[Freeipa-users] can't add replica: failed to start the directory server

Tiemen Ruiten t.ruiten at rdmedia.com
Mon Feb 20 08:19:05 UTC 2017


Any help would be much appreciated! I really need to add this replica (and
others)...

On 17 February 2017 at 10:36, Tiemen Ruiten <t.ruiten at rdmedia.com> wrote:

> I went through that bugreport, particularly this section...
>
> OK, I think I found the error. On the logs I get something like this
> *before* the failing dirsrv restart:
>
> 2017-01-14T03:41:28Z DEBUG   [27/44]: retrieving DS Certificate
> 2017-01-14T03:41:28Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
> 2017-01-14T03:41:28Z DEBUG Starting external process
> 2017-01-14T03:41:28Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n EXAMPLE.COM IPA CA -a
> 2017-01-14T03:41:28Z DEBUG Process finished, return code=255
> 2017-01-14T03:41:28Z DEBUG stdout=
> 2017-01-14T03:41:28Z DEBUG stderr=certutil: Could not find cert: EXAMPLE.COM IPA CA
> : PR_FILE_NOT_FOUND_ERROR: File not found
>
> So, when the process stopped, I run the command again:
>
> # /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n EXAMPLE.COM IPA CA -a
> certutil: Could not find cert: EXAMPLE.COM
> : PR_FILE_NOT_FOUND_ERROR: File not found
>
>
> and thought "wait... something is missing there":
>
> # /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n "EXAMPLE.COM IPA CA" -a
> -----BEGIN CERTIFICATE-----
> <strip>
> -----END CERTIFICATE-----
>
> So, could this be the problem?
>
> ...and indeed when I run
>
> [tiemen@copernicum ipapython]$ sudo /usr/bin/certutil -d
>> /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n IPA.RDMEDIA.COM IPA CA -a
>> [sudo] password for tiemen:
>> certutil: Could not find cert: IPA.RDMEDIA.COM
>> : PR_FILE_NOT_FOUND_ERROR: File not found
>
>
> and when I run
>
> [tiemen@copernicum ipapython]$ sudo /usr/bin/certutil -d
> /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n "IPA.RDMEDIA.COM IPA CA" -a
> -----BEGIN CERTIFICATE-----
> <snip>
> -----END CERTIFICATE-----
>
> valid certificate output. Where can I change this command to quote this
> string?
>
>
> On 16 February 2017 at 17:29, Jeff Goddard <jgoddard at emerlyn.com> wrote:
>
>> Might be another instance of this:
>> https://fedorahosted.org/freeipa/ticket/6613
>>
>> Jeff
>>
>> On Thu, Feb 16, 2017 at 11:21 AM, Tiemen Ruiten <t.ruiten at rdmedia.com>
>> wrote:
>>
>>> Hello,
>>>
>>> I'm trying to add a third replica to a FreeIPA 4.4 domain (level 1), but
>>> I'm getting this error:
>>>
>>> [tiemen@copernicum ~]$ sudo ipa-replica-install -P admin -w
>>>> "XXXXXXXXXX" --mkhomedir --setup-dns --forwarder 8.8.8.8 --forwarder 8.8.4.4
>>>> Checking DNS forwarders, please wait ...
>>>> Run connection check to master
>>>> Connection check OK
>>>> Configuring NTP daemon (ntpd)
>>>>   [1/4]: stopping ntpd
>>>>   [2/4]: writing configuration
>>>>   [3/4]: configuring ntpd to start on boot
>>>>   [4/4]: starting ntpd
>>>> Done configuring NTP daemon (ntpd).
>>>> Configuring directory server (dirsrv). Estimated time: 1 minute
>>>>   [1/44]: creating directory server user
>>>>   [2/44]: creating directory server instance
>>>>   [3/44]: updating configuration in dse.ldif
>>>>   [4/44]: restarting directory server
>>>>   [5/44]: adding default schema
>>>>   [6/44]: enabling memberof plugin
>>>>   [7/44]: enabling winsync plugin
>>>>   [8/44]: configuring replication version plugin
>>>>   [9/44]: enabling IPA enrollment plugin
>>>>   [10/44]: enabling ldapi
>>>>   [11/44]: configuring uniqueness plugin
>>>>   [12/44]: configuring uuid plugin
>>>>   [13/44]: configuring modrdn plugin
>>>>   [14/44]: configuring DNS plugin
>>>>   [15/44]: enabling entryUSN plugin
>>>>   [16/44]: configuring lockout plugin
>>>>   [17/44]: configuring topology plugin
>>>>   [18/44]: creating indices
>>>>   [19/44]: enabling referential integrity plugin
>>>>   [20/44]: configuring certmap.conf
>>>>   [21/44]: configure autobind for root
>>>>   [22/44]: configure new location for managed entries
>>>>   [23/44]: configure dirsrv ccache
>>>>   [24/44]: enabling SASL mapping fallback
>>>>   [25/44]: restarting directory server
>>>>   [26/44]: creating DS keytab
>>>>   [27/44]: retrieving DS Certificate
>>>>   [28/44]: restarting directory server
>>>> ipa         : CRITICAL Failed to restart the directory server (Command
>>>> '/bin/systemctl restart dirsrv@IPA-RDMEDIA-COM.service' returned
>>>> non-zero exit status 1). See the installation log for details.
>>>>   [29/44]: setting up initial replication
>>>>   [error] error: [Errno 111] Connection refused
>>>> Your system may be partly configured.
>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR    [Errno 111]
>>>> Connection refused
>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR    The
>>>> ipa-replica-install command failed. See /var/log/ipareplica-install.log
>>>> for more information
>>>
>>>
>>> In /var/log/ipareplica-install.log we find:
>>>
>>> 2017-02-16T15:53:59Z DEBUG   [27/44]: retrieving DS Certificate
>>>> 2017-02-16T15:53:59Z DEBUG Loading Index file from
>>>> '/var/lib/ipa/sysrestore/sysrestore.index'
>>>> 2017-02-16T15:53:59Z DEBUG Starting external process
>>>> 2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d
>>>> /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n IPA.RDMEDIA.COM IPA CA -a
>>>> 2017-02-16T15:53:59Z DEBUG Process finished, return code=255
>>>> 2017-02-16T15:53:59Z DEBUG stdout=
>>>>
>>>> *2017-02-16T15:53:59Z DEBUG stderr=certutil: Could not find cert:
>>>> IPA.RDMEDIA.COM IPA CA: PR_FILE_NOT_FOUND_ERROR:
>>>> File not found*
>>>> 2017-02-16T15:53:59Z DEBUG Starting external process
>>>> 2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d
>>>> /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -N -f /etc/dirsrv/slapd-IPA-RDMEDIA-
>>>> COM//pwdfile.txt
>>>> 2017-02-16T15:53:59Z DEBUG Process finished, return code=0
>>>> 2017-02-16T15:53:59Z DEBUG stdout=
>>>> 2017-02-16T15:53:59Z DEBUG stderr=
>>>> 2017-02-16T15:53:59Z DEBUG Starting external process
>>>> 2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d
>>>> /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -A -n IPA.RDMEDIA.COM IPA CA -t
>>>> CT,C,C -a
>>>> 2017-02-16T15:53:59Z DEBUG Process finished, return code=0
>>>> 2017-02-16T15:53:59Z DEBUG stdout=
>>>> 2017-02-16T15:53:59Z DEBUG stderr=
>>>> 2017-02-16T15:53:59Z DEBUG certmonger request is in state
>>>> dbus.String(u'NEWLY_ADDED_READING_KEYINFO', variant_level=1)
>>>> 2017-02-16T15:54:04Z DEBUG certmonger request is in state
>>>> dbus.String(u'CA_UNREACHABLE', variant_level=1)
>>>> 2017-02-16T15:54:04Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-IPA-RDMEDIA-COM.socket
>>>> from SchemaCache
>>>> 2017-02-16T15:54:04Z DEBUG retrieving schema for SchemaCache
>>>> url=ldapi://%2fvar%2frun%2fslapd-IPA-RDMEDIA-COM.socket
>>>> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x74efd40>
>>>> 2017-02-16T15:54:05Z DEBUG   duration: 5 seconds
>>>> 2017-02-16T15:54:05Z DEBUG   [28/44]: restarting directory server
>>>> 2017-02-16T15:54:05Z DEBUG Starting external process
>>>> 2017-02-16T15:54:05Z DEBUG args=/bin/systemctl --system daemon-reload
>>>> 2017-02-16T15:54:05Z DEBUG Process finished, return code=0
>>>> 2017-02-16T15:54:05Z DEBUG stdout=
>>>> 2017-02-16T15:54:05Z DEBUG stderr=
>>>> 2017-02-16T15:54:05Z DEBUG Starting external process
>>>> 2017-02-16T15:54:05Z DEBUG args=/bin/systemctl restart
>>>> dirsrv@IPA-RDMEDIA-COM.service
>>>> 2017-02-16T15:54:06Z DEBUG Process finished, return code=1
>>>> 2017-02-16T15:54:06Z DEBUG stdout=
>>>> 2017-02-16T15:54:06Z DEBUG stderr=Job for dirsrv@IPA-RDMEDIA-COM.service
>>>> failed because the control process exited with error code. See "systemctl
>>>> status dirsrv@IPA-RDMEDIA-COM.service" and "journalctl -xe" for
>>>> details.
>>>> 2017-02-16T15:54:06Z CRITICAL Failed to restart the directory server
>>>> (Command '/bin/systemctl restart dirsrv@IPA-RDMEDIA-COM.service'
>>>> returned non-zero exit status 1). See the installation log for details.
>>>> 2017-02-16T15:54:06Z DEBUG   duration: 1 seconds
>>>> 2017-02-16T15:54:06Z DEBUG   [29/44]: setting up initial replication
>>>> 2017-02-16T15:54:16Z DEBUG Traceback (most recent call last):
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>>> line 449, in start_creation
>>>>     run_step(full_msg, method)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>>> line 439, in run_step
>>>>     method()
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
>>>> line 405, in __setup_replica
>>>>     self.dm_password)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
>>>> line 118, in enable_replication_version_checking
>>>>     conn.do_simple_bind(bindpw=dirman_passwd)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
>>>> 1665, in do_simple_bind
>>>>     self.__bind_with_wait(self.simple_bind, timeout, binddn, bindpw)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
>>>> 1660, in __bind_with_wait
>>>>     self.__wait_for_connection(timeout)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
>>>> 1643, in __wait_for_connection
>>>>     wait_for_open_socket(lurl.hostport, timeout)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line
>>>> 1286, in wait_for_open_socket
>>>>     raise e
>>>> error: [Errno 111] Connection refused
>>>> 2017-02-16T15:54:16Z DEBUG   [error] error: [Errno 111] Connection
>>>> refused
>>>> 2017-02-16T15:54:16Z DEBUG Destroyed connection context.ldap2_78478480
>>>> 2017-02-16T15:54:16Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py",
>>>> line 171, in execute
>>>>     return_value = self.run()
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py",
>>>> line 318, in run
>>>>     cfgr.run()
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 310, in run
>>>>     self.execute()
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 332, in execute
>>>>     for nothing in self._executor():
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 372, in __runner
>>>>     self._handle_exception(exc_info)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 394, in _handle_exception
>>>>     six.reraise(*exc_info)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 362, in __runner
>>>>     step()
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 359, in <lambda>
>>>>     step = lambda: next(self.__gen)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>>>> line 81, in run_generator_with_yield_from
>>>>     six.reraise(*exc_info)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>>>> line 59, in run_generator_with_yield_from
>>>>     value = gen.send(prev_value)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 586, in _configure
>>>>     next(executor)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 372, in __runner
>>>>     self._handle_exception(exc_info)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 449, in _handle_exception
>>>>     self.__parent._handle_exception(exc_info)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 394, in _handle_exception
>>>>     six.reraise(*exc_info)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 446, in _handle_exception
>>>>     super(ComponentBase, self)._handle_exception(exc_info)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 394, in _handle_exception
>>>>     six.reraise(*exc_info)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 362, in __runner
>>>>     step()
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 359, in <lambda>
>>>>     step = lambda: next(self.__gen)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>>>> line 81, in run_generator_with_yield_from
>>>>     six.reraise(*exc_info)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>>>> line 59, in run_generator_with_yield_from
>>>>     value = gen.send(prev_value)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/common.py",
>>>> line 63, in _install
>>>>     for nothing in self._installer(self.parent):
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
>>>> line 1714, in main
>>>>     promote(self)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
>>>> line 364, in decorated
>>>>     func(installer)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
>>>> line 1415, in promote
>>>>     promote=True, pkcs12_info=dirsrv_pkcs12_info)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
>>>> line 127, in install_replica_ds
>>>>     api=remote_api,
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
>>>> line 399, in create_replica
>>>>     self.start_creation(runtime=60)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>>> line 449, in start_creation
>>>>     run_step(full_msg, method)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>>> line 439, in run_step
>>>>     method()
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
>>>> line 405, in __setup_replica
>>>>     self.dm_password)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
>>>> line 118, in enable_replication_version_checking
>>>>     conn.do_simple_bind(bindpw=dirman_passwd)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
>>>> 1665, in do_simple_bind
>>>>     self.__bind_with_wait(self.simple_bind, timeout, binddn, bindpw)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
>>>> 1660, in __bind_with_wait
>>>>     self.__wait_for_connection(timeout)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
>>>> 1643, in __wait_for_connection
>>>>     wait_for_open_socket(lurl.hostport, timeout)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line
>>>> 1286, in wait_for_open_socket
>>>>     raise e
>>>> 2017-02-16T15:54:16Z DEBUG The ipa-replica-install command failed,
>>>> exception: error: [Errno 111] Connection refused
>>>> 2017-02-16T15:54:16Z ERROR [Errno 111] Connection refused
>>>> 2017-02-16T15:54:16Z ERROR The ipa-replica-install command failed. See
>>>> /var/log/ipareplica-install.log for more information
>>>>
>>>
>>> How can I troubleshoot this?
>>>
>>>
>>>
>>> --
>>> Tiemen Ruiten
>>> Systems Engineer
>>> R&D Media
>>>
>
>
> --
> Tiemen Ruiten
> Systems Engineer
> R&D Media
>



-- 
Tiemen Ruiten
Systems Engineer
R&D Media
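
Added example, not code from this thread or from FreeIPA: it shows how a certificate nickname containing spaces is split when a space-joined command line is pasted into a shell, and how quoting each argument in a log line keeps the line replayable. The database path and nickname are the placeholder values quoted above; all function names are hypothetical.

```python
import shlex

# Constructed sample values, modelled on the commands quoted in the thread.
NSS_DB = "/etc/dirsrv/slapd-EXAMPLE-COM/"
NICKNAME = "EXAMPLE.COM IPA CA"


def certutil_argv(db, nickname):
    """Build the argument vector; the nickname stays a single element."""
    return ["/usr/bin/certutil", "-d", db, "-L", "-n", nickname, "-a"]


def nickname_seen(argv):
    """Return the value following -n, i.e. the nickname that gets looked up."""
    return argv[argv.index("-n") + 1]


def log_joined(argv):
    """Log line that joins arguments with spaces (argument boundaries lost)."""
    return "args=" + " ".join(argv)


def log_quoted(argv):
    """Log line that shell-quotes every argument (boundaries preserved)."""
    return "args=" + " ".join(shlex.quote(a) for a in argv)


def replay(logged):
    """Split a logged command the way a POSIX shell splits pasted text."""
    return shlex.split(logged[len("args="):])


if __name__ == "__main__":
    argv = certutil_argv(NSS_DB, NICKNAME)
    for line in (log_joined(argv), log_quoted(argv)):
        print(line)
        print("  nickname after replay:", repr(nickname_seen(replay(line))))
```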