[Freeipa-users] Replica Server's ipactl does not control named after reinstallation

Dmitri Pal dpal at redhat.com
Sat Jan 10 23:10:31 UTC 2015


On 01/10/2015 05:47 PM, Sina Owolabi wrote:
>
> Yes, I've had this installed more than three years, and I upgrade from 
> time to time, not frequently because I don't want to break anything. I 
> just did an upgrade to the latest RHEL version about a week ago, when 
> the replica started acting up. Directory services would hang 
> indefinitely, and nothing else would function. So I took it down and 
> reinstalled ipa and resynced.
> Is there a fix I can apply?
>

Your situation has quite similar symptoms to the case of expired 
certificates.
What most likely happened is that the certificates were not renewed 
properly or not renewed properly on all servers.

Here is the procedure
http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
there have also been some threads as a lot of people hit this.

Check IPA mailing archives.
Rob Crittenden is the person who was hand holding other people on the 
list through this and similar procedures, so look for his posts.

But before you go there please check that this is actually the case and 
your certs in fact expired. Check all your servers.

Here is the pointer
http://www.freeipa.org/page/Troubleshooting#PKI_Issues


> On Jan 10, 2015 10:42 PM, "Dmitri Pal" <dpal at redhat.com 
> <mailto:dpal at redhat.com>> wrote:
>
>     On 01/10/2015 04:41 AM, Sina Owolabi wrote:
>
>         I've run ipa-dns-install after the fact now, and named is setup.
>         Strange, it used to work without me having to do this manually
>         (whenever I needed to take down a replica).
>         However when I ran dnsconfig-mod on the new replica, I get:
>
>           ipa dnsconfig-mod
>         ipa: ERROR: cert validation failed for
>         "CN=services01.mydom.com
>         <http://services01.mydom.com>,O=MYDOM.COM <http://MYDOM.COM>"
>         ((SEC_ERROR_UNTRUSTED_ISSUER)
>         Peer's certificate issuer has been marked as not trusted by
>         the user.)
>         ipa: ERROR: cert validation failed for
>         "CN=services.mydom.com <http://services.mydom.com>,O=MYDOM.COM
>         <http://MYDOM.COM>" ((SEC_ERROR_UNTRUSTED_ISSUER)
>         Peer's certificate issuer has been marked as not trusted by
>         the user.)
>         ipa: ERROR: cannot connect to Gettext('any of the configured
>         servers',
>         domain='ipa', localedir=None):
>         https://services01.mydom.com/ipa/xml,
>         https://services.mydom.com/ipa/xml
>
>
>     Can it be that your certs have expired and were not properly renewed?
>     How long have you been running this setup?
>     More than two years?
>     Have you been upgrading since early versions?
>
>
>
>         On Sat, Jan 10, 2015 at 10:22 AM, Sina Owolabi
>         <notify.sina at gmail.com <mailto:notify.sina at gmail.com>> wrote:
>
>             I did run it with --setup-dns.
>
>             [root at services01 ~]# ipa-replica-install --setup-dns
>             --forwarder=8.8.8.8 --forwarder=8.8.4.4
>             replica-info-services01.mydom.com.gpg
>
>             How can I fix this, please?
>
>             On Fri, Jan 9, 2015 at 8:33 PM, Rob Crittenden
>             <rcritten at redhat.com <mailto:rcritten at redhat.com>> wrote:
>
>                 Sina Owolabi wrote:
>
>                     Hi List,
>
>                     I've seen this happen on two occasions, now, in
>                     two different
>                     environments, one with RHEL6.6 and RHEL 6.3.
>
>                     I have issues with a replica sever, I delete the
>                     replication
>                     agreement, remove the server from ipa dns, run
>                     ipa-server-install
>                     --uninstall -U.
>                     Reboot the server, create new replication settings
>                     from the existing
>                     master, and restore the replica.
>                     Running ipactl status, I see:
>
>                       ipactl status
>                     Directory Service: RUNNING
>                     KDC Service: RUNNING
>                     KPASSWD Service: RUNNING
>                     MEMCACHE Service: RUNNING
>                     HTTP Service: RUNNING
>
>                     No DNS service listed. Named is not running.
>
>                     ipactl restart
>                     Restarting Directory Service
>                     Shutting down dirsrv:
>                          MYDOM-COM... [  OK  ]
>                     Starting dirsrv:
>                          MYDOM-COM... [  OK  ]
>                     Restarting KDC Service
>                     Stopping Kerberos 5 KDC:      [  OK  ]
>                     Starting Kerberos 5 KDC:      [  OK  ]
>                     Restarting KPASSWD Service
>                     Stopping Kerberos 5 Admin Server:     [  OK  ]
>                     Starting Kerberos 5 Admin Server:     [  OK  ]
>                     Restarting MEMCACHE Service
>                     Stopping ipa_memcached:     [  OK  ]
>                     Starting ipa_memcached:     [  OK  ]
>                     Restarting HTTP Service
>                     Stopping httpd:     [  OK  ]
>                     Starting httpd:     [  OK  ]
>
>                     Checking on named:
>                       service named status
>                     rndc: connect failed: 127.0.0.1#953: connection
>                     refused
>                     named is stopped
>                     # service named start
>                     Starting named:     [  OK  ]
>                     # service named status
>                     version: 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1
>                     CPUs found: 2
>                     worker threads: 2
>                     number of zones: 19
>                     debug level: 0
>                     xfers running: 0
>                     xfers deferred: 0
>                     soa queries in progress: 0
>                     query logging is OFF
>                     recursive clients: 0/0/1000
>                     tcp clients: 0/100
>                     server is up and running
>                     named (pid  25017) is running...
>
>                     But it does not resolve. Please what is happening
>                     and how can I fix this?
>                     I don't know what logs to provide, but please let
>                     me know what is
>                     necessary and I'll make them available.
>
>                 Bind is an optional service. You can either configure
>                 it at the time you
>                 install replica using the --setup-dns option or
>                 afterward using
>                 ipa-dns-install.
>
>                 rob
>
>
>
>     -- 
>     Thank you,
>     Dmitri Pal
>
>     Sr. Engineering Manager IdM portfolio
>     Red Hat, Inc.
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
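An added check for the advice above (confirm that the certs in fact expired, on every server) that is not from the thread or the FreeIPA project: it parses the output of certmonger's `getcert list` and flags tracked certificates that are past their expiry or not in MONITORING status. The field layout is assumed from memory, the sample output is constructed, and NOW is a constructed check date matching the thread.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the shape of `getcert list` output, trimmed to the
# fields this check uses; it is not output captured from the poster's servers.
SAMPLE = """Number of certificates and requests being tracked: 2.
Request ID '20120110101530':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-MYDOM-COM',nickname='Server-Cert'
\tsubject: CN=services01.mydom.com,O=MYDOM.COM
\texpires: 2016-01-10 10:15:30 UTC
\tauto-renew: yes
Request ID '20120110101545':
\tstatus: CA_UNREACHABLE
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
\tsubject: CN=services01.mydom.com,O=MYDOM.COM
\texpires: 2015-01-03 10:15:45 UTC
\tauto-renew: yes
"""

# Constructed check time (the date of the thread); use datetime.now(timezone.utc) live.
NOW = datetime(2015, 1, 10, 23, 0, 0, tzinfo=timezone.utc)

def parse_getcert(text):
    """Return one dict of 'field: value' pairs per 'Request ID' block."""
    entries = []
    for block in re.split(r"^Request ID ", text, flags=re.M)[1:]:
        lines = block.splitlines()
        entry = {"id": lines[0].strip().strip("':")}
        for line in lines[1:]:
            key, sep, val = line.strip().partition(":")
            if sep:
                entry[key.strip()] = val.strip()
        entries.append(entry)
    return entries

def find_problems(entries, now):
    """List (request id, subject, reasons) for certs that are expired or unhealthy."""
    problems = []
    for e in entries:
        reasons = []
        # getcert prints expiry in UTC; make the parsed value timezone-aware
        expires = datetime.strptime(e["expires"], "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)
        if expires <= now:
            reasons.append("expired " + e["expires"])
        if e.get("status") != "MONITORING":
            reasons.append("status " + e.get("status", "?"))
        if reasons:
            problems.append((e["id"], e.get("subject", "?"), reasons))
    return problems
```

On a real server, feed the stdout of `getcert list` to parse_getcert and run it on every master and replica, since a cert renewed on one server may still be expired on another.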
