[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Freeipa-users] Issue with replication install



I have corrected the problem with the ipa server, from the broken tomcat/pki-ca;

The problem comes a sym link that was created during the setup of pki-ca from PKI-HOME for
jakarta-commons-collections.jar to /usr/share/java/jakarta-commons-collections.jar.
This file is a member of jakarta-commons-collections rpm package in fc14. In fc15 jakarta-commons-collections package appears to have been renamed to apache-commons-collections and an equivalent file apache-commons-collections.jar is contained.
However when you upgrade, at least in my own case using preupgrade, it leaves
/var/lib/pki-ca/webapps/ca/WEB-INF/lib/jakarta-commons-collections.jar link orphaned. recreating the sym link to /usr/share/java/apache-commons-collections.jar fixes the problem.

I have create a new replica package and I see that it contained the dogtagcert.p12 file.

I will try to install the replica and see how it goes.

Thanks

__Ide




On Fri, Jun 3, 2011 at 10:28 AM, Uzor Ide <ide4you gmail com> wrote:
The IPA server is version 2.0.0 R3 which is supposed to install on fc14 with some packages from updates-testing repo, while the replica install is on server  2.0.1

Yes, there is no dogtagcert.p12 file; here are the files contained:
 realm_info/httpcert.p12
 realm_info/cacert.p12
 realm_info/ldappwd
 realm_info/ra.p12
 realm_info/http_pin.txt
 realm_info/realm_info
 realm_info/configure.jar
 realm_info/dscert.p12
 realm_info/dirsrv_pin.txt
 realm_info/pwdfile.txt.ori
 realm_info/pwdfile.txt
 realm_info/kpasswd.keytab
 realm_info/preferences.htm
 realm_info/ca.crt

I have upgraded the IPA  box to fc15 and freeipa-2.0.1 in the quest to get a correct replica package but that seems to have created another problem as it has broken the tomcat and thus pki-ca.

Jun 3, 2011 10:09:29 AM org.apache.catalina.loader.WebappLoader start
SEVERE: LifecycleException
java.io.IOException: Failed to access resource /WEB-INF/lib/jakarta-commons-collections.jar
        at org.apache.catalina.loader.WebappLoader.setRepositories(WebappLoader.java:1050)
        at org.apache.catalina.loader.WebappLoader.start(WebappLoader.java:681)
        at org.apache.catalina.core.StandardContext.start(StandardContext.java:4541)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:799)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:779)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:546)
        at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
        at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
        at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
        at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
        at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1061)
        at org.apache.catalina.core.StandardHost.start(StandardHost.java:785)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
        at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:463)
        at org.apache.catalina.core.StandardService.start(StandardService.java:525)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:701)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:585)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Caused by: javax.naming.NamingException: Resource jakarta-commons-collections.jar not found
        at org.apache.naming.resources.FileDirContext.lookup(FileDirContext.java:209)
        at org.apache.catalina.loader.WebappLoader.setRepositories(WebappLoader.java:1048)
        ... 24 more

It seems to me that it is looking for jakarta-commons-collections.jar which exist but is a package from the old tomcat6-6.0.26.


Thanks

__Ide




On Thu, Jun 2, 2011 at 11:08 AM, Rob Crittenden <rcritten redhat com> wrote:
Uzor Ide wrote:
Thanks Rob

I did run the certutil -L -d /etc/dirsrv/slapd-PKI-IPA command; the
nssdb is empty
If  the CA cert is supposed to exist there at that stage of install,
then that would be the problem.

Both the slapd-PKI-IPA error and access does not contain much. I
attached them herein with the ipareplica-install.log.


How old is the prepared replica file, and was it created with an older version of IPA?

In one of the last release candidates we started creating a separate SSL certificate for the 389-ds instance used by dogtag. I get the feeling that doesn't exist which would explain why SSL is failing.

You can check by doing something like:
# gpg -d replica-info-<your-server>.gpg | tar tvf -

The file you're looking for is dogtagcert.p12

rob
 thanks

Ide


On Wed, Jun 1, 2011 at 11:40 AM, Rob Crittenden <rcritten redhat com
<mailto:rcritten redhat com>> wrote:

   Uzor Ide wrote:


       Hi all

       We are trying to setup a backup IPA server and decided to toe that
       replication route.
       The box is a fedora 14 with freeipa-2.0-RC2 which I upgraded to
       fedora
       15 and freeipa 2.0.1.
       Note we first did ipa-server-install --uninstall before
       upgrading the
       freeipa packages so as to make sure that the server is
       relatively clean.

       However when I run that ipa-replica-install command, I end up
       with the
       following error in the ipareplica-install.log

       2011-05-31 23:54:33,352 DEBUG args=/sbin/service dirsrv restart
       PKI-IPA
       2011-05-31 23:54:33,353 DEBUG stdout=Shutting down dirsrv:
            PKI-IPA...[  OK  ]
       Starting dirsrv:
            PKI-IPA...[FAILED]
          *** Warning: 1 instance(s) failed to start

       2011-05-31 23:54:33,354 DEBUG stderr=[31/May/2011:23:54:23
       -0400] - SSL
       alert: Security Initialization: Unable to authenticate (Netscape
       Portable Runtime error -8192 - An I/O error occurred during security
       authorization.)
       [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed.

       2011-05-31 23:54:33,497 DEBUG args=/sbin/service dirsrv status
       2011-05-31 23:54:33,500 DEBUG stdout=dirsrv PKI-IPA is stopped

       2011-05-31 23:54:33,501 DEBUG stderr=
       2011-05-31 23:54:33,502 CRITICAL Failed to restart the directory
       server.
       See the installation log for details.

       This are the tomcat rpms on the server

       tomcat5-servlet-2.4-api-5.5.31-3.fc15.noarch
       tomcat6-jsp-2.1-api-6.0.30-6.fc15.noarch
       tomcat6-6.0.30-6.fc15.noarch
       tomcat6-servlet-2.5-api-6.0.30-6.fc15.noarch
       tomcat6-lib-6.0.30-6.fc15.noarch
       tomcat6-el-2.1-api-6.0.30-6.fc15.noarch
       tomcatjss-2.1.1-1.fc15.noarch

       So the tomcat6 version is definitely greater than tomcat6-6-0.30-5.

       The /var/log/dirsrv/slapd-PKI-IPA/errors logs does not show any
       other
       thing different from same,

       [31/May/2011:23:54:23 -0400] - SSL alert: Security Initialization:
       Unable to authenticate (Netscape Portable Runtime error -8192 -
       An I/O
       error occurred during security authorization.)
       [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed


       Any help will be greatly appreciated

       Ide


   I think we need more context. Can you compress and send
   /var/log/ipareplica-install.log ?

   I'd also suggest looking at /var/log/dirsrv/PKI-IPA/access and
   errors to see if there is anything interesting there.

   And can you provide the output for:

   certutil -L -d /etc/dirsrv/slapd-PKI-IPA

   It would seem that your 389-ds instance is missing a copy of the CA
   cert.

   thanks

   rob




_______________________________________________
Freeipa-users mailing list
Freeipa-users redhat com
https://www.redhat.com/mailman/listinfo/freeipa-users




[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]