Re: [Freeipa-users] problem creating replica
On 23/07/2013 6:18 PM, Martin Kosek <mko...@redhat.com> wrote:
> On 07/19/2013 08:20 PM, Ade Lee wrote:
>> On Fri, 2013-07-19 at 14:14 +1000, Pete Brown wrote:
>>> I was just trying this again and noticed there is a /var/log/pki/pki-ca-spawn.20130719140342.log file with what I assume is the logging for the attempt to create the PKI. Right at the end is this entry.
>>>
>>> 2013-07-19 14:04:42 pkispawn: INFO ... unable to access security domain through REST interface. Trying old interface.
>>> 503 Server Error: Service Unavailable
>>>
>>> Does anyone know what that means and how to fix it?
>>
>> This means that the dogtag CA is trying to contact the dogtag master - and is failing to do so. It may be trying to access the wrong port.
>>
>> What version do you have for: rpm -q pki-ca ?
>>
>> Please attach the logs for the replica CA: /var/log/pki/pki-tomcat/*
>>
>> You are also exactly correct in creating a replica before upgrading to F19. Much older dogtag instances (based on dogtag 9) will not work in f19 due to tomcat6 not being available in f19.
>>
>> Ade
>
> Note that there is a related article also for FreeIPA with migration instructions, see:
> http://www.freeipa.org/page/Howto/Dogtag9ToDogtag10Migration
>
> Martin

Thanks Martin. I shall see if I can get that to work tomorrow at work.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] problem creating replica
On 18 July 2013 19:50, Petr Viktorin <pvikt...@redhat.com> wrote:
> On 07/18/2013 03:31 AM, Pete Brown wrote:
>> I opened all the ports that seemed to be listening on the master. I also ran the setup again without disabling the connection check to see what else needed fixing.
>>
>> After much investigation and log dredging it seems my admin password had expired. I wasn't aware that was possible. I reset the password and it seemed to get further.
>>
>> Then, for some reason not mentioned in the documentation, the replica is trying to ssh into the master as admin. I managed to fix that by changing my setup and ssh config files. Then it actually managed to start the setup process.
>>
>> But again it fails at exactly the same point mentioned in my initial email.
>>
>> After some further digging with reference to the log output below it seems I have run into a bug that seems to have been fixed.
>> https://fedorahosted.org/freeipa/ticket/3213
>>
>> As I mentioned I am running current Fedora 18 so freeipa is 3.1.5-1.fc18; is that fixed in my version?
>
> Yes, that bug was fixed in 3.1.0.

Well the script is still complaining about not being able to find dogtag_master_ds_port and the option still appears in my version of the script, which from the bug seems to be what was causing the issue, and the ipareplica-install log I included below says this is the case. It seems a bit odd because this is a fresh install of 3.1.5.

>> It also seems the dogtag and IPA directories will be or have been merged? Which version did this happen in and will it get applied to my server?
>
> Also in 3.1.0; new servers installed using that version have merged databases.

I still seem to have split instances. I did the install before Fedora 18 was released because I wanted ipa 3 and that was the only way I could get it. Will they get merged at some point or can I do it manually?

>> Can anyone suggest how I go about fixing this issue?
>
> Well, ipa-server-uninstall can misbehave if CA installation goes wrong (ticket #2796).
> So I would start by uninstalling, then running the following command to make sure CA is not left:
>
>   sudo pkidestroy -s CA -i pki-tomcat
>
> then installing again.

Ran that on my replica after the install and before the clean and it said this. That would make sense because it fails during the CA creation stage.

[root@ipa2 ~]# pkidestroy -s CA -i pki-tomcat
ERROR: PKI instance '/var/lib/pki/pki-tomcat' does NOT exist!

> Can you also provide logs without the --skip-conncheck flag? Specifically the /var/log/ipareplica-conncheck.log should be interesting.

From what I can tell all the tests in the connection check passed.

>> I wanted to create a replica so I could upgrade to fedora 19 and not have to take my single instance of FreeIPA offline while that was happening. Will I need to upgrade to Fedora 19 to fix my issue?
>>
>> For reference this is the point of failure in the /var/log/ipareplica-install.log file
>>
>> 2013-07-18T01:06:16Z DEBUG Starting external process
>> 2013-07-18T01:06:16Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpFKBxMW
>> 2013-07-18T01:08:16Z DEBUG Process finished, return code=1
>> 2013-07-18T01:08:16Z DEBUG stdout=Loading deployment configuration from /tmp/tmpFKBxMW.
>> ERROR: Unable to access security domain: 503 Server Error: Service Unavailable
>
> Please also check logs on the existing server. Is the CA available? Does e.g. `ipa cert-show 1` work?

>> 2013-07-18T01:08:16Z DEBUG stderr=
>> 2013-07-18T01:08:16Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpFKBxMW' returned non-zero exit status 1
>> 2013-07-18T01:08:16Z INFO   File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 619, in run_script
>>     return_value = main_function()
>>   File /usr/sbin/ipa-replica-install, line 652, in main
>>     (CA, cs) = cainstance.install_replica_ca(config, dogtag_master_ds_port)
>>   File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 1809, in install_replica_ca
>>     subject_base=config.subject_base)
>>   File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 625, in configure_instance
>>     self.start_creation(runtime=210)
>>   File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 358, in start_creation
>>     method()
>>   File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 744, in __spawn_instance
>>     raise RuntimeError('Configuration of CA failed')
>> 2013-07-18T01:08:16Z INFO The ipa-replica-install command failed, exception: RuntimeError: Configuration of CA failed
>>
>> On 17 July 2013 15:52, Pete Brown <rendhal...@gmail.com> wrote:
>>> Hi everyone,
>>>
>>> I am attempting to create a replica of my freeipa server. I am following the docs but they are not working for me. I am getting the vague impression I am missing a step that doesn't seem to be documented. For the record all the ports listed are open and it was a clean install of Fedora 18. I thought the
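The ipareplica-install.log excerpt quoted in this thread has a regular shape: each external process that ipa-replica-install spawns is logged as a "Starting external process" record, an "args=" record, a "Process finished, return code=N" record and then the stdout/stderr it produced, with any untimestamped continuation lines belonging to that dump. The following Python script is an added example, not FreeIPA code and not something posted by anyone in the thread: it parses that format, pairs each spawned process with its exit code and captured output, and maps the two error signatures seen here (the 503 on the security domain, and kinit being unable to read a password during the connection check) to the checks Ade and Petr suggested in their replies. The sample log lines are copied from the thread; the function names, dataclasses and the signature table are this example's own assumptions.

```python
"""Triage helper for /var/log/ipareplica-install.log.

Added example; not FreeIPA's own code. It parses the log format quoted in the
thread (ISO timestamp, level, message), groups each external process that
ipa-replica-install spawned with its args, exit code and captured output, and
maps known error signatures to the next checks suggested in the replies.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One timestamped log record: "2013-07-18T01:08:16Z DEBUG message..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<level>[A-Z]+)\s+(?P<msg>.*)$"
)

# (pattern, meaning, next checks): meanings and checks are taken from the
# replies in the thread; the table itself is this example's assumption.
SIGNATURES = [
    (
        re.compile(r"Unable to access security domain.*503"),
        "replica CA cannot reach the master CA's security domain (possibly wrong port)",
        ["rpm -q pki-ca on master and replica",
         "ipa cert-show 1 on the master",
         "/var/log/pki/pki-tomcat/* on the replica"],
    ),
    (
        re.compile(r"kinit: Cannot read password"),
        "connection check could not obtain a Kerberos ticket for admin",
        ["/var/log/ipareplica-conncheck.log",
         "check whether the admin password has expired"],
    ),
]


@dataclass
class ExternalProcess:
    started: str                       # timestamp of "Starting external process"
    args: Optional[str] = None         # command line from the "args=" record
    return_code: Optional[int] = None  # from "Process finished, return code=N"
    output: List[str] = field(default_factory=list)  # stdout/stderr lines


@dataclass
class Triage:
    failed: List[ExternalProcess]
    critical: List[str]
    diagnoses: List[str]
    next_checks: List[str]


def parse_log(lines: List[str]) -> Tuple[List[ExternalProcess], List[str]]:
    """Group log records into external processes and collect CRITICAL messages."""
    procs: List[ExternalProcess] = []
    critical: List[str] = []
    current: Optional[ExternalProcess] = None
    capturing = False  # True while inside a multi-line stdout=/stderr= dump
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            # Untimestamped line: continuation of the last stdout/stderr dump
            if capturing and current is not None and raw.strip():
                current.output.append(raw.strip())
            continue
        level, msg = m.group("level"), m.group("msg")
        if current is not None and msg.startswith(("stdout=", "stderr=")):
            capturing = True
            text = msg.split("=", 1)[1].strip()
            if text:
                current.output.append(text)
            continue
        capturing = False
        if msg.startswith("Starting external process"):
            current = ExternalProcess(started=m.group("ts"))
            procs.append(current)
        elif current is not None and msg.startswith("args="):
            current.args = msg[len("args="):]
        elif current is not None and msg.startswith("Process finished, return code="):
            current.return_code = int(msg.rsplit("=", 1)[1])
        if level == "CRITICAL":
            critical.append(msg)
    return procs, critical


def triage(lines: List[str]) -> Triage:
    """Find failed external processes and match known error signatures."""
    procs, critical = parse_log(lines)
    failed = [p for p in procs if p.return_code not in (None, 0)]
    haystack = "\n".join(lines)  # signatures may also sit in pasted console output
    diagnoses: List[str] = []
    next_checks: List[str] = []
    for pattern, meaning, checks in SIGNATURES:
        if pattern.search(haystack):
            diagnoses.append(meaning)
            for check in checks:
                if check not in next_checks:
                    next_checks.append(check)
    return Triage(failed, critical, diagnoses, next_checks)


# Sample input: the failing section of ipareplica-install.log quoted in the thread.
SAMPLE_LOG = """\
2013-07-18T01:06:16Z DEBUG Starting external process
2013-07-18T01:06:16Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpFKBxMW
2013-07-18T01:08:16Z DEBUG Process finished, return code=1
2013-07-18T01:08:16Z DEBUG stdout=Loading deployment configuration from /tmp/tmpFKBxMW.
ERROR: Unable to access security domain: 503 Server Error: Service Unavailable
2013-07-18T01:08:16Z DEBUG stderr=
2013-07-18T01:08:16Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpFKBxMW' returned non-zero exit status 1
2013-07-18T01:08:16Z INFO The ipa-replica-install command failed, exception: RuntimeError: Configuration of CA failed
""".splitlines()


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for p in result.failed:
        print(f"failed at {p.started}: {p.args} (exit {p.return_code})")
        for line in p.output:
            print(f"    {line}")
    for d in result.diagnoses:
        print(f"likely cause: {d}")
    for c in result.next_checks:
        print(f"next check: {c}")
```

Run it against a real log with `triage(open("/var/log/ipareplica-install.log").read().splitlines())`; the point of the design is that the failing command and its own stdout are reported together, so the 503 from pkispawn is not lost among the Python traceback lines that follow it, and the signature table is the place to record further failure modes as they are understood.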
Re: [Freeipa-users] problem creating replica
I was just trying this again and noticed there is a /var/log/pki/pki-ca-spawn.20130719140342.log file with what I assume is the logging for the attempt to create the PKI. Right at the end is this entry.

2013-07-19 14:04:42 pkispawn: INFO ... unable to access security domain through REST interface. Trying old interface.
503 Server Error: Service Unavailable

Does anyone know what that means and how to fix it?

On 19 July 2013 12:46, Pete Brown <rendhal...@gmail.com> wrote:
> [...]
Re: [Freeipa-users] problem creating replica
I opened all the ports that seemed to be listening on the master. I also ran the setup again without disabling the connection check to see what else needed fixing.

After much investigation and log dredging it seems my admin password had expired. I wasn't aware that was possible. I reset the password and it seemed to get further.

Then, for some reason not mentioned in the documentation, the replica is trying to ssh into the master as admin. I managed to fix that by changing my setup and ssh config files. Then it actually managed to start the setup process.

But again it fails at exactly the same point mentioned in my initial email.

After some further digging with reference to the log output below it seems I have run into a bug that seems to have been fixed.
https://fedorahosted.org/freeipa/ticket/3213

As I mentioned I am running current Fedora 18 so freeipa is 3.1.5-1.fc18; is that fixed in my version?

It also seems the dogtag and IPA directories will be or have been merged? Which version did this happen in and will it get applied to my server?

Can anyone suggest how I go about fixing this issue?

I wanted to create a replica so I could upgrade to fedora 19 and not have to take my single instance of FreeIPA offline while that was happening. Will I need to upgrade to Fedora 19 to fix my issue?

For reference this is the point of failure in the /var/log/ipareplica-install.log file

2013-07-18T01:06:16Z DEBUG Starting external process
2013-07-18T01:06:16Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpFKBxMW
2013-07-18T01:08:16Z DEBUG Process finished, return code=1
2013-07-18T01:08:16Z DEBUG stdout=Loading deployment configuration from /tmp/tmpFKBxMW.
ERROR: Unable to access security domain: 503 Server Error: Service Unavailable
2013-07-18T01:08:16Z DEBUG stderr=
2013-07-18T01:08:16Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpFKBxMW' returned non-zero exit status 1
2013-07-18T01:08:16Z INFO   File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 619, in run_script
    return_value = main_function()
  File /usr/sbin/ipa-replica-install, line 652, in main
    (CA, cs) = cainstance.install_replica_ca(config, dogtag_master_ds_port)
  File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 1809, in install_replica_ca
    subject_base=config.subject_base)
  File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 625, in configure_instance
    self.start_creation(runtime=210)
  File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 358, in start_creation
    method()
  File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 744, in __spawn_instance
    raise RuntimeError('Configuration of CA failed')
2013-07-18T01:08:16Z INFO The ipa-replica-install command failed, exception: RuntimeError: Configuration of CA failed

On 17 July 2013 15:52, Pete Brown <rendhal...@gmail.com> wrote:
> Hi everyone,
>
> I am attempting to create a replica of my freeipa server. I am following the docs but they are not working for me. I am getting the vague impression I am missing a step that doesn't seem to be documented. For the record all the ports listed are open and it was a clean install of Fedora 18.
>
> I thought the server may need to be a client of the master before I set it up as a replica but it just said I needed to uninstall the client setup.
>
> After running ipa-replica-prepare on the master and scping the file to the new replica, I ran this command on the new replica:
>
>   ipa-replica-install --setup-ca --mkhomedir --ssh-trust-dns --setup-dns --forwarder=XXX.XXX.XXX.XX --forwarder=XX.XXX.XXX.XXX /var/lib/ipa/replica-info-ipa2.domain.com.gpg
>
> The error I am seeing from that command is this:
>
>   Cannot acquire Kerberos ticket: kinit: Cannot read password while getting initial credentials
>   Connection check failed!
>   Please fix your network settings according to error messages above.
>   If the check results are not valid it can be skipped with --skip-conncheck parameter.
>
> So I cleaned everything off (I think) and tried it with this command:
>
>   ipa-replica-install --setup-ca --mkhomedir --ssh-trust-dns --setup-dns --forwarder=61.9.211.33 --forwarder=61.9.211.1 --skip-conncheck /var/lib/ipa/replica-info-ipa2.webgatetec.com.gpg
>
> This seems to actually start the install and setup process I remember from installing the ipa server initially. Then it fails with this output:
>
>   WARNING: conflicting timedate synchronization service 'chronyd' will be disabled in favor of ntpd
>   Directory Manager (existing master) password:
>   Configuring NTP daemon (ntpd)
>     [1/4]: stopping ntpd
>     [2/4]: writing configuration
>     [3/4]: configuring ntpd to start on boot
>     [4/4]: starting ntpd
>   Done configuring NTP daemon (ntpd).
>   Configuring directory server (dirsrv): Estimated time 1 minute
>     [1/31]: creating directory server user
>     [2/31]: creating directory server instance
>     [3/31]:
Re: [Freeipa-users] Problem creating replica file
On 04/16/2012 05:14 PM, Jorge Argibay Molina wrote:
> Hi,
>
> I'm in the testing phase of the deployment of FreeIPA in my network. So far I've been able to configure the server, and several clients. What I've been unable to do, and seems very easy going through the documentation, is generate the replica.
>
> Whenever I do:
>
>   ipa-replica-prepare hades.watea.com.ar --ip-address 192.168.1.180
>
> I get
>
>   Directory Manager (existing master) password:
>   Warning: Hostname (hades.watea.com.ar) not found in DNS
>   Preparing replica for hades.watea.com.ar from ares.watea.com.ar
>   Creating SSL certificate for the Directory Server
>   Certificate issuance failed
>
> I'm attaching the pki-ca debug log, where I get an error.
>
> I'm out of ideas. Can anyone suggest what may be broken or any documentation that has a suggestion about fixing this issue?

Please provide package versions for the ipa, 389 and dogtag.
Did you use any specific certificate related option when you installed the first IPA master?

> Thanks
>
> Jorge Argibay
> jorge.argi...@watea.com.ar
> Tel.: (+54) 11 5277 0305 Int.: 4900
> Cel: (+549) 11 4028 4900
> USA: (+1) 786 866 7837 Int.: 4900
> C. Rica: (+506) 4000 1650 Int.: 4900

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/