<div dir="ltr">Hi,<div><br></div><div>The Pki service is running and I cannot find any issues with it. I can run a curl request to the master hostname on port 8443 and communication works fine.</div><div>Any other idea why this replica install code would fail and log CA_UNREACHABLE?</div><div><br></div><div>Regards,</div><div><br></div><div>David</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-11-29 22:16 GMT+01:00 Florence Blanc-Renaud <span dir="ltr"><<a href="mailto:flo@redhat.com" target="_blank">flo@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 11/29/2016 03:19 PM, David Dejaeghere wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Can you give me a couple of test commands?<br>
I am not familiar with Dogtag.<br>
<br>
</blockquote></span>
Hi,<br>
<br>
To reproduce the issue:<br>
1. install IPA server<br>
2. On the replica, run ipa-client-install<br>
3. On the server, stop dogtag with<br>
$ systemctl stop pki-tomcatd@pki-tomcat.service<br>
4. On the replica, run ipa-replica-install<br>
<br>
When you want to restart dogtag, you can run<br>
$ systemctl start pki-tomcatd@pki-tomcat.service<br>
<br>
If you want to check if dogtag is running:<br>
$ systemctl status pki-tomcatd@pki-tomcat.service<br>
<br>
You may find more information on Dogtag here:<br>
<a href="http://pki.fedoraproject.org/wiki/PKI_Main_Page" rel="noreferrer" target="_blank">http://pki.fedoraproject.org/wiki/PKI_Main_Page</a><br>
<a href="http://pki.fedoraproject.org/wiki/IPA" rel="noreferrer" target="_blank">http://pki.fedoraproject.org/wiki/IPA</a><br>
<a href="http://pki.fedoraproject.org/wiki/Debugging_the_state_of_dogtag_in_an_ipa_install" rel="noreferrer" target="_blank">http://pki.fedoraproject.org/wiki/Debugging_the_state_of_dogtag_in_an_ipa_install</a><br>
<br>
Flo<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
Groeten,<br>
<br>
David<br>
<br>
2016-11-29 14:57 GMT+01:00 David Kupka <<a href="mailto:dkupka@redhat.com" target="_blank">dkupka@redhat.com</a><br></span>
<mailto:<a href="mailto:dkupka@redhat.com" target="_blank">dkupka@redhat.com</a>>>:<span class=""><br>
<br>
On 29/11/16 13:55, David Dejaeghere wrote:<br>
<br>
Correct. Same symptoms.<br>
<br>
2016-11-29T10:29:42Z DEBUG certmonger request is in state<br>
dbus.String(u'CA_UNREACHABLE', variant_level=1)<br>
<br>
Fedora 24 Server<br>
<br>
[root@ns02 ~]# dnf history userinstalled<br>
Packages installed by user<br>
freeipa-client-4.3.2-2.fc24.x86_64<br>
freeipa-server-4.3.2-2.fc24.x86_64<br>
grub2-1:2.02-0.34.fc24.x86_64<br>
kernel-4.5.5-300.fc24.x86_64<br>
kernel-4.8.8-200.fc24.x86_64<br>
lvm2-2.02.150-2.fc24.x86_64<br>
xfsprogs-4.5.0-2.fc24.x86_64<br>
<br>
<br>
Ok. I've reproduced it by simply stopping dogtag on the FreeIPA server while installing the replica. I now see exactly the same errors as you've reported and as are described in the ticket.<br>
<br>
Is dogtag running on your master? Is it responding (e.g. issuing certificates for users)? Is it accessible from the replica?<br>
<br>
<br>
<br>
2016-11-29 13:41 GMT+01:00 Petr Vobornik <<a href="mailto:pvoborni@redhat.com" target="_blank">pvoborni@redhat.com</a><br></span>
<mailto:<a href="mailto:pvoborni@redhat.com" target="_blank">pvoborni@redhat.com</a>>>:<div><div class="h5"><br>
<br>
On 11/29/2016 12:43 PM, David Kupka wrote:<br>
<br>
On 29/11/16 12:15, David Dejaeghere wrote:<br>
<br>
Seems like it is but it does not show a server cert<br>
for dirsrv<br>
<br>
[root@ns02 ~]# ls -lZ /etc/dirsrv/slapd-SOMETHING-BE/<br>
total 468<br>
-rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db<br>
-rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db.orig<br>
-r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  1623 Nov 29 11:29 certmap.conf<br>
-rw-------. 1 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0     89977 Nov 29 11:29 dse.ldif<br>
-rw-------. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0     89977 Nov 29 11:29 dse.ldif.bak<br>
-rw-------. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0     89977 Nov 29 11:29 dse.ldif.startOK<br>
-r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 36228 Nov 29 11:28 dse_original.ldif<br>
-rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db<br>
-rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db.orig<br>
-r--------. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0    66 Nov 29 11:29 pin.txt<br>
-rw-------. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0    40 Nov 29 11:29 pwdfile.txt<br>
drwxrwx---. 2 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  4096 Nov 29 11:29 schema<br>
-rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db<br>
-rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db.orig<br>
-r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 15142 Nov 29 11:28 slapd-collations.conf<br>
<br>
[root@ns02 ~]# certutil -d /etc/dirsrv/slapd-SOMETHING-BE -L<br>
<br>
Certificate Nickname                                         Trust Attributes<br>
                                                             SSL,S/MIME,JAR/XPI<br>
<br>
CN=something-PAPRIKA-CA,DC=something,DC=local                CT,C,C<br></div></div>
SOMETHING.BE IPA CA                                          CT,C,C<span class=""><br></span>
<span class="">
<br>
[root@ns02 ~]# ausearch -m avc -i<br>
<no matches><br>
<br>
<br>
<br>
Exactly, the NSSDB should be accessible to dirsrv and is missing the Server-Cert but I don't understand why there's "bad database" error in the errors log. I'll try to reproduce it. What version of FreeIPA are you using? On what system?<br>
<br>
<br>
Right.<br>
<br>
Seems a bit similar to <a href="https://fedorahosted.org/freeipa/ticket/6514" rel="noreferrer" target="_blank">https://fedorahosted.org/freeipa/ticket/6514</a>. Would be good to check if it has the same symptoms, mainly<br>
<br>
certmonger request is in state dbus.String(u'CA_UNREACHABLE', variant_level=1)<br>
<br>
in replica install log.<br>
<br>
<br>
<br>
<br>
2016-11-29 12:09 GMT+01:00 David Kupka<br></span>
<<a href="mailto:dkupka@redhat.com" target="_blank">dkupka@redhat.com</a> <mailto:<a href="mailto:dkupka@redhat.com" target="_blank">dkupka@redhat.com</a>>>:<div><div class="h5"><br>
<br>
On 29/11/16 11:51, David Dejaeghere wrote:<br>
<br>
Hi,<br>
<br>
I have a setup where I want to add a replica. The first master setup has an externally signed cert for dirsrv and httpd. The replica is prepared successfully with ipa-client-install but the replica install then keeps failing. It seems that during install dirsrv is not configured correctly with a valid server certificate. Output from the dirsrv error log added to this email as well.<br>
<br>
[root@ns02 ~]# ipa-replica-install --setup-ca<br>
WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd<br>
<br>
Run connection check to master<br>
Connection check OK<br>
Configuring NTP daemon (ntpd)<br>
  [1/4]: stopping ntpd<br>
  [2/4]: writing configuration<br>
  [3/4]: configuring ntpd to start on boot<br>
  [4/4]: starting ntpd<br>
Done configuring NTP daemon (ntpd).<br>
Configuring directory server (dirsrv). Estimated time: 1 minute<br>
  [1/43]: creating directory server user<br>
  [2/43]: creating directory server instance<br>
  [3/43]: restarting directory server<br>
  [4/43]: adding default schema<br>
  [5/43]: enabling memberof plugin<br>
  [6/43]: enabling winsync plugin<br>
  [7/43]: configuring replication version plugin<br>
  [8/43]: enabling IPA enrollment plugin<br>
  [9/43]: enabling ldapi<br>
  [10/43]: configuring uniqueness plugin<br>
  [11/43]: configuring uuid plugin<br>
  [12/43]: configuring modrdn plugin<br>
  [13/43]: configuring DNS plugin<br>
  [14/43]: enabling entryUSN plugin<br>
  [15/43]: configuring lockout plugin<br>
  [16/43]: configuring topology plugin<br>
  [17/43]: creating indices<br>
  [18/43]: enabling referential integrity plugin<br>
  [19/43]: configuring certmap.conf<br>
  [20/43]: configure autobind for root<br>
  [21/43]: configure new location for managed entries<br>
  [22/43]: configure dirsrv ccache<br>
  [23/43]: enabling SASL mapping fallback<br>
  [24/43]: restarting directory server<br>
  [25/43]: creating DS keytab<br>
  [26/43]: retrieving DS Certificate<br>
  [27/43]: restarting directory server<br>
ipa         : CRITICAL Failed to restart the directory server (Command '/bin/systemctl restart dirsrv@SOMETHING-BE.service' returned non-zero exit status 1). See the installation log for details.<br>
  [28/43]: setting up initial replication<br>
  [error] error: [Errno 111] Connection refused<br>
Your system may be partly configured.<br>
Run /usr/sbin/ipa-server-install --uninstall to clean up.<br>
<br>
<br>
[29/Nov/2016:11:29:44.034285579 +0100] SSL alert: Security Initialization: Can't find certificate (Server-Cert) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)<br>
[29/Nov/2016:11:29:44.045039728 +0100] SSL alert: Security Initialization: Unable to retrieve private key for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)<br>
<br>
<br>
<br>
<br>
Hello David,<br>
<br>
The error from the log indicates that either the NSSDB for dirsrv is not initialized or not accessible.<br>
<br>
Could you please send output of the following commands?<br>
<br>
# ls -lZ /etc/dirsrv/slapd-$REALM/<br>
# certutil -d /etc/dirsrv/slapd-$REALM/ -L<br>
# ausearch -m avc -i<br>
<br>
<br>
--<br>
David Kupka<br>
<br>
<br>
<br>
--<br>
Petr Vobornik<br>
<br>
<br>
<br>
<br>
--<br>
David Kupka<br>
<br>
<br>
<br>
<br>
</div></div></blockquote>
<br>
</blockquote></div><br></div>
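A small triage script for the two things the thread keeps coming back to: whether the dirsrv NSS database actually holds a Server-Cert nickname (the "bad database" error), and whether the replica can reach the master's CA on port 8443 (the CA_UNREACHABLE state). It is an added example, not code from the thread or from FreeIPA; the HTTPS path used by the reachability probe and the `triage` helper are assumptions, and the sample certutil output is constructed from the listing posted above.

```shell
#!/bin/sh
# Triage helper for the replica-install failure discussed in the thread
# (added example, not from the thread or FreeIPA).

# Succeed if NICK appears as a nickname in `certutil -L` output read from stdin.
# Nicknames may contain spaces ("SOMETHING.BE IPA CA"), so strip only the trailing
# trust-attribute column (e.g. "CT,C,C", "u,u,u", ",,") and compare exactly;
# the two header lines never match the trust-attribute pattern.
nssdb_has_nick() {
    awk -v n="$1" '
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            nick = substr($0, 1, length($0) - length($NF))
            sub(/ +$/, "", nick)
            if (nick == n) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Check a real NSS database directory (e.g. /etc/dirsrv/slapd-$REALM).
dirsrv_has_server_cert() {
    certutil -d "$1" -L | nssdb_has_nick "Server-Cert"
}

# Reachability of the master CA from the replica. The URL path is an assumption:
# any HTTPS answer on 8443 counts as reachable, only a connect failure does not.
ca_reachable() {
    curl -sSk --max-time 5 -o /dev/null "https://$1:8443/" 2>/dev/null
}

# Constructed sample: the replica's certutil output from the thread, which holds
# the CA certificates but no Server-Cert, so the dirsrv restart fails.
SAMPLE_CERTUTIL='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=something-PAPRIKA-CA,DC=something,DC=local                CT,C,C
SOMETHING.BE IPA CA                                          CT,C,C'

triage() {  # usage: triage MASTER_FQDN NSSDB_DIR
    if dirsrv_has_server_cert "$2"; then echo "Server-Cert present in $2"
    else echo "Server-Cert MISSING in $2 (matches the dirsrv 'bad database' error)"; fi
    if ca_reachable "$1"; then echo "CA on $1:8443 reachable"
    else echo "CA on $1:8443 NOT reachable (certmonger would report CA_UNREACHABLE)"; fi
}
```

Run `triage master.example.test /etc/dirsrv/slapd-REALM` on the replica; both checks must pass before ipa-replica-install can get past the "retrieving DS Certificate" step.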