[Freeipa-users] Issue with replication install
Uzor Ide
ide4you at gmail.com
Fri Jun 3 14:28:02 UTC 2011
The IPA server is version 2.0.0 R3, which is supposed to install on fc14 with
some packages from the updates-testing repo, while the replica install is on
server 2.0.1.
Yes, there is no dogtagcert.p12 file; here are the files contained:
realm_info/httpcert.p12
realm_info/cacert.p12
realm_info/ldappwd
realm_info/ra.p12
realm_info/http_pin.txt
realm_info/realm_info
realm_info/configure.jar
realm_info/dscert.p12
realm_info/dirsrv_pin.txt
realm_info/pwdfile.txt.ori
realm_info/pwdfile.txt
realm_info/kpasswd.keytab
realm_info/preferences.htm
realm_info/ca.crt
I have upgraded the IPA box to fc15 and freeipa-2.0.1 in the quest to get a
correct replica package but that seems to have created another problem as it
has broken the tomcat and thus pki-ca.

Jun 3, 2011 10:09:29 AM org.apache.catalina.loader.WebappLoader start
SEVERE: LifecycleException
java.io.IOException: Failed to access resource /WEB-INF/lib/jakarta-commons-collections.jar
    at org.apache.catalina.loader.WebappLoader.setRepositories(WebappLoader.java:1050)
    at org.apache.catalina.loader.WebappLoader.start(WebappLoader.java:681)
    at org.apache.catalina.core.StandardContext.start(StandardContext.java:4541)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:799)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:779)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:546)
    at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
    at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
    at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
    at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
    at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1061)
    at org.apache.catalina.core.StandardHost.start(StandardHost.java:785)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
    at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:463)
    at org.apache.catalina.core.StandardService.start(StandardService.java:525)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:701)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:585)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:616)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Caused by: javax.naming.NamingException: Resource jakarta-commons-collections.jar not found
    at org.apache.naming.resources.FileDirContext.lookup(FileDirContext.java:209)
    at org.apache.catalina.loader.WebappLoader.setRepositories(WebappLoader.java:1048)
    ... 24 more

It seems to me that it is looking for jakarta-commons-collections.jar, which
exists but is a package from the old tomcat6-6.0.26.
Thanks
__Ide
On Thu, Jun 2, 2011 at 11:08 AM, Rob Crittenden <rcritten at redhat.com> wrote:
> Uzor Ide wrote:
>
>> Thanks Rob
>>
>> I did run the certutil -L -d /etc/dirsrv/slapd-PKI-IPA command; the
>> nssdb is empty
>> If the CA cert is supposed to exist there at that stage of install,
>> then that would be the problem.
>>
>> Both the slapd-PKI-IPA error and access logs do not contain much. I
>> attached them herein with the ipareplica-install.log.
>>
>>
> How old is the prepared replica file, and was it created with an older
> version of IPA?
>
> In one of the last release candidates we started creating a separate SSL
> certificate for the 389-ds instance used by dogtag. I get the feeling that
> doesn't exist which would explain why SSL is failing.
>
> You can check by doing something like:
> # gpg -d replica-info-<your-server>.gpg | tar tvf -
>
> The file you're looking for is dogtagcert.p12
>
> rob
>
>> thanks
>>
>> Ide
>>
>>
>> On Wed, Jun 1, 2011 at 11:40 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>> Uzor Ide wrote:
>>
>>
>> Hi all
>>
>> We are trying to set up a backup IPA server and decided to toe that
>> replication route.
>> The box is a fedora 14 with freeipa-2.0-RC2 which I upgraded to fedora
>> 15 and freeipa 2.0.1.
>> Note we first did ipa-server-install --uninstall before upgrading the
>> freeipa packages so as to make sure that the server is relatively clean.
>>
>> However when I run that ipa-replica-install command, I end up with the
>> following error in the ipareplica-install.log
>>
>> 2011-05-31 23:54:33,352 DEBUG args=/sbin/service dirsrv restart PKI-IPA
>> 2011-05-31 23:54:33,353 DEBUG stdout=Shutting down dirsrv:
>> PKI-IPA...[ OK ]
>> Starting dirsrv:
>> PKI-IPA...[FAILED]
>> *** Warning: 1 instance(s) failed to start
>>
>> 2011-05-31 23:54:33,354 DEBUG stderr=[31/May/2011:23:54:23 -0400] - SSL alert: Security Initialization: Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.)
>> [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed.
>>
>> 2011-05-31 23:54:33,497 DEBUG args=/sbin/service dirsrv status
>> 2011-05-31 23:54:33,500 DEBUG stdout=dirsrv PKI-IPA is stopped
>>
>> 2011-05-31 23:54:33,501 DEBUG stderr=
>> 2011-05-31 23:54:33,502 CRITICAL Failed to restart the directory server.
>> See the installation log for details.
>>
>> These are the tomcat rpms on the server
>>
>> tomcat5-servlet-2.4-api-5.5.31-3.fc15.noarch
>> tomcat6-jsp-2.1-api-6.0.30-6.fc15.noarch
>> tomcat6-6.0.30-6.fc15.noarch
>> tomcat6-servlet-2.5-api-6.0.30-6.fc15.noarch
>> tomcat6-lib-6.0.30-6.fc15.noarch
>> tomcat6-el-2.1-api-6.0.30-6.fc15.noarch
>> tomcatjss-2.1.1-1.fc15.noarch
>>
>> So the tomcat6 version is definitely greater than tomcat6-6-0.30-5.
>>
>> The /var/log/dirsrv/slapd-PKI-IPA/errors log does not show anything
>> different from the same,
>>
>> [31/May/2011:23:54:23 -0400] - SSL alert: Security Initialization: Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.)
>> [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed
>>
>>
>> Any help will be greatly appreciated
>>
>> Ide
>>
>>
>> I think we need more context. Can you compress and send
>> /var/log/ipareplica-install.log ?
>>
>> I'd also suggest looking at /var/log/dirsrv/PKI-IPA/access and
>> errors to see if there is anything interesting there.
>>
>> And can you provide the output for:
>>
>> certutil -L -d /etc/dirsrv/slapd-PKI-IPA
>>
>> It would seem that your 389-ds instance is missing a copy of the CA
>> cert.
>>
>> thanks
>>
>> rob
>>
>>
>>
>>
>>
>
>
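
The check suggested in the thread (list the prepared replica file and look for dogtagcert.p12), written as a reusable pre-install check. This is an added example, not part of the original messages or of FreeIPA; the names `REQUIRED_MEMBERS`, `missing_members`, `check_replica_file` and `sample_listing` are hypothetical, and the sample listing is constructed from file names posted above.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Function and variable names are
# hypothetical. Only dogtagcert.p12 is required here because it is the
# one file the thread names; extend the list for your own checks.
REQUIRED_MEMBERS="dogtagcert.p12"

# Read `tar tf` or `tar tvf` output on stdin and print every required
# member that is absent. Assumes member names contain no whitespace.
missing_members() {
    # Last whitespace field is the path; keep only its basename.
    names=$(awk 'NF { n = split($NF, p, "/"); print p[n] }')
    for want in $REQUIRED_MEMBERS; do
        # -x and -F: exact whole-name match, so dogtagcert.p12.bak does not count.
        printf '%s\n' "$names" | grep -qxF -- "$want" || printf '%s\n' "$want"
    done
}

# Decrypt a prepared replica file and run the check before installing.
# Returns non-zero when something is missing.
check_replica_file() {
    missing=$(gpg -d "$1" | tar tf - | missing_members)
    [ -z "$missing" ] && return 0
    printf 'missing from %s: %s\n' "$1" "$missing" >&2
    return 1
}

# Constructed sample: names from the listing posted in this thread, with
# made-up `tar tvf` columns, so the check runs without gpg or a real file.
sample_listing() {
    cat <<'EOF'
drwx------ root/root         0 2011-05-31 23:40 realm_info/
-rw------- root/root      2557 2011-05-31 23:40 realm_info/httpcert.p12
-rw------- root/root      3412 2011-05-31 23:40 realm_info/cacert.p12
-rw------- root/root      2621 2011-05-31 23:40 realm_info/ra.p12
-rw------- root/root      2549 2011-05-31 23:40 realm_info/dscert.p12
-rw-r--r-- root/root      1321 2011-05-31 23:40 realm_info/ca.crt
EOF
}

echo "sample listing lacks: $(sample_listing | missing_members)"
```

Running `check_replica_file replica-info-<your-server>.gpg` before ipa-replica-install stops early on a replica file prepared by an older release instead of failing later at the dirsrv SSL restart.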