Dear Florence

Thank you for your response!

We identified the node it was initialized from (we knew, but confirmed it), and 
there we found the following log entries:

> [Mon Jul 05 17:01:55.151483 2021] [:error] [pid 32729] SSL Library Error: 
> -12224 SSL peer had some unspecified issue with the certificate it received
> [Mon Jul 05 17:01:55.368456 2021] [:error] [pid 31906] SSL Library Error: 
> -12224 SSL peer had some unspecified issue with the certificate it received
> [Mon Jul 05 17:01:55.372097 2021] [:error] [pid 32313] SSL Library Error: 
> -12224 SSL peer had some unspecified issue with the certificate it received
> [Mon Jul 05 17:01:55.503391 2021] [:error] [pid 31905] SSL Library Error: 
> -12224 SSL peer had some unspecified issue with the certificate it received
> [Mon Jul 05 17:01:55.582016 2021] [:error] [pid 32734] SSL Library Error: 
> -12224 SSL peer had some unspecified issue with the certificate it received
> [Mon Jul 05 17:01:55.609485 2021] [:error] [pid 309] SSL Library Error: 
> -12224 SSL peer had some unspecified issue with the certificate it received
> [Mon Jul 05 17:01:56.609513 2021] [:error] [pid 32729] SSL Library Error: 
> -12224 SSL peer had some unspecified issue with the certificate it received
> [Mon Jul 05 17:01:56.660519 2021] [:error] [pid 31906] SSL Library Error: 
> -12224 SSL peer had some unspecified issue with the certificate it received
> [Mon Jul 05 17:01:56.669421 2021] [:error] [pid 32313] SSL Library Error: 
> -12224 SSL peer had some unspecified issue with the certificate it received

(we are in UTC+2 timezone)

To our surprise, the next attempts this morning on the very same node (VM reset 
and cleanup using “ipa server-del [node]” as yesterday) worked all of a sudden. 
We could confirm this as we set up another replica (we planned to add 2), where 
it also worked.

So all in all the good news is that it worked in the end, but the bad news is 
we have no information why (are there nightly data cleanup jobs which remove 
obsolete data in the directory?)
We always made sure there were no dangling RUVs (ipa-replica-manage showed a 
clean server list), so that should not have been it.

Best regards,
Rolf
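
Added example, not part of the original thread: a small Python summarizer for the httpd error_log excerpt quoted above, which rejoins the mail-wrapped entries, counts the SSL library errors per code and per pid, and converts the time window to UTC so it can be lined up with /var/log/ipareplica-install.log on the replica. The sample is constructed from four of the quoted entries, and the UTC+2 offset is taken from the message; the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: four of the mail-wrapped, '>'-quoted entries from the message.
SAMPLE = """\
> [Mon Jul 05 17:01:55.151483 2021] [:error] [pid 32729] SSL Library Error:
> -12224 SSL peer had some unspecified issue with the certificate it received
> [Mon Jul 05 17:01:55.368456 2021] [:error] [pid 31906] SSL Library Error:
> -12224 SSL peer had some unspecified issue with the certificate it received
> [Mon Jul 05 17:01:55.372097 2021] [:error] [pid 32313] SSL Library Error:
> -12224 SSL peer had some unspecified issue with the certificate it received
> [Mon Jul 05 17:01:56.609513 2021] [:error] [pid 32729] SSL Library Error:
> -12224 SSL peer had some unspecified issue with the certificate it received
"""

ENTRY = re.compile(
    r"\[(?P<ts>\w{3} \w{3} \d{2} [\d:.]+ \d{4})\] \[[^\]]*\] "
    r"\[pid (?P<pid>\d+)\] SSL Library Error: (?P<code>-?\d+) (?P<msg>.+)"
)
LOCAL_TZ = timezone(timedelta(hours=2))  # assumption: UTC+2, as stated in the message

def unwrap(text):
    """Drop '> ' quoting and rejoin entries split across two lines."""
    entries = []
    for raw in text.splitlines():
        line = re.sub(r"^>\s?", "", raw).strip()
        if not line:
            continue
        if line.startswith("[") or not entries:
            entries.append(line)      # a new timestamped entry starts here
        else:
            entries[-1] += " " + line  # continuation of the previous entry
    return entries

def summarize(text):
    """Count SSL library errors per code and per pid, with the UTC time window."""
    codes, pids, times = Counter(), Counter(), []
    for entry in unwrap(text):
        m = ENTRY.match(entry)
        if not m:
            continue  # not an SSL Library Error line
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
        times.append(ts.replace(tzinfo=LOCAL_TZ).astimezone(timezone.utc))
        codes[int(m["code"])] += 1
        pids[int(m["pid"])] += 1
    return {"codes": codes, "pids": pids,
            "first_utc": min(times, default=None), "last_utc": max(times, default=None)}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```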

From: Florence Renaud <[email protected]>
Sent: Tuesday, July 6, 2021 08:49
To: FreeIPA users list <[email protected]>
Cc: Linder, Rolf <[email protected]>
Subject: Re: [Freeipa-users] failing to add additional replica (already 3 in 
place)

Hi,

can you provide the logs of the replica installation 
(/var/log/ipareplica-install.log and /var/log/pki/pki-ca-spawn.$date.log) ?
In the logs you can find which server was used to initialize the data (look for 
a line with ipa-replica-conncheck), the logs from this server may also be 
useful (/var/log/httpd/error_log).

flo


On Mon, Jul 5, 2021 at 5:23 PM Rolf Linder via FreeIPA-users 
<[email protected]> wrote:
Hey there

Using freeipa on centos (ipa-server-4.6.8-5.el7.centos.6.x86_64) we fail to add 
an additional replica, but only when enabling CA services (option "--setup-ca").
We use the following command to stage a new replica (and have in the past):

> ipa-replica-install --principal admin --admin-password ${adminpw} --setup-dns 
> --no-dnssec-validation --no-forwarder --setup-ca --domain lxusp.local 
> --server [master-idm-node]

which we have used to stage the previous replicas too.
Log (/var/log/ipareplica-install.log) shows that it's stuck in state

> DEBUG certmonger request is in state dbus.String(u'SUBMITTING', 
> variant_level=1)

Repeated until it is then aborted by a timeout message (and a non-functional replica).

Since there are only outdated reports (>2 years old) about slightly similar 
(but not matching!) behavior like 
https://bugzilla.redhat.com/show_bug.cgi?id=1623113 we kindly ask if anyone can 
help here.

Best regards,
Rolf
_______________________________________________
FreeIPA-users mailing list -- 
[email protected]<mailto:[email protected]>
To unsubscribe send an email to 
[email protected]<mailto:[email protected]>
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
