[Freeipa-users] ipa-replica-install fails at CA setup

Qing Chang tmpchq at gmail.com
Wed Apr 29 18:17:06 UTC 2015


ipareplica-install is big, following starts at around step 34/35 for
directory server config (see
red lines), and then CA setup stopped at second step. Relevant logs in error
and access are
attached too. It appears at the time when CA setup needed access to dirsrv, it
was down?
----- ipareplica-install log -----
2015-04-29T13:40:03Z DEBUG Final value after applying updates
2015-04-29T13:40:03Z DEBUG dn: cn=groups,cn=Schema
Compatibility,cn=plugins,cn=config
2015-04-29T13:40:03Z DEBUG schema-compat-entry-attribute:
2015-04-29T13:40:03Z DEBUG     objectclass=posixGroup
2015-04-29T13:40:03Z DEBUG     gidNumber=%{gidNumber}
2015-04-29T13:40:03Z DEBUG     memberUid=%{memberUid}
2015-04-29T13:40:03Z DEBUG     memberUid=%deref_r("member","uid")
2015-04-29T13:40:03Z DEBUG
%ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","")
2015-04-29T13:40:03Z DEBUG
%ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:mr.ric:%{ipauniqueid}","")
2015-04-29T13:40:03Z DEBUG     ipaanchoruuid=%{ipaanchoruuid}
2015-04-29T13:40:03Z DEBUG
%ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","")
2015-04-29T13:40:03Z DEBUG cn:
2015-04-29T13:40:03Z DEBUG     groups
2015-04-29T13:40:03Z DEBUG objectClass:
2015-04-29T13:40:03Z DEBUG     top
2015-04-29T13:40:03Z DEBUG     extensibleObject
2015-04-29T13:40:03Z DEBUG schema-compat-search-filter:
2015-04-29T13:40:03Z DEBUG     objectclass=posixGroup
2015-04-29T13:40:03Z DEBUG schema-compat-container-rdn:
2015-04-29T13:40:03Z DEBUG     cn=groups
2015-04-29T13:40:03Z DEBUG schema-compat-entry-rdn:
2015-04-29T13:40:03Z DEBUG     cn=%{cn}
2015-04-29T13:40:03Z DEBUG schema-compat-search-base:
2015-04-29T13:40:03Z DEBUG     cn=groups, cn=accounts, dc=mr,dc=ric
2015-04-29T13:40:03Z DEBUG schema-compat-container-group:
2015-04-29T13:40:03Z DEBUG     cn=compat, dc=mr,dc=ric
2015-04-29T13:40:03Z DEBUG   duration: 1 seconds
2015-04-29T13:40:03Z DEBUG   [34/35]: tuning directory server
2015-04-29T13:40:04Z DEBUG Starting external process
2015-04-29T13:40:04Z DEBUG args='/usr/sbin/selinuxenabled'
2015-04-29T13:40:04Z DEBUG Process finished, return code=0
2015-04-29T13:40:04Z DEBUG stdout=
2015-04-29T13:40:04Z DEBUG stderr=
2015-04-29T13:40:04Z DEBUG Starting external process
2015-04-29T13:40:04Z DEBUG args='/sbin/restorecon'
'/etc/sysconfig/dirsrv.systemd'
2015-04-29T13:40:04Z DEBUG Process finished, return code=0
2015-04-29T13:40:04Z DEBUG stdout=
2015-04-29T13:40:04Z DEBUG stderr=
2015-04-29T13:40:04Z DEBUG Starting external process
2015-04-29T13:40:04Z DEBUG args='/bin/systemctl' '--system' 'daemon-reload'
2015-04-29T13:40:04Z DEBUG Process finished, return code=0
2015-04-29T13:40:04Z DEBUG stdout=
2015-04-29T13:40:04Z DEBUG stderr=
2015-04-29T13:40:04Z DEBUG Starting external process
2015-04-29T13:40:04Z DEBUG args='/bin/systemctl' 'restart'
'dirsrv@MR-RIC.service'
2015-04-29T13:40:06Z DEBUG Process finished, return code=0
2015-04-29T13:40:06Z DEBUG stdout=
2015-04-29T13:40:06Z DEBUG stderr=
2015-04-29T13:40:06Z DEBUG Starting external process
2015-04-29T13:40:06Z DEBUG args='/bin/systemctl' 'is-active'
'dirsrv@MR-RIC.service'
2015-04-29T13:40:06Z DEBUG Process finished, return code=0
2015-04-29T13:40:06Z DEBUG stdout=active

2015-04-29T13:40:06Z DEBUG stderr=
2015-04-29T13:40:06Z DEBUG wait_for_open_ports: localhost [389] timeout 300
2015-04-29T13:40:10Z DEBUG Starting external process
2015-04-29T13:40:10Z DEBUG args='/bin/systemctl' 'is-active'
'dirsrv@MR-RIC.service'
2015-04-29T13:40:10Z DEBUG Process finished, return code=0
2015-04-29T13:40:10Z DEBUG stdout=active

2015-04-29T13:40:10Z DEBUG stderr=
2015-04-29T13:40:10Z DEBUG Starting external process
2015-04-29T13:40:10Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f'
'/tmp/tmpH_pfpG' '-H' 'ldap://mripa2.mr.ric:389' '-x' '-D' 'cn=Directory
Manager' '-y' '/tmp/tmpqvAwmY'
2015-04-29T13:40:10Z DEBUG Process finished, return code=0
2015-04-29T13:40:10Z DEBUG stdout=replace nsslapd-maxdescriptors:
    8192
replace nsslapd-reservedescriptors:
    64
modifying entry "cn=config"
modify complete


2015-04-29T13:40:10Z DEBUG stderr=ldap_initialize(
ldap://mripa2.mr.ric:389/??base )

2015-04-29T13:40:10Z DEBUG   duration: 6 seconds
2015-04-29T13:40:10Z DEBUG   [35/35]: configuring directory to start on boot
2015-04-29T13:40:10Z DEBUG Starting external process
2015-04-29T13:40:10Z DEBUG args='/bin/systemctl' 'is-enabled'
'dirsrv@MR-RIC.service'
2015-04-29T13:40:10Z DEBUG Process finished, return code=0
2015-04-29T13:40:10Z DEBUG stdout=enabled

2015-04-29T13:40:10Z DEBUG stderr=
2015-04-29T13:40:10Z DEBUG Saving StateFile to
'/var/lib/ipa/sysrestore/sysrestore.state'
2015-04-29T13:40:10Z DEBUG Starting external process
2015-04-29T13:40:10Z DEBUG args='/bin/systemctl' 'disable'
'dirsrv@MR-RIC.service'
2015-04-29T13:40:11Z DEBUG Process finished, return code=0
2015-04-29T13:40:11Z DEBUG stdout=
2015-04-29T13:40:11Z DEBUG stderr=rm
'/etc/systemd/system/dirsrv.target.wants/dirsrv@MR-RIC.service'

2015-04-29T13:40:11Z DEBUG   duration: 0 seconds
2015-04-29T13:40:11Z DEBUG Done configuring directory server (dirsrv).
2015-04-29T13:40:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2015-04-29T13:40:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2015-04-29T13:40:11Z DEBUG Configuring certificate server (pki-tomcatd):
Estimated time 3 minutes 30 seconds
2015-04-29T13:40:11Z DEBUG   [1/22]: creating certificate server user
2015-04-29T13:40:11Z DEBUG group pkiuser exists
2015-04-29T13:40:11Z DEBUG user pkiuser exists
2015-04-29T13:40:11Z DEBUG   duration: 0 seconds
2015-04-29T13:40:11Z DEBUG   [2/22]: configuring certificate server instance
2015-04-29T13:40:11Z DEBUG Contents of pkispawn configuration file
(/tmp/tmpaUGoKX):
[CA]
pki_security_domain_name = IPA
pki_enable_proxy = True
pki_restart_configured_instance = False
pki_backup_keys = True
pki_backup_password = XXXXXXXX
pki_client_database_dir = /tmp/tmp-RwhQYk
pki_client_database_password = XXXXXXXX
pki_client_database_purge = False
pki_client_pkcs12_password = XXXXXXXX
pki_admin_name = admin
pki_admin_uid = admin
pki_admin_email = root@localhost
pki_admin_password = XXXXXXXX
pki_admin_nickname = ipa-ca-agent
pki_admin_subject_dn = cn=ipa-ca-agent,O=MR.RIC
pki_client_admin_cert_p12 = /root/ca-agent.p12
pki_ds_ldap_port = 389
pki_ds_password = XXXXXXXX
pki_ds_base_dn = o=ipaca
pki_ds_database = ipaca
pki_subsystem_subject_dn = cn=CA Subsystem,O=MR.RIC
pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=MR.RIC
pki_ssl_server_subject_dn = cn=mripa2.mr.ric,O=MR.RIC
pki_audit_signing_subject_dn = cn=CA Audit,O=MR.RIC
pki_ca_signing_subject_dn = cn=Certificate Authority,O=MR.RIC
pki_subsystem_nickname = subsystemCert cert-pki-ca
pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
pki_ssl_server_nickname = Server-Cert cert-pki-ca
pki_audit_signing_nickname = auditSigningCert cert-pki-ca
pki_ca_signing_nickname = caSigningCert cert-pki-ca
pki_ca_signing_key_algorithm = SHA256withRSA
pki_security_domain_hostname = mripa1.mr.ric
pki_security_domain_https_port = 443
pki_security_domain_user = admin
pki_security_domain_password = XXXXXXXX
pki_clone = True
pki_clone_pkcs12_path = /tmp/ca.p12
pki_clone_pkcs12_password = XXXXXXXX
pki_clone_replication_security = TLS
pki_clone_replication_master_port = 389
pki_clone_replication_clone_port = 389
pki_clone_replicate_schema = False
pki_clone_uri = https://mripa1.mr.ric:443


2015-04-29T13:40:11Z DEBUG Saving StateFile to
'/var/lib/ipa/sysrestore/sysrestore.state'
2015-04-29T13:40:11Z DEBUG Starting external process
2015-04-29T13:40:11Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
'/tmp/tmpaUGoKX'
2015-04-29T13:40:51Z DEBUG Process finished, return code=1
2015-04-29T13:40:51Z DEBUG stdout=Loading deployment configuration from
/tmp/tmpaUGoKX.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

Installation failed.


2015-04-29T13:40:51Z DEBUG stderr=pkispawn    : ERROR    ....... Exception
from Java Configuration Servlet: Error in populating database: Could not
connect to LDAP server host mripa2.mr.ric port 389 Error
netscape.ldap.LDAPException: failed to connect to
server ldap://mripa2.mr.ric:389 (91)

2015-04-29T13:40:51Z CRITICAL failed to configure ca instance Command
''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpaUGoKX'' returned non-zero
exit status 1
2015-04-29T13:40:51Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 382, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 372, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 673, in __spawn_instance
    raise RuntimeError('Configuration of CA failed')
RuntimeError: Configuration of CA failed

2015-04-29T13:40:51Z DEBUG   [error] RuntimeError: Configuration of CA
failed
2015-04-29T13:40:51Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line
646, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-replica-install", line 703, in main
    CA = cainstance.install_replica_ca(config)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 1869, in install_replica_ca
    subject_base=config.subject_base)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 520, in configure_instance
    self.start_creation(runtime=210)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 382, in start_creation
    run_step(full_msg, method)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 372, in run_step
    method()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 673, in __spawn_instance
    raise RuntimeError('Configuration of CA failed')

2015-04-29T13:40:51Z DEBUG The ipa-replica-install command failed,
exception: RuntimeError: Configuration of CA failed
-----
----- error log -----
[29/Apr/2015:09:39:26 -0400] - WARNING: Import is running with
nsslapd-db-private-import-mem on; No other process is allowed to access the
database
[29/Apr/2015:09:39:26 -0400] - check_and_set_import_cache: pagesize: 4096,
pages: 471119, procpages: 54357
[29/Apr/2015:09:39:26 -0400] - Import allocates 753788KB import cache.
[29/Apr/2015:09:39:27 -0400] - import userRoot: Beginning import job...
[29/Apr/2015:09:39:27 -0400] - import userRoot: Index buffering enabled
with bucket size 100
[29/Apr/2015:09:39:28 -0400] - import userRoot: Processing file
"/var/lib/dirsrv/boot.ldif"
[29/Apr/2015:09:39:28 -0400] - import userRoot: Finished scanning file
"/var/lib/dirsrv/boot.ldif" (1 entries)
[29/Apr/2015:09:39:28 -0400] - import userRoot: Workers finished; cleaning
up...
[29/Apr/2015:09:39:28 -0400] - import userRoot: Workers cleaned up.
[29/Apr/2015:09:39:28 -0400] - import userRoot: Cleaning up producer
thread...
[29/Apr/2015:09:39:29 -0400] - import userRoot: Indexing complete.
Post-processing...
[29/Apr/2015:09:39:29 -0400] - import userRoot: Generating numsubordinates
(this may take several minutes to complete)...
[29/Apr/2015:09:39:29 -0400] - import userRoot: Generating numSubordinates
complete.
[29/Apr/2015:09:39:29 -0400] - import userRoot: Gathering ancestorid
non-leaf IDs...
[29/Apr/2015:09:39:29 -0400] - import userRoot: Finished gathering
ancestorid non-leaf IDs.
[29/Apr/2015:09:39:29 -0400] - Nothing to do to build ancestorid index
[29/Apr/2015:09:39:29 -0400] - import userRoot: Created ancestorid index
(new idl).
[29/Apr/2015:09:39:29 -0400] - import userRoot: Flushing caches...
[29/Apr/2015:09:39:29 -0400] - import userRoot: Closing files...
[29/Apr/2015:09:39:29 -0400] - All database threads now stopped
[29/Apr/2015:09:39:29 -0400] - import userRoot: Import complete.  Processed
1 entries in 2 seconds. (0.50 entries/sec)
[29/Apr/2015:09:39:31 -0400] - 389-Directory/1.3.3.1 B2015.118.1941
starting up
[29/Apr/2015:09:39:31 -0400] - 389-Directory/1.3.3.1 B2015.118.1941
starting up
[29/Apr/2015:09:39:31 -0400] - Db home directory is not set. Possibly
nsslapd-directory (optionally nsslapd-db-home-directory) is missing in the
config file.
[29/Apr/2015:09:39:31 -0400] - I'm resizing my cache now...cache was
771878912 and is now 6400000
[29/Apr/2015:09:39:32 -0400] - slapd started.  Listening on All Interfaces
port 389 for LDAP requests
[29/Apr/2015:09:39:33 -0400] - The change of nsslapd-ldapilisten will not
take effect until the server is restarted
[29/Apr/2015:09:39:36 -0400] - Warning: Adding configuration attribute
"nsslapd-security"
[29/Apr/2015:09:39:37 -0400] - slapd shutting down - signaling operation
threads - op stack size 2 max work q size 1 max work q stack size 1
[29/Apr/2015:09:39:37 -0400] - slapd shutting down - waiting for 29 threads
to terminate
[29/Apr/2015:09:39:37 -0400] - slapd shutting down - closing down internal
subsystems and plugins
[29/Apr/2015:09:39:37 -0400] - Waiting for 4 database threads to stop
[29/Apr/2015:09:39:38 -0400] - All database threads now stopped
[29/Apr/2015:09:39:38 -0400] - slapd shutting down - freed 1 work q stack
objects - freed 2 op stack objects
[29/Apr/2015:09:39:38 -0400] - slapd stopped.
[29/Apr/2015:09:39:40 -0400] SSL Initialization - Configured SSL version
range: min: TLS1.0, max: TLS1.2
[29/Apr/2015:09:39:40 -0400] - SSL alert: Configured NSS Ciphers
[29/Apr/2015:09:39:40 -0400] - SSL alert:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[29/Apr/2015:09:39:40 -0400] - SSL alert:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[29/Apr/2015:09:39:40 -0400] - SSL alert:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[29/Apr/2015:09:39:40 -0400] - SSL alert:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[29/Apr/2015:09:39:40 -0400] - SSL alert:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[29/Apr/2015:09:39:40 -0400] - SSL alert:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
[29/Apr/2015:09:39:40 -0400] - SSL alert:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[29/Apr/2015:09:39:40 -0400] - SSL alert:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[29/Apr/2015:09:39:40 -0400] - SSL alert:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[29/Apr/2015:09:39:40 -0400] - SSL alert:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[29/Apr/2015:09:39:40 -0400] - SSL alert:
TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
[29/Apr/2015:09:39:40 -0400] - SSL alert:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[29/Apr/2015:09:39:40 -0400] - SSL alert:
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[29/Apr/2015:09:39:41 -0400] - SSL alert:
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled
[29/Apr/2015:09:39:41 -0400] - SSL alert:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[29/Apr/2015:09:39:41 -0400] - SSL alert:
TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
[29/Apr/2015:09:39:41 -0400] - SSL alert:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[29/Apr/2015:09:39:41 -0400] - SSL alert:
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[29/Apr/2015:09:39:41 -0400] - SSL alert:
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled
[29/Apr/2015:09:39:41 -0400] - SSL alert:
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled
[29/Apr/2015:09:39:41 -0400] - SSL alert:
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled
[29/Apr/2015:09:39:41 -0400] - SSL alert:
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled
[29/Apr/2015:09:39:41 -0400] - SSL alert:
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled
[29/Apr/2015:09:39:41 -0400] - SSL alert:
TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[29/Apr/2015:09:39:41 -0400] - SSL alert:     TLS_RSA_WITH_AES_128_CBC_SHA:
enabled
[29/Apr/2015:09:39:41 -0400] - SSL alert:
TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[29/Apr/2015:09:39:41 -0400] - SSL alert:
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[29/Apr/2015:09:39:41 -0400] - SSL alert:     TLS_RSA_WITH_AES_256_CBC_SHA:
enabled
[29/Apr/2015:09:39:41 -0400] - SSL alert:
TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[29/Apr/2015:09:39:41 -0400] - SSL alert:
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[29/Apr/2015:09:39:41 -0400] - SSL alert:     TLS_RSA_WITH_SEED_CBC_SHA:
enabled
[29/Apr/2015:09:39:41 -0400] - 389-Directory/1.3.3.1 B2015.118.1941
starting up
[29/Apr/2015:09:39:41 -0400] - I'm resizing my cache now...cache was
6400000 and is now 5120000
[29/Apr/2015:09:39:42 -0400] attrcrypt - No symmetric key found for cipher
AES in backend userRoot, attempting to create one...
[29/Apr/2015:09:39:42 -0400] attrcrypt - Key for cipher AES successfully
generated and stored
[29/Apr/2015:09:39:42 -0400] attrcrypt - No symmetric key found for cipher
3DES in backend userRoot, attempting to create one...
[29/Apr/2015:09:39:42 -0400] attrcrypt - Key for cipher 3DES successfully
generated and stored
[29/Apr/2015:09:39:42 -0400] ipalockout_get_global_config - [file
ipa_lockout.c, line 185]: Failed to get default realm (-1765328160)
[29/Apr/2015:09:39:42 -0400] ipaenrollment_start - [file ipa_enrollment.c,
line 393]: Failed to get default realm?!
[29/Apr/2015:09:39:43 -0400] - slapd started.  Listening on All Interfaces
port 389 for LDAP requests
[29/Apr/2015:09:39:43 -0400] - Listening on All Interfaces port 636 for
LDAPS requests
[29/Apr/2015:09:39:43 -0400] - Listening on /var/run/slapd-MR-RIC.socket
for LDAPI requests
[29/Apr/2015:09:39:44 -0400] - slapd shutting down - signaling operation
threads - op stack size 1 max work q size 1 max work q stack size 1
[29/Apr/2015:09:39:44 -0400] - slapd shutting down - waiting for 27 threads
to terminate
[29/Apr/2015:09:39:44 -0400] - slapd shutting down - closing down internal
subsystems and plugins
[29/Apr/2015:09:39:44 -0400] - Waiting for 4 database threads to stop
[29/Apr/2015:09:39:45 -0400] - All database threads now stopped
[29/Apr/2015:09:39:45 -0400] - slapd shutting down - freed 1 work q stack
objects - freed 1 op stack objects
[29/Apr/2015:09:39:45 -0400] - slapd stopped.
[29/Apr/2015:09:39:46 -0400] SSL Initialization - Configured SSL version
range: min: TLS1.0, max: TLS1.2
[29/Apr/2015:09:39:46 -0400] - SSL alert: Configured NSS Ciphers
[29/Apr/2015:09:39:46 -0400] - SSL alert:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[29/Apr/2015:09:39:46 -0400] - SSL alert:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[29/Apr/2015:09:39:46 -0400] - SSL alert:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[29/Apr/2015:09:39:46 -0400] - SSL alert:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[29/Apr/2015:09:39:46 -0400] - SSL alert:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[29/Apr/2015:09:39:46 -0400] - SSL alert:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
[29/Apr/2015:09:39:47 -0400] - SSL alert:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[29/Apr/2015:09:39:47 -0400] - SSL alert:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[29/Apr/2015:09:39:47 -0400] - SSL alert:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[29/Apr/2015:09:39:47 -0400] - SSL alert:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[29/Apr/2015:09:39:47 -0400] - SSL alert:
TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
[29/Apr/2015:09:39:47 -0400] - SSL alert:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[29/Apr/2015:09:39:47 -0400] - SSL alert:
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[29/Apr/2015:09:39:47 -0400] - SSL alert:
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled
[29/Apr/2015:09:39:47 -0400] - SSL alert:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[29/Apr/2015:09:39:47 -0400] - SSL alert:
TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
[29/Apr/2015:09:39:47 -0400] - SSL alert:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[29/Apr/2015:09:39:47 -0400] - SSL alert:
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[29/Apr/2015:09:39:47 -0400] - SSL alert:
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled
[29/Apr/2015:09:39:47 -0400] - SSL alert:
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled
[29/Apr/2015:09:39:47 -0400] - SSL alert:
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled
[29/Apr/2015:09:39:47 -0400] - SSL alert:
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled
[29/Apr/2015:09:39:47 -0400] - SSL alert:
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled
[29/Apr/2015:09:39:47 -0400] - SSL alert:
TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[29/Apr/2015:09:39:47 -0400] - SSL alert:     TLS_RSA_WITH_AES_128_CBC_SHA:
enabled
[29/Apr/2015:09:39:47 -0400] - SSL alert:
TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[29/Apr/2015:09:39:47 -0400] - SSL alert:
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[29/Apr/2015:09:39:47 -0400] - SSL alert:     TLS_RSA_WITH_AES_256_CBC_SHA:
enabled
[29/Apr/2015:09:39:47 -0400] - SSL alert:
TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[29/Apr/2015:09:39:48 -0400] - SSL alert:
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[29/Apr/2015:09:39:48 -0400] - SSL alert:     TLS_RSA_WITH_SEED_CBC_SHA:
enabled
[29/Apr/2015:09:39:48 -0400] - 389-Directory/1.3.3.1 B2015.118.1941
starting up
[29/Apr/2015:09:39:48 -0400] - I'm resizing my cache now...cache was
5120000 and is now 4096000
[29/Apr/2015:09:39:48 -0400] ipalockout_get_global_config - [file
ipa_lockout.c, line 185]: Failed to get default realm (-1765328160)
[29/Apr/2015:09:39:48 -0400] ipaenrollment_start - [file ipa_enrollment.c,
line 393]: Failed to get default realm?!
[29/Apr/2015:09:39:48 -0400] - slapd started.  Listening on All Interfaces
port 389 for LDAP requests
[29/Apr/2015:09:39:48 -0400] - Listening on All Interfaces port 636 for
LDAPS requests
[29/Apr/2015:09:39:48 -0400] - Listening on /var/run/slapd-MR-RIC.socket
for LDAPI requests
[29/Apr/2015:09:39:50 -0400] NSMMReplicationPlugin -
agmt="cn=meTomripa1.mr.ric" (mripa1:389): The remote replica has a
different database generation ID than the local database.  You may have to
reinitialize the remote replica, or the local replica.
[29/Apr/2015:09:39:51 -0400] NSMMReplicationPlugin -
multimaster_be_state_change: replica dc=mr,dc=ric is going offline;
disabling replication
[29/Apr/2015:09:39:52 -0400] - WARNING: Import is running with
nsslapd-db-private-import-mem on; No other process is allowed to access the
database
[29/Apr/2015:09:39:55 -0400] - import userRoot: Workers finished; cleaning
up...
[29/Apr/2015:09:39:55 -0400] - import userRoot: Workers cleaned up.
[29/Apr/2015:09:39:55 -0400] - import userRoot: Indexing complete.
Post-processing...
[29/Apr/2015:09:39:55 -0400] - import userRoot: Generating numsubordinates
(this may take several minutes to complete)...
[29/Apr/2015:09:39:55 -0400] - import userRoot: Generating numSubordinates
complete.
[29/Apr/2015:09:39:55 -0400] - import userRoot: Gathering ancestorid
non-leaf IDs...
[29/Apr/2015:09:39:55 -0400] - import userRoot: Finished gathering
ancestorid non-leaf IDs.
[29/Apr/2015:09:39:55 -0400] - import userRoot: Creating ancestorid index
(new idl)...
[29/Apr/2015:09:39:56 -0400] - import userRoot: Created ancestorid index
(new idl).
[29/Apr/2015:09:39:56 -0400] - import userRoot: Flushing caches...
[29/Apr/2015:09:39:56 -0400] - import userRoot: Closing files...
[29/Apr/2015:09:39:57 -0400] - import userRoot: Import complete.  Processed
422 entries in 5 seconds. (84.40 entries/sec)
[29/Apr/2015:09:39:57 -0400] NSMMReplicationPlugin -
multimaster_be_state_change: replica dc=mr,dc=ric is coming online;
enabling replication
[29/Apr/2015:09:39:57 -0400] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=mr,dc=ric--no CoS Templates found, which should be
added before the CoS Definition.
[29/Apr/2015:09:39:57 -0400] NSACLPlugin - The ACL target
cn=keys,cn=sec,cn=dns,dc=mr,dc=ric does not exist
[29/Apr/2015:09:39:58 -0400] NSACLPlugin - The ACL target
cn=groups,cn=compat,dc=mr,dc=ric does not exist
[29/Apr/2015:09:39:58 -0400] NSACLPlugin - The ACL target
cn=computers,cn=compat,dc=mr,dc=ric does not exist
[29/Apr/2015:09:39:58 -0400] NSACLPlugin - The ACL target
cn=ng,cn=compat,dc=mr,dc=ric does not exist
[29/Apr/2015:09:39:58 -0400] NSACLPlugin - The ACL target
ou=sudoers,dc=mr,dc=ric does not exist
[29/Apr/2015:09:39:58 -0400] NSACLPlugin - The ACL target
cn=users,cn=compat,dc=mr,dc=ric does not exist
[29/Apr/2015:09:39:58 -0400] NSACLPlugin - The ACL target cn=casigningcert
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=mr,dc=ric does not exist
[29/Apr/2015:09:39:58 -0400] NSACLPlugin - The ACL target cn=casigningcert
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=mr,dc=ric does not exist
[29/Apr/2015:09:40:03 -0400] - slapd shutting down - signaling operation
threads - op stack size 3 max work q size 1 max work q stack size 1
[29/Apr/2015:09:40:03 -0400] - slapd shutting down - waiting for 22 threads
to terminate
[29/Apr/2015:09:40:03 -0400] - slapd shutting down - closing down internal
subsystems and plugins
[29/Apr/2015:09:40:04 -0400] NSMMReplicationPlugin -
agmt="cn=meTomripa1.mr.ric" (mripa1:389): Warning: Attempting to release
replica, but unable to receive endReplication extended
 operation response from the replica. Error -5 (Timed out)
[29/Apr/2015:09:40:04 -0400] - Waiting for 4 database threads to stop
[29/Apr/2015:09:40:04 -0400] - All database threads now stopped
[29/Apr/2015:09:40:04 -0400] - slapd shutting down - freed 1 work q stack
objects - freed 3 op stack objects
[29/Apr/2015:09:40:04 -0400] - slapd stopped.
[29/Apr/2015:09:40:06 -0400] SSL Initialization - Configured SSL version
range: min: TLS1.0, max: TLS1.2
[29/Apr/2015:09:40:06 -0400] - SSL alert: Configured NSS Ciphers
[29/Apr/2015:09:40:06 -0400] - SSL alert:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[29/Apr/2015:09:40:06 -0400] - SSL alert:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[29/Apr/2015:09:40:06 -0400] - SSL alert:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert:
TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert:
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert:
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert:
TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert:
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert:
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert:
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert:
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert:
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert:
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert:
TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert:     TLS_RSA_WITH_AES_128_CBC_SHA:
enabled
[29/Apr/2015:09:40:08 -0400] - SSL alert:
TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[29/Apr/2015:09:40:08 -0400] - SSL alert:
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[29/Apr/2015:09:40:08 -0400] - SSL alert:     TLS_RSA_WITH_AES_256_CBC_SHA:
enabled
[29/Apr/2015:09:40:08 -0400] - SSL alert:
TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[29/Apr/2015:09:40:08 -0400] - SSL alert:
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[29/Apr/2015:09:40:08 -0400] - SSL alert:     TLS_RSA_WITH_SEED_CBC_SHA:
enabled
[29/Apr/2015:09:40:08 -0400] - 389-Directory/1.3.3.1 B2015.118.1941
starting up
[29/Apr/2015:09:40:08 -0400] - I'm resizing my cache now...cache was
10240000 and is now 3276800
[29/Apr/2015:09:40:09 -0400] schema-compat-plugin - warning: no entries set
up under cn=computers, cn=compat,dc=mr,dc=ric
[29/Apr/2015:09:40:09 -0400] schema-compat-plugin - no RDN for
ipauniqueid=f0186aa0-eab1-11e4-b498-000c29fa12eb,cn=sudorules,cn=sudo,dc=mr,dc=ric,
unsetting domain/map/id
"ou=sudoers,dc=mr,dc=ric"/""/("ipauniqueid=f0186aa0-eab1-11e4-b498-000c29fa12eb,cn=sudorules,cn=sudo,dc=mr,dc=ric")
[29/Apr/2015:09:40:09 -0400] schema-compat-plugin - warning: no entries set
up under ou=sudoers,dc=mr,dc=ric
[29/Apr/2015:09:40:09 -0400] NSACLPlugin - The ACL target
cn=keys,cn=sec,cn=dns,dc=mr,dc=ric does not exist
[29/Apr/2015:09:40:09 -0400] NSACLPlugin - The ACL target
cn=groups,cn=compat,dc=mr,dc=ric does not exist
[29/Apr/2015:09:40:09 -0400] NSACLPlugin - The ACL target
cn=computers,cn=compat,dc=mr,dc=ric does not exist
[29/Apr/2015:09:40:09 -0400] NSACLPlugin - The ACL target
cn=ng,cn=compat,dc=mr,dc=ric does not exist
[29/Apr/2015:09:40:09 -0400] NSACLPlugin - The ACL target
ou=sudoers,dc=mr,dc=ric does not exist
[29/Apr/2015:09:40:09 -0400] NSACLPlugin - The ACL target
cn=users,cn=compat,dc=mr,dc=ric does not exist
[29/Apr/2015:09:40:09 -0400] NSACLPlugin - The ACL target cn=casigningcert
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=mr,dc=ric does not exist
[29/Apr/2015:09:40:09 -0400] NSACLPlugin - The ACL target cn=casigningcert
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=mr,dc=ric does not exist
[29/Apr/2015:09:40:09 -0400] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=mr,dc=ric--no CoS Templates found, which should be
added before the CoS Definition.
[29/Apr/2015:09:40:09 -0400] ipalockout_get_global_config - [file
ipa_lockout.c, line 185]: Failed to get default realm (-1765328160)
[29/Apr/2015:09:40:09 -0400] ipaenrollment_start - [file ipa_enrollment.c,
line 393]: Failed to get default realm?!
[29/Apr/2015:09:40:10 -0400] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=mr,dc=ric--no CoS Templates found, which should be
added before the CoS Definition.
[29/Apr/2015:09:40:10 -0400] - slapd started.  Listening on All Interfaces
port 389 for LDAP requests
[29/Apr/2015:09:40:10 -0400] - Listening on All Interfaces port 636 for
LDAPS requests
[29/Apr/2015:09:40:10 -0400] - Listening on /var/run/slapd-MR-RIC.socket
for LDAPI requests
[29/Apr/2015:09:40:10 -0400] - The change of nsslapd-maxdescriptors will
not take effect until the server is restarted
-----
----- access log ----
[29/Apr/2015:09:40:11 -0400] conn=3 fd=64 slot=64 connection from
172.25.12.161 to 172.25.12.161
[29/Apr/2015:09:40:11 -0400] conn=3 op=0 SRCH base="" scope=0
filter="(objectClass=*)" attrs=ALL
[29/Apr/2015:09:40:11 -0400] conn=3 op=0 RESULT err=0 tag=101 nentries=1
etime=0
[29/Apr/2015:09:40:11 -0400] conn=3 op=1 BIND dn="cn=Directory Manager"
method=128 version=3
[29/Apr/2015:09:40:11 -0400] conn=3 op=1 RESULT err=0 tag=97 nentries=0
etime=0 dn="cn=directory manager"
[29/Apr/2015:09:40:11 -0400] conn=3 op=2 SRCH base="o=ipaca" scope=0
filter="(objectClass=*)" attrs=ALL
[29/Apr/2015:09:40:11 -0400] conn=3 op=2 RESULT err=32 tag=101 nentries=0
etime=0
[29/Apr/2015:09:40:11 -0400] conn=3 op=3 UNBIND
[29/Apr/2015:09:40:11 -0400] conn=3 op=3 fd=64 closed - U1
-----

On Wed, Apr 29, 2015 at 12:14 PM, Rob Crittenden <rcritten at redhat.com>
wrote:

> Qing Chang wrote:
> > mripa2.mr.ric is the server to be setup as replica. I wonder if the ldap
> > service was available at all at installation stage.
>
> I think we'd need to see the full ipareplica-install.log.
>
> You might also want to see if a ns-slapd process is running and check
> /var/log/dirsrv/slapd-REALM/errors for anything interesting.
>
> rob
>
> >
> > Thanks,
> > Qing
> >
> > On Wed, Apr 29, 2015 at 10:29 AM, Qing Chang <tmpchq at gmail.com
> > <mailto:tmpchq at gmail.com>> wrote:
> >
> >     CentOS7.1 with IPA server 4.1.
> >
> >     "ipa-replica-install --setup-ca --setup-dns ..." fails with this
> >     error message:
> >     -----
> >       [2/22]: configuring certificate server instance
> >     ipa         : CRITICAL failed to configure ca instance Command
> >     ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpaUGoKX'' returned
> >     non-zero exit status 1
> >       [error] RuntimeError: Configuration of CA failed
> >     -----
> >
> >     ipareplica-install.log shows this:
> >     -----
> >     2015-04-29T13:40:11Z DEBUG Saving StateFile to
> >     '/var/lib/ipa/sysrestore/sysrestore.state'
> >     2015-04-29T13:40:11Z DEBUG Starting external process
> >     2015-04-29T13:40:11Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
> >     '/tmp/tmpaUGoKX'
> >     2015-04-29T13:40:51Z DEBUG Process finished, return code=1
> >     2015-04-29T13:40:51Z DEBUG stdout=Loading deployment configuration
> >     from /tmp/tmpaUGoKX.
> >     Installing CA into /var/lib/pki/pki-tomcat.
> >     Storing deployment configuration into
> >     /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
> >
> >     Installation failed.
> >
> >
> >     2015-04-29T13:40:51Z DEBUG stderr=pkispawn    : ERROR    .......
> >     Exception from Java Configuration Servlet: Error in populating
> >     database: Could not connect to LDAP server host mripa2.mr.ric
> >     port 389 Error netscape.ldap.LDAPException: failed to
> >     connect to server ldap://mripa2.mr.ric:389 (91)
> >
> >     2015-04-29T13:40:51Z CRITICAL failed to configure ca instance
> >     Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpaUGoKX''
> >     returned non-zero exit status 1
> >     2015-04-29T13:40:51Z DEBUG Traceback (most recent call last):
> >       File
> >     "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> >     line 382, in start_creation
> >         run_step(full_msg, method)
> >       File
> >     "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> >     line 372, in run_step
> >         method()
> >       File
> >     "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> >     line 673, in __spawn_instance
> >         raise RuntimeError('Configuration of CA failed')
> >     RuntimeError: Configuration of CA failed
> >     -----
> >
> >     I hope this is enough information.
> >
> >     Thanks in advance,
> >
> >     Qing Chang
> >
> >
> >
> >
>
>
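
The question raised in this message (was dirsrv down while pkispawn ran?) can be answered by putting the three logs on one clock, since ipareplica-install.log is stamped in UTC and the dirsrv logs in local time (-0400). The following is an added example, not part of the original post and not FreeIPA code; the sample lines are copied from the logs above with mail-wrapped lines re-joined, and all function names are illustrative.

```python
import re
from datetime import datetime, timezone

# Excerpts taken from the logs quoted in this message (wrapped lines re-joined).
ERRORS_LOG = """\
[29/Apr/2015:09:40:03 -0400] - slapd shutting down - signaling operation threads - op stack size 3 max work q size 1 max work q stack size 1
[29/Apr/2015:09:40:04 -0400] - slapd stopped.
[29/Apr/2015:09:40:08 -0400] - 389-Directory/1.3.3.1 B2015.118.1941 starting up
[29/Apr/2015:09:40:10 -0400] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
"""
ACCESS_LOG = """\
[29/Apr/2015:09:40:11 -0400] conn=3 op=1 BIND dn="cn=Directory Manager" method=128 version=3
[29/Apr/2015:09:40:11 -0400] conn=3 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[29/Apr/2015:09:40:11 -0400] conn=3 op=2 SRCH base="o=ipaca" scope=0 filter="(objectClass=*)" attrs=ALL
[29/Apr/2015:09:40:11 -0400] conn=3 op=2 RESULT err=32 tag=101 nentries=0 etime=0
"""
INSTALL_LOG = """\
2015-04-29T13:40:11Z DEBUG Starting external process
2015-04-29T13:40:11Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpaUGoKX'
2015-04-29T13:40:51Z DEBUG Process finished, return code=1
"""

DIRSRV_TS = re.compile(r"^\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]\s*(.*)$")
INSTALL_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z\s+\w+\s*(.*)$")
RESULT = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+)")


def _dirsrv_lines(text):
    """Yield (utc_timestamp, message) for each timestamped dirsrv log line."""
    for line in text.splitlines():
        m = DIRSRV_TS.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
            yield ts.astimezone(timezone.utc), m.group(2)


def slapd_events(errors_text):
    """Reduce the errors log to ordered (utc_timestamp, 'up'|'down') transitions."""
    events = []
    for ts, msg in _dirsrv_lines(errors_text):
        if "slapd started." in msg:
            events.append((ts, "up"))
        elif "slapd shutting down" in msg or "slapd stopped." in msg:
            events.append((ts, "down"))
    return events


def state_at(events, when):
    """State after the last transition at or before `when` ('unknown' if none)."""
    state = "unknown"
    for ts, s in events:
        if ts <= when:
            state = s
    return state


def pkispawn_window(install_text):
    """Return (start, end, return_code) of the pkispawn run, all in UTC."""
    start = None
    for line in install_text.splitlines():
        m = INSTALL_TS.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        msg = m.group(2)
        if start is None and msg.startswith("args=") and "pkispawn" in msg:
            start = ts
        elif start is not None:
            rc = re.search(r"Process finished, return code=(\d+)", msg)
            if rc:
                return start, ts, int(rc.group(1))
    return None


def results_in_window(access_text, start, end):
    """(conn, op, err) for every LDAP RESULT the server logged inside the window."""
    out = []
    for ts, msg in _dirsrv_lines(access_text):
        m = RESULT.search(msg)
        if m and start <= ts <= end:
            out.append(tuple(int(g) for g in m.groups()))
    return out


def summarize(errors_text, access_text, install_text):
    """Correlate the three logs around the pkispawn run."""
    start, end, rc = pkispawn_window(install_text)
    events = slapd_events(errors_text)
    return {
        "pkispawn_start": start,
        "pkispawn_end": end,
        "pkispawn_rc": rc,
        "slapd_state_at_start": state_at(events, start),
        "slapd_transitions_during": [(t, s) for t, s in events if start < t <= end],
        "ldap_results_during": results_in_window(access_text, start, end),
    }


if __name__ == "__main__":
    for key, value in summarize(ERRORS_LOG, ACCESS_LOG, INSTALL_LOG).items():
        print(f"{key}: {value}")
```

On these excerpts the errors log has slapd listening on port 389 one second before pkispawn starts, and the access log records answered operations inside the window, including err=32 (no such object) for the `o=ipaca` search. Run it over the complete log files rather than excerpts before drawing a conclusion.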