Hi Florence,

On Wed, 6 Feb 2019, Florence Blanc-Renaud via FreeIPA-users wrote:

> On 2/5/19 4:17 PM, dbischof--- via FreeIPA-users wrote:
>
>> my IPA system consists of 2 masters (ipa1 and ipa2, both on FreeIPA 4.6.4)
>> with their own self-signed CAs, one of them being the certificate renewal
>> master (ipa1). The system has been running for years and has been migrated
>> from an IPA 3 system. Both IPA servers are on domain level 1.
>>
>> Problem: CS replication failed, probably months ago.
>>
>> --- ipa1 ---
>> $ ipa-csreplica-manage -v list ipa1.example.com
>>
>> ipa2.example.com
>>    last init status: None
>>    last init ended: 1970-01-01 00:00:00+00:00
>>    last update status: Error (-1) Problem connecting to replica - LDAP
>> error: Can't contact LDAP server (connection error)
>>    last update ended: 1970-01-01 00:00:00+00:00
>>
>> --
>> $ ipa-csreplica-manage -v list ipa2.example.com
>>
>> [no output]
>> ----
>>
>> Same on ipa2.
>>
>> Probably related:
>>
>> ---
>> ERR - slapi_ldap_bind - Error: could not send startTLS request: error -1
>> (Can't contact LDAP server) errno 107 (Transport endpoint is not
>> connected)
>> ---
>>
>> Every 5 mins in /var/log/dirsrv/slapd-EXAMPLE-COM/errors. However, these
>> error messages could refer to ipa3.example.com, a master I deleted long (>
>> 2 years) ago:
>>
>> ---
>> $ ipa-replica-manage list-ruv
>>
>> Replica Update Vectors:
>>          ipa2.example.com:389: 10
>>          ipa1.example.com:389: 9
>> Certificate Server Replica Update Vectors:
>>          ipa2.example.com:389: 11
>>          ipa1.example.com:389: 91
>>          ipa2.example.com:7389: 96
>>          ipa3.example.com:7389: 97
>> ---
>>
>> How do I track this down and resolve the problem?
>
>
> please find more information re. 389-ds troubleshooting:
> https://www.freeipa.org/page/Troubleshooting/Directory_Server

I checked for the common problems described in that page already, but to no avail. I did, however, successfully manage to remove replication references to ipa3 using "ipa-replica-manage clean-dangling-ruv":

---
$ ipa-replica-manage list-ruv
Replica Update Vectors:
        ipa1.example.com:389: 9
        ipa2.example.com:389: 10
Certificate Server Replica Update Vectors:
        ipa1.example.com:389: 91
        ipa2.example.com:389: 11
---

The error message

---
[06/Feb/2019:10:38:52.095489260 +0100] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
---

on ipa1 is still in the logs. Additionally, while cleaning RUVs:

---
[06/Feb/2019:10:32:31.029394375 +0100] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=cloneAgreement1-ipa1.example.com-pki-tomcat" (ipa2:7389) - Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ()
---

The ldapsearch queries described in the above page can be carried out successfully on both servers:

---
[...]
# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
---

Also, no DNS issues, wrong entries in /etc/hosts, time differences or log messages related to SASL issues.

Maybe a wrong key or certificate somewhere?


With best regards,

--Daniel.
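Added example, not part of the thread: a small Python helper that applies the two checks discussed in this mail to constructed copies of the list-ruv output and the two errors-log lines quoted above. It flags RUV entries naming a host outside the operator-supplied set of current masters or a port no current master serves (the default of 389 only is an assumption, consistent with the post-cleanup list-ruv output), and extracts the host:port each failing replication agreement targets so it can be compared against what actually listens there before suspecting keys or certificates.

```python
import re

# Constructed copies of the list-ruv output and the two errors-log lines quoted above.
LIST_RUV_OUTPUT = """Replica Update Vectors:
         ipa2.example.com:389: 10
         ipa1.example.com:389: 9
Certificate Server Replica Update Vectors:
         ipa2.example.com:389: 11
         ipa1.example.com:389: 91
         ipa2.example.com:7389: 96
         ipa3.example.com:7389: 97
"""
ERRORS_LOG = """[06/Feb/2019:10:38:52.095489260 +0100] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[06/Feb/2019:10:32:31.029394375 +0100] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=cloneAgreement1-ipa1.example.com-pki-tomcat" (ipa2:7389) - Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ()
"""
RUV_LINE = re.compile(r"^\s+(?P<host>[\w.-]+):(?P<port>\d+):\s*(?P<rid>\d+)\s*$")
AGMT_REF = re.compile(r'agmt="(?P<agmt>[^"]+)" \((?P<host>[\w.-]+):(?P<port>\d+)\)')

def parse_list_ruv(text):
    """Split ipa-replica-manage list-ruv output into its two sections and
    return {"domain": [(host, port, replica_id), ...], "ca": [...]}."""
    ruvs, section = {"domain": [], "ca": []}, None
    for line in text.splitlines():
        if line.startswith("Certificate Server Replica Update Vectors"):
            section = "ca"
        elif line.startswith("Replica Update Vectors"):
            section = "domain"
        elif section and (m := RUV_LINE.match(line)):
            ruvs[section].append((m["host"], int(m["port"]), int(m["rid"])))
    return ruvs

def dangling_ruvs(ruvs, masters, served_ports=(389,)):
    """RUV entries that name a host outside the current master set, or a port
    no current master serves (served_ports default is an assumption). These are
    the candidates to check with ipa-replica-manage clean-dangling-ruv."""
    return [(section, host, port, rid)
            for section, entries in ruvs.items()
            for host, port, rid in entries
            if host not in masters or port not in served_ports]

def failing_agreements(log_text):
    """Replication agreements whose bind failed, with the host:port the agreement
    targets, taken from NSMMReplicationPlugin error lines. Compare each endpoint
    against what actually listens on that host before suspecting keys or certs."""
    hits = []
    for line in log_text.splitlines():
        if "Replication bind" in line and "failed" in line and (m := AGMT_REF.search(line)):
            hits.append((m["agmt"], m["host"], int(m["port"])))
    return hits
```

Run against a live system by feeding it the real list-ruv output and the dirsrv errors log and passing the current master hostnames as `masters`.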
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]