On 6/17/15 6:21 AM, Rob Crittenden wrote:
Janelle wrote:
On 6/17/15 6:14 AM, Rob Crittenden wrote:
Janelle wrote:
Hi,

Had a server - named ipa001.example.com -- it was a replica. It died. It
was re-installed. However, prior to the re-install it was saying the
wonderful:

TLS error -8172:Peer's certificate issuer has been marked as not trusted
by the user.

It was rebuilt - new OS and doing a brand new ipa-server-install (NOT a
replica or trying to join it back in to the existing ring of servers)
and at the end of the ipa-server-install - it gives:

Done.
Restarting the directory server
Restarting the KDC
Restarting the certificate server
Restarting the web server
Unable to set admin password Command ''/usr/bin/ldappasswd' '-h'
'ipa001.example.com' '-ZZ' '-x' '-D' 'cn=Directory Manager' '-y'
'/var/lib/ipa/tmp5Fxy2Z' '-T' '/var/lib/ipa/tmpnz0jLs'
'uid=admin,cn=users,cn=accounts,dc=example,dc=com'' returned non-zero
exit status 1
Configuration of client side components failed!
ipa-client-install returned: Command ''/usr/sbin/ipa-client-install'
'--on-master' '--unattended' '--domain' 'example.com' '--server'
'ipa001.example.com' '--realm' 'example.com' '--hostname'
'ipa001.example.com'' returned non-zero exit status 1

and checking /var/log/ipaclient-install.log - the exact same TLS
error????

But this is a brand new system, with brand new OS and the install was
ipa-server-install to install a clean server.

I don't understand how this is happening. There is no "peer" to be not
trusted?

What version of IPA and distro? (I don't think that probably has
anything to do with it, just curious in case it does eventually matter).

What does /etc/openldap/ldap.conf look like? Normally it should have
TLS_CACERT /etc/ipa/ca.crt

Any chance you can share the server and client install logs?

rob
4.1.4 = IPA
CentOS 7.1

Oooh... Found something:  /etc/openldap/ldap.conf:

TLS_CACERTDIR    /etc/openldap/certs

Going to investigate.
~J


That should be fine assuming there aren't any certs in there (and on a brand new system I'd think you'd have empty NSS databases).

rob
Well I was able to get another server stood up, but now if I go back to the server I was TRYING to set up and add it as a replica:

<all good to here -- then>
Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'ipa002.example.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

Connection from master to replica is OK.

Connection check OK
Using reverse zone(s) 202.161.17.in-addr.arpa.

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Unexpected error - see /var/log/ipareplica-install.log for details:
NetworkError: cannot connect to 'ldaps://ipa001.example.com': TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.

========================
ipareplica-install.log below:


2015-06-17T13:37:48Z DEBUG stderr=
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/radiusproxy.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/realmdomains.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/role.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/rpcclient.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/selfservice.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/selinuxusermap.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/service.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmd.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmdgroup.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudorule.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/user.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/virtual.py'
2015-06-17T13:37:48Z DEBUG importing all plugin modules in '/usr/lib/python2.7/site-packages/ipaserver/install/plugins'...
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/adtrust.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/baseupdate.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/ca_renewal_master.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/fix_replica_agreements.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/rename_managed.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_idranges.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_managed_permissions.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_pacs.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_passsync.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_referint.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_services.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_uniqueness.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py'
2015-06-17T13:37:48Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/install/plugins/upload_cacrt.py'
2015-06-17T13:37:49Z DEBUG group dirsrv exists
2015-06-17T13:37:49Z DEBUG user dirsrv exists
2015-06-17T13:37:49Z DEBUG File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 642, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-replica-install", line 626, in main
    tls_cacertfile=cafile)
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 63, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 169, in create_connection
    clientctrls=clientctrls)
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1206, in error_handler
    error=info)

2015-06-17T13:37:49Z DEBUG The ipa-replica-install command failed, exception: NetworkError: cannot connect to 'ldaps://ipa001.example.com': TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project