On 06/01/2011 11:40 AM, Rob Crittenden wrote:
> Uzor Ide wrote:
>>
>> Hi all
>>
>> We are trying to setup a backup IPA server and decided to toe that
>> replication route.
>> The box is a fedora 14 with freeipa-2.0-RC2 which I upgraded to fedora
>> 15 and freeipa 2.0.1.
>> Note we first did ipa-server-install --uninstall before upgrading the
>> freeipa packages so as to make sure that the server is relatively clean.
>>
>> However when I run that ipa-replica-install command, I end up with the
>> following error in the ipareplica-install.log
>>
>> 2011-05-31 23:54:33,352 DEBUG args=/sbin/service dirsrv restart PKI-IPA
>> 2011-05-31 23:54:33,353 DEBUG stdout=Shutting down dirsrv:
>>      PKI-IPA...[  OK  ]
>> Starting dirsrv:
>>      PKI-IPA...[FAILED]
>>    *** Warning: 1 instance(s) failed to start
>>
>> 2011-05-31 23:54:33,354 DEBUG stderr=[31/May/2011:23:54:23 -0400] - SSL
>> alert: Security Initialization: Unable to authenticate (Netscape
>> Portable Runtime error -8192 - An I/O error occurred during security
>> authorization.)
>> [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed.
>>
>> 2011-05-31 23:54:33,497 DEBUG args=/sbin/service dirsrv status
>> 2011-05-31 23:54:33,500 DEBUG stdout=dirsrv PKI-IPA is stopped
>>
>> 2011-05-31 23:54:33,501 DEBUG stderr=
>> 2011-05-31 23:54:33,502 CRITICAL Failed to restart the directory server.
>> See the installation log for details.
>>
>> This are the tomcat rpms on the server
>>
>> tomcat5-servlet-2.4-api-5.5.31-3.fc15.noarch
>> tomcat6-jsp-2.1-api-6.0.30-6.fc15.noarch
>> tomcat6-6.0.30-6.fc15.noarch
>> tomcat6-servlet-2.5-api-6.0.30-6.fc15.noarch
>> tomcat6-lib-6.0.30-6.fc15.noarch
>> tomcat6-el-2.1-api-6.0.30-6.fc15.noarch
>> tomcatjss-2.1.1-1.fc15.noarch
>>
>> So the tomcat6 version is definitely greater than tomcat6-6-0.30-5.
>>
>> The /var/log/dirsrv/slapd-PKI-IPA/errors logs does not show any other
>> thing different from same,
>>
>> [31/May/2011:23:54:23 -0400] - SSL alert: Security Initialization:
>> Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O
>> error occurred during security authorization.)
>> [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed
>>
>>
>> Any help will be greatly appreciated
>>
>> Ide
>
> I think we need more context. Can you compress and send
> /var/log/ipareplica-install.log ?
>
> I'd also suggest looking at /var/log/dirsrv/PKI-IPA/access and errors
> to see if there is anything interesting there.
>
> And can you provide the output for:
>
> certutil -L -d /etc/dirsrv/slapd-PKI-IPA
>
> It would seem that your 389-ds instance is missing a copy of the CA cert.
>
> thanks
>
> rob
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
I just for the record, I did a similar thing yesterday.
I had F14 with old ipa instance.
I did ipa-server-install -- uninstall
removed ipa packages
Upgraded Fedora.
Installed new IPA packages
Ran install and hit a similar error.

It seems that ipa-server uninstall does not destroy all the instances
correctly for the PKI.
So when the package is updated and the install is rerun it fails since
there is a PKI DS instance.
This might be a bug in the uninstall that we already fixed.

To clean the system I ran the --uninstall several times. Each time it
was failing but moving further. At some point it was successful and I
was able to install.




-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to