[Freeipa-users] ipa-replica-install hangs: starting certificate server instance

Callum Guy callum.guy at x-on.co.uk
Thu May 18 09:33:17 UTC 2017 

Hi All,

Just following on from this, I have performed an installation without
--setup-ca and it has completed successfully.

I now need to understand what impact this might have, is it the case that I
can still install/configure the CA component? Is there any documentation on
this action?

Also in the event of a failure of my master server (I only have these two)
will all my certificates be invalidated and lost or will the replica still
be able to handle these certificates until a time where a new master has
been created?

Thanks,

Callum


On Thu, May 18, 2017 at 9:57 AM Callum Guy <callum.guy at x-on.co.uk> wrote:

> Hi All,
>
> I am currently stuck trying to setup the first replica of our master IPA
> server. I have tried a number of different approaches including escalating
> from a client and nothing is working for me. I perform a full OS reset each
> time I get stuck.
>
> I'm running CentOS 7.2 with the FreeIPA 4.4.0 (rpm -q reports this version
> however having performed ipa-server-upgrade - does this mean i'm on 4.4.4?).
>
> The command is shown below - note that i am skipping the conn check as my
> platforms security settings do not allow the SSH session to be established
> back on the master, all ports should be available to the application
> however.
>
> [root at ipa2 ~]# ipa-replica-install --ip-address=172.24.0.101 --setup-ca
> --setup-dns --skip-conncheck --no-forwarders SITE.net.gpg
>
> Directory Manager (existing master) password:
>
> ipa         : ERROR    Could not resolve hostname ipa2.SITE.net usis
> check queries IPA DNS directly and ignores /etc/hosts.)
> Continue? [no]: yes
> Configuring NTP daemon (ntpd)
>   [1/4]: stopping ntpd
>   [2/4]: writing configuration
>   [3/4]: configuring ntpd to start on boot
>   [4/4]: starting ntpd
> Done configuring NTP daemon (ntpd).
> Configuring directory server (dirsrv). Estimated time: 1 minute
>   [1/42]: creating directory server user
>   [2/42]: creating directory server instance
>   [3/42]: updating configuration in dse.ldif
>   [4/42]: restarting directory server
>   [5/42]: adding default schema
>   [6/42]: enabling memberof plugin
>   [7/42]: enabling winsync plugin
>   [8/42]: configuring replication version plugin
>   [9/42]: enabling IPA enrollment plugin
>   [10/42]: enabling ldapi
>   [11/42]: configuring uniqueness plugin
>   [12/42]: configuring uuid plugin
>   [13/42]: configuring modrdn plugin
>   [14/42]: configuring DNS plugin
>   [15/42]: enabling entryUSN plugin
>   [16/42]: configuring lockout plugin
>   [17/42]: configuring topology plugin
>   [18/42]: creating indices
>   [19/42]: enabling referential integrity plugin
>   [20/42]: configuring ssl for ds instance
>   [21/42]: configuring certmap.conf
>   [22/42]: configure autobind for root
>   [23/42]: configure new location for managed entries
>   [24/42]: configure dirsrv ccache
>   [25/42]: enabling SASL mapping fallback
>   [26/42]: restarting directory server
>   [27/42]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 4 seconds elapsed
> Update succeeded
>
>   [28/42]: adding sasl mappings to the directory
>   [29/42]: updating schema
>   [30/42]: setting Auto Member configuration
>   [31/42]: enabling S4U2Proxy delegation
>   [32/42]: importing CA certificates from LDAP
>   [33/42]: initializing group membership
>   [34/42]: adding master entry
>   [35/42]: initializing domain level
>   [36/42]: configuring Posix uid/gid generation
>   [37/42]: adding replication acis
>   [38/42]: enabling compatibility plugin
>   [39/42]: activating sidgen plugin
>   [40/42]: activating extdom plugin
>   [41/42]: tuning directory server
>   [42/42]: configuring directory to start on boot
> Done configuring directory server (dirsrv).
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30
> seconds
>   [1/27]: creating certificate server user
>   [2/27]: configuring certificate server instance
>   [3/27]: stopping certificate server instance to update CS.cfg
>   [4/27]: backing up CS.cfg
>   [5/27]: disabling nonces
>   [6/27]: set up CRL publishing
>   [7/27]: enable PKIX certificate path discovery and validation
>   [8/27]: starting certificate server instance
>
> And here is stays and refuses to move on. The ipareplica-install.log log
> reports:
> 2017-05-18T08:40:07Z DEBUG wait_for_open_ports: localhost [8080, 8443]
> timeout 300
> 2017-05-18T08:40:09Z DEBUG Waiting until the CA is running
> 2017-05-18T08:40:09Z DEBUG request POST
> http://ipa2.SITE.net:8080/ca/admin/ca/getStatus
> 2017-05-18T08:40:09Z DEBUG request body ''
>
> I have tried and that port is indeed inaccessible but I can't establish a
> way to progress this issue from any of the the other log files. Also I have
> seen in the 4.4.4 release notes that IPv6 being disabled on the master can
> cause issues, re-enabling (at least in /etc/hosts) did not seem to help.
>
> If anyone is able to offer ideas that would be very much appreciated. I am
> tempted to remove the --setup-ca option to see if this helps.
>
> Thanks,
>
> Callum
>
>

-- 



*0333 332 0000  |  www.x-on.co.uk <http://www.x-on.co.uk>  |   ** 
<https://www.linkedin.com/company/x-on>   <https://www.facebook.com/XonTel> 
  <https://twitter.com/xonuk> * 
X-on is a trading name of Storacall Technology Ltd a limited company 
registered in England and Wales.
Registered Office : Avaland House, 110 London Road, Apsley, Hemel 
Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
The information in this e-mail is confidential and for use by the 
addressee(s) only. If you are not the intended recipient, please notify 
X-on immediately on +44(0)333 332 0000 and delete the
message from your computer. If you are not a named addressee you must not 
use, disclose, disseminate, distribute, copy, print or reply to this email. Views 
or opinions expressed by an individual
within this email may not necessarily reflect the views of X-on or its 
associated companies. Although X-on routinely screens for viruses, 
addressees should scan this email and any attachments
for viruses. X-on makes no representation or warranty as to the absence of 
viruses in this email or any attachments.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20170518/4afa184d/attachment.htm>

More information about the Freeipa-users mailing list