On 29/11/16 12:15, David Dejaeghere wrote:
Seems like it is but it does not show a server cert for dirsrv

[root@ns02 ~]# ls -lZ /etc/dirsrv/slapd-SOMETHING-BE/
total 468
-rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db
-rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db.orig
-r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  1623 Nov 29 11:29 certmap.conf
-rw-------. 1 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0     89977 Nov 29 11:29 dse.ldif
-rw-------. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0     89977 Nov 29 11:29 dse.ldif.bak
-rw-------. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0     89977 Nov 29 11:29 dse.ldif.startOK
-r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 36228 Nov 29 11:28 dse_original.ldif
-rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db
-rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db.orig
-r--------. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0    66 Nov 29 11:29 pin.txt
-rw-------. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0    40 Nov 29 11:29 pwdfile.txt
drwxrwx---. 2 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  4096 Nov 29 11:29 schema
-rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db
-rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db.orig
-r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 15142 Nov 29 11:28 slapd-collations.conf

[root@ns02 ~]# certutil -d /etc/dirsrv/slapd-SOMETHING-BE -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=something-PAPRIKA-CA,DC=something,DC=local                CT,C,C
SOMETHING.BE IPA CA                                         CT,C,C

[root@ns02 ~]# ausearch -m avc -i
<no matches>



Exactly, the NSSDB should be accessible to dirsrv and is missing the Server-Cert, but I don't understand why there's a "bad database" error in the errors log. I'll try to reproduce it. What version of FreeIPA are you using? On what system?


2016-11-29 12:09 GMT+01:00 David Kupka <dku...@redhat.com>:

On 29/11/16 11:51, David Dejaeghere wrote:

Hi,

I have a setup where I want to add a replica. The first master setup has
an externally signed cert for dirsrv and httpd. The replica is prepared
successfully with ipa-client-install, but the replica install then keeps
failing. It seems that during install dirsrv is not configured correctly
with a valid server certificate. Output from the dirsrv error log is added
to this email as well.

[root@ns02 ~]# ipa-replica-install --setup-ca
WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd

Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/43]: creating directory server user
  [2/43]: creating directory server instance
  [3/43]: restarting directory server
  [4/43]: adding default schema
  [5/43]: enabling memberof plugin
  [6/43]: enabling winsync plugin
  [7/43]: configuring replication version plugin
  [8/43]: enabling IPA enrollment plugin
  [9/43]: enabling ldapi
  [10/43]: configuring uniqueness plugin
  [11/43]: configuring uuid plugin
  [12/43]: configuring modrdn plugin
  [13/43]: configuring DNS plugin
  [14/43]: enabling entryUSN plugin
  [15/43]: configuring lockout plugin
  [16/43]: configuring topology plugin
  [17/43]: creating indices
  [18/43]: enabling referential integrity plugin
  [19/43]: configuring certmap.conf
  [20/43]: configure autobind for root
  [21/43]: configure new location for managed entries
  [22/43]: configure dirsrv ccache
  [23/43]: enabling SASL mapping fallback
  [24/43]: restarting directory server
  [25/43]: creating DS keytab
  [26/43]: retrieving DS Certificate
  [27/43]: restarting directory server
ipa         : CRITICAL Failed to restart the directory server (Command '/bin/systemctl restart dirsrv@SOMETHING-BE.service' returned non-zero exit status 1). See the installation log for details.
  [28/43]: setting up initial replication
  [error] error: [Errno 111] Connection refused
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.


[29/Nov/2016:11:29:44.034285579 +0100] SSL alert: Security Initialization: Can't find certificate (Server-Cert) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
[29/Nov/2016:11:29:44.045039728 +0100] SSL alert: Security Initialization: Unable to retrieve private key for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)




Hello David,

The error from the log indicates that either the NSSDB for dirsrv is not
initialized or not accessible.

Could you please send output of the following commands?

# ls -lZ /etc/dirsrv/slapd-$REALM/
# certutil -d /etc/dirsrv/slapd-$REALM/ -L
# ausearch -m avc -i


--
David Kupka





--
David Kupka
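The check discussed in this thread (is the Server-Cert nickname present in the dirsrv NSS database, which the -8174 "bad database" alert complains about), as an added example that is not code from the thread or from FreeIPA. It parses `certutil -d DIR -L` output from stdin, so the listing David posted can be checked offline; the function and sample names are the example's own.

```shell
#!/bin/sh
# Added example: parse `certutil -d <dir> -L` output and check whether the
# nickname dirsrv expects (Server-Cert) is listed. Reading from stdin lets
# the same parser run on a saved listing with no NSS DB present.

# nss_nicknames: print one certificate nickname per line.
# Data rows end in a trust-flag triple such as "CT,C,C" or "u,u,u";
# the header rows ("Trust Attributes", "SSL,S/MIME,JAR/XPI") do not.
nss_nicknames() {
    awk '
        NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            sub(/[ \t]+[^ \t]+$/, "")   # strip the trailing trust flags
            sub(/^[ \t]+/, "")          # trim leading blanks
            print
        }'
}

# nss_has_nickname NICK: exit 0 if NICK appears in the listing on stdin.
nss_has_nickname() {
    nss_nicknames | grep -Fxq -- "$1"
}

# nss_check_server_cert DIR: run certutil on a real NSS DB and report the
# condition diagnosed in the thread (no Server-Cert, so SSL init fails).
nss_check_server_cert() {
    if certutil -d "$1" -L | nss_has_nickname Server-Cert; then
        echo "OK: Server-Cert present in $1"
        return 0
    fi
    echo "MISSING: no Server-Cert in $1; dirsrv SSL init will fail" >&2
    return 1
}

# Constructed sample: the listing from the thread (only CA certs, no Server-Cert).
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=something-PAPRIKA-CA,DC=something,DC=local                CT,C,C
SOMETHING.BE IPA CA                                          CT,C,C'
```

On the replica, `nss_check_server_cert /etc/dirsrv/slapd-SOMETHING-BE` runs the real certutil; the sample only exercises the parser.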

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project