On 01/10/2015 04:41 AM, Sina Owolabi wrote:
I've run ipa-dns-install after the fact now, and named is setup.
Strange, it used to work without me having to do this manually
(whenever I needed to take down a replica).
However, when I ran dnsconfig-mod on the new replica, I get:

  ipa dnsconfig-mod
ipa: ERROR: cert validation failed for
"CN=services01.mydom.com,O=MYDOM.COM" ((SEC_ERROR_UNTRUSTED_ISSUER)
Peer's certificate issuer has been marked as not trusted by the user.)
ipa: ERROR: cert validation failed for
"CN=services.mydom.com,O=MYDOM.COM" ((SEC_ERROR_UNTRUSTED_ISSUER)
Peer's certificate issuer has been marked as not trusted by the user.)
ipa: ERROR: cannot connect to Gettext('any of the configured servers',
domain='ipa', localedir=None): https://services01.mydom.com/ipa/xml,
https://services.mydom.com/ipa/xml

Can it be that your certs have expired and were not properly renewed?
How long have you been running this setup?
More than two years?
Have you been upgrading since early versions?



On Sat, Jan 10, 2015 at 10:22 AM, Sina Owolabi <notify.s...@gmail.com> wrote:
I did run it with --setup-dns.

[root@services01 ~]# ipa-replica-install --setup-dns
--forwarder=8.8.8.8 --forwarder=8.8.4.4
replica-info-services01.mydom.com.gpg

How can I fix this, please?

On Fri, Jan 9, 2015 at 8:33 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
Sina Owolabi wrote:
Hi List,

I've seen this happen on two occasions now, in two different
environments, one with RHEL 6.6 and one with RHEL 6.3.

I have issues with a replica server: I delete the replication
agreement, remove the server from IPA DNS, run ipa-server-install
--uninstall -U, reboot the server, create new replication settings
from the existing master, and restore the replica.
Running ipactl status, I see:

  ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING

No DNS service listed. Named is not running.

ipactl restart
Restarting Directory Service
Shutting down dirsrv:
     MYDOM-COM...                                    [  OK  ]
Starting dirsrv:
     MYDOM-COM...                                    [  OK  ]
Restarting KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Starting Kerberos 5 KDC:                                   [  OK  ]
Restarting KPASSWD Service
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Starting Kerberos 5 Admin Server:                          [  OK  ]
Restarting MEMCACHE Service
Stopping ipa_memcached:                                    [  OK  ]
Starting ipa_memcached:                                    [  OK  ]
Restarting HTTP Service
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]

Checking on named:
  service named status
rndc: connect failed: 127.0.0.1#953: connection refused
named is stopped
# service named start
Starting named:                                            [  OK  ]
# service named status
version: 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1
CPUs found: 2
worker threads: 2
number of zones: 19
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
named (pid  25017) is running...

But it does not resolve. Please what is happening and how can I fix this?
I don't know what logs to provide, but please let me know what is
necessary and I'll make them available.
Bind is an optional service. You can either configure it at the time you
install the replica using the --setup-dns option, or afterward using
ipa-dns-install.

rob



--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
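The SEC_ERROR_UNTRUSTED_ISSUER errors above come from NSS finding the issuer either missing a trust flag or past its validity, which is what the expiry question is getting at. The following diagnostic is an added example, not code from the thread or from FreeIPA; it assumes the RHEL6-era FreeIPA layout (HTTP "Server-Cert" and the "MYDOM.COM IPA CA" in the NSS database /etc/httpd/alias, the client trust store in /etc/pki/nssdb), certutil from nss-tools, and GNU date.

```shell
#!/bin/bash
# Added diagnostic helper (assumption: RHEL6-era FreeIPA NSS layout, nss-tools,
# GNU date). Nicknames/realm follow the thread: Server-Cert, MYDOM.COM IPA CA.
set -u

# Days from $2 (epoch seconds, default: now) until a certutil "Not After" timestamp.
# certutil prints local time; parsing it as UTC is off by at most a few hours.
days_left() {
    local not_after=$1 now=${2:-$(date +%s)} end
    end=$(TZ=UTC date -d "$not_after" +%s) || return 1
    echo $(( (end - now) / 86400 ))
}

# Trust-flags column of a `certutil -L` line, e.g. "CT,C,C" or "u,u,u"; the first
# field is the SSL trust. A CA entry without C there is "not trusted by the user",
# which is exactly the SEC_ERROR_UNTRUSTED_ISSUER reported in the thread.
ca_trusted_for_ssl() {
    case ${1%%,*} in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Parse a `certutil -L -d <db>` listing and print a verdict for each IPA CA entry.
report_ca_trust() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case $line in
            *"IPA CA"*)
                flags=${line##* }       # last whitespace-separated field
                nick=${line%%  *}       # nickname ends at the first double space
                if ca_trusted_for_ssl "$flags"; then
                    echo "trusted: $nick ($flags)"
                else
                    echo "UNTRUSTED: $nick ($flags) -> SEC_ERROR_UNTRUSTED_ISSUER"
                fi ;;
        esac
    done
}

# Run the checks against the live databases (needs certutil and root).
check_ipa_certs() {
    local db not_after
    for db in /etc/httpd/alias /etc/pki/nssdb; do
        echo "== $db"
        report_ca_trust "$(certutil -L -d "$db")"
    done
    # Validity of the HTTP server cert, the one the ipa client talks to.
    not_after=$(certutil -L -d /etc/httpd/alias -n Server-Cert | sed -n 's/^ *Not After *: *//p')
    echo "Server-Cert expires in $(days_left "$not_after") days"
}
```

Source the file on the replica and call check_ipa_certs; a negative day count or an UNTRUSTED line points at the renewal or trust-flag problem rather than at DNS.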
