Hey Rob,

Here is the output from certutil -L -d /etc/dirsrv/slapd-DOMAIN-CA/

Server: Server-Cert u,u,u
Client: Server-Cert u,u,u

Matt

-----Original Message-----
From: Rob Crittenden [mailto:[email protected]]
Sent: Wednesday, April 10, 2013 11:01 AM
To: Joseph, Matthew (EXP); Nathan Kinder
Cc: [email protected]
Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors

Joseph, Matthew (EXP) wrote:
> Hey Rob,
>
> Yes I've tried to do that. Every time I try to run an ipa-replica-install I
> make sure I create a new replica file from the server.

Well, it is confusing because this worked once, when you got the error
about replication ID.

I guess I'd use certutil to compare what /etc/dirsrv/slapd-REALM looks like
on the replica vs the existing master. The error is related to SSL trust.

rob

>
> Matt
>
> -----Original Message-----
> From: Rob Crittenden [mailto:[email protected]]
> Sent: Wednesday, April 10, 2013 10:47 AM
> To: Joseph, Matthew (EXP); Nathan Kinder
> Cc: [email protected]
> Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
>
> Joseph, Matthew (EXP) wrote:
>> Hey,
>>
>> I'm still trying to figure out this error but I am getting nothing.
>>
>> Anyone have any suggestions or ideas on why this is failing?
>
> Is there a chance you're using a replica file prepared from a different IPA
> installation? I'd probably go ahead and use ipa-replica-prepare to create a
> new file and try installing that.
>
> rob
>
>> Matt
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Joseph, Matthew (EXP)
>> Sent: Monday, April 08, 2013 12:30 PM
>> To: Nathan Kinder
>> Cc: [email protected]
>> Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
>>
>> Hey,
>>
>> Yup, the client side says the following;
>>
>> Op=-1 fd=64 closed - Peer does not recognize and trust the CA that
>> issued your certificate.
>>
>> Matt
>>
>> From: Nathan Kinder [mailto:[email protected]]
>> Sent: Monday, April 08, 2013 12:28 PM
>> To: Joseph, Matthew (EXP)
>> Cc: [email protected]
>> Subject: Re: EXTERNAL: Re: [Freeipa-users] ipa-replica-install errors
>>
>> On 04/08/2013 07:16 AM, Joseph, Matthew (EXP) wrote:
>>
>> Hey,
>>
>> So on the IPA server under the access logs I am getting the
>> following error.
>>
>> Error: could not send startTLS request: Error -11 (connect error)
>> errno 0 (success)
>>
>> Any ideas?
>>
>> Does the access log on the receiving side show a connection attempt
>> from the master at the same time? The access log will be located at
>> /var/log/dirsrv/slapd-<DOMAIN>/access.
>>
>> -NGK
>>
>> Matt
>>
>> From: Nathan Kinder [mailto:[email protected]]
>> Sent: Thursday, April 04, 2013 6:00 PM
>> To: Joseph, Matthew (EXP)
>> Cc: [email protected] <mailto:[email protected]>
>> Subject: EXTERNAL: Re: [Freeipa-users] ipa-replica-install errors
>>
>> On 04/04/2013 07:14 AM, Joseph, Matthew (EXP) wrote:
>>
>> Hello,
>>
>> I'm trying to set up a replica server with ipa-2.2.0-16 on both the
>> Server and the Replica Server.
>>
>> Here are the steps I ran (from the Red Hat 6.3 IdM Administration
>> Guide);
>>
>> ------------------------
>>
>> IPA_Server:
>>
>> ipa-replica-prepare ipareplica.example.com --ip-address 192.168.1.2
>>
>> scp /var/lib/ipa/replica-info-ipareplica.example.com.gpg root@ipareplica:/var/lib/ipa/
>>
>> IPA_Replica:
>>
>> ipa-replica-install --setup-ca --setup-dns /var/lib/ipa/replica-info-ipareplica.example.com.gpg
>>
>> ------------------------------
>>
>> Below is the error I am getting when running ipa-replica-install;
>>
>> Directory Manager (existing master) password:
>>
>> Run connection check to master
>> Check connection from replica to remote master 'IPA_Server.domain.ca':
>>    Directory Service: Unsecure port (389): OK
>>    Directory Service: Secure port (636): OK
>>    Kerberos KDC: TCP (88): OK
>>    Kerberos Kpasswd: TCP (464): OK
>>    HTTP Server: Unsecure port (80): OK
>>    HTTP Server: Secure port (443): OK
>>    PKI-CA: Directory Service port (7389): OK
>>
>> The following list of ports use UDP protocol and would need to be
>> checked manually:
>>    Kerberos KDC: UDP (88): SKIPPED
>>    Kerberos Kpasswd: UDP (464): SKIPPED
>>
>> Connection from replica to master is OK.
>> Start listening on required ports for remote master check
>> Get credentials to log in to remote master
>> [email protected] <mailto:[email protected]> password:
>> Execute check on remote master
>> Check connection from master to remote replica 'IPA_Replica.domain.ca':
>>    Directory Service: Unsecure port (389): OK
>>    Directory Service: Secure port (636): OK
>>    Kerberos KDC: TCP (88): OK
>>    Kerberos KDC: UDP (88): OK
>>    Kerberos Kpasswd: TCP (464): OK
>>    Kerberos Kpasswd: UDP (464): OK
>>    HTTP Server: Unsecure port (80): OK
>>    HTTP Server: Secure port (443): OK
>>    PKI-CA: Directory Service port (7389): OK
>>
>> Connection from master to replica is OK.
>>
>> Connection check OK
>> Configuring ntpd
>>   [1/4]: stopping ntpd
>>   [2/4]: writing configuration
>>   [3/4]: configuring ntpd to start on boot
>>   [4/4]: starting ntpd
>> done configuring ntpd.
>> Configuring directory server for the CA: Estimated time 30 seconds
>>   [1/3]: creating directory server user
>>   [2/3]: creating directory server instance
>>   [3/3]: restarting directory server
>> done configuring pkids.
>> Configuring certificate server: Estimated time 3 minutes 30 seconds
>>   [1/13]: creating certificate server user
>>   [2/13]: creating pki-ca instance
>>   [3/13]: configuring certificate server instance
>>   [4/13]: disabling nonces
>>   [5/13]: creating RA agent certificate database
>>   [6/13]: importing CA chain to RA certificate database
>>   [7/13]: fixing RA database permissions
>>   [8/13]: setting up signing cert profile
>>   [9/13]: set up CRL publishing
>>   [10/13]: set certificate subject base
>>   [11/13]: enabling Subject Key Identifier
>>   [12/13]: configuring certificate server to start on boot
>>   [13/13]: Configure HTTP to proxy connections
>> done configuring pki-cad.
>> Restarting the directory and certificate servers
>> Configuring directory server: Estimated time 1 minute
>>   [1/30]: creating directory server user
>>   [2/30]: creating directory server instance
>>   [3/30]: adding default schema
>>   [4/30]: enabling memberof plugin
>>   [5/30]: enabling referential integrity plugin
>>   [6/30]: enabling winsync plugin
>>   [7/30]: configuring replication version plugin
>>   [8/30]: enabling IPA enrollment plugin
>>   [9/30]: enabling ldapi
>>   [10/30]: configuring uniqueness plugin
>>   [11/30]: configuring uuid plugin
>>   [12/30]: configuring modrdn plugin
>>   [13/30]: enabling entryUSN plugin
>>   [14/30]: configuring lockout plugin
>>   [15/30]: creating indices
>>   [16/30]: configuring ssl for ds instance
>>   [17/30]: configuring certmap.conf
>>   [18/30]: configure autobind for root
>>   [19/30]: configure new location for managed entries
>>   [20/30]: restarting directory server
>>   [21/30]: setting up initial replication
>> Starting replication, please wait until this has completed.
>> [IPA_Server.domain.ca] reports: Update failed! Status: [-11 - System error]
>> creation of replica failed: Failed to start replication
>>
>> Also in the error log (/var/log/dirsrv/slapd-DOMAIN-CA/errors) is the
>> following error;
>>
>> NSMMReplicationPlugin - agmt="cn=metoIPA_Server.domain.ca"
>> (ipa_server:389): Replica has a different generation ID than the
>> local data.
>>
>> This is probably just fallout from the replica initialization failure.
>> If a replica is never initialized, it will get a generation ID
>> mismatch error when the master contacts it.
>>
>> Any thoughts or ideas on this issue? Searching Google I don't see
>> anyone getting the Status:-11 - System Error.
>>
>> There was a bug in 389-ds-base that was fixed a while back where
>> negative LDAP error codes were all printed as "System Error". The
>> -11 is a connection error. Here is how it is defined in /usr/include/ldap.h:
>>
>> #define LDAP_CONNECT_ERROR (-11)
>>
>> It sounds like this connection error is occurring when it tries to
>> initialize the replica. It might help to enable replication level
>> logging on the master, then trying to run ipa-replica-install again.
>> The errors in the 389 DS errors log might point to the problem. To
>> enable replication level logging, you can perform the following
>> operation with ldapmodify as "cn=Directory Manager":
>>
>> ------------------------------------------
>> dn: cn=config
>> changetype: modify
>> replace: nsslapd-errorlog-level
>> nsslapd-errorlog-level: 8192
>> ------------------------------------------
>>
>> When you are finished debugging the issue, don't forget to change the
>> log level back to "0".
>>
>> -NGK
>>
>> Thanks,
>>
>> Matt
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> [email protected] <mailto:[email protected]>
>> https://www.redhat.com/mailman/listinfo/freeipa-users
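An added example, not part of the thread, that turns Rob's certutil comparison into a check: it reads a certutil -L listing (from /etc/dirsrv/slapd-REALM on each server) and reports whether any entry is a CA trusted to issue SSL certificates, which is a capital "C" in the SSL column of the trust attributes. Both listings below are constructed; the CA nickname EXAMPLE.COM IPA CA is assumed, and the replica listing mirrors what Matt reported (only Server-Cert, no CA entry).

```shell
#!/bin/sh
# Added example (not from the thread): look for a CA trusted for SSL in
# certutil -L output. The trust column is the last field on each line and
# has the form SSL,S/MIME,JAR/XPI; "C" in the SSL part marks a trusted CA.
# Live use: certutil -L -d /etc/dirsrv/slapd-REALM | ca_trusted_for_ssl

# Print the nickname of every entry whose SSL trust flags contain "C".
# Exit 0 if at least one such CA is present, 1 otherwise.
ca_trusted_for_ssl() {
    awk '
        NF >= 2 && $NF ~ /^[CTcPpu]*,[CTcPpu]*,[CTcPpu]*$/ {
            split($NF, t, ",")
            if (index(t[1], "C") > 0) {
                $NF = ""; sub(/[ \t]+$/, "")   # keep only the nickname
                print
                found = 1
            }
        }
        END { exit found ? 0 : 1 }
    '
}

# Constructed: the replica database as Matt described it (no CA entry).
REPLICA_LISTING='Certificate Nickname                                  Trust Attributes
                                                      SSL,S/MIME,JAR/XPI

Server-Cert                                           u,u,u'

# Constructed: a healthy database that also holds the IPA CA (assumed nickname).
MASTER_LISTING='Certificate Nickname                                  Trust Attributes
                                                      SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                    CT,,
Server-Cert                                           u,u,u'

# $1 = label, $2 = listing text. Returns 0 when a trusted CA is present.
check_listing() {
    if cas=$(printf '%s\n' "$2" | ca_trusted_for_ssl); then
        echo "$1: CA trusted for SSL present: $cas"
        return 0
    fi
    echo "$1: no CA trusted for SSL; peers will not trust certs issued by it"
    return 1
}

check_listing replica "$REPLICA_LISTING" || true
check_listing master "$MASTER_LISTING" || true
```

Run it against both servers' databases and the side whose listing lacks a "C"-trusted CA entry is the one to fix before retrying ipa-replica-install.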
