Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
Hey,

I tried recreating the replica information and doing the ipa-replica-install and it's still failing at trying to start the replication.

I've also tried doing a force sync and it comes up with that generation ID error.

Matt

-----Original Message-----
From: Jatin Nansi [mailto:jna...@redhat.com]
Sent: Thursday, April 11, 2013 10:18 PM
To: Joseph, Matthew (EXP)
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors

On 04/11/2013 08:55 PM, Joseph, Matthew (EXP) wrote:
> Hey,
>
> Sorry, I didn't read your full message and realize you wanted all of the information for it.
>
> The Signature Algorithm is PKCS #1 SHA-256 with RSA Encryption.

OK, then it was just the CA certificate that was missing, the MD5 hash information that I provided does not apply.

About:

Replica Data has a different generation ID than the local data

It's probably best if you reinitialize the replica. If the ipa-replica-install script never completed, you could try creating a new replica information file from the existing IPA server and redo the whole replica installation.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
Hey,

Here is the output;

Server-Cert u,u,u

I am using nss-3-13.3-6

I am using the IPA CA.

Matt

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jatin Nansi
Sent: Wednesday, April 10, 2013 9:36 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors

On 04/10/2013 09:55 PM, Joseph, Matthew (EXP) wrote:
> Hey,
>
> I'm still trying to figure out this error but I am getting nothing.
>
> Anyone have any suggestions or ideas on why this is failing?
>
> Matt
>
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Joseph, Matthew (EXP)
> Sent: Monday, April 08, 2013 12:30 PM
> To: Nathan Kinder
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
>
> Hey,
>
> Yup, the client side says the following;
>
> Op=-1 fd=64 closed - Peer does not recognize and trust the CA that issued your certificate.
>
> Matt

Check the version of the nss package on your IPA server. There was a change that went into nss-3.14 that disables support for certificate signatures using the MD5 hash algorithm.

To check if you are using MD5 certificate signatures, use this command to examine the certificates -

certutil -L -d /etc/dirsrv/slapd-DOMAIN-CA/ Server-Cert

If this is the case, the workaround is to downgrade the nss package to version 3.13. The fix is to re-issue your certificates using the SHA256 hashes.

Are you using the IPA CA, or are you managing the CA independently of IPA?

--
Jatin Nansi
Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
Hey,

Sorry, I didn't read your full message and realize you wanted all of the information for it.

The Signature Algorithm is PKCS #1 SHA-256 with RSA Encryption.

Matt

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jatin Nansi
Sent: Wednesday, April 10, 2013 9:36 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors

On 04/10/2013 09:55 PM, Joseph, Matthew (EXP) wrote:
> [...]

Check the version of the nss package on your IPA server. There was a change that went into nss-3.14 that disables support for certificate signatures using the MD5 hash algorithm.

To check if you are using MD5 certificate signatures, use this command to examine the certificates -

certutil -L -d /etc/dirsrv/slapd-DOMAIN-CA/ Server-Cert

If this is the case, the workaround is to downgrade the nss package to version 3.13. The fix is to re-issue your certificates using the SHA256 hashes.

Are you using the IPA CA, or are you managing the CA independently of IPA?

--
Jatin Nansi
Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
Joseph, Matthew (EXP) wrote:
> Hey,
>
> Here is the output;
>
> Server-Cert u,u,u
>
> I am using nss-3-13.3-6
>
> I am using the IPA CA.

The thing is, the IPA CA isn't there for some reason, on either side. You should also have something like

EXAMPLE.COM IPA CA    CT,C,C

You might check the working master with something like:

certutil -V -u V -n Server-Cert -d /etc/dirsrv/slapd-REALM

That will validate the cert trust. I'd suspect it will fail. So you'd need to add the IPA CA.

certutil -A -n 'EXAMPLE.COM IPA CA' -d /etc/dirsrv/slapd-REALM -t CT,C,C -a -i /etc/ipa/ca.crt

This may address the symptom but how you ended up with the CA missing is baffling.

rob

> Matt
>
> -----Original Message-----
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jatin Nansi
> Sent: Wednesday, April 10, 2013 9:36 PM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
>
> [...]
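To make the comparison Rob suggests repeatable across a master and one or more replicas, here is a small Python helper (an added example, not code from this thread or from FreeIPA). It parses the text that `certutil -L -d <dbdir>` prints, flags a database that has a `Server-Cert` but no CA trusted to issue server certificates (`C` in the SSL trust slot, which is exactly the listing Matt posted), diffs a master's listing against a replica's, and builds the `certutil -A` argv Rob gives for whatever is missing. The two listings at the bottom are constructed to look like the outputs in this thread; the nickname `EXAMPLE.COM IPA CA`, the database directory and `/etc/ipa/ca.crt` are assumptions.

```python
"""Compare NSS certificate databases the way Rob suggests: parse `certutil -L`
output from the master and the replica and report what the replica is missing.
Added example, not FreeIPA code. The listings at the bottom are constructed."""
import re
import subprocess
from typing import Dict, List, NamedTuple


class Trust(NamedTuple):
    ssl: str     # trust flags for the SSL slot
    smime: str   # S/MIME slot
    jar: str     # JAR/XPI (object signing) slot


# A certificate row ends in three comma-separated flag groups, e.g. "CT,C,C" or
# "u,u,u"; an empty group is valid and means "no trust set". The two header lines
# certutil prints ("Certificate Nickname ... Trust Attributes" and
# "SSL,S/MIME,JAR/XPI") do not fit this shape and are skipped automatically.
_ROW = re.compile(
    r"^(?P<nick>.+?)\s+(?P<ssl>[pPcCTuw]*),(?P<smime>[pPcCTuw]*),(?P<jar>[pPcCTuw]*)\s*$"
)


def parse_certutil_listing(text: str) -> Dict[str, Trust]:
    """Map nickname -> Trust for every certificate row in `certutil -L` output."""
    entries: Dict[str, Trust] = {}
    for line in text.splitlines():
        m = _ROW.match(line.rstrip())
        if m:
            entries[m.group("nick").strip()] = Trust(m.group("ssl"), m.group("smime"), m.group("jar"))
    return entries


def trusted_cas(entries: Dict[str, Trust]) -> List[str]:
    """Nicknames trusted to issue server (SSL) certificates: 'C' in the SSL slot."""
    return [nick for nick, t in entries.items() if "C" in t.ssl]


def diagnose(entries: Dict[str, Trust], server_nick: str = "Server-Cert") -> List[str]:
    """Problems a replica install would trip over, as short codes (empty list = OK)."""
    problems: List[str] = []
    t = entries.get(server_nick)
    if t is None:
        problems.append("server-cert-missing")
    elif "u" not in t.ssl:
        problems.append("server-cert-has-no-private-key")
    if not trusted_cas(entries):
        # The state in this thread: only "Server-Cert u,u,u", no CA entry, so the
        # peer "does not recognize and trust the CA that issued your certificate".
        problems.append("no-trusted-ca")
    return problems


def missing_on_replica(master: Dict[str, Trust], replica: Dict[str, Trust]) -> Dict[str, Trust]:
    """Master entries that are absent, or carry weaker SSL trust, on the replica."""
    out: Dict[str, Trust] = {}
    for nick, t in master.items():
        r = replica.get(nick)
        if r is None or (set(t.ssl) - set(r.ssl)):
            out[nick] = t
    return out


def import_command(nick: str, trust: Trust, dbdir: str, pem_path: str = "/etc/ipa/ca.crt") -> List[str]:
    """argv for the `certutil -A` call Rob gives, built from a listing entry."""
    flags = f"{trust.ssl},{trust.smime},{trust.jar}"
    return ["certutil", "-A", "-n", nick, "-d", dbdir, "-t", flags, "-a", "-i", pem_path]


def list_db(dbdir: str) -> Dict[str, Trust]:
    """Run certutil against a real database (needs nss-tools; not used by the tests)."""
    out = subprocess.run(["certutil", "-L", "-d", dbdir], check=True, capture_output=True, text=True).stdout
    return parse_certutil_listing(out)


# Constructed listings shaped like the ones posted in the thread (not captured output).
MASTER_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
EXAMPLE.COM IPA CA                                           CT,C,C
"""

REPLICA_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
"""

if __name__ == "__main__":
    master = parse_certutil_listing(MASTER_LISTING)
    replica = parse_certutil_listing(REPLICA_LISTING)
    print("replica problems:", diagnose(replica))
    for nick, trust in missing_on_replica(master, replica).items():
        print("fix:", " ".join(import_command(nick, trust, "/etc/dirsrv/slapd-EXAMPLE-COM")))
```

On real hosts, replace the constructed listings with `list_db("/etc/dirsrv/slapd-REALM")` run on each side. Each 389-ds instance has its own NSS database, and the error log Matt quotes lives under `slapd-DOMAIN-CA`, so that instance's database needs the same check. In the trust string, `C` means the entry is a CA trusted to issue SSL server certificates, `T` the same for client certificates, and `u` means the database holds the private key for that certificate.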
Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
Hey,

Yes you are correct. For some reason my IPA CA certs were missing. I've added them back onto both the Server and Client so now I am back to getting the;

Replica Data has a different generation ID than the local data

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Thursday, April 11, 2013 10:13 AM
To: Joseph, Matthew (EXP); Jatin Nansi; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors

Joseph, Matthew (EXP) wrote:
> Hey,
>
> Here is the output;
>
> Server-Cert u,u,u
>
> I am using nss-3-13.3-6
>
> I am using the IPA CA.

The thing is, the IPA CA isn't there for some reason, on either side. You should also have something like

EXAMPLE.COM IPA CA    CT,C,C

You might check the working master with something like:

certutil -V -u V -n Server-Cert -d /etc/dirsrv/slapd-REALM

That will validate the cert trust. I'd suspect it will fail. So you'd need to add the IPA CA.

certutil -A -n 'EXAMPLE.COM IPA CA' -d /etc/dirsrv/slapd-REALM -t CT,C,C -a -i /etc/ipa/ca.crt

This may address the symptom but how you ended up with the CA missing is baffling.

rob

> Matt
>
> [...]
Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
On 04/11/2013 08:55 PM, Joseph, Matthew (EXP) wrote:
> Hey,
>
> Sorry, I didn't read your full message and realize you wanted all of the information for it.
>
> The Signature Algorithm is PKCS #1 SHA-256 with RSA Encryption.

OK, then it was just the CA certificate that was missing, the MD5 hash information that I provided does not apply.

About:

Replica Data has a different generation ID than the local data

It's probably best if you reinitialize the replica. If the ipa-replica-install script never completed, you could try creating a new replica information file from the existing IPA server and redo the whole replica installation.
Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
Joseph, Matthew (EXP) wrote:
> Hey,
>
> I'm still trying to figure out this error but I am getting nothing.
>
> Anyone have any suggestions or ideas on why this is failing?

Is there a chance you're using a replica file prepared from a different IPA installation?

I'd probably go ahead and use ipa-replica-prepare to create a new file and try installing that.

rob

> Matt
>
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Joseph, Matthew (EXP)
> Sent: Monday, April 08, 2013 12:30 PM
> To: Nathan Kinder
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
>
> Hey,
>
> Yup, the client side says the following;
>
> Op=-1 fd=64 closed - Peer does not recognize and trust the CA that issued your certificate.
>
> Matt
>
> From: Nathan Kinder [mailto:nkin...@redhat.com]
> Sent: Monday, April 08, 2013 12:28 PM
> To: Joseph, Matthew (EXP)
> Cc: freeipa-users@redhat.com
> Subject: Re: EXTERNAL: Re: [Freeipa-users] ipa-replica-install errors
>
> On 04/08/2013 07:16 AM, Joseph, Matthew (EXP) wrote:
> > Hey,
> >
> > So on the IPA server under the access logs I am getting the following error.
> >
> > Error: could not send startTLS request: Error -11 (connect error) errno 0 (success)
> >
> > Any ideas?
>
> Does the access log on the receiving side show a connection attempt from the master at the same time? The access log will be located at /var/log/dirsrv/slapd-DOMAIN/access.
>
> -NGK
>
> > Matt
> >
> > From: Nathan Kinder [mailto:nkin...@redhat.com]
> > Sent: Thursday, April 04, 2013 6:00 PM
> > To: Joseph, Matthew (EXP)
> > Cc: freeipa-users@redhat.com
> > Subject: EXTERNAL: Re: [Freeipa-users] ipa-replica-install errors
> >
> > [...]
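Nathan's question, quoted above, is whether the receiving side's access log shows the master connecting at the moment the master logged its startTLS failure. As an added example (not code from the thread or from 389-ds/FreeIPA), this Python script rebuilds each connection's lifecycle from access-log lines, picks out the connections that came from the master's address inside a time window, and flags the ones that closed with the TLS trust error Matt later found on the other side. The sample lines are constructed in the shape of 389 Directory Server access-log entries (`connection from`, `EXT oid=... name="startTLS"`, `closed - <reason>`); the addresses, timestamps and connection numbers are made up.

```python
"""Correlate 389-ds access-log entries on the receiving replica with the master's
connection attempts. Added example, not FreeIPA or 389-ds code. SAMPLE_ACCESS_LOG
is constructed in the shape of /var/log/dirsrv/slapd-DOMAIN/access lines."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional

# [08/Apr/2013:10:14:02 -0300] conn=12 fd=64 slot=64 connection from 192.168.1.1 to 192.168.1.2
CONN_OPEN = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) fd=\d+ slot=\d+ connection from (?P<src>\S+) to (?P<dst>\S+)"
)
# [08/Apr/2013:10:14:02 -0300] conn=12 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
OP_EXT = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=-?\d+ EXT oid=\"(?P<oid>[^\"]+)\"")
# [08/Apr/2013:10:14:02 -0300] conn=12 op=-1 fd=64 closed - Peer does not recognize and trust the CA ...
CONN_CLOSE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=-?\d+ fd=\d+ closed(?: - (?P<reason>.*))?$")

TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"
TRUST_ERROR = "does not recognize and trust the CA"


class Connection(NamedTuple):
    conn: int
    opened: datetime
    src: str
    start_tls: bool
    closed: Optional[datetime]
    reason: Optional[str]


def parse_ts(value: str) -> datetime:
    """Access-log timestamp ("08/Apr/2013:10:14:02 -0300") to an aware datetime."""
    return datetime.strptime(value, TS_FORMAT)


def parse_access_log(text: str) -> Dict[int, Connection]:
    """Rebuild each connection's lifecycle: open, whether startTLS was requested, close reason."""
    raw: Dict[int, dict] = {}
    for line in text.splitlines():
        m = CONN_OPEN.match(line)
        if m:
            raw[int(m["conn"])] = {"opened": parse_ts(m["ts"]), "src": m["src"],
                                   "start_tls": False, "closed": None, "reason": None}
            continue
        m = OP_EXT.match(line)
        if m and m["oid"] == STARTTLS_OID and int(m["conn"]) in raw:
            raw[int(m["conn"])]["start_tls"] = True
            continue
        m = CONN_CLOSE.match(line)
        if m and int(m["conn"]) in raw:
            raw[int(m["conn"])]["closed"] = parse_ts(m["ts"])
            raw[int(m["conn"])]["reason"] = m["reason"]
    return {c: Connection(c, **v) for c, v in raw.items()}


def attempts_from(conns: Dict[int, Connection], src: str, around: datetime,
                  window: timedelta = timedelta(minutes=2)) -> List[Connection]:
    """Connections from `src` opened within `window` of `around` (the master's error time)."""
    return [c for c in conns.values() if c.src == src and abs(c.opened - around) <= window]


def tls_trust_failures(conns: Dict[int, Connection]) -> List[Connection]:
    """Connections the server closed because it did not trust the peer's issuing CA."""
    return [c for c in conns.values() if c.reason and TRUST_ERROR in c.reason]


# Constructed sample: an unrelated GSSAPI bind, then the master's replication attempt.
SAMPLE_ACCESS_LOG = """\
[08/Apr/2013:10:13:40 -0300] conn=11 fd=63 slot=63 connection from 192.168.1.50 to 192.168.1.2
[08/Apr/2013:10:13:40 -0300] conn=11 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[08/Apr/2013:10:13:41 -0300] conn=11 op=1 UNBIND
[08/Apr/2013:10:13:41 -0300] conn=11 op=1 fd=63 closed - U1
[08/Apr/2013:10:14:02 -0300] conn=12 fd=64 slot=64 connection from 192.168.1.1 to 192.168.1.2
[08/Apr/2013:10:14:02 -0300] conn=12 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[08/Apr/2013:10:14:02 -0300] conn=12 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[08/Apr/2013:10:14:02 -0300] conn=12 op=-1 fd=64 closed - Peer does not recognize and trust the CA that issued your certificate.
"""

if __name__ == "__main__":
    conns = parse_access_log(SAMPLE_ACCESS_LOG)
    when = parse_ts("08/Apr/2013:10:14:05 -0300")   # time of the master's startTLS error
    for c in attempts_from(conns, "192.168.1.1", when):
        print(f"conn={c.conn} from master at {c.opened:%H:%M:%S}, startTLS={c.start_tls}, closed: {c.reason}")
    print("TLS trust failures:", [c.conn for c in tls_trust_failures(conns)])
```

Feed it the real file with `parse_access_log(open("/var/log/dirsrv/slapd-DOMAIN/access").read())` and the master's IP and the timestamp from the master's `could not send startTLS request` line. A connection from the master that requests startTLS and closes with the trust reason confirms that the TLS handshake, not network reachability, is what fails.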
Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
Hey Rob,

Yes I've tried to do that. Every time I try to run an ipa-replica-install I make sure I create a new replica file from the server.

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Wednesday, April 10, 2013 10:47 AM
To: Joseph, Matthew (EXP); Nathan Kinder
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors

Joseph, Matthew (EXP) wrote:
> Hey,
>
> I'm still trying to figure out this error but I am getting nothing.
>
> Anyone have any suggestions or ideas on why this is failing?

Is there a chance you're using a replica file prepared from a different IPA installation?

I'd probably go ahead and use ipa-replica-prepare to create a new file and try installing that.

rob

> Matt
>
> [...]
Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
Joseph, Matthew (EXP) wrote:
> Hey Rob,
>
> Yes I've tried to do that. Every time I try to run an ipa-replica-install I make sure I create a new replica file from the server.

Well, it is confusing because this worked once, when you got the error about replication ID.

I guess I'd use certutil to compare what /etc/dirsrv/slapd-REALM looks like on the replica vs the existing master. The error is related to SSL trust.

rob

> Matt
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: Wednesday, April 10, 2013 10:47 AM
> To: Joseph, Matthew (EXP); Nathan Kinder
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
>
> [...]
Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
Hey Rob,

Here is the output from certutil -L -d /etc/dirsrv/slapd-DOMAIN-CA/

Server:
Server-Cert u,u,u

Client:
Server-Cert u,u,u

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Wednesday, April 10, 2013 11:01 AM
To: Joseph, Matthew (EXP); Nathan Kinder
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors

Joseph, Matthew (EXP) wrote:
> Hey Rob,
>
> Yes I've tried to do that. Every time I try to run an ipa-replica-install I make sure I create a new replica file from the server.

Well, it is confusing because this worked once, when you got the error about replication ID.

I guess I'd use certutil to compare what /etc/dirsrv/slapd-REALM looks like on the replica vs the existing master. The error is related to SSL trust.

rob

> Matt
>
> [...]
Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
On 04/10/2013 09:55 PM, Joseph, Matthew (EXP) wrote:
> Hey,
>
> I'm still trying to figure out this error but I am getting nothing.
>
> Anyone have any suggestions or ideas on why this is failing?
>
> Matt
>
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Joseph, Matthew (EXP)
> Sent: Monday, April 08, 2013 12:30 PM
> To: Nathan Kinder
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
>
> Hey,
>
> Yup, the client side says the following;
>
> Op=-1 fd=64 closed - Peer does not recognize and trust the CA that issued your certificate.
>
> Matt

Check the version of the nss package on your IPA server. There was a change that went into nss-3.14 that disables support for certificate signatures using the MD5 hash algorithm.

To check if you are using MD5 certificate signatures, use this command to examine the certificates -

certutil -L -d /etc/dirsrv/slapd-DOMAIN-CA/ Server-Cert

If this is the case, the workaround is to downgrade the nss package to version 3.13. The fix is to re-issue your certificates using the SHA256 hashes.

Are you using the IPA CA, or are you managing the CA independently of IPA?

--
Jatin Nansi
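Jatin's check is meant to find certificates whose signature uses MD5, which NSS stopped accepting in 3.14. As an added example (not from the thread or from FreeIPA), here is a stdlib-only Python routine that reads the signatureAlgorithm OID straight from a certificate's DER, for instance one exported with `certutil -L -d <dbdir> -n Server-Cert -a`, and names the hash. The two certificates embedded at the bottom are constructed DER shells (an empty tbsCertificate and an empty signature) that exercise only the outer structure; they are not real certificates, and the only assumption beyond that is the file name you would feed to `pem_to_der`.

```python
"""Tell whether an X.509 certificate carries an MD5-based RSA signature, the kind
nss >= 3.14 refuses. Added example, not from the thread or FreeIPA. Standard
library only: it walks the outer DER SEQUENCE and reads the signatureAlgorithm
OID, which is what NSS checks. The certificates at the bottom are constructed
shells (empty tbsCertificate, empty signature), enough to exercise the parser."""
import base64
import re
from typing import Tuple

# RFC 3279 / RFC 4055 OIDs for PKCS #1 v1.5 signatures.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
MD5_RSA_OID = "1.2.840.113549.1.1.4"

SEQUENCE, OBJECT_IDENTIFIER = 0x30, 0x06


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER tag/length/value at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def decode_oid(content: bytes) -> str:
    """Dotted OID from its base-128 DER content (X.690 8.19)."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def pem_to_der(pem: str) -> bytes:
    """Strip the BEGIN/END armour (as written by `certutil -L -n <nick> -a`) and base64-decode."""
    body = re.sub(r"-----[^-]+-----", "", pem)
    return base64.b64decode("".join(body.split()))


def signature_algorithm(der: bytes) -> str:
    """Dotted OID of the outer signatureAlgorithm of
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("not a DER Certificate")
    _, _tbs, pos = read_tlv(cert, 0)              # skip tbsCertificate
    tag, alg_id, _ = read_tlv(cert, pos)           # AlgorithmIdentifier
    if tag != SEQUENCE:
        raise ValueError("missing signatureAlgorithm")
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != OBJECT_IDENTIFIER:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def signature_algorithm_name(der: bytes) -> str:
    oid = signature_algorithm(der)
    return SIGNATURE_OIDS.get(oid, oid)


def rejected_by_nss_314(der: bytes) -> bool:
    """True for certificates whose signature nss-3.14 and later will not accept (MD5/RSA)."""
    return signature_algorithm(der) == MD5_RSA_OID


# Constructed DER shells: SEQUENCE { SEQUENCE {}, AlgorithmIdentifier, BIT STRING "" }.
_MD5_ALG = bytes.fromhex("300d06092a864886f70d0101040500")
_SHA256_ALG = bytes.fromhex("300d06092a864886f70d01010b0500")
FAKE_MD5_CERT = bytes.fromhex("3014" + "3000") + _MD5_ALG + bytes.fromhex("030100")
FAKE_SHA256_CERT = bytes.fromhex("3014" + "3000") + _SHA256_ALG + bytes.fromhex("030100")
FAKE_MD5_PEM = ("-----BEGIN CERTIFICATE-----\n"
                + base64.b64encode(FAKE_MD5_CERT).decode() + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for label, der in (("md5 shell", FAKE_MD5_CERT), ("sha256 shell", FAKE_SHA256_CERT)):
        print(label, signature_algorithm_name(der), "rejected by nss-3.14:", rejected_by_nss_314(der))
```

For a real database, export the server certificate with `certutil -L -d /etc/dirsrv/slapd-REALM -n Server-Cert -a > server.pem` and call `rejected_by_nss_314(pem_to_der(open("server.pem").read()))`. Matt's answer (PKCS #1 SHA-256 with RSA) corresponds to OID 1.2.840.113549.1.1.11, so this check comes back clean for his certificate, which is why Jatin withdrew the MD5 theory.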
Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
Hey,

So on the IPA server under the access logs I am getting the following error.

Error: could not send startTLS request: Error -11 (connect error) errno 0 (success)

Any ideas?

Matt

From: Nathan Kinder [mailto:nkin...@redhat.com]
Sent: Thursday, April 04, 2013 6:00 PM
To: Joseph, Matthew (EXP)
Cc: freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] ipa-replica-install errors

On 04/04/2013 07:14 AM, Joseph, Matthew (EXP) wrote:

Hello,

I'm trying to set up a replica server with ipa-2.2.0-16 on both the Server and the Replica Server.

Here are the steps I ran (from the Red Hat 6.3 IdM Administration Guide):

IPA_Server:
ipa-replica-prepare ipareplica.example.com --ip-address 192.168.1.2
scp /var/lib/ipa/replica-info-ipareplica.example.com.gpg root@ipareplica:/var/lib/ipa/

IPA_Replica:
ipa-replica-install --setup-ca --setup-dns /var/lib/ipa/replica-info-ipareplica.example.com.gpg

--

Below is the error I am getting when running ipa-replica-install:

Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'IPA_Server.domain.ca':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@domain.ca password:
Execute check on remote master
Check connection from master to remote replica 'IPA_Replica.domain.ca':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

Connection from master to replica is OK.

Connection check OK

Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.

Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.

Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/13]: creating certificate server user
  [2/13]: creating pki-ca instance
  [3/13]: configuring certificate server instance
  [4/13]: disabling nonces
  [5/13]: creating RA agent certificate database
  [6/13]: importing CA chain to RA certificate database
  [7/13]: fixing RA database permissions
  [8/13]: setting up signing cert profile
  [9/13]: set up CRL publishing
  [10/13]: set certificate subject base
  [11/13]: enabling Subject Key Identifier
  [12/13]: configuring certificate server to start on boot
  [13/13]: Configure HTTP to proxy connections
done configuring pki-cad.

Restarting the directory and certificate servers

Configuring directory server: Estimated time 1 minute
  [1/30]: creating directory server user
  [2/30]: creating directory server instance
  [3/30]: adding default schema
  [4/30]: enabling memberof plugin
  [5/30]: enabling referential integrity plugin
  [6/30]: enabling winsync plugin
  [7/30]: configuring replication version plugin
  [8/30]: enabling IPA enrollment plugin
  [9/30]: enabling ldapi
  [10/30]: configuring uniqueness plugin
  [11/30]: configuring uuid plugin
  [12/30]: configuring modrdn plugin
  [13/30]: enabling entryUSN plugin
  [14/30]: configuring lockout plugin
  [15/30]: creating indices
  [16/30]: configuring ssl for ds instance
  [17/30]: configuring certmap.conf
  [18/30]: configure autobind for root
  [19/30]: configure new location for managed entries
  [20/30]: restarting directory server
  [21/30]: setting up initial replication
Starting replication, please wait until this has completed.
[IPA_Server.domain.ca] reports: Update failed! Status: [-11 - System error]
creation of replica failed: Failed to start replication

Also in the error log (/var/log/dirsrv/slapd-DOMAIN-CA/errors) is the following error:

NSMMReplicationPlugin - agmt=cn=metoIPA_Server.domain.ca (ipa_server:389): Replica has a different generation ID than the local data.

This is probably just fallout from the replica initialization failure. If a replica is never initialized, it will get a generation ID mismatch error when the master contacts it.

Any thoughts or ideas on this issue? Searching Google I don't see anyone getting the Status: -11 - System Error.

There was
Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
Hey,

Yup, the client side says the following:

Op=-1 fd=64 closed - Peer does not recognize and trust the CA that issued your certificate.

Matt

From: Nathan Kinder [mailto:nkin...@redhat.com]
Sent: Monday, April 08, 2013 12:28 PM
To: Joseph, Matthew (EXP)
Cc: freeipa-users@redhat.com
Subject: Re: EXTERNAL: Re: [Freeipa-users] ipa-replica-install errors

On 04/08/2013 07:16 AM, Joseph, Matthew (EXP) wrote:

Hey,

So on the IPA server under the access logs I am getting the following error.

Error: could not send startTLS request: Error -11 (connect error) errno 0 (success)

Any ideas?

Does the access log on the receiving side show a connection attempt from the master at the same time? The access log will be located at /var/log/dirsrv/slapd-DOMAIN/access.

-NGK

Matt

From: Nathan Kinder [mailto:nkin...@redhat.com]
Sent: Thursday, April 04, 2013 6:00 PM
To: Joseph, Matthew (EXP)
Cc: freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] ipa-replica-install errors

On 04/04/2013 07:14 AM, Joseph, Matthew (EXP) wrote:

Hello,

I'm trying to set up a replica server with ipa-2.2.0-16 on both the Server and the Replica Server.

Here are the steps I ran (from the Red Hat 6.3 IdM Administration Guide):

IPA_Server:
ipa-replica-prepare ipareplica.example.com --ip-address 192.168.1.2
scp /var/lib/ipa/replica-info-ipareplica.example.com.gpg root@ipareplica:/var/lib/ipa/

IPA_Replica:
ipa-replica-install --setup-ca --setup-dns /var/lib/ipa/replica-info-ipareplica.example.com.gpg

--

Below is the error I am getting when running ipa-replica-install:

Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'IPA_Server.domain.ca':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@domain.ca password:
Execute check on remote master
Check connection from master to remote replica 'IPA_Replica.domain.ca':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

Connection from master to replica is OK.

Connection check OK

Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.

Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.

Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/13]: creating certificate server user
  [2/13]: creating pki-ca instance
  [3/13]: configuring certificate server instance
  [4/13]: disabling nonces
  [5/13]: creating RA agent certificate database
  [6/13]: importing CA chain to RA certificate database
  [7/13]: fixing RA database permissions
  [8/13]: setting up signing cert profile
  [9/13]: set up CRL publishing
  [10/13]: set certificate subject base
  [11/13]: enabling Subject Key Identifier
  [12/13]: configuring certificate server to start on boot
  [13/13]: Configure HTTP to proxy connections
done configuring pki-cad.

Restarting the directory and certificate servers

Configuring directory server: Estimated time 1 minute
  [1/30]: creating directory server user
  [2/30]: creating directory server instance
  [3/30]: adding default schema
  [4/30]: enabling memberof plugin
  [5/30]: enabling referential integrity plugin
  [6/30]: enabling winsync plugin
  [7/30]: configuring replication version plugin
  [8/30]: enabling IPA enrollment plugin
  [9/30]: enabling ldapi
  [10/30]: configuring uniqueness plugin
  [11/30]: configuring uuid plugin
  [12/30]: configuring modrdn plugin
  [13/30]: enabling entryUSN plugin
  [14/30]: configuring lockout plugin
  [15/30]: creating indices
  [16/30]: configuring ssl for ds instance
  [17/30]: configuring certmap.conf
  [18/30]: configure autobind for root
  [19/30]: configure new location for managed entries
  [20/30]: restarting directory server
  [21/30]: setting up initial replication
Starting replication, please wait until this has completed.
[IPA_Server.domain.ca] reports: