Re: [Freeipa-users] Replica Creation hang at "configuring certificate server instance"
Ade Lee writes:

> This is also not running the latest available pki-common code. This
> code has been changed recently to make it more robust.
>
> Check updates-testing for pki-common
>
> Actually, you'll want to update : pki-common, pki-setup, pki-selinux,
> pki-ca, pki-silent.

Updating the pki-* to 9.0.11-1 and 389-ds-base to 1.2.9.6-1 (available in updates-testing) resolved this problem.

Thanks

--
Shawn Nock (OpenPGP: 0x8132E623)
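Added example (not part of any post in this thread, and not FreeIPA or 389-ds code): a small triage script for the kind of replica error log quoted in the messages below. It counts the failure signatures seen there, maps the LDAP result code to its RFC 4511 name, and detects the fixed-interval retry loop. The sample lines are constructed in the same format with a placeholder host name; `triage` and the signature names are assumptions of this example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the error-log format quoted in this thread (placeholder host).
SAMPLE_LOG = """\
[12/Aug/2011:13:49:09 -0400] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-replica.example.test-pki-ca" (ipa:7389): Replica has a different generation ID than the local data.
[12/Aug/2011:13:49:15 -0400] - import ipaca: Import complete. Processed 82 entries in 4 seconds. (20.50 entries/sec)
[12/Aug/2011:13:49:15 -0400] NSMMReplicationPlugin - _replica_configure_ruv: failed to create replica ruv tombstone entry (o=ipaca); LDAP error - 68
[12/Aug/2011:13:49:17 -0400] NSMMReplicationPlugin - _replica_configure_ruv: failed to create replica ruv tombstone entry (o=ipaca); LDAP error - 68
[12/Aug/2011:13:49:47 -0400] NSMMReplicationPlugin - _replica_configure_ruv: failed to create replica ruv tombstone entry (o=ipaca); LDAP error - 68
[12/Aug/2011:13:50:17 -0400] NSMMReplicationPlugin - _replica_configure_ruv: failed to create replica ruv tombstone entry (o=ipaca); LDAP error - 68
[12/Aug/2011:13:51:55 -0400] - Error: ldbm_txn_ruv_modify_context failed to retrieve and lock RUV entry
"""

ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<msg>.*)$")
SIGNATURES = {
    "generation_id_mismatch": re.compile(r"different generation ID"),
    "ruv_tombstone_failed": re.compile(
        r"failed to create replica ruv tombstone entry \([^)]*\); LDAP error - (?P<rc>\d+)"),
    "ruv_lock_failed": re.compile(r"failed to retrieve and lock RUV entry"),
}
LDAP_RESULT = {68: "entryAlreadyExists"}  # result code name from RFC 4511


def triage(text):
    """Count known failure signatures and detect a fixed-interval retry loop."""
    counts, retry_times, results = Counter(), [], {}
    for line in text.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry:
            continue  # skip blank or non-log lines
        for name, pattern in SIGNATURES.items():
            hit = pattern.search(entry["msg"])
            if not hit:
                continue
            counts[name] += 1
            if name == "ruv_tombstone_failed":
                rc = int(hit["rc"])
                results[rc] = LDAP_RESULT.get(rc, "unknown")
                retry_times.append(
                    datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    gaps = Counter(int((b - a).total_seconds())
                   for a, b in zip(retry_times, retry_times[1:]))
    interval, seen = gaps.most_common(1)[0] if gaps else (None, 0)
    return {"counts": dict(counts), "ldap_results": results,
            "retry_interval_s": interval, "retry_loop": seen >= 2}

print(triage(SAMPLE_LOG))
```

A `retry_loop` of true together with a generation ID mismatch is the pattern to look for before checking package versions, as the reply above did.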
Re: [Freeipa-users] Replica Creation hang at "configuring certificate server instance"
This is also not running the latest available pki-common code. This code has been changed recently to make it more robust.

Check updates-testing for pki-common

Actually, you'll want to update : pki-common, pki-setup, pki-selinux, pki-ca, pki-silent.

Ade

On Fri, 2011-08-12 at 12:26 -0600, Rich Megginson wrote:
> On 08/12/2011 12:06 PM, Shawn Nock wrote:
> > I am trying to create a replica of my working FreeIPA 2.0.1
> > installation. Both the server and would-be replica are F15 minimal
> > installs dedicated to FreeIPA.
> >
> > Both hosts are in DNS (forward and reverse) with iptables and
> > selinux temporarily disabled.
> >
> > ipa-replica-install fails at:
> > 2011-08-12 13:48:14,768 DEBUG [3/11]: restarting certificate server
> > 2011-08-12 13:48:17,882 DEBUG args=/sbin/service pki-cad restart
> > 2011-08-12 13:48:17,882 DEBUG stdout=Stopping pki-ca: [FAILED]
> > Starting pki-ca: [ OK ]
> > 'pki-ca' must still be CONFIGURED!
> > (see /var/log/pki-ca-install.log)
> >
> > 2011-08-12 13:48:17,882 DEBUG stderr=
> > 2011-08-12 13:48:17,905 DEBUG duration: 3 seconds
> > 2011-08-12 13:48:17,906 DEBUG [4/11]: configuring certificate server instance
> >
> > The IPA-PKI instance access log on the replica is full of:
> >
> > SRCH base="ou=people,o=ipaca" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
> >
> > The IPA-PKI instance error log on the replica contains:
> >
> > [12/Aug/2011:13:49:09 -0400] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-ipa-slave.cfmi.georgetown.edu-pki-ca" (ipa:7389): Replica has a different generation ID than the local data.
> > [12/Aug/2011:13:49:10 -0400] NSMMReplicationPlugin - multimaster_be_state_change: replica o=ipaca is going offline; disabling replication
> > [12/Aug/2011:13:49:11 -0400] - entrycache_clear_int: there are still 2 entries in the entry cache.
> > [12/Aug/2011:13:49:11 -0400] - dncache_clear_int: there are still 2 dn's in the dn cache. :/
> > [12/Aug/2011:13:49:11 -0400] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
> > [12/Aug/2011:13:49:15 -0400] - import ipaca: Workers finished; cleaning up...
> > [12/Aug/2011:13:49:15 -0400] - import ipaca: Workers cleaned up.
> > [12/Aug/2011:13:49:15 -0400] - import ipaca: Indexing complete. Post-processing...
> > [12/Aug/2011:13:49:15 -0400] - import ipaca: Flushing caches...
> > [12/Aug/2011:13:49:15 -0400] - import ipaca: Closing files...
> > [12/Aug/2011:13:49:15 -0400] - entrycache_clear_int: there are still 12 entries in the entry cache.
> > [12/Aug/2011:13:49:15 -0400] - dncache_clear_int: there are still 82 dn's in the dn cache. :/
> > [12/Aug/2011:13:49:15 -0400] - import ipaca: Import complete. Processed 82 entries in 4 seconds. (20.50 entries/sec)
> > [12/Aug/2011:13:49:15 -0400] NSMMReplicationPlugin - multimaster_be_state_change: replica o=ipaca is coming online; enabling replication
> > [12/Aug/2011:13:49:15 -0400] NSMMReplicationPlugin - _replica_configure_ruv: failed to create replica ruv tombstone entry (o=ipaca); LDAP error - 68
> > [12/Aug/2011:13:49:15 -0400] NSMMReplicationPlugin - replica_enable_replication: reloading ruv failed
> > [12/Aug/2011:13:49:17 -0400] NSMMReplicationPlugin - _replica_configure_ruv: failed to create replica ruv tombstone entry (o=ipaca); LDAP error - 68
> > [12/Aug/2011:13:49:47 -0400] NSMMReplicationPlugin - _replica_configure_ruv: failed to create replica ruv tombstone entry (o=ipaca); LDAP error - 68
> > [12/Aug/2011:13:50:17 -0400] NSMMReplicationPlugin - _replica_configure_ruv: failed to create replica ruv tombstone entry (o=ipaca); LDAP error - 68
> > [12/Aug/2011:13:50:47 -0400] NSMMReplicationPlugin - _replica_configure_ruv: failed to create replica ruv tombstone entry (o=ipaca); LDAP error - 68
> > [12/Aug/2011:13:51:17 -0400] NSMMReplicationPlugin - _replica_configure_ruv: failed to create replica ruv tombstone entry (o=ipaca); LDAP error - 68
> > [12/Aug/2011:13:51:47 -0400] NSMMReplicationPlugin - _replica_configure_ruv: failed to create replica ruv tombstone entry (o=ipaca); LDAP error - 68
> > [12/Aug/2011:13:51:55 -0400] - Error: ldbm_txn_ruv_modify_context failed to retrieve and lock RUV entry
> > [12/Aug/2011:13:51:55 -0400] - ldbm_back_modify: ldbm_txn_ruv_modify_context failed to construct RUV modify context
> > [12/Aug/2011:13:52:17 -0400] NSMMReplicationPlugin - _replica_configure_ruv: failed to create replica ruv tombstone entry (o=ipaca); LDAP error - 68
> > [12/Aug/2011:13:52:47 -0400] NSMMReplicationPlugin - _replica_configure_ruv: failed to create replica ruv tombstone entry (o=ipaca); LDAP error - 68
> > [12/Aug/2011:13:53:17 -0400] NSMMReplicationPlugin - _replica_configure_ruv: failed to create replica ruv tombstone entry
Re: [Freeipa-users] Replica Creation hang at "configuring certificate server instance"
On 08/12/2011 12:06 PM, Shawn Nock wrote:

I am trying to create a replica of my working FreeIPA 2.0.1 installation. Both the server and would-be replica are F15 minimal installs dedicated to FreeIPA.

Both hosts are in DNS (forward and reverse) with iptables and selinux temporarily disabled.

ipa-replica-install fails at:

2011-08-12 13:48:14,768 DEBUG [3/11]: restarting certificate server
2011-08-12 13:48:17,882 DEBUG args=/sbin/service pki-cad restart
2011-08-12 13:48:17,882 DEBUG stdout=Stopping pki-ca: [FAILED]
Starting pki-ca: [ OK ]
'pki-ca' must still be CONFIGURED!
(see /var/log/pki-ca-install.log)

2011-08-12 13:48:17,882 DEBUG stderr=
2011-08-12 13:48:17,905 DEBUG duration: 3 seconds
2011-08-12 13:48:17,906 DEBUG [4/11]: configuring certificate server instance

The IPA-PKI instance access log on the replica is full of:

SRCH base="ou=people,o=ipaca" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL

The IPA-PKI instance error log on the replica contains:

[12/Aug/2011:13:49:09 -0400] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-ipa-slave.cfmi.georgetown.edu-pki-ca" (ipa:7389): Replica has a different generation ID than the local data.
[12/Aug/2011:13:49:10 -0400] NSMMReplicationPlugin - multimaster_be_state_change: replica o=ipaca is going offline; disabling replication
[12/Aug/2011:13:49:11 -0400] - entrycache_clear_int: there are still 2 entries in the entry cache.
[12/Aug/2011:13:49:11 -0400] - dncache_clear_int: there are still 2 dn's in the dn cache. :/
[12/Aug/2011:13:49:11 -0400] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[12/Aug/2011:13:49:15 -0400] - import ipaca: Workers finished; cleaning up...
[12/Aug/2011:13:49:15 -0400] - import ipaca: Workers cleaned up.
[12/Aug/2011:13:49:15 -0400] - import ipaca: Indexing complete. Post-processing...
[12/Aug/2011:13:49:15 -0400] - import ipaca: Flushing caches...
[12/Aug/2011:13:49:15 -0400] - import ipaca: Closing files...
[12/Aug/2011:13:49:15 -0400] - entrycache_clear_int: there are still 12 entries in the entry cache.
[12/Aug/2011:13:49:15 -0400] - dncache_clear_int: there are still 82 dn's in the dn cache. :/
[12/Aug/2011:13:49:15 -0400] - import ipaca: Import complete. Processed 82 entries in 4 seconds. (20.50 entries/sec)
[12/Aug/2011:13:49:15 -0400] NSMMReplicationPlugin - multimaster_be_state_change: replica o=ipaca is coming online; enabling replication
[12/Aug/2011:13:49:15 -0400] NSMMReplicationPlugin - _replica_configure_ruv: failed to create replica ruv tombstone entry (o=ipaca); LDAP error - 68
[12/Aug/2011:13:49:15 -0400] NSMMReplicationPlugin - replica_enable_replication: reloading ruv failed
[12/Aug/2011:13:49:17 -0400] NSMMReplicationPlugin - _replica_configure_ruv: failed to create replica ruv tombstone entry (o=ipaca); LDAP error - 68
[12/Aug/2011:13:49:47 -0400] NSMMReplicationPlugin - _replica_configure_ruv: failed to create replica ruv tombstone entry (o=ipaca); LDAP error - 68
[12/Aug/2011:13:50:17 -0400] NSMMReplicationPlugin - _replica_configure_ruv: failed to create replica ruv tombstone entry (o=ipaca); LDAP error - 68
[12/Aug/2011:13:50:47 -0400] NSMMReplicationPlugin - _replica_configure_ruv: failed to create replica ruv tombstone entry (o=ipaca); LDAP error - 68
[12/Aug/2011:13:51:17 -0400] NSMMReplicationPlugin - _replica_configure_ruv: failed to create replica ruv tombstone entry (o=ipaca); LDAP error - 68
[12/Aug/2011:13:51:47 -0400] NSMMReplicationPlugin - _replica_configure_ruv: failed to create replica ruv tombstone entry (o=ipaca); LDAP error - 68
[12/Aug/2011:13:51:55 -0400] - Error: ldbm_txn_ruv_modify_context failed to retrieve and lock RUV entry
[12/Aug/2011:13:51:55 -0400] - ldbm_back_modify: ldbm_txn_ruv_modify_context failed to construct RUV modify context
[12/Aug/2011:13:52:17 -0400] NSMMReplicationPlugin - _replica_configure_ruv: failed to create replica ruv tombstone entry (o=ipaca); LDAP error - 68
[12/Aug/2011:13:52:47 -0400] NSMMReplicationPlugin - _replica_configure_ruv: failed to create replica ruv tombstone entry (o=ipaca); LDAP error - 68
[12/Aug/2011:13:53:17 -0400] NSMMReplicationPlugin - _replica_configure_ruv: failed to create replica ruv tombstone entry (o=ipaca); LDAP error - 68
[12/Aug/2011:13:53:47 -0400] NSMMReplicationPlugin - _replica_configure_ruv: failed to create replica ruv tombstone entry (o=ipaca); LDAP error - 68

/var/log/pki-ca/debug on the replica is full of:

DatabasePanel comparetAndWaitEntries ou=people,o=ipaca not found, let's wait!

This seems to be the problem described in the docs under troubleshooting (https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Setting_up_IPA_Replicas.html) when port 7389 is unavailable on the replica. This server is running nothing else, however, and lsof and netstat confirm that 7389 is available.

The only other problem is a message about 7389 already existing in selinu