[Freeipa-users] backing up and starting over...

Robert Story rstory at tislabs.com
Fri Dec 23 06:12:42 UTC 2016


On Thu, 22 Dec 2016 16:48:10 -0500 Robert wrote:
RS> I tried to create a replica. It went well for the directory server, but
RS> then:
RS> 
RS> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30
RS> seconds [1/27]: creating certificate server user
RS>   [2/27]: configuring certificate server instance
RS> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure
RS> CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpqYyqJJ' returned
RS> non-zero exit status 1 ipa.ipaserver.install.cainstance.CAInstance:
RS> CRITICAL See the installation logs and the following files/directories for
RS> more information: ipa.ipaserver.install.cainstance.CAInstance:
RS> CRITICAL   /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration
RS> failed.
RS> [...]
RS> So this looks like the culprit:
RS> 
RS> [22/Dec/2016:16:07:48][http-bio-8443-exec-3]: updateNumberRange: Failed to contact master using admin portjavax.ws.rs.InternalServerErrorException: HTTP 500 Internal Server Error

So eventually I found proxy errors like this in a logfile:

  proxy_ajp:error (70007)The timeout specified has expired:

I added large timeouts to /etc/httpd/conf.d/ipa-pki-proxy.conf

 Timeout 900
 ProxyTimeout 900

This allowed my replica install to complete. However, when I logged in to
the new replica, I was getting the same long timeout trying to load users.
The error log had this:

[Fri Dec 23 00:50:39.206858 2016] [proxy_ajp:error] [pid 31182]
[client 10.71.10.118:49784] AH00896: failed to make connection to backend: localhost

This started ringing a little bell in my head about localhost and ipv4 vs
ipv6. I disabled ipv6 in /etc/sysctl.conf, and voila, users load in less
than 5 seconds instead of 5 minutes or timing out.

Hopefully this will also resolve the other weirdness I've been seeing. I'm
keeping my fingers crossed.


Robert

-- 
Senior Software Engineer @ Parsons
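
Added example, not part of the original message: a Python check for the localhost IPv4-versus-IPv6 mismatch described above. It lists every address `localhost` resolves to and tries a TCP connect to the proxy backend on each one; port 8009 (Tomcat's default AJP port) and all function names are assumptions, since the message names no port.

```python
import socket
import time

AJP_PORT = 8009  # assumption: Tomcat's default AJP port; the message gives none


def resolve(host, port):
    """Return the (family, address) pairs the resolver gives for host, in order."""
    seen = []
    for family, _t, _p, _c, sockaddr in socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM):
        pair = (family, sockaddr[0])
        if pair not in seen:
            seen.append(pair)
    return seen


def probe(family, address, port, timeout=3.0):
    """Try one TCP connect; return (ok, seconds, error text)."""
    start = time.monotonic()
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((address, port))
        return True, time.monotonic() - start, ""
    except OSError as exc:
        return False, time.monotonic() - start, str(exc)


def diagnose(results):
    """results: list of (address, ok). Flag a name whose addresses disagree."""
    ok = [a for a, good in results if good]
    bad = [a for a, good in results if not good]
    if ok and bad:
        return "partial: backend answers on %s but not on %s" % (
            ", ".join(ok), ", ".join(bad))
    return "all reachable" if ok else "unreachable"


def check(host="localhost", port=AJP_PORT):
    """Probe every address behind host and summarise the outcome."""
    results = []
    for family, address in resolve(host, port):
        ok, secs, err = probe(family, address, port)
        print("%-20s %-4s %.2fs %s" % (address, "ok" if ok else "FAIL", secs, err))
        results.append((address, ok))
    return diagnose(results)


if __name__ == "__main__":
    print(check())
```

A "partial" result means the name resolves to an address family on which the backend is not listening, which matches the delays and AH00896 errors in the message.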