[Freeipa-users] ipa-replica-install failing, dirsrv not starting properly during install process

David Kupka dkupka at redhat.com
Tue Nov 29 11:43:26 UTC 2016


On 29/11/16 12:15, David Dejaeghere wrote:
> Seems like it is but it does not show a server cert for dirsrv
>
> [root@ns02 ~]# ls -lZ /etc/dirsrv/slapd-SOMETHING-BE/
> total 468
> -rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db
> -rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db.orig
> -r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  1623 Nov 29 11:29 certmap.conf
> -rw-------. 1 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0     89977 Nov 29 11:29 dse.ldif
> -rw-------. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0     89977 Nov 29 11:29 dse.ldif.bak
> -rw-------. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0     89977 Nov 29 11:29 dse.ldif.startOK
> -r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 36228 Nov 29 11:28 dse_original.ldif
> -rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db
> -rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db.orig
> -r--------. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0    66 Nov 29 11:29 pin.txt
> -rw-------. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0    40 Nov 29 11:29 pwdfile.txt
> drwxrwx---. 2 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  4096 Nov 29 11:29 schema
> -rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db
> -rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db.orig
> -r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 15142 Nov 29 11:28 slapd-collations.conf
>
> [root@ns02 ~]# certutil -d /etc/dirsrv/slapd-SOMETHING-BE -L
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> CN=something-PAPRIKA-CA,DC=something,DC=local                CT,C,C
> SOMETHING.BE IPA CA                                          CT,C,C
>
> [root@ns02 ~]# ausearch -m avc -i
> <no matches>
>
>

Exactly, the NSSDB should be accessible to dirsrv and is missing the 
Server-Cert, but I don't understand why there's a "bad database" error in 
the errors log. I'll try to reproduce it. What version of FreeIPA are 
you using? On what system?

>
> 2016-11-29 12:09 GMT+01:00 David Kupka <dkupka at redhat.com>:
>
>> On 29/11/16 11:51, David Dejaeghere wrote:
>>
>>> Hi,
>>>
>>> I have a setup where I want to add a replica.  The first master setup has
>>> an externally signed cert for dirsrv and httpd.  The replica is prepared
>>> successfully with ipa-client-install but the replica install then keeps
>>> failing.  It seems that during install dirsrv is not configured correctly
>>> with a valid server certificate. Output from the dirsrv error log is added
>>> to this email as well.
>>>
>>> [root@ns02 ~]# ipa-replica-install --setup-ca
>>> WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd
>>>
>>> Run connection check to master
>>> Connection check OK
>>> Configuring NTP daemon (ntpd)
>>>   [1/4]: stopping ntpd
>>>   [2/4]: writing configuration
>>>   [3/4]: configuring ntpd to start on boot
>>>   [4/4]: starting ntpd
>>> Done configuring NTP daemon (ntpd).
>>> Configuring directory server (dirsrv). Estimated time: 1 minute
>>>   [1/43]: creating directory server user
>>>   [2/43]: creating directory server instance
>>>   [3/43]: restarting directory server
>>>   [4/43]: adding default schema
>>>   [5/43]: enabling memberof plugin
>>>   [6/43]: enabling winsync plugin
>>>   [7/43]: configuring replication version plugin
>>>   [8/43]: enabling IPA enrollment plugin
>>>   [9/43]: enabling ldapi
>>>   [10/43]: configuring uniqueness plugin
>>>   [11/43]: configuring uuid plugin
>>>   [12/43]: configuring modrdn plugin
>>>   [13/43]: configuring DNS plugin
>>>   [14/43]: enabling entryUSN plugin
>>>   [15/43]: configuring lockout plugin
>>>   [16/43]: configuring topology plugin
>>>   [17/43]: creating indices
>>>   [18/43]: enabling referential integrity plugin
>>>   [19/43]: configuring certmap.conf
>>>   [20/43]: configure autobind for root
>>>   [21/43]: configure new location for managed entries
>>>   [22/43]: configure dirsrv ccache
>>>   [23/43]: enabling SASL mapping fallback
>>>   [24/43]: restarting directory server
>>>   [25/43]: creating DS keytab
>>>   [26/43]: retrieving DS Certificate
>>>   [27/43]: restarting directory server
>>> ipa         : CRITICAL Failed to restart the directory server (Command
>>> '/bin/systemctl restart dirsrv@SOMETHING-BE.service' returned non-zero
>>> exit status 1). See the installation log for details.
>>>   [28/43]: setting up initial replication
>>>   [error] error: [Errno 111] Connection refused
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>
>>>
>>> [29/Nov/2016:11:29:44.034285579 +0100] SSL alert: Security Initialization:
>>> Can't find certificate (Server-Cert) for family cn=RSA,cn=encryption,cn=config
>>> (Netscape Portable Runtime error -8174 - security library: bad database.)
>>> [29/Nov/2016:11:29:44.045039728 +0100] SSL alert: Security Initialization:
>>> Unable to retrieve private key for cert Server-Cert of family
>>> cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 -
>>> security library: bad database.)
>>>
>>>
>>>
>>>
>> Hello David,
>>
>> The error from the log indicates that either the NSSDB for dirsrv is not
>> initialized or not accessible.
>>
>> Could you please send output of the following commands?
>>
>> # ls -lZ /etc/dirsrv/slapd-$REALM/
>> # certutil -d /etc/dirsrv/slapd-$REALM/ -L
>> # ausearch -m avc -i
>>
>>
>> --
>> David Kupka
>>
>



-- 
David Kupka
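An added check, not from the thread or from FreeIPA itself: it parses the `certutil -d <nssdb> -L` listing that David Kupka asked for and distinguishes the two states the dirsrv errors log complains about (the Server-Cert nickname absent entirely, or present without a private key, which shows as trust flags lacking `u`). The sample listing is constructed to mirror the replica's state above; the nickname `Server-Cert` is the one named in the log.

```shell
#!/bin/sh
# Parse a `certutil -L` listing on stdin and check for a usable server cert.
# Exit status: 0 = nickname present with a private key (flags contain 'u'),
#              1 = nickname missing, 2 = present but no private key.
nss_server_cert_status() {
    awk -v nick="$1" '
        # Skip the header, the flag legend and blank lines.
        /^[ \t]*$/ || /^Certificate Nickname/ || /SSL,S\/MIME,JAR\/XPI/ { next }
        {
            flags = $NF                          # trust flags are the last field
            sub(/[ \t]+[^ \t]+$/, "", $0)        # the rest is the nickname (may contain spaces)
            if ($0 == nick) {
                found = 1
                if (flags ~ /u/) usable = 1      # "u" marks a cert whose private key is in key3.db
            }
        }
        END { if (!found) exit 1; if (!usable) exit 2; exit 0 }'
}

# Human-readable wrapper; always returns 0 so it is safe under `set -e`.
report_server_cert() {
    rc=0
    nss_server_cert_status "$1" || rc=$?
    case $rc in
        0) echo "$1: present with private key" ;;
        1) echo "$1: MISSING (matches 'Can't find certificate' in the errors log)" ;;
        2) echo "$1: present but no private key (trust flags lack 'u')" ;;
    esac
}

# Constructed listing reproducing the replica's NSSDB from the thread:
# two CA certificates, no Server-Cert.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=something-PAPRIKA-CA,DC=something,DC=local                CT,C,C
SOMETHING.BE IPA CA                                          CT,C,C
'

# On a live replica (assumes nss-tools is installed):
#   certutil -d /etc/dirsrv/slapd-$REALM -L | report_server_cert Server-Cert
printf '%s\n' "$SAMPLE_LISTING" | report_server_cert Server-Cert
```

A healthy instance lists `Server-Cert` with `u,u,u`; the dirsrv error in the thread corresponds to exit status 1 here.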



