[Freeipa-users] ipa-replica-install failing, dirsrv not starting properly during install process
David Dejaeghere
david.dejaeghere at gmail.com
Wed Nov 30 14:27:16 UTC 2016
Hi,
The Pki service is running and I cannot find any issues with it. I can run
a curl request to the master hostname on port 8443 and communication works
fine.
Any other idea why this replica install code would fail and log
CA_UNREACHABLE?
Regards,
David
2016-11-29 22:16 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
> On 11/29/2016 03:19 PM, David Dejaeghere wrote:
>
>> Can you give me a couple of test commands?
>> I am not familiar with Dogtag.
>>
>> Hi,
>
> To reproduce the issue:
> 1. install IPA server
> 2. On the replica, run ipa-client-install
> 3. On the server, stop dogtag with
> $ systemctl stop pki-tomcatd at pki-tomcat.service
> 4. On the replica, run ipa-replica-install
>
> When you want to restart dogtag, you can run
> $ systemctl start pki-tomcatd at pki-tomcat.service
>
> If you want to check if dogtag is running:
> $ systemctl status pki-tomcatd at pki-tomcat.service
>
> You may find more information on Dogtag here:
> http://pki.fedoraproject.org/wiki/PKI_Main_Page
> http://pki.fedoraproject.org/wiki/IPA
> http://pki.fedoraproject.org/wiki/Debugging_the_state_of_dog
> tag_in_an_ipa_install
>
> Flo
>
> Groeten,
>>
>> David
>>
>> 2016-11-29 14:57 GMT+01:00 David Kupka <dkupka at redhat.com
>> <mailto:dkupka at redhat.com>>:
>>
>> On 29/11/16 13:55, David Dejaeghere wrote:
>>
>> Correct. Same symptoms.
>>
>> 2016-11-29T10:29:42Z DEBUG certmonger request is in state
>> dbus.String(u'CA_UNREACHABLE', variant_level=1)
>>
>> Fedora 24 Server
>>
>> [root at ns02 ~]# dnf history userinstalled
>> Packages installed by user
>> freeipa-client-4.3.2-2.fc24.x86_64
>> freeipa-server-4.3.2-2.fc24.x86_64
>> grub2-1:2.02-0.34.fc24.x86_64
>> kernel-4.5.5-300.fc24.x86_64
>> kernel-4.8.8-200.fc24.x86_64
>> lvm2-2.02.150-2.fc24.x86_64
>> xfsprogs-4.5.0-2.fc24.x86_64
>>
>>
>> Ok. I've reproduced it by simply stopping dogtag on FreeIPA server
>> while installing the replica. I see the exactly same errors as
>> you've reported and are described in the ticket, now.
>>
>> Is dogtag running on your master? Is in responding (e.g. issuing
>> certificates for users)? Is it accessible from the replica?
>>
>>
>>
>> 2016-11-29 13:41 GMT+01:00 Petr Vobornik <pvoborni at redhat.com
>> <mailto:pvoborni at redhat.com>>:
>>
>>
>> On 11/29/2016 12:43 PM, David Kupka wrote:
>>
>> On 29/11/16 12:15, David Dejaeghere wrote:
>>
>> Seems like it is but it does not show a server cert
>> for dirsrv
>>
>> [root at ns02 ~]# ls -lZ /etc/dirsrv/slapd-SOMETHING-BE/
>> total 468
>> -rw-------. 1 dirsrv root
>> unconfined_u:object_r:dirsrv_config_t:s0
>> 65536
>> Nov 29 11:29 cert8.db
>> -rw-rw----. 1 dirsrv dirsrv
>> unconfined_u:object_r:dirsrv_config_t:s0
>> 65536
>> Nov 29 11:29 cert8.db.orig
>> -r--r-----. 1 dirsrv dirsrv
>> unconfined_u:object_r:dirsrv_config_t:s0
>> 1623
>> Nov 29 11:29 certmap.conf
>> -rw-------. 1 dirsrv dirsrv
>> system_u:object_r:dirsrv_config_t:s0
>> 89977
>> Nov 29 11:29 dse.ldif
>> -rw-------. 2 dirsrv dirsrv
>> system_u:object_r:dirsrv_config_t:s0
>> 89977
>> Nov 29 11:29 dse.ldif.bak
>> -rw-------. 2 dirsrv dirsrv
>> system_u:object_r:dirsrv_config_t:s0
>> 89977
>> Nov 29 11:29 dse.ldif.startOK
>> -r--r-----. 1 dirsrv dirsrv
>> unconfined_u:object_r:dirsrv_config_t:s0
>> 36228
>> Nov 29 11:28 dse_original.ldif
>> -rw-------. 1 dirsrv root
>> unconfined_u:object_r:dirsrv_config_t:s0
>> 16384
>> Nov 29 11:29 key3.db
>> -rw-rw----. 1 dirsrv dirsrv
>> unconfined_u:object_r:dirsrv_config_t:s0
>> 16384
>> Nov 29 11:29 key3.db.orig
>> -r--------. 1 dirsrv dirsrv
>> unconfined_u:object_r:dirsrv_config_t:s0 66
>> Nov 29 11:29 pin.txt
>> -rw-------. 1 dirsrv dirsrv
>> unconfined_u:object_r:dirsrv_config_t:s0 40
>> Nov 29 11:29 pwdfile.txt
>> drwxrwx---. 2 dirsrv dirsrv
>> unconfined_u:object_r:dirsrv_config_t:s0
>> 4096
>> Nov 29 11:29 schema
>> -rw-------. 1 dirsrv root
>> unconfined_u:object_r:dirsrv_config_t:s0
>> 16384
>> Nov 29 11:29 secmod.db
>> -rw-rw----. 1 dirsrv dirsrv
>> unconfined_u:object_r:dirsrv_config_t:s0
>> 16384
>> Nov 29 11:29 secmod.db.orig
>> -r--r-----. 1 dirsrv dirsrv
>> unconfined_u:object_r:dirsrv_config_t:s0
>> 15142
>> Nov 29 11:28 slapd-collations.conf
>>
>> [root at ns02 ~]# certutil -d
>> /etc/dirsrv/slapd-SOMETHING-BE -L
>>
>> Certificate Nickname
>> Trust
>> Attributes
>>
>> SSL,S/MIME,JAR/XPI
>>
>> CN=something-PAPRIKA-CA,DC=something,DC=local
>> CT,C,C
>> SOMETHING.BE <http://SOMETHING.BE> IPA CA
>> CT,C,C
>> [root at ns02 ~]# certutil -d
>> /etc/dirsrv/slapd-SOMETHING-BE -L
>>
>> Certificate Nickname
>> Trust
>> Attributes
>>
>> SSL,S/MIME,JAR/XPI
>>
>> CN=something-PAPRIKA-CA,DC=something,DC=local
>> CT,C,C
>> SOMETHING.BE <http://SOMETHING.BE> IPA CA
>> CT,C,C
>>
>> [root at ns02 ~]# ausearch -m avc -i
>> <no matches>
>>
>>
>>
>> Exactly, the NSSDB should be accessible to dirsrv and is
>> missing the
>> Server-Cert but I don't understand why there's "bad
>> database" error in
>> the errors log. I'll try to reproduce it. What version
>> of FreeIPA are
>> you using? On what system?
>>
>>
>> Right.
>>
>> Seems bit similar to
>> https://fedorahosted.org/freeipa/ticket/6514
>> <https://fedorahosted.org/freeipa/ticket/6514> would
>> be good to check if it has the same symptoms, mainly
>> certmonger request is in state
>> dbus.String(u'CA_UNREACHABLE',
>> variant_level=1)
>>
>> in replica install log.
>>
>>
>>
>>
>> 2016-11-29 12:09 GMT+01:00 David Kupka
>> <dkupka at redhat.com <mailto:dkupka at redhat.com>>:
>>
>>
>> On 29/11/16 11:51, David Dejaeghere wrote:
>>
>> Hi,
>>
>> I have a setup where i want to add a
>> replica. The first master
>> setup has
>> an externally signed cert for dirsrv and
>> httpd. The replica is
>> prepapred
>> succesfully with ipa-client-install but the
>> replica install then keeps
>> failing. It seems that during install
>> dirserv is not configured
>> correctly
>> with a valid server certificate. Output from
>> the dirsrv error added to
>> this
>> email as well.
>>
>> [root at ns02 ~]# ipa-replica-install --setup-ca
>> WARNING: conflicting time&date
>> synchronization service 'chronyd' will
>> be disabled in favor of ntpd
>>
>> Run connection check to master
>> Connection check OK
>> Configuring NTP daemon (ntpd)
>> [1/4]: stopping ntpd
>> [2/4]: writing configuration
>> [3/4]: configuring ntpd to start on boot
>> [4/4]: starting ntpd
>> Done configuring NTP daemon (ntpd).
>> Configuring directory server (dirsrv).
>> Estimated time: 1 minute
>> [1/43]: creating directory server user
>> [2/43]: creating directory server instance
>> [3/43]: restarting directory server
>> [4/43]: adding default schema
>> [5/43]: enabling memberof plugin
>> [6/43]: enabling winsync plugin
>> [7/43]: configuring replication version
>> plugin
>> [8/43]: enabling IPA enrollment plugin
>> [9/43]: enabling ldapi
>> [10/43]: configuring uniqueness plugin
>> [11/43]: configuring uuid plugin
>> [12/43]: configuring modrdn plugin
>> [13/43]: configuring DNS plugin
>> [14/43]: enabling entryUSN plugin
>> [15/43]: configuring lockout plugin
>> [16/43]: configuring topology plugin
>> [17/43]: creating indices
>> [18/43]: enabling referential integrity
>> plugin
>> [19/43]: configuring certmap.conf
>> [20/43]: configure autobind for root
>> [21/43]: configure new location for
>> managed entries
>> [22/43]: configure dirsrv ccache
>> [23/43]: enabling SASL mapping fallback
>> [24/43]: restarting directory server
>> [25/43]: creating DS keytab
>> [26/43]: retrieving DS Certificate
>> [27/43]: restarting directory server
>> ipa : CRITICAL Failed to restart the
>> directory server (Command
>> '/bin/systemctl restart
>> dirsrv at SOMETHING-BE.service' returned
>>
>> non-zero
>>
>> exit
>> status 1). See the installation log for
>> details.
>> [28/43]: setting up initial replication
>> [error] error: [Errno 111] Connection
>> refused
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall
>> to clean up.
>>
>>
>> [29/Nov/2016:11:29:44.034285579 +0100] SSL
>> alert: Security
>> Initialization:
>> Can't find certificate (Server-Cert) for
>> family
>> cn=RSA,cn=encryption,cn=config (Netscape
>> Portable Runtime error -8174
>>
>> -
>>
>> security library: bad database.)
>> [29/Nov/2016:11:29:44.045039728 +0100] SSL
>> alert: Security
>> Initialization:
>> Unable to retrieve private key for cert
>> Server-Cert of family
>> cn=RSA,cn=encryption,cn=config (Netscape
>> Portable Runtime error -8174
>>
>> -
>>
>> security library: bad database.)
>>
>>
>>
>>
>> Hello David,
>>
>> The error from the log indicates that either the
>> NSSDB for dirsrv is
>>
>> not
>>
>> initialized or not accessible.
>>
>> Could you please send output of the following
>> commands?
>>
>> # ls -lZ /etc/dirsrv/slapd-$REALM/
>> # certutil -d /etc/dirsrv/slapd-$REALM/ -L
>> # ausearch -m avc -i
>>
>>
>> --
>> David Kupka
>>
>>
>>
>> --
>> Petr Vobornik
>>
>>
>>
>>
>> --
>> David Kupka
>>
>>
>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20161130/1d22c62b/attachment.htm>
More information about the Freeipa-users
mailing list