On Thu, Feb 10, 2011 at 09:01:52AM -0700, Rich Megginson wrote:
> On 02/10/2011 08:57 AM, Christopher Wood wrote:
> >On Thu, Feb 10, 2011 at 08:42:45AM -0700, Rich Megginson wrote:
> >>On 02/10/2011 08:23 AM, Christopher Wood wrote:
> >>>On Thu, Feb 10, 2011 at 08:11:09AM -0700, Rich Megginson wrote:
> >>>>On 02/10/2011 07:45 AM, Christopher Wood wrote:
> >>>>>On Wed, Feb 09, 2011 at 05:49:28PM -0700, Rich
> >>>>>Megginson wrote:
> >>>>>>On 02/09/2011 07:59 AM, Christopher Wood wrote:
> >>>>>>>On Tue, Feb 08, 2011 at 06:14:27PM -0700, Rich Megginson wrote:
> >>>>>>>>On 02/08/2011 04:11 PM, Christopher Wood wrote:
> >>>>>>>>>These bugs are almost exactly the issue I'm experiencing:
> >>>>>>>>>
> >>>>>>>>>https://bugzilla.redhat.com/show_bug.cgi?id=430499
> >>>>>>>>>https://bugzilla.redhat.com/show_bug.cgi?id=442103
> >>>>>>>>>
> >>>>>>>>>In my case, the admin server on host1 can use the "Manage
> >>>>>>>>>Certificates" button on the admin server, and the directory server
> >>>>>>>>>installed on the same host. So the bug is not happening to me.
> >>>>>>>>>
> >>>>>>>>>However, I get "java.net.ConnectException: Connection refused" when
> >>>>>>>>>I use the "Manage Certificates" button on host2's directory server
> >>>>>>>>>that I registered with host1's admin server.
> >>>>>>>>>
> >>>>>>>>>I don't get any output on the console when I repeat this procedure
> >>>>>>>>>having run 389-console from the command line. I don't see anything
> >>>>>>>>>immediately obvious under /var/log/dirsrv/*/errors on both servers.
> >>>>>>>>>I can run ldapsearch against ldaps://host1 and ldaps://host2.
> >>>>>>>>>
> >>>>>>>>>Would you list denizens possibly have any hints as to how to
> >>>>>>>>>troubleshoot this?
> >>>>>>>>389-console -D 9 -f console.log - paste the log to fpaste.org or
> >>>>>>>>similar - be sure to remove or obscure any sensitive information -
> >>>>>>>>post the link here
> >>>>>>>Thank you, I appreciate it.
> >>>>>>>
> >>>>>>>The full paste: http://fpaste.org/mgYb/
> >>>>>>>
> >>>>>>>My procedure was to run 389-console with the above command line, click
> >>>>>>>"Manage Certificates" in the directory server on the same host as the
> >>>>>>>admin server ("host1"), then close that and click "Manage
> >>>>>>>Certificates" in the directory server on the other host ("host2").
> >>>>>>>
> >>>>>>>Just from reading along as I clicked buttons, it appears that the
> >>>>>>>console is trying to itself talk to an admin server on host2. There is
> >>>>>>>no admin server running on that host since I registered the directory
> >>>>>>>server on host2 with the admin server on host1.
> >>>>>>Even if you use setup-ds-admin.pl to create a directory server and
> >>>>>>register it with another configuration directory server, there
> >>>>>>always has to be one admin server running on each machine. The
> >>>>>>admin server executes CGIs, such as the log viewer, server process
> >>>>>>management, etc. - tasks that must be done outside of the directory
> >>>>>>server process.
> >>>>>>>ResourceSet: found in cache
> >>>>>>>loader9690857:com.netscape.management.client.security.securityResource
> >>>>>>>CommManager> New CommRecord
> >>>>>>>(http://host2.mycompany.com:3389/admin-serv/tasks/configuration/SecurityOp)
> >>>>>>>java.net.ConnectException: Connection refused
> >>>>>>The admin server should always be running, unless you explicitly
> >>>>>>shut it down.
> >>>>>In my case (host1 having admin/ds and host2 just having ds), I
> >>>>>registered host2's directory server with host1's config directory
> >>>>>server. However, host2's admin server failed to start.
> >>>>>From /var/log/dirsrv/admin-serv/error when I try to start it manually:
> >>>>>
> >>>>>[root@host2 admin-serv]# cat /var/log/dirsrv/admin-serv/error
> >>>>>[Wed Feb 09 13:01:29 2011] [crit] host_ip_init(): PSET failure: Failed
> >>>>>to create PSET handle (pset error = )
> >>>>>Configuration Failed
> >>>>>[Thu Feb 10 09:22:51 2011] [crit] host_ip_init(): PSET failure: Failed
> >>>>>to create PSET handle (pset error = )
> >>>>>Configuration Failed
> >>>>Start the admin server like this:
> >>>>/usr/sbin/start-ds-admin -e debug
> >>>>then post the admin server error log
> >>>http://fpaste.org/kIAu/
> >>Can you paste your /etc/dirsrv/admin-serv/adm.conf and local.conf?
> >adm.conf from host2: http://pastebin.com/HqL8c1hK
> ldapurl: ldaps://host1/o=NetscapeRoot
>
> host1 has to be the fqdn of host1 since you're using ldaps.

In the original it is the fqdn.

> Did you install, into the cert db in /etc/dirsrv/admin-serv, the CA
> certificate of the CA that issued the server cert of host1?

Aha. Before running the setup-ds-admin.pl script I did not manually install the CA certs into the dirsrv/admin-serv cert dbs on host2. That appears to be my skipped step. I will try this again with that step included.

> If the above are "yes", paste excerpts from the access log of host1
> showing the connection attempts from host2.
> >local.conf from host2: http://pastebin.com/xGpYJyUs
> >
> >Also, I should say that I used host1's "Configuration directory server admin
> >domain" when I was filling in configuration directory server details in
> >host2's setup-ds-admin.pl. (It seemed sensible at the time.)
> >
> >>>>>> From /tmp/setuphtlOC3.log on host2 (I chose a "Typical" (2) setup):
> >>>>>[11/02/09:13:01:28] - [Setup] Info Starting admin server . . .
> >>>>>[11/02/09:13:01:29] - [Setup] Fatal Failed to create and configure the
> >>>>>admin server
> >>>>>[11/02/09:13:01:29] - [Setup] Fatal Exiting . . .
> >>>>>
> >>>>>That happened every time when in the setup-ds-admin.pl stage on
> >>>>>something other than host1 where I would pick
> >>>>>ldaps://host1/o=NetscapeRoot as the configuration directory server url.
> >>>>>Of course, for the setup on host1 I set everything up with basically
> >>>>>defaults and added the encryption later. Not certain if that's
> >>>>>pertinent, though.
> >>>>>
> >>>>>I'm starting to think that I've misread something in the install docs,
> >>>>>will re-read.
> >>>>>
> >>>>>>>admserv version = null
> >--
> >389 users mailing list
> >389-users@lists.fedoraproject.org
> >https://admin.fedoraproject.org/mailman/listinfo/389-users
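
The two conditions raised in the reply quoted above (a fully qualified host in `ldapurl` when it uses ldaps, and the issuing CA trusted in the `/etc/dirsrv/admin-serv` cert db) can be checked before re-running setup. This is an added example, not part of the original thread or of the 389 project's code; the function names and sample inputs are constructed, and it assumes the usual `certutil -L` listing layout.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed for illustration.

# Print the host from the "ldapurl:" line of adm.conf text on stdin.
ldapurl_host() {
    sed -n 's|^ldapurl:[[:space:]]*ldaps\{0,1\}://\([^/:]*\).*|\1|p' | head -n 1
}

# Succeed if the "ldapurl:" line on stdin uses the ldaps scheme.
uses_ldaps() { grep -q '^ldapurl:[[:space:]]*ldaps://'; }

# Succeed if $1 has at least two non-empty dot-separated labels.
is_fqdn() {
    case "$1" in
        ""|.*|*.|*..*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if "certutil -L" output on stdin has an entry whose SSL trust flags
# (first of the three fields) include C, a CA trusted to issue server certs.
has_trusted_ca() {
    awk '$NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
             split($NF, t, ","); if (t[1] ~ /C/) found = 1 }
         END { exit !found }'
}

# preflight ADM_CONF_TEXT CERTUTIL_LISTING: print each problem; status = problem count.
preflight() {
    problems=0
    host=$(printf '%s\n' "$1" | ldapurl_host)
    if printf '%s\n' "$1" | uses_ldaps; then
        is_fqdn "$host" ||
            { echo "ldapurl host '$host' is not fully qualified"; problems=$((problems + 1)); }
        printf '%s\n' "$2" | has_trusted_ca ||
            { echo "cert db has no CA trusted for SSL"; problems=$((problems + 1)); }
    fi
    return "$problems"
}

# Constructed inputs: short host name, and a cert db holding only a server cert.
SAMPLE_ADM_CONF='ldapurl: ldaps://host1/o=NetscapeRoot'
SAMPLE_CERTDB='Certificate Nickname                Trust Attributes
                                    SSL,S/MIME,JAR/XPI

Server-Cert                         u,u,u'

# Real use: preflight "$(cat /etc/dirsrv/admin-serv/adm.conf)" \
#                     "$(certutil -L -d /etc/dirsrv/admin-serv)"
preflight "$SAMPLE_ADM_CONF" "$SAMPLE_CERTDB" || echo "problems found: $?"
```

A passing listing still only shows that some CA is trusted for SSL; confirming it is the CA that issued host1's server certificate means comparing issuer names by hand.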