[Freeipa-users] can't add replica: failed to start the directory server
Tiemen Ruiten
t.ruiten at rdmedia.com
Tue Feb 21 08:37:18 UTC 2017
Flo,
Do you have any pointers?
On 20 February 2017 at 10:05, Tiemen Ruiten <t.ruiten at rdmedia.com> wrote:
> Hello Flo,
>
> Thanks for your response. I ran that command and I seem to have a
> different problem (connectors are defined as you indicated):
>
> [tiemen@copernicum ~]$ sudo getcert list -d /etc/dirsrv/slapd-IPA-RDMEDIA-COM/
> [sudo] password for tiemen:
> Number of certificates and requests being tracked: 2.
> Request ID '20170217130857':
> status: CA_UNREACHABLE
> ca-error: Server at https://moscovium.ipa.rdmedia.com/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: FAILURE (*CA not found: 1ba8130c-56b8-4bd9-ae8a-8b0333d71b80*)).
> stuck: no
> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-RDMEDIA-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-RDMEDIA-COM//pwdfile.txt'
> certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-RDMEDIA-COM',nickname='Server-Cert'
> CA: IPA
> issuer:
> subject:
> expires: unknown
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
>
> On 20 February 2017 at 09:28, Florence Blanc-Renaud <flo at redhat.com> wrote:
>
>> On 02/17/2017 10:36 AM, Tiemen Ruiten wrote:
>>
>>> I went through that bug report, particularly this section...
>>>
>>> OK, I think I found the error. On the logs I get something like this
>>> *before* the failing dirsrv restart:
>>>
>>> 2017-01-14T03:41:28Z DEBUG [27/44]: retrieving DS Certificate
>>> 2017-01-14T03:41:28Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
>>> 2017-01-14T03:41:28Z DEBUG Starting external process
>>> 2017-01-14T03:41:28Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n EXAMPLE.COM IPA CA -a
>>> 2017-01-14T03:41:28Z DEBUG Process finished, return code=255
>>> 2017-01-14T03:41:28Z DEBUG stdout=
>>> 2017-01-14T03:41:28Z DEBUG stderr=certutil: Could not find cert: EXAMPLE.COM IPA CA
>>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>>
>>>
>> Hi,
>>
>> this error shows that the server certificate for the LDAP server is not
>> present in the NSS database. I am pretty sure that if you run
>> $ getcert list -d /etc/dirsrv/slapd-DOMAIN
>> you will get an error like this one:
>> status: CA_UNREACHABLE
>> ca-error: Server at https://ipa.EXAMPLE.COM/ipa/xml failed
>> request, will retry: 4301 (RPC failed at server. Certificate operation
>> cannot be completed: Unable to communicate with CMS (503)).
>>
>> Make sure that the file /etc/pki/pki-tomcat/server.xml (on all the
>> masters) defines the AJP connector like this:
>> <Connector port="8009"
>> protocol="AJP/1.3"
>> redirectPort="8443"
>> address="localhost" />
>> and that the /etc/hosts file (on all the masters) properly defines localhost:
>> 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
>> ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
>> Then restart the PKI service on the masters:
>> systemctl stop pki-tomcatd@pki-tomcat.service
>>
>> After this, you should be able to re-run ipa-replica-install without any
>> problem.
>> HTH,
>> Flo.
>>
>>> So, when the process stopped, I ran the command again:
>>>
>>> # /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n EXAMPLE.COM IPA CA -a
>>> certutil: Could not find cert: EXAMPLE.COM
>>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>>
>>> and thought "wait... something is missing there":
>>>
>>> # /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n "EXAMPLE.COM IPA CA" -a
>>> -----BEGIN CERTIFICATE-----
>>> <strip>
>>> -----END CERTIFICATE-----
>>>
>>> So, could this be the problem?
>>>
>>>
>>> ...and indeed when I run
>>>
>>> [tiemen@copernicum ipapython]$ sudo /usr/bin/certutil -d /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n IPA.RDMEDIA.COM IPA CA -a
>>> [sudo] password for tiemen:
>>> certutil: Could not find cert: IPA.RDMEDIA.COM
>>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>>
>>>
>>> and when I run
>>>
>>> [tiemen@copernicum ipapython]$ sudo /usr/bin/certutil -d /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n "IPA.RDMEDIA.COM IPA CA" -a
>>> -----BEGIN CERTIFICATE-----
>>> <snip>
>>> -----END CERTIFICATE-----
>>>
>>> valid certificate output. Where can I change this command to quote this
>>> string?
>>>
>>>
>>> On 16 February 2017 at 17:29, Jeff Goddard <jgoddard at emerlyn.com> wrote:
>>>
>>> Might be another instance of this:
>>> https://fedorahosted.org/freeipa/ticket/6613
>>>
>>> Jeff
>>>
>>> On Thu, Feb 16, 2017 at 11:21 AM, Tiemen Ruiten <t.ruiten at rdmedia.com> wrote:
>>>
>>> Hello,
>>>
>>> I'm trying to add a third replica to a FreeIPA 4.4 domain (level
>>> 1), but I'm getting this error:
>>>
>>> [tiemen@copernicum ~]$ sudo ipa-replica-install -P admin -w "XXXXXXXXXX" --mkhomedir --setup-dns --forwarder 8.8.8.8 --forwarder 8.8.4.4
>>> Checking DNS forwarders, please wait ...
>>> Run connection check to master
>>> Connection check OK
>>> Configuring NTP daemon (ntpd)
>>> [1/4]: stopping ntpd
>>> [2/4]: writing configuration
>>> [3/4]: configuring ntpd to start on boot
>>> [4/4]: starting ntpd
>>> Done configuring NTP daemon (ntpd).
>>> Configuring directory server (dirsrv). Estimated time: 1 minute
>>> [1/44]: creating directory server user
>>> [2/44]: creating directory server instance
>>> [3/44]: updating configuration in dse.ldif
>>> [4/44]: restarting directory server
>>> [5/44]: adding default schema
>>> [6/44]: enabling memberof plugin
>>> [7/44]: enabling winsync plugin
>>> [8/44]: configuring replication version plugin
>>> [9/44]: enabling IPA enrollment plugin
>>> [10/44]: enabling ldapi
>>> [11/44]: configuring uniqueness plugin
>>> [12/44]: configuring uuid plugin
>>> [13/44]: configuring modrdn plugin
>>> [14/44]: configuring DNS plugin
>>> [15/44]: enabling entryUSN plugin
>>> [16/44]: configuring lockout plugin
>>> [17/44]: configuring topology plugin
>>> [18/44]: creating indices
>>> [19/44]: enabling referential integrity plugin
>>> [20/44]: configuring certmap.conf
>>> [21/44]: configure autobind for root
>>> [22/44]: configure new location for managed entries
>>> [23/44]: configure dirsrv ccache
>>> [24/44]: enabling SASL mapping fallback
>>> [25/44]: restarting directory server
>>> [26/44]: creating DS keytab
>>> [27/44]: retrieving DS Certificate
>>> [28/44]: restarting directory server
>>> ipa : CRITICAL Failed to restart the directory server (Command '/bin/systemctl restart dirsrv@IPA-RDMEDIA-COM.service' returned non-zero exit status 1). See the installation log for details.
>>> [29/44]: setting up initial replication
>>> [error] error: [Errno 111] Connection refused
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR [Errno 111] Connection refused
>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>>>
>>>
>>> In /var/log/ipareplica-install.log we find:
>>>
>>> 2017-02-16T15:53:59Z DEBUG [27/44]: retrieving DS Certificate
>>> 2017-02-16T15:53:59Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
>>> 2017-02-16T15:53:59Z DEBUG Starting external process
>>> 2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n IPA.RDMEDIA.COM IPA CA -a
>>> 2017-02-16T15:53:59Z DEBUG Process finished, return code=255
>>> 2017-02-16T15:53:59Z DEBUG stdout=
>>> *2017-02-16T15:53:59Z DEBUG stderr=certutil: Could not find cert: IPA.RDMEDIA.COM IPA CA
>>> : PR_FILE_NOT_FOUND_ERROR: File not found*
>>> 2017-02-16T15:53:59Z DEBUG Starting external process
>>> 2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -N -f /etc/dirsrv/slapd-IPA-RDMEDIA-COM//pwdfile.txt
>>> 2017-02-16T15:53:59Z DEBUG Process finished, return code=0
>>> 2017-02-16T15:53:59Z DEBUG stdout=
>>> 2017-02-16T15:53:59Z DEBUG stderr=
>>> 2017-02-16T15:53:59Z DEBUG Starting external process
>>> 2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -A -n IPA.RDMEDIA.COM IPA CA -t CT,C,C -a
>>>
>>> 2017-02-16T15:53:59Z DEBUG Process finished, return code=0
>>> 2017-02-16T15:53:59Z DEBUG stdout=
>>> 2017-02-16T15:53:59Z DEBUG stderr=
>>> 2017-02-16T15:53:59Z DEBUG certmonger request is in state dbus.String(u'NEWLY_ADDED_READING_KEYINFO', variant_level=1)
>>> 2017-02-16T15:54:04Z DEBUG certmonger request is in state dbus.String(u'CA_UNREACHABLE', variant_level=1)
>>> 2017-02-16T15:54:04Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-IPA-RDMEDIA-COM.socket from SchemaCache
>>> 2017-02-16T15:54:04Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-IPA-RDMEDIA-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x74efd40>
>>> 2017-02-16T15:54:05Z DEBUG duration: 5 seconds
>>> 2017-02-16T15:54:05Z DEBUG [28/44]: restarting directory server
>>> 2017-02-16T15:54:05Z DEBUG Starting external process
>>> 2017-02-16T15:54:05Z DEBUG args=/bin/systemctl --system daemon-reload
>>> 2017-02-16T15:54:05Z DEBUG Process finished, return code=0
>>> 2017-02-16T15:54:05Z DEBUG stdout=
>>> 2017-02-16T15:54:05Z DEBUG stderr=
>>> 2017-02-16T15:54:05Z DEBUG Starting external process
>>> 2017-02-16T15:54:05Z DEBUG args=/bin/systemctl restart dirsrv@IPA-RDMEDIA-COM.service
>>> 2017-02-16T15:54:06Z DEBUG Process finished, return code=1
>>> 2017-02-16T15:54:06Z DEBUG stdout=
>>> 2017-02-16T15:54:06Z DEBUG stderr=Job for dirsrv@IPA-RDMEDIA-COM.service failed because the control process exited with error code. See "systemctl status dirsrv@IPA-RDMEDIA-COM.service" and "journalctl -xe" for details.
>>> 2017-02-16T15:54:06Z CRITICAL Failed to restart the directory server (Command '/bin/systemctl restart dirsrv@IPA-RDMEDIA-COM.service' returned non-zero exit status 1). See the installation log for details.
>>> 2017-02-16T15:54:06Z DEBUG duration: 1 seconds
>>> 2017-02-16T15:54:06Z DEBUG [29/44]: setting up initial replication
>>> 2017-02-16T15:54:16Z DEBUG Traceback (most recent call last):
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
>>>     run_step(full_msg, method)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
>>>     method()
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 405, in __setup_replica
>>>     self.dm_password)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 118, in enable_replication_version_checking
>>>     conn.do_simple_bind(bindpw=dirman_passwd)
>>>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1665, in do_simple_bind
>>>     self.__bind_with_wait(self.simple_bind, timeout, binddn, bindpw)
>>>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1660, in __bind_with_wait
>>>     self.__wait_for_connection(timeout)
>>>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1643, in __wait_for_connection
>>>     wait_for_open_socket(lurl.hostport, timeout)
>>>   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1286, in wait_for_open_socket
>>>     raise e
>>> error: [Errno 111] Connection refused
>>> 2017-02-16T15:54:16Z DEBUG [error] error: [Errno 111] Connection refused
>>> 2017-02-16T15:54:16Z DEBUG Destroyed connection context.ldap2_78478480
>>> 2017-02-16T15:54:16Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>>     return_value = self.run()
>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run
>>>     cfgr.run()
>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 310, in run
>>>     self.execute()
>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in execute
>>>     for nothing in self._executor():
>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
>>>     self._handle_exception(exc_info)
>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
>>>     six.reraise(*exc_info)
>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
>>>     step()
>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
>>>     step = lambda: next(self.__gen)
>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
>>>     six.reraise(*exc_info)
>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
>>>     value = gen.send(prev_value)
>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 586, in _configure
>>>     next(executor)
>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
>>>     self._handle_exception(exc_info)
>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449, in _handle_exception
>>>     self.__parent._handle_exception(exc_info)
>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
>>>     six.reraise(*exc_info)
>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception
>>>     super(ComponentBase, self)._handle_exception(exc_info)
>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
>>>     six.reraise(*exc_info)
>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
>>>     step()
>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
>>>     step = lambda: next(self.__gen)
>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
>>>     six.reraise(*exc_info)
>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
>>>     value = gen.send(prev_value)
>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
>>>     for nothing in self._installer(self.parent):
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1714, in main
>>>     promote(self)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 364, in decorated
>>>     func(installer)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1415, in promote
>>>     promote=True, pkcs12_info=dirsrv_pkcs12_info)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 127, in install_replica_ds
>>>     api=remote_api,
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 399, in create_replica
>>>     self.start_creation(runtime=60)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
>>>     run_step(full_msg, method)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
>>>     method()
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 405, in __setup_replica
>>>     self.dm_password)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 118, in enable_replication_version_checking
>>>     conn.do_simple_bind(bindpw=dirman_passwd)
>>>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1665, in do_simple_bind
>>>     self.__bind_with_wait(self.simple_bind, timeout, binddn, bindpw)
>>>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1660, in __bind_with_wait
>>>     self.__wait_for_connection(timeout)
>>>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1643, in __wait_for_connection
>>>     wait_for_open_socket(lurl.hostport, timeout)
>>>   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1286, in wait_for_open_socket
>>>     raise e
>>> 2017-02-16T15:54:16Z DEBUG The ipa-replica-install command failed, exception: error: [Errno 111] Connection refused
>>> 2017-02-16T15:54:16Z ERROR [Errno 111] Connection refused
>>> 2017-02-16T15:54:16Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>>>
>>> --
>>> Tiemen Ruiten
>>> Systems Engineer
>>> R&D Media
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> <https://www.redhat.com/mailman/listinfo/freeipa-users>
>>> Go to http://freeipa.org for more info on the project
>>>
>>> --
>>> Tiemen Ruiten
>>> Systems Engineer
>>> R&D Media
>
> --
> Tiemen Ruiten
> Systems Engineer
> R&D Media
>
--
Tiemen Ruiten
Systems Engineer
R&D Media
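A small diagnostic, added here as an illustration and not part of this thread or of FreeIPA, that automates the three checks Flo lists above (AJP connector bound to localhost in pki-tomcat's server.xml, localhost entries for both 127.0.0.1 and ::1 in /etc/hosts, and certmonger requests stuck in CA_UNREACHABLE as seen in `getcert list`). The sample inputs are constructed from the outputs quoted in the thread; the second request ID is made up for contrast.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples (not real files from the thread): a pki-tomcat server.xml whose AJP
# connector is bound to localhost, a correct /etc/hosts, and getcert output modelled on
# Tiemen's, plus a second, healthy request (made-up ID) for contrast.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="localhost"/>
</Service></Server>"""
SAMPLE_HOSTS = """127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6"""
SAMPLE_GETCERT = """Number of certificates and requests being tracked: 2.
Request ID '20170217130857':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://moscovium.ipa.rdmedia.com/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: FAILURE (CA not found: 1ba8130c-56b8-4bd9-ae8a-8b0333d71b80)).
\tCA: IPA
Request ID '20170217130858':
\tstatus: MONITORING
\tCA: IPA"""

def ajp_connector_ok(server_xml):
    """True if an AJP connector exists and every AJP connector listens on localhost only."""
    root = ET.fromstring(server_xml)
    ajp = [c for c in root.iter("Connector") if c.get("protocol", "").startswith("AJP/")]
    return bool(ajp) and all(c.get("address") == "localhost" for c in ajp)

def hosts_localhost_ok(hosts_text):
    """True if /etc/hosts maps the name 'localhost' to both 127.0.0.1 and ::1."""
    addrs = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) > 1 and "localhost" in fields[1:]:
            addrs.add(fields[0])
    return {"127.0.0.1", "::1"} <= addrs

def parse_getcert_list(output):
    """Turn `getcert list` output into one dict of fields per tracked request."""
    requests, current = [], None
    for line in output.splitlines():
        m = re.match(r"Request ID '([^']+)':", line.strip())
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")  # split on the first colon only
            current[key] = value.strip()
    return requests

def unreachable_requests(output):
    """(request id, ca-error) for each request whose CA certmonger cannot reach."""
    return [(r["id"], r.get("ca-error", "")) for r in parse_getcert_list(output)
            if r.get("status") == "CA_UNREACHABLE"]

if __name__ == "__main__":
    print("AJP connector bound to localhost:", ajp_connector_ok(SAMPLE_SERVER_XML))
    print("localhost present for IPv4 and IPv6:", hosts_localhost_ok(SAMPLE_HOSTS))
    for req_id, err in unreachable_requests(SAMPLE_GETCERT):
        print("request", req_id, "cannot reach its CA:", err)
```

On a real master, feed the functions the contents of /etc/pki/pki-tomcat/server.xml, /etc/hosts and the output of `getcert list -d /etc/dirsrv/slapd-DOMAIN` instead of the samples.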