[Freeipa-users] ipa-replica-install failing, dirsrv not starting properly during install process

David Dejaeghere david.dejaeghere at gmail.com
Tue Nov 29 11:15:20 UTC 2016


Seems like it is, but it does not show a server cert for dirsrv.

[root@ns02 ~]# ls -lZ /etc/dirsrv/slapd-SOMETHING-BE/
total 468
-rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db
-rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db.orig
-r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  1623 Nov 29 11:29 certmap.conf
-rw-------. 1 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0     89977 Nov 29 11:29 dse.ldif
-rw-------. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0     89977 Nov 29 11:29 dse.ldif.bak
-rw-------. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0     89977 Nov 29 11:29 dse.ldif.startOK
-r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 36228 Nov 29 11:28 dse_original.ldif
-rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db
-rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db.orig
-r--------. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0    66 Nov 29 11:29 pin.txt
-rw-------. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0    40 Nov 29 11:29 pwdfile.txt
drwxrwx---. 2 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  4096 Nov 29 11:29 schema
-rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db
-rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db.orig
-r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 15142 Nov 29 11:28 slapd-collations.conf

[root@ns02 ~]# certutil -d /etc/dirsrv/slapd-SOMETHING-BE -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=something-PAPRIKA-CA,DC=something,DC=local                CT,C,C
SOMETHING.BE IPA CA                                          CT,C,C

[root@ns02 ~]# ausearch -m avc -i
<no matches>



2016-11-29 12:09 GMT+01:00 David Kupka <dkupka at redhat.com>:

> On 29/11/16 11:51, David Dejaeghere wrote:
>
>> Hi,
>>
>> I have a setup where I want to add a replica.  The first master setup has
>> an externally signed cert for dirsrv and httpd.  The replica is prepared
>> successfully with ipa-client-install but the replica install then keeps
>> failing.  It seems that during install dirsrv is not configured correctly
>> with a valid server certificate. Output from the dirsrv error added to this
>> email as well.
>>
>> [root@ns02 ~]# ipa-replica-install --setup-ca
>> WARNING: conflicting time&date synchronization service 'chronyd' will
>> be disabled in favor of ntpd
>>
>> Run connection check to master
>> Connection check OK
>> Configuring NTP daemon (ntpd)
>>   [1/4]: stopping ntpd
>>   [2/4]: writing configuration
>>   [3/4]: configuring ntpd to start on boot
>>   [4/4]: starting ntpd
>> Done configuring NTP daemon (ntpd).
>> Configuring directory server (dirsrv). Estimated time: 1 minute
>>   [1/43]: creating directory server user
>>   [2/43]: creating directory server instance
>>   [3/43]: restarting directory server
>>   [4/43]: adding default schema
>>   [5/43]: enabling memberof plugin
>>   [6/43]: enabling winsync plugin
>>   [7/43]: configuring replication version plugin
>>   [8/43]: enabling IPA enrollment plugin
>>   [9/43]: enabling ldapi
>>   [10/43]: configuring uniqueness plugin
>>   [11/43]: configuring uuid plugin
>>   [12/43]: configuring modrdn plugin
>>   [13/43]: configuring DNS plugin
>>   [14/43]: enabling entryUSN plugin
>>   [15/43]: configuring lockout plugin
>>   [16/43]: configuring topology plugin
>>   [17/43]: creating indices
>>   [18/43]: enabling referential integrity plugin
>>   [19/43]: configuring certmap.conf
>>   [20/43]: configure autobind for root
>>   [21/43]: configure new location for managed entries
>>   [22/43]: configure dirsrv ccache
>>   [23/43]: enabling SASL mapping fallback
>>   [24/43]: restarting directory server
>>   [25/43]: creating DS keytab
>>   [26/43]: retrieving DS Certificate
>>   [27/43]: restarting directory server
>> ipa         : CRITICAL Failed to restart the directory server (Command
>> '/bin/systemctl restart dirsrv@SOMETHING-BE.service' returned non-zero exit
>> status 1). See the installation log for details.
>>   [28/43]: setting up initial replication
>>   [error] error: [Errno 111] Connection refused
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>>
>> [29/Nov/2016:11:29:44.034285579 +0100] SSL alert: Security Initialization:
>> Can't find certificate (Server-Cert) for family
>> cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 -
>> security library: bad database.)
>> [29/Nov/2016:11:29:44.045039728 +0100] SSL alert: Security Initialization:
>> Unable to retrieve private key for cert Server-Cert of family
>> cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 -
>> security library: bad database.)
>>
>>
>>
>>
> Hello David,
>
> The error from the log indicates that either the NSSDB for dirsrv is not
> initialized or not accessible.
>
> Could you please send output of the following commands?
>
> # ls -lZ /etc/dirsrv/slapd-$REALM/
> # certutil -d /etc/dirsrv/slapd-$REALM/ -L
> # ausearch -m avc -i
>
>
> --
> David Kupka
>
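The diagnosis in this thread comes down to one question: does the dirsrv NSS database contain a `Server-Cert` entry that is backed by a private key? The listing above shows only the two CA certificates, which matches the "Can't find certificate (Server-Cert)" alert. The shell function below is an added example, not code from the thread or from FreeIPA: it parses `certutil -L` output and reports whether a given nickname is present with a private key in the database (certutil marks such certificates with `u` in the trust flags). The sample listings are constructed; the first mirrors the output posted above, the second adds the entry a working instance would show.

```shell
# Added example (not from the thread): check a `certutil -d <dir> -L` listing
# for a server certificate nickname that has a private key in the NSS DB.
# Usage: nss_has_server_cert "<certutil -L output>" [nickname]
# Returns 0 when the nickname is listed with a 'u' trust flag, 1 otherwise.
nss_has_server_cert() {
    listing=$1
    wanted=${2:-Server-Cert}
    # certutil prints a two-line header, then one line per certificate with
    # the nickname (which may contain spaces) followed by the trust flags as
    # the last whitespace-separated field.
    printf '%s\n' "$listing" | awk -v want="$wanted" '
        NR <= 2 || NF < 2 { next }
        {
            flags = $NF
            nick = $0
            sub(/[[:space:]]+[^[:space:]]+[[:space:]]*$/, "", nick)
            if (nick == want && flags ~ /u/) { found = 1 }
        }
        END { if (found) exit 0; exit 1 }'
}

# Live check against an instance directory (needs certutil on the host;
# the offline test below only uses the constructed listings).
check_dirsrv_nssdb() {
    nss_has_server_cert "$(certutil -d "$1" -L)" Server-Cert
}

# Constructed listing matching the thread: CA certs only, no Server-Cert.
LISTING_BROKEN='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=something-PAPRIKA-CA,DC=something,DC=local                CT,C,C
SOMETHING.BE IPA CA                                          CT,C,C'

# Constructed listing for a correctly prepared instance (Server-Cert with key).
LISTING_OK="$LISTING_BROKEN
Server-Cert                                                  u,u,u"
```

Running `check_dirsrv_nssdb /etc/dirsrv/slapd-SOMETHING-BE` before step 27/43 restarts dirsrv would flag this instance as missing its server certificate, which is the condition the SSL alert reports.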