[Pki-devel] Proxy/Port work status

Ade Lee alee at redhat.com
Thu Aug 25 02:59:31 UTC 2011


When I looked at one point, I noticed that /var/log/pki-ca/catalina.out
was owned by root.  And in fact the whole /var/log/pki-ca directory was
owned by root.  

If the CA process runs as pkiuser, that would explain the permission
denied bit.

Adam, please reproduce and do not clean up.  I can go in at that point
and try to figure out what went wrong.

Ade

On Wed, 2011-08-24 at 22:29 -0400, Adam Young wrote:
> Had some success earlier today, but I seem to be unable to replicate 
> it.  I've been working with the "full" proxy.conf file lately, and even 
> that seems to be preventing a replica.  It is quite possible that the 
> problem is something on one of the two systems, as I've found that 
> install/uninstall often leaves some of the files being owned by 
> non-existent users.   At this point, I'm not sure if the patch I've 
> submitted will work on a vanilla system.  Testing it has proven to be a 
> pretty time consuming endeavour.
> 
> 
> Here's what I've gotten it down to:
> 
> On one machine, run
> 
> ipa-server-install -U -r ` hostname  | tr '[:lower:]' '[:upper:]'`  -p 
> freeipa4all  -a freeipa4all  --setup-dns --no-forwarders
> 
> 
> once that succeeds, I have to reset /etc/resolv.conf as the lab DNS 
> server gets removed:
> 
> cp ~/resolve.conf /etc
> 
> then
> 
> ipa-replica-prepare $REPLICA
> 
> scp /var/lib/ipa/replica-info-$REPLICA.gpg root@$REPLICA:
> 
> On the replica:
> 
> ipa-replica-install  --setup-ca  replica-info-$HOSTNAME.gpg
> 
> I have firewall off on master and replica
> 
> 
> At one point I had a replica install that worked with the Proxy, so I 
> know it is possible, but for the last couple of hours this last command 
> has been failing with:
> 
> creation of replica failed: Configuration of CA failed
> 
> 
> 
> pkisilent reports the failure in the debug log, but not the URL it is 
> trying to reach.  I'm going to modify it to give some more information 
> in the morning.
> 
> 
> I'm not seeing anything in /var/log/httpd/error|access.log  on the 
> master, which is weird.
> 
> 
> I see this in /var/log/ipareplica-conncheck.log.   We should not be 
> trying to do anything in /home/admin
> 
> 
> 2011-08-24 21:52:18,544 DEBUG stderr=
> 2011-08-24 21:52:19,521 DEBUG args=/usr/bin/ssh -q -o 
> StrictHostKeychecking=no -o UserKnownHostsFile=/dev/null 
> admin at vm-088.idm.lab.bos.redhat.com /usr/sbin/ipa-replica-conncheck 
> --replica vm-116.idm.lab.bos.redhat.com --check-ca
> 2011-08-24 21:52:19,521 DEBUG stdout=Check connection from master to 
> remote replica 'vm-116.idm.lab.bos.redhat.com':
>     Directory Service: Unsecure port (389): OK
>     Directory Service: Secure port (636): OK
>     Kerberos (88): OK
>     PKI-CA: Directory Service port (7389): OK
>     PKI-CA: Agent secure port (9443): OK
>     PKI-CA: EE secure port (9444): OK
>     PKI-CA: Admin secure port (9445): OK
>     PKI-CA: EE secure client auth port (9446): OK
>     PKI-CA: Unsecure port (9180): OK
> 
> Connection from master to replica is OK.
> 
> 2011-08-24 21:52:19,522 DEBUG stderr=Could not chdir to home directory 
> /home/admin: No such file or directory
> 
> 
> 
> Ade Lee noticed that the replica install is failing before it ever 
> attempts to talk to the Master,  which corresponds with what I am 
> seeing.  I see in the PKI install log that
> 
> [2011-08-24 22:23:50] [error] FAILED run_command("/sbin/service pki-cad 
> restart pki-ca"), exit status=1 output="Stopping pki-ca: [FAILED]
> Starting pki-ca: [  OK  ]^M"
> 
> 
> Running this command by hand gets the same output.
> 
> In less /var/log/pki-ca/catalina.out
> 
>   /var/lib/pki-ca/logs/catalina.out: Permission denied
> /var/log/pki-ca/catalina.out (END)
> 
> 
> So it looks like another cleanup issue.
> 
> 
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
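The ownership mismatch Ade points at (a log directory and catalina.out owned by root while the CA process runs as pkiuser) is the kind of leftover that a short check can surface before the next `service pki-cad restart` fails. The script below is an added example, not code from this thread or from the Dogtag/FreeIPA projects; it assumes GNU coreutils `stat`, `find` and `awk`, and the caller supplies the service account and the directories to audit (`pkiuser`, `/var/log/pki-ca` and `/var/lib/pki-ca` are taken from the thread as sample arguments, not discovered by the script).

```shell
#!/bin/sh
# Added example: audit a service's log/state directories for paths that are
# not owned by the service account (e.g. root-owned files left behind by an
# earlier install/uninstall). Assumes GNU coreutils stat/find and awk.
#
# Usage: check_service_ownership USER DIR [DIR...]
#   e.g. check_service_ownership pkiuser /var/log/pki-ca /var/lib/pki-ca

# Print "OWNER PATH" for every path under the given directories whose owner
# is not $1, and "MISSING - DIR" for a directory that does not exist.
# Prints nothing when every path is owned by the expected account.
list_wrong_owner() {
    expected="$1"; shift
    for dir in "$@"; do
        if [ ! -e "$dir" ]; then
            echo "MISSING - $dir"
            continue
        fi
        # stat prints "owner path"; awk keeps only lines whose owner differs.
        find "$dir" -exec stat -c '%U %n' {} + | awk -v want="$expected" '$1 != want'
    done
}

# Return 0 when every path is owned by the service user, 1 otherwise,
# echoing the offending paths so the operator can chown them deliberately.
check_service_ownership() {
    out=$(list_wrong_owner "$@")
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}

# Count of offending paths, handy for a monitoring check (0 means clean).
count_wrong_owner() {
    list_wrong_owner "$@" | grep -c .
}

# Run the audit when invoked directly with arguments; sourcing it (or running
# it with no arguments) only defines the functions above.
if [ $# -ge 2 ]; then
    check_service_ownership "$@"
fi
```

Against a freshly installed CA the expected result is empty output and exit status 0; after a failed cleanup the output lists exactly the files (such as `/var/lib/pki-ca/logs/catalina.out`) that would produce the "Permission denied" seen in the thread once the service drops to pkiuser.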



