[Freeipa-users] ipa-replica-install hangs: starting certificate server instance

Lachlan Musicman datakid at gmail.com
Thu May 18 10:01:53 UTC 2017


Sorry cobber. We only found 6766 today - we've been tackling it on and off
for a couple of weeks :)

------
"Mission Statement: To provide hope and inspiration for collective action,
to build collective power, to achieve collective transformation, rooted in
grief and rage but pointed towards vision and dreams."

 - Patrice Cullors, *Black Lives Matter founder*

On 18 May 2017 at 19:53, Callum Guy <callum.guy at x-on.co.uk> wrote:

> Ah, thanks for that Lachlan - it's always reassuring to hear that it's not
> just me!
>
> As mentioned above I have it running without the CA so that's a good
> start. I am sure we will upgrade as well once 4.5 becomes stable and GA for
> CentOS. I'm not expecting that to happen quickly so will have to work with
> what we have for now.
>
> Do you happen to know if there is any way to build the CA component
> separately?
>
> On Thu, May 18, 2017 at 10:38 AM Lachlan Musicman <datakid at gmail.com>
> wrote:
>
>> https://pagure.io/freeipa/issue/6766
>>
>> 4.5.1 - I stand corrected. Can add more tomorrow.
>>
>> On 18 May 2017 at 19:34, Lachlan Musicman <datakid at gmail.com> wrote:
>>
>>> We are seeing this. I'm not at work, but I think it's bug report 6766.
>>>
>>> Patch has already been committed (not by us), we're waiting for IPA 4.5.
>>>
>>> cheers
>>> L.
>>>
>>> On 18 May 2017 at 18:57, Callum Guy <callum.guy at x-on.co.uk> wrote:
>>>
>>>> Hi All,
>>>>
>>>> I am currently stuck trying to set up the first replica of our master
>>>> IPA server. I have tried a number of different approaches including
>>>> escalating from a client and nothing is working for me. I perform a full OS
>>>> reset each time I get stuck.
>>>>
>>>> I'm running CentOS 7.2 with the FreeIPA 4.4.0 (rpm -q reports this
>>>> version however having performed ipa-server-upgrade - does this mean I'm on
>>>> 4.4.4?).
>>>>
>>>> The command is shown below - note that I am skipping the conn check as
>>>> my platform's security settings do not allow the SSH session to be
>>>> established back on the master, all ports should be available to the
>>>> application however.
>>>>
>>>> [root at ipa2 ~]# ipa-replica-install --ip-address=172.24.0.101
>>>> --setup-ca --setup-dns --skip-conncheck --no-forwarders SITE.net.gpg
>>>>
>>>> Directory Manager (existing master) password:
>>>>
>>>> ipa         : ERROR    Could not resolve hostname ipa2.SITE.net usis
>>>> check queries IPA DNS directly and ignores /etc/hosts.)
>>>> Continue? [no]: yes
>>>> Configuring NTP daemon (ntpd)
>>>>   [1/4]: stopping ntpd
>>>>   [2/4]: writing configuration
>>>>   [3/4]: configuring ntpd to start on boot
>>>>   [4/4]: starting ntpd
>>>> Done configuring NTP daemon (ntpd).
>>>> Configuring directory server (dirsrv). Estimated time: 1 minute
>>>>   [1/42]: creating directory server user
>>>>   [2/42]: creating directory server instance
>>>>   [3/42]: updating configuration in dse.ldif
>>>>   [4/42]: restarting directory server
>>>>   [5/42]: adding default schema
>>>>   [6/42]: enabling memberof plugin
>>>>   [7/42]: enabling winsync plugin
>>>>   [8/42]: configuring replication version plugin
>>>>   [9/42]: enabling IPA enrollment plugin
>>>>   [10/42]: enabling ldapi
>>>>   [11/42]: configuring uniqueness plugin
>>>>   [12/42]: configuring uuid plugin
>>>>   [13/42]: configuring modrdn plugin
>>>>   [14/42]: configuring DNS plugin
>>>>   [15/42]: enabling entryUSN plugin
>>>>   [16/42]: configuring lockout plugin
>>>>   [17/42]: configuring topology plugin
>>>>   [18/42]: creating indices
>>>>   [19/42]: enabling referential integrity plugin
>>>>   [20/42]: configuring ssl for ds instance
>>>>   [21/42]: configuring certmap.conf
>>>>   [22/42]: configure autobind for root
>>>>   [23/42]: configure new location for managed entries
>>>>   [24/42]: configure dirsrv ccache
>>>>   [25/42]: enabling SASL mapping fallback
>>>>   [26/42]: restarting directory server
>>>>   [27/42]: setting up initial replication
>>>> Starting replication, please wait until this has completed.
>>>> Update in progress, 4 seconds elapsed
>>>> Update succeeded
>>>>
>>>>   [28/42]: adding sasl mappings to the directory
>>>>   [29/42]: updating schema
>>>>   [30/42]: setting Auto Member configuration
>>>>   [31/42]: enabling S4U2Proxy delegation
>>>>   [32/42]: importing CA certificates from LDAP
>>>>   [33/42]: initializing group membership
>>>>   [34/42]: adding master entry
>>>>   [35/42]: initializing domain level
>>>>   [36/42]: configuring Posix uid/gid generation
>>>>   [37/42]: adding replication acis
>>>>   [38/42]: enabling compatibility plugin
>>>>   [39/42]: activating sidgen plugin
>>>>   [40/42]: activating extdom plugin
>>>>   [41/42]: tuning directory server
>>>>   [42/42]: configuring directory to start on boot
>>>> Done configuring directory server (dirsrv).
>>>> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
>>>> 30 seconds
>>>>   [1/27]: creating certificate server user
>>>>   [2/27]: configuring certificate server instance
>>>>   [3/27]: stopping certificate server instance to update CS.cfg
>>>>   [4/27]: backing up CS.cfg
>>>>   [5/27]: disabling nonces
>>>>   [6/27]: set up CRL publishing
>>>>   [7/27]: enable PKIX certificate path discovery and validation
>>>>   [8/27]: starting certificate server instance
>>>>
>>>> And here it stays and refuses to move on. The ipareplica-install.log
>>>> log reports:
>>>> 2017-05-18T08:40:07Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
>>>> 2017-05-18T08:40:09Z DEBUG Waiting until the CA is running
>>>> 2017-05-18T08:40:09Z DEBUG request POST http://ipa2.SITE.net:8080/ca/admin/ca/getStatus
>>>> 2017-05-18T08:40:09Z DEBUG request body ''
>>>>
>>>> I have tried and that port is indeed inaccessible but I can't establish
>>>> a way to progress this issue from any of the other log files. Also I
>>>> have seen in the 4.4.4 release notes that IPv6 being disabled on the master
>>>> can cause issues, re-enabling (at least in /etc/hosts) did not seem to help.
>>>>
>>>> If anyone is able to offer ideas that would be very much appreciated. I
>>>> am tempted to remove the --setup-ca option to see if this helps.
>>>>
>>>> Thanks,
>>>>
>>>> Callum
>>>>
>>>>
>>>>
>>>> *0333 332 0000  |  www.x-on.co.uk <http://www.x-on.co.uk>  |   **
>>>> <https://www.linkedin.com/company/x-on>   <https://www.facebook.com/XonTel>
>>>>   <https://twitter.com/xonuk> *
>>>> X-on is a trading name of Storacall Technology Ltd a limited company
>>>> registered in England and Wales.
>>>> Registered Office : Avaland House, 110 London Road, Apsley, Hemel
>>>> Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
>>>> The information in this e-mail is confidential and for use by the
>>>> addressee(s) only. If you are not the intended recipient, please notify
>>>> X-on immediately on +44(0)333 332 0000 <+44%20333%20332%200000> and
>>>> delete the
>>>> message from your computer. If you are not a named addressee you must
>>>> not use, disclose, disseminate, distribute, copy, print or reply to this
>>>> email. Views or opinions expressed by an individual
>>>> within this email may not necessarily reflect the views of X-on or its
>>>> associated companies. Although X-on routinely screens for viruses,
>>>> addressees should scan this email and any attachments
>>>> for viruses. X-on makes no representation or warranty as to the absence
>>>> of viruses in this email or any attachments.
>>>>
>>>>
>>>
>>>
>>
>
>
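Added example (not part of the original thread and not FreeIPA code): a small triage helper that reads the ipareplica-install.log DEBUG lines quoted above, recovers which ports and which status URL the installer was last waiting on, and reports which of those ports do not accept a TCP connection. The function names are hypothetical, and the two patterns cover only the line shapes shown in the post.

```python
import re
import socket

# Log lines as quoted in the post above (mail-wrapped lines rejoined).
SAMPLE_LOG = """\
2017-05-18T08:40:07Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
2017-05-18T08:40:09Z DEBUG Waiting until the CA is running
2017-05-18T08:40:09Z DEBUG request POST http://ipa2.SITE.net:8080/ca/admin/ca/getStatus
2017-05-18T08:40:09Z DEBUG request body ''
"""

PORTS_RE = re.compile(r"DEBUG wait_for_open_ports: (\S+) \[([\d, ]+)\] timeout (\d+)")
# Upper-case method and an http(s) URL, so "request body ''" is not matched.
REQUEST_RE = re.compile(r"DEBUG request ([A-Z]+) (https?://\S+)")


def last_wait(log_text):
    """Return the last port wait and last HTTP request seen in the log."""
    state = {"host": None, "ports": [], "timeout": None, "request": None}
    for line in log_text.splitlines():
        m = PORTS_RE.search(line)
        if m:
            state["host"] = m.group(1)
            state["ports"] = [int(p) for p in m.group(2).split(",")]
            state["timeout"] = int(m.group(3))
            continue
        m = REQUEST_RE.search(line)
        if m:
            state["request"] = (m.group(1), m.group(2))
    return state


def closed_ports(host, ports, timeout=2.0):
    """Return the ports on host that refuse or time out on a TCP connect."""
    closed = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                pass
        except OSError:
            closed.append(port)
    return closed


if __name__ == "__main__":
    st = last_wait(SAMPLE_LOG)
    print("installer was waiting on:", st["host"], st["ports"], st["request"])
    print("not accepting connections:", closed_ports(st["host"], st["ports"]))
```

Run on the replica itself, pointing last_wait() at the real log contents instead of SAMPLE_LOG.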