6-6-0.30-5.
>
>         The /var/log/dirsrv/slapd-PKI-IPA/errors logs does not show any
>         other
>         thing different from same,
>
>         [31/May/2011:23:54:23 -0400] - SSL alert: Security Initialization:
>         Unable to authenticate (Netscape Portable Runtime error -8192 -
>         An I/O
>         error occurred during security authorization.)
>         [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed
>
>
>         Any help will be greatly appreciated
>
>         Ide
>
>
>     I think we need more context. Can you compress and send
>     /var/log/ipareplica-install.log ?
>
>     I'd also suggest looking at /var/log/dirsrv/PKI-IPA/access and
>     errors to see if there is anything interesting there.
>
>     And can you provide the output for:
>
>     certutil -L -d /etc/dirsrv/slapd-PKI-IPA
>
>     It would seem that your 389-ds instance is missing a copy of the CA
>     cert.
>
>     thanks
>
>     rob
>
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
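
The check suggested in the reply above (list the contents of the decrypted replica file and look for dogtagcert.p12), as an added example that is not part of the original thread or of FreeIPA itself. The function names and exit codes are assumptions made for this sketch; only the `gpg -d` pipeline and the file name dogtagcert.p12 come from the message.

```shell
#!/bin/sh
# Added example: pre-flight check of a prepared replica file before
# running ipa-replica-install. Not FreeIPA code; names are hypothetical.

# Read a tar archive on stdin and print every required file name
# (given as arguments) that is absent from it. Members are matched by
# basename, so the directory layout inside the archive does not matter.
# Returns 0 if everything is present, 1 if something is missing,
# 2 if stdin is empty or not a readable tar archive.
replica_missing_files() {
    listing=$(tar tf - 2>/dev/null) || return 2
    [ -n "$listing" ] || return 2
    missing=0
    for want in "$@"; do
        # Strip leading directories, then compare whole names literally.
        if ! printf '%s\n' "$listing" | sed 's|.*/||' | grep -Fxq -- "$want"; then
            printf '%s\n' "$want"
            missing=1
        fi
    done
    return "$missing"
}

# Decrypt the replica file as in the message above and check that the
# separate 389-ds certificate for the dogtag instance is included.
# $1 is the path to replica-info-<your-server>.gpg; gpg prompts for the
# passphrase chosen when the replica file was prepared.
check_replica_file() {
    gpg -d "$1" | replica_missing_files dogtagcert.p12
}
```

A non-empty result from `check_replica_file` means the replica file lacks dogtagcert.p12, which is the condition the reply above suspects is behind the SSL initialization failure.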



