[Pki-devel] Proxy/Port work status
Ade Lee
alee at redhat.com
Thu Aug 25 02:59:31 UTC 2011
When I looked at one point, I noticed that /var/log/pki-ca/catalina.out
was owned by root. And in fact the whole /var/log/pki-ca directory was
owned by root.
If the CA process runs as pkiuser, that would explain the permission
denied bit.
Adam, please reproduce and do not clean up. I can go in at that point
and try to figure out what went wrong.
Ade
On Wed, 2011-08-24 at 22:29 -0400, Adam Young wrote:
> Had some success earlier today, but I seem to be unable to replicate
> it. I've been working with the "full" proxy.conf file lately, and even
> that seems to be preventing a replica. It is quite possible that the
> problem is something on one of the two systems, as I've found that
> install/uninstall often leaves some of the files being owned by
> non-existent users. At this point, I'm not sure if the patch I've
> submitted will work on a vanilla system. Testing it has proven to be a
> pretty time consuming endeavour.
>
>
> Here's what I've gotten it down to:
>
> On one machine, run
>
> ipa-server-install -U -r ` hostname | tr '[:lower:]' '[:upper:]'` -p
> freeipa4all -a freeipa4all --setup-dns --no-forwarders
>
>
> once that succeeds, I have to reset /etc/resolv.conf as the lab DNS
> server gets removed:
>
> cp ~/resolve.conf /etc
>
> then
>
> ipa-replica-prepare $REPLICA
>
> scp /var/lib/ipa/replica-info-$REPLICA.gpg root@$REPLICA:
>
> On the replica:
>
> ipa-replica-install --setup-ca replica-info-$HOSTNAME.gpg
>
> I have firewall off on master and replica
>
>
> At one point I had a replica install that worked with the Proxy, so I
> know it is possible, but for the last couple of hours this last command
> has been failing with:
>
> creation of replica failed: Configuration of CA failed
>
>
>
> pkisilent reports the failure in the debug log, but not the URL it is
> trying to reach. I'm going to modify it to give some more information
> in the morning.
>
>
> I'm not seeing anything in /var/log/httpd/error|access.log on the
> master, which is weird.
>
>
> I see this in /var/log/ipareplica-conncheck.log. We should not be
> trying to do anything in /home/admin
>
>
> 2011-08-24 21:52:18,544 DEBUG stderr=
> 2011-08-24 21:52:19,521 DEBUG args=/usr/bin/ssh -q -o
> StrictHostKeychecking=no -o UserKnownHostsFile=/dev/null
> admin at vm-088.idm.lab.bos.redhat.com /usr/sbin/ipa-replica-conncheck
> --replica vm-116.idm.lab.bos.redhat.com --check-ca
> 2011-08-24 21:52:19,521 DEBUG stdout=Check connection from master to
> remote replica 'vm-116.idm.lab.bos.redhat.com':
> Directory Service: Unsecure port (389): OK
> Directory Service: Secure port (636): OK
> Kerberos (88): OK
> PKI-CA: Directory Service port (7389): OK
> PKI-CA: Agent secure port (9443): OK
> PKI-CA: EE secure port (9444): OK
> PKI-CA: Admin secure port (9445): OK
> PKI-CA: EE secure client auth port (9446): OK
> PKI-CA: Unsecure port (9180): OK
>
> Connection from master to replica is OK.
>
> 2011-08-24 21:52:19,522 DEBUG stderr=Could not chdir to home directory
> /home/admin: No such file or directory
>
>
>
> Ade Lee noticed that the replica install is failing before it ever
> attempts to talk to the Master, which corresponds with what I am
> seeing. I see in the PKI install log that
>
> [2011-08-24 22:23:50] [error] FAILED run_command("/sbin/service pki-cad
> restart pki-ca"), exit status=1 output="Stopping pki-ca: [FAILED]
> Starting pki-ca: [ OK ]^M"
>
>
> Running this command by hand gets the same output.
>
> In less /var/log/pki-ca/catalina.out
>
> /var/lib/pki-ca/logs/catalina.out: Permission denied
> /var/log/pki-ca/catalina.out (END)
>
>
> So it looks like another cleanup issue.
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
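Added example, not part of the original thread or of the PKI/IPA code: a POSIX shell check for the two ownership problems described above, files under a service directory such as /var/log/pki-ca that are not owned by the service account (pkiuser), and files whose owning UID no longer has a passwd entry after an install/uninstall cycle. The function name `audit_owner` and the output tags are assumptions made for this sketch; it relies on GNU `stat -c` and on `getent`.

```shell
#!/bin/sh
# audit_owner DIR OWNER
#   OWNER is a user name (e.g. pkiuser) or a numeric UID.
#   Prints one line per path under DIR not owned by OWNER:
#     WRONG_OWNER uid=N path   owner exists but is not OWNER (e.g. root)
#     ORPHAN_UID  uid=N path   owning UID has no passwd entry
#   Returns 0 if every path matches, 1 on any mismatch,
#   2 if OWNER is a name that does not resolve to a UID.
# Limitation: paths containing newlines are not handled.
audit_owner() {
    dir=$1
    want=$2
    case $want in
        ''|*[!0-9]*)
            # Not purely numeric: resolve the account name to a UID.
            want_uid=$(id -u "$want" 2>/dev/null) || {
                echo "NO_SUCH_USER $want"
                return 2
            }
            ;;
        *)  want_uid=$want ;;
    esac
    report=$(find "$dir" -exec stat -c '%u %n' {} + |
        while read -r uid path; do
            [ "$uid" = "$want_uid" ] && continue
            if getent passwd "$uid" >/dev/null 2>&1; then
                tag=WRONG_OWNER
            else
                tag=ORPHAN_UID
            fi
            printf '%s uid=%s %s\n' "$tag" "$uid" "$path"
        done)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Stand-alone use: sh audit_owner.sh /var/log/pki-ca pkiuser
if [ "$#" -ge 2 ]; then
    audit_owner "$1" "$2"
fi
```

Running it against /var/log/pki-ca and /var/lib/pki-ca before retrying the replica install shows whether a previous uninstall left paths the pkiuser process cannot write to.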