Uzor Ide wrote:
Hi all,

We are trying to set up a backup IPA server and decided to toe that replication route. The box is a fedora 14 with freeipa-2.0-RC2 which I upgraded to fedora 15 and freeipa 2.0.1. Note we first did ipa-server-install --uninstall before upgrading the freeipa packages so as to make sure that the server is relatively clean.

However, when I run that ipa-replica-install command, I end up with the following error in the ipareplica-install.log:

2011-05-31 23:54:33,352 DEBUG args=/sbin/service dirsrv restart PKI-IPA
2011-05-31 23:54:33,353 DEBUG stdout=Shutting down dirsrv: PKI-IPA...[ OK ]
Starting dirsrv: PKI-IPA...[FAILED]
*** Warning: 1 instance(s) failed to start
2011-05-31 23:54:33,354 DEBUG stderr=[31/May/2011:23:54:23 -0400] - SSL alert: Security Initialization: Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.)
[31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed.
2011-05-31 23:54:33,497 DEBUG args=/sbin/service dirsrv status
2011-05-31 23:54:33,500 DEBUG stdout=dirsrv PKI-IPA is stopped
2011-05-31 23:54:33,501 DEBUG stderr=
2011-05-31 23:54:33,502 CRITICAL Failed to restart the directory server. See the installation log for details.

These are the tomcat rpms on the server:

tomcat5-servlet-2.4-api-5.5.31-3.fc15.noarch
tomcat6-jsp-2.1-api-6.0.30-6.fc15.noarch
tomcat6-6.0.30-6.fc15.noarch
tomcat6-servlet-2.5-api-6.0.30-6.fc15.noarch
tomcat6-lib-6.0.30-6.fc15.noarch
tomcat6-el-2.1-api-6.0.30-6.fc15.noarch
tomcatjss-2.1.1-1.fc15.noarch

So the tomcat6 version is definitely greater than tomcat6-6-0.30-5.

The /var/log/dirsrv/slapd-PKI-IPA/errors log does not show anything different from the same:

[31/May/2011:23:54:23 -0400] - SSL alert: Security Initialization: Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.)
[31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed

Any help will be greatly appreciated.

Ide

I think we need more context. Can you compress and send /var/log/ipareplica-install.log ?
I'd also suggest looking at /var/log/dirsrv/PKI-IPA/access and errors to see if there is anything interesting there.
And can you provide the output for:

certutil -L -d /etc/dirsrv/slapd-PKI-IPA

It would seem that your 389-ds instance is missing a copy of the CA cert.

thanks

rob
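
One way to read the certutil -L output requested above is to look for an entry whose SSL trust field carries a C or T flag, which is how NSS marks a trusted CA. The script below is an added example, not part of the original thread; the certificate nicknames in the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: find SSL-trusted CA entries in `certutil -L` output.
# NSS trust flags: C = trusted CA for server certs, T = trusted CA for
# client certs, u = cert has a matching private key in the database.

# Reads certutil -L output on stdin, prints nicknames of SSL-trusted CAs.
list_trusted_cas() {
    awk '
        # The last field holds the SSL,S/MIME,JAR/XPI trust flags.
        # Header lines do not match this pattern and are skipped.
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            split($NF, trust, ",")
            if (trust[1] ~ /[CT]/) {
                nick = $0
                sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)  # drop trust column
                sub(/^[ \t]+/, "", nick)               # drop leading space
                print nick
            }
        }'
}

# Returns 0 if at least one SSL-trusted CA is listed, 1 otherwise.
has_trusted_ca() {
    [ -n "$(list_trusted_cas)" ]
}

# Constructed sample listings (nicknames are assumptions, not from the thread).
SAMPLE_OK='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
Example CA cert                                              CT,C,C
'
SAMPLE_MISSING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
'

# On a live system: certutil -L -d /etc/dirsrv/slapd-PKI-IPA | has_trusted_ca
if printf '%s\n' "$SAMPLE_MISSING" | has_trusted_ca; then
    echo "CA cert present"
else
    echo "no SSL-trusted CA cert in database"
fi
```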