On 01/10/2015 05:47 PM, Sina Owolabi wrote:


Yes, I've had this installed more than three years, and I upgrade from time to time, not frequently because I don't want to break anything. I just did an upgrade to the latest RHEL version about a week ago, when the replica started acting up. Directory services would hang indefinitely, and nothing else would function. So I took it down and reinstalled ipa and resynced.
Is there a fix I can apply?


Your situation has symptoms quite similar to the case of expired certificates. What most likely happened is that the certificates were not renewed properly, or were not renewed properly on all servers.

Here is the procedure
http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
There have also been some threads on this, as a lot of people have hit it.

Check IPA mailing archives.
Rob Crittenden is the person who was hand holding other people on the list through this and similar procedures, so look for his posts.

But before you go there, please check that this is actually the case and your certs have in fact expired. Check all your servers.

Here is the pointer
http://www.freeipa.org/page/Troubleshooting#PKI_Issues


On Jan 10, 2015 10:42 PM, "Dmitri Pal" <d...@redhat.com> wrote:

    On 01/10/2015 04:41 AM, Sina Owolabi wrote:

        I've run ipa-dns-install after the fact now, and named is setup.
        Strange, it used to work without me having to do this manually
        (whenever I needed to take down a replica).
        However when I ran dnsconfig-mod on the new replica, I get:

          ipa dnsconfig-mod
        ipa: ERROR: cert validation failed for "CN=services01.mydom.com,O=MYDOM.COM"
        ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as
        not trusted by the user.)
        ipa: ERROR: cert validation failed for "CN=services.mydom.com,O=MYDOM.COM"
        ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as
        not trusted by the user.)
        ipa: ERROR: cannot connect to Gettext('any of the configured servers',
        domain='ipa', localedir=None):
        https://services01.mydom.com/ipa/xml,
        https://services.mydom.com/ipa/xml


    Can it be that your certs have expired and were not properly renewed?
    How long have you been running this setup?
    More than two years?
    Have you been upgrading since early versions?



        On Sat, Jan 10, 2015 at 10:22 AM, Sina Owolabi
        <notify.s...@gmail.com> wrote:

            I did run it with --setup-dns.

            [root@services01 ~]# ipa-replica-install --setup-dns
            --forwarder=8.8.8.8 --forwarder=8.8.4.4
            replica-info-services01.mydom.com.gpg

            How can I fix this, please?

            On Fri, Jan 9, 2015 at 8:33 PM, Rob Crittenden
            <rcrit...@redhat.com> wrote:

                Sina Owolabi wrote:

                    Hi List,

                    I've seen this happen on two occasions now, in
                    two different
                    environments, one with RHEL 6.6 and RHEL 6.3.

                    I have issues with a replica server; I delete the
                    replication
                    agreement, remove the server from ipa dns, run
                    ipa-server-install
                    --uninstall -U.
                    Reboot the server, create new replication settings
                    from the existing
                    master, and restore the replica.
                    Running ipactl status, I see:

                      ipactl status
                    Directory Service: RUNNING
                    KDC Service: RUNNING
                    KPASSWD Service: RUNNING
                    MEMCACHE Service: RUNNING
                    HTTP Service: RUNNING

                    No DNS service listed. Named is not running.

                    ipactl restart
                    Restarting Directory Service
                    Shutting down dirsrv:
                         MYDOM-COM... [  OK  ]
                    Starting dirsrv:
                         MYDOM-COM... [  OK  ]
                    Restarting KDC Service
                    Stopping Kerberos 5 KDC:      [  OK  ]
                    Starting Kerberos 5 KDC:      [  OK  ]
                    Restarting KPASSWD Service
                    Stopping Kerberos 5 Admin Server:     [  OK  ]
                    Starting Kerberos 5 Admin Server:     [  OK  ]
                    Restarting MEMCACHE Service
                    Stopping ipa_memcached:     [  OK  ]
                    Starting ipa_memcached:     [  OK  ]
                    Restarting HTTP Service
                    Stopping httpd:     [  OK  ]
                    Starting httpd:     [  OK  ]

                    Checking on named:
                      service named status
                    rndc: connect failed: 127.0.0.1#953: connection
                    refused
                    named is stopped
                    # service named start
                    Starting named:     [  OK  ]
                    # service named status
                    version: 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1
                    CPUs found: 2
                    worker threads: 2
                    number of zones: 19
                    debug level: 0
                    xfers running: 0
                    xfers deferred: 0
                    soa queries in progress: 0
                    query logging is OFF
                    recursive clients: 0/0/1000
                    tcp clients: 0/100
                    server is up and running
                    named (pid  25017) is running...

                    But it does not resolve. Please, what is happening
                    and how can I fix this?
                    I don't know what logs to provide, but please let
                    me know what is
                    necessary and I'll make them available.

                Bind is an optional service. You can either configure
                it at the time you
                install the replica using the --setup-dns option, or
                afterward using
                ipa-dns-install.

                rob



    --
    Thank you,
    Dmitri Pal

    Sr. Engineering Manager IdM portfolio
    Red Hat, Inc.

    --
    Manage your subscription for the Freeipa-users mailing list:
    https://www.redhat.com/mailman/listinfo/freeipa-users
    Go To http://freeipa.org for more info on the project



--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
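
The check Dmitri asks for at the top of the thread (confirm on every server whether the IPA certificates have actually expired before starting the CA renewal procedure) is normally done with certmonger's `getcert list`. The script below is an added example, not code from this thread or from the FreeIPA project. It parses `getcert list` output using the real certmonger fields (`Request ID`, `status:`, `subject:`, `expires:`) and flags each tracked certificate as EXPIRED (expiry before a reference date), NOT_MONITORING (certmonger is no longer in its normal MONITORING state, which is what you see when renewal did not go through, e.g. CA_UNREACHABLE), or OK. The function names, the EXPIRED/NOT_MONITORING/OK labels and the embedded sample output are the example's own; the request IDs, hostnames and dates in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): audit certmonger-tracked
# certificates for expiry and stuck renewals. On a real IPA server run:
#     getcert list | check_getcert_expiry "$(date -u +%Y%m%d)"
# The reference date is YYYYMMDD so the comparison is plain integer
# arithmetic and works in POSIX sh/awk without GNU "date -d".

check_getcert_expiry() {
    ref="$1"
    awk -v ref="$ref" '
        # Each tracked cert starts with a "Request ID" line; reset per-entry state.
        /^Request ID/ {
            id = $3; gsub(/[^0-9]/, "", id)
            status = ""; subj = ""
        }
        /^[ \t]*status:/  { status = $2 }
        /^[ \t]*subject:/ { subj = $0; sub(/^[ \t]*subject: */, "", subj) }
        # "expires:" comes after status and subject in getcert output, so classify here.
        /^[ \t]*expires:/ {
            ymd = $2; gsub(/-/, "", ymd)
            if (ymd + 0 < ref + 0)
                printf "EXPIRED %s %s %s\n", id, $2, subj
            else if (status != "MONITORING")
                printf "NOT_MONITORING %s %s %s\n", id, status, subj
            else
                printf "OK %s %s %s\n", id, $2, subj
        }
    '
}

# Constructed sample in the shape of "getcert list" on an IPA server;
# request IDs, hostnames and dates are made up for this example.
sample_getcert_output() {
    cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20120115093012':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MYDOM-COM',nickname='Server-Cert',token='NSS Certificate DB'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-MYDOM-COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=MYDOM.COM
        subject: CN=services01.mydom.com,O=MYDOM.COM
        expires: 2014-01-15 09:30:12 UTC
        track: yes
        auto-renew: yes
Request ID '20140220101500':
        status: CA_UNREACHABLE
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=MYDOM.COM
        subject: CN=services01.mydom.com,O=MYDOM.COM
        expires: 2016-02-20 10:15:00 UTC
        track: yes
        auto-renew: yes
Request ID '20140220101501':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=MYDOM.COM
        subject: CN=IPA RA,O=MYDOM.COM
        expires: 2016-02-20 10:15:01 UTC
        track: yes
        auto-renew: yes
EOF
}

# How many sample entries carry a given label (EXPIRED, NOT_MONITORING, OK)
# when audited against a YYYYMMDD reference date.
count_flagged() {
    sample_getcert_output | check_getcert_expiry "$1" | grep -c "^$2"
}

# Audit the sample as of 2015-01-10, the date of this thread.
sample_getcert_output | check_getcert_expiry 20150110
```

Run it on every master and replica, not just the one that misbehaves: a cert that renewed on one server and not on another is exactly the "not renewed properly on all servers" case, and the SEC_ERROR_UNTRUSTED_ISSUER errors in the thread come from a peer presenting a cert the client's NSS database no longer trusts. Any EXPIRED or NOT_MONITORING line is the cue to follow the CA_Certificate_Renewal Howto linked above rather than reinstalling the replica.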
