On 01/10/2015 05:47 PM, Sina Owolabi wrote:
Yes, I've had this installed more than three years, and I upgrade from
time to time, not frequently because I don't want to break anything. I
just did an upgrade to the latest RHEL version about a week ago, when
the replica started acting up. Directory services would hang
indefinitely, and nothing else would function. So I took it down and
reinstalled ipa and resynced.
Is there a fix I can apply?
Your situation has quite similar symptoms to the case of expired
certificates.
What most likely happened is that the certificates were not renewed
properly, or not renewed properly on all servers.
Here is the procedure:
http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
There have also been some threads, as a lot of people hit this.
Check the IPA mailing list archives.
Rob Crittenden is the person who was hand-holding other people on the
list through this and similar procedures, so look for his posts.
But before you go there, please check that this is actually the case and
your certs in fact expired. Check all your servers.
Here is the pointer:
http://www.freeipa.org/page/Troubleshooting#PKI_Issues
On Jan 10, 2015 10:42 PM, "Dmitri Pal" <[email protected]> wrote:
On 01/10/2015 04:41 AM, Sina Owolabi wrote:
I've run ipa-dns-install after the fact now, and named is set up.
Strange, it used to work without me having to do this manually
(whenever I needed to take down a replica).
However, when I ran ipa dnsconfig-mod on the new replica, I get:
ipa dnsconfig-mod
ipa: ERROR: cert validation failed for "CN=services01.mydom.com,O=MYDOM.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
ipa: ERROR: cert validation failed for "CN=services.mydom.com,O=MYDOM.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
ipa: ERROR: cannot connect to Gettext('any of the configured servers', domain='ipa', localedir=None): https://services01.mydom.com/ipa/xml, https://services.mydom.com/ipa/xml
Can it be that your certs have expired and were not properly renewed?
How long have you been running this setup?
More than two years?
Have you been upgrading since early versions?
On Sat, Jan 10, 2015 at 10:22 AM, Sina Owolabi <[email protected]> wrote:
I did run it with --setup-dns.
[root@services01 ~]# ipa-replica-install --setup-dns --forwarder=8.8.8.8 --forwarder=8.8.4.4 replica-info-services01.mydom.com.gpg
How can I fix this, please?
On Fri, Jan 9, 2015 at 8:33 PM, Rob Crittenden <[email protected]> wrote:
Sina Owolabi wrote:
Hi List,
I've seen this happen on two occasions now, in two different
environments, one with RHEL 6.6 and one with RHEL 6.3.
I have issues with a replica server: I delete the replication
agreement, remove the server from ipa dns, run ipa-server-install
--uninstall -U, reboot the server, create new replication settings
from the existing master, and restore the replica.
Running ipactl status, I see:
ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
No DNS service listed. Named is not running.
ipactl restart
Restarting Directory Service
Shutting down dirsrv:
MYDOM-COM... [ OK ]
Starting dirsrv:
MYDOM-COM... [ OK ]
Restarting KDC Service
Stopping Kerberos 5 KDC: [ OK ]
Starting Kerberos 5 KDC: [ OK ]
Restarting KPASSWD Service
Stopping Kerberos 5 Admin Server: [ OK ]
Starting Kerberos 5 Admin Server: [ OK ]
Restarting MEMCACHE Service
Stopping ipa_memcached: [ OK ]
Starting ipa_memcached: [ OK ]
Restarting HTTP Service
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
Checking on named:
service named status
rndc: connect failed: 127.0.0.1#953: connection refused
named is stopped
# service named start
Starting named: [ OK ]
# service named status
version: 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1
CPUs found: 2
worker threads: 2
number of zones: 19
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
named (pid 25017) is running...
But it does not resolve. Please, what is happening and how can I fix this?
I don't know what logs to provide, but please let me know what is
necessary and I'll make them available.
Bind is an optional service. You can either configure it at the time you
install the replica using the --setup-dns option, or afterward using
ipa-dns-install.
rob
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
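Dmitri's advice above is to confirm on every server that the certificates really have expired before starting the renewal procedure. The following is an added example, not code from the thread or from the FreeIPA project: it parses the text that certmonger's `getcert list` prints (the tab-indented `key: value` blocks under each `Request ID` line) as collected from several servers, and flags any certificate that is past its expiry date, is not in the MONITORING state, or is reported as stuck. The host names, request IDs, dates and NSS database paths in the sample are constructed for the example; in practice you would paste in the real output from each IPA master and replica.

```python
"""Triage `getcert list` output from several IPA servers (added example).

Flags certificates that have expired, are not being monitored, or are
stuck, so that a cross-server picture is available before deciding
whether the CA certificate renewal procedure applies.
"""
import re
from datetime import datetime, timezone

# Constructed sample output for two hypothetical servers; the layout
# mirrors what certmonger's `getcert list` prints, but every value here
# (hosts, request IDs, paths, dates) is made up for this example.
SAMPLE_OUTPUT = {
    "services01.mydom.com": """\
Number of certificates and requests being tracked: 2.
Request ID '20120105120000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MYDOM-COM',nickname='Server-Cert',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-MYDOM-COM',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=MYDOM.COM
\tsubject: CN=services01.mydom.com,O=MYDOM.COM
\texpires: 2014-12-20 10:15:00 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20120105120001':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=MYDOM.COM
\tsubject: CN=services01.mydom.com,O=MYDOM.COM
\texpires: 2015-03-01 08:00:00 UTC
\ttrack: yes
\tauto-renew: yes
""",
    "services.mydom.com": """\
Number of certificates and requests being tracked: 1.
Request ID '20120105120002':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=MYDOM.COM
\tsubject: CN=services.mydom.com,O=MYDOM.COM
\texpires: 2016-06-30 12:00:00 UTC
\ttrack: yes
\tauto-renew: yes
""",
}


def parse_getcert_list(text):
    """Split `getcert list` output into one dict per tracked request."""
    certs = []
    current = None
    for line in text.splitlines():
        header = re.match(r"Request ID '([^']+)':", line)
        if header:
            current = {"request_id": header.group(1)}
            certs.append(current)
            continue
        if current is None:
            continue  # preamble before the first request block
        field = re.match(r"\s+([^:]+): (.*)", line)
        if field:
            current[field.group(1)] = field.group(2)
    return certs


def parse_expiry(value):
    """certmonger prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(
        tzinfo=timezone.utc)


def find_problem_certs(outputs, now):
    """Return (host, request_id, subject, reasons) for each worrying cert."""
    problems = []
    for host, text in outputs.items():
        for cert in parse_getcert_list(text):
            reasons = []
            if parse_expiry(cert["expires"]) <= now:
                reasons.append("expired on %s" % cert["expires"])
            if cert.get("status") != "MONITORING":
                reasons.append("status %s" % cert.get("status"))
            if cert.get("stuck") == "yes":
                reasons.append("stuck")
            if reasons:
                problems.append(
                    (host, cert["request_id"], cert.get("subject"), reasons))
    return problems


if __name__ == "__main__":
    # Reference time chosen to match the thread's date.
    reference = datetime(2015, 1, 10, 12, 0, tzinfo=timezone.utc)
    for host, request_id, subject, reasons in find_problem_certs(
            SAMPLE_OUTPUT, reference):
        print("%s: request %s (%s): %s"
              % (host, request_id, subject, "; ".join(reasons)))
```

Run it as-is to see the triage over the constructed sample, or replace `SAMPLE_OUTPUT` with the real `getcert list` text gathered from each server. An empty result with every certificate in MONITORING means the symptoms in the thread need another explanation; expired or stuck entries on only some servers point at the "not renewed properly on all servers" case Dmitri describes.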
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project