On 29/11/16 11:51, David Dejaeghere wrote:

I have a setup where i want to add a replica.  The first master setup has
an externally signed cert for dirsrv and httpd.  The replica is prepapred
succesfully with ipa-client-install but the replica install then keeps
failing.  It seems that during install dirserv is not configured correctly
with a valid server certificate. Output from the dirsrv error added to this
email as well.

[root@ns02 ~]# ipa-replica-install --setup-ca
WARNING: conflicting time&date synchronization service 'chronyd' will
be disabled in favor of ntpd

Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/43]: creating directory server user
  [2/43]: creating directory server instance
  [3/43]: restarting directory server
  [4/43]: adding default schema
  [5/43]: enabling memberof plugin
  [6/43]: enabling winsync plugin
  [7/43]: configuring replication version plugin
  [8/43]: enabling IPA enrollment plugin
  [9/43]: enabling ldapi
  [10/43]: configuring uniqueness plugin
  [11/43]: configuring uuid plugin
  [12/43]: configuring modrdn plugin
  [13/43]: configuring DNS plugin
  [14/43]: enabling entryUSN plugin
  [15/43]: configuring lockout plugin
  [16/43]: configuring topology plugin
  [17/43]: creating indices
  [18/43]: enabling referential integrity plugin
  [19/43]: configuring certmap.conf
  [20/43]: configure autobind for root
  [21/43]: configure new location for managed entries
  [22/43]: configure dirsrv ccache
  [23/43]: enabling SASL mapping fallback
  [24/43]: restarting directory server
  [25/43]: creating DS keytab
  [26/43]: retrieving DS Certificate
  [27/43]: restarting directory server
ipa         : CRITICAL Failed to restart the directory server (Command
'/bin/systemctl restart dirsrv@SOMETHING-BE.service' returned non-zero exit
status 1). See the installation log for details.
  [28/43]: setting up initial replication
  [error] error: [Errno 111] Connection refused
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

[29/Nov/2016:11:29:44.034285579 +0100] SSL alert: Security Initialization:
Can't find certificate (Server-Cert) for family
cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 -
security library: bad database.)
[29/Nov/2016:11:29:44.045039728 +0100] SSL alert: Security Initialization:
Unable to retrieve private key for cert Server-Cert of family
cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 -
security library: bad database.)

Hello David,

The error from the log indicates that either the NSSDB for dirsrv is not initialized or not accessible.

Could you please send output of the following commands?

# ls -lZ /etc/dirsrv/slapd-$REALM/
# certutil -d /etc/dirsrv/slapd-$REALM/ -L
# ausearch -m avc -i

David Kupka

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to