[Freeipa-users] Issue with replication install
Uzor Ide
ide4you at gmail.com
Mon Jun 6 20:27:34 UTC 2011
Anybody with idea why my replication setup is hanging at stage 4 of the 11
stage process.
#########################################################
Configuring directory server for the CA: Estimated time 30 seconds
[1/3]: creating directory server user
[2/3]: creating directory server instance
[3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 6 minutes
[1/11]: creating certificate server user
[2/11]: creating pki-ca instance
[3/11]: restarting certificate server
[4/11]: configuring certificate server instance
###############################################################
When I checked the pki-ca debug log, everything is okay until it gets to the
this stage and it keeps repeating the last entry.
####################################################################
[06/Jun/2011:16:00:13][http-9445-1]: DatabasePanel initializeConsumer:
initializeConsumer host: company.domain.com port: 7389
[06/Jun/2011:16:00:13][http-9445-1]: DatabasePanel initializeConsumer: start
modifying
[06/Jun/2011:16:00:14][http-9445-1]: DatabasePanel initializeConsumer:
Finish modification.
[06/Jun/2011:16:00:14][http-9445-1]: DatabasePanel initializeConsumer:
thread sleeping for 5 seconds.
[06/Jun/2011:16:00:19][http-9445-1]: DatabasePanel initializeConsumer:
finish sleeping.
[06/Jun/2011:16:00:19][http-9445-1]: DatabasePanel initializeConsumer:
Successfully initialize consumer
[06/Jun/2011:16:00:19][http-9445-1]: DatabasePanel comparetAndWaitEntries
checking ou=people,o=ipaca
[06/Jun/2011:16:00:30][http-9445-1]: DatabasePanel comparetAndWaitEntries
ou=people,o=ipaca not found, let's wait!
[06/Jun/2011:16:00:35][http-9445-1]: DatabasePanel comparetAndWaitEntries
checking ou=people,o=ipaca
[06/Jun/2011:16:00:35][http-9445-1]: DatabasePanel comparetAndWaitEntries
ou=people,o=ipaca not found, let's wait!
########################################################################
If leave for hours, it will continue will keep repeating the last entry.
In the catalina.out log, I get the following java execption
###########################################################################
INFO: Deploying web application directory ca
Jun 6, 2011 3:58:36 PM org.apache.catalina.startup.Catalina stopServer
SEVERE: Catalina.stop:
java.net.ConnectException: Connection refused
at java.net.PlainSocketImpl.socketConnect(Native Method)
at
java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:327)
at
java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:193)
at
java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:180)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:384)
at java.net.Socket.connect(Socket.java:546)
at java.net.Socket.connect(Socket.java:495)
at java.net.Socket.<init>(Socket.java:392)
at java.net.Socket.<init>(Socket.java:206)
at
org.apache.catalina.startup.Catalina.stopServer(Catalina.java:412)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:616)
at
org.apache.catalina.startup.Bootstrap.stopServer(Bootstrap.java:338)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:416)
32-bit osutil library loaded
32-bit osutil library loaded
CMS Warning: FAILURE: Cannot build CA chain. Error
java.security.cert.CertificateException: Certificate is not a PKCS #11
certificate|FAILURE: authz instance DirAclAuthz initialization failed and
skipped, error=Property internaldb.ldapconn.port missing value|
Server is started.
Jun 6, 2011 3:58:44 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory ROOT
#############################################################
While this points to connection failure, I don't know why that is so because
there is not firewall running on the two boxes, also I disabled selinux just
to make sure but it did not make any difference.
There is a bug number 643449 with this exception thrown here in bugzilla but
that issue was supposed to be caused by missing xalan-j2-serializer.jar file
in the tomcat5. This is tomcat6.
Please any help will be appreciated.
Thanks
__Ide
On Fri, Jun 3, 2011 at 2:32 PM, Uzor Ide <ide4you at gmail.com> wrote:
> I have corrected the problem with the ipa server, from the broken
> tomcat/pki-ca;
>
> The problem comes a sym link that was created during the setup of pki-ca
> from PKI-HOME for
> jakarta-commons-collections.jar to
> /usr/share/java/jakarta-commons-collections.jar.
> This file is a member of jakarta-commons-collections rpm package in fc14.
> In fc15 jakarta-commons-collections package appears to have been renamed to
> apache-commons-collections and an equivalent file
> apache-commons-collections.jar is contained.
> However when you upgrade, at least in my own case using preupgrade, it
> leaves
> /var/lib/pki-ca/webapps/ca/WEB-INF/lib/jakarta-commons-collections.jar link
> orphaned. recreating the sym link to
> /usr/share/java/apache-commons-collections.jar fixes the problem.
>
> I have create a new replica package and I see that it contained the
> dogtagcert.p12 file.
>
> I will try to install the replica and see how it goes.
>
> Thanks
>
> __Ide
>
>
>
>
>
> On Fri, Jun 3, 2011 at 10:28 AM, Uzor Ide <ide4you at gmail.com> wrote:
>
>> The IPA server is version 2.0.0 R3 which is supposed to install on fc14
>> with some packages from updates-testing repo, while the replica install is
>> on server 2.0.1
>>
>> Yes, there is no dogtagcert.p12 file; here are the files contained:
>> realm_info/httpcert.p12
>> realm_info/cacert.p12
>> realm_info/ldappwd
>> realm_info/ra.p12
>> realm_info/http_pin.txt
>> realm_info/realm_info
>> realm_info/configure.jar
>> realm_info/dscert.p12
>> realm_info/dirsrv_pin.txt
>> realm_info/pwdfile.txt.ori
>> realm_info/pwdfile.txt
>> realm_info/kpasswd.keytab
>> realm_info/preferences.htm
>> realm_info/ca.crt
>>
>> I have upgraded the IPA box to fc15 and freeipa-2.0.1 in the quest to get
>> a correct replica package but that seems to have created another problem as
>> it has broken the tomcat and thus pki-ca.
>>
>> Jun 3, 2011 10:09:29 AM org.apache.catalina.loader.WebappLoader start
>> SEVERE: LifecycleException
>> java.io.IOException: Failed to access resource
>> /WEB-INF/lib/jakarta-commons-collections.jar
>> at
>> org.apache.catalina.loader.WebappLoader.setRepositories(WebappLoader.java:1050)
>> at
>> org.apache.catalina.loader.WebappLoader.start(WebappLoader.java:681)
>> at
>> org.apache.catalina.core.StandardContext.start(StandardContext.java:4541)
>> at
>> org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:799)
>> at
>> org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:779)
>> at
>> org.apache.catalina.core.StandardHost.addChild(StandardHost.java:546)
>> at
>> org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
>> at
>> org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
>> at
>> org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
>> at
>> org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
>> at
>> org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
>> at
>> org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142)
>> at
>> org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1061)
>> at
>> org.apache.catalina.core.StandardHost.start(StandardHost.java:785)
>> at
>> org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
>> at
>> org.apache.catalina.core.StandardEngine.start(StandardEngine.java:463)
>> at
>> org.apache.catalina.core.StandardService.start(StandardService.java:525)
>> at
>> org.apache.catalina.core.StandardServer.start(StandardServer.java:701)
>> at org.apache.catalina.startup.Catalina.start(Catalina.java:585)
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> at
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>> at
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at java.lang.reflect.Method.invoke(Method.java:616)
>> at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
>> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
>> Caused by: javax.naming.NamingException: Resource
>> jakarta-commons-collections.jar not found
>> at
>> org.apache.naming.resources.FileDirContext.lookup(FileDirContext.java:209)
>> at
>> org.apache.catalina.loader.WebappLoader.setRepositories(WebappLoader.java:1048)
>> ... 24 more
>>
>> It seems to me that it is looking for jakarta-commons-collections.jar
>> which exist but is a package from the old tomcat6-6.0.26.
>>
>>
>> Thanks
>>
>> __Ide
>>
>>
>>
>>
>> On Thu, Jun 2, 2011 at 11:08 AM, Rob Crittenden <rcritten at redhat.com>wrote:
>>
>>> Uzor Ide wrote:
>>>
>>>> Thanks Rob
>>>>
>>>> I did run the certutil -L -d /etc/dirsrv/slapd-PKI-IPA command; the
>>>> nssdb is empty
>>>> If the CA cert is supposed to exist there at that stage of install,
>>>> then that would be the problem.
>>>>
>>>> Both the slapd-PKI-IPA error and access does not contain much. I
>>>> attached them herein with the ipareplica-install.log.
>>>>
>>>>
>>> How old is the prepared replica file, and was it created with an older
>>> version of IPA?
>>>
>>> In one of the last release candidates we started creating a separate SSL
>>> certificate for the 389-ds instance used by dogtag. I get the feeling that
>>> doesn't exist which would explain why SSL is failing.
>>>
>>> You can check by doing something like:
>>> # gpg -d replica-info-<your-server>.gpg | tar tvf -
>>>
>>> The file you're looking for is dogtagcert.p12
>>>
>>> rob
>>>
>>>> thanks
>>>>
>>>> Ide
>>>>
>>>>
>>>> On Wed, Jun 1, 2011 at 11:40 AM, Rob Crittenden <rcritten at redhat.com
>>>> <mailto:rcritten at redhat.com>> wrote:
>>>>
>>>> Uzor Ide wrote:
>>>>
>>>>
>>>> Hi all
>>>>
>>>> We are trying to setup a backup IPA server and decided to toe
>>>> that
>>>> replication route.
>>>> The box is a fedora 14 with freeipa-2.0-RC2 which I upgraded to
>>>> fedora
>>>> 15 and freeipa 2.0.1.
>>>> Note we first did ipa-server-install --uninstall before
>>>> upgrading the
>>>> freeipa packages so as to make sure that the server is
>>>> relatively clean.
>>>>
>>>> However when I run that ipa-replica-install command, I end up
>>>> with the
>>>> following error in the ipareplica-install.log
>>>>
>>>> 2011-05-31 23:54:33,352 DEBUG args=/sbin/service dirsrv restart
>>>> PKI-IPA
>>>> 2011-05-31 23:54:33,353 DEBUG stdout=Shutting down dirsrv:
>>>> PKI-IPA...[ OK ]
>>>> Starting dirsrv:
>>>> PKI-IPA...[FAILED]
>>>> *** Warning: 1 instance(s) failed to start
>>>>
>>>> 2011-05-31 23:54:33,354 DEBUG stderr=[31/May/2011:23:54:23
>>>> -0400] - SSL
>>>> alert: Security Initialization: Unable to authenticate (Netscape
>>>> Portable Runtime error -8192 - An I/O error occurred during
>>>> security
>>>> authorization.)
>>>> [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed.
>>>>
>>>> 2011-05-31 23:54:33,497 DEBUG args=/sbin/service dirsrv status
>>>> 2011-05-31 23:54:33,500 DEBUG stdout=dirsrv PKI-IPA is stopped
>>>>
>>>> 2011-05-31 23:54:33,501 DEBUG stderr=
>>>> 2011-05-31 23:54:33,502 CRITICAL Failed to restart the directory
>>>> server.
>>>> See the installation log for details.
>>>>
>>>> This are the tomcat rpms on the server
>>>>
>>>> tomcat5-servlet-2.4-api-5.5.31-3.fc15.noarch
>>>> tomcat6-jsp-2.1-api-6.0.30-6.fc15.noarch
>>>> tomcat6-6.0.30-6.fc15.noarch
>>>> tomcat6-servlet-2.5-api-6.0.30-6.fc15.noarch
>>>> tomcat6-lib-6.0.30-6.fc15.noarch
>>>> tomcat6-el-2.1-api-6.0.30-6.fc15.noarch
>>>> tomcatjss-2.1.1-1.fc15.noarch
>>>>
>>>> So the tomcat6 version is definitely greater than
>>>> tomcat6-6-0.30-5.
>>>>
>>>> The /var/log/dirsrv/slapd-PKI-IPA/errors logs does not show any
>>>> other
>>>> thing different from same,
>>>>
>>>> [31/May/2011:23:54:23 -0400] - SSL alert: Security
>>>> Initialization:
>>>> Unable to authenticate (Netscape Portable Runtime error -8192 -
>>>> An I/O
>>>> error occurred during security authorization.)
>>>> [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed
>>>>
>>>>
>>>> Any help will be greatly appreciated
>>>>
>>>> Ide
>>>>
>>>>
>>>> I think we need more context. Can you compress and send
>>>> /var/log/ipareplica-install.log ?
>>>>
>>>> I'd also suggest looking at /var/log/dirsrv/PKI-IPA/access and
>>>> errors to see if there is anything interesting there.
>>>>
>>>> And can you provide the output for:
>>>>
>>>> certutil -L -d /etc/dirsrv/slapd-PKI-IPA
>>>>
>>>> It would seem that your 389-ds instance is missing a copy of the CA
>>>> cert.
>>>>
>>>> thanks
>>>>
>>>> rob
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20110606/7c696412/attachment.htm>
More information about the Freeipa-users
mailing list