[Freeipa-users] can't add replica: failed to start the directory server

Florence Blanc-Renaud flo at redhat.com
Mon Feb 20 08:28:45 UTC 2017


On 02/17/2017 10:36 AM, Tiemen Ruiten wrote:
> I went through that bugreport, particularly this section...
>
> OK, I think I found the error. On the logs I get something like this
> *before* the failing dirsrv restart:
>
> 2017-01-14T03:41:28Z DEBUG   [27/44]: retrieving DS Certificate
> 2017-01-14T03:41:28Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
> 2017-01-14T03:41:28Z DEBUG Starting external process
> 2017-01-14T03:41:28Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n EXAMPLE.COM IPA CA -a
> 2017-01-14T03:41:28Z DEBUG Process finished, return code=255
> 2017-01-14T03:41:28Z DEBUG stdout=
> 2017-01-14T03:41:28Z DEBUG stderr=certutil: Could not find cert: EXAMPLE.COM IPA CA
> : PR_FILE_NOT_FOUND_ERROR: File not found
>

Hi,

this error shows that the server certificate for the LDAP server is not 
present in the NSS database. I am pretty sure that if you run
$ getcert list -d /etc/dirsrv/slapd-DOMAIN
you will get an error like this one:
        status: CA_UNREACHABLE
        ca-error: Server at https://ipa.EXAMPLE.COM/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (503)).

Make sure that the file /etc/pki/pki-tomcat/server.xml (on all the 
masters) defines the AJP connector like this:
     <Connector port="8009"
             protocol="AJP/1.3"
             redirectPort="8443"
             address="localhost" />
and that the /etc/hosts file (on all the masters) properly defines 
localhost:
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
Then restart the PKI service on the masters:
systemctl stop pki-tomcatd@pki-tomcat.service

After this, you should be able to re-run ipa-replica-install without any 
problem.
HTH,
Flo.

> So, when the process stopped, I run the command again:
>
> # /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n EXAMPLE.COM IPA CA -a
> certutil: Could not find cert: EXAMPLE.COM
> : PR_FILE_NOT_FOUND_ERROR: File not found
>
> and thought "wait... something is missing there":
>
> # /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n "EXAMPLE.COM IPA CA" -a
> -----BEGIN CERTIFICATE-----
> <strip>
> -----END CERTIFICATE-----
>
> So, could this be the problem?
>
>
> ...and indeed when I run
>
>     [tiemen@copernicum ipapython]$ sudo /usr/bin/certutil -d
>     /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n IPA.RDMEDIA.COM IPA CA -a
>     [sudo] password for tiemen:
>     certutil: Could not find cert: IPA.RDMEDIA.COM
>     : PR_FILE_NOT_FOUND_ERROR: File not found
>
>
> and when I run
>
> [tiemen@copernicum ipapython]$ sudo /usr/bin/certutil -d
> /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n "IPA.RDMEDIA.COM IPA CA" -a
> -----BEGIN CERTIFICATE-----
> <snip>
> -----END CERTIFICATE-----
>
> valid certificate output. Where can I change this command to quote this
> string?
>
>
> On 16 February 2017 at 17:29, Jeff Goddard <jgoddard at emerlyn.com> wrote:
>
>     Might be another instance of this:
>     https://fedorahosted.org/freeipa/ticket/6613
>
>     Jeff
>
>     On Thu, Feb 16, 2017 at 11:21 AM, Tiemen Ruiten <t.ruiten at rdmedia.com> wrote:
>
>         Hello,
>
>         I'm trying to add a third replica to a FreeIPA 4.4 domain (level
>         1), but I'm getting this error:
>
>             [tiemen@copernicum ~]$ sudo ipa-replica-install -P admin -w
>             "XXXXXXXXXX" --mkhomedir --setup-dns --forwarder 8.8.8.8
>             --forwarder 8.8.4.4
>             Checking DNS forwarders, please wait ...
>             Run connection check to master
>             Connection check OK
>             Configuring NTP daemon (ntpd)
>               [1/4]: stopping ntpd
>               [2/4]: writing configuration
>               [3/4]: configuring ntpd to start on boot
>               [4/4]: starting ntpd
>             Done configuring NTP daemon (ntpd).
>             Configuring directory server (dirsrv). Estimated time: 1 minute
>               [1/44]: creating directory server user
>               [2/44]: creating directory server instance
>               [3/44]: updating configuration in dse.ldif
>               [4/44]: restarting directory server
>               [5/44]: adding default schema
>               [6/44]: enabling memberof plugin
>               [7/44]: enabling winsync plugin
>               [8/44]: configuring replication version plugin
>               [9/44]: enabling IPA enrollment plugin
>               [10/44]: enabling ldapi
>               [11/44]: configuring uniqueness plugin
>               [12/44]: configuring uuid plugin
>               [13/44]: configuring modrdn plugin
>               [14/44]: configuring DNS plugin
>               [15/44]: enabling entryUSN plugin
>               [16/44]: configuring lockout plugin
>               [17/44]: configuring topology plugin
>               [18/44]: creating indices
>               [19/44]: enabling referential integrity plugin
>               [20/44]: configuring certmap.conf
>               [21/44]: configure autobind for root
>               [22/44]: configure new location for managed entries
>               [23/44]: configure dirsrv ccache
>               [24/44]: enabling SASL mapping fallback
>               [25/44]: restarting directory server
>               [26/44]: creating DS keytab
>               [27/44]: retrieving DS Certificate
>               [28/44]: restarting directory server
>             ipa         : CRITICAL Failed to restart the directory
>             server (Command '/bin/systemctl restart
>             dirsrv@IPA-RDMEDIA-COM.service' returned non-zero exit
>             status 1). See the installation log for details.
>               [29/44]: setting up initial replication
>               [error] error: [Errno 111] Connection refused
>             Your system may be partly configured.
>             Run /usr/sbin/ipa-server-install --uninstall to clean up.
>             ipa.ipapython.install.cli.install_tool(Replica): ERROR
>              [Errno 111] Connection refused
>             ipa.ipapython.install.cli.install_tool(Replica): ERROR
>              The ipa-replica-install command failed. See
>             /var/log/ipareplica-install.log for more information
>
>
>         In /var/log/ipareplica-install.log we find:
>
>             2017-02-16T15:53:59Z DEBUG   [27/44]: retrieving DS Certificate
>             2017-02-16T15:53:59Z DEBUG Loading Index file from
>             '/var/lib/ipa/sysrestore/sysrestore.index'
>             2017-02-16T15:53:59Z DEBUG Starting external process
>             2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d
>             /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n IPA.RDMEDIA.COM IPA CA -a
>             2017-02-16T15:53:59Z DEBUG Process finished, return code=255
>             2017-02-16T15:53:59Z DEBUG stdout=
>             *2017-02-16T15:53:59Z DEBUG stderr=certutil: Could not find
>             cert: IPA.RDMEDIA.COM IPA CA
>             : PR_FILE_NOT_FOUND_ERROR: File not found*
>             2017-02-16T15:53:59Z DEBUG Starting external process
>             2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d
>             /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -N -f
>             /etc/dirsrv/slapd-IPA-RDMEDIA-COM//pwdfile.txt
>             2017-02-16T15:53:59Z DEBUG Process finished, return code=0
>             2017-02-16T15:53:59Z DEBUG stdout=
>             2017-02-16T15:53:59Z DEBUG stderr=
>             2017-02-16T15:53:59Z DEBUG Starting external process
>             2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d
>             /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -A -n IPA.RDMEDIA.COM IPA CA -t CT,C,C -a
>             2017-02-16T15:53:59Z DEBUG Process finished, return code=0
>             2017-02-16T15:53:59Z DEBUG stdout=
>             2017-02-16T15:53:59Z DEBUG stderr=
>             2017-02-16T15:53:59Z DEBUG certmonger request is in state
>             dbus.String(u'NEWLY_ADDED_READING_KEYINFO', variant_level=1)
>             2017-02-16T15:54:04Z DEBUG certmonger request is in state
>             dbus.String(u'CA_UNREACHABLE', variant_level=1)
>             2017-02-16T15:54:04Z DEBUG flushing
>             ldapi://%2fvar%2frun%2fslapd-IPA-RDMEDIA-COM.socket from
>             SchemaCache
>             2017-02-16T15:54:04Z DEBUG retrieving schema for SchemaCache
>             url=ldapi://%2fvar%2frun%2fslapd-IPA-RDMEDIA-COM.socket
>             conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x74efd40>
>             2017-02-16T15:54:05Z DEBUG   duration: 5 seconds
>             2017-02-16T15:54:05Z DEBUG   [28/44]: restarting directory
>             server
>             2017-02-16T15:54:05Z DEBUG Starting external process
>             2017-02-16T15:54:05Z DEBUG args=/bin/systemctl --system
>             daemon-reload
>             2017-02-16T15:54:05Z DEBUG Process finished, return code=0
>             2017-02-16T15:54:05Z DEBUG stdout=
>             2017-02-16T15:54:05Z DEBUG stderr=
>             2017-02-16T15:54:05Z DEBUG Starting external process
>             2017-02-16T15:54:05Z DEBUG args=/bin/systemctl restart
>             dirsrv@IPA-RDMEDIA-COM.service
>             2017-02-16T15:54:06Z DEBUG Process finished, return code=1
>             2017-02-16T15:54:06Z DEBUG stdout=
>             2017-02-16T15:54:06Z DEBUG stderr=Job for
>             dirsrv@IPA-RDMEDIA-COM.service failed because the control
>             process exited with error code. See "systemctl status
>             dirsrv at IPA-RDMEDIA-COM.service" and "journalctl -xe" for
>             details.
>             2017-02-16T15:54:06Z CRITICAL Failed to restart the
>             directory server (Command '/bin/systemctl restart
>             dirsrv@IPA-RDMEDIA-COM.service' returned non-zero exit
>             status 1). See the installation log for details.
>             2017-02-16T15:54:06Z DEBUG   duration: 1 seconds
>             2017-02-16T15:54:06Z DEBUG   [29/44]: setting up initial
>             replication
>             2017-02-16T15:54:16Z DEBUG Traceback (most recent call last):
>               File
>             "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>             line 449, in start_creation
>                 run_step(full_msg, method)
>               File
>             "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>             line 439, in run_step
>                 method()
>               File
>             "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
>             line 405, in __setup_replica
>                 self.dm_password)
>               File
>             "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
>             line 118, in enable_replication_version_checking
>                 conn.do_simple_bind(bindpw=dirman_passwd)
>               File
>             "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py",
>             line 1665, in do_simple_bind
>                 self.__bind_with_wait(self.simple_bind, timeout, binddn,
>             bindpw)
>               File
>             "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py",
>             line 1660, in __bind_with_wait
>                 self.__wait_for_connection(timeout)
>               File
>             "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py",
>             line 1643, in __wait_for_connection
>                 wait_for_open_socket(lurl.hostport, timeout)
>               File
>             "/usr/lib/python2.7/site-packages/ipapython/ipautil.py",
>             line 1286, in wait_for_open_socket
>                 raise e
>             error: [Errno 111] Connection refused
>             2017-02-16T15:54:16Z DEBUG   [error] error: [Errno 111]
>             Connection refused
>             2017-02-16T15:54:16Z DEBUG Destroyed connection
>             context.ldap2_78478480
>             2017-02-16T15:54:16Z DEBUG   File
>             "/usr/lib/python2.7/site-packages/ipapython/admintool.py",
>             line 171, in execute
>                 return_value = self.run()
>               File
>             "/usr/lib/python2.7/site-packages/ipapython/install/cli.py",
>             line 318, in run
>                 cfgr.run()
>               File
>             "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
>             310, in run
>                 self.execute()
>               File
>             "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
>             332, in execute
>                 for nothing in self._executor():
>               File
>             "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
>             372, in __runner
>                 self._handle_exception(exc_info)
>               File
>             "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
>             394, in _handle_exception
>                 six.reraise(*exc_info)
>               File
>             "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
>             362, in __runner
>                 step()
>               File
>             "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
>             359, in <lambda>
>                 step = lambda: next(self.__gen)
>               File
>             "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line
>             81, in run_generator_with_yield_from
>                 six.reraise(*exc_info)
>               File
>             "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line
>             59, in run_generator_with_yield_from
>                 value = gen.send(prev_value)
>               File
>             "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
>             586, in _configure
>                 next(executor)
>               File
>             "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
>             372, in __runner
>                 self._handle_exception(exc_info)
>               File
>             "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
>             449, in _handle_exception
>                 self.__parent._handle_exception(exc_info)
>               File
>             "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
>             394, in _handle_exception
>                 six.reraise(*exc_info)
>               File
>             "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
>             446, in _handle_exception
>                 super(ComponentBase, self)._handle_exception(exc_info)
>               File
>             "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
>             394, in _handle_exception
>                 six.reraise(*exc_info)
>               File
>             "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
>             362, in __runner
>                 step()
>               File
>             "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line
>             359, in <lambda>
>                 step = lambda: next(self.__gen)
>               File
>             "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line
>             81, in run_generator_with_yield_from
>                 six.reraise(*exc_info)
>               File
>             "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line
>             59, in run_generator_with_yield_from
>                 value = gen.send(prev_value)
>               File
>             "/usr/lib/python2.7/site-packages/ipapython/install/common.py",
>             line 63, in _install
>                 for nothing in self._installer(self.parent):
>               File
>             "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
>             line 1714, in main
>                 promote(self)
>               File
>             "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
>             line 364, in decorated
>                 func(installer)
>               File
>             "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
>             line 1415, in promote
>                 promote=True, pkcs12_info=dirsrv_pkcs12_info)
>               File
>             "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
>             line 127, in install_replica_ds
>                 api=remote_api,
>               File
>             "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
>             line 399, in create_replica
>                 self.start_creation(runtime=60)
>               File
>             "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>             line 449, in start_creation
>                 run_step(full_msg, method)
>               File
>             "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>             line 439, in run_step
>                 method()
>               File
>             "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
>             line 405, in __setup_replica
>                 self.dm_password)
>               File
>             "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
>             line 118, in enable_replication_version_checking
>                 conn.do_simple_bind(bindpw=dirman_passwd)
>               File
>             "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py",
>             line 1665, in do_simple_bind
>                 self.__bind_with_wait(self.simple_bind, timeout, binddn,
>             bindpw)
>               File
>             "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py",
>             line 1660, in __bind_with_wait
>                 self.__wait_for_connection(timeout)
>               File
>             "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py",
>             line 1643, in __wait_for_connection
>                 wait_for_open_socket(lurl.hostport, timeout)
>               File
>             "/usr/lib/python2.7/site-packages/ipapython/ipautil.py",
>             line 1286, in wait_for_open_socket
>                 raise e
>             2017-02-16T15:54:16Z DEBUG The ipa-replica-install command
>             failed, exception: error: [Errno 111] Connection refused
>             2017-02-16T15:54:16Z ERROR [Errno 111] Connection refused
>             2017-02-16T15:54:16Z ERROR The ipa-replica-install command
>             failed. See /var/log/ipareplica-install.log for more information
>
>
>         How can I troubleshoot this?
>
>
>
>         --
>         Tiemen Ruiten
>         Systems Engineer
>         R&D Media
>
>         --
>         Manage your subscription for the Freeipa-users mailing list:
>         https://www.redhat.com/mailman/listinfo/freeipa-users
>         Go to http://freeipa.org for more info on the project
>
>
>
>
>
>
>
>
> --
> Tiemen Ruiten
> Systems Engineer
> R&D Media
>
>
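The reply above asks the reader to verify two things on every master by hand: that /etc/hosts maps both 127.0.0.1 and ::1 to "localhost", and that /etc/pki/pki-tomcat/server.xml carries an AJP/1.3 Connector with address="localhost". The script below is an added example, not code from the thread or from the FreeIPA project, that turns those two checks into shell functions and exercises them against sample files constructed inline (the sample contents, file names and the temporary directory are assumptions made for the demo). Both functions simply return success or failure so they can be dropped into a preflight step before re-running ipa-replica-install.

```bash
#!/bin/bash
# Added example: preflight checks for the two settings named in the reply
# above. Sample inputs are constructed here so the script runs offline.

# Return 0 if FILE maps both 127.0.0.1 and ::1 to the bare name "localhost".
# Comment lines are skipped; trailing comments on a line do not matter
# because only the name fields are compared.
check_hosts_localhost() {
    local file="$1" v4=0 v6=0 addr names n
    while read -r addr names; do
        case "$addr" in ''|\#*) continue ;; esac
        for n in $names; do
            if [ "$n" = "localhost" ]; then
                [ "$addr" = "127.0.0.1" ] && v4=1
                [ "$addr" = "::1" ] && v6=1
            fi
        done
    done < "$file"
    [ "$v4" -eq 1 ] && [ "$v6" -eq 1 ]
}

# Return 0 if FILE contains an AJP/1.3 <Connector> element whose address is
# localhost. The file is joined into one string first, so a Connector spread
# over several lines (as in the reply) is handled, and XML comments are
# removed so a commented-out Connector does not count as configured.
check_ajp_connector() {
    awk '
        { doc = doc $0 " " }
        END {
            while ((i = index(doc, "<!--")) > 0) {
                rest = substr(doc, i + 4)
                j = index(rest, "-->")
                if (j == 0) { doc = substr(doc, 1, i - 1); break }
                doc = substr(doc, 1, i - 1) substr(rest, j + 3)
            }
            ok = 0
            while ((i = index(doc, "<Connector")) > 0) {
                rest = substr(doc, i)
                j = index(rest, ">")
                if (j == 0) break
                el = substr(rest, 1, j)
                if (index(el, "protocol=\"AJP/1.3\"") && index(el, "address=\"localhost\"")) ok = 1
                doc = substr(rest, j + 1)
            }
            exit (ok ? 0 : 1)
        }' "$1"
}

# Constructed sample files (assumed content, not copied from any real host).
make_samples() {
    SAMPLE_DIR=$(mktemp -d)
    GOOD_HOSTS="$SAMPLE_DIR/hosts.good"
    BAD_HOSTS="$SAMPLE_DIR/hosts.bad"
    GOOD_XML="$SAMPLE_DIR/server.xml.good"
    BAD_XML="$SAMPLE_DIR/server.xml.bad"
    printf '%s\n' \
        '127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4' \
        '::1         localhost localhost.localdomain localhost6 localhost6.localdomain6' \
        '192.0.2.10  ipa.example.test ipa' > "$GOOD_HOSTS"
    # Broken: ::1 does not carry the name "localhost".
    printf '%s\n' \
        '# hosts file with an incomplete IPv6 loopback entry' \
        '127.0.0.1   localhost' \
        '::1         ip6-loopback' > "$BAD_HOSTS"
    cat > "$GOOD_XML" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009"
             protocol="AJP/1.3"
             redirectPort="8443"
             address="localhost" />
  </Service>
</Server>
EOF
    # Broken: the only correct Connector is commented out; the live one has
    # no address attribute.
    cat > "$BAD_XML" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- <Connector port="8009" protocol="AJP/1.3" address="localhost" /> -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
EOF
}

make_samples
for f in "$GOOD_HOSTS" "$BAD_HOSTS"; do
    if check_hosts_localhost "$f"; then echo "hosts OK   $f"; else echo "hosts FAIL $f"; fi
done
for f in "$GOOD_XML" "$BAD_XML"; do
    if check_ajp_connector "$f"; then echo "ajp   OK   $f"; else echo "ajp   FAIL $f"; fi
done
rm -rf "$SAMPLE_DIR"
```

On a real master the calls would be `check_hosts_localhost /etc/hosts` and `check_ajp_connector /etc/pki/pki-tomcat/server.xml`; a non-zero return from either is the cue to fix the file and restart the PKI service before retrying the replica install.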