On Thu, 22 Dec 2016 16:48:10 -0500 Robert wrote:
RS> I tried to create a replica. It went well for the directory server, but
RS> then:
RS> 
RS> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30
RS> seconds [1/27]: creating certificate server user
RS>   [2/27]: configuring certificate server instance
RS> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure
RS> CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpqYyqJJ' returned
RS> non-zero exit status 1 ipa.ipaserver.install.cainstance.CAInstance:
RS> CRITICAL See the installation logs and the following files/directories for
RS> more information: ipa.ipaserver.install.cainstance.CAInstance:
RS> CRITICAL   /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration
RS> failed.
RS> [...]
RS> So this looks like the culprit:
RS> 
RS> [22/Dec/2016:16:07:48][http-bio-8443-exec-3]: updateNumberRange: Failed to 
contact master using admin portjavax.ws.rs.InternalServerErrorException: HTTP 
500 Internal Server Error

So eventually I found proxy errors like this in a logfile:

  proxy_ajp:error (70007)The timeout specified has expired:

I added large timeouts to /etc/httpd/conf.d/ipa-pki-proxy.conf

 Timeout 900
 ProxyTimeout 900

This allowed my replica install to complete. However, when I logged in to
the new replica, I was getting the same long timeout trying to load users.
The error log had this:

[Fri Dec 23 00:50:39.206858 2016] [proxy_ajp:error] [pid 31182]
[client 10.71.10.118:49784] AH00896: failed to make connection to backend: 
localhost

This started ringing a little bell in my head about localhost and ipv4 vs
ipv6. I disabled ipv6 in /etc/sysctl.conf, and voila, users load in less
than 5 seconds instead of 5 minutes or timing out.

Hopefully this will also resolve the other weirdness I've been seeing. I'm
keeping my fingers crossed.


Robert

-- 
Senior Software Engineer @ Parsons

Attachment: pgpqGB0jo68SB.pgp
Description: OpenPGP digital signature

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to