Oh thanks for that webpage! So now named starts, it was because my
hostname was ip-10.x.x.x I then tried to change it to ip-10.x.x.x.ec2.internal
(standard fqdn for AWS). Then I remembered that during setup I had to change
it to ipa.example.com. Once I did that it started! Now I just have the cert
issue, I'll email back after I gather more of the details around the remaining
issues I'm having. Thanks for your help!
Director, IT Operations
On May 29, 2013, at 10:24 AM, Petr Spacek <pspa...@redhat.com> wrote:
> On 29.5.2013 15:50, John Moyer wrote:
>> I changed both the host file (actually did that before emailing) and
>> now I have changed the DNS manually in LDAP. I restart ipa and it still
>> fails on DNS startup. It says the following (after I manually start
>> everything else)
>> May 29 13:16:15 ip- named: set up managed keys zone for view _default,
>> file 'dynamic/managed-keys.bind'
>> May 29 13:16:15 ip- named: GSSAPI Error: Unspecified GSS failure.
>> Minor code may provide more information (Server
>> krbtgt/ec2.inter...@example.com not found in Kerberos database)
>> May 29 13:16:15 ip- named: bind to LDAP server failed: Local error
>> May 29 13:16:15 ip- named: loading configuration: failure
>> May 29 13:16:15 ip- named: exiting (due to fatal error)
> The important piece is:
> > Server krbtgt/ec2.inter...@example.com not found in Kerberos database
> Some very basic instructions are at
> See https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart
> IMHO Kerberos libraries are confused by the crazy network setup inside EC2.
> Does your /etc/krb5.conf point to internal or external name?
> Does your /etc/hosts point to internal or external name?
> I would try to include *internal* IPs in /etc/hosts, because internal IPs are
> what libraries see on local interfaces.
> Please do the experiments described above and let us now. Also, you can join
> #freeipa channel on FreeNode, I will be around for next hour (at least).
> Petr^2 Spacek
>> On May 29, 2013, at 4:11 AM, Petr Spacek <pspa...@redhat.com> wrote:
>>> On 29.5.2013 07:42, John Moyer wrote:
>>>> Yea I replaced both certs, however, in my troubleshooting I've found more
>>>> I'll say symptoms or potential problems, which may stem from this or be
>>>> independent from it.
>>>> 1. Showing this error message on restarting the service:
>>>> EXAMPLE-COM...[29/May/2013:05:30:58 +0000] - SSL alert:
>>>> CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of
>>>> family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
>>>> -8172 - Peer's certificate issuer has been marked as not trusted by the
>>>> 2. This is on an AWS machine, and when I rebooted the internal IP of the
>>>> machine changed. I'm not sure if there are values in the Directory Server
>>>> that would have that internal IP in there which would cause a problem.
>>>> The external IP and DNS have stayed the same and I've tried to have all
>>>> install values match the external IP or external name for this exact
>>>> 3. The named service will no longer start, here are the errors getting put
>>>> in the /var/log/messages
>>>> May 29 05:31:01 ip-10-1-3-5 named: sizing zone task pool based on 6
>>>> May 29 05:31:01 ip-10-1-3-5 named: /etc/named.conf:12: no forwarders
>>>> seen; disabling forwarding
>>>> May 29 05:31:01 ip-10-1-3-5 named: set up managed keys zone for view
>>>> _default, file 'dynamic/managed-keys.bind'
>>>> May 29 05:31:19 ip-10-1-3-5 named: Failed to init credentials
>>>> (Cannot contact any KDC for realm 'EXAMPLE.COM')
>>>> May 29 05:31:19 ip-10-1-3-5 named: loading configuration: failure
>>>> May 29 05:31:19 ip-10-1-3-5 named: exiting (due to fatal error)
>>>> Any help in a right direction or theory to a right direction would be much
>>> Problems 2 and 3 might be caused by incorrect IP address in /etc/hosts and
>>> IPA DNS. Please correct content of /etc/hosts, start IPA and then correct
>>> IP addresses in IPA DNS.
Freeipa-users mailing list