Hey Rob,

Here is the output from cerutil -L -d /etc/dirsrv/slapd-DOMAIN-CA/

Server:
Server-Cert     u,u,u

Client:
Server-Cert     u,u,u

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: Wednesday, April 10, 2013 11:01 AM
To: Joseph, Matthew (EXP); Nathan Kinder
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors

Joseph, Matthew (EXP) wrote:
> Hey Rob,
>
> Yes I've tried to do that. Everytime I try to run an ipa-replica-install I 
> make sure I create a new replica file from the server.

Well, it is confusing because this worked once, when you got the error about 
replication ID.

I guess I'd use certutil to compare what /etc/dirsrv/slapd-REALM looks like on 
the replica vs the existing master.

The error is related to SSL trust.

rob

>
>
> Matt
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: Wednesday, April 10, 2013 10:47 AM
> To: Joseph, Matthew (EXP); Nathan Kinder
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
>
> Joseph, Matthew (EXP) wrote:
>> Hey,
>>
>> I'm still trying to figure out this error but I am getting nothing.
>>
>> Anyone have any suggestions or ideas on why this is failing?
>
> Is there a chance you're using a replica file prepared from a different IPA 
> installation? I'd probably go ahead and use ipa-replica-prepare to create a 
> new file and try installing that.
>
> rob
>
>>
>> Matt
>>
>> *From:*freeipa-users-boun...@redhat.com
>> [mailto:freeipa-users-boun...@redhat.com] *On Behalf Of *Joseph, 
>> Matthew
>> (EXP)
>> *Sent:* Monday, April 08, 2013 12:30 PM
>> *To:* Nathan Kinder
>> *Cc:* freeipa-users@redhat.com
>> *Subject:* Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install 
>> errors
>>
>> Hey,
>>
>>
>> Yup, the client side says the following;
>>
>> Op=-1 fd=64 closed - Peer does not recognize and trust the CA that 
>> issued your certificate.
>>
>> Matt
>>
>> *From:*Nathan Kinder [mailto:nkin...@redhat.com]
>> *Sent:* Monday, April 08, 2013 12:28 PM
>> *To:* Joseph, Matthew (EXP)
>> *Cc:* freeipa-users@redhat.com
>> *Subject:* Re: EXTERNAL: Re: [Freeipa-users] ipa-replica-install 
>> errors
>>
>> On 04/08/2013 07:16 AM, Joseph, Matthew (EXP) wrote:
>>
>>      Hey,
>>
>>      So on the IPA server under the access logs I am getting the
>>      following error.
>>
>>      Error: could not send startTLS request: Error -11 (connect error)
>>      errno 0 (success)
>>
>>      Any ideas?
>>
>> Does the access log on the receiving side show a connection attempt 
>> from the master at the same time?  The access log will be located at 
>> /var/log/dirsrv/slapd-<DOMAIN>/access.
>>
>> -NGK
>>
>> Matt
>>
>> *From:*Nathan Kinder [mailto:nkin...@redhat.com]
>> *Sent:* Thursday, April 04, 2013 6:00 PM
>> *To:* Joseph, Matthew (EXP)
>> *Cc:* freeipa-users@redhat.com <mailto:freeipa-users@redhat.com>
>> *Subject:* EXTERNAL: Re: [Freeipa-users] ipa-replica-install errors
>>
>> On 04/04/2013 07:14 AM, Joseph, Matthew (EXP) wrote:
>>
>>      Hello,
>>
>>      I'm trying to setup a replica server with ipa-2.2.0-16 on both the
>>      Server and the Replica Server.
>>
>>      Here are the steps I ran (From the Red Hat 6.3 IdM Administration
>>      Guide);
>>
>>      ------------------------
>>
>>      *IPA_Server:*
>>
>>      ipa-replica-prepare ipareplica.example.com --ip-address
>> 192.168.1.2
>>
>>      scp /var/lib/ipa/replica-info-ipareplica.example.com.gpg root@
>>      ipareplica:/var/lib/ipa/
>>
>>      *IPA_Replica:*
>>
>>      ipa-replica-install --setup-ca --setup-dns
>>      /var/lib/ipa/replica-info-ipareplica.exam ple.com.gpg
>>
>>      ------------------------------
>>
>>      Below is the error I am getting when running 
>> ipa-replica-install;
>>
>>      Directory Manager (existing master) password:
>>
>>      Run connection check to master
>>
>>      Check connection from replica to remote master 'IPA_Server.domain.ca':
>>
>>          Directory Service: Unsecure port (389): OK
>>
>>          Directory Service: Secure port (636): OK
>>
>>          Kerberos KDC: TCP (88): OK
>>
>>          Kerberos Kpasswd: TCP (464): OK
>>
>>          HTTP Server: Unsecure port (80): OK
>>
>>          HTTP Server: Secure port (443): OK
>>
>>          PKI-CA: Directory Service port (7389): OK
>>
>>      The following list of ports use UDP protocol and would need to 
>> be
>>
>>      checked manually:
>>
>>          Kerberos KDC: UDP (88): SKIPPED
>>
>>          Kerberos Kpasswd: UDP (464): SKIPPED
>>
>>      Connection from replica to master is OK.
>>
>>      Start listening on required ports for remote master check
>>
>>      Get credentials to log in to remote master
>>
>>      ad...@domain.ca <mailto:ad...@domain.ca> password:
>>
>>      Execute check on remote master
>>
>>      Check connection from master to remote replica 'IPA_Replica.domain.ca':
>>
>>          Directory Service: Unsecure port (389): OK
>>
>>          Directory Service: Secure port (636): OK
>>
>>          Kerberos KDC: TCP (88): OK
>>
>>          Kerberos KDC: UDP (88): OK
>>
>>          Kerberos Kpasswd: TCP (464): OK
>>
>>          Kerberos Kpasswd: UDP (464): OK
>>
>>          HTTP Server: Unsecure port (80): OK
>>
>>          HTTP Server: Secure port (443): OK
>>
>>          PKI-CA: Directory Service port (7389): OK
>>
>>      Connection from master to replica is OK.
>>
>>      Connection check OK
>>
>>      Configuring ntpd
>>
>>         [1/4]: stopping ntpd
>>
>>         [2/4]: writing configuration
>>
>>         [3/4]: configuring ntpd to start on boot
>>
>>         [4/4]: starting ntpd
>>
>>      done configuring ntpd.
>>
>>      Configuring directory server for the CA: Estimated time 30 
>> seconds
>>
>>         [1/3]: creating directory server user
>>
>>         [2/3]: creating directory server instance
>>
>>         [3/3]: restarting directory server
>>
>>      done configuring pkids.
>>
>>      Configuring certificate server: Estimated time 3 minutes 30 
>> seconds
>>
>>         [1/13]: creating certificate server user
>>
>>         [2/13]: creating pki-ca instance
>>
>>         [3/13]: configuring certificate server instance
>>
>>         [4/13]: disabling nonces
>>
>>         [5/13]: creating RA agent certificate database
>>
>>         [6/13]: importing CA chain to RA certificate database
>>
>>         [7/13]: fixing RA database permissions
>>
>>         [8/13]: setting up signing cert profile
>>
>>         [9/13]: set up CRL publishing
>>
>>         [10/13]: set certificate subject base
>>
>>         [11/13]: enabling Subject Key Identifier
>>
>>         [12/13]: configuring certificate server to start on boot
>>
>>         [13/13]: Configure HTTP to proxy connections
>>
>>      done configuring pki-cad.
>>
>>      Restarting the directory and certificate servers
>>
>>      Configuring directory server: Estimated time 1 minute
>>
>>         [1/30]: creating directory server user
>>
>>         [2/30]: creating directory server instance
>>
>>         [3/30]: adding default schema
>>
>>         [4/30]: enabling memberof plugin
>>
>>         [5/30]: enabling referential integrity plugin
>>
>>         [6/30]: enabling winsync plugin
>>
>>         [7/30]: configuring replication version plugin
>>
>>         [8/30]: enabling IPA enrollment plugin
>>
>>         [9/30]: enabling ldapi
>>
>>         [10/30]: configuring uniqueness plugin
>>
>>         [11/30]: configuring uuid plugin
>>
>>         [12/30]: configuring modrdn plugin
>>
>>         [13/30]: enabling entryUSN plugin
>>
>>         [14/30]: configuring lockout plugin
>>
>>         [15/30]: creating indices
>>
>>         [16/30]: configuring ssl for ds instance
>>
>>         [17/30]: configuring certmap.conf
>>
>>         [18/30]: configure autobind for root
>>
>>         [19/30]: configure new location for managed entries
>>
>>         [20/30]: restarting directory server
>>
>>         [21/30]: setting up initial replication
>>
>>      Starting replication, please wait until this has completed.
>>
>>      [IPA_Server.domain.ca] reports: Update failed! Status: [-11  -
>>      System error]
>>
>>      creation of replica failed: Failed to start replication
>>
>>      Also in the error log(/var/log/dirsrv/slapd-DOMAIN-CA/errors) is the
>>      following error;
>>
>>      NSMMReplicationPlugin - agmt="cn=metoIPA_Server.domain.ca"
>>      (ipa_server:389): Replica has a different generation ID than the
>>      local data.
>>
>> This is probably just fallout from the replica initialization failure.
>> If a replica is never initialized, it will get a generation ID 
>> mismatch error when the master contacts it.
>>
>> Any thoughts or ideas on this issue? Searching google I don't see 
>> anyone getting the Status:-11 - System Error.
>>
>> There was a bug in 389-ds-base that was fixed a while back where 
>> negative LDAP error codes were all printed as "System Error".  The 
>> -11 is a connection error.  Here is how it is defined in /usr/include/ldap.h:
>>
>>       #define LDAP_CONNECT_ERROR                              (-11)
>>
>> It sounds like this connection error is occurring when it tries to 
>> initialize the replica.  It might help to enable replication level 
>> logging on the master, then trying to run ipa-replica-install again.
>> The errors in the 389 DS errors log might point to the problem.  To 
>> enable replication level logging, you can perform the following 
>> operation with ldapmodify as "cn=Directory Manager":
>>
>> ------------------------------------------
>> dn: cn=config
>> changetype: modify
>> replace: nsslapd-errorlog-level
>> nsslapd-errorlog-level: 8192
>> ------------------------------------------
>>
>> When you are finished debugging the issue, don't forget to change the 
>> log level back to "0".
>>
>> -NGK
>>
>> Thanks,
>>
>> Matt
>>
>>
>>
>>
>> _______________________________________________
>>
>> Freeipa-users mailing list
>>
>> Freeipa-users@redhat.com  <mailto:Freeipa-users@redhat.com>
>>
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to