Hello Flo,

Thanks for your response. I ran that command and I seem to have a different
problem (connectors are defined as you indicated):

[tiemen@copernicum ~]$ sudo getcert list -d
> /etc/dirsrv/slapd-IPA-RDMEDIA-COM/
> [sudo] password for tiemen:
> Number of certificates and requests being tracked: 2.
> Request ID '20170217130857':
> status: CA_UNREACHABLE
> ca-error: Server at https://moscovium.ipa.rdmedia.com/ipa/xml failed
> request, will retry: 4301 (RPC failed at server.  Certificate operation
> cannot be completed: FAILURE (*CA not found:
> 1ba8130c-56b8-4bd9-ae8a-8b0333d71b80*)).
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-IPA-RDMEDIA-COM',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-RDMEDIA-COM//pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-IPA-RDMEDIA-COM',nickname='Server-Cert'
> CA: IPA
> issuer:
> subject:
> expires: unknown
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes







On 20 February 2017 at 09:28, Florence Blanc-Renaud <f...@redhat.com> wrote:

> On 02/17/2017 10:36 AM, Tiemen Ruiten wrote:
>
>> I went through that bugreport, particularly this section...
>>
>> OK, I think I found the error. On the logs I get something like this
>> *before* the failing dirsrv restart:
>>
>> 2017-01-14T03:41:28Z DEBUG   [27/44]: retrieving DS Certificate
>> 2017-01-14T03:41:28Z DEBUG Loading Index file from
>> '/var/lib/ipa/sysrestore/sysrestore.index'
>> 2017-01-14T03:41:28Z DEBUG Starting external process
>> 2017-01-14T03:41:28Z DEBUG args=/usr/bin/certutil -d
>> /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n EXAMPLE.COM <http://EXAMPLE.COM>
>> IPA CA -a
>> 2017-01-14T03:41:28Z DEBUG Process finished, return code=255
>> 2017-01-14T03:41:28Z DEBUG stdout=
>> 2017-01-14T03:41:28Z DEBUG stderr=certutil: Could not find cert:
>> EXAMPLE.COM <http://EXAMPLE.COM> IPA CA
>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>
>>
> Hi,
>
> this error shows that the server certificate for the LDAP server is not
> present in the NSS database. I am pretty sure that if you run
> $ getcert list -d /etc/dirsrv/slapd-DOMAIN
> you will get an error like this one:
>         status: CA_UNREACHABLE
>         ca-error: Server at https://ipa.EXAMPLE.COM/ipa/xml failed
> request, will retry: 4301 (RPC failed at server.  Certificate operation
> cannot be completed: Unable to communicate with CMS (503)).
>
> Make sure that the file /etc/pki/pki-tomcat/server.xml (on all the
> masters) defines the AJP connector like this:
>     <Connector port="8009"
>             protocol="AJP/1.3"
>             redirectPort="8443"
>             address="localhost" />
> and that the /etc/hosts file (on all the masters) properly defines
> localhost:
> 127.0.0.1   localhost localhost.localdomain localhost4
> localhost4.localdomain4
> ::1         localhost localhost.localdomain localhost6
> localhost6.localdomain6
> Then restart the PKI service on the masters:
> systemctl stop pki-tomcatd@pki-tomcat.service
>
> After this, you should be able to re-run ipa-replica-install without any
> problem.
> HTH,
> Flo.
>
> So, when the process stopped, I run the command again:
>>
>> # /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n EXAMPLE.COM <
>> http://EXAMPLE.COM> IPA CA -a
>> certutil: Could not find cert: EXAMPLE.COM <http://EXAMPLE.COM>
>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>
>> and thought "wait... something is missing there":
>>
>> # /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n "EXAMPLE.COM
>> <http://EXAMPLE.COM> IPA CA" -a
>> -----BEGIN CERTIFICATE-----
>> <strip>
>> -----END CERTIFICATE-----
>>
>> So, could this be the problem?
>>
>>
>> ...and indeed when I run
>>
>>     [tiemen@copernicum ipapython]$ sudo /usr/bin/certutil -d
>>     /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n IPA.RDMEDIA.COM
>>     <http://IPA.RDMEDIA.COM> IPA CA -a
>>     [sudo] password for tiemen:
>>     certutil: Could not find cert: IPA.RDMEDIA.COM <
>> http://IPA.RDMEDIA.COM>
>>     : PR_FILE_NOT_FOUND_ERROR: File not found
>>
>>
>> and when I run
>>
>> [tiemen@copernicum ipapython]$ sudo /usr/bin/certutil -d
>> /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n "IPA.RDMEDIA.COM
>> <http://IPA.RDMEDIA.COM> IPA CA" -a
>> -----BEGIN CERTIFICATE-----
>> <snip>
>> -----END CERTIFICATE-----
>>
>> valid certificate output. Where can I change this command to quote this
>> string?
>>
>>
>> On 16 February 2017 at 17:29, Jeff Goddard <jgodd...@emerlyn.com
>> <mailto:jgodd...@emerlyn.com>> wrote:
>>
>>     Might be another instance of this:
>>     https://fedorahosted.org/freeipa/ticket/6613
>>     <https://fedorahosted.org/freeipa/ticket/6613>
>>
>>     Jeff
>>
>>     On Thu, Feb 16, 2017 at 11:21 AM, Tiemen Ruiten
>>     <t.rui...@rdmedia.com <mailto:t.rui...@rdmedia.com>> wrote:
>>
>>         Hello,
>>
>>         I'm trying to add a third replica to a FreeIPA 4.4 domain (level
>>         1), but I'm getting this error:
>>
>>             [tiemen@copernicum ~]$ sudo ipa-replica-install -P admin -w
>>             "XXXXXXXXXX" --mkhomedir --setup-dns --forwarder 8.8.8.8
>>             --forwarder 8.8.4.4
>>             Checking DNS forwarders, please wait ...
>>             Run connection check to master
>>             Connection check OK
>>             Configuring NTP daemon (ntpd)
>>               [1/4]: stopping ntpd
>>               [2/4]: writing configuration
>>               [3/4]: configuring ntpd to start on boot
>>               [4/4]: starting ntpd
>>             Done configuring NTP daemon (ntpd).
>>             Configuring directory server (dirsrv). Estimated time: 1
>> minute
>>               [1/44]: creating directory server user
>>               [2/44]: creating directory server instance
>>               [3/44]: updating configuration in dse.ldif
>>               [4/44]: restarting directory server
>>               [5/44]: adding default schema
>>               [6/44]: enabling memberof plugin
>>               [7/44]: enabling winsync plugin
>>               [8/44]: configuring replication version plugin
>>               [9/44]: enabling IPA enrollment plugin
>>               [10/44]: enabling ldapi
>>               [11/44]: configuring uniqueness plugin
>>               [12/44]: configuring uuid plugin
>>               [13/44]: configuring modrdn plugin
>>               [14/44]: configuring DNS plugin
>>               [15/44]: enabling entryUSN plugin
>>               [16/44]: configuring lockout plugin
>>               [17/44]: configuring topology plugin
>>               [18/44]: creating indices
>>               [19/44]: enabling referential integrity plugin
>>               [20/44]: configuring certmap.conf
>>               [21/44]: configure autobind for root
>>               [22/44]: configure new location for managed entries
>>               [23/44]: configure dirsrv ccache
>>               [24/44]: enabling SASL mapping fallback
>>               [25/44]: restarting directory server
>>               [26/44]: creating DS keytab
>>               [27/44]: retrieving DS Certificate
>>               [28/44]: restarting directory server
>>             ipa         : CRITICAL Failed to restart the directory
>>             server (Command '/bin/systemctl restart
>>             dirsrv@IPA-RDMEDIA-COM.service' returned non-zero exit
>>             status 1). See the installation log for details.
>>               [29/44]: setting up initial replication
>>               [error] error: [Errno 111] Connection refused
>>             Your system may be partly configured.
>>             Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>             ipa.ipapython.install.cli.install_tool(Replica): ERROR
>>              [Errno 111] Connection refused
>>             ipa.ipapython.install.cli.install_tool(Replica): ERROR
>>              The ipa-replica-install command failed. See
>>             /var/log/ipareplica-install.log for more information
>>
>>
>>         In /var/log/ipareplica-install.log we find:
>>
>>             2017-02-16T15:53:59Z DEBUG   [27/44]: retrieving DS
>> Certificate
>>             2017-02-16T15:53:59Z DEBUG Loading Index file from
>>             '/var/lib/ipa/sysrestore/sysrestore.index'
>>             2017-02-16T15:53:59Z DEBUG Starting external process
>>             2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d
>>             /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n IPA.RDMEDIA.COM
>>             <http://IPA.RDMEDIA.COM> IPA CA -a
>>             2017-02-16T15:53:59Z DEBUG Process finished, return code=255
>>             2017-02-16T15:53:59Z DEBUG stdout=
>>             *2017-02-16T15:53:59Z DEBUG stderr=certutil: Could not find
>>             cert: IPA.RDMEDIA.COM <http://IPA.RDMEDIA.COM> IPA CA
>>             : PR_FILE_NOT_FOUND_ERROR: File not found*
>>             2017-02-16T15:53:59Z DEBUG Starting external process
>>             2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d
>>             /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -N -f
>>             /etc/dirsrv/slapd-IPA-RDMEDIA-COM//pwdfile.txt
>>             2017-02-16T15:53:59Z DEBUG Process finished, return code=0
>>             2017-02-16T15:53:59Z DEBUG stdout=
>>             2017-02-16T15:53:59Z DEBUG stderr=
>>             2017-02-16T15:53:59Z DEBUG Starting external process
>>             2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d
>>             /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -A -n IPA.RDMEDIA.COM
>>             <http://IPA.RDMEDIA.COM> IPA CA -t CT,C,C -a
>>
>>             2017-02-16T15:53:59Z DEBUG Process finished, return code=0
>>             2017-02-16T15:53:59Z DEBUG stdout=
>>             2017-02-16T15:53:59Z DEBUG stderr=
>>             2017-02-16T15:53:59Z DEBUG certmonger request is in state
>>             dbus.String(u'NEWLY_ADDED_READING_KEYINFO', variant_level=1)
>>             2017-02-16T15:54:04Z DEBUG certmonger request is in state
>>             dbus.String(u'CA_UNREACHABLE', variant_level=1)
>>             2017-02-16T15:54:04Z DEBUG flushing
>>             ldapi://%2fvar%2frun%2fslapd-IPA-RDMEDIA-COM.socket from
>>             SchemaCache
>>             2017-02-16T15:54:04Z DEBUG retrieving schema for SchemaCache
>>             url=ldapi://%2fvar%2frun%2fslapd-IPA-RDMEDIA-COM.socket
>>             conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x74efd40>
>>             2017-02-16T15:54:05Z DEBUG   duration: 5 seconds
>>             2017-02-16T15:54:05Z DEBUG   [28/44]: restarting directory
>>             server
>>             2017-02-16T15:54:05Z DEBUG Starting external process
>>             2017-02-16T15:54:05Z DEBUG args=/bin/systemctl --system
>>             daemon-reload
>>             2017-02-16T15:54:05Z DEBUG Process finished, return code=0
>>             2017-02-16T15:54:05Z DEBUG stdout=
>>             2017-02-16T15:54:05Z DEBUG stderr=
>>             2017-02-16T15:54:05Z DEBUG Starting external process
>>             2017-02-16T15:54:05Z DEBUG args=/bin/systemctl restart
>>             dirsrv@IPA-RDMEDIA-COM.service
>>             2017-02-16T15:54:06Z DEBUG Process finished, return code=1
>>             2017-02-16T15:54:06Z DEBUG stdout=
>>             2017-02-16T15:54:06Z DEBUG stderr=Job for
>>             dirsrv@IPA-RDMEDIA-COM.service failed because the control
>>             process exited with error code. See "systemctl status
>>             dirsrv@IPA-RDMEDIA-COM.service" and "journalctl -xe" for
>>             details.
>>             2017-02-16T15:54:06Z CRITICAL Failed to restart the
>>             directory server (Command '/bin/systemctl restart
>>             dirsrv@IPA-RDMEDIA-COM.service' returned non-zero exit
>>             status 1). See the installation log for details.
>>             2017-02-16T15:54:06Z DEBUG   duration: 1 seconds
>>             2017-02-16T15:54:06Z DEBUG   [29/44]: setting up initial
>>             replication
>>             2017-02-16T15:54:16Z DEBUG Traceback (most recent call last):
>>               File
>>             "/usr/lib/python2.7/site-packages/ipaserver/install/service.
>> py",
>>             line 449, in start_creation
>>                 run_step(full_msg, method)
>>               File
>>             "/usr/lib/python2.7/site-packages/ipaserver/install/service.
>> py",
>>             line 439, in run_step
>>                 method()
>>               File
>>             "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstan
>> ce.py",
>>             line 405, in __setup_replica
>>                 self.dm_password)
>>               File
>>             "/usr/lib/python2.7/site-packages/ipaserver/install/replicat
>> ion.py",
>>             line 118, in enable_replication_version_checking
>>                 conn.do_simple_bind(bindpw=dirman_passwd)
>>               File
>>             "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py",
>>             line 1665, in do_simple_bind
>>                 self.__bind_with_wait(self.simple_bind, timeout, binddn,
>>             bindpw)
>>               File
>>             "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py",
>>             line 1660, in __bind_with_wait
>>                 self.__wait_for_connection(timeout)
>>               File
>>             "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py",
>>             line 1643, in __wait_for_connection
>>                 wait_for_open_socket(lurl.hostport, timeout)
>>               File
>>             "/usr/lib/python2.7/site-packages/ipapython/ipautil.py",
>>             line 1286, in wait_for_open_socket
>>                 raise e
>>             error: [Errno 111] Connection refused
>>             2017-02-16T15:54:16Z DEBUG   [error] error: [Errno 111]
>>             Connection refused
>>             2017-02-16T15:54:16Z DEBUG Destroyed connection
>>             context.ldap2_78478480
>>             2017-02-16T15:54:16Z DEBUG   File
>>             "/usr/lib/python2.7/site-packages/ipapython/admintool.py",
>>             line 171, in execute
>>                 return_value = self.run()
>>               File
>>             "/usr/lib/python2.7/site-packages/ipapython/install/cli.py",
>>             line 318, in run
>>                 cfgr.run()
>>               File
>>             "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line
>>             310, in run
>>                 self.execute()
>>               File
>>             "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line
>>             332, in execute
>>                 for nothing in self._executor():
>>               File
>>             "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line
>>             372, in __runner
>>                 self._handle_exception(exc_info)
>>               File
>>             "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line
>>             394, in _handle_exception
>>                 six.reraise(*exc_info)
>>               File
>>             "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line
>>             362, in __runner
>>                 step()
>>               File
>>             "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line
>>             359, in <lambda>
>>                 step = lambda: next(self.__gen)
>>               File
>>             "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>> line
>>             81, in run_generator_with_yield_from
>>                 six.reraise(*exc_info)
>>               File
>>             "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>> line
>>             59, in run_generator_with_yield_from
>>                 value = gen.send(prev_value)
>>               File
>>             "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line
>>             586, in _configure
>>                 next(executor)
>>               File
>>             "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line
>>             372, in __runner
>>                 self._handle_exception(exc_info)
>>               File
>>             "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line
>>             449, in _handle_exception
>>                 self.__parent._handle_exception(exc_info)
>>               File
>>             "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line
>>             394, in _handle_exception
>>                 six.reraise(*exc_info)
>>               File
>>             "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line
>>             446, in _handle_exception
>>                 super(ComponentBase, self)._handle_exception(exc_info)
>>               File
>>             "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line
>>             394, in _handle_exception
>>                 six.reraise(*exc_info)
>>               File
>>             "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line
>>             362, in __runner
>>                 step()
>>               File
>>             "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line
>>             359, in <lambda>
>>                 step = lambda: next(self.__gen)
>>               File
>>             "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>> line
>>             81, in run_generator_with_yield_from
>>                 six.reraise(*exc_info)
>>               File
>>             "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>> line
>>             59, in run_generator_with_yield_from
>>                 value = gen.send(prev_value)
>>               File
>>             "/usr/lib/python2.7/site-packages/ipapython/install/common.
>> py",
>>             line 63, in _install
>>                 for nothing in self._installer(self.parent):
>>               File
>>             "/usr/lib/python2.7/site-packages/ipaserver/install/server/
>> replicainstall.py",
>>             line 1714, in main
>>                 promote(self)
>>               File
>>             "/usr/lib/python2.7/site-packages/ipaserver/install/server/
>> replicainstall.py",
>>             line 364, in decorated
>>                 func(installer)
>>               File
>>             "/usr/lib/python2.7/site-packages/ipaserver/install/server/
>> replicainstall.py",
>>             line 1415, in promote
>>                 promote=True, pkcs12_info=dirsrv_pkcs12_info)
>>               File
>>             "/usr/lib/python2.7/site-packages/ipaserver/install/server/
>> replicainstall.py",
>>             line 127, in install_replica_ds
>>                 api=remote_api,
>>               File
>>             "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstan
>> ce.py",
>>             line 399, in create_replica
>>                 self.start_creation(runtime=60)
>>               File
>>             "/usr/lib/python2.7/site-packages/ipaserver/install/service.
>> py",
>>             line 449, in start_creation
>>                 run_step(full_msg, method)
>>               File
>>             "/usr/lib/python2.7/site-packages/ipaserver/install/service.
>> py",
>>             line 439, in run_step
>>                 method()
>>               File
>>             "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstan
>> ce.py",
>>             line 405, in __setup_replica
>>                 self.dm_password)
>>               File
>>             "/usr/lib/python2.7/site-packages/ipaserver/install/replicat
>> ion.py",
>>             line 118, in enable_replication_version_checking
>>                 conn.do_simple_bind(bindpw=dirman_passwd)
>>               File
>>             "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py",
>>             line 1665, in do_simple_bind
>>                 self.__bind_with_wait(self.simple_bind, timeout, binddn,
>>             bindpw)
>>               File
>>             "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py",
>>             line 1660, in __bind_with_wait
>>                 self.__wait_for_connection(timeout)
>>               File
>>             "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py",
>>             line 1643, in __wait_for_connection
>>                 wait_for_open_socket(lurl.hostport, timeout)
>>               File
>>             "/usr/lib/python2.7/site-packages/ipapython/ipautil.py",
>>             line 1286, in wait_for_open_socket
>>                 raise e
>>             2017-02-16T15:54:16Z DEBUG The ipa-replica-install command
>>             failed, exception: error: [Errno 111] Connection refused
>>             2017-02-16T15:54:16Z ERROR [Errno 111] Connection refused
>>             2017-02-16T15:54:16Z ERROR The ipa-replica-install command
>>             failed. See /var/log/ipareplica-install.log for more
>> information
>>
>>
>>         How can I troubleshoot this?
>>
>>
>>
>>         --
>>         Tiemen Ruiten
>>         Systems Engineer
>>         R&D Media
>>
>>         --
>>         Manage your subscription for the Freeipa-users mailing list:
>>         https://www.redhat.com/mailman/listinfo/freeipa-users
>>         <https://www.redhat.com/mailman/listinfo/freeipa-users>
>>         Go to http://freeipa.org for more info on the project
>>
>>
>>
>>
>>
>>
>>
>>
>> --
>> Tiemen Ruiten
>> Systems Engineer
>> R&D Media
>>
>>
>>
>


-- 
Tiemen Ruiten
Systems Engineer
R&D Media
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to