Flo, do you have any pointers?

On 20 February 2017 at 10:05, Tiemen Ruiten <t.rui...@rdmedia.com> wrote:
> Hello Flo,
>
> Thanks for your response. I ran that command and I seem to have a
> different problem (connectors are defined as you indicated):
>
>> [tiemen@copernicum ~]$ sudo getcert list -d /etc/dirsrv/slapd-IPA-RDMEDIA-COM/
>> [sudo] password for tiemen:
>> Number of certificates and requests being tracked: 2.
>> Request ID '20170217130857':
>>         status: CA_UNREACHABLE
>>         ca-error: Server at https://moscovium.ipa.rdmedia.com/ipa/xml failed
>> request, will retry: 4301 (RPC failed at server. Certificate operation
>> cannot be completed: FAILURE (*CA not found:
>> 1ba8130c-56b8-4bd9-ae8a-8b0333d71b80*)).
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-RDMEDIA-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-RDMEDIA-COM//pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-RDMEDIA-COM',nickname='Server-Cert'
>>         CA: IPA
>>         issuer:
>>         subject:
>>         expires: unknown
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>
>
> On 20 February 2017 at 09:28, Florence Blanc-Renaud <f...@redhat.com>
> wrote:
>
>> On 02/17/2017 10:36 AM, Tiemen Ruiten wrote:
>>
>>> I went through that bug report, particularly this section...
>>>
>>> OK, I think I found the error. On the logs I get something like this
>>> *before* the failing dirsrv restart:
>>>
>>> 2017-01-14T03:41:28Z DEBUG   [27/44]: retrieving DS Certificate
>>> 2017-01-14T03:41:28Z DEBUG Loading Index file from
>>> '/var/lib/ipa/sysrestore/sysrestore.index'
>>> 2017-01-14T03:41:28Z DEBUG Starting external process
>>> 2017-01-14T03:41:28Z DEBUG args=/usr/bin/certutil -d
>>> /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n EXAMPLE.COM IPA CA -a
>>> 2017-01-14T03:41:28Z DEBUG Process finished, return code=255
>>> 2017-01-14T03:41:28Z DEBUG stdout=
>>> 2017-01-14T03:41:28Z DEBUG stderr=certutil: Could not find cert:
>>> EXAMPLE.COM IPA CA
>>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>>
>>>
>> Hi,
>>
>> this error shows that the server certificate for the LDAP server is not
>> present in the NSS database. I am pretty sure that if you run
>> $ getcert list -d /etc/dirsrv/slapd-DOMAIN
>> you will get an error like this one:
>>         status: CA_UNREACHABLE
>>         ca-error: Server at https://ipa.EXAMPLE.COM/ipa/xml failed
>> request, will retry: 4301 (RPC failed at server. Certificate operation
>> cannot be completed: Unable to communicate with CMS (503)).
>>
>> Make sure that the file /etc/pki/pki-tomcat/server.xml (on all the
>> masters) defines the AJP connector like this:
>>     <Connector port="8009"
>>                protocol="AJP/1.3"
>>                redirectPort="8443"
>>                address="localhost" />
>> and that the /etc/hosts file (on all the masters) properly defines
>> localhost:
>>     127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
>>     ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
>> Then restart the PKI service on the masters:
>>     systemctl stop pki-tomcatd@pki-tomcat.service
>>
>> After this, you should be able to re-run ipa-replica-install without any
>> problem.
>> HTH,
>> Flo.
>>
>>> So, when the process stopped, I run the command again:
>>>
>>> # /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n EXAMPLE.COM IPA CA -a
>>> certutil: Could not find cert: EXAMPLE.COM
>>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>>
>>> and thought "wait... something is missing there":
>>>
>>> # /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n "EXAMPLE.COM IPA CA" -a
>>> -----BEGIN CERTIFICATE-----
>>> <strip>
>>> -----END CERTIFICATE-----
>>>
>>> So, could this be the problem?
>>>
>>>
>>> ...and indeed when I run
>>>
>>> [tiemen@copernicum ipapython]$ sudo /usr/bin/certutil -d /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n IPA.RDMEDIA.COM IPA CA -a
>>> [sudo] password for tiemen:
>>> certutil: Could not find cert: IPA.RDMEDIA.COM
>>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>>
>>>
>>> and when I run
>>>
>>> [tiemen@copernicum ipapython]$ sudo /usr/bin/certutil -d /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n "IPA.RDMEDIA.COM IPA CA" -a
>>> -----BEGIN CERTIFICATE-----
>>> <snip>
>>> -----END CERTIFICATE-----
>>>
>>> valid certificate output. Where can I change this command to quote this
>>> string?
>>>
>>>
>>> On 16 February 2017 at 17:29, Jeff Goddard <jgodd...@emerlyn.com> wrote:
>>>
>>>     Might be another instance of this:
>>>     https://fedorahosted.org/freeipa/ticket/6613
>>>
>>>     Jeff
>>>
>>>     On Thu, Feb 16, 2017 at 11:21 AM, Tiemen Ruiten
>>>     <t.rui...@rdmedia.com> wrote:
>>>
>>>         Hello,
>>>
>>>         I'm trying to add a third replica to a FreeIPA 4.4 domain (level
>>>         1), but I'm getting this error:
>>>
>>>         [tiemen@copernicum ~]$ sudo ipa-replica-install -P admin -w
>>>         "XXXXXXXXXX" --mkhomedir --setup-dns --forwarder 8.8.8.8
>>>         --forwarder 8.8.4.4
>>>         Checking DNS forwarders, please wait ...
>>>         Run connection check to master
>>>         Connection check OK
>>>         Configuring NTP daemon (ntpd)
>>>           [1/4]: stopping ntpd
>>>           [2/4]: writing configuration
>>>           [3/4]: configuring ntpd to start on boot
>>>           [4/4]: starting ntpd
>>>         Done configuring NTP daemon (ntpd).
>>>         Configuring directory server (dirsrv). Estimated time: 1 minute
>>>           [1/44]: creating directory server user
>>>           [2/44]: creating directory server instance
>>>           [3/44]: updating configuration in dse.ldif
>>>           [4/44]: restarting directory server
>>>           [5/44]: adding default schema
>>>           [6/44]: enabling memberof plugin
>>>           [7/44]: enabling winsync plugin
>>>           [8/44]: configuring replication version plugin
>>>           [9/44]: enabling IPA enrollment plugin
>>>           [10/44]: enabling ldapi
>>>           [11/44]: configuring uniqueness plugin
>>>           [12/44]: configuring uuid plugin
>>>           [13/44]: configuring modrdn plugin
>>>           [14/44]: configuring DNS plugin
>>>           [15/44]: enabling entryUSN plugin
>>>           [16/44]: configuring lockout plugin
>>>           [17/44]: configuring topology plugin
>>>           [18/44]: creating indices
>>>           [19/44]: enabling referential integrity plugin
>>>           [20/44]: configuring certmap.conf
>>>           [21/44]: configure autobind for root
>>>           [22/44]: configure new location for managed entries
>>>           [23/44]: configure dirsrv ccache
>>>           [24/44]: enabling SASL mapping fallback
>>>           [25/44]: restarting directory server
>>>           [26/44]: creating DS keytab
>>>           [27/44]: retrieving DS Certificate
>>>           [28/44]: restarting directory server
>>>         ipa         : CRITICAL Failed to restart the directory server (Command '/bin/systemctl restart dirsrv@IPA-RDMEDIA-COM.service' returned non-zero exit status 1). See the installation log for details.
>>>           [29/44]: setting up initial replication
>>>           [error] error: [Errno 111] Connection refused
>>>         Your system may be partly configured.
>>>         Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>         ipa.ipapython.install.cli.install_tool(Replica): ERROR    [Errno 111] Connection refused
>>>         ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>>>
>>>
>>>         In /var/log/ipareplica-install.log we find:
>>>
>>>         2017-02-16T15:53:59Z DEBUG   [27/44]: retrieving DS Certificate
>>>         2017-02-16T15:53:59Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
>>>         2017-02-16T15:53:59Z DEBUG Starting external process
>>>         2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n IPA.RDMEDIA.COM IPA CA -a
>>>         2017-02-16T15:53:59Z DEBUG Process finished, return code=255
>>>         2017-02-16T15:53:59Z DEBUG stdout=
>>>         *2017-02-16T15:53:59Z DEBUG stderr=certutil: Could not find cert: IPA.RDMEDIA.COM IPA CA
>>>         : PR_FILE_NOT_FOUND_ERROR: File not found*
>>>         2017-02-16T15:53:59Z DEBUG Starting external process
>>>         2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -N -f /etc/dirsrv/slapd-IPA-RDMEDIA-COM//pwdfile.txt
>>>         2017-02-16T15:53:59Z DEBUG Process finished, return code=0
>>>         2017-02-16T15:53:59Z DEBUG stdout=
>>>         2017-02-16T15:53:59Z DEBUG stderr=
>>>         2017-02-16T15:53:59Z DEBUG Starting external process
>>>         2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -A -n IPA.RDMEDIA.COM IPA CA -t CT,C,C -a
>>>         2017-02-16T15:53:59Z DEBUG Process finished, return code=0
>>>         2017-02-16T15:53:59Z DEBUG stdout=
>>>         2017-02-16T15:53:59Z DEBUG stderr=
>>>         2017-02-16T15:53:59Z DEBUG certmonger request is in state dbus.String(u'NEWLY_ADDED_READING_KEYINFO', variant_level=1)
>>>         2017-02-16T15:54:04Z DEBUG certmonger request is in state dbus.String(u'CA_UNREACHABLE', variant_level=1)
>>>         2017-02-16T15:54:04Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-IPA-RDMEDIA-COM.socket from SchemaCache
>>>         2017-02-16T15:54:04Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-IPA-RDMEDIA-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x74efd40>
>>>         2017-02-16T15:54:05Z DEBUG duration: 5 seconds
>>>         2017-02-16T15:54:05Z DEBUG   [28/44]: restarting directory server
>>>         2017-02-16T15:54:05Z DEBUG Starting external process
>>>         2017-02-16T15:54:05Z DEBUG args=/bin/systemctl --system daemon-reload
>>>         2017-02-16T15:54:05Z DEBUG Process finished, return code=0
>>>         2017-02-16T15:54:05Z DEBUG stdout=
>>>         2017-02-16T15:54:05Z DEBUG stderr=
>>>         2017-02-16T15:54:05Z DEBUG Starting external process
>>>         2017-02-16T15:54:05Z DEBUG args=/bin/systemctl restart dirsrv@IPA-RDMEDIA-COM.service
>>>         2017-02-16T15:54:06Z DEBUG Process finished, return code=1
>>>         2017-02-16T15:54:06Z DEBUG stdout=
>>>         2017-02-16T15:54:06Z DEBUG stderr=Job for dirsrv@IPA-RDMEDIA-COM.service failed because the control process exited with error code. See "systemctl status dirsrv@IPA-RDMEDIA-COM.service" and "journalctl -xe" for details.
>>>         2017-02-16T15:54:06Z CRITICAL Failed to restart the directory server (Command '/bin/systemctl restart dirsrv@IPA-RDMEDIA-COM.service' returned non-zero exit status 1). See the installation log for details.
>>>         2017-02-16T15:54:06Z DEBUG duration: 1 seconds
>>>         2017-02-16T15:54:06Z DEBUG   [29/44]: setting up initial replication
>>>         2017-02-16T15:54:16Z DEBUG Traceback (most recent call last):
>>>           File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
>>>             run_step(full_msg, method)
>>>           File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
>>>             method()
>>>           File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 405, in __setup_replica
>>>             self.dm_password)
>>>           File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 118, in enable_replication_version_checking
>>>             conn.do_simple_bind(bindpw=dirman_passwd)
>>>           File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1665, in do_simple_bind
>>>             self.__bind_with_wait(self.simple_bind, timeout, binddn, bindpw)
>>>           File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1660, in __bind_with_wait
>>>             self.__wait_for_connection(timeout)
>>>           File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1643, in __wait_for_connection
>>>             wait_for_open_socket(lurl.hostport, timeout)
>>>           File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1286, in wait_for_open_socket
>>>             raise e
>>>         error: [Errno 111] Connection refused
>>>         2017-02-16T15:54:16Z DEBUG   [error] error: [Errno 111] Connection refused
>>>         2017-02-16T15:54:16Z DEBUG Destroyed connection context.ldap2_78478480
>>>         2017-02-16T15:54:16Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>>             return_value = self.run()
>>>           File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run
>>>             cfgr.run()
>>>           File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 310, in run
>>>             self.execute()
>>>           File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in execute
>>>             for nothing in self._executor():
>>>           File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
>>>             self._handle_exception(exc_info)
>>>           File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
>>>             six.reraise(*exc_info)
>>>           File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
>>>             step()
>>>           File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
>>>             step = lambda: next(self.__gen)
>>>           File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
>>>             six.reraise(*exc_info)
>>>           File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
>>>             value = gen.send(prev_value)
>>>           File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 586, in _configure
>>>             next(executor)
>>>           File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
>>>             self._handle_exception(exc_info)
>>>           File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449, in _handle_exception
>>>             self.__parent._handle_exception(exc_info)
>>>           File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
>>>             six.reraise(*exc_info)
>>>           File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception
>>>             super(ComponentBase, self)._handle_exception(exc_info)
>>>           File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
>>>             six.reraise(*exc_info)
>>>           File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
>>>             step()
>>>           File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
>>>             step = lambda: next(self.__gen)
>>>           File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
>>>             six.reraise(*exc_info)
>>>           File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
>>>             value = gen.send(prev_value)
>>>           File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
>>>             for nothing in self._installer(self.parent):
>>>           File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1714, in main
>>>             promote(self)
>>>           File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 364, in decorated
>>>             func(installer)
>>>           File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1415, in promote
>>>             promote=True, pkcs12_info=dirsrv_pkcs12_info)
>>>           File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 127, in install_replica_ds
>>>             api=remote_api,
>>>           File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 399, in create_replica
>>>             self.start_creation(runtime=60)
>>>           File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
>>>             run_step(full_msg, method)
>>>           File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
>>>             method()
>>>           File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 405, in __setup_replica
>>>             self.dm_password)
>>>           File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 118, in enable_replication_version_checking
>>>             conn.do_simple_bind(bindpw=dirman_passwd)
>>>           File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1665, in do_simple_bind
>>>             self.__bind_with_wait(self.simple_bind, timeout, binddn, bindpw)
>>>           File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1660, in __bind_with_wait
>>>             self.__wait_for_connection(timeout)
>>>           File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1643, in __wait_for_connection
>>>             wait_for_open_socket(lurl.hostport, timeout)
>>>           File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1286, in wait_for_open_socket
>>>             raise e
>>>         2017-02-16T15:54:16Z DEBUG The ipa-replica-install command failed, exception: error: [Errno 111] Connection refused
>>>         2017-02-16T15:54:16Z ERROR [Errno 111] Connection refused
>>>         2017-02-16T15:54:16Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>>>
>>>
>>>         How can I troubleshoot this?
>>>
>>>         --
>>>         Tiemen Ruiten
>>>         Systems Engineer
>>>         R&D Media
>>>
>>>         --
>>>         Manage your subscription for the Freeipa-users mailing list:
>>>         https://www.redhat.com/mailman/listinfo/freeipa-users
>>>         Go to http://freeipa.org for more info on the project
>>>
>>>
>>> --
>>> Tiemen Ruiten
>>> Systems Engineer
>>> R&D Media
>>
>
>
> --
> Tiemen Ruiten
> Systems Engineer
> R&D Media

--
Tiemen Ruiten
Systems Engineer
R&D Media

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
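The three things Flo's reply asks the poster to verify on every master (the AJP connector in /etc/pki/pki-tomcat/server.xml bound to localhost on port 8009, both localhost entries in /etc/hosts, and the certmonger request state from `getcert list`) are easy to check by hand on one host and easy to miss on the third. As an added example, not part of this thread and not FreeIPA's own code, the script below checks them from text you feed it, so it can be run offline against copies pulled from each master. The sample inputs are constructed, with a placeholder CA UUID and an example domain; the file paths and field names are the ones that appear in the thread.

```python
import re
import xml.etree.ElementTree as ET


def parse_getcert_list(text):
    """Turn `getcert list` output into one dict per tracked request.

    Assumes the one-line-per-field layout certmonger prints; the mail
    client in the thread re-wrapped long values, which this does not undo.
    """
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ": " in line:
            key, _, value = line.partition(": ")
            current[key.strip()] = value.strip()
    return requests


def unreachable_requests(requests):
    """(id, ca-error) for every request whose status is CA_UNREACHABLE."""
    return [(r["id"], r.get("ca-error", ""))
            for r in requests if r.get("status") == "CA_UNREACHABLE"]


def ajp_connector_problems(server_xml):
    """Problems with the AJP connector(s) in server.xml; empty when one
    matches the shape the thread asks for (port 8009, address localhost)."""
    root = ET.fromstring(server_xml)
    ajp = [c for c in root.iter("Connector")
           if c.get("protocol", "").startswith("AJP/")]
    if not ajp:
        return ["no AJP connector defined"]
    problems = []
    for c in ajp:
        if c.get("port") != "8009":
            problems.append("AJP connector port is %r, expected 8009" % c.get("port"))
        if c.get("address") != "localhost":
            problems.append("AJP connector address is %r, expected 'localhost'"
                            % c.get("address"))
    return problems


def hosts_localhost_problems(hosts_text):
    """Check that /etc/hosts maps both 127.0.0.1 and ::1 to 'localhost'."""
    seen = set()
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if len(fields) >= 2 and "localhost" in fields[1:]:
            seen.add(fields[0])
    return ["%s is not mapped to localhost in /etc/hosts" % addr
            for addr in ("127.0.0.1", "::1") if addr not in seen]


def check_master(server_xml, hosts_text, getcert_output):
    """Run all three checks for one master; an empty list means all passed."""
    findings = ajp_connector_problems(server_xml) + hosts_localhost_problems(hosts_text)
    for req_id, err in unreachable_requests(parse_getcert_list(getcert_output)):
        findings.append("request %s is CA_UNREACHABLE: %s" % (req_id, err))
    return findings


# Constructed samples (not captured from the poster's systems).
SERVER_XML_BAD = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""
SERVER_XML_GOOD = SERVER_XML_BAD.replace(
    'protocol="AJP/1.3"', 'protocol="AJP/1.3" address="localhost"')
HOSTS_GOOD = """127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
"""
HOSTS_BAD = "127.0.0.1   localhost\n# ::1 line removed\n"
GETCERT_SAMPLE = """Number of certificates and requests being tracked: 2.
Request ID '20170217130857':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: FAILURE (CA not found: 00000000-0000-0000-0000-000000000000)).
\tstuck: no
\tCA: IPA
\ttrack: yes
Request ID '20170217130858':
\tstatus: MONITORING
\tCA: IPA
"""

if __name__ == "__main__":
    for name, args in (("bad master", (SERVER_XML_BAD, HOSTS_BAD, GETCERT_SAMPLE)),
                       ("good master", (SERVER_XML_GOOD, HOSTS_GOOD, GETCERT_SAMPLE))):
        print(name)
        for finding in check_master(*args) or ["no problems found"]:
            print("  -", finding)
```

On a real master, feed `check_master()` the contents of /etc/pki/pki-tomcat/server.xml, /etc/hosts and the output of `getcert list -d /etc/dirsrv/slapd-DOMAIN`; a request that stays CA_UNREACHABLE after the connector and hosts entries are correct (as in the poster's follow-up, where the CA itself is reported as not found) is a different fault from the 503 case Flo describes, and the ca-error text is what distinguishes them.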