Correct. Same symptoms.

2016-11-29T10:29:42Z DEBUG certmonger request is in state dbus.String(u'CA_UNREACHABLE', variant_level=1)

Fedora 24 Server

[root@ns02 ~]# dnf history userinstalled
Packages installed by user
freeipa-client-4.3.2-2.fc24.x86_64
freeipa-server-4.3.2-2.fc24.x86_64
grub2-1:2.02-0.34.fc24.x86_64
kernel-4.5.5-300.fc24.x86_64
kernel-4.8.8-200.fc24.x86_64
lvm2-2.02.150-2.fc24.x86_64
xfsprogs-4.5.0-2.fc24.x86_64

2016-11-29 13:41 GMT+01:00 Petr Vobornik <pvobo...@redhat.com>:
> On 11/29/2016 12:43 PM, David Kupka wrote:
> > On 29/11/16 12:15, David Dejaeghere wrote:
> >> Seems like it is, but it does not show a server cert for dirsrv.
> >>
> >> [root@ns02 ~]# ls -lZ /etc/dirsrv/slapd-SOMETHING-BE/
> >> total 468
> >> -rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db
> >> -rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db.orig
> >> -r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  1623 Nov 29 11:29 certmap.conf
> >> -rw-------. 1 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0      89977 Nov 29 11:29 dse.ldif
> >> -rw-------. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0      89977 Nov 29 11:29 dse.ldif.bak
> >> -rw-------. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0      89977 Nov 29 11:29 dse.ldif.startOK
> >> -r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 36228 Nov 29 11:28 dse_original.ldif
> >> -rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db
> >> -rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db.orig
> >> -r--------. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0    66 Nov 29 11:29 pin.txt
> >> -rw-------. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0    40 Nov 29 11:29 pwdfile.txt
> >> drwxrwx---. 2 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  4096 Nov 29 11:29 schema
> >> -rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db
> >> -rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db.orig
> >> -r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 15142 Nov 29 11:28 slapd-collations.conf
> >>
> >> [root@ns02 ~]# certutil -d /etc/dirsrv/slapd-SOMETHING-BE -L
> >>
> >> Certificate Nickname                                         Trust Attributes
> >>                                                              SSL,S/MIME,JAR/XPI
> >>
> >> CN=something-PAPRIKA-CA,DC=something,DC=local                CT,C,C
> >> SOMETHING.BE IPA CA                                          CT,C,C
> >>
> >> [root@ns02 ~]# ausearch -m avc -i
> >> <no matches>
> >>
> >
> > Exactly, the NSSDB should be accessible to dirsrv and is missing the
> > Server-Cert, but I don't understand why there's a "bad database" error in
> > the errors log. I'll try to reproduce it. What version of FreeIPA are
> > you using? On what system?
>
> Right.
>
> Seems a bit similar to https://fedorahosted.org/freeipa/ticket/6514; it would
> be good to check if it has the same symptoms, mainly
>
>     certmonger request is in state dbus.String(u'CA_UNREACHABLE', variant_level=1)
>
> in the replica install log.
>
> >>
> >> 2016-11-29 12:09 GMT+01:00 David Kupka <dku...@redhat.com>:
> >>
> >>> On 29/11/16 11:51, David Dejaeghere wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> I have a setup where I want to add a replica. The first master setup has
> >>>> an externally signed cert for dirsrv and httpd. The replica is prepared
> >>>> successfully with ipa-client-install, but the replica install then keeps
> >>>> failing. It seems that during install dirsrv is not configured correctly
> >>>> with a valid server certificate. Output from the dirsrv error is added to
> >>>> this email as well.
> >>>>
> >>>> [root@ns02 ~]# ipa-replica-install --setup-ca
> >>>> WARNING: conflicting time&date synchronization service 'chronyd' will
> >>>> be disabled in favor of ntpd
> >>>>
> >>>> Run connection check to master
> >>>> Connection check OK
> >>>> Configuring NTP daemon (ntpd)
> >>>>   [1/4]: stopping ntpd
> >>>>   [2/4]: writing configuration
> >>>>   [3/4]: configuring ntpd to start on boot
> >>>>   [4/4]: starting ntpd
> >>>> Done configuring NTP daemon (ntpd).
> >>>> Configuring directory server (dirsrv). Estimated time: 1 minute
> >>>>   [1/43]: creating directory server user
> >>>>   [2/43]: creating directory server instance
> >>>>   [3/43]: restarting directory server
> >>>>   [4/43]: adding default schema
> >>>>   [5/43]: enabling memberof plugin
> >>>>   [6/43]: enabling winsync plugin
> >>>>   [7/43]: configuring replication version plugin
> >>>>   [8/43]: enabling IPA enrollment plugin
> >>>>   [9/43]: enabling ldapi
> >>>>   [10/43]: configuring uniqueness plugin
> >>>>   [11/43]: configuring uuid plugin
> >>>>   [12/43]: configuring modrdn plugin
> >>>>   [13/43]: configuring DNS plugin
> >>>>   [14/43]: enabling entryUSN plugin
> >>>>   [15/43]: configuring lockout plugin
> >>>>   [16/43]: configuring topology plugin
> >>>>   [17/43]: creating indices
> >>>>   [18/43]: enabling referential integrity plugin
> >>>>   [19/43]: configuring certmap.conf
> >>>>   [20/43]: configure autobind for root
> >>>>   [21/43]: configure new location for managed entries
> >>>>   [22/43]: configure dirsrv ccache
> >>>>   [23/43]: enabling SASL mapping fallback
> >>>>   [24/43]: restarting directory server
> >>>>   [25/43]: creating DS keytab
> >>>>   [26/43]: retrieving DS Certificate
> >>>>   [27/43]: restarting directory server
> >>>> ipa         : CRITICAL Failed to restart the directory server (Command '/bin/systemctl restart dirsrv@SOMETHING-BE.service' returned non-zero exit status 1). See the installation log for details.
> >>>>   [28/43]: setting up initial replication
> >>>>   [error] error: [Errno 111] Connection refused
> >>>> Your system may be partly configured.
> >>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >>>>
> >>>>
> >>>> [29/Nov/2016:11:29:44.034285579 +0100] SSL alert: Security Initialization: Can't find certificate (Server-Cert) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
> >>>> [29/Nov/2016:11:29:44.045039728 +0100] SSL alert: Security Initialization: Unable to retrieve private key for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
> >>>>
> >>>>
> >>> Hello David,
> >>>
> >>> The error from the log indicates that either the NSSDB for dirsrv is not
> >>> initialized or not accessible.
> >>>
> >>> Could you please send output of the following commands?
> >>>
> >>> # ls -lZ /etc/dirsrv/slapd-$REALM/
> >>> # certutil -d /etc/dirsrv/slapd-$REALM/ -L
> >>> # ausearch -m avc -i
> >>>
> >>>
> >>> --
> >>> David Kupka
> >>>
>
> --
> Petr Vobornik
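An added check, not written by anyone in this thread, that parses the certutil -L listing and the install-log certmonger line quoted above to flag the exact symptom under discussion: CA certificates present in the dirsrv NSS DB but no Server-Cert backed by a private key. The function names are my own, the sample listing is copied from the thread, and the live command in the comment assumes nss-tools is installed and the instance directory name from the thread.

```shell
# Trust flags of nickname $1 from a `certutil -d <dir> -L` listing on stdin.
# Prints the flags and returns 0 if found; returns 1 if the nickname is absent.
nss_cert_trust() {
    awk -v nick="$1" '
        # data rows end in a trust triple such as "CT,C,C" or "u,u,u";
        # the two header rows do not, so they are skipped automatically
        $NF ~ /^[CTcPpu]*,[CTcPpu]*,[CTcPpu]*$/ {
            trust = $NF
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # drop the trust column
            sub(/^[ \t]+/, "", name)
            if (name == nick) { print trust; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# Classify a dirsrv NSS DB listing. A "u" trust flag means NSS holds the
# matching private key, which the cn=RSA,cn=encryption,cn=config family needs.
# Prints one of: ok | missing-server-cert | server-cert-without-private-key
diagnose_listing() {
    if ! trust=$(nss_cert_trust "Server-Cert"); then
        echo "missing-server-cert"; return 1
    fi
    case "$trust" in
        u,u,u) echo "ok" ;;
        *)     echo "server-cert-without-private-key"; return 1 ;;
    esac
}

# Request state from an install-log "certmonger request is in state" line,
# e.g. CA_UNREACHABLE for the DEBUG line at the top of this message.
certmonger_state() {
    sed -n "s/.*certmonger request is in state dbus\.String(u'\([A-Z_]*\)'.*/\1/p"
}

# Constructed sample: the listing from the thread, where Server-Cert is absent.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=something-PAPRIKA-CA,DC=something,DC=local                CT,C,C
SOMETHING.BE IPA CA                                          CT,C,C'

# On a real host (assumes nss-tools and the instance directory from the thread):
#   certutil -d /etc/dirsrv/slapd-SOMETHING-BE -L | diagnose_listing
printf '%s\n' "$SAMPLE_LISTING" | diagnose_listing || :
```

The sample listing yields "missing-server-cert", matching the "Can't find certificate (Server-Cert)" alert in the dirsrv errors log.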
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project