Hi,

The Pki service is running and I cannot find any issues with it.  I can run
a curl request to the master hostname on port 8443 and communication works
fine.
Any other idea why this replica install code would fail and log
CA_UNREACHABLE?

Regards,

David


2016-11-29 22:16 GMT+01:00 Florence Blanc-Renaud <f...@redhat.com>:

> On 11/29/2016 03:19 PM, David Dejaeghere wrote:
>
>> Can you give me a couple of test commands?
>> I am not familiar with Dogtag.
>>
>> Hi,
>
> To reproduce the issue:
> 1. install IPA server
> 2. On the replica, run ipa-client-install
> 3. On the server, stop dogtag with
> $ systemctl stop pki-tomcatd@pki-tomcat.service
> 4. On the replica, run ipa-replica-install
>
> When you want to restart dogtag, you can run
> $ systemctl start pki-tomcatd@pki-tomcat.service
>
> If you want to check if dogtag is running:
> $ systemctl status pki-tomcatd@pki-tomcat.service
>
> You may find more information on Dogtag here:
> http://pki.fedoraproject.org/wiki/PKI_Main_Page
> http://pki.fedoraproject.org/wiki/IPA
> http://pki.fedoraproject.org/wiki/Debugging_the_state_of_dog
> tag_in_an_ipa_install
>
> Flo
>
> Groeten,
>>
>> David
>>
>> 2016-11-29 14:57 GMT+01:00 David Kupka <dku...@redhat.com
>> <mailto:dku...@redhat.com>>:
>>
>>     On 29/11/16 13:55, David Dejaeghere wrote:
>>
>>         Correct.  Same symptoms.
>>
>>         2016-11-29T10:29:42Z DEBUG certmonger request is in state
>>         dbus.String(u'CA_UNREACHABLE', variant_level=1)
>>
>>         Fedora 24 Server
>>
>>         [root@ns02 ~]# dnf history userinstalled
>>         Packages installed by user
>>         freeipa-client-4.3.2-2.fc24.x86_64
>>         freeipa-server-4.3.2-2.fc24.x86_64
>>         grub2-1:2.02-0.34.fc24.x86_64
>>         kernel-4.5.5-300.fc24.x86_64
>>         kernel-4.8.8-200.fc24.x86_64
>>         lvm2-2.02.150-2.fc24.x86_64
>>         xfsprogs-4.5.0-2.fc24.x86_64
>>
>>
>>     Ok. I've reproduced it by simply stopping dogtag on FreeIPA server
>>     while installing the replica. I see the exactly same errors as
>>     you've reported and are described in the ticket, now.
>>
>>     Is dogtag running on your master? Is in responding (e.g. issuing
>>     certificates for users)? Is it accessible from the replica?
>>
>>
>>
>>         2016-11-29 13:41 GMT+01:00 Petr Vobornik <pvobo...@redhat.com
>>         <mailto:pvobo...@redhat.com>>:
>>
>>
>>             On 11/29/2016 12:43 PM, David Kupka wrote:
>>
>>                 On 29/11/16 12:15, David Dejaeghere wrote:
>>
>>                     Seems like it is but it does not show a server cert
>>                     for dirsrv
>>
>>                     [root@ns02 ~]# ls -lZ /etc/dirsrv/slapd-SOMETHING-BE/
>>                     total 468
>>                     -rw-------. 1 dirsrv root
>>                      unconfined_u:object_r:dirsrv_config_t:s0
>>                     65536
>>                     Nov 29 11:29 cert8.db
>>                     -rw-rw----. 1 dirsrv dirsrv
>>                     unconfined_u:object_r:dirsrv_config_t:s0
>>                     65536
>>                     Nov 29 11:29 cert8.db.orig
>>                     -r--r-----. 1 dirsrv dirsrv
>>                     unconfined_u:object_r:dirsrv_config_t:s0
>>                     1623
>>                     Nov 29 11:29 certmap.conf
>>                     -rw-------. 1 dirsrv dirsrv
>>                     system_u:object_r:dirsrv_config_t:s0
>>                     89977
>>                     Nov 29 11:29 dse.ldif
>>                     -rw-------. 2 dirsrv dirsrv
>>                     system_u:object_r:dirsrv_config_t:s0
>>                     89977
>>                     Nov 29 11:29 dse.ldif.bak
>>                     -rw-------. 2 dirsrv dirsrv
>>                     system_u:object_r:dirsrv_config_t:s0
>>                     89977
>>                     Nov 29 11:29 dse.ldif.startOK
>>                     -r--r-----. 1 dirsrv dirsrv
>>                     unconfined_u:object_r:dirsrv_config_t:s0
>>                     36228
>>                     Nov 29 11:28 dse_original.ldif
>>                     -rw-------. 1 dirsrv root
>>                      unconfined_u:object_r:dirsrv_config_t:s0
>>                     16384
>>                     Nov 29 11:29 key3.db
>>                     -rw-rw----. 1 dirsrv dirsrv
>>                     unconfined_u:object_r:dirsrv_config_t:s0
>>                     16384
>>                     Nov 29 11:29 key3.db.orig
>>                     -r--------. 1 dirsrv dirsrv
>>                     unconfined_u:object_r:dirsrv_config_t:s0    66
>>                     Nov 29 11:29 pin.txt
>>                     -rw-------. 1 dirsrv dirsrv
>>                     unconfined_u:object_r:dirsrv_config_t:s0    40
>>                     Nov 29 11:29 pwdfile.txt
>>                     drwxrwx---. 2 dirsrv dirsrv
>>                     unconfined_u:object_r:dirsrv_config_t:s0
>>                     4096
>>                     Nov 29 11:29 schema
>>                     -rw-------. 1 dirsrv root
>>                      unconfined_u:object_r:dirsrv_config_t:s0
>>                     16384
>>                     Nov 29 11:29 secmod.db
>>                     -rw-rw----. 1 dirsrv dirsrv
>>                     unconfined_u:object_r:dirsrv_config_t:s0
>>                     16384
>>                     Nov 29 11:29 secmod.db.orig
>>                     -r--r-----. 1 dirsrv dirsrv
>>                     unconfined_u:object_r:dirsrv_config_t:s0
>>                     15142
>>                     Nov 29 11:28 slapd-collations.conf
>>
>>                     [root@ns02 ~]# certutil -d
>>                     /etc/dirsrv/slapd-SOMETHING-BE -L
>>
>>                     Certificate Nickname
>>                              Trust
>>                     Attributes
>>
>>                      SSL,S/MIME,JAR/XPI
>>
>>                     CN=something-PAPRIKA-CA,DC=something,DC=local
>>                     CT,C,C
>>                     SOMETHING.BE <http://SOMETHING.BE> IPA CA
>>                                                  CT,C,C
>>                     [root@ns02 ~]# certutil -d
>>                     /etc/dirsrv/slapd-SOMETHING-BE -L
>>
>>                     Certificate Nickname
>>                              Trust
>>                     Attributes
>>
>>                      SSL,S/MIME,JAR/XPI
>>
>>                     CN=something-PAPRIKA-CA,DC=something,DC=local
>>                     CT,C,C
>>                     SOMETHING.BE <http://SOMETHING.BE> IPA CA
>>                                                  CT,C,C
>>
>>                     [root@ns02 ~]# ausearch -m avc -i
>>                     <no matches>
>>
>>
>>
>>                 Exactly, the NSSDB should be accessible to dirsrv and is
>>                 missing the
>>                 Server-Cert but I don't understand why there's "bad
>>                 database" error in
>>                 the errors log. I'll try to reproduce it. What version
>>                 of FreeIPA are
>>                 you using? On what system?
>>
>>
>>             Right.
>>
>>             Seems bit similar to
>>             https://fedorahosted.org/freeipa/ticket/6514
>>             <https://fedorahosted.org/freeipa/ticket/6514> would
>>             be good to check if it has the same symptoms, mainly
>>               certmonger request is in state
>> dbus.String(u'CA_UNREACHABLE',
>>             variant_level=1)
>>
>>             in replica install log.
>>
>>
>>
>>
>>                     2016-11-29 12:09 GMT+01:00 David Kupka
>>                     <dku...@redhat.com <mailto:dku...@redhat.com>>:
>>
>>
>>                         On 29/11/16 11:51, David Dejaeghere wrote:
>>
>>                             Hi,
>>
>>                             I have a setup where i want to add a
>>                             replica.  The first master
>>                             setup has
>>                             an externally signed cert for dirsrv and
>>                             httpd.  The replica is
>>                             prepapred
>>                             succesfully with ipa-client-install but the
>>                             replica install then keeps
>>                             failing.  It seems that during install
>>                             dirserv is not configured
>>                             correctly
>>                             with a valid server certificate. Output from
>>                             the dirsrv error added to
>>                             this
>>                             email as well.
>>
>>                             [root@ns02 ~]# ipa-replica-install --setup-ca
>>                             WARNING: conflicting time&date
>>                             synchronization service 'chronyd' will
>>                             be disabled in favor of ntpd
>>
>>                             Run connection check to master
>>                             Connection check OK
>>                             Configuring NTP daemon (ntpd)
>>                               [1/4]: stopping ntpd
>>                               [2/4]: writing configuration
>>                               [3/4]: configuring ntpd to start on boot
>>                               [4/4]: starting ntpd
>>                             Done configuring NTP daemon (ntpd).
>>                             Configuring directory server (dirsrv).
>>                             Estimated time: 1 minute
>>                               [1/43]: creating directory server user
>>                               [2/43]: creating directory server instance
>>                               [3/43]: restarting directory server
>>                               [4/43]: adding default schema
>>                               [5/43]: enabling memberof plugin
>>                               [6/43]: enabling winsync plugin
>>                               [7/43]: configuring replication version
>> plugin
>>                               [8/43]: enabling IPA enrollment plugin
>>                               [9/43]: enabling ldapi
>>                               [10/43]: configuring uniqueness plugin
>>                               [11/43]: configuring uuid plugin
>>                               [12/43]: configuring modrdn plugin
>>                               [13/43]: configuring DNS plugin
>>                               [14/43]: enabling entryUSN plugin
>>                               [15/43]: configuring lockout plugin
>>                               [16/43]: configuring topology plugin
>>                               [17/43]: creating indices
>>                               [18/43]: enabling referential integrity
>> plugin
>>                               [19/43]: configuring certmap.conf
>>                               [20/43]: configure autobind for root
>>                               [21/43]: configure new location for
>>                             managed entries
>>                               [22/43]: configure dirsrv ccache
>>                               [23/43]: enabling SASL mapping fallback
>>                               [24/43]: restarting directory server
>>                               [25/43]: creating DS keytab
>>                               [26/43]: retrieving DS Certificate
>>                               [27/43]: restarting directory server
>>                             ipa         : CRITICAL Failed to restart the
>>                             directory server (Command
>>                             '/bin/systemctl restart
>>                             dirsrv@SOMETHING-BE.service' returned
>>
>>             non-zero
>>
>>                             exit
>>                             status 1). See the installation log for
>> details.
>>                               [28/43]: setting up initial replication
>>                               [error] error: [Errno 111] Connection
>> refused
>>                             Your system may be partly configured.
>>                             Run /usr/sbin/ipa-server-install --uninstall
>>                             to clean up.
>>
>>
>>                             [29/Nov/2016:11:29:44.034285579 +0100] SSL
>>                             alert: Security
>>                             Initialization:
>>                             Can't find certificate (Server-Cert) for
>> family
>>                             cn=RSA,cn=encryption,cn=config (Netscape
>>                             Portable Runtime error -8174
>>
>>             -
>>
>>                             security library: bad database.)
>>                             [29/Nov/2016:11:29:44.045039728 +0100] SSL
>>                             alert: Security
>>                             Initialization:
>>                             Unable to retrieve private key for cert
>>                             Server-Cert of family
>>                             cn=RSA,cn=encryption,cn=config (Netscape
>>                             Portable Runtime error -8174
>>
>>             -
>>
>>                             security library: bad database.)
>>
>>
>>
>>
>>                         Hello David,
>>
>>                         The error from the log indicates that either the
>>                         NSSDB for dirsrv is
>>
>>             not
>>
>>                         initialized or not accessible.
>>
>>                         Could you please send output of the following
>>                         commands?
>>
>>                         # ls -lZ /etc/dirsrv/slapd-$REALM/
>>                         # certutil -d /etc/dirsrv/slapd-$REALM/ -L
>>                         # ausearch -m avc -i
>>
>>
>>                         --
>>                         David Kupka
>>
>>
>>
>>             --
>>             Petr Vobornik
>>
>>
>>
>>
>>     --
>>     David Kupka
>>
>>
>>
>>
>>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to