[Freeipa-users] RHEL 7 Upgrade experience so far
Martin Kosek
mkosek at redhat.com
Mon Aug 4 11:01:47 UTC 2014
On 08/04/2014 04:45 AM, Erinn Looney-Triggs wrote:
>
>
>
>
>> Whether related or not I am getting the following in my RHEL 6.5
>> IPA instance /var/log/dirsrv/slapd-PKI-CA/debug log:
>
>> [26/Jul/2014:20:23:23 +0000] slapi_ldap_bind - Error: could not
>> send startTLS re quest: error -1 (Can't contact LDAP server) errno
>> 107 (Transport endpoint is not connected) [26/Jul/2014:20:23:23
>> +0000] NSMMReplicationPlugin - agmt="cn=masterAgreement1-i
>> pa2.example.com-pki-ca" (ipa2:7389): Replication bind with SIMPLE
>> auth failed: LD AP error -1 (Can't contact LDAP server) ((null))
>> [26/Jul/2014:20:23:37 +0000] slapi_ldap_bind - Error: could not
>> send startTLS re quest: error -1 (Can't contact LDAP server) errno
>> 107 (Transport endpoint is not connected) [26/Jul/2014:20:23:48
>> +0000] slapi_ldap_bind - Error: could not send startTLS re quest:
>> error -1 (Can't contact LDAP server) errno 107 (Transport endpoint
>> is not connected)
>
>> And these errors just continue to be logged.
>
>> When attempting to run ipa-ca-install -d on the RHEL 7 replica
>> (all other services are on there running fine) I receive the
>> following:
>
>> ipa : CRITICAL failed to configure ca instance Command
>> '/usr/sbin/pkispawn -vv -s CA -f /tmp/tmpqd0WwF' returned non-zero
>> exit status 1 ipa : DEBUG File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>
>
> line 638, in run_script
>> return_value = main_function()
>
>> File "/usr/sbin/ipa-ca-install", line 179, in main CA =
>> cainstance.install_replica_ca(config, postinstall=True)
>
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>
>
> line 1678, in install_replica_ca
>> subject_base=config.subject_base)
>
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>
>
> line 478, in configure_instance
>> self.start_creation(runtime=210)
>
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 364, in start_creation method()
>
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>
>
> line 604, in __spawn_instance
>> raise RuntimeError('Configuration of CA failed')
>
>> ipa : DEBUG The ipa-ca-install command failed,
>> exception: RuntimeError: Configuration of CA failed
>
>> Your system may be partly configured. Run
>> /usr/sbin/ipa-server-install --uninstall to clean up.
>
>> Configuration of CA failed
>
>
>> So this behavior changed after restarting the IPA service on the
>> RHEL 6.5 system.
>
>> So at this point I have a RHEL 6.5 system and a RHEL 7 replica of
>> everything except the CA. The RHEL 6.5 system, when the IPA service
>> is restarted throws an error, perhaps from schema change?
>
>> Any ideas?
>
>> -Erinn
>
>
>
> I went in and debugged this a bit further by changing the verbosity
> for nsslapd-errorlog-level. It appears that the rhel 6.5 system is
> attempting to connect to the RHEL 7 system on port 7389 and since the
> RHEL 7 system does not have the CA installed this would obviously
> fail. This leads me to believe that there is cruft in the directory
> that is pointing to the wrong place. I don't think this will fix my
> second group of errors, but how does one view the replication
> agreements specifically for the ca?
>
> As well I omitted to lines from the ipa-ca-install error which are
> probably pertinent:
>
> ERROR: Unable to access directory server: Server is unwilling to perform
>
> ipa : DEBUG stderr=
>
> -Erinn
This is strange. ipa-ca-install/ipa-replica-install --setup-ca should create
the replication agreement pointing at port 389 on RHEL-7.0, given that the 2
originally separated DS databases were merged.
It looks like this is some replication agreement left over from previous tests.
Anyway, to list all hosts with PKI, try:
# ipa-csreplica-manage list
Directory Manager password:
vm-089.idm.lab.bos.redhat.com: master
vm-086.idm.lab.bos.redhat.com: master
"master" means that this server has PKI service installed. It will show
different value if there is no PKI service.
To check PKI replication agreements for specific hostname, run:
# ipa-csreplica-manage list `hostname`
Directory Manager password:
vm-089.idm.lab.bos.redhat.com
Check "man ipa-csreplica-manage" for advise how to delete or create the PKI
agreements.
HTH,
Martin
More information about the Freeipa-users
mailing list