Mike Mercier
2009-May-21 16:29 UTC
[389-users] Errors installing PKI Clone / chicken or egg question
Hello,

Note: I have cross posted this because it seems to be related to both
applications.

The steps I have taken:

1. Install fedora 10 on 2 servers (service-1, service-2)
2. run yum update on both systems
3. on service-1 and service-2
   a) yum install fedora-ds
   b) setup replication agreement for
      i) o=NetscapeRoot
      ii) userRoot
Everything at this point seems to be fine.

4. on service-1 yum install pki-ca
   a) run through setup screens
      i) Create new security domain
      ii) Configure this Instance as a New CA Subsystem
      iii) Make this a Self-Signed Root CA within this new PKI hierarchy
      iv) use 'localhost' for internal database
      v) use defaults for rest of screen (exporting pkcs12)
   b) pki-ca looks like it is running fine

5. on service-2 yum install pki-ca
   a) run through setup screens
      i) Join an Existing Security Domain (pointing to service-1:9444)
      ii) type username / password
      iii) chose to clone a system (only one option in drop down for service-1)
      iv) import keys
      v) use 'localhost' for internal database

At this point, the installation seems to hang... (see
/var/log/pki-ca/debug for what it is waiting for)

Should I not be using 'localhost' for the internal database?

An additional question:

When running through the setup for dogtag, you have the option of
using ssl for communication. What if you want to use your dogtag CA
(which you are setting up) to provide the sign the ldap certificate?

I have the following in my logs:

Service-1:
/var/log/dirsrv/slapd-TEST/errors
[21/May/2009:12:13:30 -0400] slapi_ldap_bind - Error: could not read bind results for id [cn=Replication Manager cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32 (No such object)
[21/May/2009:12:13:30 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-service-2-pki-ca" (localhost:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
[21/May/2009:12:13:31 -0400] slapi_ldap_bind - Error: could not read bind results for id [cn=Replication Manager cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32 (No such object)
[21/May/2009:12:13:31 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-service-2-pki-ca" (localhost:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
[21/May/2009:12:13:31 -0400] slapi_ldap_bind - Error: could not read bind results for id [cn=Replication Manager cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32 (No such object)
[21/May/2009:12:13:35 -0400] slapi_ldap_bind - Error: could not read bind results for id [cn=Replication Manager cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32 (No such object)
[21/May/2009:12:13:41 -0400] slapi_ldap_bind - Error: could not read bind results for id [cn=Replication Manager cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32 (No such object)
[21/May/2009:12:13:53 -0400] slapi_ldap_bind - Error: could not read bind results for id [cn=Replication Manager cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32 (No such object)
[21/May/2009:12:14:17 -0400] slapi_ldap_bind - Error: could not read bind results for id [cn=Replication Manager cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32 (No such object)

Service-2:
/var/log/dirsrv/slapd-TEST/errors
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allExpiredCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allInvalidCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allInValidCertsNotBefore-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allNonRevokedCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allRevokedCaCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allRevokedCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allRevokedCertsNotAfter-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allRevokedExpiredCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allRevokedOrRevokedExpiredCaCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allRevokedOrRevokedExpiredCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allValidCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allValidCertsNotAfter-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allValidOrRevokedCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caAll-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caCanceled-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caCanceledEnrollment-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caCanceledRenewal-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caCanceledRevocation-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caComplete-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caCompleteEnrollment-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caCompleteRenewal-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caCompleteRevocation-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caEnrollment-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caPending-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caPendingEnrollment-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caPendingRenewal-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caPendingRevocation-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caRejected-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caRejectedEnrollment-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caRejectedRenewal-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caRejectedRevocation-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caRenewal-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caRevocation-pki-caIndex
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
''ou=certificaterepository,ou=ca,dc=pki-ca''; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
''ou=certificaterepository,ou=ca,dc=pki-ca''; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
''ou=certificaterepository,ou=ca,dc=pki-ca''; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
''ou=certificaterepository,ou=ca,dc=pki-ca''; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
''ou=certificaterepository,ou=ca,dc=pki-ca''; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
''ou=certificaterepository,ou=ca,dc=pki-ca''; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
''ou=certificaterepository,ou=ca,dc=pki-ca''; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
''ou=certificaterepository,ou=ca,dc=pki-ca''; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
''ou=certificaterepository,ou=ca,dc=pki-ca''; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
''ou=certificaterepository,ou=ca,dc=pki-ca''; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
''ou=certificaterepository,ou=ca,dc=pki-ca''; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
''ou=certificaterepository,ou=ca,dc=pki-ca''; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
''ou=certificaterepository,ou=ca,dc=pki-ca''; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
''ou=certificaterepository,ou=ca,dc=pki-ca''; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
''ou=ca,ou=requests,dc=pki-ca''; entry
ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
''ou=ca,ou=requests,dc=pki-ca''; entry
ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
''ou=ca,ou=requests,dc=pki-ca''; entry
ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
''ou=ca,ou=requests,dc=pki-ca''; entry
ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
''ou=ca,ou=requests,dc=pki-ca''; entry
ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
''ou=ca,ou=requests,dc=pki-ca''; entry
ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
''ou=ca,ou=requests,dc=pki-ca''; entry
ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
''ou=ca,ou=requests,dc=pki-ca''; entry
ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
''ou=ca,ou=requests,dc=pki-ca''; entry
ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
''ou=ca,ou=requests,dc=pki-ca''; entry
ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
''ou=ca,ou=requests,dc=pki-ca''; entry
ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
''ou=ca,ou=requests,dc=pki-ca''; entry
ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
''ou=ca,ou=requests,dc=pki-ca''; entry
ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
''ou=ca,ou=requests,dc=pki-ca''; entry
ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
''ou=ca,ou=requests,dc=pki-ca''; entry
ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
''ou=ca,ou=requests,dc=pki-ca''; entry
ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
''ou=ca,ou=requests,dc=pki-ca''; entry
ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
''ou=ca,ou=requests,dc=pki-ca''; entry
ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
''ou=ca,ou=requests,dc=pki-ca''; entry
ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
''ou=ca,ou=requests,dc=pki-ca''; entry
ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - pki-ca: Finished indexing.
[21/May/2009:12:13:30 -0400] NSMMReplicationPlugin -
agmt="cn=cloneAgreement1-service-2-pki-ca" (service-1:389): Replica
has a different generation ID than the local data.

/var/log/pki-ca/debug - this is what shows up continuously
[21/May/2009:12:21:02][http-9444-Processor25]: DatabasePanel comparetAndWaitEntries checking ou=people,dc=pki-ca
[21/May/2009:12:21:02][http-9444-Processor25]: DatabasePanel comparetAndWaitEntries ou=people,dc=pki-ca not found, let's wait!

Thanks,
Mike
Marc Sauton
2009-May-21 17:06 UTC
Re: [389-users] Errors installing PKI Clone / chicken or egg question
Mike Mercier wrote:
> Hello,
>
> Note: I have cross posted this because it seems to be related to both
> applications.
>
> The steps I have taken:
>
> 1. Install fedora 10 on 2 servers (service-1, service-2)
> 2. run yum update on both systems
> 3. on service-1 and service-2
>    a) yum install fedora-ds
>    b) setup replication agreement for
>       i) o=NetscapeRoot
>       ii) userRoot
> Everything at this point seems to be fine.
>
> 4. on service-1 yum install pki-ca
>    a) run through setup screens
>       i) Create new security domain
>       ii) Configure this Instance as a New CA Subsystem
>       iii) Make this a Self-Signed Root CA within this new PKI hierarchy
>       iv) use 'localhost' for internal database
>       v) use defaults for rest of screen (exporting pkcs12)
>    b) pki-ca looks like it is running fine
>
> 5. on service-2 yum install pki-ca
>    a) run through setup screens
>       i) Join an Existing Security Domain (pointing to service-1:9444)
>       ii) type username / password
>       iii) chose to clone a system (only one option in drop down for service-1)
>       iv) import keys
>       v) use 'localhost' for internal database
>
> At this point, the installation seems to hang... (see
> /var/log/pki-ca/debug for what it is waiting for)
>
> Should I not be using 'localhost' for the internal database?

I would not, that was likely the first issue you encountered when
replication could not be initialized by the Dogtag web configuration wizard.

> An additional question:
>
> When running through the setup for dogtag, you have the option of
> using ssl for communication. What if you want to use your dogtag CA
> (which you are setting up) to provide the sign the ldap certificate?

The web configuration wizard creates all the necessary certificates and
keys, as well as all the replication agreements.
Assuming the nsDS5ReplicaHost is not localhost, you may have hit a
regression with Bugzilla 454032, with modified status, for RHCS 8.0, which
should also be in Dogtag, what exact version are you using? (may want to
check if you have this fix)
In that case, a possible work around would be to not select SSL in the
Dogtag web configuration wizard, and then later configure SSL replication
either manually or using the Directory Server console.
Mike Mercier
2009-May-21 17:21 UTC
Re: [389-users] Errors installing PKI Clone / chicken or egg question
Hello,

I am running:

[root@service-1 ~]# rpm -qa|grep pki
pki-selinux-1.1.0-1.fc10.noarch
pki-java-tools-1.1.0-1.fc10.noarch
pki-native-tools-1.1.0-1.fc10.x86_64
dogtag-pki-ca-ui-1.1.0-1.fc10.noarch
pki-setup-1.1.0-1.fc10.noarch
dogtag-pki-common-ui-1.1.0-1.fc10.noarch
pki-common-1.1.0-1.fc10.noarch
pki-util-1.1.0-1.fc10.noarch
pki-ca-1.1.0-1.fc10.noarch

Looking at the dse.ldif file, it shows that the replication server is
*not* localhost,
service-1 shows service-2 and server-2 shows service-1

I am going to retry the install using the fqdn of the local machine as
the internal database on each system.

Thanks,
Mike

On Thu, May 21, 2009 at 1:06 PM, Marc Sauton <msauton@redhat.com> wrote:
> I would not, that was likely the first issue you encountered when
> replication could not be initialized by the Dogtag web configuration wizard.
>>
>> An additional question:
>>
>> When running through the setup for dogtag, you have the option of
>> using ssl for communication. What if you want to use your dogtag CA
>> (which you are setting up) to provide the sign the ldap certificate?
>>
>
> The web configuration wizard creates all the necessary certificates and
> keys, as well as all the replication agreements.
> Assuming the nsDS5ReplicaHost is not localhost, you may have hit a
> regression with Bugzilla 454032, with modified status, for RHCS 8.0, which
> should also be in Dogtag, what exact version are you using? (may want to
> check if you have this fix)
> In that case, a possible work around would be to not select SSL in the
> Dogtag web configuration wizard, and then later configure SSL replication
> either manually or using the Directory Server console.
Mike Mercier
2009-May-21 17:31 UTC
Re: [389-users] Errors installing PKI Clone / chicken or egg question
Hello,

Re-installing the application using the fqdn of the system instead of
'localhost' has resolved the problem I was seeing.

Thanks for the help,
Mike

On Thu, May 21, 2009 at 1:21 PM, Mike Mercier <mmercier@gmail.com> wrote:
> Hello,
>
> I am running:
>
> [root@service-1 ~]# rpm -qa|grep pki
> pki-selinux-1.1.0-1.fc10.noarch
> pki-java-tools-1.1.0-1.fc10.noarch
> pki-native-tools-1.1.0-1.fc10.x86_64
> dogtag-pki-ca-ui-1.1.0-1.fc10.noarch
> pki-setup-1.1.0-1.fc10.noarch
> dogtag-pki-common-ui-1.1.0-1.fc10.noarch
> pki-common-1.1.0-1.fc10.noarch
> pki-util-1.1.0-1.fc10.noarch
> pki-ca-1.1.0-1.fc10.noarch
>
> Looking at the dse.ldif file, it shows that the replication server is
> *not* localhost,
> service-1 shows service-2 and server-2 shows service-1
>
> I am going to retry the install using the fqdn of the local machine as
> the internal database on each system.
>
> Thanks,
> Mike
>
> On Thu, May 21, 2009 at 1:06 PM, Marc Sauton <msauton@redhat.com> wrote:
>
>> I would not, that was likely the first issue you encountered when
>> replication could not be initialized by the Dogtag web configuration wizard.
>>>
>>> An additional question:
>>>
>>> When running through the setup for dogtag, you have the option of
>>> using ssl for communication. What if you want to use your dogtag CA
>>> (which you are setting up) to provide the sign the ldap certificate?
>>>
>>
>> The web configuration wizard creates all the necessary certificates and
>> keys, as well as all the replication agreements.
>> Assuming the nsDS5ReplicaHost is not localhost, you may have hit a
>> regression with Bugzilla 454032, with modified status, for RHCS 8.0, which
>> should also be in Dogtag, what exact version are you using? (may want to
>> check if you have this fix)
>> In that case, a possible work around would be to not select SSL in the
>> Dogtag web configuration wizard, and then later configure SSL replication
>> either manually or using the Directory Server console.
>
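
An added example, not part of the original thread and not Dogtag or 389 Directory Server code: a Python check over a Directory Server errors log that flags the two replication symptoms shown in the first message, an agreement whose target host is a loopback name and a generation ID mismatch. The sample lines are re-joined from the log excerpts above; the function names, finding codes and the assumed line shape are made up for this illustration.

```python
import re

# Sample input: lines taken from the errors-log excerpts in the first message
# of this thread, re-joined onto single lines (the mail client wrapped them).
SAMPLE_LOG = """\
[21/May/2009:12:13:30 -0400] slapi_ldap_bind - Error: could not read bind results for id [cn=Replication Manager cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32 (No such object)
[21/May/2009:12:13:30 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-service-2-pki-ca" (localhost:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
[21/May/2009:12:13:31 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-service-2-pki-ca" (localhost:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
[21/May/2009:12:13:30 -0400] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-service-2-pki-ca" (service-1:389): Replica has a different generation ID than the local data.
"""

# Line shape assumed from the excerpts:
#   [timestamp] NSMMReplicationPlugin - agmt="<agreement cn>" (<host>:<port>): <message>
AGMT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+NSMMReplicationPlugin\s+-\s+'
    r'agmt="(?P<agmt>[^"]+)"\s+\((?P<host>[^:()]+):(?P<port>\d+)\):\s+(?P<msg>.*)$'
)
LDAP_ERR_RE = re.compile(r"LDAP error (\d+)")
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def is_loopback(host):
    """True when an agreement's target host resolves to the local machine by name."""
    host = host.lower()
    return host in LOOPBACK_NAMES or host.startswith("127.")


def parse_agreements(log_text):
    """Summarise every replication agreement mentioned in the log, keyed by its cn."""
    found = {}
    for line in log_text.splitlines():
        m = AGMT_RE.match(line.strip())
        if not m:
            continue  # slapi_ldap_bind, indexing and other lines carry no target host
        info = found.setdefault(m["agmt"], {
            "target": f'{m["host"]}:{m["port"]}',
            "loopback": is_loopback(m["host"]),
            "bind_failures": 0,
            "ldap_errors": set(),
            "generation_mismatch": False,
            "first_seen": m["ts"],
        })
        msg = m["msg"]
        if "bind with" in msg and "failed" in msg:
            info["bind_failures"] += 1
            err = LDAP_ERR_RE.search(msg)
            if err:
                info["ldap_errors"].add(int(err.group(1)))
        if "different generation ID" in msg:
            info["generation_mismatch"] = True
    return found


def findings(log_text):
    """Return sorted (agreement, code) pairs that need an operator's attention."""
    out = []
    for name, info in parse_agreements(log_text).items():
        if info["loopback"]:
            # The agreement replicates to the server's own address, as in the
            # service-1 excerpt where the wizard was given 'localhost'.
            out.append((name, "LOOPBACK_TARGET"))
        if info["bind_failures"]:
            out.append((name, "BIND_FAILED"))
        if info["generation_mismatch"]:
            out.append((name, "GENERATION_ID_MISMATCH"))
    return sorted(out)


if __name__ == "__main__":
    agreements = parse_agreements(SAMPLE_LOG)
    for name, code in findings(SAMPLE_LOG):
        print(f"{code:24} {name} -> {agreements[name]['target']}")
```
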