Re: [Freeipa-users] can't add replica: failed to start the directory server

2017-02-21 Thread Tiemen Ruiten
Can anyone help? At this point I'm stuck and I may have to consider
alternatives :(

On 21 February 2017 at 09:37, Tiemen Ruiten  wrote:

> Flo,
>
> Do you have any pointers?
>
> On 20 February 2017 at 10:05, Tiemen Ruiten  wrote:
>
>> Hello Flo,
>>
>> Thanks for your response. I ran that command and I seem to have a
>> different problem (connectors are defined as you indicated):
>>
>> [tiemen@copernicum ~]$ sudo getcert list -d
>>> /etc/dirsrv/slapd-IPA-RDMEDIA-COM/
>>> [sudo] password for tiemen:
>>> Number of certificates and requests being tracked: 2.
>>> Request ID '20170217130857':
>>> status: CA_UNREACHABLE
>>> ca-error: Server at https://moscovium.ipa.rdmedia.com/ipa/xml failed
>>> request, will retry: 4301 (RPC failed at server.  Certificate operation
>>> cannot be completed: FAILURE (*CA not found:
>>> 1ba8130c-56b8-4bd9-ae8a-8b0333d71b80*)).
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-RDMEDIA-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-RDMEDIA-COM//pwdfile.txt'
>>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-RDMEDIA-COM',nickname='Server-Cert'
>>> CA: IPA
>>> issuer:
>>> subject:
>>> expires: unknown
>>> pre-save command:
>>> post-save command:
>>> track: yes
>>> auto-renew: yes
>>
>> On 20 February 2017 at 09:28, Florence Blanc-Renaud 
>> wrote:
>>
>>> On 02/17/2017 10:36 AM, Tiemen Ruiten wrote:
>>>
 I went through that bugreport, particularly this section...

 OK, I think I found the error. On the logs I get something like this
 *before* the failing dirsrv restart:

 2017-01-14T03:41:28Z DEBUG   [27/44]: retrieving DS Certificate
 2017-01-14T03:41:28Z DEBUG Loading Index file from
 '/var/lib/ipa/sysrestore/sysrestore.index'
 2017-01-14T03:41:28Z DEBUG Starting external process
 2017-01-14T03:41:28Z DEBUG args=/usr/bin/certutil -d
 /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n EXAMPLE.COM 
 IPA CA -a
 2017-01-14T03:41:28Z DEBUG Process finished, return code=255
 2017-01-14T03:41:28Z DEBUG stdout=
 2017-01-14T03:41:28Z DEBUG stderr=certutil: Could not find cert:
 EXAMPLE.COM  IPA CA
 : PR_FILE_NOT_FOUND_ERROR: File not found


>>> Hi,
>>>
>>> this error shows that the server certificate for the LDAP server is not
>>> present in the NSS database. I am pretty sure that if you run
>>> $ getcert list -d /etc/dirsrv/slapd-DOMAIN
>>> you will get an error like this one:
>>> status: CA_UNREACHABLE
>>> ca-error: Server at https://ipa.EXAMPLE.COM/ipa/xml failed
>>> request, will retry: 4301 (RPC failed at server.  Certificate operation
>>> cannot be completed: Unable to communicate with CMS (503)).
>>>
>>> Make sure that the file /etc/pki/pki-tomcat/server.xml (on all the
>>> masters) defines the AJP connector like this:
>>> >> protocol="AJP/1.3"
>>> redirectPort="8443"
>>> address="localhost" />
>>> and that the /etc/hosts file (on all the masters) properly defines
>>> localhost:
>>> 127.0.0.1   localhost localhost.localdomain localhost4
>>> localhost4.localdomain4
>>> ::1 localhost localhost.localdomain localhost6
>>> localhost6.localdomain6
>>> Then restart the PKI service on the masters:
>>> systemctl stop pki-tomcatd@pki-tomcat.service
>>>
>>> After this, you should be able to re-run ipa-replica-install without any
>>> problem.
>>> HTH,
>>> Flo.
>>>
>>> So, when the process stopped, I ran the command again:

 # /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n EXAMPLE.COM
  IPA CA -a
 certutil: Could not find cert: EXAMPLE.COM 
 : PR_FILE_NOT_FOUND_ERROR: File not found

 and thought "wait... something is missing there":

 # /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n "
 EXAMPLE.COM  IPA CA" -a
 -BEGIN CERTIFICATE-
 
 -END CERTIFICATE-

 So, could this be the problem?


 ...and indeed when I run

 [tiemen@copernicum ipapython]$ sudo /usr/bin/certutil -d
 /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n IPA.RDMEDIA.COM
  IPA CA -a
 [sudo] password for tiemen:
 certutil: Could not find cert: IPA.RDMEDIA.COM
 : PR_FILE_NOT_FOUND_ERROR: File not found


 and when I run

 [tiemen@copernicum ipapython]$ sudo /usr/bin/certutil -d
 /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n "IPA.RDMEDIA.COM
  IPA CA" -a
 -BEGIN CERTIFICATE-
 
 -END CERTIFICATE-

 valid certificate output. Where can I change this command to quote this
 string?


 On 16 February 2017 at 17:29, Jeff Goddard 

Re: [Freeipa-users] can't add replica: failed to start the directory server

2017-02-21 Thread Tiemen Ruiten
Flo,

Do you have any pointers?

On 20 February 2017 at 10:05, Tiemen Ruiten  wrote:

> Hello Flo,
>
> Thanks for your response. I ran that command and I seem to have a
> different problem (connectors are defined as you indicated):
>
> [tiemen@copernicum ~]$ sudo getcert list -d /etc/dirsrv/slapd-IPA-RDMEDIA-COM/
>> [sudo] password for tiemen:
>> Number of certificates and requests being tracked: 2.
>> Request ID '20170217130857':
>> status: CA_UNREACHABLE
>> ca-error: Server at https://moscovium.ipa.rdmedia.com/ipa/xml failed
>> request, will retry: 4301 (RPC failed at server.  Certificate operation
>> cannot be completed: FAILURE (*CA not found:
>> 1ba8130c-56b8-4bd9-ae8a-8b0333d71b80*)).
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-RDMEDIA-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-RDMEDIA-COM//pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-RDMEDIA-COM',nickname='Server-Cert'
>> CA: IPA
>> issuer:
>> subject:
>> expires: unknown
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>
> On 20 February 2017 at 09:28, Florence Blanc-Renaud 
> wrote:
>
>> On 02/17/2017 10:36 AM, Tiemen Ruiten wrote:
>>
>>> I went through that bugreport, particularly this section...
>>>
>>> OK, I think I found the error. On the logs I get something like this
>>> *before* the failing dirsrv restart:
>>>
>>> 2017-01-14T03:41:28Z DEBUG   [27/44]: retrieving DS Certificate
>>> 2017-01-14T03:41:28Z DEBUG Loading Index file from
>>> '/var/lib/ipa/sysrestore/sysrestore.index'
>>> 2017-01-14T03:41:28Z DEBUG Starting external process
>>> 2017-01-14T03:41:28Z DEBUG args=/usr/bin/certutil -d
>>> /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n EXAMPLE.COM 
>>> IPA CA -a
>>> 2017-01-14T03:41:28Z DEBUG Process finished, return code=255
>>> 2017-01-14T03:41:28Z DEBUG stdout=
>>> 2017-01-14T03:41:28Z DEBUG stderr=certutil: Could not find cert:
>>> EXAMPLE.COM  IPA CA
>>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>>
>>>
>> Hi,
>>
>> this error shows that the server certificate for the LDAP server is not
>> present in the NSS database. I am pretty sure that if you run
>> $ getcert list -d /etc/dirsrv/slapd-DOMAIN
>> you will get an error like this one:
>> status: CA_UNREACHABLE
>> ca-error: Server at https://ipa.EXAMPLE.COM/ipa/xml failed
>> request, will retry: 4301 (RPC failed at server.  Certificate operation
>> cannot be completed: Unable to communicate with CMS (503)).
>>
>> Make sure that the file /etc/pki/pki-tomcat/server.xml (on all the
>> masters) defines the AJP connector like this:
>> > protocol="AJP/1.3"
>> redirectPort="8443"
>> address="localhost" />
>> and that the /etc/hosts file (on all the masters) properly defines
>> localhost:
>> 127.0.0.1   localhost localhost.localdomain localhost4
>> localhost4.localdomain4
>> ::1 localhost localhost.localdomain localhost6
>> localhost6.localdomain6
>> Then restart the PKI service on the masters:
>> systemctl stop pki-tomcatd@pki-tomcat.service
>>
>> After this, you should be able to re-run ipa-replica-install without any
>> problem.
>> HTH,
>> Flo.
>>
>> So, when the process stopped, I ran the command again:
>>>
>>> # /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n EXAMPLE.COM
>>>  IPA CA -a
>>> certutil: Could not find cert: EXAMPLE.COM 
>>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>>
>>> and thought "wait... something is missing there":
>>>
>>> # /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n "EXAMPLE.COM
>>>  IPA CA" -a
>>> -BEGIN CERTIFICATE-
>>> 
>>> -END CERTIFICATE-
>>>
>>> So, could this be the problem?
>>>
>>>
>>> ...and indeed when I run
>>>
>>> [tiemen@copernicum ipapython]$ sudo /usr/bin/certutil -d
>>> /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n IPA.RDMEDIA.COM
>>>  IPA CA -a
>>> [sudo] password for tiemen:
>>> certutil: Could not find cert: IPA.RDMEDIA.COM
>>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>>
>>>
>>> and when I run
>>>
>>> [tiemen@copernicum ipapython]$ sudo /usr/bin/certutil -d
>>> /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n "IPA.RDMEDIA.COM
>>>  IPA CA" -a
>>> -BEGIN CERTIFICATE-
>>> 
>>> -END CERTIFICATE-
>>>
>>> valid certificate output. Where can I change this command to quote this
>>> string?
>>>
>>>
>>> On 16 February 2017 at 17:29, Jeff Goddard wrote:
>>>
>>> Might be another instance of this:
>>> https://fedorahosted.org/freeipa/ticket/6613
>>> 
>>>
>>> Jeff
>>>
>>> On Thu, Feb 16, 2017 at 11:21 AM, Tiemen Ruiten
>>> 

Re: [Freeipa-users] can't add replica: failed to start the directory server

2017-02-20 Thread Tiemen Ruiten
Hello Flo,

Thanks for your response. I ran that command and I seem to have a different
problem (connectors are defined as you indicated):

[tiemen@copernicum ~]$ sudo getcert list -d
> /etc/dirsrv/slapd-IPA-RDMEDIA-COM/
> [sudo] password for tiemen:
> Number of certificates and requests being tracked: 2.
> Request ID '20170217130857':
> status: CA_UNREACHABLE
> ca-error: Server at https://moscovium.ipa.rdmedia.com/ipa/xml failed
> request, will retry: 4301 (RPC failed at server.  Certificate operation
> cannot be completed: FAILURE (*CA not found:
> 1ba8130c-56b8-4bd9-ae8a-8b0333d71b80*)).
> stuck: no
> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-RDMEDIA-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-RDMEDIA-COM//pwdfile.txt'
> certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-RDMEDIA-COM',nickname='Server-Cert'
> CA: IPA
> issuer:
> subject:
> expires: unknown
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes

On 20 February 2017 at 09:28, Florence Blanc-Renaud  wrote:

> On 02/17/2017 10:36 AM, Tiemen Ruiten wrote:
>
>> I went through that bugreport, particularly this section...
>>
>> OK, I think I found the error. On the logs I get something like this
>> *before* the failing dirsrv restart:
>>
>> 2017-01-14T03:41:28Z DEBUG   [27/44]: retrieving DS Certificate
>> 2017-01-14T03:41:28Z DEBUG Loading Index file from
>> '/var/lib/ipa/sysrestore/sysrestore.index'
>> 2017-01-14T03:41:28Z DEBUG Starting external process
>> 2017-01-14T03:41:28Z DEBUG args=/usr/bin/certutil -d
>> /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n EXAMPLE.COM 
>> IPA CA -a
>> 2017-01-14T03:41:28Z DEBUG Process finished, return code=255
>> 2017-01-14T03:41:28Z DEBUG stdout=
>> 2017-01-14T03:41:28Z DEBUG stderr=certutil: Could not find cert:
>> EXAMPLE.COM  IPA CA
>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>
>>
> Hi,
>
> this error shows that the server certificate for the LDAP server is not
> present in the NSS database. I am pretty sure that if you run
> $ getcert list -d /etc/dirsrv/slapd-DOMAIN
> you will get an error like this one:
> status: CA_UNREACHABLE
> ca-error: Server at https://ipa.EXAMPLE.COM/ipa/xml failed
> request, will retry: 4301 (RPC failed at server.  Certificate operation
> cannot be completed: Unable to communicate with CMS (503)).
>
> Make sure that the file /etc/pki/pki-tomcat/server.xml (on all the
> masters) defines the AJP connector like this:
>  protocol="AJP/1.3"
> redirectPort="8443"
> address="localhost" />
> and that the /etc/hosts file (on all the masters) properly defines
> localhost:
> 127.0.0.1   localhost localhost.localdomain localhost4
> localhost4.localdomain4
> ::1 localhost localhost.localdomain localhost6
> localhost6.localdomain6
> Then restart the PKI service on the masters:
> systemctl stop pki-tomcatd@pki-tomcat.service
>
> After this, you should be able to re-run ipa-replica-install without any
> problem.
> HTH,
> Flo.
>
> So, when the process stopped, I ran the command again:
>>
>> # /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n EXAMPLE.COM IPA CA -a
>> certutil: Could not find cert: EXAMPLE.COM 
>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>
>> and thought "wait... something is missing there":
>>
>> # /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n "EXAMPLE.COM
>>  IPA CA" -a
>> -BEGIN CERTIFICATE-
>> 
>> -END CERTIFICATE-
>>
>> So, could this be the problem?
>>
>>
>> ...and indeed when I run
>>
>> [tiemen@copernicum ipapython]$ sudo /usr/bin/certutil -d
>> /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n IPA.RDMEDIA.COM
>>  IPA CA -a
>> [sudo] password for tiemen:
>> certutil: Could not find cert: IPA.RDMEDIA.COM
>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>
>>
>> and when I run
>>
>> [tiemen@copernicum ipapython]$ sudo /usr/bin/certutil -d
>> /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n "IPA.RDMEDIA.COM
>>  IPA CA" -a
>> -BEGIN CERTIFICATE-
>> 
>> -END CERTIFICATE-
>>
>> valid certificate output. Where can I change this command to quote this
>> string?
>>
>>
>> On 16 February 2017 at 17:29, Jeff Goddard wrote:
>>
>> Might be another instance of this:
>> https://fedorahosted.org/freeipa/ticket/6613
>> 
>>
>> Jeff
>>
>> On Thu, Feb 16, 2017 at 11:21 AM, Tiemen Ruiten wrote:
>>
>> Hello,
>>
>> I'm trying to add a third replica to a FreeIPA 4.4 domain (level
>> 1), but I'm getting this error:
>>
>> [tiemen@copernicum ~]$ sudo ipa-replica-install -P admin -w
>> 
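
The `getcert list` output quoted in this message is what certmonger reports once the request to the IPA CA fails (status CA_UNREACHABLE, with the RPC code and the missing CA id buried in ca-error). As an added example, not code from the thread, from FreeIPA or from certmonger, here is a small parser that turns that text into records and pulls the RPC code, the CA id and the NSS nickname out, so the same check can be run over every master's tracked requests. The parsing rules (one "Request ID '...':" header per request, then "key: value" lines) are assumptions about the format shown here; the first sample record is the thread's own output with the mail wrapping and emphasis asterisks removed, the second is a constructed healthy record standing in for the other tracked request the "2" count implies but the message does not show.

```python
"""Parse `getcert list` output and flag requests certmonger cannot complete.

Added example, not code from the thread, FreeIPA or certmonger. The format
rules below are assumptions about the text shown in the thread; the second
request record is constructed.
"""
import re

SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20170217130857':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://moscovium.ipa.rdmedia.com/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: FAILURE (CA not found: 1ba8130c-56b8-4bd9-ae8a-8b0333d71b80)).
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-RDMEDIA-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-RDMEDIA-COM//pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-RDMEDIA-COM',nickname='Server-Cert'
\tCA: IPA
\tissuer:
\tsubject:
\texpires: unknown
\tpre-save command:
\tpost-save command:
\ttrack: yes
\tauto-renew: yes
Request ID '20170101000000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/tmp/constructed-nssdb',nickname='Example-Cert'
\tcertificate: type=NSSDB,location='/tmp/constructed-nssdb',nickname='Example-Cert'
\tCA: IPA
\texpires: 2019-01-01 00:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""
# (second record above is constructed: a healthy request for contrast)

REQUEST_RE = re.compile(r"^Request ID '([^']+)':\s*$")
FIELD_RE = re.compile(r"^\s*([^:]+?):\s?(.*)$")      # split on the first colon only
RPC_CODE_RE = re.compile(r"will retry: (\d+)")
CA_ID_RE = re.compile(r"CA not found: ([0-9a-f-]{36})")
NICKNAME_RE = re.compile(r"nickname='([^']*)'")
HEALTHY_STATES = {"MONITORING"}


def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by the getcert field names."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        if current is None:               # preamble such as the "Number of ..." line
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    return requests


def nickname_of(request):
    """NSS nickname from the 'certificate' field (Server-Cert for the DS cert)."""
    m = NICKNAME_RE.search(request.get("certificate", ""))
    return m.group(1) if m else None


def problem_requests(requests):
    """Requests that are stuck or not in a healthy state, with the RPC code and
    the CA id certmonger could not find extracted from ca-error so they can be
    compared against the CA configuration on the masters."""
    problems = []
    for r in requests:
        status = r.get("status", "")
        stuck = r.get("stuck", "no") == "yes"
        if status in HEALTHY_STATES and not stuck:
            continue
        ca_error = r.get("ca-error", "")
        rpc = RPC_CODE_RE.search(ca_error)
        ca_id = CA_ID_RE.search(ca_error)
        problems.append({
            "request_id": r["request_id"],
            "nickname": nickname_of(r),
            "status": status,
            "stuck": stuck,
            "rpc_code": int(rpc.group(1)) if rpc else None,
            "ca_id": ca_id.group(1) if ca_id else None,
            "ca_error": ca_error,
        })
    return problems


if __name__ == "__main__":
    # Pipe real output in with: getcert list -d /etc/dirsrv/slapd-DOMAIN | python3 this.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GETCERT_OUTPUT
    for p in problem_requests(parse_getcert_list(text)):
        print(f"{p['request_id']} {p['nickname']}: {p['status']} "
              f"rpc={p['rpc_code']} ca_id={p['ca_id']}")
```

The CA id that problem_requests extracts is the value worth chasing: it is the id the replica's certmonger asked the master for and the master answered "CA not found", so the next question is whether that id exists in the CA configuration on the master that served the request.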

Re: [Freeipa-users] can't add replica: failed to start the directory server

2017-02-20 Thread Florence Blanc-Renaud

On 02/17/2017 10:36 AM, Tiemen Ruiten wrote:

I went through that bugreport, particularly this section...

OK, I think I found the error. On the logs I get something like this
*before* the failing dirsrv restart:

2017-01-14T03:41:28Z DEBUG   [27/44]: retrieving DS Certificate
2017-01-14T03:41:28Z DEBUG Loading Index file from 
'/var/lib/ipa/sysrestore/sysrestore.index'
2017-01-14T03:41:28Z DEBUG Starting external process
2017-01-14T03:41:28Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ 
-L -n EXAMPLE.COM  IPA CA -a
2017-01-14T03:41:28Z DEBUG Process finished, return code=255
2017-01-14T03:41:28Z DEBUG stdout=
2017-01-14T03:41:28Z DEBUG stderr=certutil: Could not find cert: EXAMPLE.COM 
 IPA CA
: PR_FILE_NOT_FOUND_ERROR: File not found

Hi,

this error shows that the server certificate for the LDAP server is not 
present in the NSS database. I am pretty sure that if you run

$ getcert list -d /etc/dirsrv/slapd-DOMAIN
you will get an error like this one:
status: CA_UNREACHABLE
	ca-error: Server at https://ipa.EXAMPLE.COM/ipa/xml failed request, 
will retry: 4301 (RPC failed at server.  Certificate operation cannot be 
completed: Unable to communicate with CMS (503)).


Make sure that the file /etc/pki/pki-tomcat/server.xml (on all the 
masters) defines the AJP connector like this:


and that the /etc/hosts file (on all the masters) properly defines 
localhost:
127.0.0.1   localhost localhost.localdomain localhost4 
localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 
localhost6.localdomain6

Then restart the PKI service on the masters:
systemctl stop pki-tomcatd@pki-tomcat.service

After this, you should be able to re-run ipa-replica-install without any 
problem.

HTH,
Flo.


So, when the process stopped, I ran the command again:

# /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n EXAMPLE.COM 
 IPA CA -a
certutil: Could not find cert: EXAMPLE.COM 
: PR_FILE_NOT_FOUND_ERROR: File not found

and thought "wait... something is missing there":

# /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n "EXAMPLE.COM 
 IPA CA" -a
-BEGIN CERTIFICATE-

-END CERTIFICATE-

So, could this be the problem?


...and indeed when I run

[tiemen@copernicum ipapython]$ sudo /usr/bin/certutil -d
/etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n IPA.RDMEDIA.COM
 IPA CA -a
[sudo] password for tiemen:
certutil: Could not find cert: IPA.RDMEDIA.COM 
: PR_FILE_NOT_FOUND_ERROR: File not found


and when I run

[tiemen@copernicum ipapython]$ sudo /usr/bin/certutil -d
/etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n "IPA.RDMEDIA.COM
 IPA CA" -a
-BEGIN CERTIFICATE-

-END CERTIFICATE-

valid certificate output. Where can I change this command to quote this
string?


On 16 February 2017 at 17:29, Jeff Goddard wrote:

Might be another instance of this:
https://fedorahosted.org/freeipa/ticket/6613


Jeff

On Thu, Feb 16, 2017 at 11:21 AM, Tiemen Ruiten wrote:

Hello,

I'm trying to add a third replica to a FreeIPA 4.4 domain (level
1), but I'm getting this error:

[tiemen@copernicum ~]$ sudo ipa-replica-install -P admin -w
"XX" --mkhomedir --setup-dns --forwarder 8.8.8.8
--forwarder 8.8.4.4
Checking DNS forwarders, please wait ...
Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/44]: creating directory server user
  [2/44]: creating directory server instance
  [3/44]: updating configuration in dse.ldif
  [4/44]: restarting directory server
  [5/44]: adding default schema
  [6/44]: enabling memberof plugin
  [7/44]: enabling winsync plugin
  [8/44]: configuring replication version plugin
  [9/44]: enabling IPA enrollment plugin
  [10/44]: enabling ldapi
  [11/44]: configuring uniqueness plugin
  [12/44]: configuring uuid plugin
  [13/44]: configuring modrdn plugin
  [14/44]: configuring DNS plugin
  [15/44]: enabling entryUSN plugin
  [16/44]: configuring lockout plugin
  [17/44]: configuring topology plugin
  [18/44]: creating indices
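
Flo's reply asks for two settings to be verified on every master: the AJP connector in /etc/pki/pki-tomcat/server.xml bound to "localhost", and /etc/hosts mapping both 127.0.0.1 and ::1 to localhost. As an added example, not code from the thread or from FreeIPA/Dogtag, here is a script that reads both files and reports any deviation, so the check can be run on each master before re-running ipa-replica-install. The server.xml and /etc/hosts samples are constructed: the thread shows only the protocol, redirectPort and address attributes of the connector, so port="8009" and the HTTPS connector next to it are assumed stand-ins, and the "bad" variants reproduce the two states mentioned earlier in the thread (the listener bound to "::1", and the ::1 line commented out of /etc/hosts).

```python
"""Verify the pki-tomcat AJP connector and the /etc/hosts loopback entries.

Added example, not code from the thread or from FreeIPA/Dogtag. Sample files
are constructed; port="8009" is an assumed value.
"""
import xml.etree.ElementTree as ET

GOOD_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="localhost"/>
  </Service>
</Server>
"""
# Constructed variant of the state reported in the thread: AJP listener bound to ::1.
BAD_SERVER_XML = GOOD_SERVER_XML.replace('address="localhost"', 'address="::1"')

GOOD_HOSTS = """\
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
"""
# Constructed variant: the ::1 line commented out.
BAD_HOSTS = GOOD_HOSTS.replace("::1 ", "#::1 ")


def ajp_connector_findings(server_xml):
    """Problems with the AJP connector(s) in server.xml; an empty list means OK."""
    root = ET.fromstring(server_xml)
    ajp = [c for c in root.iter("Connector")
           if c.get("protocol", "").upper().startswith("AJP")]
    findings = []
    if not ajp:
        findings.append("no AJP connector defined")
    for c in ajp:
        port = c.get("port", "?")
        address = c.get("address")
        if address is None:
            findings.append(f"AJP connector on port {port} has no address attribute")
        elif address != "localhost":
            findings.append(f"AJP connector on port {port} bound to {address!r}, "
                            f"expected 'localhost'")
        if c.get("redirectPort") != "8443":
            findings.append(f"AJP connector on port {port} has "
                            f"redirectPort={c.get('redirectPort')!r}, expected '8443'")
    return findings


def hosts_findings(hosts_text):
    """Loopback addresses in /etc/hosts that do not carry the name 'localhost'."""
    names = {"127.0.0.1": set(), "::1": set()}
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        address, *aliases = line.split()
        if address in names:
            names[address].update(aliases)
    return [f"{address} does not resolve to localhost in /etc/hosts"
            for address in ("127.0.0.1", "::1") if "localhost" not in names[address]]


def check_master(server_xml, hosts_text):
    """Both checks for one master; an empty list means the settings match the reply."""
    return ajp_connector_findings(server_xml) + hosts_findings(hosts_text)


if __name__ == "__main__":
    # Usage: python3 this.py /etc/pki/pki-tomcat/server.xml /etc/hosts
    # With no arguments the constructed "bad" samples are checked instead.
    import sys
    if len(sys.argv) == 3:
        server_xml, hosts = (open(p).read() for p in sys.argv[1:3])
    else:
        server_xml, hosts = BAD_SERVER_XML, BAD_HOSTS
    print("\n".join(check_master(server_xml, hosts)) or "OK")
```

Run it on each master in turn; a finding on any one of them matters, because the replica's certificate request can be served by whichever master it reaches, which is why the reply says "on all the masters".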

Re: [Freeipa-users] can't add replica: failed to start the directory server

2017-02-20 Thread Tiemen Ruiten
Any help would be much appreciated! I really need to add this replica (and
others)...

On 17 February 2017 at 10:36, Tiemen Ruiten  wrote:

> I went through that bugreport, particularly this section...
>
> OK, I think I found the error. On the logs I get something like this
> *before* the failing dirsrv restart:
>
> 2017-01-14T03:41:28Z DEBUG   [27/44]: retrieving DS Certificate
> 2017-01-14T03:41:28Z DEBUG Loading Index file from 
> '/var/lib/ipa/sysrestore/sysrestore.index'
> 2017-01-14T03:41:28Z DEBUG Starting external process
> 2017-01-14T03:41:28Z DEBUG args=/usr/bin/certutil -d 
> /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n EXAMPLE.COM IPA CA -a
> 2017-01-14T03:41:28Z DEBUG Process finished, return code=255
> 2017-01-14T03:41:28Z DEBUG stdout=
> 2017-01-14T03:41:28Z DEBUG stderr=certutil: Could not find cert: EXAMPLE.COM 
> IPA CA
> : PR_FILE_NOT_FOUND_ERROR: File not found
>
> So, when the process stopped, I ran the command again:
>
> # /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n EXAMPLE.COM IPA 
> CA -a
> certutil: Could not find cert: EXAMPLE.COM
> : PR_FILE_NOT_FOUND_ERROR: File not found
>
>
> and thought "wait... something is missing there":
>
> # /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n "EXAMPLE.COM IPA 
> CA" -a
> -BEGIN CERTIFICATE-
> 
> -END CERTIFICATE-
>
> So, could this be the problem?
>
> ...and indeed when I run
>
> [tiemen@copernicum ipapython]$ sudo /usr/bin/certutil -d
>> /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n IPA.RDMEDIA.COM IPA CA -a
>> [sudo] password for tiemen:
>> certutil: Could not find cert: IPA.RDMEDIA.COM
>> : PR_FILE_NOT_FOUND_ERROR: File not found
>
>
> and when I run
>
> [tiemen@copernicum ipapython]$ sudo /usr/bin/certutil -d
> /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n "IPA.RDMEDIA.COM IPA CA" -a
> -BEGIN CERTIFICATE-
> 
> -END CERTIFICATE-
>
> valid certificate output. Where can I change this command to quote this
> string?
>
>
> On 16 February 2017 at 17:29, Jeff Goddard  wrote:
>
>> Might be another instance of this: https://fedorahosted.org/freeipa/ticket/6613
>>
>> Jeff
>>
>> On Thu, Feb 16, 2017 at 11:21 AM, Tiemen Ruiten 
>> wrote:
>>
>>> Hello,
>>>
>>> I'm trying to add a third replica to a FreeIPA 4.4 domain (level 1), but
>>> I'm getting this error:
>>>
>>> [tiemen@copernicum ~]$ sudo ipa-replica-install -P admin -w
 "XX" --mkhomedir --setup-dns --forwarder 8.8.8.8 --forwarder 
 8.8.4.4
 Checking DNS forwarders, please wait ...
 Run connection check to master
 Connection check OK
 Configuring NTP daemon (ntpd)
   [1/4]: stopping ntpd
   [2/4]: writing configuration
   [3/4]: configuring ntpd to start on boot
   [4/4]: starting ntpd
 Done configuring NTP daemon (ntpd).
 Configuring directory server (dirsrv). Estimated time: 1 minute
   [1/44]: creating directory server user
   [2/44]: creating directory server instance
   [3/44]: updating configuration in dse.ldif
   [4/44]: restarting directory server
   [5/44]: adding default schema
   [6/44]: enabling memberof plugin
   [7/44]: enabling winsync plugin
   [8/44]: configuring replication version plugin
   [9/44]: enabling IPA enrollment plugin
   [10/44]: enabling ldapi
   [11/44]: configuring uniqueness plugin
   [12/44]: configuring uuid plugin
   [13/44]: configuring modrdn plugin
   [14/44]: configuring DNS plugin
   [15/44]: enabling entryUSN plugin
   [16/44]: configuring lockout plugin
   [17/44]: configuring topology plugin
   [18/44]: creating indices
   [19/44]: enabling referential integrity plugin
   [20/44]: configuring certmap.conf
   [21/44]: configure autobind for root
   [22/44]: configure new location for managed entries
   [23/44]: configure dirsrv ccache
   [24/44]: enabling SASL mapping fallback
   [25/44]: restarting directory server
   [26/44]: creating DS keytab
   [27/44]: retrieving DS Certificate
   [28/44]: restarting directory server
 ipa : CRITICAL Failed to restart the directory server (Command
 '/bin/systemctl restart dirsrv@IPA-RDMEDIA-COM.service' returned
 non-zero exit status 1). See the installation log for details.
   [29/44]: setting up initial replication
   [error] error: [Errno 111] Connection refused
 Your system may be partly configured.
 Run /usr/sbin/ipa-server-install --uninstall to clean up.
 ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno 111]
 Connection refused
 ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
 ipa-replica-install command failed. See /var/log/ipareplica-install.log
 for more information
>>>
>>>
>>> In /var/log/ipareplica-install.log we find:
>>>
>>> 2017-02-16T15:53:59Z DEBUG   [27/44]: retrieving DS Certificate
 2017-02-16T15:53:59Z DEBUG Loading Index file from

Re: [Freeipa-users] can't add replica: failed to start the directory server

2017-02-17 Thread Tiemen Ruiten
I went through that bugreport, particularly this section...

OK, I think I found the error. On the logs I get something like this
*before* the failing dirsrv restart:

2017-01-14T03:41:28Z DEBUG   [27/44]: retrieving DS Certificate
2017-01-14T03:41:28Z DEBUG Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
2017-01-14T03:41:28Z DEBUG Starting external process
2017-01-14T03:41:28Z DEBUG args=/usr/bin/certutil -d
/etc/dirsrv/slapd-EXAMPLE-COM/ -L -n EXAMPLE.COM IPA CA -a
2017-01-14T03:41:28Z DEBUG Process finished, return code=255
2017-01-14T03:41:28Z DEBUG stdout=
2017-01-14T03:41:28Z DEBUG stderr=certutil: Could not find cert:
EXAMPLE.COM IPA CA
: PR_FILE_NOT_FOUND_ERROR: File not found

So, when the process stopped, I ran the command again:

# /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n
EXAMPLE.COM IPA CA -a
certutil: Could not find cert: EXAMPLE.COM
: PR_FILE_NOT_FOUND_ERROR: File not found


and thought "wait... something is missing there":

# /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n
"EXAMPLE.COM IPA CA" -a
-BEGIN CERTIFICATE-

-END CERTIFICATE-

So, could this be the problem?

...and indeed when I run

[tiemen@copernicum ipapython]$ sudo /usr/bin/certutil -d
> /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n IPA.RDMEDIA.COM IPA CA -a
> [sudo] password for tiemen:
> certutil: Could not find cert: IPA.RDMEDIA.COM
> : PR_FILE_NOT_FOUND_ERROR: File not found


and when I run

[tiemen@copernicum ipapython]$ sudo /usr/bin/certutil -d
/etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n "IPA.RDMEDIA.COM IPA CA" -a
-BEGIN CERTIFICATE-

-END CERTIFICATE-

valid certificate output. Where can I change this command to quote this
string?


On 16 February 2017 at 17:29, Jeff Goddard  wrote:

> Might be another instance of this: https://fedorahosted.org/freeipa/ticket/6613
>
> Jeff
>
> On Thu, Feb 16, 2017 at 11:21 AM, Tiemen Ruiten 
> wrote:
>
>> Hello,
>>
>> I'm trying to add a third replica to a FreeIPA 4.4 domain (level 1), but
>> I'm getting this error:
>>
>> [tiemen@copernicum ~]$ sudo ipa-replica-install -P admin -w "XX"
>>> --mkhomedir --setup-dns --forwarder 8.8.8.8 --forwarder 8.8.4.4
>>> Checking DNS forwarders, please wait ...
>>> Run connection check to master
>>> Connection check OK
>>> Configuring NTP daemon (ntpd)
>>>   [1/4]: stopping ntpd
>>>   [2/4]: writing configuration
>>>   [3/4]: configuring ntpd to start on boot
>>>   [4/4]: starting ntpd
>>> Done configuring NTP daemon (ntpd).
>>> Configuring directory server (dirsrv). Estimated time: 1 minute
>>>   [1/44]: creating directory server user
>>>   [2/44]: creating directory server instance
>>>   [3/44]: updating configuration in dse.ldif
>>>   [4/44]: restarting directory server
>>>   [5/44]: adding default schema
>>>   [6/44]: enabling memberof plugin
>>>   [7/44]: enabling winsync plugin
>>>   [8/44]: configuring replication version plugin
>>>   [9/44]: enabling IPA enrollment plugin
>>>   [10/44]: enabling ldapi
>>>   [11/44]: configuring uniqueness plugin
>>>   [12/44]: configuring uuid plugin
>>>   [13/44]: configuring modrdn plugin
>>>   [14/44]: configuring DNS plugin
>>>   [15/44]: enabling entryUSN plugin
>>>   [16/44]: configuring lockout plugin
>>>   [17/44]: configuring topology plugin
>>>   [18/44]: creating indices
>>>   [19/44]: enabling referential integrity plugin
>>>   [20/44]: configuring certmap.conf
>>>   [21/44]: configure autobind for root
>>>   [22/44]: configure new location for managed entries
>>>   [23/44]: configure dirsrv ccache
>>>   [24/44]: enabling SASL mapping fallback
>>>   [25/44]: restarting directory server
>>>   [26/44]: creating DS keytab
>>>   [27/44]: retrieving DS Certificate
>>>   [28/44]: restarting directory server
>>> ipa : CRITICAL Failed to restart the directory server (Command
>>> '/bin/systemctl restart dirsrv@IPA-RDMEDIA-COM.service' returned
>>> non-zero exit status 1). See the installation log for details.
>>>   [29/44]: setting up initial replication
>>>   [error] error: [Errno 111] Connection refused
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno 111]
>>> Connection refused
>>> ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
>>> ipa-replica-install command failed. See /var/log/ipareplica-install.log
>>> for more information
>>
>>
>> In /var/log/ipareplica-install.log we find:
>>
>> 2017-02-16T15:53:59Z DEBUG   [27/44]: retrieving DS Certificate
>>> 2017-02-16T15:53:59Z DEBUG Loading Index file from
>>> '/var/lib/ipa/sysrestore/sysrestore.index'
>>> 2017-02-16T15:53:59Z DEBUG Starting external process
>>> 2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d
>>> /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n IPA.RDMEDIA.COM IPA CA -a
>>> 2017-02-16T15:53:59Z DEBUG Process finished, return code=255
>>> 2017-02-16T15:53:59Z DEBUG stdout=
>>>
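
The question at the end of this message, where to quote the nickname, turns on the difference between an argv list and a shell command line. As an added example, not code from the thread or from FreeIPA, the block below shows both forms side by side and adds a check of a `certutil -L` listing for the nicknames the installer expects. Two assumptions are built in: that the installer hands certutil an argv list, so "EXAMPLE.COM IPA CA" is a single element whatever spaces it contains, and that it logs that list joined with spaces, which is what makes the "args=" line in the log look unquoted; the listing text is constructed in certutil's usual tabular layout, with nicknames taken from the thread.

```python
"""argv vs. shell quoting for an NSS nickname with spaces, plus a check that a
`certutil -L` listing contains the nicknames the installer will look for.

Added example, not code from the thread or from FreeIPA. Assumed: the
installer passes certutil an argv list and logs it space-joined. The
listing text is constructed.
"""
import re
import shlex


def certutil_list_argv(dbdir, nickname):
    """argv for `certutil -L -n <nickname> -a`; the nickname is one element."""
    return ["/usr/bin/certutil", "-d", dbdir, "-L", "-n", nickname, "-a"]


def logged_args_line(argv):
    """An installer-style 'args=' log line (assumed: a plain space join)."""
    return "args=" + " ".join(argv)


def shell_command(argv):
    """The same invocation as it must be typed at a shell prompt: shlex.quote
    supplies the quotes the log line lacks, so the shell keeps the nickname whole."""
    return " ".join(shlex.quote(a) for a in argv)


def word_count(command_line):
    """How many arguments a POSIX shell would pass for this command line."""
    return len(shlex.split(command_line))


# Constructed `certutil -L` listing (no -n) for a DS database that already
# holds both the CA certificate and the server certificate.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
Server-Cert                                                  u,u,u
"""
# The same database before the CA certificate was imported.
SAMPLE_LISTING_BEFORE_IMPORT = "\n".join(
    line for line in SAMPLE_LISTING.splitlines() if "IPA CA" not in line) + "\n"

# Entry lines: a nickname (may contain single spaces), two or more spaces, trust flags.
ENTRY_RE = re.compile(r"^(\S.*?)\s{2,}(\S+)\s*$")


def parse_certutil_listing(text):
    """Map nickname -> trust flags. The header lines never match ENTRY_RE
    ('Trust Attributes' has a single space; the second line starts with
    whitespace), but the first header is guarded against anyway."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m and m.group(1) != "Certificate Nickname":
            entries[m.group(1)] = m.group(2)
    return entries


def missing_nicknames(listing_text, expected):
    """Nicknames from `expected` that are absent from the listing."""
    present = parse_certutil_listing(listing_text)
    return [n for n in expected if n not in present]


if __name__ == "__main__":
    argv = certutil_list_argv("/etc/dirsrv/slapd-EXAMPLE-COM/", "EXAMPLE.COM IPA CA")
    print(logged_args_line(argv))        # looks unquoted, but the list had 7 elements
    print(shell_command(argv))           # what to type by hand
    print(missing_nicknames(SAMPLE_LISTING_BEFORE_IMPORT,
                            ["EXAMPLE.COM IPA CA", "Server-Cert"]))
```

Reading the log through this lens, the "args=" line reproduces exactly and is not evidence of a quoting bug; it is the space-joined rendering of a list whose nickname element was intact. What the log does record is that the nickname was not in the database at that step, which is the same fact a listing check with missing_nicknames surfaces, and the thread's first post shows the installer importing the CA certificate right afterwards with `certutil -A`.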

Re: [Freeipa-users] can't add replica: failed to start the directory server

2017-02-16 Thread Carlos Silva
On Thu, Feb 16, 2017 at 5:23 PM, Tiemen Ruiten  wrote:

> @Jeff, I did see that on one of the existing masters the listener was
> configured to be "::1". I changed it to 127.0.0.1 but no difference. I
> commented the ::1 localhost entry in /etc/hosts on all three nodes, no
> difference either. My journal looks the same as in the bugreport you linked:
>

You did restart the service right? (Just to be sure)
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] can't add replica: failed to start the directory server

2017-02-16 Thread Tiemen Ruiten
Hello,

I'm trying to add a third replica to a FreeIPA 4.4 domain (level 1), but
I'm getting this error:

[tiemen@copernicum ~]$ sudo ipa-replica-install -P admin -w "XX"
> --mkhomedir --setup-dns --forwarder 8.8.8.8 --forwarder 8.8.4.4
> Checking DNS forwarders, please wait ...
> Run connection check to master
> Connection check OK
> Configuring NTP daemon (ntpd)
>   [1/4]: stopping ntpd
>   [2/4]: writing configuration
>   [3/4]: configuring ntpd to start on boot
>   [4/4]: starting ntpd
> Done configuring NTP daemon (ntpd).
> Configuring directory server (dirsrv). Estimated time: 1 minute
>   [1/44]: creating directory server user
>   [2/44]: creating directory server instance
>   [3/44]: updating configuration in dse.ldif
>   [4/44]: restarting directory server
>   [5/44]: adding default schema
>   [6/44]: enabling memberof plugin
>   [7/44]: enabling winsync plugin
>   [8/44]: configuring replication version plugin
>   [9/44]: enabling IPA enrollment plugin
>   [10/44]: enabling ldapi
>   [11/44]: configuring uniqueness plugin
>   [12/44]: configuring uuid plugin
>   [13/44]: configuring modrdn plugin
>   [14/44]: configuring DNS plugin
>   [15/44]: enabling entryUSN plugin
>   [16/44]: configuring lockout plugin
>   [17/44]: configuring topology plugin
>   [18/44]: creating indices
>   [19/44]: enabling referential integrity plugin
>   [20/44]: configuring certmap.conf
>   [21/44]: configure autobind for root
>   [22/44]: configure new location for managed entries
>   [23/44]: configure dirsrv ccache
>   [24/44]: enabling SASL mapping fallback
>   [25/44]: restarting directory server
>   [26/44]: creating DS keytab
>   [27/44]: retrieving DS Certificate
>   [28/44]: restarting directory server
> ipa : CRITICAL Failed to restart the directory server (Command
> '/bin/systemctl restart dirsrv@IPA-RDMEDIA-COM.service' returned non-zero
> exit status 1). See the installation log for details.
>   [29/44]: setting up initial replication
>   [error] error: [Errno 111] Connection refused
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno 111]
> Connection refused
> ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
> ipa-replica-install command failed. See /var/log/ipareplica-install.log for
> more information


In /var/log/ipareplica-install.log we find:

2017-02-16T15:53:59Z DEBUG   [27/44]: retrieving DS Certificate
> 2017-02-16T15:53:59Z DEBUG Loading Index file from
> '/var/lib/ipa/sysrestore/sysrestore.index'
> 2017-02-16T15:53:59Z DEBUG Starting external process
> 2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d
> /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n IPA.RDMEDIA.COM IPA CA -a
> 2017-02-16T15:53:59Z DEBUG Process finished, return code=255
> 2017-02-16T15:53:59Z DEBUG stdout=
>
> *2017-02-16T15:53:59Z DEBUG stderr=certutil: Could not find cert:
> IPA.RDMEDIA.COM  IPA CA: PR_FILE_NOT_FOUND_ERROR:
> File not found*
> 2017-02-16T15:53:59Z DEBUG Starting external process
> 2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d
> /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -N -f
> /etc/dirsrv/slapd-IPA-RDMEDIA-COM//pwdfile.txt
> 2017-02-16T15:53:59Z DEBUG Process finished, return code=0
> 2017-02-16T15:53:59Z DEBUG stdout=
> 2017-02-16T15:53:59Z DEBUG stderr=
> 2017-02-16T15:53:59Z DEBUG Starting external process
> 2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d
> /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -A -n IPA.RDMEDIA.COM IPA CA -t CT,C,C
> -a
> 2017-02-16T15:53:59Z DEBUG Process finished, return code=0
> 2017-02-16T15:53:59Z DEBUG stdout=
> 2017-02-16T15:53:59Z DEBUG stderr=
> 2017-02-16T15:53:59Z DEBUG certmonger request is in state
> dbus.String(u'NEWLY_ADDED_READING_KEYINFO', variant_level=1)
> 2017-02-16T15:54:04Z DEBUG certmonger request is in state
> dbus.String(u'CA_UNREACHABLE', variant_level=1)
> 2017-02-16T15:54:04Z DEBUG flushing
> ldapi://%2fvar%2frun%2fslapd-IPA-RDMEDIA-COM.socket from SchemaCache
> 2017-02-16T15:54:04Z DEBUG retrieving schema for SchemaCache
> url=ldapi://%2fvar%2frun%2fslapd-IPA-RDMEDIA-COM.socket
> conn=
> 2017-02-16T15:54:05Z DEBUG   duration: 5 seconds
> 2017-02-16T15:54:05Z DEBUG   [28/44]: restarting directory server
> 2017-02-16T15:54:05Z DEBUG Starting external process
> 2017-02-16T15:54:05Z DEBUG args=/bin/systemctl --system daemon-reload
> 2017-02-16T15:54:05Z DEBUG Process finished, return code=0
> 2017-02-16T15:54:05Z DEBUG stdout=
> 2017-02-16T15:54:05Z DEBUG stderr=
> 2017-02-16T15:54:05Z DEBUG Starting external process
> 2017-02-16T15:54:05Z DEBUG args=/bin/systemctl restart
> dirsrv@IPA-RDMEDIA-COM.service
> 2017-02-16T15:54:06Z DEBUG Process finished, return code=1
> 2017-02-16T15:54:06Z DEBUG stdout=
> 2017-02-16T15:54:06Z DEBUG stderr=Job for dirsrv@IPA-RDMEDIA-COM.service
> failed because the control process exited with error code. See "systemctl
> status dirsrv@IPA-RDMEDIA-COM.service" and 

Re: [Freeipa-users] can't add replica: failed to start the directory server

2017-02-16 Thread Martin Basti



On 16.02.2017 17:21, Tiemen Ruiten wrote:

Hello,

I'm trying to add a third replica to a FreeIPA 4.4 domain (level 1), 
but I'm getting this error:


[tiemen@copernicum ~]$ sudo ipa-replica-install -P admin -w
"XX" --mkhomedir --setup-dns --forwarder 8.8.8.8
--forwarder 8.8.4.4
Checking DNS forwarders, please wait ...
Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/44]: creating directory server user
  [2/44]: creating directory server instance
  [3/44]: updating configuration in dse.ldif
  [4/44]: restarting directory server
  [5/44]: adding default schema
  [6/44]: enabling memberof plugin
  [7/44]: enabling winsync plugin
  [8/44]: configuring replication version plugin
  [9/44]: enabling IPA enrollment plugin
  [10/44]: enabling ldapi
  [11/44]: configuring uniqueness plugin
  [12/44]: configuring uuid plugin
  [13/44]: configuring modrdn plugin
  [14/44]: configuring DNS plugin
  [15/44]: enabling entryUSN plugin
  [16/44]: configuring lockout plugin
  [17/44]: configuring topology plugin
  [18/44]: creating indices
  [19/44]: enabling referential integrity plugin
  [20/44]: configuring certmap.conf
  [21/44]: configure autobind for root
  [22/44]: configure new location for managed entries
  [23/44]: configure dirsrv ccache
  [24/44]: enabling SASL mapping fallback
  [25/44]: restarting directory server
  [26/44]: creating DS keytab
  [27/44]: retrieving DS Certificate
  [28/44]: restarting directory server
ipa : CRITICAL Failed to restart the directory server
(Command '/bin/systemctl restart dirsrv@IPA-RDMEDIA-COM.service'
returned non-zero exit status 1). See the installation log for
details.
  [29/44]: setting up initial replication
  [error] error: [Errno 111] Connection refused
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(Replica): ERROR  [Errno
111] Connection refused
ipa.ipapython.install.cli.install_tool(Replica): ERROR  The
ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information


In /var/log/ipareplica-install.log we find:

2017-02-16T15:53:59Z DEBUG   [27/44]: retrieving DS Certificate
2017-02-16T15:53:59Z DEBUG Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
2017-02-16T15:53:59Z DEBUG Starting external process
2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d
/etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n IPA.RDMEDIA.COM IPA CA -a
2017-02-16T15:53:59Z DEBUG Process finished, return code=255
2017-02-16T15:53:59Z DEBUG stdout=
2017-02-16T15:53:59Z DEBUG stderr=certutil: Could not find cert:
IPA.RDMEDIA.COM IPA CA: PR_FILE_NOT_FOUND_ERROR: File not found
2017-02-16T15:53:59Z DEBUG Starting external process
2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d
/etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -N -f
/etc/dirsrv/slapd-IPA-RDMEDIA-COM//pwdfile.txt
2017-02-16T15:53:59Z DEBUG Process finished, return code=0
2017-02-16T15:53:59Z DEBUG stdout=
2017-02-16T15:53:59Z DEBUG stderr=
2017-02-16T15:53:59Z DEBUG Starting external process
2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d
/etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -A -n IPA.RDMEDIA.COM IPA CA -t CT,C,C -a
2017-02-16T15:53:59Z DEBUG Process finished, return code=0
2017-02-16T15:53:59Z DEBUG stdout=
2017-02-16T15:53:59Z DEBUG stderr=
2017-02-16T15:53:59Z DEBUG certmonger request is in state
dbus.String(u'NEWLY_ADDED_READING_KEYINFO', variant_level=1)
2017-02-16T15:54:04Z DEBUG certmonger request is in state
dbus.String(u'CA_UNREACHABLE', variant_level=1)
2017-02-16T15:54:04Z DEBUG flushing
ldapi://%2fvar%2frun%2fslapd-IPA-RDMEDIA-COM.socket from SchemaCache
2017-02-16T15:54:04Z DEBUG retrieving schema for SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-IPA-RDMEDIA-COM.socket
conn=
2017-02-16T15:54:05Z DEBUG   duration: 5 seconds
2017-02-16T15:54:05Z DEBUG   [28/44]: restarting directory server
2017-02-16T15:54:05Z DEBUG Starting external process
2017-02-16T15:54:05Z DEBUG args=/bin/systemctl --system daemon-reload
2017-02-16T15:54:05Z DEBUG Process finished, return code=0
2017-02-16T15:54:05Z DEBUG stdout=
2017-02-16T15:54:05Z DEBUG stderr=
2017-02-16T15:54:05Z DEBUG Starting external process
2017-02-16T15:54:05Z DEBUG args=/bin/systemctl restart
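A pre-restart check of the replica's dirsrv NSS database, added here as an example (not FreeIPA's own code): it encodes the two conditions the log above shows failing before step [28/44], the "<REALM> IPA CA" nickname absent from the NSS DB and the certmonger request sitting in CA_UNREACHABLE instead of MONITORING, and reports them instead of letting the restart fail. The certutil and getcert outputs below are constructed samples modelled on the thread; the realm name is the one from the log.

```python
import re

# Constructed samples modelled on the thread's log, not output from a live system.
# certutil -L for the replica's dirsrv NSS DB while the install is failing:
# the "<REALM> IPA CA" nickname is not imported yet and no Server-Cert exists.
CERTUTIL_FAILING = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

"""
# The same DB on a healthy replica (constructed).
CERTUTIL_HEALTHY = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA.RDMEDIA.COM IPA CA                                       CT,C,C
Server-Cert                                                  u,u,u
"""
# getcert list -d <nssdb>, reduced to the lines the check reads (constructed).
GETCERT_FAILING = "Request ID '20170217130857':\n\tstatus: CA_UNREACHABLE\n\tstuck: no\n"
GETCERT_HEALTHY = "Request ID '20170217130857':\n\tstatus: MONITORING\n\tstuck: no\n"

# A certutil -L data row: nickname, two or more spaces, SSL,S/MIME,JAR/XPI trust flags.
_ROW = re.compile(r"^(\S.*?)\s{2,}([A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


def parse_certutil_list(text):
    """Map nickname -> trust flags from `certutil -d <nssdb> -L` output."""
    return {m.group(1): m.group(2) for m in map(_ROW.match, text.splitlines()) if m}


def certmonger_status(text):
    """Return the certmonger request status (MONITORING, CA_UNREACHABLE, ...) or None."""
    m = re.search(r"^\s*status:\s*(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None


def dirsrv_tls_preflight(certutil_out, getcert_out, realm):
    """List the reasons a TLS-enabled dirsrv restart would fail; empty list means ready."""
    certs = parse_certutil_list(certutil_out)
    problems = []
    ca_nick = f"{realm} IPA CA"
    if ca_nick not in certs:
        problems.append(f"CA certificate '{ca_nick}' missing from NSS DB")
    elif "C" not in certs[ca_nick].split(",")[0]:  # first field is the SSL trust slot
        problems.append(f"'{ca_nick}' is not trusted as an SSL CA (trust {certs[ca_nick]})")
    if "Server-Cert" not in certs:
        problems.append("Server-Cert not present: certmonger has not received a certificate")
    status = certmonger_status(getcert_out)
    if status != "MONITORING":
        problems.append(f"certmonger request status is {status}, expected MONITORING")
    return problems
```

On a real replica, feed it the output of `certutil -d /etc/dirsrv/slapd-<INSTANCE> -L` and `getcert list -d /etc/dirsrv/slapd-<INSTANCE>`; a non-empty result points at the CA-side problem to fix before re-running the install.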

Re: [Freeipa-users] can't add replica: failed to start the directory server

2017-02-16 Thread Jeff Goddard
Might be another instance of this:
https://fedorahosted.org/freeipa/ticket/6613

Jeff

On Thu, Feb 16, 2017 at 11:21 AM, Tiemen Ruiten 
wrote:

> Hello,
>
> I'm trying to add a third replica to a FreeIPA 4.4 domain (level 1), but
> I'm getting this error:
>
> [tiemen@copernicum ~]$ sudo ipa-replica-install -P admin -w "XX"
>> --mkhomedir --setup-dns --forwarder 8.8.8.8 --forwarder 8.8.4.4
>> Checking DNS forwarders, please wait ...
>> Run connection check to master
>> Connection check OK
>> Configuring NTP daemon (ntpd)
>>   [1/4]: stopping ntpd
>>   [2/4]: writing configuration
>>   [3/4]: configuring ntpd to start on boot
>>   [4/4]: starting ntpd
>> Done configuring NTP daemon (ntpd).
>> Configuring directory server (dirsrv). Estimated time: 1 minute
>>   [1/44]: creating directory server user
>>   [2/44]: creating directory server instance
>>   [3/44]: updating configuration in dse.ldif
>>   [4/44]: restarting directory server
>>   [5/44]: adding default schema
>>   [6/44]: enabling memberof plugin
>>   [7/44]: enabling winsync plugin
>>   [8/44]: configuring replication version plugin
>>   [9/44]: enabling IPA enrollment plugin
>>   [10/44]: enabling ldapi
>>   [11/44]: configuring uniqueness plugin
>>   [12/44]: configuring uuid plugin
>>   [13/44]: configuring modrdn plugin
>>   [14/44]: configuring DNS plugin
>>   [15/44]: enabling entryUSN plugin
>>   [16/44]: configuring lockout plugin
>>   [17/44]: configuring topology plugin
>>   [18/44]: creating indices
>>   [19/44]: enabling referential integrity plugin
>>   [20/44]: configuring certmap.conf
>>   [21/44]: configure autobind for root
>>   [22/44]: configure new location for managed entries
>>   [23/44]: configure dirsrv ccache
>>   [24/44]: enabling SASL mapping fallback
>>   [25/44]: restarting directory server
>>   [26/44]: creating DS keytab
>>   [27/44]: retrieving DS Certificate
>>   [28/44]: restarting directory server
>> ipa : CRITICAL Failed to restart the directory server (Command
>> '/bin/systemctl restart dirsrv@IPA-RDMEDIA-COM.service' returned
>> non-zero exit status 1). See the installation log for details.
>>   [29/44]: setting up initial replication
>>   [error] error: [Errno 111] Connection refused
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>> ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno 111]
>> Connection refused
>> ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
>> ipa-replica-install command failed. See /var/log/ipareplica-install.log
>> for more information
>
>
> In /var/log/ipareplica-install.log we find:
>
> 2017-02-16T15:53:59Z DEBUG   [27/44]: retrieving DS Certificate
>> 2017-02-16T15:53:59Z DEBUG Loading Index file from
>> '/var/lib/ipa/sysrestore/sysrestore.index'
>> 2017-02-16T15:53:59Z DEBUG Starting external process
>> 2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d
>> /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n IPA.RDMEDIA.COM IPA CA -a
>> 2017-02-16T15:53:59Z DEBUG Process finished, return code=255
>> 2017-02-16T15:53:59Z DEBUG stdout=
>>
>> 2017-02-16T15:53:59Z DEBUG stderr=certutil: Could not find cert:
>> IPA.RDMEDIA.COM IPA CA: PR_FILE_NOT_FOUND_ERROR: File not found
>> 2017-02-16T15:53:59Z DEBUG Starting external process
>> 2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d
>> /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -N -f /etc/dirsrv/slapd-IPA-RDMEDIA-
>> COM//pwdfile.txt
>> 2017-02-16T15:53:59Z DEBUG Process finished, return code=0
>> 2017-02-16T15:53:59Z DEBUG stdout=
>> 2017-02-16T15:53:59Z DEBUG stderr=
>> 2017-02-16T15:53:59Z DEBUG Starting external process
>> 2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d
>> /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -A -n IPA.RDMEDIA.COM IPA CA -t
>> CT,C,C -a
>> 2017-02-16T15:53:59Z DEBUG Process finished, return code=0
>> 2017-02-16T15:53:59Z DEBUG stdout=
>> 2017-02-16T15:53:59Z DEBUG stderr=
>> 2017-02-16T15:53:59Z DEBUG certmonger request is in state
>> dbus.String(u'NEWLY_ADDED_READING_KEYINFO', variant_level=1)
>> 2017-02-16T15:54:04Z DEBUG certmonger request is in state
>> dbus.String(u'CA_UNREACHABLE', variant_level=1)
>> 2017-02-16T15:54:04Z DEBUG flushing 
>> ldapi://%2fvar%2frun%2fslapd-IPA-RDMEDIA-COM.socket
>> from SchemaCache
>> 2017-02-16T15:54:04Z DEBUG retrieving schema for SchemaCache
>> url=ldapi://%2fvar%2frun%2fslapd-IPA-RDMEDIA-COM.socket
>> conn=
>> 2017-02-16T15:54:05Z DEBUG   duration: 5 seconds
>> 2017-02-16T15:54:05Z DEBUG   [28/44]: restarting directory server
>> 2017-02-16T15:54:05Z DEBUG Starting external process
>> 2017-02-16T15:54:05Z DEBUG args=/bin/systemctl --system daemon-reload
>> 2017-02-16T15:54:05Z DEBUG Process finished, return code=0
>> 2017-02-16T15:54:05Z DEBUG stdout=
>> 2017-02-16T15:54:05Z DEBUG stderr=
>> 2017-02-16T15:54:05Z DEBUG Starting external process
>> 2017-02-16T15:54:05Z DEBUG args=/bin/systemctl restart
>> dirsrv@IPA-RDMEDIA-COM.service
>>