Thanks Rob

I did run the certutil -L -d /etc/dirsrv/slapd-PKI-IPA command; the nssdb is empty. If the CA cert is supposed to exist there at that stage of install, then that would be the problem.

Both the slapd-PKI-IPA error and access logs do not contain much. I attached them herein with the ipareplica-install.log.

thanks
Ide

On Wed, Jun 1, 2011 at 11:40 AM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Uzor Ide wrote:
>
>>
>> Hi all
>>
>> We are trying to set up a backup IPA server and decided to toe that
>> replication route.
>> The box is a fedora 14 with freeipa-2.0-RC2 which I upgraded to fedora
>> 15 and freeipa 2.0.1.
>> Note we first did ipa-server-install --uninstall before upgrading the
>> freeipa packages so as to make sure that the server is relatively clean.
>>
>> However when I run that ipa-replica-install command, I end up with the
>> following error in the ipareplica-install.log
>>
>> 2011-05-31 23:54:33,352 DEBUG args=/sbin/service dirsrv restart PKI-IPA
>> 2011-05-31 23:54:33,353 DEBUG stdout=Shutting down dirsrv:
>> PKI-IPA...[ OK ]
>> Starting dirsrv:
>> PKI-IPA...[FAILED]
>> *** Warning: 1 instance(s) failed to start
>>
>> 2011-05-31 23:54:33,354 DEBUG stderr=[31/May/2011:23:54:23 -0400] - SSL
>> alert: Security Initialization: Unable to authenticate (Netscape
>> Portable Runtime error -8192 - An I/O error occurred during security
>> authorization.)
>> [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed.
>>
>> 2011-05-31 23:54:33,497 DEBUG args=/sbin/service dirsrv status
>> 2011-05-31 23:54:33,500 DEBUG stdout=dirsrv PKI-IPA is stopped
>>
>> 2011-05-31 23:54:33,501 DEBUG stderr=
>> 2011-05-31 23:54:33,502 CRITICAL Failed to restart the directory server.
>> See the installation log for details.
>>
>> These are the tomcat rpms on the server
>>
>> tomcat5-servlet-2.4-api-5.5.31-3.fc15.noarch
>> tomcat6-jsp-2.1-api-6.0.30-6.fc15.noarch
>> tomcat6-6.0.30-6.fc15.noarch
>> tomcat6-servlet-2.5-api-6.0.30-6.fc15.noarch
>> tomcat6-lib-6.0.30-6.fc15.noarch
>> tomcat6-el-2.1-api-6.0.30-6.fc15.noarch
>> tomcatjss-2.1.1-1.fc15.noarch
>>
>> So the tomcat6 version is definitely greater than tomcat6-6-0.30-5.
>>
>> The /var/log/dirsrv/slapd-PKI-IPA/errors log does not show any other
>> thing different from same,
>>
>> [31/May/2011:23:54:23 -0400] - SSL alert: Security Initialization:
>> Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O
>> error occurred during security authorization.)
>> [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed
>>
>>
>> Any help will be greatly appreciated
>>
>> Ide
>>
>
> I think we need more context. Can you compress and send
> /var/log/ipareplica-install.log ?
>
> I'd also suggest looking at /var/log/dirsrv/PKI-IPA/access and errors to
> see if there is anything interesting there.
>
> And can you provide the output for:
>
> certutil -L -d /etc/dirsrv/slapd-PKI-IPA
>
> It would seem that your 389-ds instance is missing a copy of the CA cert.
>
> thanks
>
> rob
>
_______________________________________________
Freeipa-users mailing list
Freeipaemail@example.com
https://www.redhat.com/mailman/listinfo/freeipa-users