Uzor Ide wrote:

Hi all

We are trying to setup a backup IPA server and decided to toe that
replication route.
The box is a fedora 14 with freeipa-2.0-RC2 which I upgraded to fedora
15 and freeipa 2.0.1.
Note we first did ipa-server-install --uninstall before upgrading the
freeipa packages so as to make sure that the server is relatively clean.

However when I run that ipa-replica-install command, I end up with the
following error in the ipareplica-install.log

2011-05-31 23:54:33,352 DEBUG args=/sbin/service dirsrv restart PKI-IPA
2011-05-31 23:54:33,353 DEBUG stdout=Shutting down dirsrv:
     PKI-IPA...[  OK  ]
Starting dirsrv:
     PKI-IPA...[FAILED]
   *** Warning: 1 instance(s) failed to start

2011-05-31 23:54:33,354 DEBUG stderr=[31/May/2011:23:54:23 -0400] - SSL
alert: Security Initialization: Unable to authenticate (Netscape
Portable Runtime error -8192 - An I/O error occurred during security
authorization.)
[31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed.

2011-05-31 23:54:33,497 DEBUG args=/sbin/service dirsrv status
2011-05-31 23:54:33,500 DEBUG stdout=dirsrv PKI-IPA is stopped

2011-05-31 23:54:33,501 DEBUG stderr=
2011-05-31 23:54:33,502 CRITICAL Failed to restart the directory server.
See the installation log for details.

This are the tomcat rpms on the server

tomcat5-servlet-2.4-api-5.5.31-3.fc15.noarch
tomcat6-jsp-2.1-api-6.0.30-6.fc15.noarch
tomcat6-6.0.30-6.fc15.noarch
tomcat6-servlet-2.5-api-6.0.30-6.fc15.noarch
tomcat6-lib-6.0.30-6.fc15.noarch
tomcat6-el-2.1-api-6.0.30-6.fc15.noarch
tomcatjss-2.1.1-1.fc15.noarch

So the tomcat6 version is definitely greater than tomcat6-6-0.30-5.

The /var/log/dirsrv/slapd-PKI-IPA/errors logs does not show any other
thing different from same,

[31/May/2011:23:54:23 -0400] - SSL alert: Security Initialization:
Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O
error occurred during security authorization.)
[31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed


Any help will be greatly appreciated

Ide

I think we need more context. Can you compress and send /var/log/ipareplica-install.log ?

I'd also suggest looking at /var/log/dirsrv/PKI-IPA/access and errors to see if there is anything interesting there.

And can you provide the output for:

certutil -L -d /etc/dirsrv/slapd-PKI-IPA

It would seem that your 389-ds instance is missing a copy of the CA cert.

thanks

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to