<div dir="ltr">Can you give me a couple of test commands? I am not familiar with Dogtag. <div> </div><div>Groeten,</div><div> </div><div>David</div></div><div class="gmail_extra"> <div class="gmail_quote">2016-11-29 14:57 GMT+01:00 David Kupka <<a href="mailto:dkupka@redhat.com" target="_blank">dkupka@redhat.com</a>>: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 29/11/16 13:55, David Dejaeghere wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Correct. Same symptoms. 2016-11-29T10:29:42Z DEBUG certmonger request is in state dbus.String(u'CA_UNREACHABLE', variant_level=1) Fedora 24 Server [root@ns02 ~]# dnf history userinstalled Packages installed by user freeipa-client-4.3.2-2.fc24.x86_64 freeipa-server-4.3.2-2.fc24.x86_64 grub2-1:2.02-0.34.fc24.x86_64 kernel-4.5.5-300.fc24.x86_64 kernel-4.8.8-200.fc24.x86_64 lvm2-2.02.150-2.fc24.x86_64 xfsprogs-4.5.0-2.fc24.x86_64 </blockquote> Ok. I've reproduced it by simply stopping dogtag on FreeIPA server while installing the replica. I see the exactly same errors as you've reported and are described in the ticket, now. Is dogtag running on your master? Is in responding (e.g. issuing certificates for users)? Is it accessible from the replica?<div class="HOEnZb"><div class="h5"> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> 2016-11-29 13:41 GMT+01:00 Petr Vobornik <<a href="mailto:pvoborni@redhat.com" target="_blank">pvoborni@redhat.com</a>>: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> On 11/29/2016 12:43 PM, David Kupka wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> On 29/11/16 12:15, David Dejaeghere wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Seems like it is but it does not show a server cert for dirsrv [root@ns02 ~]# ls -lZ /etc/dirsrv/slapd-SOMETHING-BE/ total 468 -rw-------. 1 dirsrv root unconfined_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db -rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db.orig -r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 1623 Nov 29 11:29 certmap.conf -rw-------. 1 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 89977 Nov 29 11:29 dse.ldif -rw-------. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 89977 Nov 29 11:29 dse.ldif.bak -rw-------. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 89977 Nov 29 11:29 dse.ldif.startOK -r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 36228 Nov 29 11:28 dse_original.ldif -rw-------. 1 dirsrv root unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db -rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db.orig -r--------. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 66 Nov 29 11:29 pin.txt -rw-------. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 40 Nov 29 11:29 pwdfile.txt drwxrwx---. 2 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 4096 Nov 29 11:29 schema -rw-------. 1 dirsrv root unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db -rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db.orig -r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 15142 Nov 29 11:28 slapd-collations.conf [root@ns02 ~]# certutil -d /etc/dirsrv/slapd-SOMETHING-BE -L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI CN=something-PAPRIKA-CA,DC=something,DC=local CT,C,C <a href="http://SOMETHING.BE" rel="noreferrer" target="_blank">SOMETHING.BE</a> IPA CA CT,C,C [root@ns02 ~]# certutil -d /etc/dirsrv/slapd-SOMETHING-BE -L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI CN=something-PAPRIKA-CA,DC=something,DC=local CT,C,C <a href="http://SOMETHING.BE" rel="noreferrer" target="_blank">SOMETHING.BE</a> IPA CA CT,C,C [root@ns02 ~]# ausearch -m avc -i <no matches> </blockquote> Exactly, the NSSDB should be accessible to dirsrv and is missing the Server-Cert but I don't understand why there's "bad database" error in the errors log. I'll try to reproduce it. What version of FreeIPA are you using? On what system? </blockquote> Right. Seems bit similar to <a href="https://fedorahosted.org/freeipa/ticket/6514" rel="noreferrer" target="_blank">https://fedorahosted.org/freeipa/ticket/6514</a> would be good to check if it has the same symptoms, mainly certmonger request is in state dbus.String(u'CA_UNREACHABLE', variant_level=1) in replica install log. <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> 2016-11-29 12:09 GMT+01:00 David Kupka <<a href="mailto:dkupka@redhat.com" target="_blank">dkupka@redhat.com</a>>: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> On 29/11/16 11:51, David Dejaeghere wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Hi, I have a setup where i want to add a replica. The first master setup has an externally signed cert for dirsrv and httpd. The replica is prepapred succesfully with ipa-client-install but the replica install then keeps failing. It seems that during install dirserv is not configured correctly with a valid server certificate. Output from the dirsrv error added to this email as well. [root@ns02 ~]# ipa-replica-install --setup-ca WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd Run connection check to master Connection check OK Configuring NTP daemon (ntpd) [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd Done configuring NTP daemon (ntpd). Configuring directory server (dirsrv). Estimated time: 1 minute [1/43]: creating directory server user [2/43]: creating directory server instance [3/43]: restarting directory server [4/43]: adding default schema [5/43]: enabling memberof plugin [6/43]: enabling winsync plugin [7/43]: configuring replication version plugin [8/43]: enabling IPA enrollment plugin [9/43]: enabling ldapi [10/43]: configuring uniqueness plugin [11/43]: configuring uuid plugin [12/43]: configuring modrdn plugin [13/43]: configuring DNS plugin [14/43]: enabling entryUSN plugin [15/43]: configuring lockout plugin [16/43]: configuring topology plugin [17/43]: creating indices [18/43]: enabling referential integrity plugin [19/43]: configuring certmap.conf [20/43]: configure autobind for root [21/43]: configure new location for managed entries [22/43]: configure dirsrv ccache [23/43]: enabling SASL mapping fallback [24/43]: restarting directory server [25/43]: creating DS keytab [26/43]: retrieving DS Certificate [27/43]: restarting directory server ipa : CRITICAL Failed to restart the directory server (Command '/bin/systemctl restart dirsrv@SOMETHING-BE.service' returned </blockquote></blockquote></blockquote></blockquote> non-zero <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> exit status 1). See the installation log for details. [28/43]: setting up initial replication [error] error: [Errno 111] Connection refused Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. [29/Nov/2016:11:29:44.034285579 +0100] SSL alert: Security Initialization: Can't find certificate (Server-Cert) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 </blockquote></blockquote></blockquote></blockquote> - <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> security library: bad database.) [29/Nov/2016:11:29:44.045039728 +0100] SSL alert: Security Initialization: Unable to retrieve private key for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 </blockquote></blockquote></blockquote></blockquote> - <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> security library: bad database.) </blockquote> Hello David, The error from the log indicates that either the NSSDB for dirsrv is </blockquote></blockquote></blockquote> not <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> initialized or not accessible. Could you please send output of the following commands? # ls -lZ /etc/dirsrv/slapd-$REALM/ # certutil -d /etc/dirsrv/slapd-$REALM/ -L # ausearch -m avc -i -- David Kupka </blockquote></blockquote></blockquote> -- Petr Vobornik </blockquote> </blockquote> </div></div> -- David Kupka </blockquote></div> </div>