Hello Flo,

Thanks for your response. I ran that command and I seem to have a different problem (connectors are defined as you indicated):

[tiemen@copernicum ~]$ sudo getcert list -d /etc/dirsrv/slapd-IPA-RDMEDIA-COM/
[sudo] password for tiemen:
Number of certificates and requests being tracked: 2.
Request ID '20170217130857':
        status: CA_UNREACHABLE
        ca-error: Server at https://moscovium.ipa.rdmedia.com/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: FAILURE (*CA not found: 1ba8130c-56b8-4bd9-ae8a-8b0333d71b80*)).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-RDMEDIA-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-RDMEDIA-COM//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-RDMEDIA-COM',nickname='Server-Cert'
        CA: IPA
        issuer:
        subject:
        expires: unknown
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

On 20 February 2017 at 09:28, Florence Blanc-Renaud <[email protected]> wrote:

> On 02/17/2017 10:36 AM, Tiemen Ruiten wrote:
>
>> I went through that bugreport, particularly this section...
>>
>> OK, I think I found the error. On the logs I get something like this
>> *before* the failing dirsrv restart:
>>
>> 2017-01-14T03:41:28Z DEBUG [27/44]: retrieving DS Certificate
>> 2017-01-14T03:41:28Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
>> 2017-01-14T03:41:28Z DEBUG Starting external process
>> 2017-01-14T03:41:28Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n EXAMPLE.COM IPA CA -a
>> 2017-01-14T03:41:28Z DEBUG Process finished, return code=255
>> 2017-01-14T03:41:28Z DEBUG stdout=
>> 2017-01-14T03:41:28Z DEBUG stderr=certutil: Could not find cert: EXAMPLE.COM IPA CA
>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>
>
> Hi,
>
> this error shows that the server certificate for the LDAP server is not
> present in the NSS database. I am pretty sure that if you run
> $ getcert list -d /etc/dirsrv/slapd-DOMAIN
> you will get an error like this one:
> status: CA_UNREACHABLE
> ca-error: Server at https://ipa.EXAMPLE.COM/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (503)).
>
> Make sure that the file /etc/pki/pki-tomcat/server.xml (on all the
> masters) defines the AJP connector like this:
> <Connector port="8009"
>            protocol="AJP/1.3"
>            redirectPort="8443"
>            address="localhost" />
> and that the /etc/hosts file (on all the masters) properly defines
> localhost:
> 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
> ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
> Then restart the PKI service on the masters:
> systemctl stop pki-tomcatd@pki-tomcat.service
>
> After this, you should be able to re-run ipa-replica-install without any
> problem.
> HTH,
> Flo.
>
>> So, when the process stopped, I ran the command again:
>>
>> # /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n EXAMPLE.COM IPA CA -a
>> certutil: Could not find cert: EXAMPLE.COM
>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>
>> and thought "wait... something is missing there":
>>
>> # /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n "EXAMPLE.COM IPA CA" -a
>> -----BEGIN CERTIFICATE-----
>> <strip>
>> -----END CERTIFICATE-----
>>
>> So, could this be the problem?
>>
>> ...and indeed when I run
>>
>> [tiemen@copernicum ipapython]$ sudo /usr/bin/certutil -d /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n IPA.RDMEDIA.COM IPA CA -a
>> [sudo] password for tiemen:
>> certutil: Could not find cert: IPA.RDMEDIA.COM
>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>
>> and when I run
>>
>> [tiemen@copernicum ipapython]$ sudo /usr/bin/certutil -d /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n "IPA.RDMEDIA.COM IPA CA" -a
>> -----BEGIN CERTIFICATE-----
>> <snip>
>> -----END CERTIFICATE-----
>>
>> valid certificate output. Where can I change this command to quote this
>> string?
>>
>> On 16 February 2017 at 17:29, Jeff Goddard <[email protected]> wrote:
>>
>>> Might be another instance of this:
>>> https://fedorahosted.org/freeipa/ticket/6613
>>>
>>> Jeff
>>>
>>> On Thu, Feb 16, 2017 at 11:21 AM, Tiemen Ruiten <[email protected]> wrote:
>>>
>>>> Hello,
>>>>
>>>> I'm trying to add a third replica to a FreeIPA 4.4 domain (level 1),
>>>> but I'm getting this error:
>>>>
>>>> [tiemen@copernicum ~]$ sudo ipa-replica-install -P admin -w "XXXXXXXXXX" --mkhomedir --setup-dns --forwarder 8.8.8.8 --forwarder 8.8.4.4
>>>> Checking DNS forwarders, please wait ...
>>>> Run connection check to master
>>>> Connection check OK
>>>> Configuring NTP daemon (ntpd)
>>>>   [1/4]: stopping ntpd
>>>>   [2/4]: writing configuration
>>>>   [3/4]: configuring ntpd to start on boot
>>>>   [4/4]: starting ntpd
>>>> Done configuring NTP daemon (ntpd).
>>>> Configuring directory server (dirsrv). Estimated time: 1 minute
>>>>   [1/44]: creating directory server user
>>>>   [2/44]: creating directory server instance
>>>>   [3/44]: updating configuration in dse.ldif
>>>>   [4/44]: restarting directory server
>>>>   [5/44]: adding default schema
>>>>   [6/44]: enabling memberof plugin
>>>>   [7/44]: enabling winsync plugin
>>>>   [8/44]: configuring replication version plugin
>>>>   [9/44]: enabling IPA enrollment plugin
>>>>   [10/44]: enabling ldapi
>>>>   [11/44]: configuring uniqueness plugin
>>>>   [12/44]: configuring uuid plugin
>>>>   [13/44]: configuring modrdn plugin
>>>>   [14/44]: configuring DNS plugin
>>>>   [15/44]: enabling entryUSN plugin
>>>>   [16/44]: configuring lockout plugin
>>>>   [17/44]: configuring topology plugin
>>>>   [18/44]: creating indices
>>>>   [19/44]: enabling referential integrity plugin
>>>>   [20/44]: configuring certmap.conf
>>>>   [21/44]: configure autobind for root
>>>>   [22/44]: configure new location for managed entries
>>>>   [23/44]: configure dirsrv ccache
>>>>   [24/44]: enabling SASL mapping fallback
>>>>   [25/44]: restarting directory server
>>>>   [26/44]: creating DS keytab
>>>>   [27/44]: retrieving DS Certificate
>>>>   [28/44]: restarting directory server
>>>> ipa         : CRITICAL Failed to restart the directory server (Command '/bin/systemctl restart dirsrv@IPA-RDMEDIA-COM.service' returned non-zero exit status 1). See the installation log for details.
>>>>   [29/44]: setting up initial replication
>>>>   [error] error: [Errno 111] Connection refused
>>>> Your system may be partly configured.
>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR    [Errno 111] Connection refused
>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>>>>
>>>> In /var/log/ipareplica-install.log we find:
>>>>
>>>> 2017-02-16T15:53:59Z DEBUG   [27/44]: retrieving DS Certificate
>>>> 2017-02-16T15:53:59Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
>>>> 2017-02-16T15:53:59Z DEBUG Starting external process
>>>> 2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n IPA.RDMEDIA.COM IPA CA -a
>>>> 2017-02-16T15:53:59Z DEBUG Process finished, return code=255
>>>> 2017-02-16T15:53:59Z DEBUG stdout=
>>>> *2017-02-16T15:53:59Z DEBUG stderr=certutil: Could not find cert: IPA.RDMEDIA.COM IPA CA
>>>> : PR_FILE_NOT_FOUND_ERROR: File not found*
>>>> 2017-02-16T15:53:59Z DEBUG Starting external process
>>>> 2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -N -f /etc/dirsrv/slapd-IPA-RDMEDIA-COM//pwdfile.txt
>>>> 2017-02-16T15:53:59Z DEBUG Process finished, return code=0
>>>> 2017-02-16T15:53:59Z DEBUG stdout=
>>>> 2017-02-16T15:53:59Z DEBUG stderr=
>>>> 2017-02-16T15:53:59Z DEBUG Starting external process
>>>> 2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -A -n IPA.RDMEDIA.COM IPA CA -t CT,C,C -a
>>>> 2017-02-16T15:53:59Z DEBUG Process finished, return code=0
>>>> 2017-02-16T15:53:59Z DEBUG stdout=
>>>> 2017-02-16T15:53:59Z DEBUG stderr=
>>>> 2017-02-16T15:53:59Z DEBUG certmonger request is in state dbus.String(u'NEWLY_ADDED_READING_KEYINFO', variant_level=1)
>>>> 2017-02-16T15:54:04Z DEBUG certmonger request is in state dbus.String(u'CA_UNREACHABLE', variant_level=1)
>>>> 2017-02-16T15:54:04Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-IPA-RDMEDIA-COM.socket from SchemaCache
>>>> 2017-02-16T15:54:04Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-IPA-RDMEDIA-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x74efd40>
>>>> 2017-02-16T15:54:05Z DEBUG   duration: 5 seconds
>>>> 2017-02-16T15:54:05Z DEBUG   [28/44]: restarting directory server
>>>> 2017-02-16T15:54:05Z DEBUG Starting external process
>>>> 2017-02-16T15:54:05Z DEBUG args=/bin/systemctl --system daemon-reload
>>>> 2017-02-16T15:54:05Z DEBUG Process finished, return code=0
>>>> 2017-02-16T15:54:05Z DEBUG stdout=
>>>> 2017-02-16T15:54:05Z DEBUG stderr=
>>>> 2017-02-16T15:54:05Z DEBUG Starting external process
>>>> 2017-02-16T15:54:05Z DEBUG args=/bin/systemctl restart dirsrv@IPA-RDMEDIA-COM.service
>>>> 2017-02-16T15:54:06Z DEBUG Process finished, return code=1
>>>> 2017-02-16T15:54:06Z DEBUG stdout=
>>>> 2017-02-16T15:54:06Z DEBUG stderr=Job for dirsrv@IPA-RDMEDIA-COM.service failed because the control process exited with error code. See "systemctl status dirsrv@IPA-RDMEDIA-COM.service" and "journalctl -xe" for details.
>>>> 2017-02-16T15:54:06Z CRITICAL Failed to restart the directory server (Command '/bin/systemctl restart dirsrv@IPA-RDMEDIA-COM.service' returned non-zero exit status 1). See the installation log for details.
>>>> 2017-02-16T15:54:06Z DEBUG   duration: 1 seconds
>>>> 2017-02-16T15:54:06Z DEBUG   [29/44]: setting up initial replication
>>>> 2017-02-16T15:54:16Z DEBUG Traceback (most recent call last):
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
>>>>     run_step(full_msg, method)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
>>>>     method()
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 405, in __setup_replica
>>>>     self.dm_password)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 118, in enable_replication_version_checking
>>>>     conn.do_simple_bind(bindpw=dirman_passwd)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1665, in do_simple_bind
>>>>     self.__bind_with_wait(self.simple_bind, timeout, binddn, bindpw)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1660, in __bind_with_wait
>>>>     self.__wait_for_connection(timeout)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1643, in __wait_for_connection
>>>>     wait_for_open_socket(lurl.hostport, timeout)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1286, in wait_for_open_socket
>>>>     raise e
>>>> error: [Errno 111] Connection refused
>>>> 2017-02-16T15:54:16Z DEBUG   [error] error: [Errno 111] Connection refused
>>>> 2017-02-16T15:54:16Z DEBUG Destroyed connection context.ldap2_78478480
>>>> 2017-02-16T15:54:16Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>>>     return_value = self.run()
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run
>>>>     cfgr.run()
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 310, in run
>>>>     self.execute()
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in execute
>>>>     for nothing in self._executor():
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
>>>>     self._handle_exception(exc_info)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
>>>>     six.reraise(*exc_info)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
>>>>     step()
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
>>>>     step = lambda: next(self.__gen)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
>>>>     six.reraise(*exc_info)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
>>>>     value = gen.send(prev_value)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 586, in _configure
>>>>     next(executor)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
>>>>     self._handle_exception(exc_info)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449, in _handle_exception
>>>>     self.__parent._handle_exception(exc_info)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
>>>>     six.reraise(*exc_info)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception
>>>>     super(ComponentBase, self)._handle_exception(exc_info)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
>>>>     six.reraise(*exc_info)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
>>>>     step()
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
>>>>     step = lambda: next(self.__gen)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
>>>>     six.reraise(*exc_info)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
>>>>     value = gen.send(prev_value)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
>>>>     for nothing in self._installer(self.parent):
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1714, in main
>>>>     promote(self)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 364, in decorated
>>>>     func(installer)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1415, in promote
>>>>     promote=True, pkcs12_info=dirsrv_pkcs12_info)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 127, in install_replica_ds
>>>>     api=remote_api,
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 399, in create_replica
>>>>     self.start_creation(runtime=60)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
>>>>     run_step(full_msg, method)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
>>>>     method()
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 405, in __setup_replica
>>>>     self.dm_password)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 118, in enable_replication_version_checking
>>>>     conn.do_simple_bind(bindpw=dirman_passwd)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1665, in do_simple_bind
>>>>     self.__bind_with_wait(self.simple_bind, timeout, binddn, bindpw)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1660, in __bind_with_wait
>>>>     self.__wait_for_connection(timeout)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1643, in __wait_for_connection
>>>>     wait_for_open_socket(lurl.hostport, timeout)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1286, in wait_for_open_socket
>>>>     raise e
>>>> 2017-02-16T15:54:16Z DEBUG The ipa-replica-install command failed, exception: error: [Errno 111] Connection refused
>>>> 2017-02-16T15:54:16Z ERROR [Errno 111] Connection refused
>>>> 2017-02-16T15:54:16Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>>>>
>>>> How can I troubleshoot this?
>>>>
>>>> --
>>>> Tiemen Ruiten
>>>> Systems Engineer
>>>> R&D Media
>>>>
>>>> --
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project
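Two things in this thread are worth having in script form when chasing a replica install like this: reading `getcert list` output to find the request that is stuck in CA_UNREACHABLE (and the CA id certmonger says it cannot find), and seeing why a nickname such as "IPA.RDMEDIA.COM IPA CA" only works when it reaches certutil as a single argument, which is what the quoted and unquoted certutil runs above show. The following is an added example, not FreeIPA, certmonger or NSS code. The `getcert list` text it parses is constructed here from the output quoted in the thread, the second request in it is invented to show a healthy entry, and the function names are the example's own.

```python
"""Added example (not FreeIPA's or certmonger's own code): triage
`getcert list` output for a directory-server NSS database, and show why a
multi-word NSS nickname such as "IPA.RDMEDIA.COM IPA CA" must reach
certutil as ONE argv element."""
import re
import shlex

# Constructed sample, modelled on the `getcert list` output quoted in the
# thread. The second request is invented to show what a healthy entry looks like.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20170217130857':
        status: CA_UNREACHABLE
        ca-error: Server at https://moscovium.ipa.rdmedia.com/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: FAILURE (CA not found: 1ba8130c-56b8-4bd9-ae8a-8b0333d71b80)).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-RDMEDIA-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-RDMEDIA-COM//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-RDMEDIA-COM',nickname='Server-Cert'
        CA: IPA
        issuer:
        subject:
        expires: unknown
        track: yes
        auto-renew: yes
Request ID '20170217130900':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
        CA: IPA
        issuer: CN=Certificate Authority,O=IPA.RDMEDIA.COM
        subject: CN=copernicum.ipa.rdmedia.com,O=IPA.RDMEDIA.COM
        expires: 2019-02-17 13:09:00 UTC
        track: yes
        auto-renew: yes
"""

# certmonger states that need no attention; everything else is reported.
HEALTHY_STATES = {"MONITORING"}


def parse_getcert_list(text):
    """Split `getcert list` output into one dict per tracked request.

    Each indented 'key: value' line is stored under its key. Only the FIRST
    colon separates key from value, so URLs inside ca-error stay intact."""
    requests = []
    current = None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue  # header line before the first request, or blank
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    return requests


def unhealthy_requests(requests):
    """Return (id, status, ca-error) for every request not in a healthy state."""
    return [
        (r["id"], r.get("status", "UNKNOWN"), r.get("ca-error", ""))
        for r in requests
        if r.get("status") not in HEALTHY_STATES
    ]


def missing_ca_id(ca_error):
    """Pull the CA identifier out of a 'CA not found: <id>' error, else None."""
    m = re.search(r"CA not found:\s*([0-9a-f-]{36})", ca_error)
    return m.group(1) if m else None


def certutil_list_argv(dbdir, nickname):
    """argv for `certutil -L` that keeps the nickname as ONE element, which is
    how a list-based subprocess call passes it (no shell involved)."""
    return ["/usr/bin/certutil", "-d", dbdir, "-L", "-n", nickname, "-a"]


def shell_split_argv(argv):
    """What happens when the argv is joined with spaces (the form the install
    log prints) and typed into a shell unquoted: the nickname falls apart."""
    return shlex.split(" ".join(argv))


if __name__ == "__main__":
    for req_id, status, err in unhealthy_requests(parse_getcert_list(SAMPLE_GETCERT_OUTPUT)):
        print(req_id, status, err)
        ca = missing_ca_id(err)
        if ca:
            print("  certmonger cannot find CA", ca, "- compare with `getcert list-cas`")
    argv = certutil_list_argv("/etc/dirsrv/slapd-IPA-RDMEDIA-COM/", "IPA.RDMEDIA.COM IPA CA")
    print(len(argv), "args as a list;", len(shell_split_argv(argv)), "after shell word splitting")
```

The argv comparison is the point of the quoted-versus-unquoted certutil runs in the thread: the installer log prints its argument list joined by spaces, so a line that looks unquoted there does not by itself mean the nickname was split when the installer ran it; retyping that printed line into a shell without quotes does split it, and the "Could not find cert" that follows is then an artefact of the retyping rather than of the NSS database.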
