Uzor Ide wrote:
Thanks Rob

I did run the certutil -L -d /etc/dirsrv/slapd-PKI-IPA command; the
nssdb is empty.
If the CA cert is supposed to exist there at that stage of install,
then that would be the problem.

Both the slapd-PKI-IPA error and access do not contain much. I
attached them herein with the ipareplica-install.log.


How old is the prepared replica file, and was it created with an older version of IPA?

In one of the last release candidates we started creating a separate SSL certificate for the 389-ds instance used by dogtag. I get the feeling that doesn't exist, which would explain why SSL is failing.

You can check by doing something like:
# gpg -d replica-info-<your-server>.gpg | tar tvf -

The file you're looking for is dogtagcert.p12

rob
  thanks

Ide


On Wed, Jun 1, 2011 at 11:40 AM, Rob Crittenden <rcrit...@redhat.com> wrote:

    Uzor Ide wrote:


        Hi all

        We are trying to set up a backup IPA server and decided to toe that
        replication route.
        The box is a fedora 14 with freeipa-2.0-RC2 which I upgraded to fedora
        15 and freeipa 2.0.1.
        Note we first did ipa-server-install --uninstall before upgrading the
        freeipa packages so as to make sure that the server is relatively clean.

        However when I run that ipa-replica-install command, I end up with the
        following error in the ipareplica-install.log

        2011-05-31 23:54:33,352 DEBUG args=/sbin/service dirsrv restart PKI-IPA
        2011-05-31 23:54:33,353 DEBUG stdout=Shutting down dirsrv:
             PKI-IPA...[  OK  ]
        Starting dirsrv:
             PKI-IPA...[FAILED]
           *** Warning: 1 instance(s) failed to start

        2011-05-31 23:54:33,354 DEBUG stderr=[31/May/2011:23:54:23 -0400] - SSL alert: Security Initialization: Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.)
        [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed.

        2011-05-31 23:54:33,497 DEBUG args=/sbin/service dirsrv status
        2011-05-31 23:54:33,500 DEBUG stdout=dirsrv PKI-IPA is stopped

        2011-05-31 23:54:33,501 DEBUG stderr=
        2011-05-31 23:54:33,502 CRITICAL Failed to restart the directory server.
        See the installation log for details.

        These are the tomcat rpms on the server

        tomcat5-servlet-2.4-api-5.5.31-3.fc15.noarch
        tomcat6-jsp-2.1-api-6.0.30-6.fc15.noarch
        tomcat6-6.0.30-6.fc15.noarch
        tomcat6-servlet-2.5-api-6.0.30-6.fc15.noarch
        tomcat6-lib-6.0.30-6.fc15.noarch
        tomcat6-el-2.1-api-6.0.30-6.fc15.noarch
        tomcatjss-2.1.1-1.fc15.noarch

        So the tomcat6 version is definitely greater than tomcat6-6-0.30-5.

        The /var/log/dirsrv/slapd-PKI-IPA/errors logs do not show any other
        thing different from the same,

        [31/May/2011:23:54:23 -0400] - SSL alert: Security Initialization: Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.)
        [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed


        Any help will be greatly appreciated

        Ide


    I think we need more context. Can you compress and send
    /var/log/ipareplica-install.log ?

    I'd also suggest looking at /var/log/dirsrv/PKI-IPA/access and
    errors to see if there is anything interesting there.

    And can you provide the output for:

    certutil -L -d /etc/dirsrv/slapd-PKI-IPA

    It would seem that your 389-ds instance is missing a copy of the CA
    cert.

    thanks

    rob




_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
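
The two checks suggested in this thread (look for dogtagcert.p12 in the prepared replica file, and see whether the PKI-IPA NSS database lists any certificates), as an added shell example that is not part of the original messages and is not FreeIPA code. The function names are hypothetical, and dogtagcert.p12 is matched by base name because the thread does not give its path inside the archive.

```bash
#!/bin/sh
# Added example (not FreeIPA code). Function names are hypothetical.

# Read a `tar tf` listing on stdin; succeed if any member's base name is $1.
# Base-name matching avoids assuming the directory layout inside the archive.
listing_has_member() {
    awk -F/ -v want="$1" '$NF == want { found = 1 } END { exit !found }'
}

# Read `certutil -L` output on stdin; print the number of certificate entries.
# An entry line ends in three comma-separated trust-flag fields, e.g. "CT,C,C";
# the header lines do not, so an empty database counts as 0.
count_nss_certs() {
    grep -Ec '[[:space:]][A-Za-z]*,[A-Za-z]*,[A-Za-z]*[[:space:]]*$' || true
}

# Usage: gpg -d replica-info-<your-server>.gpg | ./this-script <nssdb-dir>
# The decrypted tar stream arrives on stdin; $1 is the NSS database directory,
# e.g. /etc/dirsrv/slapd-PKI-IPA as used in the thread.
if [ "$#" -eq 1 ]; then
    status=0
    if tar tf - | listing_has_member dogtagcert.p12; then
        echo "replica file: dogtagcert.p12 present"
    else
        echo "replica file: dogtagcert.p12 MISSING"
        status=1
    fi
    n=$(certutil -L -d "$1" 2>/dev/null | count_nss_certs)
    echo "NSS database $1: $n certificate(s)"
    [ "$n" -gt 0 ] || status=1
    exit "$status"
fi
```

A non-zero exit status means at least one of the two conditions discussed above was found.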
