On 29/11/16 13:55, David Dejaeghere wrote:
Correct.  Same symptoms.

2016-11-29T10:29:42Z DEBUG certmonger request is in state dbus.String(u'CA_UNREACHABLE', variant_level=1)

Fedora 24 Server

[root@ns02 ~]# dnf history userinstalled
Packages installed by user
freeipa-client-4.3.2-2.fc24.x86_64
freeipa-server-4.3.2-2.fc24.x86_64
grub2-1:2.02-0.34.fc24.x86_64
kernel-4.5.5-300.fc24.x86_64
kernel-4.8.8-200.fc24.x86_64
lvm2-2.02.150-2.fc24.x86_64
xfsprogs-4.5.0-2.fc24.x86_64

Ok. I've reproduced it by simply stopping dogtag on the FreeIPA server while installing the replica. I now see exactly the same errors as you've reported and as are described in the ticket.

Is dogtag running on your master? Is it responding (e.g. issuing certificates for users)? Is it accessible from the replica?


2016-11-29 13:41 GMT+01:00 Petr Vobornik <pvobo...@redhat.com>:

On 11/29/2016 12:43 PM, David Kupka wrote:
On 29/11/16 12:15, David Dejaeghere wrote:
Seems like it is but it does not show a server cert for dirsrv

[root@ns02 ~]# ls -lZ /etc/dirsrv/slapd-SOMETHING-BE/
total 468
-rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db
-rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 65536 Nov 29 11:29 cert8.db.orig
-r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  1623 Nov 29 11:29 certmap.conf
-rw-------. 1 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0      89977 Nov 29 11:29 dse.ldif
-rw-------. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0      89977 Nov 29 11:29 dse.ldif.bak
-rw-------. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0      89977 Nov 29 11:29 dse.ldif.startOK
-r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 36228 Nov 29 11:28 dse_original.ldif
-rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db
-rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 key3.db.orig
-r--------. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0    66 Nov 29 11:29 pin.txt
-rw-------. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0    40 Nov 29 11:29 pwdfile.txt
drwxrwx---. 2 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  4096 Nov 29 11:29 schema
-rw-------. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db
-rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Nov 29 11:29 secmod.db.orig
-r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 15142 Nov 29 11:28 slapd-collations.conf

[root@ns02 ~]# certutil -d /etc/dirsrv/slapd-SOMETHING-BE -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=something-PAPRIKA-CA,DC=something,DC=local                CT,C,C
SOMETHING.BE IPA CA                                          CT,C,C

[root@ns02 ~]# ausearch -m avc -i
<no matches>



Exactly, the NSSDB should be accessible to dirsrv and is missing the Server-Cert, but I don't understand why there's a "bad database" error in the errors log. I'll try to reproduce it. What version of FreeIPA are you using? On what system?

Right.

Seems a bit similar to https://fedorahosted.org/freeipa/ticket/6514; it would be good to check if it has the same symptoms, mainly

  certmonger request is in state dbus.String(u'CA_UNREACHABLE', variant_level=1)

in the replica install log.




2016-11-29 12:09 GMT+01:00 David Kupka <dku...@redhat.com>:

On 29/11/16 11:51, David Dejaeghere wrote:

Hi,

I have a setup where I want to add a replica.  The first master setup has an externally signed cert for dirsrv and httpd.  The replica is prepared successfully with ipa-client-install, but the replica install then keeps failing.  It seems that during install dirsrv is not configured correctly with a valid server certificate. Output from the dirsrv errors log is added to this email as well.

[root@ns02 ~]# ipa-replica-install --setup-ca
WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd

Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/43]: creating directory server user
  [2/43]: creating directory server instance
  [3/43]: restarting directory server
  [4/43]: adding default schema
  [5/43]: enabling memberof plugin
  [6/43]: enabling winsync plugin
  [7/43]: configuring replication version plugin
  [8/43]: enabling IPA enrollment plugin
  [9/43]: enabling ldapi
  [10/43]: configuring uniqueness plugin
  [11/43]: configuring uuid plugin
  [12/43]: configuring modrdn plugin
  [13/43]: configuring DNS plugin
  [14/43]: enabling entryUSN plugin
  [15/43]: configuring lockout plugin
  [16/43]: configuring topology plugin
  [17/43]: creating indices
  [18/43]: enabling referential integrity plugin
  [19/43]: configuring certmap.conf
  [20/43]: configure autobind for root
  [21/43]: configure new location for managed entries
  [22/43]: configure dirsrv ccache
  [23/43]: enabling SASL mapping fallback
  [24/43]: restarting directory server
  [25/43]: creating DS keytab
  [26/43]: retrieving DS Certificate
  [27/43]: restarting directory server
ipa         : CRITICAL Failed to restart the directory server (Command '/bin/systemctl restart dirsrv@SOMETHING-BE.service' returned non-zero exit status 1). See the installation log for details.
  [28/43]: setting up initial replication
  [error] error: [Errno 111] Connection refused
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.


[29/Nov/2016:11:29:44.034285579 +0100] SSL alert: Security Initialization: Can't find certificate (Server-Cert) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
[29/Nov/2016:11:29:44.045039728 +0100] SSL alert: Security Initialization: Unable to retrieve private key for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)




Hello David,

The error from the log indicates that either the NSSDB for dirsrv is not initialized or not accessible.

Could you please send output of the following commands?

# ls -lZ /etc/dirsrv/slapd-$REALM/
# certutil -d /etc/dirsrv/slapd-$REALM/ -L
# ausearch -m avc -i


--
David Kupka



--
Petr Vobornik




--
David Kupka
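For the checks David Kupka asks for above (`certutil -d /etc/dirsrv/slapd-$REALM/ -L` on the replica's dirsrv NSSDB), here is an added example script; it is not code from the thread or from FreeIPA. It parses `certutil -L` output and flags the two conditions the SSL alerts in the thread name: no Server-Cert entry at all, or a Server-Cert without its private key (the "u" trust flag means the key is present in the key database). The two listings embedded in it are constructed from the thread's output; `check_dirsrv_nssdb` wraps the real certutil plus a GNU `stat` ownership check and is assumed to be run as root on the replica.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): inspect a dirsrv NSS database
# for the Server-Cert entry whose absence produces the "Can't find certificate
# (Server-Cert)" / "Unable to retrieve private key" SSL alerts.

# Constructed listing matching what the thread reports: CA certs only.
BROKEN_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=something-PAPRIKA-CA,DC=something,DC=local                CT,C,C
SOMETHING.BE IPA CA                                          CT,C,C'

# Constructed listing of a working replica NSSDB: Server-Cert with u,u,u,
# i.e. the matching private key is present in key3.db.
HEALTHY_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

SOMETHING.BE IPA CA                                          CT,C,C
Server-Cert                                                  u,u,u'

# nss_trust_flags LISTING NICKNAME
# Print the trust-attribute column for NICKNAME, or nothing if it is absent.
# Header and blank lines are skipped; the nickname is everything before the
# last whitespace-separated field, so nicknames containing spaces work.
nss_trust_flags() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[[:space:]]*$/ { next }
        /Certificate Nickname/ || /SSL,S\/MIME,JAR\/XPI/ { next }
        {
            flags = $NF
            line = $0
            sub(/[[:space:]]+[^[:space:]]+[[:space:]]*$/, "", line)
            sub(/^[[:space:]]+/, "", line)
            if (line == want) { print flags; exit }
        }'
}

# nss_has_cert LISTING NICKNAME -> exit 0 if the nickname is listed
nss_has_cert() {
    [ -n "$(nss_trust_flags "$1" "$2")" ]
}

# nss_has_private_key LISTING NICKNAME -> exit 0 if the SSL trust flag is "u"
nss_has_private_key() {
    case "$(nss_trust_flags "$1" "$2")" in
        u,*) return 0 ;;
        *)   return 1 ;;
    esac
}

# check_dirsrv_nssdb DIR
# Run the real certutil against an NSS database directory and report which
# of the thread's failure modes applies. Requires certutil and GNU stat.
check_dirsrv_nssdb() {
    dir=$1
    listing=$(certutil -d "$dir" -L 2>&1) || {
        echo "$dir: certutil failed: $listing"; return 2; }
    if ! nss_has_cert "$listing" Server-Cert; then
        echo "$dir: no Server-Cert entry (matches \"Can't find certificate (Server-Cert)\")"
        return 1
    fi
    if ! nss_has_private_key "$listing" Server-Cert; then
        echo "$dir: Server-Cert present but no private key (matches \"Unable to retrieve private key\")"
        return 1
    fi
    # dirsrv must be able to open the DB files; in the thread's ls -lZ they
    # are dirsrv-owned with mode 0600, which passes this check.
    for f in cert8.db key3.db secmod.db; do
        owner=$(stat -c %U "$dir/$f" 2>/dev/null || echo unknown)
        [ "$owner" = dirsrv ] || echo "$dir/$f: owned by $owner, not dirsrv"
    done
    echo "$dir: Server-Cert present with private key"
}

# Usage on a replica (hypothetical path from the thread):
#   sh nssdb_check.sh /etc/dirsrv/slapd-SOMETHING-BE
if [ -n "${1:-}" ]; then
    check_dirsrv_nssdb "$1"
fi
```

Run against the thread's listing the script reports the missing Server-Cert; a listing where Server-Cert shows trust "CT,C,C" or ",," rather than "u,u,u" would instead be reported as the private-key case, which is the second SSL alert in the errors log.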

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
