[Freeipa-users] ipa-replica-install hangs: starting certificate server instance
Martin Bašti
mbasti at redhat.com
Thu May 18 11:46:02 UTC 2017
Please note that commits in #6766 will not fix this issue, the issue is
on dogtag side, please see https://pagure.io/dogtagpki/issue/2646
Sorry for troubles
On 18.05.2017 12:19, Callum Guy wrote:
> Haha, looks like I'm going CA-less for a while on the replica. I don't
> see any immediate requirement for one so time to get on with my life!
>
> I'll post back if anything changes but I'm probably stuck waiting for
> the upgrade too..
>
> On Thu, May 18, 2017 at 11:01 AM Lachlan Musicman <datakid at gmail.com> wrote:
>
> Sorry cobber. We only found 6766 today - we've been tackling it on
> and off for a couple of weeks :)
>
> ------
> "Mission Statement: To provide hope and inspiration for collective
> action, to build collective power, to achieve collective
> transformation, rooted in grief and rage but pointed towards
> vision and dreams."
>
> - Patrice Cullors, /Black Lives Matter founder/
>
> On 18 May 2017 at 19:53, Callum Guy <callum.guy at x-on.co.uk> wrote:
>
> Ah, thanks for that Lachlan - it's always reassuring to hear
> that it's not just me!
>
> As mentioned above I have it running without the CA so that's
> a good start. I am sure we will upgrade as well once 4.5
> becomes stable and GA for CentOS. I'm not expecting that to
> happen quickly so will have to work with what we have for now.
>
> Do you happen to know if there is any way to build the CA
> component separately?
>
> On Thu, May 18, 2017 at 10:38 AM Lachlan Musicman <datakid at gmail.com> wrote:
>
> https://pagure.io/freeipa/issue/6766
>
> 4.5.1 - I stand corrected. Can add more tomorrow.
>
> On 18 May 2017 at 19:34, Lachlan Musicman <datakid at gmail.com> wrote:
>
> We are seeing this. I'm not at work, but I think it's
> bug report 6766.
>
> Patch has already been committed (not by us), we're
> waiting for IPA 4.5.
>
> cheers
> L.
>
> On 18 May 2017 at 18:57, Callum Guy <callum.guy at x-on.co.uk> wrote:
>
> Hi All,
>
> I am currently stuck trying to setup the first
> replica of our master IPA server. I have tried a
> number of different approaches including
> escalating from a client and nothing is working
> for me. I perform a full OS reset each time I get
> stuck.
>
> I'm running CentOS 7.2 with the FreeIPA 4.4.0 (rpm
> -q reports this version however having performed
> ipa-server-upgrade - does this mean I'm on 4.4.4?).
>
> The command is shown below - note that I am
> skipping the conn check as my platform's security
> settings do not allow the SSH session to be
> established back on the master, all ports should
> be available to the application however.
>
> [root@ipa2 ~]# ipa-replica-install --ip-address=172.24.0.101 --setup-ca --setup-dns --skip-conncheck --no-forwarders SITE.net.gpg
>
> Directory Manager (existing master) password:
>
> ipa : ERROR Could not resolve hostname
> ipa2.SITE.net usis check
> queries IPA DNS directly and ignores /etc/hosts.)
> Continue? [no]: yes
> Configuring NTP daemon (ntpd)
> [1/4]: stopping ntpd
> [2/4]: writing configuration
> [3/4]: configuring ntpd to start on boot
> [4/4]: starting ntpd
> Done configuring NTP daemon (ntpd).
> Configuring directory server (dirsrv). Estimated
> time: 1 minute
> [1/42]: creating directory server user
> [2/42]: creating directory server instance
> [3/42]: updating configuration in dse.ldif
> [4/42]: restarting directory server
> [5/42]: adding default schema
> [6/42]: enabling memberof plugin
> [7/42]: enabling winsync plugin
> [8/42]: configuring replication version plugin
> [9/42]: enabling IPA enrollment plugin
> [10/42]: enabling ldapi
> [11/42]: configuring uniqueness plugin
> [12/42]: configuring uuid plugin
> [13/42]: configuring modrdn plugin
> [14/42]: configuring DNS plugin
> [15/42]: enabling entryUSN plugin
> [16/42]: configuring lockout plugin
> [17/42]: configuring topology plugin
> [18/42]: creating indices
> [19/42]: enabling referential integrity plugin
> [20/42]: configuring ssl for ds instance
> [21/42]: configuring certmap.conf
> [22/42]: configure autobind for root
> [23/42]: configure new location for managed entries
> [24/42]: configure dirsrv ccache
> [25/42]: enabling SASL mapping fallback
> [26/42]: restarting directory server
> [27/42]: setting up initial replication
> Starting replication, please wait until this has
> completed.
> Update in progress, 4 seconds elapsed
> Update succeeded
>
> [28/42]: adding sasl mappings to the directory
> [29/42]: updating schema
> [30/42]: setting Auto Member configuration
> [31/42]: enabling S4U2Proxy delegation
> [32/42]: importing CA certificates from LDAP
> [33/42]: initializing group membership
> [34/42]: adding master entry
> [35/42]: initializing domain level
> [36/42]: configuring Posix uid/gid generation
> [37/42]: adding replication acis
> [38/42]: enabling compatibility plugin
> [39/42]: activating sidgen plugin
> [40/42]: activating extdom plugin
> [41/42]: tuning directory server
> [42/42]: configuring directory to start on boot
> Done configuring directory server (dirsrv).
> Configuring certificate server (pki-tomcatd).
> Estimated time: 3 minutes 30 seconds
> [1/27]: creating certificate server user
> [2/27]: configuring certificate server instance
> [3/27]: stopping certificate server instance to
> update CS.cfg
> [4/27]: backing up CS.cfg
> [5/27]: disabling nonces
> [6/27]: set up CRL publishing
> [7/27]: enable PKIX certificate path discovery
> and validation
> [8/27]: starting certificate server instance
>
> And here it stays and refuses to move on. The
> ipareplica-install.log log reports:
> 2017-05-18T08:40:07Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
> 2017-05-18T08:40:09Z DEBUG Waiting until the CA is running
> 2017-05-18T08:40:09Z DEBUG request POST http://ipa2.SITE.net:8080/ca/admin/ca/getStatus
> 2017-05-18T08:40:09Z DEBUG request body ''
>
> I have tried and that port is indeed inaccessible
> but I can't establish a way to progress this issue
> from any of the other log files. Also I have
> seen in the 4.4.4 release notes that IPv6 being
> disabled on the master can cause issues,
> re-enabling (at least in /etc/hosts) did not seem
> to help.
>
> If anyone is able to offer ideas that would be
> very much appreciated. I am tempted to remove the
> --setup-ca option to see if this helps.
>
> Thanks,
>
> Callum
>
>
>
> 0333 332 0000 | www.x-on.co.uk
> X-on is a trading name of Storacall Technology Ltd
> a limited company registered in England and Wales.
> Registered Office : Avaland House, 110 London
> Road, Apsley, Hemel Hempstead, Herts, HP3 9SD.
> Company Registration No. 2578478.
> The information in this e-mail is confidential and
> for use by the addressee(s) only. If you are not
> the intended recipient, please notify X-on
> immediately on +44(0)333 332 0000 and delete the
> message from your computer. If you are not a named
> addressee you must not use, disclose, disseminate,
> distribute, copy, print or reply to this email.
> Views or opinions expressed by an individual
> within this email may not necessarily reflect the
> views of X-on or its associated companies.
> Although X-on routinely screens for viruses,
> addressees should scan this email and any attachments
> for viruses. X-on makes no representation or
> warranty as to the absence of viruses in this
> email or any attachments.
--
Martin Bašti
Software Engineer
Red Hat Czech
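
The stall visible in the quoted ipareplica-install.log excerpt, as an added example that is not part of the thread or of FreeIPA: a Python check that reads the log, pulls the ports and timeout out of the `wait_for_open_ports` line, and reports whether a `request` to the CA is still unanswered. The `parse` and `diagnose` names, the `response ` prefix used to recognise a reply, and the sample text are assumptions made for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the four DEBUG lines quoted in the thread, unwrapped.
SAMPLE_LOG = """\
2017-05-18T08:40:07Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
2017-05-18T08:40:09Z DEBUG Waiting until the CA is running
2017-05-18T08:40:09Z DEBUG request POST http://ipa2.SITE.net:8080/ca/admin/ca/getStatus
2017-05-18T08:40:09Z DEBUG request body ''
"""

ENTRY = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (\w+) (.*)$")
PORTS = re.compile(r"wait_for_open_ports: (\S+) \[([\d, ]+)\] timeout (\d+)")
REQUEST = re.compile(r"request (?:GET|POST) (\S+)")


def parse(text):
    """Return [timestamp, level, message] entries; lines without a timestamp
    (tracebacks, wrapped text) are appended to the preceding entry."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY.match(raw)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            entries.append([ts.replace(tzinfo=timezone.utc), m.group(2), m.group(3)])
        elif entries and raw.strip():
            entries[-1][2] += " " + raw.strip()
    return entries


def diagnose(text, now):
    """Summarise what the installer was last waiting for and for how long."""
    entries = parse(text)
    if not entries:
        return None
    report = {"ports": None, "timeout": None, "pending_request": None}
    for _ts, _level, msg in entries:
        if (m := PORTS.match(msg)):
            report["ports"] = [int(p) for p in m.group(2).split(",")]
            report["timeout"] = int(m.group(3))
        elif (m := REQUEST.match(msg)):
            report["pending_request"] = m.group(1)
        elif msg.startswith("response "):  # assumed format of the reply lines
            report["pending_request"] = None
    report["silent_seconds"] = int((now - entries[-1][0]).total_seconds())
    limit = report["timeout"] or 300  # fall back to the timeout seen in the thread
    report["stalled"] = bool(report["pending_request"]) and report["silent_seconds"] > limit
    return report
```

Run against the real log with `diagnose(open(path).read(), datetime.now(timezone.utc))`; a pending `getStatus` request with silence longer than the logged timeout matches the hang described in the thread.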