[Freeipa-users] ipa-replica-install failing, dirsrv not starting properly during install process
Petr Vobornik
pvoborni at redhat.com
Tue Nov 29 12:41:14 UTC 2016
On 11/29/2016 12:43 PM, David Kupka wrote:
> On 29/11/16 12:15, David Dejaeghere wrote:
>> Seems like it is but it does not show a server cert for dirsrv
>>
>> [root at ns02 ~]# ls -lZ /etc/dirsrv/slapd-SOMETHING-BE/
>> total 468
>> -rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db
>> -rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db.orig
>> -r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  1623 Nov 29 11:29 certmap.conf
>> -rw-------. 1 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0      89977 Nov 29 11:29 dse.ldif
>> -rw-------. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0      89977 Nov 29 11:29 dse.ldif.bak
>> -rw-------. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0      89977 Nov 29 11:29 dse.ldif.startOK
>> -r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 36228 Nov 29 11:28 dse_original.ldif
>> -rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db
>> -rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db.orig
>> -r--------. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0    66 Nov 29 11:29 pin.txt
>> -rw-------. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0    40 Nov 29 11:29 pwdfile.txt
>> drwxrwx---. 2 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  4096 Nov 29 11:29 schema
>> -rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db
>> -rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db.orig
>> -r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 15142 Nov 29 11:28 slapd-collations.conf
>>
>> [root at ns02 ~]# certutil -d /etc/dirsrv/slapd-SOMETHING-BE -L
>>
>> Certificate Nickname                                  Trust Attributes
>>                                                       SSL,S/MIME,JAR/XPI
>>
>> CN=something-PAPRIKA-CA,DC=something,DC=local         CT,C,C
>> SOMETHING.BE IPA CA                                   CT,C,C
>>
>> [root at ns02 ~]# ausearch -m avc -i
>> <no matches>
>>
>>
>
> Exactly, the NSSDB should be accessible to dirsrv and is missing the
> Server-Cert but I don't understand why there's "bad database" error in
> the errors log. I'll try to reproduce it. What version of FreeIPA are
> you using? On what system?
Right.
Seems a bit similar to https://fedorahosted.org/freeipa/ticket/6514; it would
be good to check if it has the same symptoms, mainly
certmonger request is in state dbus.String(u'CA_UNREACHABLE', variant_level=1)
in the replica install log.
>
>>
>> 2016-11-29 12:09 GMT+01:00 David Kupka <dkupka at redhat.com>:
>>
>>> On 29/11/16 11:51, David Dejaeghere wrote:
>>>
>>>> Hi,
>>>>
>>>> I have a setup where I want to add a replica. The first master setup has
>>>> an externally signed cert for dirsrv and httpd. The replica is prepared
>>>> successfully with ipa-client-install but the replica install then keeps
>>>> failing. It seems that during install dirsrv is not configured correctly
>>>> with a valid server certificate. Output from the dirsrv error log is added
>>>> to this email as well.
>>>>
>>>> [root at ns02 ~]# ipa-replica-install --setup-ca
>>>> WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd
>>>>
>>>> Run connection check to master
>>>> Connection check OK
>>>> Configuring NTP daemon (ntpd)
>>>> [1/4]: stopping ntpd
>>>> [2/4]: writing configuration
>>>> [3/4]: configuring ntpd to start on boot
>>>> [4/4]: starting ntpd
>>>> Done configuring NTP daemon (ntpd).
>>>> Configuring directory server (dirsrv). Estimated time: 1 minute
>>>> [1/43]: creating directory server user
>>>> [2/43]: creating directory server instance
>>>> [3/43]: restarting directory server
>>>> [4/43]: adding default schema
>>>> [5/43]: enabling memberof plugin
>>>> [6/43]: enabling winsync plugin
>>>> [7/43]: configuring replication version plugin
>>>> [8/43]: enabling IPA enrollment plugin
>>>> [9/43]: enabling ldapi
>>>> [10/43]: configuring uniqueness plugin
>>>> [11/43]: configuring uuid plugin
>>>> [12/43]: configuring modrdn plugin
>>>> [13/43]: configuring DNS plugin
>>>> [14/43]: enabling entryUSN plugin
>>>> [15/43]: configuring lockout plugin
>>>> [16/43]: configuring topology plugin
>>>> [17/43]: creating indices
>>>> [18/43]: enabling referential integrity plugin
>>>> [19/43]: configuring certmap.conf
>>>> [20/43]: configure autobind for root
>>>> [21/43]: configure new location for managed entries
>>>> [22/43]: configure dirsrv ccache
>>>> [23/43]: enabling SASL mapping fallback
>>>> [24/43]: restarting directory server
>>>> [25/43]: creating DS keytab
>>>> [26/43]: retrieving DS Certificate
>>>> [27/43]: restarting directory server
>>>> ipa : CRITICAL Failed to restart the directory server (Command '/bin/systemctl restart dirsrv@SOMETHING-BE.service' returned non-zero exit status 1). See the installation log for details.
>>>> [28/43]: setting up initial replication
>>>> [error] error: [Errno 111] Connection refused
>>>> Your system may be partly configured.
>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>
>>>>
>>>> [29/Nov/2016:11:29:44.034285579 +0100] SSL alert: Security Initialization: Can't find certificate (Server-Cert) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
>>>> [29/Nov/2016:11:29:44.045039728 +0100] SSL alert: Security Initialization: Unable to retrieve private key for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
>>>>
>>>>
>>>>
>>>>
>>> Hello David,
>>>
>>> The error from the log indicates that either the NSSDB for dirsrv is not
>>> initialized or not accessible.
>>>
>>> Could you please send output of the following commands?
>>>
>>> # ls -lZ /etc/dirsrv/slapd-$REALM/
>>> # certutil -d /etc/dirsrv/slapd-$REALM/ -L
>>> # ausearch -m avc -i
>>>
>>>
>>> --
>>> David Kupka
>>>
--
Petr Vobornik
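A small diagnostic that automates the three checks raised in this thread: whether Server-Cert is present in the dirsrv NSSDB listing, whether the dirsrv errors log carries the NSS -8174 "bad database" error, and whether the replica install log shows the certmonger request in state CA_UNREACHABLE. This is an added example, not code from FreeIPA or from anyone in the thread; the listings and log lines it parses are constructed from the messages above, and a real run would feed it the output of the commands David Kupka lists.

```python
import re

# Constructed sample: the certutil -L listing pasted in the thread (no Server-Cert present)
LISTING_BROKEN = """\
Certificate Nickname                                  Trust Attributes
                                                      SSL,S/MIME,JAR/XPI

CN=something-PAPRIKA-CA,DC=something,DC=local         CT,C,C
SOMETHING.BE IPA CA                                   CT,C,C
"""
# Constructed sample: a healthy dirsrv NSSDB also lists the server certificate
# with 'u' trust flags, i.e. certutil sees its private key.
LISTING_OK = LISTING_BROKEN + "Server-Cert                                           u,u,u\n"
# Constructed excerpt of the dirsrv errors log (wording taken from the thread).
DIRSRV_ERRORS = ("[29/Nov/2016:11:29:44.034285579 +0100] SSL alert: Security Initialization: "
                 "Can't find certificate (Server-Cert) for family cn=RSA,cn=encryption,cn=config "
                 "(Netscape Portable Runtime error -8174 - security library: bad database.)\n")
# Constructed replica-install log line carrying the certmonger state Petr asks about.
INSTALL_LOG = ("2016-11-29T11:29:40Z DEBUG certmonger request is in state "
               "dbus.String(u'CA_UNREACHABLE', variant_level=1)\n")

# A certutil -L row ends in a trust-flag triple such as CT,C,C or u,u,u or ,,
ROW_RE = re.compile(r"^(?P<nick>.+?)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$")


def parse_certutil_listing(text):
    """Return {nickname: trust_flags} from the output of `certutil -d <dir> -L`."""
    certs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.rstrip())
        if m and m.group("nick").strip():
            certs[m.group("nick").strip()] = m.group("trust")
    return certs


def diagnose(certutil_output, dirsrv_errors, install_log, nickname="Server-Cert"):
    """Run the three checks from the thread; an empty list means nothing suspicious."""
    findings = []
    certs = parse_certutil_listing(certutil_output)
    if nickname not in certs:
        findings.append("nssdb: '%s' missing; present: %s" % (nickname, ", ".join(sorted(certs))))
    elif "u" not in certs[nickname]:
        # No 'u' flag: the cert is there but certutil sees no private key for it.
        findings.append("nssdb: '%s' present but without a private key" % nickname)
    if "-8174" in dirsrv_errors:
        findings.append("dirsrv: NSS error -8174 (bad database) in the errors log")
    if re.search(r"certmonger request is in state .*CA_UNREACHABLE", install_log):
        findings.append("certmonger: request ended in CA_UNREACHABLE (compare ticket 6514)")
    return findings
```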