On 20 July 2013 04:20, Ade Lee <a...@redhat.com> wrote:
>
> On Fri, 2013-07-19 at 14:14 +1000, Pete Brown wrote:
>> I was just trying this again and noticed there is a
>> /var/log/pki/pki-ca-spawn.20130719140342.log file with what i assume
>> is the logging for the attempt to create the pki.
>> right at the end is this entry.
>>
>> 2013-07-19 14:04:42 pkispawn    : INFO     ....... unable to access
>> security domain through REST interface.  Trying old interface. 503
>> Server Error: Service Unavailable
>>
>> Does anyone know what that means and how to fix it?
>>
>
> This means that the dogtag CA is trying to contact the dogtag master -
> and is failing to do so.  It may be trying to access the wrong port.
>
> What version do you have for :
> rpm -q pki-ca ?

on my master server.
pki-ca-10.0.3-2.fc18.noarch

> Please attach the logs for the replica CA.
> /var/log/pki/pki-tomcat/*

I just tried doing the replica install again and was tailing the
catalina.out while is was running and I think I have discovered the
problem.
The jre it seems to have been upgraded and it is still using the old path.
I shall try and work out how to fix that and will let you know if I get stuck.

> You are also exactly correct in creating a replica before upgrading to
> F19.  Much older dogtag instances (based on dogtag 9) will not work in
> f19 due to tomcat6 not being available in f19.

Ahh.
Did that prompt the amalgamation of the ldap trees?

>
> Ade
>>
>> On 19 July 2013 12:46, Pete Brown <rendhal...@gmail.com> wrote:
>> > On 18 July 2013 19:50, Petr Viktorin <pvikt...@redhat.com> wrote:
>> >> On 07/18/2013 03:31 AM, Pete Brown wrote:
>> >>>
>> >>> I opened all the ports that seemed to be listening n the master.
>> >>> I also ran the setup again without disabling the connection check to
>> >>> see what else needed fixing.
>> >>> It seems after much investigation and log dredging it seems my admin
>> >>> password had expired.
>> >>> I wasn't aware that was possible.
>> >>> I reset the password and it seemed to get further.
>> >>> This for some reason not mentioned in the documentation the replica is
>> >>> trying to ssh into the master as admin.
>> >>> I managed to fix that by changing my setup and ssh config files.
>> >>>
>> >>> Then it actually managed to start the setup process.
>> >>> But again it fails at exactly the same point mentioned in my initial
>> >>> email.
>> >>>
>> >>> After some further digging with reference to the log output below it
>> >>> seems I have run into a bug that seems to have been fixed.
>> >>> https://fedorahosted.org/freeipa/ticket/3213
>> >>> As I mentioned I am running current Fedora 18 so freeipa is
>> >>> 3.1.5-1.fc18 is that fixed in my version?
>> >>
>> >>
>> >> Yes, that bug was fixed in 3.1.0.
>> >
>> > Well the script is still complaining about not being able to find
>> > dogtag_master_ds_port and the option still appears in my version of
>> > the script.
>> > Which from the bug seems to be what was causing the issue and the
>> > ipareplica-install log I included below says this is the case.
>> > It seems a bit odd because this is a fresh install of 3.1.5.
>> >
>> >
>> >
>> >>> It also seems the dogatg and IPA directories will be or have been merged?
>> >>> Which version did this happen in and will it get applied to my server?
>> >>
>> >>
>> >> Also in 3.1.0; new servers installed using that version have merged
>> >> databases.
>> >
>> > I still seem to have split instances.
>> > I did the install before Fedora 18 was released because I wanted ipa 3
>> > and that was the only way I could get it.
>> > Will they get merged at some point or can I do it manually?
>> >
>> >>
>> >>> Can anyone suggest how I go about fixing this issue?
>> >>
>> >>
>> >> Well, ipa-server-uninstall can misbehave if CA installation goes wrong
>> >> (ticket #2796).
>> >> So I would start by uninstalling, then running the following command to 
>> >> make
>> >> sure CA is not left:
>> >>     sudo pkidestroy -s CA -i pki-tomcat
>> >> then installing again.
>> >
>> > Ran that on my replica after the install and before the clean and it said 
>> > this.
>> > That would make sense because it fails during the ca creation stage.
>> >
>> > root@ipa2 ~]# pkidestroy -s CA -i pki-tomcat
>> > ERROR:  PKI instance '/var/lib/pki/pki-tomcat' does NOT exist!
>> >
>> >
>> >>
>> >> Can you also provide logs without the --skip-conncheck flag? Specifically
>> >> the /var/log/ipareplica-conncheck.log should be interesting.
>> >
>> > From what I can tell all the tests in the connection check passed.
>> >
>> >>
>> >>
>> >>> I wanted to create a replica so I could upgrade to fedora 19 and not
>> >>> have to take my single instance of FreeIPA offline while that was
>> >>> happening.
>> >>> Will I need to upgrade to Fedora 19 to fix my issue?
>> >>
>> >>
>> >>
>> >>> For reference this is the point of failure in the
>> >>> /var/log/ipareplica-install.log file
>> >>>
>> >>> 2013-07-18T01:06:16Z DEBUG Starting external process
>> >>> 2013-07-18T01:06:16Z DEBUG args=/usr/sbin/pkispawn -s CA -f 
>> >>> /tmp/tmpFKBxMW
>> >>> 2013-07-18T01:08:16Z DEBUG Process finished, return code=1
>> >>> 2013-07-18T01:08:16Z DEBUG stdout=Loading deployment configuration
>> >>> from /tmp/tmpFKBxMW.
>> >>> ERROR:  Unable to access security domain: 503 Server Error: Service
>> >>> Unavailable
>> >>
>> >>
>> >> Please also check logs on the existing server. Is the CA available?
>> >> Does e.g. `ipa cert-show 1` work?
>> >>
>> >>> 2013-07-18T01:08:16Z DEBUG stderr=
>> >>> 2013-07-18T01:08:16Z CRITICAL failed to configure ca instance Command
>> >>> '/usr/sbin/pkispawn -s CA -f /tmp/tmpFKBxMW' returned non-zero exit
>> >>> status 1
>> >>> 2013-07-18T01:08:16Z INFO   File
>> >>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>> >>> line 619, in run_script
>> >>>      return_value = main_function()
>> >>>
>> >>>    File "/usr/sbin/ipa-replica-install", line 652, in main
>> >>>      (CA, cs) = cainstance.install_replica_ca(config,
>> >>> dogtag_master_ds_port)
>> >>>
>> >>>    File
>> >>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>> >>> line 1809, in install_replica_ca
>> >>>      subject_base=config.subject_base)
>> >>>
>> >>>    File
>> >>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>> >>> line 625, in configure_instance
>> >>>      self.start_creation(runtime=210)
>> >>>
>> >>>    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> >>> line 358, in start_creation
>> >>>      method()
>> >>>
>> >>>    File
>> >>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>> >>> line 744, in __spawn_instance
>> >>>      raise RuntimeError('Configuration of CA failed')
>> >>>
>> >>> 2013-07-18T01:08:16Z INFO The ipa-replica-install command failed,
>> >>> exception: RuntimeError: Configuration of CA failed
>> >>>
>> >>> On 17 July 2013 15:52, Pete Brown <rendhal...@gmail.com> wrote:
>> >>>>
>> >>>> Hi everyone,
>> >>>>
>> >>>> I am attempting to create a replica of my freeipa server.
>> >>>> I am following the docs but they are not working for me.
>> >>>> I am getting the vague impression I am missing a step that doesn't
>> >>>> seem to be documented.
>> >>>>
>> >>>> For the record all the posts listed are open and it was a clean
>> >>>> install of Fedora 18.
>> >>>>
>> >>>> I thought the server may need to be a client of the master before I
>> >>>> set it up as a replica but it just said I needed to uninstall the
>> >>>> client setup.
>> >>>>
>> >>>> After running ipa-replica-prepare on the master and scping the file to
>> >>>> the new replica.
>> >>>> I ran this command on the new replica
>> >>>> ipa-replica-install --setup-ca --mkhomedir --ssh-trust-dns --setup-dns
>> >>>> --forwarder=XXX.XXX.XXX.XX --forwarder=XX.XXX.XXX.XXX
>> >>>> /var/lib/ipa/replica-info-ipa2.domain.com.gpg
>> >>>>
>> >>>> The error I am seeing is from that command is this:
>> >>>> Cannot acquire Kerberos ticket: kinit: Cannot read password while
>> >>>> getting initial credentials
>> >>>>
>> >>>> Connection check failed!
>> >>>> Please fix your network settings according to error messages above.
>> >>>> If the check results are not valid it can be skipped with
>> >>>> --skip-conncheck parameter.
>> >>>>
>> >>>> So I cleaned everything off (i think) and tried it with this command
>> >>>>
>> >>>> ipa-replica-install --setup-ca --mkhomedir --ssh-trust-dns --setup-dns
>> >>>> --forwarder=61.9.211.33 --forwarder=61.9.211.1 --skip-conncheck
>> >>>> /var/lib/ipa/replica-info-ipa2.webgatetec.com.gpg
>> >>>>
>> >>>> This seems to actually start the install and setup process i remember
>> >>>> from installing the ipa server initially
>> >>>>
>> >>>> This it fails with this output
>> >>>>
>> >>>> WARNING: conflicting time&date synchronization service 'chronyd' will
>> >>>> be disabled in favor of ntpd
>> >>>>
>> >>>> Directory Manager (existing master) password:
>> >>>>
>> >>>> Configuring NTP daemon (ntpd)
>> >>>>    [1/4]: stopping ntpd
>> >>>>    [2/4]: writing configuration
>> >>>>    [3/4]: configuring ntpd to start on boot
>> >>>>    [4/4]: starting ntpd
>> >>>> Done configuring NTP daemon (ntpd).
>> >>>> Configuring directory server (dirsrv): Estimated time 1 minute
>> >>>>    [1/31]: creating directory server user
>> >>>>    [2/31]: creating directory server instance
>> >>>>    [3/31]: adding default schema
>> >>>>    [4/31]: enabling memberof plugin
>> >>>>    [5/31]: enabling winsync plugin
>> >>>>    [6/31]: configuring replication version plugin
>> >>>>    [7/31]: enabling IPA enrollment plugin
>> >>>>    [8/31]: enabling ldapi
>> >>>>    [9/31]: configuring uniqueness plugin
>> >>>>    [10/31]: configuring uuid plugin
>> >>>>    [11/31]: configuring modrdn plugin
>> >>>>    [12/31]: configuring DNS plugin
>> >>>>    [13/31]: enabling entryUSN plugin
>> >>>>    [14/31]: configuring lockout plugin
>> >>>>    [15/31]: creating indices
>> >>>>    [16/31]: enabling referential integrity plugin
>> >>>>    [17/31]: configuring ssl for ds instance
>> >>>>    [18/31]: configuring certmap.conf
>> >>>>    [19/31]: configure autobind for root
>> >>>>    [20/31]: configure new location for managed entries
>> >>>>    [21/31]: restarting directory server
>> >>>>    [22/31]: setting up initial replication
>> >>>> Starting replication, please wait until this has completed.
>> >>>> Update in progress
>> >>>> Update in progress
>> >>>> Update in progress
>> >>>> Update in progress
>> >>>> Update succeeded
>> >>>>    [23/31]: adding replication acis
>> >>>>    [24/31]: setting Auto Member configuration
>> >>>>    [25/31]: enabling S4U2Proxy delegation
>> >>>>    [26/31]: initializing group membership
>> >>>>    [27/31]: adding master entry
>> >>>>    [28/31]: configuring Posix uid/gid generation
>> >>>>    [29/31]: enabling compatibility plugin
>> >>>>    [30/31]: tuning directory server
>> >>>>    [31/31]: configuring directory to start on boot
>> >>>> Done configuring directory server (dirsrv).
>> >>>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
>> >>>> 30 seconds
>> >>>>    [1/17]: creating certificate server user
>> >>>>    [2/17]: configuring certificate server instance
>> >>>> ipa         : CRITICAL failed to configure ca instance Command
>> >>>> '/usr/sbin/pkispawn -s CA -f /tmp/tmptGcdgB' returned non-zero exit
>> >>>> status 1
>> >>>>
>> >>>> Your system may be partly configured.
>> >>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>> >>>>
>> >>>> Configuration of CA failed
>> >>>>
>> >>>> I even tried cleaning it again at that point and made sure all the
>> >>>> ports were open and still got the same error.
>> >>>>
>> >>>> I also switched selinux to permissive mode cleaned up and rebooted but
>> >>>> that didn't help either
>> >>>>
>> >>>> Can someone please point out what I need to do to get this working.
>> >>>>
>> >>>> Thanks in advance.
>> >>>> Pete.
>> >>>
>> >>>
>> >>> _______________________________________________
>> >>> Freeipa-users mailing list
>> >>> Freeipa-users@redhat.com
>> >>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> >>>
>> >>
>> >>
>> >> --
>> >> Petrł
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to