On 11/01/18 17:12, Florence Blanc-Renaud wrote:
I must admit that I'm getting lost among all the errors...
Can you summarize your topology (for instance server A
installed as first IPA master, then server B successfully
configured as a replica, then server C where I tried to
run ipa-replica-install but the command failed).
This way we'll be able to sort out the various issues.
Thanks,
Flo
I'd like to think it's very simple, minimalistic setup:
- one newly installed server, it's resolver points to 127.0.0.1
- one client candidate which resolver points directly to
IPA's dns only.
Just one server which installed apparently okey.
Just one replica candidate, client installed okey.
Replica install fails, when it does it leave nothing in
ipa-replica-manage, only add client installation add host
record.
...
[1/3]: configuring TLS for DS instance
[error] RuntimeError: Certificate issuance failed
(CA_UNREACHABLE)
Your system may be partly configured.
-- Working Server when replica installation fails
--- The server end, httpd/error_log :
...
[Thu Jan 11 17:20:53.475973 2018] [:error] [pid 2701892]
ipa: INFO: [jsonserver_kerb] host/dzien.priv.
xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x: ping():
SUCCESS
[Thu Jan 11 17:20:53.527232 2018] [:error] [pid 2701893]
ipa: INFO: [jsonserver_kerb] host/dzien.priv.
xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x:
env((u'version',)): SUCCESS
[Thu Jan 11 17:20:53.573580 2018] [:error] [pid 2701892]
ipa: INFO: [jsonserver_kerb] host/dzien.priv.
xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x:
env((u'fips_mode',)): SUCCESS
[Thu Jan 11 17:21:04.406246 2018] [:error] [pid 2701893]
ipa: INFO: [jsonserver_kerb] ad...@private.xx.
xx.PRIVATE.xx.xx.x: ping(): SUCCESS
[Thu Jan 11 17:21:04.444042 2018] [:error] [pid 2701892]
ipa: INFO: [jsonserver_kerb] ad...@private.xx.
xx.PRIVATE.xx.xx.x: ping/1(version=u'2.228'): SUCCESS
[Thu Jan 11 17:21:04.900349 2018] [:error] [pid 2701893]
ipa: INFO: [jsonserver_kerb] ad...@private.xx.
xx.PRIVATE.xx.xx.x:
server_conncheck(u'swir.priv.xx.xx.priv.xx.xx.x',
u'dzien.priv.xx.
xx.priv.xx.xx.x', version=u'2.162'): SUCCESS
[Thu Jan 11 17:21:40.832678 2018] [auth_gssapi:error] [pid
2702831] [client 10.5.6.17:47072] NO AUTH DATA
Client did not send any authentication headers, referer:
https://swir.priv.xx.xx.priv.xx.xx.x
/ipa/xml
[Thu Jan 11 17:21:40.913393 2018] [:error] [pid 2701892]
ipa: INFO: [xmlserver]
host/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x:
cert_request(u'MIIEWTCCA0ECAQAwYDErMCkGA1UEChMiUFJJVkFURS5DQ05SLkNFQi5QUklWQVRFLkNBTS5BQy5VSzExMC8GA1UEAxMoZHppZW4ucHJpdmF0ZS5jY25yLmNlYi5wcml2YXRlLmNhbS5hYy51azCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK81UM4J4041W+ujikOQrplTcUjjmMHOWkE8YbVwjZvH2AYhP7tn+jZ7GYWZuv//j4tfFEEiIyV94hL85xjhXCwkLdR1R6CaswD1SpwOkQGOOICol1aV2tX1+o9Q3Q4gDLMBvxX3+s+l39l7dgDqj6ZaueH8E7H+W9Oj+w3+E8mR5Zy/kG6X6WNtwbqyf6fZwshRO26O4aUNlxMDpeLN5mDoRWBeeHiWoFBXwYXqysHoVLFN4urpH7wHKSEkdW7Vaj/1HXGutOV5HsaBqeGzdCiwlrBFDE9maU7HhyBxxGEit11ejGxoP2hjxyO0l0tfBuqJjBkGZDvgB3501jGgHQ8CAwEAAaCCAbIwJQYJKoZIhvcNAQkUMRgeFgBTAGUAcgB2AGUAcgAtAEMAZQByAHQwggGHBgkqhkiG9w0BCQ4xggF4MIIBdDCCAQwGA1UdEQEBAASCAQAwgf2CKGR6aWVuLnByaXZhdGUuY2Nuci5jZWIucHJpdmF0ZS5jYW0uYWMudWugYAYKKwYBBAGCNxQCA6BSDFBsZGFwL2R6aWVuLnByaXZhdGUuY2Nuci5jZWIucHJpdmF0ZS5jYW0uYWMudWtAUFJJVkFURS5DQ05SLkNFQi5QUklWQVRFLkNBTS5BQy5VS6BvBgYrBgEFAgKgZTBjoCQbIlBSSVZBVEUuQ0NOUi5DRUIuUFJJVkFURS5DQU0uQUMuVUuhOzA5oAMCAQGhMjAwGwRsZGFwGyhkemllbi5wcml2YXRlLmNjbnIuY2ViLnByaXZhdGUuY2FtLmFjLnVrMAwGA1UdEwEB/wQCMAAwIAYDVR0OAQEABBYEFA1WfK69+iWx/R7b8kWpd/4M3QtrMDIGCSsGAQQBgjcUAgEBAAQiHiAAYwBhAEkAUABBAHMAZQByAHYAaQBjAGUAQwBlAHIAdDANBgkqhkiG9w0BAQsFAAOCAQEAXBhrwG29M+UEWZsWjIJWRHEQ6bAdpTWJVP7P9eXu11Krd/VrCb/qgz7/68GWkKCDpINLB8P7SGWoUwI4zjn1YJNn9jyVELryLn4MHfQ/3W3mVZcK6FPtRqmpwZ6q0TEG/ZpBftWlpI8AkhruGrx8bJ/pGo3UJgY/5QajMjsuuysvoukVxeYmQJDCH36Hdfw6+hYg3XQfmJ2WgLjnVaA0v3e9gKYf0gObwSbKF1ZqF6pVw9D9h8BgTITB8PO6aQvYCeWY6H9w/Dc3V77pPubTrScN6JJFZEyTWPK2GijpO7E+4nV5bnHNlJ4LpAZRYH0lzcVok/YNsRv8bupoFoChNQ==',
profile_id=u'caIPAserviceCert',
principal=u'ldap/dzien.priv.xx.xx.priv.xx.x...@private.xx.xx.private.xx.xx.x',
add=True, version=u'2.51'): NetworkError
--- The server, tomcat, if I do:
$ egrep '(warn|error|fail|canno)'
/var/log/pki/pki-tomcat/ca/debug
I see many:
[11/Jan/2018:17:12:55][localhost-startStop-1]: init: before
makeConnection errorIfDown is false
[11/Jan/2018:17:12:55][localhost-startStop-1]:
makeConnection: errorIfDown false
[11/Jan/2018:17:12:55][localhost-startStop-1]: init: before
makeConnection errorIfDown is false
[11/Jan/2018:17:12:55][localhost-startStop-1]:
makeConnection: errorIfDown false
But time stamps do not see to correspond to what's in
httpd/error_log
Also cannot see something like "PKIRealm: Authenticating
certificate chain" around the time of replica installation.
Should I also be looking at /var/log/dirsrv/xx/erros mabye?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org