On 11/29/2016 12:43 PM, David Kupka wrote:
> On 29/11/16 12:15, David Dejaeghere wrote:
>> Seems like it is but it does not show a server cert for dirsrv
>>
>> [root@ns02 ~]# ls -lZ /etc/dirsrv/slapd-SOMETHING-BE/
>> total 468
>> -rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db
>> -rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db.orig
>> -r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  1623 Nov 29 11:29 certmap.conf
>> -rw-------. 1 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0      89977 Nov 29 11:29 dse.ldif
>> -rw-------. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0      89977 Nov 29 11:29 dse.ldif.bak
>> -rw-------. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0      89977 Nov 29 11:29 dse.ldif.startOK
>> -r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 36228 Nov 29 11:28 dse_original.ldif
>> -rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db
>> -rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db.orig
>> -r--------. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0    66 Nov 29 11:29 pin.txt
>> -rw-------. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0    40 Nov 29 11:29 pwdfile.txt
>> drwxrwx---. 2 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  4096 Nov 29 11:29 schema
>> -rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db
>> -rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db.orig
>> -r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 15142 Nov 29 11:28 slapd-collations.conf
>>
>> [root@ns02 ~]# certutil -d /etc/dirsrv/slapd-SOMETHING-BE -L
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> CN=something-PAPRIKA-CA,DC=something,DC=local                CT,C,C
>> SOMETHING.BE IPA CA                                          CT,C,C
>> [root@ns02 ~]# certutil -d /etc/dirsrv/slapd-SOMETHING-BE -L
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> CN=something-PAPRIKA-CA,DC=something,DC=local                CT,C,C
>> SOMETHING.BE IPA CA                                          CT,C,C
>>
>> [root@ns02 ~]# ausearch -m avc -i
>> <no matches>
>>
>
> Exactly, the NSSDB should be accessible to dirsrv and is missing the
> Server-Cert but I don't understand why there's "bad database" error in
> the errors log. I'll try to reproduce it. What version of FreeIPA are
> you using? On what system?

Right. Seems a bit similar to https://fedorahosted.org/freeipa/ticket/6514; it would be good to check if it has the same symptoms, mainly that the certmonger request is in state dbus.String(u'CA_UNREACHABLE', variant_level=1) in the replica install log.

>> 2016-11-29 12:09 GMT+01:00 David Kupka <dku...@redhat.com>:
>>
>>> On 29/11/16 11:51, David Dejaeghere wrote:
>>>
>>>> Hi,
>>>>
>>>> I have a setup where I want to add a replica. The first master setup has
>>>> an externally signed cert for dirsrv and httpd. The replica is prepared
>>>> successfully with ipa-client-install but the replica install then keeps
>>>> failing. It seems that during install dirsrv is not configured correctly
>>>> with a valid server certificate. Output from the dirsrv error added to this
>>>> email as well.
>>>>
>>>> [root@ns02 ~]# ipa-replica-install --setup-ca
>>>> WARNING: conflicting time&date synchronization service 'chronyd' will
>>>> be disabled in favor of ntpd
>>>>
>>>> Run connection check to master
>>>> Connection check OK
>>>> Configuring NTP daemon (ntpd)
>>>>   [1/4]: stopping ntpd
>>>>   [2/4]: writing configuration
>>>>   [3/4]: configuring ntpd to start on boot
>>>>   [4/4]: starting ntpd
>>>> Done configuring NTP daemon (ntpd).
>>>> Configuring directory server (dirsrv). Estimated time: 1 minute
>>>>   [1/43]: creating directory server user
>>>>   [2/43]: creating directory server instance
>>>>   [3/43]: restarting directory server
>>>>   [4/43]: adding default schema
>>>>   [5/43]: enabling memberof plugin
>>>>   [6/43]: enabling winsync plugin
>>>>   [7/43]: configuring replication version plugin
>>>>   [8/43]: enabling IPA enrollment plugin
>>>>   [9/43]: enabling ldapi
>>>>   [10/43]: configuring uniqueness plugin
>>>>   [11/43]: configuring uuid plugin
>>>>   [12/43]: configuring modrdn plugin
>>>>   [13/43]: configuring DNS plugin
>>>>   [14/43]: enabling entryUSN plugin
>>>>   [15/43]: configuring lockout plugin
>>>>   [16/43]: configuring topology plugin
>>>>   [17/43]: creating indices
>>>>   [18/43]: enabling referential integrity plugin
>>>>   [19/43]: configuring certmap.conf
>>>>   [20/43]: configure autobind for root
>>>>   [21/43]: configure new location for managed entries
>>>>   [22/43]: configure dirsrv ccache
>>>>   [23/43]: enabling SASL mapping fallback
>>>>   [24/43]: restarting directory server
>>>>   [25/43]: creating DS keytab
>>>>   [26/43]: retrieving DS Certificate
>>>>   [27/43]: restarting directory server
>>>> ipa         : CRITICAL Failed to restart the directory server (Command '/bin/systemctl restart dirsrv@SOMETHING-BE.service' returned non-zero exit status 1). See the installation log for details.
>>>>   [28/43]: setting up initial replication
>>>>   [error] error: [Errno 111] Connection refused
>>>> Your system may be partly configured.
>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>
>>>>
>>>> [29/Nov/2016:11:29:44.034285579 +0100] SSL alert: Security Initialization: Can't find certificate (Server-Cert) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
>>>> [29/Nov/2016:11:29:44.045039728 +0100] SSL alert: Security Initialization: Unable to retrieve private key for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
>>>>
>>> Hello David,
>>>
>>> The error from the log indicates that either the NSSDB for dirsrv is not
>>> initialized or not accessible.
>>>
>>> Could you please send output of the following commands?
>>>
>>> # ls -lZ /etc/dirsrv/slapd-$REALM/
>>> # certutil -d /etc/dirsrv/slapd-$REALM/ -L
>>> # ausearch -m avc -i
>>>
>>> --
>>> David Kupka

--
Petr Vobornik
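As an added example (not code from this thread or from FreeIPA), a small shell triage script for the two checks the replies ask for: whether the dirsrv NSS database actually holds a Server-Cert together with its private key, parsed from `certutil -L` output whose nicknames may contain spaces, and which certmonger request state the replica installer logged (the ticket 6514 symptom). The /var/log/ipareplica-install.log path is an assumption.

```shell
#!/bin/bash
# Constructed triage helpers for the symptom in this thread: dirsrv fails to
# restart with NSS error -8174 "bad database" because Server-Cert is absent.
# Not FreeIPA code. Paths assumed: /etc/dirsrv/slapd-$REALM (from the thread)
# and /var/log/ipareplica-install.log (assumed default installer log).

# nssdb_has_server_cert NICKNAME  < output-of-certutil-L
# Exit 0 only if NICKNAME is listed and its trust flags contain "u", i.e. the
# matching private key is present in the database; exit 1 otherwise.
nssdb_has_server_cert() {
    nick="${1:-Server-Cert}"
    # certutil -L prints "<nickname> <SSL>,<S/MIME>,<JAR/XPI>"; nicknames may
    # contain spaces, so treat the last field as the trust string.
    awk -v nick="$nick" '
        NF >= 2 {
            trust = $NF; $NF = ""; sub(/[ \t]+$/, "", $0)
            if ($0 == nick && trust ~ /u/) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# certmonger_request_state  < replica-install-log
# Prints the last certmonger request state the installer logged, e.g.
# CA_UNREACHABLE (the ticket 6514 symptom); prints nothing if none is found.
certmonger_request_state() {
    sed -n "s/.*dbus\.String(u'\([A-Z_]*\)', variant_level=1).*/\1/p" | tail -n 1
}

# triage_dirsrv REALM [INSTALL_LOG]  -- run the checks live on the replica.
triage_dirsrv() {
    db="/etc/dirsrv/slapd-$1"
    log="${2:-/var/log/ipareplica-install.log}"
    if certutil -d "$db" -L | nssdb_has_server_cert Server-Cert; then
        echo "OK: Server-Cert with private key present in $db"
    else
        echo "MISSING: no Server-Cert with private key in $db (dirsrv restart will fail with -8174)"
    fi
    state=$(certmonger_request_state < "$log")
    [ -n "$state" ] && echo "certmonger request state in $log: $state"
    # Ownership and SELinux context of the database files, as requested in the thread.
    ls -lZ "$db"
}
```

Source the file and run `triage_dirsrv SOMETHING-BE` on the replica; the two parsing functions can also be fed saved command output on another host.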