Re: [Freeipa-users] Issue with replication install
Anybody with idea why my replication setup is hanging at stage 4 of the 11 stage process. # Configuring directory server for the CA: Estimated time 30 seconds [1/3]: creating directory server user [2/3]: creating directory server instance [3/3]: restarting directory server done configuring pkids. Configuring certificate server: Estimated time 6 minutes [1/11]: creating certificate server user [2/11]: creating pki-ca instance [3/11]: restarting certificate server [4/11]: configuring certificate server instance ### When I checked the pki-ca debug log, everything is okay until it gets to the this stage and it keeps repeating the last entry. [06/Jun/2011:16:00:13][http-9445-1]: DatabasePanel initializeConsumer: initializeConsumer host: company.domain.com port: 7389 [06/Jun/2011:16:00:13][http-9445-1]: DatabasePanel initializeConsumer: start modifying [06/Jun/2011:16:00:14][http-9445-1]: DatabasePanel initializeConsumer: Finish modification. [06/Jun/2011:16:00:14][http-9445-1]: DatabasePanel initializeConsumer: thread sleeping for 5 seconds. [06/Jun/2011:16:00:19][http-9445-1]: DatabasePanel initializeConsumer: finish sleeping. [06/Jun/2011:16:00:19][http-9445-1]: DatabasePanel initializeConsumer: Successfully initialize consumer [06/Jun/2011:16:00:19][http-9445-1]: DatabasePanel comparetAndWaitEntries checking ou=people,o=ipaca [06/Jun/2011:16:00:30][http-9445-1]: DatabasePanel comparetAndWaitEntries ou=people,o=ipaca not found, let's wait! [06/Jun/2011:16:00:35][http-9445-1]: DatabasePanel comparetAndWaitEntries checking ou=people,o=ipaca [06/Jun/2011:16:00:35][http-9445-1]: DatabasePanel comparetAndWaitEntries ou=people,o=ipaca not found, let's wait! If leave for hours, it will continue will keep repeating the last entry. In the catalina.out log, I get the following java execption ### INFO: Deploying web application directory ca Jun 6, 2011 3:58:36 PM org.apache.catalina.startup.Catalina stopServer SEVERE: Catalina.stop: java.net.ConnectException: Connection refused at java.net.PlainSocketImpl.socketConnect(Native Method) at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:327) at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:193) at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:180) at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:384) at java.net.Socket.connect(Socket.java:546) at java.net.Socket.connect(Socket.java:495) at java.net.Socket.init(Socket.java:392) at java.net.Socket.init(Socket.java:206) at org.apache.catalina.startup.Catalina.stopServer(Catalina.java:412) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:616) at org.apache.catalina.startup.Bootstrap.stopServer(Bootstrap.java:338) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:416) 32-bit osutil library loaded 32-bit osutil library loaded CMS Warning: FAILURE: Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate|FAILURE: authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value| Server is started. Jun 6, 2011 3:58:44 PM org.apache.catalina.startup.HostConfig deployDirectory INFO: Deploying web application directory ROOT # While this points to connection failure, I don't know why that is so because there is not firewall running on the two boxes, also I disabled selinux just to make sure but it did not make any difference. There is a bug number 643449 with this exception thrown here in bugzilla but that issue was supposed to be caused by missing xalan-j2-serializer.jar file in the tomcat5. This is tomcat6. Please any help will be appreciated. Thanks __Ide On Fri, Jun 3, 2011 at 2:32 PM, Uzor Ide ide4...@gmail.com wrote: I have corrected the problem with the ipa server, from the broken tomcat/pki-ca; The problem comes a sym link that was created during the setup of pki-ca from PKI-HOME for jakarta-commons-collections.jar to /usr/share/java/jakarta-commons-collections.jar. This file is a member of jakarta-commons-collections rpm package in fc14. In fc15 jakarta-commons-collections package appears to have been renamed to apache-commons-collections and an
Re: [Freeipa-users] Issue with replication install
Uzor Ide wrote: Anybody with idea why my replication setup is hanging at stage 4 of the 11 stage process. # Configuring directory server for the CA: Estimated time 30 seconds [1/3]: creating directory server user [2/3]: creating directory server instance [3/3]: restarting directory server done configuring pkids. Configuring certificate server: Estimated time 6 minutes [1/11]: creating certificate server user [2/11]: creating pki-ca instance [3/11]: restarting certificate server [4/11]: configuring certificate server instance ### When I checked the pki-ca debug log, everything is okay until it gets to the this stage and it keeps repeating the last entry. [06/Jun/2011:16:00:13][http-9445-1]: DatabasePanel initializeConsumer: initializeConsumer host: company.domain.com http://company.domain.com port: 7389 [06/Jun/2011:16:00:13][http-9445-1]: DatabasePanel initializeConsumer: start modifying [06/Jun/2011:16:00:14][http-9445-1]: DatabasePanel initializeConsumer: Finish modification. [06/Jun/2011:16:00:14][http-9445-1]: DatabasePanel initializeConsumer: thread sleeping for 5 seconds. [06/Jun/2011:16:00:19][http-9445-1]: DatabasePanel initializeConsumer: finish sleeping. [06/Jun/2011:16:00:19][http-9445-1]: DatabasePanel initializeConsumer: Successfully initialize consumer [06/Jun/2011:16:00:19][http-9445-1]: DatabasePanel comparetAndWaitEntries checking ou=people,o=ipaca [06/Jun/2011:16:00:30][http-9445-1]: DatabasePanel comparetAndWaitEntries ou=people,o=ipaca not found, let's wait! [06/Jun/2011:16:00:35][http-9445-1]: DatabasePanel comparetAndWaitEntries checking ou=people,o=ipaca [06/Jun/2011:16:00:35][http-9445-1]: DatabasePanel comparetAndWaitEntries ou=people,o=ipaca not found, let's wait! Can you reproduce this again and while it is looping like this telnet from the master to your replica on port 9445? Perhaps it is something else in the network, but something is preventing replication from proceeding. The 389-ds access and error logs on the master may hold some clues as well. If leave for hours, it will continue will keep repeating the last entry. In the catalina.out log, I get the following java execption ### INFO: Deploying web application directory ca Jun 6, 2011 3:58:36 PM org.apache.catalina.startup.Catalina stopServer SEVERE: Catalina.stop: java.net.ConnectException: Connection refused at java.net.PlainSocketImpl.socketConnect(Native Method) at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:327) at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:193) at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:180) at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:384) at java.net.Socket.connect(Socket.java:546) at java.net.Socket.connect(Socket.java:495) at java.net.Socket.init(Socket.java:392) at java.net.Socket.init(Socket.java:206) at org.apache.catalina.startup.Catalina.stopServer(Catalina.java:412) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:616) at org.apache.catalina.startup.Bootstrap.stopServer(Bootstrap.java:338) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:416) 32-bit osutil library loaded 32-bit osutil library loaded CMS Warning: FAILURE: Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate|FAILURE: authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value| Server is started. Jun 6, 2011 3:58:44 PM org.apache.catalina.startup.HostConfig deployDirectory INFO: Deploying web application directory ROOT # While this points to connection failure, I don't know why that is so because there is not firewall running on the two boxes, also I disabled selinux just to make sure but it did not make any difference. The backtrace is just tomcat being tomcat. If you ask tomcat to stop itself and it isn't running it throws this big scary message. This is not likely to be an SELinux issue, if it were you would see lots of AVCs in /var/log/audit/audit.log if you want to check. There is a bug number 643449 with this exception thrown here in bugzilla but that issue was supposed to be caused by
Re: [Freeipa-users] Issue with replication install
The IPA server is version 2.0.0 R3 which is supposed to install on fc14 with some packages from updates-testing repo, while the replica install is on server 2.0.1 Yes, there is no dogtagcert.p12 file; here are the files contained: realm_info/httpcert.p12 realm_info/cacert.p12 realm_info/ldappwd realm_info/ra.p12 realm_info/http_pin.txt realm_info/realm_info realm_info/configure.jar realm_info/dscert.p12 realm_info/dirsrv_pin.txt realm_info/pwdfile.txt.ori realm_info/pwdfile.txt realm_info/kpasswd.keytab realm_info/preferences.htm realm_info/ca.crt I have upgraded the IPA box to fc15 and freeipa-2.0.1 in the quest to get a correct replica package but that seems to have created another problem as it has broken the tomcat and thus pki-ca. Jun 3, 2011 10:09:29 AM org.apache.catalina.loader.WebappLoader start SEVERE: LifecycleException java.io.IOException: Failed to access resource /WEB-INF/lib/jakarta-commons-collections.jar at org.apache.catalina.loader.WebappLoader.setRepositories(WebappLoader.java:1050) at org.apache.catalina.loader.WebappLoader.start(WebappLoader.java:681) at org.apache.catalina.core.StandardContext.start(StandardContext.java:4541) at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:799) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:779) at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:546) at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041) at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964) at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502) at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277) at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321) at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142) at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1061) at org.apache.catalina.core.StandardHost.start(StandardHost.java:785) at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053) at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:463) at org.apache.catalina.core.StandardService.start(StandardService.java:525) at org.apache.catalina.core.StandardServer.start(StandardServer.java:701) at org.apache.catalina.startup.Catalina.start(Catalina.java:585) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:616) at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414) Caused by: javax.naming.NamingException: Resource jakarta-commons-collections.jar not found at org.apache.naming.resources.FileDirContext.lookup(FileDirContext.java:209) at org.apache.catalina.loader.WebappLoader.setRepositories(WebappLoader.java:1048) ... 24 more It seems to me that it is looking for jakarta-commons-collections.jar which exist but is a package from the old tomcat6-6.0.26. Thanks __Ide On Thu, Jun 2, 2011 at 11:08 AM, Rob Crittenden rcrit...@redhat.com wrote: Uzor Ide wrote: Thanks Rob I did run the certutil -L -d /etc/dirsrv/slapd-PKI-IPA command; the nssdb is empty If the CA cert is supposed to exist there at that stage of install, then that would be the problem. Both the slapd-PKI-IPA error and access does not contain much. I attached them herein with the ipareplica-install.log. How old is the prepared replica file, and was it created with an older version of IPA? In one of the last release candidates we started creating a separate SSL certificate for the 389-ds instance used by dogtag. I get the feeling that doesn't exist which would explain why SSL is failing. You can check by doing something like: # gpg -d replica-info-your-server.gpg | tar tvf - The file you're looking for is dogtagcert.p12 rob thanks Ide On Wed, Jun 1, 2011 at 11:40 AM, Rob Crittenden rcrit...@redhat.com mailto:rcrit...@redhat.com wrote: Uzor Ide wrote: Hi all We are trying to setup a backup IPA server and decided to toe that replication route. The box is a fedora 14 with freeipa-2.0-RC2 which I upgraded to fedora 15 and freeipa 2.0.1. Note we first did ipa-server-install --uninstall before upgrading the freeipa packages so as to make sure that the server is relatively clean. However when I run that ipa-replica-install command, I end up with the following error in the
Re: [Freeipa-users] Issue with replication install
Uzor Ide wrote: Thanks Rob I did run the certutil -L -d /etc/dirsrv/slapd-PKI-IPA command; the nssdb is empty If the CA cert is supposed to exist there at that stage of install, then that would be the problem. Both the slapd-PKI-IPA error and access does not contain much. I attached them herein with the ipareplica-install.log. How old is the prepared replica file, and was it created with an older version of IPA? In one of the last release candidates we started creating a separate SSL certificate for the 389-ds instance used by dogtag. I get the feeling that doesn't exist which would explain why SSL is failing. You can check by doing something like: # gpg -d replica-info-your-server.gpg | tar tvf - The file you're looking for is dogtagcert.p12 rob thanks Ide On Wed, Jun 1, 2011 at 11:40 AM, Rob Crittenden rcrit...@redhat.com mailto:rcrit...@redhat.com wrote: Uzor Ide wrote: Hi all We are trying to setup a backup IPA server and decided to toe that replication route. The box is a fedora 14 with freeipa-2.0-RC2 which I upgraded to fedora 15 and freeipa 2.0.1. Note we first did ipa-server-install --uninstall before upgrading the freeipa packages so as to make sure that the server is relatively clean. However when I run that ipa-replica-install command, I end up with the following error in the ipareplica-install.log 2011-05-31 23:54:33,352 DEBUG args=/sbin/service dirsrv restart PKI-IPA 2011-05-31 23:54:33,353 DEBUG stdout=Shutting down dirsrv: PKI-IPA...[ OK ] Starting dirsrv: PKI-IPA...[FAILED] *** Warning: 1 instance(s) failed to start 2011-05-31 23:54:33,354 DEBUG stderr=[31/May/2011:23:54:23 -0400] - SSL alert: Security Initialization: Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.) [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed. 2011-05-31 23:54:33,497 DEBUG args=/sbin/service dirsrv status 2011-05-31 23:54:33,500 DEBUG stdout=dirsrv PKI-IPA is stopped 2011-05-31 23:54:33,501 DEBUG stderr= 2011-05-31 23:54:33,502 CRITICAL Failed to restart the directory server. See the installation log for details. This are the tomcat rpms on the server tomcat5-servlet-2.4-api-5.5.31-3.fc15.noarch tomcat6-jsp-2.1-api-6.0.30-6.fc15.noarch tomcat6-6.0.30-6.fc15.noarch tomcat6-servlet-2.5-api-6.0.30-6.fc15.noarch tomcat6-lib-6.0.30-6.fc15.noarch tomcat6-el-2.1-api-6.0.30-6.fc15.noarch tomcatjss-2.1.1-1.fc15.noarch So the tomcat6 version is definitely greater than tomcat6-6-0.30-5. The /var/log/dirsrv/slapd-PKI-IPA/errors logs does not show any other thing different from same, [31/May/2011:23:54:23 -0400] - SSL alert: Security Initialization: Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.) [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed Any help will be greatly appreciated Ide I think we need more context. Can you compress and send /var/log/ipareplica-install.log ? I'd also suggest looking at /var/log/dirsrv/PKI-IPA/access and errors to see if there is anything interesting there. And can you provide the output for: certutil -L -d /etc/dirsrv/slapd-PKI-IPA It would seem that your 389-ds instance is missing a copy of the CA cert. thanks rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] Issue with replication install
Hi all We are trying to setup a backup IPA server and decided to toe that replication route. The box is a fedora 14 with freeipa-2.0-RC2 which I upgraded to fedora 15 and freeipa 2.0.1. Note we first did ipa-server-install --uninstall before upgrading the freeipa packages so as to make sure that the server is relatively clean. However when I run that ipa-replica-install command, I end up with the following error in the ipareplica-install.log 2011-05-31 23:54:33,352 DEBUG args=/sbin/service dirsrv restart PKI-IPA 2011-05-31 23:54:33,353 DEBUG stdout=Shutting down dirsrv: PKI-IPA...[ OK ] Starting dirsrv: PKI-IPA...[FAILED] *** Warning: 1 instance(s) failed to start 2011-05-31 23:54:33,354 DEBUG stderr=[31/May/2011:23:54:23 -0400] - SSL alert: Security Initialization: Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.) [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed. 2011-05-31 23:54:33,497 DEBUG args=/sbin/service dirsrv status 2011-05-31 23:54:33,500 DEBUG stdout=dirsrv PKI-IPA is stopped 2011-05-31 23:54:33,501 DEBUG stderr= 2011-05-31 23:54:33,502 CRITICAL Failed to restart the directory server. See the installation log for details. This are the tomcat rpms on the server tomcat5-servlet-2.4-api-5.5.31-3.fc15.noarch tomcat6-jsp-2.1-api-6.0.30-6.fc15.noarch tomcat6-6.0.30-6.fc15.noarch tomcat6-servlet-2.5-api-6.0.30-6.fc15.noarch tomcat6-lib-6.0.30-6.fc15.noarch tomcat6-el-2.1-api-6.0.30-6.fc15.noarch tomcatjss-2.1.1-1.fc15.noarch So the tomcat6 version is definitely greater than tomcat6-6-0.30-5. The /var/log/dirsrv/slapd-PKI-IPA/errors logs does not show any other thing different from same, [31/May/2011:23:54:23 -0400] - SSL alert: Security Initialization: Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.) [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed Any help will be greatly appreciated Ide ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Issue with replication install
Uzor Ide wrote: Hi all We are trying to setup a backup IPA server and decided to toe that replication route. The box is a fedora 14 with freeipa-2.0-RC2 which I upgraded to fedora 15 and freeipa 2.0.1. Note we first did ipa-server-install --uninstall before upgrading the freeipa packages so as to make sure that the server is relatively clean. However when I run that ipa-replica-install command, I end up with the following error in the ipareplica-install.log 2011-05-31 23:54:33,352 DEBUG args=/sbin/service dirsrv restart PKI-IPA 2011-05-31 23:54:33,353 DEBUG stdout=Shutting down dirsrv: PKI-IPA...[ OK ] Starting dirsrv: PKI-IPA...[FAILED] *** Warning: 1 instance(s) failed to start 2011-05-31 23:54:33,354 DEBUG stderr=[31/May/2011:23:54:23 -0400] - SSL alert: Security Initialization: Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.) [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed. 2011-05-31 23:54:33,497 DEBUG args=/sbin/service dirsrv status 2011-05-31 23:54:33,500 DEBUG stdout=dirsrv PKI-IPA is stopped 2011-05-31 23:54:33,501 DEBUG stderr= 2011-05-31 23:54:33,502 CRITICAL Failed to restart the directory server. See the installation log for details. This are the tomcat rpms on the server tomcat5-servlet-2.4-api-5.5.31-3.fc15.noarch tomcat6-jsp-2.1-api-6.0.30-6.fc15.noarch tomcat6-6.0.30-6.fc15.noarch tomcat6-servlet-2.5-api-6.0.30-6.fc15.noarch tomcat6-lib-6.0.30-6.fc15.noarch tomcat6-el-2.1-api-6.0.30-6.fc15.noarch tomcatjss-2.1.1-1.fc15.noarch So the tomcat6 version is definitely greater than tomcat6-6-0.30-5. The /var/log/dirsrv/slapd-PKI-IPA/errors logs does not show any other thing different from same, [31/May/2011:23:54:23 -0400] - SSL alert: Security Initialization: Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.) [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed Any help will be greatly appreciated Ide I think we need more context. Can you compress and send /var/log/ipareplica-install.log ? I'd also suggest looking at /var/log/dirsrv/PKI-IPA/access and errors to see if there is anything interesting there. And can you provide the output for: certutil -L -d /etc/dirsrv/slapd-PKI-IPA It would seem that your 389-ds instance is missing a copy of the CA cert. thanks rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Issue with replication install
Thanks Rob I did run the certutil -L -d /etc/dirsrv/slapd-PKI-IPA command; the nssdb is empty If the CA cert is supposed to exist there at that stage of install, then that would be the problem. Both the slapd-PKI-IPA error and access does not contain much. I attached them herein with the ipareplica-install.log. thanks Ide On Wed, Jun 1, 2011 at 11:40 AM, Rob Crittenden rcrit...@redhat.com wrote: Uzor Ide wrote: Hi all We are trying to setup a backup IPA server and decided to toe that replication route. The box is a fedora 14 with freeipa-2.0-RC2 which I upgraded to fedora 15 and freeipa 2.0.1. Note we first did ipa-server-install --uninstall before upgrading the freeipa packages so as to make sure that the server is relatively clean. However when I run that ipa-replica-install command, I end up with the following error in the ipareplica-install.log 2011-05-31 23:54:33,352 DEBUG args=/sbin/service dirsrv restart PKI-IPA 2011-05-31 23:54:33,353 DEBUG stdout=Shutting down dirsrv: PKI-IPA...[ OK ] Starting dirsrv: PKI-IPA...[FAILED] *** Warning: 1 instance(s) failed to start 2011-05-31 23:54:33,354 DEBUG stderr=[31/May/2011:23:54:23 -0400] - SSL alert: Security Initialization: Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.) [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed. 2011-05-31 23:54:33,497 DEBUG args=/sbin/service dirsrv status 2011-05-31 23:54:33,500 DEBUG stdout=dirsrv PKI-IPA is stopped 2011-05-31 23:54:33,501 DEBUG stderr= 2011-05-31 23:54:33,502 CRITICAL Failed to restart the directory server. See the installation log for details. This are the tomcat rpms on the server tomcat5-servlet-2.4-api-5.5.31-3.fc15.noarch tomcat6-jsp-2.1-api-6.0.30-6.fc15.noarch tomcat6-6.0.30-6.fc15.noarch tomcat6-servlet-2.5-api-6.0.30-6.fc15.noarch tomcat6-lib-6.0.30-6.fc15.noarch tomcat6-el-2.1-api-6.0.30-6.fc15.noarch tomcatjss-2.1.1-1.fc15.noarch So the tomcat6 version is definitely greater than tomcat6-6-0.30-5. The /var/log/dirsrv/slapd-PKI-IPA/errors logs does not show any other thing different from same, [31/May/2011:23:54:23 -0400] - SSL alert: Security Initialization: Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.) [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed Any help will be greatly appreciated Ide I think we need more context. Can you compress and send /var/log/ipareplica-install.log ? I'd also suggest looking at /var/log/dirsrv/PKI-IPA/access and errors to see if there is anything interesting there. And can you provide the output for: certutil -L -d /etc/dirsrv/slapd-PKI-IPA It would seem that your 389-ds instance is missing a copy of the CA cert. thanks rob ipainstallogs.tgz Description: GNU Zip compressed data ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Issue with replication install
On 06/01/2011 11:40 AM, Rob Crittenden wrote: Uzor Ide wrote: Hi all We are trying to setup a backup IPA server and decided to toe that replication route. The box is a fedora 14 with freeipa-2.0-RC2 which I upgraded to fedora 15 and freeipa 2.0.1. Note we first did ipa-server-install --uninstall before upgrading the freeipa packages so as to make sure that the server is relatively clean. However when I run that ipa-replica-install command, I end up with the following error in the ipareplica-install.log 2011-05-31 23:54:33,352 DEBUG args=/sbin/service dirsrv restart PKI-IPA 2011-05-31 23:54:33,353 DEBUG stdout=Shutting down dirsrv: PKI-IPA...[ OK ] Starting dirsrv: PKI-IPA...[FAILED] *** Warning: 1 instance(s) failed to start 2011-05-31 23:54:33,354 DEBUG stderr=[31/May/2011:23:54:23 -0400] - SSL alert: Security Initialization: Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.) [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed. 2011-05-31 23:54:33,497 DEBUG args=/sbin/service dirsrv status 2011-05-31 23:54:33,500 DEBUG stdout=dirsrv PKI-IPA is stopped 2011-05-31 23:54:33,501 DEBUG stderr= 2011-05-31 23:54:33,502 CRITICAL Failed to restart the directory server. See the installation log for details. This are the tomcat rpms on the server tomcat5-servlet-2.4-api-5.5.31-3.fc15.noarch tomcat6-jsp-2.1-api-6.0.30-6.fc15.noarch tomcat6-6.0.30-6.fc15.noarch tomcat6-servlet-2.5-api-6.0.30-6.fc15.noarch tomcat6-lib-6.0.30-6.fc15.noarch tomcat6-el-2.1-api-6.0.30-6.fc15.noarch tomcatjss-2.1.1-1.fc15.noarch So the tomcat6 version is definitely greater than tomcat6-6-0.30-5. The /var/log/dirsrv/slapd-PKI-IPA/errors logs does not show any other thing different from same, [31/May/2011:23:54:23 -0400] - SSL alert: Security Initialization: Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.) [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed Any help will be greatly appreciated Ide I think we need more context. Can you compress and send /var/log/ipareplica-install.log ? I'd also suggest looking at /var/log/dirsrv/PKI-IPA/access and errors to see if there is anything interesting there. And can you provide the output for: certutil -L -d /etc/dirsrv/slapd-PKI-IPA It would seem that your 389-ds instance is missing a copy of the CA cert. thanks rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users I just for the record, I did a similar thing yesterday. I had F14 with old ipa instance. I did ipa-server-install -- uninstall removed ipa packages Upgraded Fedora. Installed new IPA packages Ran install and hit a similar error. It seems that ipa-server uninstall does not destroy all the instances correctly for the PKI. So when the package is updated and the install is rerun it fails since there is a PKI DS instance. This might be a bug in the uninstall that we already fixed. To clean the system I ran the --uninstall several times. Each time it was failing but moving further. At some point it was successful and I was able to install. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
