On Thu, Feb 10, 2011 at 11:10:19AM -0500, Christopher Wood wrote:
> On Thu, Feb 10, 2011 at 09:01:52AM -0700, Rich Megginson wrote:
> > On 02/10/2011 08:57 AM, Christopher Wood wrote:
> > >On Thu, Feb 10, 2011 at 08:42:45AM -0700, Rich Megginson wrote:
> > >>On 02/10/2011 08:23 AM, Christopher Wood wrote:
> > >>>On Thu, Feb 10, 2011 at 08:11:09AM -0700, Rich Megginson wrote:
> > >>>>On 02/10/2011 07:45 AM, Christopher Wood wrote:
> > >>>>>On Wed, Feb 09, 2011 at 05:49:28PM -0700, Rich Megginson wrote:
> > >>>>>>On 02/09/2011 07:59 AM, Christopher Wood wrote:
> > >>>>>>>On Tue, Feb 08, 2011 at 06:14:27PM -0700, Rich Megginson wrote:
> > >>>>>>>>On 02/08/2011 04:11 PM, Christopher Wood wrote:
> > >>>>>>>>>These bugs are almost exactly the issue I'm experiencing:
> > >>>>>>>>>
> > >>>>>>>>>https://bugzilla.redhat.com/show_bug.cgi?id=430499
> > >>>>>>>>>https://bugzilla.redhat.com/show_bug.cgi?id=442103
> > >>>>>>>>>
> > >>>>>>>>>In my case, the admin server on host1 can use the "Manage
> > >>>>>>>>>Certificates" button on the admin server, and the directory server
> > >>>>>>>>>installed on the same host. So the bug is not happening to me.
> > >>>>>>>>>
> > >>>>>>>>>However, I get "java.net.ConnectException: Connection refused"
> > >>>>>>>>>when I use the "Manage Certificates" button on host2's directory
> > >>>>>>>>>server that I registered with host1's admin server.
> > >>>>>>>>>
> > >>>>>>>>>I don't get any output on the console when I repeat this procedure
> > >>>>>>>>>having run 389-console from the command line. I don't see anything
> > >>>>>>>>>immediately obvious under /var/log/dirsrv/*/errors on both
> > >>>>>>>>>servers. I can run ldapsearch against ldaps://host1 and
> > >>>>>>>>>ldaps://host2.
> > >>>>>>>>>
> > >>>>>>>>>Would you list denizens possibly have any hints as to how to
> > >>>>>>>>>troubleshoot this?
> > >>>>>>>>389-console -D 9 -f console.log - paste the log to fpaste.org or
> > >>>>>>>>similar - be sure to remove or obscure any sensitive information -
> > >>>>>>>>post the link here
> > >>>>>>>Thank you, I appreciate it.
> > >>>>>>>
> > >>>>>>>The full paste: http://fpaste.org/mgYb/
> > >>>>>>>
> > >>>>>>>My procedure was to run 389-console with the above command line,
> > >>>>>>>click "Manage Certificates" in the directory server on the same host
> > >>>>>>>as the admin server ("host1"), then close that and click "Manage
> > >>>>>>>Certificates" in the directory server on the other host ("host2").
> > >>>>>>>
> > >>>>>>>Just from reading along as I clicked buttons, it appears that the
> > >>>>>>>console is trying to itself talk to an admin server on host2. There
> > >>>>>>>is no admin server running on that host since I registered the
> > >>>>>>>directory server on host2 with the admin server on host1.
> > >>>>>>Even if you use setup-ds-admin.pl to create a directory server and
> > >>>>>>register it with another configuration directory server, there
> > >>>>>>always has to be one admin server running on each machine. The
> > >>>>>>admin server executes CGIs, such as the log viewer, server process
> > >>>>>>management, etc. - tasks that must be done outside of the directory
> > >>>>>>server process.
> > >>>>>>>ResourceSet: found in cache
> > >>>>>>>loader9690857:com.netscape.management.client.security.securityResource
> > >>>>>>>CommManager> New CommRecord
> > >>>>>>>(http://host2.mycompany.com:3389/admin-serv/tasks/configuration/SecurityOp)
> > >>>>>>>java.net.ConnectException: Connection refused
> > >>>>>>The admin server should always be running, unless you explicitly
> > >>>>>>shut it down.
> > >>>>>In my case (host1 having admin/ds and host2 just having ds), I
> > >>>>>registered host2's directory server with host1's config directory
> > >>>>>server. However, host2's admin server failed to start.
> > >>>>>From /var/log/dirsrv/admin-serv/error when I try to start it manually:
> > >>>>>
> > >>>>>[root@host2 admin-serv]# cat /var/log/dirsrv/admin-serv/error
> > >>>>>[Wed Feb 09 13:01:29 2011] [crit] host_ip_init(): PSET failure: Failed
> > >>>>>to create PSET handle (pset error = )
> > >>>>>Configuration Failed
> > >>>>>[Thu Feb 10 09:22:51 2011] [crit] host_ip_init(): PSET failure: Failed
> > >>>>>to create PSET handle (pset error = )
> > >>>>>Configuration Failed
> > >>>>Start the admin server like this:
> > >>>>/usr/sbin/start-ds-admin -e debug
> > >>>>then post the admin server error log
> > >>>http://fpaste.org/kIAu/
> > >>Can you paste your /etc/dirsrv/admin-serv/adm.conf and local.conf?
> > >adm.conf from host2: http://pastebin.com/HqL8c1hK
> > ldapurl: ldaps://host1/o=NetscapeRoot
> >
> > host1 has to be the fqdn of host1 since you're using ldaps.
>
> In the original it is the fqdn.
>
> > Did you install, into the cert db in /etc/dirsrv/admin-serv, the CA
> > certificate of the CA that issued the server cert of host1?
>
> Aha. Before running the setup-ds-admin.pl script I did not manually install
> the CA certs into the dirsrv/admin-serv cert dbs on host2. That appears to be
> my skipped step. I will try this again with that step included.
>
Oddly, that didn't help either (due to time constraints I've only gotten back to this now). Also, I get more debug output on the console than the log file, but neither is giving me a really good hint.

[root@cwtmp-01 admin-serv]# tail /tmp/setupC5b4yV.log
[11/03/11:16:00:43] - [Setup] Info Updating adm.conf . . .
[11/03/11:16:00:43] - [Setup] Info Updating admpw . . .
[11/03/11:16:00:43] - [Setup] Info Registering admin server with the configuration directory server . . .
[11/03/11:16:00:43] - [Setup] Info Updating adm.conf with information from configuration directory server . . .
[11/03/11:16:00:43] - [Setup] Info Updating the configuration for the httpd engine . . .
[11/03/11:16:00:49] - [Setup] Info Starting admin server . . .
[11/03/11:16:00:50] - [Setup] Fatal Failed to create and configure the admin server
[11/03/11:16:00:50] - [Setup] Fatal Exiting . . .
Log file is '/tmp/setupC5b4yV.log'

[root@cwtmp-01 admin-serv]# tail /tmp/setup10Kboe.log
[11/03/14:14:53:58] - [Setup] Info Creating Admin Server files and directories . . .
[11/03/14:14:53:58] - [Setup] Info Updating adm.conf . . .
[11/03/14:14:53:58] - [Setup] Info Updating admpw . . .
[11/03/14:14:53:58] - [Setup] Info Registering admin server with the configuration directory server . . .
[11/03/14:14:53:58] - [Setup] Info Updating adm.conf with information from configuration directory server . . .
[11/03/14:14:53:58] - [Setup] Info Updating the configuration for the httpd engine . . .
[11/03/14:14:53:58] - [Setup] Fatal Failed to create and configure the admin server
[11/03/14:14:53:58] - [Setup] Fatal Exiting . . .
Log file is '/tmp/setup10Kboe.log'

> > If the above are "yes", paste excerpts from the access log of host1
> > showing the connection attempts from host2.

http://pastebin.com/YJkzg918

That's the whole thing, slightly redacted for private names.
cdnfqdn is the configuration directory server's fqdn
fqdn is the log file server's fqdn

> > >local.conf from host2: http://pastebin.com/xGpYJyUs
> > >
> > >Also, I should say that I used host1's "Configuration directory server
> > >admin domain" when I was filling in configuration directory server details
> > >in host2's setup-ds-admin.pl. (It seemed sensible at the time.)
> > >
> > >>>>>> From /tmp/setuphtlOC3.log on host2 (I chose a "Typical" (2) setup):
> > >>>>>[11/02/09:13:01:28] - [Setup] Info Starting admin server . . .
> > >>>>>[11/02/09:13:01:29] - [Setup] Fatal Failed to create and configure the
> > >>>>>admin server
> > >>>>>[11/02/09:13:01:29] - [Setup] Fatal Exiting . . .
> > >>>>>
> > >>>>>That happened every time when in the setup-ds-admin.pl stage on
> > >>>>>something other than host1 where I would pick
> > >>>>>ldaps://host1/o=NetscapeRoot as the configuration directory server
> > >>>>>url. Of course, for the setup on host1 I set everything up with
> > >>>>>basically defaults and added the encryption later. Not certain if
> > >>>>>that's pertinent, though.
> > >>>>>
> > >>>>>I'm starting to think that I've misread something in the install docs,
> > >>>>>will re-read.
> > >>>>>
> > >>>>>>>admserv version = null
> > >--
> > >389 users mailing list
> > >389-us...@lists.fedoraproject.org
> > >https://admin.fedoraproject.org/mailman/listinfo/389-users
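
Added example (not part of the original thread, and not 389 project code): an offline pre-flight for the two conditions raised above, that the ldaps ldapurl in adm.conf names an FQDN and that the admin-serv cert db holds a CA certificate trusted for SSL. The function names are hypothetical and the sample inputs are constructed; the cert db listing is assumed to be in the format printed by certutil -L -d.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Host part of the "ldapurl:" line in adm.conf text read from stdin.
ldapurl_host() {
    sed -n 's|^ldapurl:[[:space:]]*ldaps\{0,1\}://\([^/:]*\).*|\1|p' | head -n 1
}

# Scheme ("ldap" or "ldaps") of the same line.
ldapurl_scheme() {
    sed -n 's|^ldapurl:[[:space:]]*\(ldaps\{0,1\}\)://.*|\1|p' | head -n 1
}

# A short name cannot match a server certificate issued to an FQDN.
is_fqdn() {
    case "$1" in *.*) return 0 ;; *) return 1 ;; esac
}

# Reads `certutil -L -d <certdb>` output on stdin and prints the nicknames
# whose SSL trust field (first of three) has C: a CA trusted for server certs.
trusted_ca_nicks() {
    awk '$NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
        split($NF, t, ",")
        if (t[1] ~ /C/) { sub(/[ \t]+[^ \t]+[ \t]*$/, ""); print }
    }'
}

# preflight ADM_CONF_TEXT CERTUTIL_LISTING: prints findings, returns their count.
preflight() {
    host=$(printf '%s\n' "$1" | ldapurl_host)
    scheme=$(printf '%s\n' "$1" | ldapurl_scheme)
    problems=0
    [ "$scheme" = ldaps ] || { echo "ldapurl is not ldaps; no CA needed"; return 0; }
    is_fqdn "$host" ||
        { echo "ldapurl host '$host' is not an FQDN"; problems=$((problems + 1)); }
    [ -n "$(printf '%s\n' "$2" | trusted_ca_nicks)" ] ||
        { echo "cert db has no CA with SSL trust C"; problems=$((problems + 1)); }
    return "$problems"
}

# Constructed inputs: the redacted ldapurl quoted in the thread, and a cert db
# listing that holds only a server certificate and no CA certificate.
SAMPLE_ADM_CONF='ldapurl: ldaps://host1/o=NetscapeRoot'
SAMPLE_CERTDB='Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI

server-cert                                 u,u,u'

preflight "$SAMPLE_ADM_CONF" "$SAMPLE_CERTDB" || echo "problems found: $?"
```

On a real host the two arguments would be "$(cat /etc/dirsrv/admin-serv/adm.conf)" and "$(certutil -L -d /etc/dirsrv/admin-serv)".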