On 11/01/18 17:12, Florence Blanc-Renaud wrote:
I must admit that I'm getting lost among all the errors... Can you summarize your topology (for instance server A installed as first IPA master, then server B successfully configured as a replica, then server C where I tried to run ipa-replica-install but the command failed).

This way we'll be able to sort out the various issues.

Thanks,
Flo

I'd like to think it's very simple, minimalistic setup:
- one newly installed server, its resolver points to 127.0.0.1
- one client candidate whose resolver points directly to IPA's dns only.
Just one server which installed apparently okay.
Just one replica candidate, client installed okay.

Replica install fails; when it does, it leaves nothing in ipa-replica-manage, only the client installation adds a host record.
...
  [1/3]: configuring TLS for DS instance
  [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
Your system may be partly configured.

-- Working Server when replica installation fails
--- The server end, httpd/error_log :
...
[Thu Jan 11 17:20:53.475973 2018] [:error] [pid 2701892] ipa: INFO: [jsonserver_kerb] host/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x: ping(): SUCCESS
[Thu Jan 11 17:20:53.527232 2018] [:error] [pid 2701893] ipa: INFO: [jsonserver_kerb] host/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x: env((u'version',)): SUCCESS
[Thu Jan 11 17:20:53.573580 2018] [:error] [pid 2701892] ipa: INFO: [jsonserver_kerb] host/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x: env((u'fips_mode',)): SUCCESS
[Thu Jan 11 17:21:04.406246 2018] [:error] [pid 2701893] ipa: INFO: [jsonserver_kerb] ad...@private.xx.xx.PRIVATE.xx.xx.x: ping(): SUCCESS
[Thu Jan 11 17:21:04.444042 2018] [:error] [pid 2701892] ipa: INFO: [jsonserver_kerb] ad...@private.xx.xx.PRIVATE.xx.xx.x: ping/1(version=u'2.228'): SUCCESS
[Thu Jan 11 17:21:04.900349 2018] [:error] [pid 2701893] ipa: INFO: [jsonserver_kerb] ad...@private.xx.xx.PRIVATE.xx.xx.x: server_conncheck(u'swir.priv.xx.xx.priv.xx.xx.x', u'dzien.priv.xx.xx.priv.xx.xx.x', version=u'2.162'): SUCCESS
[Thu Jan 11 17:21:40.832678 2018] [auth_gssapi:error] [pid 2702831] [client 10.5.6.17:47072] NO AUTH DATA  Client did not send any authentication headers, referer: https://swir.priv.xx.xx.priv.xx.xx.x/ipa/xml
[Thu Jan 11 17:21:40.913393 2018] [:error] [pid 2701892] ipa: INFO: [xmlserver] host/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x: cert_request(u'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', profile_id=u'caIPAserviceCert', principal=u'ldap/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x', add=True, version=u'2.51'): NetworkError

--- The server, tomcat, if I do:
$ egrep '(warn|error|fail|canno)' /var/log/pki/pki-tomcat/ca/debug
I see many:
[11/Jan/2018:17:12:55][localhost-startStop-1]: init: before makeConnection errorIfDown is false
[11/Jan/2018:17:12:55][localhost-startStop-1]: makeConnection: errorIfDown false
[11/Jan/2018:17:12:55][localhost-startStop-1]: init: before makeConnection errorIfDown is false
[11/Jan/2018:17:12:55][localhost-startStop-1]: makeConnection: errorIfDown false

But time stamps do not seem to correspond to what's in httpd/error_log. Also cannot see something like "PKIRealm: Authenticating certificate chain" around the time of replica installation.

Should I also be looking at /var/log/dirsrv/xx/errors maybe?
