Tony Brian Albers via FreeIPA-users wrote: > On Thu, 2020-07-09 at 06:13 +0000, Tony Brian Albers via FreeIPA-users > wrote: >> Hi guys, >> >> This is a new install, software used is: >> ipa-server.x86_64 4.8.4-7.module+el8.2.0+6046+aaa49f96 >> 389-ds-base.x86_64 1.4.2.4-8.module+el8.2.0+5959+cfcaedbd >> >> I followed the install instructions in the documentation, and >> everything went fine. I haven't added any users or groups yet. >> >> I have a master and a replica. The master dies, but the replica seems >> totally happy. >> >> I restarted the master yesterday at 13:25. However, after a short >> time >> running, the log files in /var/log/pki/pki-tomcat/ca/debug.. starts >> filling up with java SocketExceptions like these: >> >> 2020-07-08 13:57:49 [profileChangeMonitor] SEVERE: Profile change >> monitor: Caught exception: netscape.ldap.LDAPException: Server or >> network error (81) >> netscape.ldap.LDAPException: Server or network error (81) >> at netscape.ldap.LDAPConnThread.networkError(Unknown Source) >> at netscape.ldap.LDAPConnThread.run(Unknown Source) >> at java.lang.Thread.run(Thread.java:748) >> >> 2020-07-08 13:57:49 [AuthorityMonitor] WARNING: AuthorityMonitor: >> Failed to execute LDAP search for lightweight CAs: >> netscape.ldap.LDAPException: Server or network error (81) >> netscape.ldap.LDAPException: Server or network error (81) >> at netscape.ldap.LDAPConnThread.networkError(Unknown Source) >> at netscape.ldap.LDAPConnThread.run(Unknown Source) >> at java.lang.Thread.run(Thread.java:748) >> >> 2020-07-08 13:57:49 [profileChangeMonitor] SEVERE: Unable to create >> socket: java.net.SocketException: Network is unreachable (connect >> failed) >> java.net.SocketException: Network is unreachable (connect failed) >> ... >> >> So it's pretty obvious that the LDAP server is not working properly. >> >> In /var/log/dirsrv/slapd-YAK2-NET/errors I see: >> >> 389-Directory/1.4.2.4 B2020.121.2358 >> fipa001.yak2.net:636 (/etc/dirsrv/slapd-YAK2-NET) >> >> [08/Jul/2020:13:25:36.982866396 +0200] - INFO - slapd_extract_cert - >> CA >> CERT NAME: YAK2.NET IPA CA >> [08/Jul/2020:13:25:37.002136210 +0200] - WARN - Security >> Initialization >> - SSL alert: Sending pin request to SVRCore. You may need to run >> systemd-tty-ask-password-agent to provide the password. >> [08/Jul/2020:13:25:37.030257707 +0200] - INFO - slapd_extract_cert - >> SERVER CERT NAME: Server-Cert >> [08/Jul/2020:13:25:37.049921505 +0200] - INFO - Security >> Initialization >> - SSL info: Enabling default cipher set. >> [08/Jul/2020:13:25:37.074564197 +0200] - INFO - Security >> Initialization >> - SSL info: Configured NSS Ciphers >> [08/Jul/2020:13:25:37.091262372 +0200] - INFO - Security >> Initialization >> - SSL info: TLS_AES_128_GCM_SHA256: enabled >> ... >> All ciphers enabled >> ... >> [08/Jul/2020:13:25:37.601009917 +0200] - INFO - Security >> Initialization >> - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, ma >> x: TLS1.2 >> [08/Jul/2020:13:25:37.616336615 +0200] - INFO - Security >> Initialization >> - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, >> max: TLS1.2 >> ... >> [08/Jul/2020:13:25:38.547791102 +0200] - NOTICE - bdb_start - >> Detected >> Disorderly Shutdown last time Directory Server was running, >> recovering >> database. >> [08/Jul/2020:13:25:38.792474100 +0200] - ERR - attrcrypt_unwrap_key - >> Failed to unwrap key for cipher AES >> [08/Jul/2020:13:25:38.817182778 +0200] - ERR - attrcrypt_cipher_init >> - >> Symmetric key failed to unwrap with the private key; Cert might have >> been renewed since the key is wrapped. To recover the encrypted >> contents, keep the wrapped symmetric key value. >> [08/Jul/2020:13:25:38.852524974 +0200] - ERR - attrcrypt_unwrap_key - >> Failed to unwrap key for cipher 3DES >> [08/Jul/2020:13:25:38.871423186 +0200] - ERR - attrcrypt_cipher_init >> - >> Symmetric key failed to unwrap with the private key; Cert might have >> been renewed since the key is wrapped. To recover the encrypted >> contents, keep the wrapped symmetric key value. >> [08/Jul/2020:13:25:38.880537833 +0200] - ERR - attrcrypt_init - All >> prepared ciphers are not available. Please disable attribute >> encryption. >> [08/Jul/2020:13:25:38.891681971 +0200] - ERR - attrcrypt_unwrap_key - >> Failed to unwrap key for cipher AES >> [08/Jul/2020:13:25:38.916694998 +0200] - ERR - attrcrypt_cipher_init >> - >> Symmetric key failed to unwrap with the private key; Cert might have >> been renewed since the key is wrapped. To recover the encrypted >> contents, keep the wrapped symmetric key value. >> [08/Jul/2020:13:25:38.925787580 +0200] - ERR - attrcrypt_unwrap_key - >> Failed to unwrap key for cipher 3DES >> [08/Jul/2020:13:25:38.934688993 +0200] - ERR - attrcrypt_cipher_init >> - >> Symmetric key failed to unwrap with the private key; Cert might have >> been renewed since the key is wrapped. To recover the encrypted >> contents, keep the wrapped symmetric key value. >> [08/Jul/2020:13:25:38.943696327 +0200] - ERR - attrcrypt_init - All >> prepared ciphers are not available. Please disable attribute >> encryption. > > > Right, so I tried doing what it says here: > https://access.redhat.com/solutions/461893 > > Basically remove all entries starting with: > dn: cn=AES,cn=encrypted attribute keys,cn=NetscapeRoot,cn=ldbm > database,cn=plugins,cn=config > > In /etc/dirsrv/sladp-instance/dse.ldif > > And then I rebooted. But when it came back up, pki-tomcat was still > acting up and systemd quickly set it to "failed". > > However, doing a 'systemctl restart [email protected]' > seemed to make it run. And soon I saw this in the dirsrv errors log: > > [09/Jul/2020:08:50:45.683765835 +0200] - INFO - NSMMReplicationPlugin - > bind_and_check_pwp - agmt="cn=meTofipa002.yak2.net" (fipa002:389): > Replication bind with GSSAPI auth resumed > > Seems that the communication with the replica is now ok. > > > Now pki-tomcat on the master has been running for 4 hours without any > errors. > > So this looks good. > > > But after a reboot, it's back, pki-tomcat debug-log: > > 2020-07-09 13:23:33 [main] SEVERE: Unable to create socket: > java.net.SocketException: Network is unreachable (connect failed) > java.net.SocketException: Network is unreachable (connect failed) > > And again, restarting [email protected] seems to fix it, > so it's like pki-tomcat tries to start before the LDAP server is ready > and then it just goes fubar. > > Any good ideas anyone?
How much memory does this system have? rob _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
