When I looked at one point, I noticed that /var/log/pki-ca/catalina.out was owned by root. And in fact the whole /var/log/pki-ca directory was owned by root.
If the CA process runs as pkiuser, that would explain the permission denied bit. Adam, please reproduce and do not clean up. I can go in at that point and try to figure out what went wrong.

Ade

On Wed, 2011-08-24 at 22:29 -0400, Adam Young wrote:
> Had some success earlier today, but I seem to be unable to replicate
> it. I've been working with the "full" proxy.conf file lately, and even
> that seems to be preventing a replica. It is quite possible that the
> problem is something on one of the two systems, as I've found that
> install/uninstall often leaves some of the files being owned by
> non-existent users. At this point, I'm not sure if the patch I've
> submitted will work on a vanilla system. Testing it has proven to be a
> pretty time consuming endeavour.
>
> Here's what I've gotten it down to:
>
> On one machine, run
>
>     ipa-server-install -U -r `hostname | tr '[:lower:]' '[:upper:]'` -p freeipa4all -a freeipa4all --setup-dns --no-forwarders
>
> Once that succeeds, I have to reset /etc/resolv.conf as the lab DNS
> server gets removed:
>
>     cp ~/resolve.conf /etc
>
> then
>
>     ipa-replica-prepare $REPLICA
>     scp /var/lib/ipa/replica-info-$REPLICA.gpg root@$REPLICA:
>
> On the replica:
>
>     ipa-replica-install --setup-ca replica-info-$HOSTNAME.gpg
>
> I have the firewall off on master and replica.
>
> At one point I had a replica install that worked with the Proxy, so I
> know it is possible, but for the last couple of hours this last command
> has been failing with:
>
>     creation of replica failed: Configuration of CA failed
>
> pkisilent reports the failure in the debug log, but not the URL it is
> trying to reach. I'm going to modify it to give some more information
> in the morning.
>
> I'm not seeing anything in /var/log/httpd/error|access.log on the
> master, which is weird.
>
> I see this in /var/log/ipareplica-conncheck.log. We should not be
> trying to do anything in /home/admin:
>
>     2011-08-24 21:52:18,544 DEBUG stderr=
>     2011-08-24 21:52:19,521 DEBUG args=/usr/bin/ssh -q -o StrictHostKeychecking=no -o UserKnownHostsFile=/dev/null ad...@vm-088.idm.lab.bos.redhat.com /usr/sbin/ipa-replica-conncheck --replica vm-116.idm.lab.bos.redhat.com --check-ca
>     2011-08-24 21:52:19,521 DEBUG stdout=Check connection from master to remote replica 'vm-116.idm.lab.bos.redhat.com':
>        Directory Service: Unsecure port (389): OK
>        Directory Service: Secure port (636): OK
>        Kerberos (88): OK
>        PKI-CA: Directory Service port (7389): OK
>        PKI-CA: Agent secure port (9443): OK
>        PKI-CA: EE secure port (9444): OK
>        PKI-CA: Admin secure port (9445): OK
>        PKI-CA: EE secure client auth port (9446): OK
>        PKI-CA: Unsecure port (9180): OK
>
>     Connection from master to replica is OK.
>
>     2011-08-24 21:52:19,522 DEBUG stderr=Could not chdir to home directory /home/admin: No such file or directory
>
> Ade Lee noticed that the replica install is failing before it ever
> attempts to talk to the Master, which corresponds with what I am
> seeing. I see in the PKI install log that
>
>     [2011-08-24 22:23:50] [error] FAILED run_command("/sbin/service pki-cad restart pki-ca"), exit status=1 output="Stopping pki-ca: [FAILED] Starting pki-ca: [ OK ]^M"
>
> Running this command by hand gets the same output.
>
> In less /var/log/pki-ca/catalina.out:
>
>     /var/lib/pki-ca/logs/catalina.out: Permission denied
>     /var/log/pki-ca/catalina.out (END)
>
> So it looks like another cleanup issue.
>
> _______________________________________________
> Pki-devel mailing list
> pki-de...@redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
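The ownership check Ade describes, written out as an added example (not code from the thread or from the pki-ca project): a POSIX shell function that lists every path under a pki-ca log directory not owned by the account the CA runs as, so a root-owned catalina.out left behind by a previous install shows up before `service pki-cad restart` fails. It assumes GNU `stat`; the directories and the pkiuser account are the ones named in the thread, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Reports every path under a pki-ca
# log directory whose owner is not the account the CA runs as (the
# thread's pkiuser), which is the condition behind the
# "catalina.out: Permission denied" failure above. Assumes GNU stat.
#
# Usage: check_log_owner DIR USER
#   returns 0 if everything under DIR is owned by USER, 1 if something
#   is not (mismatches printed as "owner path"), 2 if DIR does not exist.
check_log_owner() {
    dir=$1
    want=$2
    if [ ! -d "$dir" ]; then
        echo "check_log_owner: no such directory: $dir" >&2
        return 2
    fi
    # stat -c '%U %n' prints "owner path" for each entry; awk keeps the
    # lines whose owner field differs from the expected account.
    bad=$(find "$dir" -exec stat -c '%U %n' {} + | awk -v want="$want" '$1 != want')
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Check both locations named in the thread: /var/log/pki-ca and the
# /var/lib/pki-ca/logs path from the Permission denied message. A missing
# directory counts as a failure, since the CA cannot log into it either.
check_pki_ca_logs() {
    user=${1:-pkiuser}
    rc=0
    for d in /var/log/pki-ca /var/lib/pki-ca/logs; do
        check_log_owner "$d" "$user" || rc=1
    done
    return $rc
}

# Run the system-wide check only when invoked directly with a user name;
# when sourced (e.g. by a test) nothing runs.
if [ "$#" -ge 1 ]; then
    check_pki_ca_logs "$1"
fi
```

Running `sh check-pki-owner.sh pkiuser` prints the offending paths and exits 1; the remedy in the thread's case would be to re-own them to the CA account rather than to run the CA as root.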