On 06/01/2011 11:40 AM, Rob Crittenden wrote: > Uzor Ide wrote: >> >> Hi all >> >> We are trying to setup a backup IPA server and decided to toe that >> replication route. >> The box is a fedora 14 with freeipa-2.0-RC2 which I upgraded to fedora >> 15 and freeipa 2.0.1. >> Note we first did ipa-server-install --uninstall before upgrading the >> freeipa packages so as to make sure that the server is relatively clean. >> >> However when I run that ipa-replica-install command, I end up with the >> following error in the ipareplica-install.log >> >> 2011-05-31 23:54:33,352 DEBUG args=/sbin/service dirsrv restart PKI-IPA >> 2011-05-31 23:54:33,353 DEBUG stdout=Shutting down dirsrv: >> PKI-IPA...[ OK ] >> Starting dirsrv: >> PKI-IPA...[FAILED] >> *** Warning: 1 instance(s) failed to start >> >> 2011-05-31 23:54:33,354 DEBUG stderr=[31/May/2011:23:54:23 -0400] - SSL >> alert: Security Initialization: Unable to authenticate (Netscape >> Portable Runtime error -8192 - An I/O error occurred during security >> authorization.) >> [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed. >> >> 2011-05-31 23:54:33,497 DEBUG args=/sbin/service dirsrv status >> 2011-05-31 23:54:33,500 DEBUG stdout=dirsrv PKI-IPA is stopped >> >> 2011-05-31 23:54:33,501 DEBUG stderr= >> 2011-05-31 23:54:33,502 CRITICAL Failed to restart the directory server. >> See the installation log for details. >> >> This are the tomcat rpms on the server >> >> tomcat5-servlet-2.4-api-5.5.31-3.fc15.noarch >> tomcat6-jsp-2.1-api-6.0.30-6.fc15.noarch >> tomcat6-6.0.30-6.fc15.noarch >> tomcat6-servlet-2.5-api-6.0.30-6.fc15.noarch >> tomcat6-lib-6.0.30-6.fc15.noarch >> tomcat6-el-2.1-api-6.0.30-6.fc15.noarch >> tomcatjss-2.1.1-1.fc15.noarch >> >> So the tomcat6 version is definitely greater than tomcat6-6-0.30-5. >> >> The /var/log/dirsrv/slapd-PKI-IPA/errors logs does not show any other >> thing different from same, >> >> [31/May/2011:23:54:23 -0400] - SSL alert: Security Initialization: >> Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O >> error occurred during security authorization.) >> [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed >> >> >> Any help will be greatly appreciated >> >> Ide > > I think we need more context. Can you compress and send > /var/log/ipareplica-install.log ? > > I'd also suggest looking at /var/log/dirsrv/PKI-IPA/access and errors > to see if there is anything interesting there. > > And can you provide the output for: > > certutil -L -d /etc/dirsrv/slapd-PKI-IPA > > It would seem that your 389-ds instance is missing a copy of the CA cert. > > thanks > > rob > > _______________________________________________ > Freeipa-users mailing list > [email protected] > https://www.redhat.com/mailman/listinfo/freeipa-users > > I just for the record, I did a similar thing yesterday. I had F14 with old ipa instance. I did ipa-server-install -- uninstall removed ipa packages Upgraded Fedora. Installed new IPA packages Ran install and hit a similar error.
It seems that ipa-server uninstall does not destroy all the instances correctly for the PKI. So when the package is updated and the install is rerun it fails since there is a PKI DS instance. This might be a bug in the uninstall that we already fixed. To clean the system I ran the --uninstall several times. Each time it was failing but moving further. At some point it was successful and I was able to install. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ _______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
