[Freeipa-users] ipa-replica-install failing, dirsrv not starting properly during install process

David Dejaeghere david.dejaeghere at gmail.com
Tue Nov 29 12:55:40 UTC 2016


Correct.  Same symptoms.

2016-11-29T10:29:42Z DEBUG certmonger request is in state dbus.String(u'CA_UNREACHABLE', variant_level=1)

Fedora 24 Server

[root at ns02 ~]# dnf history userinstalled
Packages installed by user
freeipa-client-4.3.2-2.fc24.x86_64
freeipa-server-4.3.2-2.fc24.x86_64
grub2-1:2.02-0.34.fc24.x86_64
kernel-4.5.5-300.fc24.x86_64
kernel-4.8.8-200.fc24.x86_64
lvm2-2.02.150-2.fc24.x86_64
xfsprogs-4.5.0-2.fc24.x86_64

2016-11-29 13:41 GMT+01:00 Petr Vobornik <pvoborni at redhat.com>:

> On 11/29/2016 12:43 PM, David Kupka wrote:
> > On 29/11/16 12:15, David Dejaeghere wrote:
> >> Seems like it is but it does not show a server cert for dirsrv
> >>
> >> [root at ns02 ~]# ls -lZ /etc/dirsrv/slapd-SOMETHING-BE/
> >> total 468
> >> -rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db
> >> -rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db.orig
> >> -r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  1623 Nov 29 11:29 certmap.conf
> >> -rw-------. 1 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0     89977 Nov 29 11:29 dse.ldif
> >> -rw-------. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0     89977 Nov 29 11:29 dse.ldif.bak
> >> -rw-------. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0     89977 Nov 29 11:29 dse.ldif.startOK
> >> -r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 36228 Nov 29 11:28 dse_original.ldif
> >> -rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db
> >> -rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db.orig
> >> -r--------. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0    66 Nov 29 11:29 pin.txt
> >> -rw-------. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0    40 Nov 29 11:29 pwdfile.txt
> >> drwxrwx---. 2 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  4096 Nov 29 11:29 schema
> >> -rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db
> >> -rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db.orig
> >> -r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 15142 Nov 29 11:28 slapd-collations.conf
> >>
> >> [root at ns02 ~]# certutil -d /etc/dirsrv/slapd-SOMETHING-BE -L
> >>
> >> Certificate Nickname                                         Trust Attributes
> >>                                                              SSL,S/MIME,JAR/XPI
> >>
> >> CN=something-PAPRIKA-CA,DC=something,DC=local                CT,C,C
> >> SOMETHING.BE IPA CA                                          CT,C,C
> >>
> >> [root at ns02 ~]# ausearch -m avc -i
> >> <no matches>
> >>
> >>
> >
> > Exactly, the NSSDB should be accessible to dirsrv and is missing the
> > Server-Cert but I don't understand why there's "bad database" error in
> > the errors log. I'll try to reproduce it. What version of FreeIPA are
> > you using? On what system?
>
> Right.
>
> Seems a bit similar to https://fedorahosted.org/freeipa/ticket/6514; it would
> be good to check if it has the same symptoms, mainly
>   certmonger request is in state dbus.String(u'CA_UNREACHABLE', variant_level=1)
>
> in the replica install log.
>
>
> >
> >>
> >> 2016-11-29 12:09 GMT+01:00 David Kupka <dkupka at redhat.com>:
> >>
> >>> On 29/11/16 11:51, David Dejaeghere wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> I have a setup where I want to add a replica.  The first master setup has
> >>>> an externally signed cert for dirsrv and httpd.  The replica is prepared
> >>>> successfully with ipa-client-install but the replica install then keeps
> >>>> failing.  It seems that during install dirsrv is not configured correctly
> >>>> with a valid server certificate. Output from the dirsrv error log added to
> >>>> this email as well.
> >>>>
> >>>> [root at ns02 ~]# ipa-replica-install --setup-ca
> >>>> WARNING: conflicting time&date synchronization service 'chronyd' will
> >>>> be disabled in favor of ntpd
> >>>>
> >>>> Run connection check to master
> >>>> Connection check OK
> >>>> Configuring NTP daemon (ntpd)
> >>>>   [1/4]: stopping ntpd
> >>>>   [2/4]: writing configuration
> >>>>   [3/4]: configuring ntpd to start on boot
> >>>>   [4/4]: starting ntpd
> >>>> Done configuring NTP daemon (ntpd).
> >>>> Configuring directory server (dirsrv). Estimated time: 1 minute
> >>>>   [1/43]: creating directory server user
> >>>>   [2/43]: creating directory server instance
> >>>>   [3/43]: restarting directory server
> >>>>   [4/43]: adding default schema
> >>>>   [5/43]: enabling memberof plugin
> >>>>   [6/43]: enabling winsync plugin
> >>>>   [7/43]: configuring replication version plugin
> >>>>   [8/43]: enabling IPA enrollment plugin
> >>>>   [9/43]: enabling ldapi
> >>>>   [10/43]: configuring uniqueness plugin
> >>>>   [11/43]: configuring uuid plugin
> >>>>   [12/43]: configuring modrdn plugin
> >>>>   [13/43]: configuring DNS plugin
> >>>>   [14/43]: enabling entryUSN plugin
> >>>>   [15/43]: configuring lockout plugin
> >>>>   [16/43]: configuring topology plugin
> >>>>   [17/43]: creating indices
> >>>>   [18/43]: enabling referential integrity plugin
> >>>>   [19/43]: configuring certmap.conf
> >>>>   [20/43]: configure autobind for root
> >>>>   [21/43]: configure new location for managed entries
> >>>>   [22/43]: configure dirsrv ccache
> >>>>   [23/43]: enabling SASL mapping fallback
> >>>>   [24/43]: restarting directory server
> >>>>   [25/43]: creating DS keytab
> >>>>   [26/43]: retrieving DS Certificate
> >>>>   [27/43]: restarting directory server
> >>>> ipa         : CRITICAL Failed to restart the directory server (Command
> >>>> '/bin/systemctl restart dirsrv at SOMETHING-BE.service' returned non-zero
> >>>> exit status 1). See the installation log for details.
> >>>>   [28/43]: setting up initial replication
> >>>>   [error] error: [Errno 111] Connection refused
> >>>> Your system may be partly configured.
> >>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >>>>
> >>>>
> >>>> [29/Nov/2016:11:29:44.034285579 +0100] SSL alert: Security Initialization:
> >>>> Can't find certificate (Server-Cert) for family cn=RSA,cn=encryption,cn=config
> >>>> (Netscape Portable Runtime error -8174 - security library: bad database.)
> >>>> [29/Nov/2016:11:29:44.045039728 +0100] SSL alert: Security Initialization:
> >>>> Unable to retrieve private key for cert Server-Cert of family
> >>>> cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 -
> >>>> security library: bad database.)
> >>>>
> >>>>
> >>>>
> >>>>
> >>> Hello David,
> >>>
> >>> The error from the log indicates that either the NSSDB for dirsrv is not
> >>> initialized or not accessible.
> >>>
> >>> Could you please send output of the following commands?
> >>>
> >>> # ls -lZ /etc/dirsrv/slapd-$REALM/
> >>> # certutil -d /etc/dirsrv/slapd-$REALM/ -L
> >>> # ausearch -m avc -i
> >>>
> >>>
> >>> --
> >>> David Kupka
> >>>
>
>
> --
> Petr Vobornik
>
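The two checks the thread converges on (does the instance's NSS database hold the nickname that dse.ldif configures for the RSA "family", and does that certificate have its private key) can be scripted so the answer does not depend on eyeballing `certutil -L`. The following is an added example for this thread, not code from FreeIPA or 389-ds: it reads `nsSSLPersonalitySSL` from the `cn=RSA,cn=encryption,cn=config` entry of `dse.ldif` (the attribute names are 389-ds's; the function names are this example's own) and parses the text output of `certutil -d /etc/dirsrv/slapd-$INSTANCE -L`. The sample listing and LDIF fragment are constructed to mirror what was posted above, with no `Server-Cert` in the broken case.

```python
"""Check a 389-ds/FreeIPA dirsrv NSS database for the configured server cert.

Added example for the thread above, not FreeIPA or 389-ds code.  It parses
the text output of `certutil -d /etc/dirsrv/slapd-$INSTANCE -L` and the
cn=RSA,cn=encryption,cn=config entry of that instance's dse.ldif.  The
sample inputs at the bottom are constructed, mirroring the thread's listing.
"""
import re
from typing import Dict, List, Optional

# Trust-attribute column of `certutil -L`: three comma-separated flag sets,
# e.g. "CT,C,C" for a trusted CA or "u,u,u" for a cert whose private key is
# in the database.  Nicknames may contain spaces, so we split from the right.
_TRUST_RE = re.compile(r"^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$")
_ENCRYPTION_DN = "cn=rsa,cn=encryption,cn=config"


def parse_certutil_listing(text: str) -> Dict[str, str]:
    """Map nickname -> trust flags from `certutil -L` output."""
    certs: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("Certificate Nickname"):
            continue
        parts = line.rsplit(None, 1)
        if len(parts) != 2 or not _TRUST_RE.match(parts[1]):
            continue  # header residue such as the "SSL,S/MIME,JAR/XPI" line
        certs[parts[0].strip()] = parts[1]
    return certs


def configured_nickname(dse_ldif: str) -> Optional[str]:
    """Return nsSSLPersonalitySSL from cn=RSA,cn=encryption,cn=config.

    Handles LDIF continuation lines (a leading space joins the previous line)
    and compares the DN case-insensitively, as LDAP does."""
    entries: List[List[str]] = [[]]
    for raw in dse_ldif.splitlines():
        if raw.startswith(" ") and entries[-1]:
            entries[-1][-1] += raw[1:]
        elif raw.strip() == "":
            entries.append([])
        else:
            entries[-1].append(raw)
    for entry in entries:
        if not entry or not entry[0].lower().startswith("dn:"):
            continue
        if entry[0][3:].strip().lower() != _ENCRYPTION_DN:
            continue
        for attr in entry[1:]:
            name, _, value = attr.partition(":")
            if name.strip().lower() == "nssslpersonalityssl":
                return value.strip()
    return None


def diagnose(dse_ldif: str, certutil_listing: str) -> List[str]:
    """Return a list of problems; an empty list means TLS can start."""
    problems: List[str] = []
    nickname = configured_nickname(dse_ldif)
    if nickname is None:
        return ["no nsSSLPersonalitySSL under cn=RSA,cn=encryption,cn=config"]
    certs = parse_certutil_listing(certutil_listing)
    if nickname not in certs:
        # This is the "Can't find certificate (Server-Cert) for family" alert.
        problems.append(f"certificate {nickname!r} missing from NSS DB")
    elif "u" not in certs[nickname].split(",")[0]:
        # No 'u' in the SSL slot: certutil found no private key for the cert,
        # matching the "Unable to retrieve private key" alert.
        problems.append(f"{nickname!r} present but has no private key "
                        f"(trust flags {certs[nickname]})")
    if not any("C" in flags.split(",")[0] for flags in certs.values()):
        problems.append("no trusted CA certificate in NSS DB")
    return problems


# Constructed sample: the IPA CA and an external CA are present but no
# Server-Cert was imported, which is what the thread's listing shows.
BROKEN_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=something-PAPRIKA-CA,DC=something,DC=local                CT,C,C
SOMETHING.BE IPA CA                                          CT,C,C
"""
HEALTHY_LISTING = BROKEN_LISTING + \
    "Server-Cert                                                  u,u,u\n"

# Constructed dse.ldif fragment with the RSA encryption family configured.
DSE_LDIF = """\
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption

dn: cn=RSA,cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on
"""

if __name__ == "__main__":
    for label, listing in (("broken", BROKEN_LISTING), ("healthy", HEALTHY_LISTING)):
        print(label, diagnose(DSE_LDIF, listing) or ["ok"])
```

On a real replica, feed `diagnose()` the instance's `/etc/dirsrv/slapd-$INSTANCE/dse.ldif` and the output of `certutil -d /etc/dirsrv/slapd-$INSTANCE -L`, run as the `dirsrv` user so that permission problems on `cert8.db`/`key3.db` surface as a certutil error rather than an empty listing. An empty result from `diagnose()` does not rule out the `CA_UNREACHABLE` path discussed above; it only tells you whether the NSS database itself is in the state the SSL alerts complain about.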