On Thu, 22 Dec 2016 16:48:10 -0500 Robert wrote:

RS> I tried to create a replica. It went well for the directory server, but
RS> then:
RS>
RS> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30
RS> seconds [1/27]: creating certificate server user
RS> [2/27]: configuring certificate server instance
RS> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure
RS> CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpqYyqJJ' returned
RS> non-zero exit status 1 ipa.ipaserver.install.cainstance.CAInstance:
RS> CRITICAL See the installation logs and the following files/directories for
RS> more information: ipa.ipaserver.install.cainstance.CAInstance:
RS> CRITICAL /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration
RS> failed.
RS> [...]
RS> So this looks like the culprit:
RS>
RS> [22/Dec/2016:16:07:48][http-bio-8443-exec-3]: updateNumberRange: Failed to contact master using admin portjavax.ws.rs.InternalServerErrorException: HTTP 500 Internal Server Error

So eventually I found proxy errors like this in a logfile:

proxy_ajp:error (70007)The timeout specified has expired:

I added large timeouts to /etc/httpd/conf.d/ipa-pki-proxy.conf

Timeout 900
ProxyTimeout 900

This allowed my replica install to complete. However, when I logged in to the new replica, I was getting the same long timeout trying to load users. The error log had this:

[Fri Dec 23 00:50:39.206858 2016] [proxy_ajp:error] [pid 31182] [client 10.71.10.118:49784] AH00896: failed to make connection to backend: localhost

This started ringing a little bell in my head about localhost and ipv4 vs ipv6. I disabled ipv6 in /etc/sysctl.conf, and voila, users load in less than 5 seconds instead of 5 minutes or timing out.

Hopefully this will also resolve the other weirdness I've been seeing. I'm keeping my fingers crossed.

Robert

--
Senior Software Engineer @ Parsons

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
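
Added example, not part of the original post or of FreeIPA's own tooling: a small probe for the "failed to make connection to backend: localhost" symptom above, which tries a TCP connect to every IPv4 and IPv6 address a name resolves to and reports which ones answer. The function names are hypothetical, and the default port 8009 (the conventional AJP connector port) is an assumption, since the post does not name the backend port.

```python
import socket
import sys
import time

FAMILY_NAMES = {socket.AF_INET: "IPv4", socket.AF_INET6: "IPv6"}


def probe_backend(host, port, timeout=3.0):
    """Attempt a TCP connect to every IPv4/IPv6 address `host` resolves to."""
    results, seen = [], set()
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    for family, _type, _proto, _canon, sockaddr in infos:
        if family not in FAMILY_NAMES or sockaddr[0] in seen:
            continue
        seen.add(sockaddr[0])
        error = None
        start = time.monotonic()
        try:
            with socket.socket(family, socket.SOCK_STREAM) as sock:
                sock.settimeout(timeout)
                sock.connect(sockaddr)
        except OSError as exc:  # refused, unreachable, or timed out
            error = str(exc) or type(exc).__name__
        results.append({
            "family": FAMILY_NAMES[family],
            "address": sockaddr[0],
            "ok": error is None,
            "seconds": round(time.monotonic() - start, 3),
            "error": error,
        })
    return results


def mismatched(results):
    """True when some resolved addresses accept connections and others fail."""
    return {r["ok"] for r in results} == {True, False}


if __name__ == "__main__":
    # Defaults are assumptions: the post names "localhost" but not the port;
    # 8009 is the conventional AJP connector port.
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8009
    found = probe_backend(host, port)
    for r in found:
        state = "ok" if r["ok"] else "FAILED (%s)" % r["error"]
        print("%-4s %-15s %6.3fs  %s" % (r["family"], r["address"], r["seconds"], state))
    if mismatched(found):
        print("%s answers on only some of its addresses" % host)
```

A result where one address family connects and the other is refused or times out points to a listener bound to only one family, which is worth checking before raising proxy timeouts.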
