[Freeipa-users] Replica Server's ipactl does not control named after reinstallation

Dmitri Pal dpal at redhat.com
Sat Jan 10 21:39:21 UTC 2015


On 01/10/2015 04:41 AM, Sina Owolabi wrote:
> I've run ipa-dns-install after the fact now, and named is setup.
> Strange, it used to work without me having to do this manually
> (whenever I needed to take down a replica).
> However when I ran dnsconfig-mod on the new replica, I get:
>
>   ipa dnsconfig-mod
> ipa: ERROR: cert validation failed for
> "CN=services01.mydom.com,O=MYDOM.COM" ((SEC_ERROR_UNTRUSTED_ISSUER)
> Peer's certificate issuer has been marked as not trusted by the user.)
> ipa: ERROR: cert validation failed for
> "CN=services.mydom.com,O=MYDOM.COM" ((SEC_ERROR_UNTRUSTED_ISSUER)
> Peer's certificate issuer has been marked as not trusted by the user.)
> ipa: ERROR: cannot connect to Gettext('any of the configured servers',
> domain='ipa', localedir=None): https://services01.mydom.com/ipa/xml,
> https://services.mydom.com/ipa/xml

Can it be that your certs have expired and were not properly renewed?
How long have you been running this setup?
More than two years?
Have you been upgrading since early versions?


>
> On Sat, Jan 10, 2015 at 10:22 AM, Sina Owolabi <notify.sina at gmail.com> wrote:
>> I did run it with --setup-dns.
>>
>> [root at services01 ~]# ipa-replica-install --setup-dns
>> --forwarder=8.8.8.8 --forwarder=8.8.4.4
>> replica-info-services01.mydom.com.gpg
>>
>> How can I fix this, please?
>>
>> On Fri, Jan 9, 2015 at 8:33 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>> Sina Owolabi wrote:
>>>> Hi List,
>>>>
>>>> I've seen this happen on two occasions now, in two different
>>>> environments, one with RHEL 6.6 and one with RHEL 6.3.
>>>>
>>>> I have issues with a replica server: I delete the replication
>>>> agreement, remove the server from ipa dns, run ipa-server-install
>>>> --uninstall -U.
>>>> Reboot the server, create new replication settings from the existing
>>>> master, and restore the replica.
>>>> Running ipactl status, I see:
>>>>
>>>>   ipactl status
>>>> Directory Service: RUNNING
>>>> KDC Service: RUNNING
>>>> KPASSWD Service: RUNNING
>>>> MEMCACHE Service: RUNNING
>>>> HTTP Service: RUNNING
>>>>
>>>> No DNS service listed. Named is not running.
>>>>
>>>> ipactl restart
>>>> Restarting Directory Service
>>>> Shutting down dirsrv:
>>>>      MYDOM-COM...                                    [  OK  ]
>>>> Starting dirsrv:
>>>>      MYDOM-COM...                                    [  OK  ]
>>>> Restarting KDC Service
>>>> Stopping Kerberos 5 KDC:                                   [  OK  ]
>>>> Starting Kerberos 5 KDC:                                   [  OK  ]
>>>> Restarting KPASSWD Service
>>>> Stopping Kerberos 5 Admin Server:                          [  OK  ]
>>>> Starting Kerberos 5 Admin Server:                          [  OK  ]
>>>> Restarting MEMCACHE Service
>>>> Stopping ipa_memcached:                                    [  OK  ]
>>>> Starting ipa_memcached:                                    [  OK  ]
>>>> Restarting HTTP Service
>>>> Stopping httpd:                                            [  OK  ]
>>>> Starting httpd:                                            [  OK  ]
>>>>
>>>> Checking on named:
>>>>   service named status
>>>> rndc: connect failed: 127.0.0.1#953: connection refused
>>>> named is stopped
>>>> # service named start
>>>> Starting named:                                            [  OK  ]
>>>> # service named status
>>>> version: 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1
>>>> CPUs found: 2
>>>> worker threads: 2
>>>> number of zones: 19
>>>> debug level: 0
>>>> xfers running: 0
>>>> xfers deferred: 0
>>>> soa queries in progress: 0
>>>> query logging is OFF
>>>> recursive clients: 0/0/1000
>>>> tcp clients: 0/100
>>>> server is up and running
>>>> named (pid  25017) is running...
>>>>
>>>> But it does not resolve. Please what is happening and how can I fix this?
>>>> I don't know what logs to provide, but please let me know what is
>>>> necessary and I'll make them available.
>>> Bind is an optional service. You can either configure it at the time you
>>> install replica using the --setup-dns option or afterward using
>>> ipa-dns-install.
>>>
>>> rob
>>>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
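The two errors in the thread (SEC_ERROR_UNTRUSTED_ISSUER from the ipa client, and Dmitri's question about expired certificates) can both be checked with plain openssl before touching ipactl. The script below is an added example and is not part of the mailing-list thread or of FreeIPA; it builds its own throwaway CA and server certificates under an assumed organisation EXAMPLE.TEST in a temporary directory, so it runs offline. The only assumption is that the openssl command-line tool is installed. To check a real replica, point verify_chain at the IPA CA certificate and the HTTP service certificate you exported from the server instead of the constructed files.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce an untrusted issuer and a
# soon-to-expire certificate with openssl, the two conditions discussed above.
set -e

# verify_chain CA.pem CERT.pem -> "trusted" if CERT chains to CA, otherwise
# "untrusted" (the NSS equivalent of this failure is SEC_ERROR_UNTRUSTED_ISSUER).
verify_chain() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# cert_ok_for CERT.pem SECONDS -> "valid" if CERT is still valid SECONDS from
# now, "expiring" if it will have expired by then (or already has).
cert_ok_for() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        echo valid
    else
        echo expiring
    fi
}

# make_ca DIR NAME -> self-signed CA at DIR/NAME.pem with key DIR/NAME.key
# (constructed test CA; the subject is an assumption for this example).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$1/$2.key" -out "$1/$2.pem" \
        -subj "/O=EXAMPLE.TEST/CN=$2" >/dev/null 2>&1
}

# make_leaf DIR CA CN DAYS -> server certificate DIR/CN.pem, signed by
# DIR/CA.pem and valid for DAYS days.
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1/$3.key" \
        -out "$1/$3.csr" -subj "/O=EXAMPLE.TEST/CN=$3" >/dev/null 2>&1
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days "$4" -sha256 -out "$1/$3.pem" >/dev/null 2>&1
}

# demo: one CA the client trusts, one it does not, and a leaf from each.
# Prints one line per check; a "expiring"/"untrusted" here is what a
# replica in the state described in the thread would show.
demo() {
    d=$(mktemp -d)
    make_ca "$d" trusted-ca
    make_ca "$d" other-ca
    make_leaf "$d" trusted-ca services01 10   # 10 days left
    make_leaf "$d" other-ca services 10       # signed by a CA we don't trust
    echo "services01 chain:        $(verify_chain "$d/trusted-ca.pem" "$d/services01.pem")"
    echo "services   chain:        $(verify_chain "$d/trusted-ca.pem" "$d/services.pem")"
    echo "services01 ok for 1 day: $(cert_ok_for "$d/services01.pem" 86400)"
    echo "services01 ok for 30 d:  $(cert_ok_for "$d/services01.pem" 2592000)"
    rm -rf "$d"
}

demo
```

The -checkend window is the useful knob for monitoring: run it with the renewal lead time you expect (30 days here) so a certificate that is about to lapse is caught before clients start refusing the connection.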
