After libnsspem.so is added to Ubuntu 16.04, all expired certificates pass the change time and the test is renewed normally. However, there are new problems during the ipa-replica-install test. The details are as follows:
ipa-client-install --domain=hiido.host.yydevops.com --realm=YYDEVOPS.COM --server=ipa-test-65-188.hiido.host.yydevops.com
Everything is all right ....

root@fs-hiido-dn-12-65-18:/home/liangrui# ipa-replica-install
Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/43]: creating directory server user
  [2/43]: creating directory server instance
  [3/43]: restarting directory server
  [4/43]: adding default schema
  [5/43]: enabling memberof plugin
  [6/43]: enabling winsync plugin
  [7/43]: configuring replication version plugin
  [8/43]: enabling IPA enrollment plugin
  [9/43]: enabling ldapi
  [10/43]: configuring uniqueness plugin
  [11/43]: configuring uuid plugin
  [12/43]: configuring modrdn plugin
  [13/43]: configuring DNS plugin
  [14/43]: enabling entryUSN plugin
  [15/43]: configuring lockout plugin
  [16/43]: configuring topology plugin
  [17/43]: creating indices
  [18/43]: enabling referential integrity plugin
  [19/43]: configuring certmap.conf
  [20/43]: configure autobind for root
  [21/43]: configure new location for managed entries
  [22/43]: configure dirsrv ccache
  [23/43]: enabling SASL mapping fallback
  [24/43]: restarting directory server
  [25/43]: creating DS keytab
  [26/43]: retrieving DS Certificate
  [27/43]: restarting directory server
ipa         : CRITICAL Failed to restart the directory server. See the installation log for details.
  [error] SystemExit: 1
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
#cat /var/log/ipareplica-install.log
....
2022-08-08T09:14:29Z DEBUG stdout=
2022-08-08T09:14:29Z DEBUG stderr=Keytab successfully retrieved and stored in: /etc/dirsrv/ds.keytab
2022-08-08T09:14:29Z DEBUG duration: 1 seconds
2022-08-08T09:14:29Z DEBUG [26/43]: retrieving DS Certificate
2022-08-08T09:14:29Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2022-08-08T09:14:29Z DEBUG Starting external process
2022-08-08T09:14:29Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-YYDEVOPS-COM/ -L -n YYDEVOPS.COM IPA CA -a
2022-08-08T09:14:29Z DEBUG Process finished, return code=255
2022-08-08T09:14:29Z DEBUG stdout=
2022-08-08T09:14:29Z DEBUG stderr=certutil: Could not find cert: YYDEVOPS.COM IPA CA : PR_FILE_NOT_FOUND_ERROR: File not found
2022-08-08T09:14:29Z DEBUG Starting external process
2022-08-08T09:14:29Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-YYDEVOPS-COM/ -N -f /etc/dirsrv/slapd-YYDEVOPS-COM//pwdfile.txt
2022-08-08T09:14:29Z DEBUG Process finished, return code=0
2022-08-08T09:14:29Z DEBUG stdout=
2022-08-08T09:14:29Z DEBUG stderr=
2022-08-08T09:14:29Z DEBUG Starting external process
2022-08-08T09:14:29Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-YYDEVOPS-COM/ -A -n YYDEVOPS.COM IPA CA -t CT,C,C -a
2022-08-08T09:14:29Z DEBUG Process finished, return code=0
2022-08-08T09:14:29Z DEBUG stdout=
2022-08-08T09:14:29Z DEBUG stderr=
2022-08-08T09:14:29Z DEBUG Starting external process
2022-08-08T09:14:29Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-YYDEVOPS-COM/ -A -n YYDEVOPS.COM IPA CA -t CT,C,C -a
2022-08-08T09:14:29Z DEBUG Process finished, return code=0
2022-08-08T09:14:29Z DEBUG stdout=
2022-08-08T09:14:29Z DEBUG stderr=
2022-08-08T09:14:29Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
2022-08-08T09:14:34Z DEBUG certmonger request is in state dbus.String(u'CA_UNREACHABLE', variant_level=1)
2022-08-08T09:14:34Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-YYDEVOPS-COM.socket from SchemaCache
2022-08-08T09:14:34Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-YYDEVOPS-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f36a4433e60>
2022-08-08T09:14:34Z DEBUG duration: 5 seconds
2022-08-08T09:14:34Z DEBUG [27/43]: restarting directory server
2022-08-08T09:14:34Z DEBUG Starting external process
2022-08-08T09:14:34Z DEBUG args=/bin/systemctl --system daemon-reload
2022-08-08T09:14:35Z DEBUG Process finished, return code=0
2022-08-08T09:14:35Z DEBUG stdout=
2022-08-08T09:14:35Z DEBUG stderr=
2022-08-08T09:14:35Z DEBUG Starting external process
2022-08-08T09:14:35Z DEBUG args=/bin/systemctl restart dirsrv@YYDEVOPS-COM.service
2022-08-08T09:14:36Z DEBUG Process finished, return code=0
2022-08-08T09:14:36Z DEBUG stdout=
2022-08-08T09:14:36Z DEBUG stderr=
2022-08-08T09:14:36Z DEBUG Starting external process
2022-08-08T09:14:36Z DEBUG args=/bin/systemctl is-active dirsrv@YYDEVOPS-COM.service
2022-08-08T09:14:36Z DEBUG Process finished, return code=3
2022-08-08T09:14:36Z DEBUG stdout=failed
2022-08-08T09:14:36Z DEBUG stderr=
2022-08-08T09:14:36Z DEBUG Starting external process
2022-08-08T09:14:36Z DEBUG args=/bin/systemctl is-active dirsrv@YYDEVOPS-COM.service
2022-08-08T09:14:36Z DEBUG Process finished, return code=3
2022-08-08T09:14:36Z DEBUG stdout=failed
2022-08-08T09:14:36Z DEBUG stderr=
2022-08-08T09:14:36Z CRITICAL Failed to restart the directory server. See the installation log for details.
2022-08-08T09:14:36Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 447, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 437, in run_step
    method()
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/dsinstance.py", line 625, in __restart_instance
    self.restart(self.serverid)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/dsinstance.py", line 619, in restart
    raise e
SystemExit: 1
2022-08-08T09:14:36Z DEBUG   [error] SystemExit: 1
2022-08-08T09:14:36Z DEBUG   File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/dist-packages/ipapython/install/cli.py", line 318, in run
    cfgr.run()
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 310, in run
    self.execute()
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 332, in execute
    for nothing in self._executor():
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 586, in _configure
    next(executor)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 449, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 446, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/replicainstall.py", line 1652, in main
    promote(self)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/replicainstall.py", line 375, in decorated
    func(installer)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/replicainstall.py", line 1359, in promote
    promote=True, pkcs12_info=dirsrv_pkcs12_info)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/replicainstall.py", line 125, in install_replica_ds
    promote=promote,
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/dsinstance.py", line 399, in create_replica
    self.start_creation(runtime=60)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 447, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 437, in run_step
    method()
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/dsinstance.py", line 625, in __restart_instance
    self.restart(self.serverid)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/dsinstance.py", line 619, in restart
    raise e
2022-08-08T09:14:36Z DEBUG The ipa-replica-install command failed, exception: SystemExit: 1
2022-08-08T09:14:36Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
#less /var/log/dirsrv/slapd-YYDEVOPS-COM/errors
[08/Aug/2022:17:14:36 +0800] - SSL alert: Security Initialization: Can't find certificate (Server-Cert) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
[08/Aug/2022:17:14:36 +0800] - SSL alert: Security Initialization: Unable to retrieve private key for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
[08/Aug/2022:17:14:36 +0800] - SSL failure: None of the cipher are valid
[08/Aug/2022:17:14:36 +0800] - ERROR: SSL2 Initialization Failed. Disabling SSL2.
[08/Aug/2022:17:14:36 +0800] - 389-Directory/1.3.4.9 B2016.109.158 starting up
[08/Aug/2022:17:14:36 +0800] - Can't find certificate Server-Cert in attrcrypt_fetch_private_key: -8174 - security library: bad database.
[08/Aug/2022:17:14:36 +0800] - Can't get private key from cert Server-Cert in attrcrypt_fetch_private_key: -8174 - security library: bad database.
[08/Aug/2022:17:14:36 +0800] - Error: unable to initialize attrcrypt system for userRoot
[08/Aug/2022:17:14:36 +0800] - start: Failed to start databases, err=-1 BDB0092 Unknown error: -1
[08/Aug/2022:17:14:36 +0800] - Failed to start database plugin ldbm database
[08/Aug/2022:17:14:36 +0800] - WARNING: ldbm instance userRoot already exists
[08/Aug/2022:17:14:36 +0800] - ldbm_config_read_instance_entries: failed to add instance entry cn=userRoot,cn=ldbm database,cn=plugins,cn=config
[08/Aug/2022:17:14:36 +0800] - ldbm_config_load_dse_info: failed to read instance entries
[08/Aug/2022:17:14:36 +0800] - start: Loading database configuration failed
[08/Aug/2022:17:14:36 +0800] - Failed to start database plugin ldbm database
[08/Aug/2022:17:14:36 +0800] - Error: Failed to resolve plugin dependencies
[08/Aug/2022:17:14:36 +0800] - Error: betxnpreoperation plugin 7-bit check is not started
[08/Aug/2022:17:14:36 +0800] - Error: preoperation plugin Account Usability Plugin is not started
[08/Aug/2022:17:14:36 +0800] - Error: accesscontrol plugin ACL Plugin is not started
[08/Aug/2022:17:14:36 +0800] - Error: preoperation plugin ACL preoperation is not started
[08/Aug/2022:17:14:36 +0800] - Error: betxnpreoperation plugin Auto Membership Plugin is not started
[08/Aug/2022:17:14:36 +0800] - Error: object plugin Class of Service is not started
[08/Aug/2022:17:14:36 +0800] - Error: preoperation plugin deref is not started
[08/Aug/2022:17:14:36 +0800] - Error: preoperation plugin HTTP Client is not started
[08/Aug/2022:17:14:36 +0800] - Error: preoperation plugin IPA DNS is not started
[08/Aug/2022:17:14:36 +0800] - Error: object plugin IPA Lockout is not started
[08/Aug/2022:17:14:36 +0800] - Error: betxnpostoperation plugin IPA MODRDN is not started
[08/Aug/2022:17:14:36 +0800] - Error: object plugin IPA Topology Configuration is not started
[08/Aug/2022:17:14:36 +0800] - Error: preoperation plugin IPA UUID is not started
[08/Aug/2022:17:14:36 +0800] - Error: preoperation plugin ipa-winsync is not started
[08/Aug/2022:17:14:36 +0800] - Error: extendedop plugin ipa_enrollment_extop is not started
[08/Aug/2022:17:14:36 +0800] - Error: preoperation plugin ipaUniqueID uniqueness is not started
[08/Aug/2022:17:14:36 +0800] - Error: preoperation plugin krbCanonicalName uniqueness is not started
[08/Aug/2022:17:14:36 +0800] - Error: preoperation plugin krbPrincipalName uniqueness is not started
[08/Aug/2022:17:14:36 +0800] - Error: database plugin ldbm database is not started
[08/Aug/2022:17:14:36 +0800] - Error: object plugin Legacy Replication Plugin is not started
[08/Aug/2022:17:14:36 +0800] - Error: betxnpreoperation plugin Linked Attributes is not started
[08/Aug/2022:17:14:36 +0800] - Error: betxnpreoperation plugin Managed Entries is not started
[08/Aug/2022:17:14:36 +0800] - Error: betxnpostoperation plugin MemberOf Plugin is not started
[08/Aug/2022:17:14:36 +0800] - Error: object plugin Multimaster Replication Plugin is not started
[08/Aug/2022:17:14:36 +0800] - Error: preoperation plugin netgroup uniqueness is not started
[08/Aug/2022:17:14:36 +0800] - Error: betxnpostoperation plugin referential integrity postoperation is not started
[08/Aug/2022:17:14:36 +0800] - Error: object plugin Roles Plugin is not started
[08/Aug/2022:17:14:36 +0800] - Error: preoperation plugin sudorule name uniqueness is not started
[08/Aug/2022:17:14:36 +0800] - Error: object plugin USN is not started
[08/Aug/2022:17:14:36 +0800] - Error: object plugin Views is not started
[08/Aug/2022:17:14:36 +0800] - Error: extendedop plugin whoami is not started
root@fs-hiido-dn-12-65-18:/var/log/dirsrv/slapd-YYDEVOPS-COM# certutil -d /etc/dirsrv/slapd-YYDEVOPS-COM/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

YYDEVOPS.COM IPA CA                                          CT,C,C
YYDEVOPS.COM IPA CA                                          CT,C,C
root@fs-hiido-dn-12-65-18:/var/log/dirsrv/slapd-YYDEVOPS-COM# certutil -d /etc/dirsrv/slapd-YYDEVOPS-COM/ -L -n YYDEVOPS.COM IPA CA -a
certutil: Could not find cert: YYDEVOPS.COM : PR_FILE_NOT_FOUND_ERROR: File not found
root@fs-hiido-dn-12-65-18:/var/log/dirsrv/slapd-YYDEVOPS-COM# certutil -d /etc/dirsrv/slapd-YYDEVOPS-COM/ -L -n 'YYDEVOPS.COM IPA CA' -a
-----BEGIN CERTIFICATE-----
[first PEM certificate body omitted]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[second PEM certificate body omitted]
-----END CERTIFICATE-----
root@fs-hiido-dn-12-65-18:/var/log/dirsrv/slapd-YYDEVOPS-COM#
According to the log output, are the quotes missing, so the name cannot be found, or are there two (YYDEVOPS.COM IPA CA) names, so the service cannot be replicated?
/var/log/ipareplica-install.log:
2022-08-08T09:14:29Z DEBUG stderr=certutil: Could not find cert: YYDEVOPS.COM IPA CA : PR_FILE_NOT_FOUND_ERROR: File not found
Strangely, after a few days, I tried IPA-certupdate again, then executed on the new node: Ipa - up - install, debug Ipa - up - install, setup - ca - the debug. It all worked. The data was replicated. The main reason seems to be libnsspem.so.
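An added diagnostic (not from the post above and not FreeIPA's own code) that parses a `certutil -d <dir> -L` listing like the one shown and reports the two conditions the question raises: a nickname listed more than once, and the Server-Cert nickname that the dirsrv errors log says it cannot find. The sample listing is constructed from the post; all function names are the example's own, and the required nickname defaults to Server-Cert because that is the name dirsrv looks for.

```python
import re
import subprocess
from collections import Counter

# Constructed sample reproducing the `certutil -L` listing shown in the post.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

YYDEVOPS.COM IPA CA                                          CT,C,C
YYDEVOPS.COM IPA CA                                          CT,C,C
"""

# certutil separates nickname and trust flags with a run of spaces; the nickname
# itself may contain single spaces, which is why -n needs it as one argument.
ENTRY_RE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")

def parse_listing(text):
    """Return [(nickname, trust_flags), ...] parsed from `certutil -d <dir> -L`."""
    entries = []
    for line in text.splitlines():
        if line.startswith("Certificate Nickname") or "SSL,S/MIME,JAR/XPI" in line:
            continue  # column header lines
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("nick").strip(), m.group("trust")))
    return entries

def find_duplicates(entries):
    """Nicknames listed more than once, with their counts."""
    counts = Counter(nick for nick, _ in entries)
    return {nick: n for nick, n in counts.items() if n > 1}

def missing_nicknames(entries, required=("Server-Cert",)):
    """Required nicknames absent from the DB (dirsrv looks for Server-Cert)."""
    present = {nick for nick, _ in entries}
    return [nick for nick in required if nick not in present]

def diagnose(listing_text):
    """Findings for one listing: duplicate nicknames first, then missing ones."""
    entries = parse_listing(listing_text)
    findings = ["duplicate nickname %r (%d entries)" % (nick, n)
                for nick, n in find_duplicates(entries).items()]
    findings += ["missing nickname %r" % nick for nick in missing_nicknames(entries)]
    return findings

def diagnose_live_db(dbdir):
    """Same checks on a real NSS DB; argv form passes arguments without shell quoting."""
    out = subprocess.run(["certutil", "-d", dbdir, "-L"],
                         check=True, capture_output=True, text=True).stdout
    return diagnose(out)
```

On the constructed listing, diagnose(SAMPLE_LISTING) reports the duplicated "YYDEVOPS.COM IPA CA" entry and the absent "Server-Cert"; diagnose_live_db("/etc/dirsrv/slapd-YYDEVOPS-COM/") runs the same checks against the real database on a host with NSS tools installed.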