Hi. Have you tried to use "ipa-csreplica-manage re-initialize --from <replica1>" in replica1?
You could also re-init offline by using this article: https://access.redhat.com/solutions/140483 (only for the ipaca backend).

Regards,
German.

On Wed, Feb 6, 2019 at 11:31 AM dbischof--- via FreeIPA-users <[email protected]> wrote:
> Hi Florence,
>
> On Wed, 6 Feb 2019, dbischof--- via FreeIPA-users wrote:
>
> > On Wed, 6 Feb 2019, Florence Blanc-Renaud via FreeIPA-users wrote:
> >
> >> On 2/5/19 4:17 PM, dbischof--- via FreeIPA-users wrote:
> >>>
> >>> my IPA system consists of 2 masters (ipa1 and ipa2, both on FreeIPA
> >>> 4.6.4) with their own self-signed CAs, one of them being the
> >>> certificate renewal master (ipa1). The system has been running for
> >>> years and has been migrated from an IPA 3 system. Both IPA servers
> >>> are on domain level 1.
> >>>
> >>> Problem: CS replication failed, probably months ago.
> >>>
> >>> --- ipa1 ---
> >>> $ ipa-csreplica-manage -v list ipa1.example.com
> >>>
> >>> ipa2.example.com
> >>> last init status: None
> >>> last init ended: 1970-01-01 00:00:00+00:00
> >>> last update status: Error (-1) Problem connecting to replica - LDAP
> >>> error: Can't contact LDAP server (connection error)
> >>> last update ended: 1970-01-01 00:00:00+00:00
> >>>
> >>> --
> >>> $ ipa-csreplica-manage -v list ipa2.example.com
> >>>
> >>> [no output]
> >>> ----
> >>>
> >>> Same on ipa2.
> >>>
> >>> Probably related:
> >>>
> >>> ---
> >>> ERR - slapi_ldap_bind - Error: could not send startTLS request: error -1
> >>> (Can't contact LDAP server) errno 107 (Transport endpoint is not
> >>> connected)
> >>> ---
> >>>
> >>> Every 5 mins in /var/log/dirsrv/slapd-EXAMPLE-COM/errors. However, these
> >>> error messages could refer to ipa3.example.com, a master I deleted long
> >>> (> 2 years) ago:
> >>>
> >>> ---
> >>> $ ipa-replica-manage list-ruv
> >>>
> >>> Replica Update Vectors:
> >>> ipa2.example.com:389: 10
> >>> ipa1.example.com:389: 9
> >>> Certificate Server Replica Update Vectors:
> >>> ipa2.example.com:389: 11
> >>> ipa1.example.com:389: 91
> >>> ipa2.example.com:7389: 96
> >>> ipa3.example.com:7389: 97
> >>> ---
> >>>
> >>> How do I track this down and resolve the problem?
> >>>
> >>>
> >> please find more information re. 389-ds troubleshooting:
> >> https://www.freeipa.org/page/Troubleshooting/Directory_Server
> >
> > I checked for the common problems described in that page already, but to
> > no avail. I did, however, successfully manage to remove replication
> > references to ipa3 using "ipa-replica-manage clean-dangling-ruv":
> >
> > ---
> > $ ipa-replica-manage list-ruv
> > Replica Update Vectors:
> > ipa1.example.com:389: 9
> > ipa2.example.com:389: 10
> > Certificate Server Replica Update Vectors:
> > ipa1.example.com:389: 91
> > ipa2.example.com:389: 11
> > ---
> >
> > The error message
> >
> > ---
> > [06/Feb/2019:10:38:52.095489260 +0100] - ERR - slapi_ldap_bind - Error:
> > could not send startTLS request: error -1 (Can't contact LDAP server)
> > errno 107 (Transport endpoint is not connected)
> > ---
> >
> > on ipa1 is still in the logs. Additionally, while cleaning RUVs:
> >
> > ---
> > [06/Feb/2019:10:32:31.029394375 +0100] - ERR - NSMMReplicationPlugin -
> > bind_and_check_pwp -
> > agmt="cn=cloneAgreement1-ipa1.example.com-pki-tomcat" (ipa2:7389) -
> > Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact
> > LDAP server) ()
> > ---
> >
> > The ldapsearch queries described in the above page can be carried out
> > successfully on both servers:
> >
> > ---
> > [...]
> > # search result
> > search: 4
> > result: 0 Success
> >
> > # numResponses: 2
> > # numEntries: 1
> > ---
> >
> > Also, no DNS issues, wrong entries in /etc/hosts, time differences or log
> > messages related to SASL issues.
> >
> > Maybe a wrong key or certificate somewhere?
>
> Update: ipa-checkcerts.py shows
>
> ---
> [...]
> Failures:
> ipa: INFO: Unable to find request for serial 268304391
> Unable to find request for serial 268304391
> ipa: INFO: Unable to find request for serial 268304394
> Unable to find request for serial 268304394
> ipa: INFO: Unable to find request for serial 268304393
> Unable to find request for serial 268304393
> ipa: INFO: Unable to find request for serial 268304392
> Unable to find request for serial 268304392
> ipa: INFO: Subject O=EXAMPLE.COM,CN=ipa2.example.com and template subject
> CN=ipa1.example.com,O=EXAMPLE.COM do not match for serial 57
> Subject O=EXAMPLE.COM,CN=ipa2.example.com and template subject
> CN=ipa1.example.com,O=EXAMPLE.COM do not match for serial 57
> ---
>
> So there is a certificate issue.
>
>
> Mit freundlichen Gruessen/With best regards,
>
> --Daniel.

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
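Added example, not from the thread or from FreeIPA itself: a small Python checker for the two diagnostics Daniel ran. It parses `ipa-replica-manage list-ruv` output to flag RUVs whose host is no longer an enrolled master (the ipa3.example.com:7389 entry that `clean-dangling-ruv` removed) and parses `ipa-csreplica-manage -v list` output to flag CS agreements whose last update reports an error or never completed (the epoch timestamp). The sample outputs are constructed from the thread, the function names are mine, and the CS parser assumes the tool's two-space indentation of the status fields under each peer name.

```python
# Constructed sample, modelled on the thread's `ipa-replica-manage list-ruv` output.
LIST_RUV = """Replica Update Vectors:
ipa2.example.com:389: 10
ipa1.example.com:389: 9
Certificate Server Replica Update Vectors:
ipa2.example.com:389: 11
ipa1.example.com:389: 91
ipa2.example.com:7389: 96
ipa3.example.com:7389: 97
"""
# Constructed sample, modelled on `ipa-csreplica-manage -v list ipa1.example.com`.
CS_LIST = """ipa2.example.com
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
"""
def parse_ruv(text):
    """Map 'main'/'cs' -> {(host, port): replica_id} from list-ruv output."""
    sections, current = {"main": {}, "cs": {}}, None
    for line in text.splitlines():
        if line.startswith("Certificate Server Replica Update Vectors"):
            current = "cs"
        elif line.startswith("Replica Update Vectors"):
            current = "main"
        elif current and ": " in line:
            hostport, rid = line.strip().rsplit(": ", 1)
            host, port = hostport.rsplit(":", 1)
            sections[current][(host, int(port))] = int(rid)
    return sections

def dangling_ruvs(text, live_masters):
    """RUV entries whose host is no longer an enrolled master (clean-dangling-ruv candidates)."""
    return sorted((h, p, rid) for sec in parse_ruv(text).values()
                  for (h, p), rid in sec.items() if h not in live_masters)

def stale_cs_agreements(text):
    """Map peer host -> flags: status reports an error / update never completed."""
    report, host = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():  # unindented line names the peer
            host = line.strip()
            report[host] = {"error": False, "never_updated": False}
        elif host and ": " in line:
            key, value = line.strip().split(": ", 1)
            if key == "last update status" and value.startswith("Error"):
                report[host]["error"] = True
            if key == "last update ended" and value.startswith("1970-01-01 00:00:00"):
                report[host]["never_updated"] = True  # epoch means "never" in 389-ds output
    return report
```

Feed it the real command output captured on each master; a non-empty `dangling_ruvs` result with the current master list is what `ipa-replica-manage clean-dangling-ruv` addresses, while `stale_cs_agreements` flags the agreements that need a re-initialize once the underlying bind problem is fixed.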
