Can you give me a couple of test commands? I am not familiar with Dogtag.

Regards,
David

2016-11-29 14:57 GMT+01:00 David Kupka <dku...@redhat.com>:
> On 29/11/16 13:55, David Dejaeghere wrote:
>> Correct. Same symptoms.
>>
>> 2016-11-29T10:29:42Z DEBUG certmonger request is in state
>> dbus.String(u'CA_UNREACHABLE', variant_level=1)
>>
>> Fedora 24 Server
>>
>> [root@ns02 ~]# dnf history userinstalled
>> Packages installed by user
>> freeipa-client-4.3.2-2.fc24.x86_64
>> freeipa-server-4.3.2-2.fc24.x86_64
>> grub2-1:2.02-0.34.fc24.x86_64
>> kernel-4.5.5-300.fc24.x86_64
>> kernel-4.8.8-200.fc24.x86_64
>> lvm2-2.02.150-2.fc24.x86_64
>> xfsprogs-4.5.0-2.fc24.x86_64
>
> Ok. I've reproduced it by simply stopping dogtag on the FreeIPA server while
> installing the replica. I see exactly the same errors as you've reported
> and as are described in the ticket, now.
>
> Is dogtag running on your master? Is it responding (e.g. issuing
> certificates for users)? Is it accessible from the replica?
>
>> 2016-11-29 13:41 GMT+01:00 Petr Vobornik <pvobo...@redhat.com>:
>>> On 11/29/2016 12:43 PM, David Kupka wrote:
>>>> On 29/11/16 12:15, David Dejaeghere wrote:
>>>>> Seems like it is, but it does not show a server cert for dirsrv.
>>>>>
>>>>> [root@ns02 ~]# ls -lZ /etc/dirsrv/slapd-SOMETHING-BE/
>>>>> total 468
>>>>> -rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db
>>>>> -rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db.orig
>>>>> -r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  1623 Nov 29 11:29 certmap.conf
>>>>> -rw-------. 1 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0     89977 Nov 29 11:29 dse.ldif
>>>>> -rw-------. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0     89977 Nov 29 11:29 dse.ldif.bak
>>>>> -rw-------. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0     89977 Nov 29 11:29 dse.ldif.startOK
>>>>> -r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 36228 Nov 29 11:28 dse_original.ldif
>>>>> -rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db
>>>>> -rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db.orig
>>>>> -r--------. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0    66 Nov 29 11:29 pin.txt
>>>>> -rw-------. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0    40 Nov 29 11:29 pwdfile.txt
>>>>> drwxrwx---. 2 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  4096 Nov 29 11:29 schema
>>>>> -rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db
>>>>> -rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db.orig
>>>>> -r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 15142 Nov 29 11:28 slapd-collations.conf
>>>>>
>>>>> [root@ns02 ~]# certutil -d /etc/dirsrv/slapd-SOMETHING-BE -L
>>>>>
>>>>> Certificate Nickname                               Trust Attributes
>>>>>                                                    SSL,S/MIME,JAR/XPI
>>>>>
>>>>> CN=something-PAPRIKA-CA,DC=something,DC=local      CT,C,C
>>>>> SOMETHING.BE IPA CA                                CT,C,C
>>>>>
>>>>> [root@ns02 ~]# ausearch -m avc -i
>>>>> <no matches>
>>>>
>>>> Exactly, the NSSDB should be accessible to dirsrv and is missing the
>>>> Server-Cert, but I don't understand why there's a "bad database" error in
>>>> the errors log. I'll try to reproduce it. What version of FreeIPA are
>>>> you using? On what system?
>>>
>>> Right.
>>>
>>> Seems a bit similar to https://fedorahosted.org/freeipa/ticket/6514; it would
>>> be good to check if it has the same symptoms, mainly
>>>
>>> certmonger request is in state dbus.String(u'CA_UNREACHABLE', variant_level=1)
>>>
>>> in the replica install log.
>>>
>>>>> 2016-11-29 12:09 GMT+01:00 David Kupka <dku...@redhat.com>:
>>>>>> On 29/11/16 11:51, David Dejaeghere wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I have a setup where I want to add a replica. The first master setup has
>>>>>>> an externally signed cert for dirsrv and httpd. The replica is prepared
>>>>>>> successfully with ipa-client-install but the replica install then keeps
>>>>>>> failing. It seems that during install dirsrv is not configured correctly
>>>>>>> with a valid server certificate. Output from the dirsrv error added to
>>>>>>> this email as well.
>>>>>>>
>>>>>>> [root@ns02 ~]# ipa-replica-install --setup-ca
>>>>>>> WARNING: conflicting time&date synchronization service 'chronyd' will
>>>>>>> be disabled in favor of ntpd
>>>>>>>
>>>>>>> Run connection check to master
>>>>>>> Connection check OK
>>>>>>> Configuring NTP daemon (ntpd)
>>>>>>>   [1/4]: stopping ntpd
>>>>>>>   [2/4]: writing configuration
>>>>>>>   [3/4]: configuring ntpd to start on boot
>>>>>>>   [4/4]: starting ntpd
>>>>>>> Done configuring NTP daemon (ntpd).
>>>>>>> Configuring directory server (dirsrv). Estimated time: 1 minute
>>>>>>>   [1/43]: creating directory server user
>>>>>>>   [2/43]: creating directory server instance
>>>>>>>   [3/43]: restarting directory server
>>>>>>>   [4/43]: adding default schema
>>>>>>>   [5/43]: enabling memberof plugin
>>>>>>>   [6/43]: enabling winsync plugin
>>>>>>>   [7/43]: configuring replication version plugin
>>>>>>>   [8/43]: enabling IPA enrollment plugin
>>>>>>>   [9/43]: enabling ldapi
>>>>>>>   [10/43]: configuring uniqueness plugin
>>>>>>>   [11/43]: configuring uuid plugin
>>>>>>>   [12/43]: configuring modrdn plugin
>>>>>>>   [13/43]: configuring DNS plugin
>>>>>>>   [14/43]: enabling entryUSN plugin
>>>>>>>   [15/43]: configuring lockout plugin
>>>>>>>   [16/43]: configuring topology plugin
>>>>>>>   [17/43]: creating indices
>>>>>>>   [18/43]: enabling referential integrity plugin
>>>>>>>   [19/43]: configuring certmap.conf
>>>>>>>   [20/43]: configure autobind for root
>>>>>>>   [21/43]: configure new location for managed entries
>>>>>>>   [22/43]: configure dirsrv ccache
>>>>>>>   [23/43]: enabling SASL mapping fallback
>>>>>>>   [24/43]: restarting directory server
>>>>>>>   [25/43]: creating DS keytab
>>>>>>>   [26/43]: retrieving DS Certificate
>>>>>>>   [27/43]: restarting directory server
>>>>>>> ipa         : CRITICAL Failed to restart the directory server (Command
>>>>>>> '/bin/systemctl restart dirsrv@SOMETHING-BE.service' returned non-zero
>>>>>>> exit status 1). See the installation log for details.
>>>>>>>   [28/43]: setting up initial replication
>>>>>>>   [error] error: [Errno 111] Connection refused
>>>>>>> Your system may be partly configured.
>>>>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>>>>
>>>>>>> [29/Nov/2016:11:29:44.034285579 +0100] SSL alert: Security Initialization:
>>>>>>> Can't find certificate (Server-Cert) for family
>>>>>>> cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 -
>>>>>>> security library: bad database.)
>>>>>>> [29/Nov/2016:11:29:44.045039728 +0100] SSL alert: Security Initialization:
>>>>>>> Unable to retrieve private key for cert Server-Cert of family
>>>>>>> cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 -
>>>>>>> security library: bad database.)
>>>>>>
>>>>>> Hello David,
>>>>>>
>>>>>> The error from the log indicates that either the NSSDB for dirsrv is
>>>>>> not initialized or not accessible.
>>>>>>
>>>>>> Could you please send output of the following commands?
>>>>>>
>>>>>> # ls -lZ /etc/dirsrv/slapd-$REALM/
>>>>>> # certutil -d /etc/dirsrv/slapd-$REALM/ -L
>>>>>> # ausearch -m avc -i
>>>>>>
>>>>>> --
>>>>>> David Kupka
>>>
>>> --
>>> Petr Vobornik
>
> --
> David Kupka
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
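The thread's diagnosis boils down to two checks on the replica: whether the dirsrv NSS database actually holds a `Server-Cert`, and whether certmonger could reach the Dogtag CA on the master. The script below is an added example (not from the thread or the FreeIPA project) that wraps those checks; the parsing functions read command output on stdin so they can be exercised against the constructed samples, and the live `triage` function assumes the usual FreeIPA paths (`/etc/dirsrv/slapd-$REALM`, `/var/log/ipareplica-install.log`) and the Dogtag status URL on port 8443.

```shell
#!/bin/sh
# Added example: replica-side triage for "Can't find certificate (Server-Cert)"
# after ipa-replica-install. Not part of the mailing-list thread.

# Constructed sample: certutil -L output of a replica NSS DB that has the CA
# certs but no Server-Cert (modelled on the listing in the thread).
SAMPLE_CERTUTIL='Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

CN=something-PAPRIKA-CA,DC=something,DC=local CT,C,C
SOMETHING.BE IPA CA                           CT,C,C'

# Constructed sample: the certmonger line from the replica install log.
SAMPLE_LOG="2016-11-29T10:29:42Z DEBUG certmonger request is in state dbus.String(u'CA_UNREACHABLE', variant_level=1)"

# nssdb_has_nick NICK: reads `certutil -L` output on stdin, exits 0 if NICK is listed.
# Nicknames start the line and are followed by whitespace and the trust flags.
nssdb_has_nick() {
    grep -q "^$1[[:space:]]"
}

# certmonger_state: reads install-log lines on stdin, prints the last
# "certmonger request is in state dbus.String(u'...')" state seen.
certmonger_state() {
    sed -n "s/.*certmonger request is in state dbus\.String(u'\([A-Z_]*\)'.*/\1/p" | tail -n 1
}

# ca_reachable MASTER: live check that Dogtag on MASTER answers its status URL
# (assumed default: https://MASTER:8443/ca/admin/ca/getStatus).
ca_reachable() {
    curl -sSf --max-time 10 -o /dev/null "https://$1:8443/ca/admin/ca/getStatus"
}

# triage NSSDB_DIR MASTER: run the live checks on a replica.
triage() {
    if certutil -d "$1" -L | nssdb_has_nick Server-Cert; then
        echo "Server-Cert present in $1"
    else
        echo "Server-Cert MISSING in $1: dirsrv cannot enable TLS"
    fi
    state=$(certmonger_state < /var/log/ipareplica-install.log)
    echo "last certmonger state in install log: ${state:-unknown}"
    if ca_reachable "$2"; then
        echo "Dogtag on $2 reachable"
    else
        echo "Dogtag on $2 NOT reachable on 8443; expect CA_UNREACHABLE"
    fi
}

if [ $# -eq 2 ]; then triage "$1" "$2"; fi
```

Run as `sh triage.sh /etc/dirsrv/slapd-SOMETHING-BE master.example.test` on the replica; a missing `Server-Cert` together with `CA_UNREACHABLE` points at the CA on the master rather than at the NSS database itself.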