[Freeipa-users] ipa-replica-install failing, dirsrv not starting properly during install process

David Kupka dkupka at redhat.com
Tue Nov 29 11:09:20 UTC 2016


On 29/11/16 11:51, David Dejaeghere wrote:
> Hi,
>
> I have a setup where I want to add a replica.  The first master setup has
> an externally signed cert for dirsrv and httpd.  The replica is prepared
> successfully with ipa-client-install but the replica install then keeps
> failing.  It seems that during install dirsrv is not configured correctly
> with a valid server certificate. Output from the dirsrv error added to this
> email as well.
>
> [root@ns02 ~]# ipa-replica-install --setup-ca
> WARNING: conflicting time&date synchronization service 'chronyd' will
> be disabled in favor of ntpd
>
> Run connection check to master
> Connection check OK
> Configuring NTP daemon (ntpd)
>   [1/4]: stopping ntpd
>   [2/4]: writing configuration
>   [3/4]: configuring ntpd to start on boot
>   [4/4]: starting ntpd
> Done configuring NTP daemon (ntpd).
> Configuring directory server (dirsrv). Estimated time: 1 minute
>   [1/43]: creating directory server user
>   [2/43]: creating directory server instance
>   [3/43]: restarting directory server
>   [4/43]: adding default schema
>   [5/43]: enabling memberof plugin
>   [6/43]: enabling winsync plugin
>   [7/43]: configuring replication version plugin
>   [8/43]: enabling IPA enrollment plugin
>   [9/43]: enabling ldapi
>   [10/43]: configuring uniqueness plugin
>   [11/43]: configuring uuid plugin
>   [12/43]: configuring modrdn plugin
>   [13/43]: configuring DNS plugin
>   [14/43]: enabling entryUSN plugin
>   [15/43]: configuring lockout plugin
>   [16/43]: configuring topology plugin
>   [17/43]: creating indices
>   [18/43]: enabling referential integrity plugin
>   [19/43]: configuring certmap.conf
>   [20/43]: configure autobind for root
>   [21/43]: configure new location for managed entries
>   [22/43]: configure dirsrv ccache
>   [23/43]: enabling SASL mapping fallback
>   [24/43]: restarting directory server
>   [25/43]: creating DS keytab
>   [26/43]: retrieving DS Certificate
>   [27/43]: restarting directory server
> ipa         : CRITICAL Failed to restart the directory server (Command
> '/bin/systemctl restart dirsrv@SOMETHING-BE.service' returned non-zero exit
> status 1). See the installation log for details.
>   [28/43]: setting up initial replication
>   [error] error: [Errno 111] Connection refused
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
>
> [29/Nov/2016:11:29:44.034285579 +0100] SSL alert: Security Initialization:
> Can't find certificate (Server-Cert) for family
> cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 -
> security library: bad database.)
> [29/Nov/2016:11:29:44.045039728 +0100] SSL alert: Security Initialization:
> Unable to retrieve private key for cert Server-Cert of family
> cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 -
> security library: bad database.)

Hello David,

The error from the log indicates that either the NSSDB for dirsrv is not 
initialized or not accessible.

Could you please send output of the following commands?

# ls -lZ /etc/dirsrv/slapd-$REALM/
# certutil -d /etc/dirsrv/slapd-$REALM/ -L
# ausearch -m avc -i


-- 
David Kupka
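As an added example (not part of this thread, and not FreeIPA or 389-ds code), here is a small shell script that runs the three commands from the reply against an instance directory and checks their output for the two conditions the reply names: the NSS DB being present, readable and correctly labelled, and a Server-Cert entry with its private key actually existing. The instance path /etc/dirsrv/slapd-$REALM, the cert8.db/key3.db/secmod.db file layout, the dirsrv file owner, the dirsrv_config_t file label and the dirsrv_t process domain are assumptions, not facts stated in the thread; the certutil and ls output embedded at the bottom is constructed so the two parsers can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/389-ds: offline-testable
# checks for the dirsrv NSS DB behind NSS error -8174 ("Can't find certificate
# (Server-Cert)"). Assumed (not stated in the thread): the instance directory is
# /etc/dirsrv/slapd-$REALM, the files use the cert8.db/key3.db/secmod.db (DBM)
# layout, they should be owned by dirsrv with SELinux type dirsrv_config_t, and
# the server process runs in the dirsrv_t domain.

# has_server_cert: read `certutil -L` output on stdin; succeed (0) only when a
# certificate nicknamed Server-Cert is listed with a 'u' trust flag, i.e. the
# private key is present in the key DB as well.
has_server_cert() {
    awk '
        /^Certificate Nickname/ || /SSL,S\/MIME,JAR\/XPI/ || NF < 2 { next }
        {
            flags = $NF                                # last column: trust attributes
            nick = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)      # strip the flags column
            sub(/^[ \t]+/, "", nick); sub(/[ \t]+$/, "", nick)
            if (nick == "Server-Cert" && index(flags, "u") > 0) found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# nssdb_files_ok: read `ls -lZ` output on stdin; succeed only when all three DB
# files exist, are owned by dirsrv and carry the dirsrv_config_t label. The
# SELinux context column is located by pattern because its position differs
# between coreutils versions; the owner is always two columns before it.
nssdb_files_ok() {
    awk '
        $NF == "cert8.db" || $NF == "key3.db" || $NF == "secmod.db" {
            seen[$NF] = 1
            c = 0
            for (i = 1; i <= NF; i++) if ($i ~ /:object_r:/) { c = i; break }
            if (c == 0 || $(c - 2) != "dirsrv") bad = bad " owner:" $NF
            if (c == 0 || $c !~ /dirsrv_config_t/) bad = bad " label:" $NF
        }
        END {
            n = 0; for (f in seen) n++
            if (n != 3) { print "missing NSS DB file(s) in listing"; exit 1 }
            if (bad != "") { print "unexpected" bad; exit 1 }
        }
    '
}

# check_dirsrv_nssdb REALM: run the three commands from the reply against a
# live instance and feed them through the parsers above. Only this wrapper
# touches the system.
check_dirsrv_nssdb() {
    dir="/etc/dirsrv/slapd-$1"
    [ -d "$dir" ] || { echo "no instance directory $dir"; return 1; }
    ls -lZ "$dir" | nssdb_files_ok || return 1
    certutil -d "$dir" -L | has_server_cert || { echo "Server-Cert not in $dir"; return 1; }
    # AVC denials against the dirsrv_t domain point at a labelling problem
    # rather than a missing certificate (domain name is an assumption).
    if command -v ausearch >/dev/null 2>&1 &&
       ausearch -m avc -i 2>/dev/null | grep -q dirsrv_t; then
        echo "note: AVC denials involving dirsrv_t found, see ausearch -m avc -i"
    fi
    echo "NSS DB in $dir looks usable"
}

# Constructed sample output (not captured from the thread) for offline runs.
SAMPLE_CERTUTIL_OK='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

SOMETHING-BE IPA CA                                          CT,,
Server-Cert                                                  u,u,u'
SAMPLE_CERTUTIL_MISSING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

SOMETHING-BE IPA CA                                          CT,,'
SAMPLE_LS_OK='total 164
-rw-------. 1 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db
-rw-------. 1 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db
-rw-------. 1 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db'
SAMPLE_LS_BAD='total 164
-rw-------. 1 root root unconfined_u:object_r:etc_t:s0 65536 Nov 29 11:29 cert8.db
-rw-------. 1 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db
-rw-------. 1 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db'

# Offline demonstration; check_dirsrv_nssdb REALM is the live entry point.
printf '%s\n' "$SAMPLE_CERTUTIL_OK" | has_server_cert && echo "sample: Server-Cert present"
printf '%s\n' "$SAMPLE_LS_BAD" | nssdb_files_ok || echo "sample: bad listing rejected"
```

The parsers are kept separate from the wrapper on purpose: the wrapper is what you run on the broken replica (`check_dirsrv_nssdb SOMETHING-BE` after sourcing the file), while the parsers can be fed the output a user pastes into a mail, which is exactly what the reply asks for.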