[Freeipa-users] ipa-replica-install failing, dirsrv not starting properly during install process

Florence Blanc-Renaud flo at redhat.com
Tue Nov 29 21:16:00 UTC 2016


On 11/29/2016 03:19 PM, David Dejaeghere wrote:
> Can you give me a couple of test commands?
> I am not familiar with Dogtag.
>
Hi,

To reproduce the issue:
1. install IPA server
2. On the replica, run ipa-client-install
3. On the server, stop dogtag with
$ systemctl stop pki-tomcatd@pki-tomcat.service
4. On the replica, run ipa-replica-install

When you want to restart dogtag, you can run
$ systemctl start pki-tomcatd@pki-tomcat.service

If you want to check if dogtag is running:
$ systemctl status pki-tomcatd@pki-tomcat.service

You may find more information on Dogtag here:
http://pki.fedoraproject.org/wiki/PKI_Main_Page
http://pki.fedoraproject.org/wiki/IPA
http://pki.fedoraproject.org/wiki/Debugging_the_state_of_dogtag_in_an_ipa_install

Flo

> Groeten,
>
> David
>
> 2016-11-29 14:57 GMT+01:00 David Kupka <dkupka at redhat.com
> <mailto:dkupka at redhat.com>>:
>
>     On 29/11/16 13:55, David Dejaeghere wrote:
>
>         Correct.  Same symptoms.
>
>         2016-11-29T10:29:42Z DEBUG certmonger request is in state
>         dbus.String(u'CA_UNREACHABLE', variant_level=1)
>
>         Fedora 24 Server
>
>         [root at ns02 ~]# dnf history userinstalled
>         Packages installed by user
>         freeipa-client-4.3.2-2.fc24.x86_64
>         freeipa-server-4.3.2-2.fc24.x86_64
>         grub2-1:2.02-0.34.fc24.x86_64
>         kernel-4.5.5-300.fc24.x86_64
>         kernel-4.8.8-200.fc24.x86_64
>         lvm2-2.02.150-2.fc24.x86_64
>         xfsprogs-4.5.0-2.fc24.x86_64
>
>
>     Ok. I've reproduced it by simply stopping dogtag on the FreeIPA server
>     while installing the replica. I now see exactly the same errors as
>     you've reported and as described in the ticket.
>
>     Is dogtag running on your master? Is it responding (e.g. issuing
>     certificates for users)? Is it accessible from the replica?
>
>
>
>         2016-11-29 13:41 GMT+01:00 Petr Vobornik <pvoborni at redhat.com
>         <mailto:pvoborni at redhat.com>>:
>
>             On 11/29/2016 12:43 PM, David Kupka wrote:
>
>                 On 29/11/16 12:15, David Dejaeghere wrote:
>
>                     Seems like it is but it does not show a server cert
>                     for dirsrv
>
>                     [root@ns02 ~]# ls -lZ /etc/dirsrv/slapd-SOMETHING-BE/
>                     total 468
>                     -rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db
>                     -rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db.orig
>                     -r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  1623 Nov 29 11:29 certmap.conf
>                     -rw-------. 1 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0     89977 Nov 29 11:29 dse.ldif
>                     -rw-------. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0     89977 Nov 29 11:29 dse.ldif.bak
>                     -rw-------. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0     89977 Nov 29 11:29 dse.ldif.startOK
>                     -r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 36228 Nov 29 11:28 dse_original.ldif
>                     -rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db
>                     -rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db.orig
>                     -r--------. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0    66 Nov 29 11:29 pin.txt
>                     -rw-------. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0    40 Nov 29 11:29 pwdfile.txt
>                     drwxrwx---. 2 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  4096 Nov 29 11:29 schema
>                     -rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db
>                     -rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db.orig
>                     -r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 15142 Nov 29 11:28 slapd-collations.conf
>
>                     [root@ns02 ~]# certutil -d /etc/dirsrv/slapd-SOMETHING-BE -L
>
>                     Certificate Nickname                                         Trust Attributes
>                                                                                  SSL,S/MIME,JAR/XPI
>
>                     CN=something-PAPRIKA-CA,DC=something,DC=local                CT,C,C
>                     SOMETHING.BE IPA CA                                          CT,C,C
>
>                     [root@ns02 ~]# ausearch -m avc -i
>                     <no matches>
>
>
>
>                 Exactly, the NSSDB should be accessible to dirsrv and is
>                 missing the
>                 Server-Cert but I don't understand why there's "bad
>                 database" error in
>                 the errors log. I'll try to reproduce it. What version
>                 of FreeIPA are
>                 you using? On what system?
>
>
>             Right.
>
>             Seems a bit similar to
>             https://fedorahosted.org/freeipa/ticket/6514
>             It would be good to check if it has the same symptoms, mainly
>
>               certmonger request is in state dbus.String(u'CA_UNREACHABLE', variant_level=1)
>
>             in replica install log.
>
>
>
>
>                     2016-11-29 12:09 GMT+01:00 David Kupka
>                     <dkupka at redhat.com <mailto:dkupka at redhat.com>>:
>
>                         On 29/11/16 11:51, David Dejaeghere wrote:
>
>                             Hi,
>
>                             I have a setup where I want to add a replica. The first master
>                             setup has an externally signed cert for dirsrv and httpd. The
>                             replica is prepared successfully with ipa-client-install but the
>                             replica install then keeps failing. It seems that during install
>                             dirsrv is not configured correctly with a valid server
>                             certificate. Output from the dirsrv error log is added to this
>                             email as well.
>
>                             [root@ns02 ~]# ipa-replica-install --setup-ca
>                             WARNING: conflicting time&date synchronization service 'chronyd' will
>                             be disabled in favor of ntpd
>
>                             Run connection check to master
>                             Connection check OK
>                             Configuring NTP daemon (ntpd)
>                               [1/4]: stopping ntpd
>                               [2/4]: writing configuration
>                               [3/4]: configuring ntpd to start on boot
>                               [4/4]: starting ntpd
>                             Done configuring NTP daemon (ntpd).
>                             Configuring directory server (dirsrv).
>                             Estimated time: 1 minute
>                               [1/43]: creating directory server user
>                               [2/43]: creating directory server instance
>                               [3/43]: restarting directory server
>                               [4/43]: adding default schema
>                               [5/43]: enabling memberof plugin
>                               [6/43]: enabling winsync plugin
>                               [7/43]: configuring replication version plugin
>                               [8/43]: enabling IPA enrollment plugin
>                               [9/43]: enabling ldapi
>                               [10/43]: configuring uniqueness plugin
>                               [11/43]: configuring uuid plugin
>                               [12/43]: configuring modrdn plugin
>                               [13/43]: configuring DNS plugin
>                               [14/43]: enabling entryUSN plugin
>                               [15/43]: configuring lockout plugin
>                               [16/43]: configuring topology plugin
>                               [17/43]: creating indices
>                               [18/43]: enabling referential integrity plugin
>                               [19/43]: configuring certmap.conf
>                               [20/43]: configure autobind for root
>                               [21/43]: configure new location for managed entries
>                               [22/43]: configure dirsrv ccache
>                               [23/43]: enabling SASL mapping fallback
>                               [24/43]: restarting directory server
>                               [25/43]: creating DS keytab
>                               [26/43]: retrieving DS Certificate
>                               [27/43]: restarting directory server
>                             ipa         : CRITICAL Failed to restart the directory server (Command
>                             '/bin/systemctl restart dirsrv@SOMETHING-BE.service' returned non-zero
>                             exit status 1). See the installation log for details.
>                               [28/43]: setting up initial replication
>                               [error] error: [Errno 111] Connection refused
>                             Your system may be partly configured.
>                             Run /usr/sbin/ipa-server-install --uninstall
>                             to clean up.
>
>
>                             [29/Nov/2016:11:29:44.034285579 +0100] SSL alert: Security Initialization: Can't find certificate (Server-Cert) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
>                             [29/Nov/2016:11:29:44.045039728 +0100] SSL alert: Security Initialization: Unable to retrieve private key for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
>
>
>
>
>                         Hello David,
>
>                         The error from the log indicates that either the
>                         NSSDB for dirsrv is not initialized or not accessible.
>
>                         Could you please send output of the following
>                         commands?
>
>                         # ls -lZ /etc/dirsrv/slapd-$REALM/
>                         # certutil -d /etc/dirsrv/slapd-$REALM/ -L
>                         # ausearch -m avc -i
>
>
>                         --
>                         David Kupka
>
>
>
>             --
>             Petr Vobornik
>
>
>
>
>     --
>     David Kupka
>
>
>
>
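The three symptoms this thread converges on (the replica's dirsrv NSS database listing only CA certificates and no Server-Cert, certmonger reporting CA_UNREACHABLE in the replica install log, and the dirsrv errors log saying it cannot find Server-Cert) can be checked mechanically before re-running the install. The script below is an added example written for this page; it is not FreeIPA's tooling and not code from anyone in the thread. It parses the output of the diagnostic commands David Kupka asked for and of the two logs, using sample text constructed from the output quoted above; the command-line usage (three file arguments) and the sample values are assumptions made for the example.

```python
"""Pre-flight check for an IPA replica install (added example, not FreeIPA's own tooling).

Inputs, as text:
  1. `certutil -d /etc/dirsrv/slapd-$REALM -L` output from the replica,
  2. the replica's ipareplica-install.log,
  3. the replica's dirsrv errors log.
The checks encode the failure mode discussed in this thread: Dogtag stopped or
unreachable on the master, so the replica never obtains its Server-Cert and
`systemctl restart dirsrv@$REALM.service` fails.
"""
import re
import sys

# NSS trust-attribute field: three comma-separated groups of flag letters,
# e.g. "CT,C,C", "u,u,u" or ",," (this is what distinguishes an entry from the header).
_TRUST_FIELD = re.compile(r"^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$")
# certmonger state as logged by ipa-replica-install (the line quoted in the thread).
_CERTMONGER_STATE = re.compile(r"certmonger request is in state dbus\.String\(u?'([A-Z_]+)'")
# dirsrv errors-log message quoted in the thread.
_DIRSRV_NO_SERVER_CERT = "Can't find certificate (Server-Cert)"


def parse_certutil_listing(text):
    """Map nickname -> trust flags from `certutil -L` output.

    Nicknames may contain spaces ("SOMETHING.BE IPA CA"), so each line is split on
    its last whitespace run and kept only when the tail looks like a trust field.
    """
    certs = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("Certificate Nickname"):
            continue
        parts = line.rsplit(None, 1)
        if len(parts) == 2 and _TRUST_FIELD.match(parts[1]):
            certs[parts[0].strip()] = parts[1]
    return certs


def nssdb_has_server_cert(certutil_text, nickname="Server-Cert"):
    """True when the dirsrv NSS database already holds the server certificate."""
    return nickname in parse_certutil_listing(certutil_text)


def certmonger_states(install_log):
    """All certmonger request states recorded in the install log, in order."""
    return _CERTMONGER_STATE.findall(install_log)


def diagnose(certutil_text, install_log, dirsrv_errors):
    """Return a list of findings; an empty list means none of the thread's symptoms are present."""
    findings = []
    certs = parse_certutil_listing(certutil_text)
    if "Server-Cert" not in certs:
        findings.append("NSSDB lists %d cert(s) but no Server-Cert: dirsrv cannot enable TLS, "
                        "so restarting dirsrv@<REALM>.service will fail" % len(certs))
    if "CA_UNREACHABLE" in certmonger_states(install_log):
        findings.append("certmonger reported CA_UNREACHABLE: check pki-tomcatd@pki-tomcat.service "
                        "on the master and its reachability from the replica")
    if _DIRSRV_NO_SERVER_CERT in dirsrv_errors:
        findings.append("dirsrv errors log confirms Server-Cert is missing from the NSS database")
    return findings


# Constructed samples, patterned on the output quoted in this thread (assumed values).
SAMPLE_CERTUTIL_BROKEN = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=something-PAPRIKA-CA,DC=something,DC=local                CT,C,C
SOMETHING.BE IPA CA                                          CT,C,C
"""
SAMPLE_CERTUTIL_OK = SAMPLE_CERTUTIL_BROKEN + \
    "Server-Cert                                                  u,u,u\n"
SAMPLE_INSTALL_LOG_BROKEN = ("2016-11-29T10:29:42Z DEBUG certmonger request is in state "
                             "dbus.String(u'CA_UNREACHABLE', variant_level=1)\n")
SAMPLE_INSTALL_LOG_OK = ("2016-11-29T10:29:42Z DEBUG certmonger request is in state "
                         "dbus.String(u'MONITORING', variant_level=1)\n")
SAMPLE_DIRSRV_ERRORS_BROKEN = (
    "[29/Nov/2016:11:29:44.034285579 +0100] SSL alert: Security Initialization: "
    "Can't find certificate (Server-Cert) for family cn=RSA,cn=encryption,cn=config "
    "(Netscape Portable Runtime error -8174 - security library: bad database.)\n")


def _read(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


if __name__ == "__main__":
    # Usage (assumed): replica_check.py certutil.txt ipareplica-install.log errors
    if len(sys.argv) == 4:
        inputs = tuple(_read(p) for p in sys.argv[1:])
    else:
        inputs = (SAMPLE_CERTUTIL_BROKEN, SAMPLE_INSTALL_LOG_BROKEN, SAMPLE_DIRSRV_ERRORS_BROKEN)
    for finding in diagnose(*inputs) or ["no symptoms of the Dogtag-unreachable failure found"]:
        print("-", finding)
```

Run without arguments it evaluates the constructed samples; with three file arguments it evaluates real captures. On a healthy replica the NSS database shows a Server-Cert entry with user trust flags (typically u,u,u) next to the CA entries, and the certmonger state in the log is not CA_UNREACHABLE.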