[Freeipa-users] ipa-replica-install failing, dirsrv not starting properly during install process
David Kupka
dkupka at redhat.com
Tue Nov 29 11:09:20 UTC 2016
On 29/11/16 11:51, David Dejaeghere wrote:
> Hi,
>
> I have a setup where i want to add a replica. The first master setup has
> an externally signed cert for dirsrv and httpd. The replica is prepapred
> succesfully with ipa-client-install but the replica install then keeps
> failing. It seems that during install dirserv is not configured correctly
> with a valid server certificate. Output from the dirsrv error added to this
> email as well.
>
> [root at ns02 ~]# ipa-replica-install --setup-ca
> WARNING: conflicting time&date synchronization service 'chronyd' will
> be disabled in favor of ntpd
>
> Run connection check to master
> Connection check OK
> Configuring NTP daemon (ntpd)
> [1/4]: stopping ntpd
> [2/4]: writing configuration
> [3/4]: configuring ntpd to start on boot
> [4/4]: starting ntpd
> Done configuring NTP daemon (ntpd).
> Configuring directory server (dirsrv). Estimated time: 1 minute
> [1/43]: creating directory server user
> [2/43]: creating directory server instance
> [3/43]: restarting directory server
> [4/43]: adding default schema
> [5/43]: enabling memberof plugin
> [6/43]: enabling winsync plugin
> [7/43]: configuring replication version plugin
> [8/43]: enabling IPA enrollment plugin
> [9/43]: enabling ldapi
> [10/43]: configuring uniqueness plugin
> [11/43]: configuring uuid plugin
> [12/43]: configuring modrdn plugin
> [13/43]: configuring DNS plugin
> [14/43]: enabling entryUSN plugin
> [15/43]: configuring lockout plugin
> [16/43]: configuring topology plugin
> [17/43]: creating indices
> [18/43]: enabling referential integrity plugin
> [19/43]: configuring certmap.conf
> [20/43]: configure autobind for root
> [21/43]: configure new location for managed entries
> [22/43]: configure dirsrv ccache
> [23/43]: enabling SASL mapping fallback
> [24/43]: restarting directory server
> [25/43]: creating DS keytab
> [26/43]: retrieving DS Certificate
> [27/43]: restarting directory server
> ipa : CRITICAL Failed to restart the directory server (Command
> '/bin/systemctl restart dirsrv at SOMETHING-BE.service' returned non-zero exit
> status 1). See the installation log for details.
> [28/43]: setting up initial replication
> [error] error: [Errno 111] Connection refused
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
>
> [29/Nov/2016:11:29:44.034285579 +0100] SSL alert: Security Initialization:
> Can't find certificate (Server-Cert) for family
> cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 -
> security library: bad database.)
> [29/Nov/2016:11:29:44.045039728 +0100] SSL alert: Security Initialization:
> Unable to retrieve private key for cert Server-Cert of family
> cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 -
> security library: bad database.)
>
>
>
Hello David,
The error from the log indicates that either the NSSDB for dirsrv is not
initialized or not accessible.
Could you please send output of the following commands?
# ls -lZ /etc/dirsrv/slapd-$REALM/
# certutil -d /etc/dirsrv/slapd-$REALM/ -L
# ausearch -m avc -i
--
David Kupka
More information about the Freeipa-users
mailing list