[Freeipa-users] ipa-replica-install failing, dirsrv not starting properly during install process

David Kupka dkupka at redhat.com
Tue Nov 29 13:57:58 UTC 2016


On 29/11/16 13:55, David Dejaeghere wrote:
> Correct.  Same symptoms.
>
> 2016-11-29T10:29:42Z DEBUG certmonger request is in state
> dbus.String(u'CA_UNREACHABLE', variant_level=1)
>
> Fedora 24 Server
>
> [root@ns02 ~]# dnf history userinstalled
> Packages installed by user
> freeipa-client-4.3.2-2.fc24.x86_64
> freeipa-server-4.3.2-2.fc24.x86_64
> grub2-1:2.02-0.34.fc24.x86_64
> kernel-4.5.5-300.fc24.x86_64
> kernel-4.8.8-200.fc24.x86_64
> lvm2-2.02.150-2.fc24.x86_64
> xfsprogs-4.5.0-2.fc24.x86_64

Ok. I've reproduced it by simply stopping dogtag on the FreeIPA server while 
installing the replica. I see exactly the same errors as you've reported 
and as are described in the ticket, now.

Is dogtag running on your master? Is it responding (e.g. issuing 
certificates for users)? Is it accessible from the replica?

>
> 2016-11-29 13:41 GMT+01:00 Petr Vobornik <pvoborni at redhat.com>:
>
>> On 11/29/2016 12:43 PM, David Kupka wrote:
>>> On 29/11/16 12:15, David Dejaeghere wrote:
>>>> Seems like it is but it does not show a server cert for dirsrv
>>>>
>>>> [root@ns02 ~]# ls -lZ /etc/dirsrv/slapd-SOMETHING-BE/
>>>> total 468
>>>> -rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db
>>>> -rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db.orig
>>>> -r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  1623 Nov 29 11:29 certmap.conf
>>>> -rw-------. 1 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0     89977 Nov 29 11:29 dse.ldif
>>>> -rw-------. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0     89977 Nov 29 11:29 dse.ldif.bak
>>>> -rw-------. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0     89977 Nov 29 11:29 dse.ldif.startOK
>>>> -r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 36228 Nov 29 11:28 dse_original.ldif
>>>> -rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db
>>>> -rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db.orig
>>>> -r--------. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0    66 Nov 29 11:29 pin.txt
>>>> -rw-------. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0    40 Nov 29 11:29 pwdfile.txt
>>>> drwxrwx---. 2 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  4096 Nov 29 11:29 schema
>>>> -rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db
>>>> -rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db.orig
>>>> -r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 15142 Nov 29 11:28 slapd-collations.conf
>>>>
>>>> [root@ns02 ~]# certutil -d /etc/dirsrv/slapd-SOMETHING-BE -L
>>>>
>>>> Certificate Nickname                                         Trust Attributes
>>>>                                                              SSL,S/MIME,JAR/XPI
>>>>
>>>> CN=something-PAPRIKA-CA,DC=something,DC=local                CT,C,C
>>>> SOMETHING.BE IPA CA                                          CT,C,C
>>>>
>>>> [root@ns02 ~]# ausearch -m avc -i
>>>> <no matches>
>>>>
>>>>
>>>
>>> Exactly, the NSSDB should be accessible to dirsrv and is missing the
>>> Server-Cert but I don't understand why there's "bad database" error in
>>> the errors log. I'll try to reproduce it. What version of FreeIPA are
>>> you using? On what system?
>>
>> Right.
>>
>> Seems a bit similar to https://fedorahosted.org/freeipa/ticket/6514; it would
>> be good to check if it has the same symptoms, mainly
>>   certmonger request is in state dbus.String(u'CA_UNREACHABLE',
>> variant_level=1)
>>
>> in replica install log.
>>
>>
>>>
>>>>
>>>> 2016-11-29 12:09 GMT+01:00 David Kupka <dkupka at redhat.com>:
>>>>
>>>>> On 29/11/16 11:51, David Dejaeghere wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I have a setup where I want to add a replica.  The first master setup has
>>>>>> an externally signed cert for dirsrv and httpd.  The replica is prepared
>>>>>> successfully with ipa-client-install but the replica install then keeps
>>>>>> failing.  It seems that during install dirsrv is not configured correctly
>>>>>> with a valid server certificate. Output from the dirsrv error log is added
>>>>>> to this email as well.
>>>>>>
>>>>>> [root@ns02 ~]# ipa-replica-install --setup-ca
>>>>>> WARNING: conflicting time&date synchronization service 'chronyd' will
>>>>>> be disabled in favor of ntpd
>>>>>>
>>>>>> Run connection check to master
>>>>>> Connection check OK
>>>>>> Configuring NTP daemon (ntpd)
>>>>>>   [1/4]: stopping ntpd
>>>>>>   [2/4]: writing configuration
>>>>>>   [3/4]: configuring ntpd to start on boot
>>>>>>   [4/4]: starting ntpd
>>>>>> Done configuring NTP daemon (ntpd).
>>>>>> Configuring directory server (dirsrv). Estimated time: 1 minute
>>>>>>   [1/43]: creating directory server user
>>>>>>   [2/43]: creating directory server instance
>>>>>>   [3/43]: restarting directory server
>>>>>>   [4/43]: adding default schema
>>>>>>   [5/43]: enabling memberof plugin
>>>>>>   [6/43]: enabling winsync plugin
>>>>>>   [7/43]: configuring replication version plugin
>>>>>>   [8/43]: enabling IPA enrollment plugin
>>>>>>   [9/43]: enabling ldapi
>>>>>>   [10/43]: configuring uniqueness plugin
>>>>>>   [11/43]: configuring uuid plugin
>>>>>>   [12/43]: configuring modrdn plugin
>>>>>>   [13/43]: configuring DNS plugin
>>>>>>   [14/43]: enabling entryUSN plugin
>>>>>>   [15/43]: configuring lockout plugin
>>>>>>   [16/43]: configuring topology plugin
>>>>>>   [17/43]: creating indices
>>>>>>   [18/43]: enabling referential integrity plugin
>>>>>>   [19/43]: configuring certmap.conf
>>>>>>   [20/43]: configure autobind for root
>>>>>>   [21/43]: configure new location for managed entries
>>>>>>   [22/43]: configure dirsrv ccache
>>>>>>   [23/43]: enabling SASL mapping fallback
>>>>>>   [24/43]: restarting directory server
>>>>>>   [25/43]: creating DS keytab
>>>>>>   [26/43]: retrieving DS Certificate
>>>>>>   [27/43]: restarting directory server
>>>>>> ipa         : CRITICAL Failed to restart the directory server (Command
>>>>>> '/bin/systemctl restart dirsrv@SOMETHING-BE.service' returned non-zero exit
>>>>>> status 1). See the installation log for details.
>>>>>>   [28/43]: setting up initial replication
>>>>>>   [error] error: [Errno 111] Connection refused
>>>>>> Your system may be partly configured.
>>>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>>>
>>>>>>
>>>>>> [29/Nov/2016:11:29:44.034285579 +0100] SSL alert: Security Initialization:
>>>>>> Can't find certificate (Server-Cert) for family cn=RSA,cn=encryption,cn=config
>>>>>> (Netscape Portable Runtime error -8174 - security library: bad database.)
>>>>>> [29/Nov/2016:11:29:44.045039728 +0100] SSL alert: Security Initialization:
>>>>>> Unable to retrieve private key for cert Server-Cert of family
>>>>>> cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 -
>>>>>> security library: bad database.)
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>> Hello David,
>>>>>
>>>>> The error from the log indicates that either the NSSDB for dirsrv is not
>>>>> initialized or not accessible.
>>>>>
>>>>> Could you please send output of the following commands?
>>>>>
>>>>> # ls -lZ /etc/dirsrv/slapd-$REALM/
>>>>> # certutil -d /etc/dirsrv/slapd-$REALM/ -L
>>>>> # ausearch -m avc -i
>>>>>
>>>>>
>>>>> --
>>>>> David Kupka
>>>>>
>>
>>
>> --
>> Petr Vobornik
>>
>


-- 
David Kupka
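A pre-flight script for the checks this thread walks through by hand: David Kupka's three questions about dogtag on the master, the NSSDB inspection with certutil -L, and the CA_UNREACHABLE state that certmonger reported in the replica install log. This is an added example, not FreeIPA's installer code. The master hostname, the certmonger request ID and the sample certutil/getcert output embedded below are constructed, and the two ports it probes (443 for httpd, which proxies /ca/ to dogtag, and 8443 for dogtag's own TLS listener) are assumptions about a default deployment.

```python
"""Replica pre-flight checks for the failure discussed in this thread.

Added example, not FreeIPA's own installer code. It checks, before
re-running ipa-replica-install:
  1. the dirsrv NSS DB holds Server-Cert together with its private key,
  2. no certmonger request is stuck in CA_UNREACHABLE,
  3. the master's CA-related ports accept TCP connections from this host.
Hostnames, ports and the sample tool outputs are constructed.
"""
import re
import socket
import subprocess
import sys

SERVER_CERT_NICK = "Server-Cert"

# One certutil line per certificate: "<nickname>   <SSL>,<S/MIME>,<JAR/XPI>".
# Trust flags are drawn from p, P, c, C, T, u, w; the two header lines never match.
_CERT_LINE = re.compile(
    r"^(?P<nick>\S.*?)\s{2,}(?P<flags>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$")


def parse_certutil_list(output):
    """Map nickname -> trust flags from `certutil -d <nssdb> -L` output."""
    certs = {}
    for line in output.splitlines():
        m = _CERT_LINE.match(line)
        if m:
            certs[m.group("nick")] = m.group("flags")
    return certs


def server_cert_status(certs):
    """dirsrv needs Server-Cert *and* its key: the SSL slot must carry 'u'.
    CA certificates (CT,C,C) alone give exactly the thread's
    "Can't find certificate (Server-Cert)" failure. Returns (ok, reason)."""
    flags = certs.get(SERVER_CERT_NICK)
    if flags is None:
        return False, "Server-Cert missing from NSS DB; dirsrv cannot enable TLS"
    if "u" not in flags.split(",")[0]:
        return False, "Server-Cert present but without private key (trust %s)" % flags
    return True, "Server-Cert present with private key (trust %s)" % flags


def parse_getcert_list(output):
    """Split `getcert list` output into one dict per tracked request."""
    requests, current = [], None
    for line in output.splitlines():
        m = re.match(r"^Request ID '(?P<id>[^']+)':", line)
        if m:
            current = {"id": m.group("id")}
            requests.append(current)
            continue
        kv = re.match(r"^\s+(?P<key>[\w -]+?): ?(?P<val>.*)$", line)
        if current is not None and kv:
            current[kv.group("key")] = kv.group("val")
    return requests


def stuck_requests(requests):
    """IDs in the state the replica install log in the thread reported."""
    return [r["id"] for r in requests if r.get("status") == "CA_UNREACHABLE"]


def tcp_reachable(host, port, timeout=3.0):
    """Plain TCP connect; a firewall or a stopped dogtag shows up here first."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample mirroring the replica's NSS DB in the thread: CA certs only.
SAMPLE_CERTUTIL_NO_SERVER_CERT = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=something-PAPRIKA-CA,DC=something,DC=local                CT,C,C
SOMETHING.BE IPA CA                                          CT,C,C
"""

# Constructed sample of a healthy dirsrv NSS DB (service cert with its key).
SAMPLE_CERTUTIL_OK = SAMPLE_CERTUTIL_NO_SERVER_CERT + \
    "Server-Cert                                                  u,u,u\n"

# Constructed `getcert list` excerpt; request ID, hostname and error text are invented.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 1.
Request ID '20161129102942':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://ns01.something.be/ipa/xml failed request, will retry
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-SOMETHING-BE',nickname='Server-Cert'
\tCA: IPA
\tissuer:
\texpires: unknown
"""


def main(argv):
    """Usage: preflight.py MASTER_FQDN NSSDB_DIR   (hostname/paths are yours)"""
    master, nssdb = argv[1], argv[2]
    certutil = subprocess.run(["certutil", "-d", nssdb, "-L"],
                              capture_output=True, text=True, check=False)
    ok, why = server_cert_status(parse_certutil_list(certutil.stdout))
    print("NSS DB    :", why)
    getcert = subprocess.run(["getcert", "list"], capture_output=True, text=True, check=False)
    stuck = stuck_requests(parse_getcert_list(getcert.stdout))
    print("certmonger:", "stuck requests %s" % stuck if stuck else "no CA_UNREACHABLE requests")
    for port in (443, 8443):  # assumed: httpd proxy to /ca/, and dogtag itself
        print("master %s:%d reachable: %s" % (master, port, tcp_reachable(master, port)))
    return 0 if ok and not stuck else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the replica as root after ipa-client-install and before ipa-replica-install; a missing Server-Cert plus a CA_UNREACHABLE request points at the master's CA (stopped, not responding, or blocked) rather than at the replica's NSS DB permissions, which is the distinction the thread converges on.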