Re: [Freeipa-users] ipa-replica-install: Certificate operation cannot be completed: Unable to communicate with CMS (503)
Hi Carlos,

On 14/02/2017 15:11, Carlos Silva wrote:
> It should be this problem: https://fedorahosted.org/freeipa/ticket/6613

Indeed this was the issue; changing in /etc/hosts

    ::1 localhost6.localdomain6 localhost6

to

    ::1 localhost localhost.localdomain localhost6.localdomain6 localhost6

made the ipa-replica-install work.

Thank you very much! I could have spent a long time further debugging this.

Regards,
Jens Timmerman

> On Tue, Feb 14, 2017 at 1:32 PM, Jens Timmerman <jens.timmer...@ugent.be> wrote:
> > [...]
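A preflight check for the /etc/hosts condition the fix above relies on. This is an added example, not code from the thread or from FreeIPA; the function names, the use of awk and the sample hosts contents are assumptions of the example. It verifies that the ::1 entry maps the name "localhost" and, when it does not, prints the file with the missing names added to that line (the same line that made the install work above), without touching anything else in the file.

```shell
#!/bin/sh
# Added example: check and repair the ::1 -> localhost mapping in a hosts file.
# The hosts file path is taken as an argument so the check can run on a copy.

# Return 0 when the ::1 entry in the given hosts file maps "localhost" as a
# whole token, 1 otherwise. Comments (# ...) are ignored before matching.
check_ipv6_localhost() {
    awk '
        { sub(/#.*/, "") }
        $1 == "::1" { for (i = 2; i <= NF; i++) if ($i == "localhost") found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Print the hosts file to stdout with "localhost localhost.localdomain"
# inserted after ::1 when that line does not already map "localhost".
# Every other line, and any ::1 line that is already correct, is printed
# unchanged, so the output can be diffed against the original before use.
add_ipv6_localhost() {
    awk '
        {
            names = $0; sub(/#.*/, "", names)
            n = split(names, f)
            if (n > 0 && f[1] == "::1") {
                has = 0
                for (i = 2; i <= n; i++) if (f[i] == "localhost") has = 1
                if (!has) sub(/^::1[ \t]+/, "::1 localhost localhost.localdomain ")
            }
            print
        }
    ' "$1"
}

# Stand-alone use: sh preflight.sh /etc/hosts
if [ $# -gt 0 ]; then
    if check_ipv6_localhost "$1"; then
        echo "$1: ::1 maps localhost, ok"
    else
        echo "$1: ::1 does not map localhost; proposed ::1 line:"
        add_ipv6_localhost "$1" | grep '^::1'
    fi
fi
```

Run it against /etc/hosts on the replica before ipa-replica-install; a file that only maps ::1 to localhost6.localdomain6 and localhost6, as in the failing setup above, is reported and the corrected line is printed for review.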
Re: [Freeipa-users] ipa-replica-install: Certificate operation cannot be completed: Unable to communicate with CMS (503)
It should be this problem: https://fedorahosted.org/freeipa/ticket/6613

On Tue, Feb 14, 2017 at 1:32 PM, Jens Timmerman wrote:
> [...]
[Freeipa-users] ipa-replica-install: Certificate operation cannot be completed: Unable to communicate with CMS (503)
Hi all,

I'm trying to set up a FreeIPA master server and a replica, on a fresh install of CentOS 7.3.

After running ipa-server-install on the master and running ipa-client-install on the replica, the ipa-replica-install command fails to restart the directory server.

Turns out this is because the DS Certificate was never received. It fails with status: CA_UNREACHABLE and I can't figure out why this is failing.

Could someone give me some pointers?

On the replica:

/var/log/ipareplica-install.log

    2017-02-14T12:21:20Z DEBUG certmonger request is in state dbus.String(u'NEWLY_ADDED_READING_KEYINFO', variant_level=1)
    2017-02-14T12:21:25Z DEBUG certmonger request is in state dbus.String(u'CA_UNREACHABLE', variant_level=1)
    2017-02-14T12:21:25Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-MY-REALM.socket from SchemaCache
    2017-02-14T12:21:25Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-MY-REALM.socket conn=
    2017-02-14T12:21:25Z DEBUG duration: 5 seconds
    2017-02-14T12:21:25Z DEBUG [28/44]: restarting directory server

    # getcert list
    Number of certificates and requests being tracked: 1.
    Request ID '20170214122119':
            status: CA_UNREACHABLE
            ca-error: Server at https:///ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (503)).
            stuck: no
            key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MY_REALM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MY_REALM//pwdfile.txt'
            certificate: type=NSSDB,location='/etc/dirsrv/slapd-MY_REALM',nickname='Server-Cert'
            CA: IPA
            issuer:
            subject:
            expires: unknown
            pre-save command:
            post-save command:
            track: yes
            auto-renew: yes

    # certutil -L -d /etc/dirsrv/slapd-MY_REALM/

    Certificate Nickname                            Trust Attributes
                                                    SSL,S/MIME,JAR/XPI

    MY_REALM IPA CA                                 CT,C,C

    # certutil -L -d /etc/httpd/alias/

    Certificate Nickname                            Trust Attributes
                                                    SSL,S/MIME,JAR/XPI

    cacert                                          CTu,Cu,Cu
    beta                                            u,pu,u
    alpha                                           u,pu,u
    Server-Cert                                     u,u,u

    # curl --negotiate -u : https://ipa-server/ipa/xml --referer https://ipa-server/ipa/xml -I
    HTTP/1.1 401 Unauthorized
    Date: Tue, 14 Feb 2017 12:07:02 GMT
    Server: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.4.0 mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5
    WWW-Authenticate: Negotiate
    X-Frame-Options: DENY
    Content-Security-Policy: frame-ancestors 'none'
    Last-Modified: Tue, 17 Jan 2017 17:34:23 GMT
    Accept-Ranges: bytes
    Content-Length: 1474
    Content-Type: text/html; charset=UTF-8

    HTTP/1.1 200 Success
    Date: Tue, 14 Feb 2017 12:07:02 GMT
    Server: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.4.0 mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5
    Set-Cookie: ipa_session=
    WWW-Authenticate: Negotiate
    X-Frame-Options: DENY
    Content-Security-Policy: frame-ancestors 'none'
    Vary: Accept-Encoding
    Content-Type: text/xml; charset=utf-8

On the ipa-server:

/var/log/pki/pki-tomcat/ca/debug

    [14/Feb/2017:13:20:15][Timer-0]: SessionTimer: run()
    [14/Feb/2017:13:20:15][Timer-0]: LDAPSecurityDomainSessionTable: getSessionIds()
    [14/Feb/2017:13:20:15][Timer-0]: LDAPSecurityDomainSessionTable: searching ou=sessions,ou=Security Domain,o=ipaca
    [14/Feb/2017:13:20:15][Timer-0]: In LdapBoundConnFactory::getConn()
    [14/Feb/2017:13:20:15][Timer-0]: masterConn is connected: true
    [14/Feb/2017:13:20:15][Timer-0]: getConn: conn is connected true
    [14/Feb/2017:13:20:15][Timer-0]: getConn: mNumConns now 2
    [14/Feb/2017:13:20:15][Timer-0]: SecurityDomainSessionTable: No active sessions.
    [14/Feb/2017:13:20:15][Timer-0]: returnConn: mNumConns now 3
    [14/Feb/2017:13:25:15][Timer-0]: SessionTimer: run()
    [14/Feb/2017:13:25:15][Timer-0]: LDAPSecurityDomainSessionTable: getSessionIds()
    [14/Feb/2017:13:25:15][Timer-0]: LDAPSecurityDomainSessionTable: searching ou=sessions,ou=Security Domain,o=ipaca
    [14/Feb/2017:13:25:15][Timer-0]: In LdapBoundConnFactory::getConn()
    [14/Feb/2017:13:25:15][Timer-0]: masterConn is connected: true
    [14/Feb/2017:13:25:15][Timer-0]: getConn: conn is connected true
    [14/Feb/2017:13:25:15][Timer-0]: getConn: mNumConns now 2
    [14/Feb/2017:13:25:15][Timer-0]: SecurityDomainSessionTable: No active sessions.
    [14/Feb/2017:13:25:15][Timer-0]: returnConn: mNumConns now 3

(so nothing at 13:21:14)

    ==> /var/log/pki/pki-tomcat/ca/selftests.log <==
    0.localhost-startStop-1 - [14/Feb/2017:10:20:14 CET] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
    0.localhost-startStop-1 - [14/Feb/2017:10:20:14 CET] [20] [1] SelfTestSubsystem
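A small triage helper for the `getcert list` output shown in the post. This is an added example, not part of the thread and not certmonger's or FreeIPA's own tooling; the function names, the awk parsing and the embedded sample output are assumptions of the example, and the sample uses the placeholder host name ipa-server from the curl command above. It reads saved `getcert list` output and reports every tracked request whose status is not MONITORING, together with its ca-error line, which is the line that carried the "Unable to communicate with CMS (503)" clue here.

```shell
#!/bin/sh
# Added example: report certmonger requests that are not in MONITORING state.
# Usage: getcert list > /tmp/getcert.txt; report_stuck_requests /tmp/getcert.txt
# With no argument the output is read from stdin.

report_stuck_requests() {
    awk '
        # A new request block starts: emit the previous one, then reset.
        /^Request ID/ {
            flush()
            id = $3; gsub(/[^0-9A-Za-z_-]/, "", id)   # strip quotes and colon
            status = ""; err = ""
        }
        /^[ \t]*status:/   { status = $2 }
        /^[ \t]*ca-error:/ { sub(/^[ \t]*ca-error:[ \t]*/, ""); err = $0 }
        END { flush() }

        # Print one line per request whose status is not MONITORING.
        function flush() {
            if (id == "" || status == "MONITORING") return
            if (err != "") printf "%s %s: %s\n", id, status, err
            else           printf "%s %s\n", id, status
        }
    ' "$@"
}

# Constructed sample of getcert list output (not captured from a real host):
# one request stuck at CA_UNREACHABLE, as in the post, and one healthy one.
sample_getcert_output() {
    cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20170214122119':
        status: CA_UNREACHABLE
        ca-error: Server at https://ipa-server/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (503)).
        stuck: no
        CA: IPA
Request ID '20170214120000':
        status: MONITORING
        stuck: no
        CA: IPA
EOF
}

# Stand-alone use: with a file argument report on it, otherwise on the sample.
if [ $# -gt 0 ]; then
    report_stuck_requests "$1"
fi
```

On the failing replica above this prints a single line for request 20170214122119 with status CA_UNREACHABLE and the 503 ca-error; healthy requests in MONITORING produce no output, so an empty result is the good case.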