[Freeipa-users] ipa-replica-install failing, dirsrv not starting properly during install process

Petr Vobornik pvoborni at redhat.com
Tue Nov 29 12:41:14 UTC 2016


On 11/29/2016 12:43 PM, David Kupka wrote:
> On 29/11/16 12:15, David Dejaeghere wrote:
>> Seems like it is but it does not show a server cert for dirsrv
>>
>> [root@ns02 ~]# ls -lZ /etc/dirsrv/slapd-SOMETHING-BE/
>> total 468
>> -rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db
>> -rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db.orig
>> -r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  1623 Nov 29 11:29 certmap.conf
>> -rw-------. 1 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0     89977 Nov 29 11:29 dse.ldif
>> -rw-------. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0     89977 Nov 29 11:29 dse.ldif.bak
>> -rw-------. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0     89977 Nov 29 11:29 dse.ldif.startOK
>> -r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 36228 Nov 29 11:28 dse_original.ldif
>> -rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db
>> -rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db.orig
>> -r--------. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0    66 Nov 29 11:29 pin.txt
>> -rw-------. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0    40 Nov 29 11:29 pwdfile.txt
>> drwxrwx---. 2 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  4096 Nov 29 11:29 schema
>> -rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db
>> -rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db.orig
>> -r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 15142 Nov 29 11:28 slapd-collations.conf
>>
>> [root@ns02 ~]# certutil -d /etc/dirsrv/slapd-SOMETHING-BE -L
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> CN=something-PAPRIKA-CA,DC=something,DC=local                CT,C,C
>> SOMETHING.BE IPA CA                                          CT,C,C
>> [root@ns02 ~]# certutil -d /etc/dirsrv/slapd-SOMETHING-BE -L
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> CN=something-PAPRIKA-CA,DC=something,DC=local                CT,C,C
>> SOMETHING.BE IPA CA                                          CT,C,C
>>
>> [root@ns02 ~]# ausearch -m avc -i
>> <no matches>
>>
>>
> 
> Exactly, the NSSDB should be accessible to dirsrv and is missing the
> Server-Cert but I don't understand why there's "bad database" error in
> the errors log. I'll try to reproduce it. What version of FreeIPA are
> you using? On what system?

Right.

Seems a bit similar to https://fedorahosted.org/freeipa/ticket/6514. It would
be good to check whether it has the same symptoms, mainly
  certmonger request is in state dbus.String(u'CA_UNREACHABLE',
variant_level=1)

in the replica install log.


> 
>>
>> 2016-11-29 12:09 GMT+01:00 David Kupka <dkupka at redhat.com>:
>>
>>> On 29/11/16 11:51, David Dejaeghere wrote:
>>>
>>>> Hi,
>>>>
>>>> I have a setup where I want to add a replica.  The first master setup has
>>>> an externally signed cert for dirsrv and httpd.  The replica is prepared
>>>> successfully with ipa-client-install but the replica install then keeps
>>>> failing.  It seems that during install dirsrv is not configured correctly
>>>> with a valid server certificate. Output from the dirsrv error added to this
>>>> email as well.
>>>>
>>>> [root@ns02 ~]# ipa-replica-install --setup-ca
>>>> WARNING: conflicting time&date synchronization service 'chronyd' will
>>>> be disabled in favor of ntpd
>>>>
>>>> Run connection check to master
>>>> Connection check OK
>>>> Configuring NTP daemon (ntpd)
>>>>   [1/4]: stopping ntpd
>>>>   [2/4]: writing configuration
>>>>   [3/4]: configuring ntpd to start on boot
>>>>   [4/4]: starting ntpd
>>>> Done configuring NTP daemon (ntpd).
>>>> Configuring directory server (dirsrv). Estimated time: 1 minute
>>>>   [1/43]: creating directory server user
>>>>   [2/43]: creating directory server instance
>>>>   [3/43]: restarting directory server
>>>>   [4/43]: adding default schema
>>>>   [5/43]: enabling memberof plugin
>>>>   [6/43]: enabling winsync plugin
>>>>   [7/43]: configuring replication version plugin
>>>>   [8/43]: enabling IPA enrollment plugin
>>>>   [9/43]: enabling ldapi
>>>>   [10/43]: configuring uniqueness plugin
>>>>   [11/43]: configuring uuid plugin
>>>>   [12/43]: configuring modrdn plugin
>>>>   [13/43]: configuring DNS plugin
>>>>   [14/43]: enabling entryUSN plugin
>>>>   [15/43]: configuring lockout plugin
>>>>   [16/43]: configuring topology plugin
>>>>   [17/43]: creating indices
>>>>   [18/43]: enabling referential integrity plugin
>>>>   [19/43]: configuring certmap.conf
>>>>   [20/43]: configure autobind for root
>>>>   [21/43]: configure new location for managed entries
>>>>   [22/43]: configure dirsrv ccache
>>>>   [23/43]: enabling SASL mapping fallback
>>>>   [24/43]: restarting directory server
>>>>   [25/43]: creating DS keytab
>>>>   [26/43]: retrieving DS Certificate
>>>>   [27/43]: restarting directory server
>>>> ipa         : CRITICAL Failed to restart the directory server (Command '/bin/systemctl restart dirsrv@SOMETHING-BE.service' returned non-zero exit status 1). See the installation log for details.
>>>>   [28/43]: setting up initial replication
>>>>   [error] error: [Errno 111] Connection refused
>>>> Your system may be partly configured.
>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>
>>>>
>>>> [29/Nov/2016:11:29:44.034285579 +0100] SSL alert: Security Initialization: Can't find certificate (Server-Cert) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
>>>> [29/Nov/2016:11:29:44.045039728 +0100] SSL alert: Security Initialization: Unable to retrieve private key for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
>>>>
>>>>
>>>>
>>>>
>>> Hello David,
>>>
>>> The error from the log indicates that either the NSSDB for dirsrv is not
>>> initialized or not accessible.
>>>
>>> Could you please send output of the following commands?
>>>
>>> # ls -lZ /etc/dirsrv/slapd-$REALM/
>>> # certutil -d /etc/dirsrv/slapd-$REALM/ -L
>>> # ausearch -m avc -i
>>>
>>>
>>> -- 
>>> David Kupka
>>>


-- 
Petr Vobornik
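As an added example (not code from this thread or from the FreeIPA project), a small POSIX shell checker for the two things being asked for above: whether the dirsrv NSS DB holds a Server-Cert entry that is backed by a private key, which is what the `certutil -L` output was meant to show, and whether the replica install log carries the `CA_UNREACHABLE` certmonger state from ticket 6514. The NSS DB path `/etc/dirsrv/slapd-$REALM`, the log path `/var/log/ipareplica-install.log`, the function names and the sample listing and log text are assumptions or constructed copies, not part of the original messages.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: a checker for the
# two symptoms discussed above, meant to run on a FreeIPA replica host.
# Assumptions (not from the page): the dirsrv NSS DB lives in
# /etc/dirsrv/slapd-$REALM and the replica install log is
# /var/log/ipareplica-install.log.  Both checks read text on stdin, so they
# can be run offline against the constructed samples below.

# Classify one nickname in "certutil -d <dir> -L" output.  Prints:
#   missing  - no entry with that nickname (the thread's case for Server-Cert)
#   no-key   - entry present but its trust flags lack "u", i.e. no private key
#   ok       - entry present and backed by a private key
nssdb_cert_status() {
    awk -v want="$1" '
        NF >= 2 {
            flags = $NF
            line = $0
            sub(/[[:space:]]+[^[:space:]]+[[:space:]]*$/, "", line)  # drop trust column
            sub(/^[[:space:]]+/, "", line)
            if (line == want) { found = 1; haskey = (flags ~ /u/) }
        }
        END {
            if (!found) print "missing"
            else if (!haskey) print "no-key"
            else print "ok"
        }'
}

# Print the last certmonger request state recorded in an install log
# (e.g. CA_UNREACHABLE, the symptom from ticket 6514), or "none".
install_log_certmonger_state() {
    state=$(sed -n "s/.*certmonger request is in state dbus.String(u'\([A-Z_]*\)'.*/\1/p" | tail -n 1)
    if [ -n "$state" ]; then echo "$state"; else echo "none"; fi
}

# Constructed samples: a listing like the one in the thread (CA entries only,
# no Server-Cert), the same DB after a server cert with its key was installed,
# and one install-log line of the kind mentioned above.
SAMPLE_LISTING_MISSING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=something-PAPRIKA-CA,DC=something,DC=local                CT,C,C
SOMETHING.BE IPA CA                                          CT,C,C'
SAMPLE_LISTING_OK="$SAMPLE_LISTING_MISSING
Server-Cert                                                  u,u,u"
SAMPLE_LOG="2016-11-29T11:29:40Z DEBUG certmonger request is in state dbus.String(u'CA_UNREACHABLE', variant_level=1)"

# Run the checks on a live host when certutil and the log are present,
# otherwise on the samples so the script still runs offline.
# Usage: sh nssdb-check.sh /etc/dirsrv/slapd-SOMETHING-BE [install.log]
check_replica() {
    nssdb_dir="$1"
    log="${2:-/var/log/ipareplica-install.log}"
    if [ -n "$nssdb_dir" ] && command -v certutil >/dev/null 2>&1; then
        printf 'Server-Cert in %s: %s\n' "$nssdb_dir" \
            "$(certutil -d "$nssdb_dir" -L | nssdb_cert_status Server-Cert)"
    else
        printf 'Server-Cert in sample listing: %s\n' \
            "$(printf '%s\n' "$SAMPLE_LISTING_MISSING" | nssdb_cert_status Server-Cert)"
    fi
    if [ -r "$log" ]; then
        printf 'certmonger state in %s: %s\n' "$log" \
            "$(install_log_certmonger_state < "$log")"
    else
        printf 'certmonger state in sample log: %s\n' \
            "$(printf '%s\n' "$SAMPLE_LOG" | install_log_certmonger_state)"
    fi
}

check_replica "$@"
```

The `u` trust flag is what certutil prints for a certificate that has a matching private key in the same DB, so a listing that shows only the CA entries with `CT,C,C`, as in the thread, classifies as `missing`, and a server certificate that was imported without its key classifies as `no-key`; either result matches the "Can't find certificate (Server-Cert)" and "Unable to retrieve private key" alerts in the dirsrv errors log.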



