<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt"><div><span>I did:<br></span></div><div># setenforce 0<br># ipactl restart<br> (here still the same error about worker ajp://localhost:9447/ already used by another worker )</div><div># ipa host-del myclient</div><div>ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Service Temporarily Unavailable)</div><div><br></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;">By the way, I can delete other clients with no problem. The only difference of this client is that I once did ipa-getkeytab on it for nfs client (and it turns out I don't need a keytab to be an nfs client).</div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif;
background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;">Thanks,</div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;">George</div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><br><blockquote style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; margin-top: 5px; padding-left: 5px;"> <div style="font-family: times new roman, new york, times, serif; font-size: 12pt;"> <div style="font-family: times new roman, new york, times, serif; font-size: 12pt;"> <div dir="ltr"> <font face="Arial" size="2"> <hr size="1"> <b><span style="font-weight:bold;">From:</span></b> Ade Lee
<alee@redhat.com><br> <b><span style="font-weight: bold;">To:</span></b> george he <george_he7@yahoo.com> <br><b><span style="font-weight: bold;">Cc:</span></b> Rob Crittenden <rcritten@redhat.com>; "freeipa-users@redhat.com" <freeipa-users@redhat.com> <br> <b><span style="font-weight: bold;">Sent:</span></b> Wednesday, September 5, 2012 11:38 AM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [Freeipa-users] ipa host-del<br> </font> </div> <br>weird. Can you try putting selinux in permissive mode, and then<br>restarting ipa?<br><br>On Wed, 2012-09-05 at 08:21 -0700, george he wrote:<br>> This is a newly installed system. It does most of the things, but I<br>> just cannot del the host that I have uninstalled ipa-client, which<br>> prevents me from re-installing ipa-client.<br>> Here are the versions:<br>> <br>> pki-ca.noarch
9.0.3-24.el6<br>> pki-common.noarch 9.0.3-24.el6<br>> jss.x86_64 4.2.6-22.el6<br>> nss.x86_64 3.13.5-1.el6_3<br>> tomcat6.noarch 6.0.24-45.el6<br>> java-1.5.0-gcj.x86_64 1.5.0.0-29.1.el6 <br>> java-1.6.0-openjdk.x86_64 1:1.6.0.0-1.48.1.11.3.el6_2<br>> java_cup.x86_64 1:0.10k-5.el6<br>> Thanks for your help.<br>> George<br>> <br>> <br>> ______________________________________________________________<br>> From: Ade Lee <<a ymailto="mailto:alee@redhat.com"
href="mailto:alee@redhat.com">alee@redhat.com</a>><br>> To: george he <<a ymailto="mailto:george_he7@yahoo.com" href="mailto:george_he7@yahoo.com">george_he7@yahoo.com</a>> <br>> Cc: Rob Crittenden <<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>;<br>> "<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>" <<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>> <br>> Sent: Wednesday, September 5, 2012 10:46 AM<br>> Subject: Re: [Freeipa-users] ipa host-del<br>> <br>> <br>> The logs seem to show that the CA cannot find
JSS.<br>> <br>> What versions of the following are on your system?<br>> pki-ca, pki-common, jss, nss, tomcat6, tomcat, java<br>> <br>> Is this a system that was working and now fails to work? Or<br>> is this a<br>> new instance?<br>> <br>> Ade<br>> On Wed, 2012-09-05 at 06:41 -0700, george he wrote:<br>> > there are something like these:<br>> > <br>> > type=AVC msg=audit(1346710042.243:56): avc: denied<br>> { execute } for<br>> > pid=4243 comm="gdm" name="arch" dev=dm-0
ino=786829<br>> > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023<br>> > tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file<br>> > type=AVC msg=audit(1346710042.243:57): avc: denied<br>> { execute } for<br>> > pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829<br>> > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023<br>> > tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file<br>> > <br>> > <br>> > <br>> > and some others like these:<br>> > type=AVC msg=audit(1346838993.154:2567): avc: denied<br>> {
search } for<br>> > pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879<br>> > scontext=unconfined_u:system_r:pki_ca_t:s0<br>> > tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir<br>> > type=AVC msg=audit(1346838993.154:2568): avc: denied<br>> { search } for<br>> > pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879<br>> > scontext=unconfined_u:system_r:pki_ca_t:s0<br>> > tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir<br>> > <br>> > <br>> > <br>> > And yes, I did yum update recently.<br>>
> Where else should I look?<br>> > Thanks,<br>> > George<br>> > <br>> > <br>> ><br>> ______________________________________________________________<br>> > From: Rob Crittenden <<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>><br>> > To: george he <<a ymailto="mailto:george_he7@yahoo.com" href="mailto:george_he7@yahoo.com">george_he7@yahoo.com</a>> <br>> > Cc: Ade Lee <<a ymailto="mailto:alee@redhat.com" href="mailto:alee@redhat.com">alee@redhat.com</a>>;<br>>
"<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>"<br>> > <<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>> <br>> > Sent: Wednesday, September 5, 2012 8:40 AM<br>> > Subject: Re: [Freeipa-users] ipa host-del<br>> > <br>> > <br>> > george he wrote:<br>> > > here are the new errors:<br>> > > # rm
/var/log/pki-ca/*<br>> > > # service dirsrv restart<br>> > > # service pki-cad restart<br>> > > # grep -i error /var/log/pki-ca/*<br>> > > /var/log/pki-ca/catalina.2012-09-05.log:WARNING:<br>> Error while<br>> > removing<br>> > > context [/ca]<br>> > > /var/log/pki-ca/catalina.2012-09-05.log:SEVERE:<br>> Error<br>> > initializing<br>> >
> socket factory<br>> ><br>> > /var/log/pki-ca/catalina.2012-09-05.log:java.lang.ClassNotFoundException: Error<br>> > > loading SSL Implementation<br>> > > org.apache.tomcat.util.net.jss.JSSImplementation<br>> > > :java.lang.ClassNotFoundException:<br>> > org.mozilla.jss.ssl.SSLSocket<br>> ><br>> > /var/log/pki-ca/catalina.2012-09-05.log:LifecycleException:<br>> > Protocol<br>> > > handler initialization failed:<br>>
> java.lang.ClassNotFoundException: Error<br>> > > loading SSL Implementation<br>> > > org.apache.tomcat.util.net.jss.JSSImplementation<br>> > > :java.lang.ClassNotFoundException:<br>> > org.mozilla.jss.ssl.SSLSocket<br>> > > /var/log/pki-ca/catalina.2012-09-05.log:SEVERE:<br>> Error<br>> > deploying web<br>> > > application directory ca<br>> > > /var/log/pki-ca/catalina.out:SEVERE:
Error<br>> initializing<br>> > socket factory<br>> ><br>> > /var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error<br>> > > loading SSL Implementation<br>> > > org.apache.tomcat.util.net.jss.JSSImplementation<br>> > > :java.lang.ClassNotFoundException:<br>> > org.mozilla.jss.ssl.SSLSocket<br>> > > /var/log/pki-ca/catalina.out:LifecycleException:<br>> Protocol<br>> >
handler<br>> > > initialization failed:<br>> java.lang.ClassNotFoundException:<br>> > Error loading<br>> > > SSL Implementation<br>> > org.apache.tomcat.util.net.jss.JSSImplementation<br>> > > :java.lang.ClassNotFoundException:<br>> > org.mozilla.jss.ssl.SSLSocket<br>> > > /var/log/pki-ca/catalina.out:SEVERE: Error<br>> deploying web<br>> > application<br>> >
> directory ca<br>> > > /var/log/pki-ca/catalina.out:SEVERE: Error<br>> initializing<br>> > socket factory<br>> ><br>> > /var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error<br>> > > loading SSL Implementation<br>> > > org.apache.tomcat.util.net.jss.JSSImplementation<br>> > > :java.lang.ClassNotFoundException:<br>> > org.mozilla.jss.ssl.SSLSocket<br>> > >
/var/log/pki-ca/catalina.out:LifecycleException:<br>> Protocol<br>> > handler<br>> > > initialization failed:<br>> java.lang.ClassNotFoundException:<br>> > Error loading<br>> > > SSL Implementation<br>> > org.apache.tomcat.util.net.jss.JSSImplementation<br>> > > :java.lang.ClassNotFoundException:<br>> > org.mozilla.jss.ssl.SSLSocket<br>> > <br>> >
Hmm. Is there any additional information in the debug<br>> log? Any<br>> > AVCs in <br>> > /var/log/audit/audit.log?<br>> > <br>> > Have you updated any packages recently? I'm not sure<br>> why<br>> > dogtag would be <br>> > throwing this exception.<br>> > <br>> > rob<br>> > <br>> >
><br>> > ><br>> ><br>> ------------------------------------------------------------------------<br>> > > *From:* Rob Crittenden <<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>><br>> > > *To:* george he <<a ymailto="mailto:george_he7@yahoo.com" href="mailto:george_he7@yahoo.com">george_he7@yahoo.com</a>><br>> > > *Cc:* John Dennis <<a ymailto="mailto:jdennis@redhat.com" href="mailto:jdennis@redhat.com">jdennis@redhat.com</a>>;<br>> > "<a
ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>"<br>> > > <<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>><br>> > > *Sent:* Tuesday, September 4, 2012 9:49 PM<br>> > > *Subject:* Re: [Freeipa-users] ipa host-del<br>> > ><br>> > > george he wrote:<br>> > > > both of the commands "service dirsrv<br>> restart" and<br>>
> "service pki-cad<br>> > > > restart" reported:<br>> > > > stopping ... OK<br>> > > > starting ... OK<br>> > > > but host-del still has the same error.<br>> > > > More suggestions?<br>> > ><br>> > > Check the logs again. The service starting does<br>> not mean<br>> >
it kept<br>> > > running.<br>> > ><br>> > > rob<br>> > ><br>> > > > Thanks,<br>> > > > George<br>> > > ><br>> > > ><br>> > ><br>> ><br>>
------------------------------------------------------------------------<br>> > > > *From:* Rob Crittenden<br>> <<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a><br>> > > <mailto:<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>><br>> > > > *To:* george he <<a ymailto="mailto:george_he7@yahoo.com" href="mailto:george_he7@yahoo.com">george_he7@yahoo.com</a><br>> > > <mailto:<a ymailto="mailto:george_he7@yahoo.com"
href="mailto:george_he7@yahoo.com">george_he7@yahoo.com</a>>><br>> > > > *Cc:* John Dennis <<a ymailto="mailto:jdennis@redhat.com" href="mailto:jdennis@redhat.com">jdennis@redhat.com</a><br>> > > <mailto:<a ymailto="mailto:jdennis@redhat.com" href="mailto:jdennis@redhat.com">jdennis@redhat.com</a>>>;<br>> "<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>> > > <mailto:<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>>"<br>> > > >
<<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>> > <mailto:<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>>><br>> > > > *Sent:* Tuesday, September 4, 2012 4:20<br>> PM<br>> > > > *Subject:* Re: [Freeipa-users] ipa<br>> host-del<br>> > > ><br>> > > > george he wrote:<br>>
> > > > I'm running centos 6.3<br>> > > > > # uname -r<br>> > > > > 2.6.32-279.5.2.el6.x86_64<br>> > > > ><br>> > > > > pki-ca: unrecognized service<br>> > > > ><br>> > > > > There are tons of errors<br>>
in /var/log/pki-ca/*,<br>> > some of<br>> > > them are:<br>> > > > > /var/log/pki-ca/system:11605.main -<br>> > [30/Aug/2012:16:34:56 EDT]<br>> > > > [3] [3]<br>> > > > > Cannot build CA chain. Error<br>> > > java.security.cert.CertificateException:<br>> > > >
> Certificate is not a PKCS #11<br>> certificate<br>> > > > > /var/log/pki-ca/system:11605.main -<br>> > [30/Aug/2012:16:34:56 EDT]<br>> > > > [13] [3]<br>> > > > > authz instance DirAclAuthz<br>> initialization<br>> > failed and skipped,<br>> > > > > error=Property<br>> internaldb.ldapconn.port<br>>
> missing value<br>> > > ><br>> > /var/log/pki-ca/system:11605.http-9445-1 -<br>> > > [30/Aug/2012:16:35:01 EDT]<br>> > > > > [3] [3] Cannot build CA chain. Error<br>> > > > ><br>> java.security.cert.CertificateException:<br>> > Certificate is not a<br>> > > > PKCS #11<br>>
> > > > certificate<br>> > > ><br>> > /var/log/pki-ca/system:11605.http-9445-1 -<br>> > > [30/Aug/2012:16:35:10 EDT]<br>> > > > > [3] [3] CASigningUnit: Object<br>> certificate not<br>> > found. Error<br>> > > > ><br>> org.mozilla.jss.crypto.ObjectNotFoundException<br>> > >
> > /var/log/pki-ca/system:3281.main -<br>> > [31/Aug/2012:17:54:28<br>> > > EDT] [8]<br>> > > > [3] In<br>> > > > > Ldap (bound) connection pool to host<br>> > > cushing.psych.yale.edu port<br>> > > > 7389,<br>> > > > > Cannot connect to LDAP server. Error:<br>>
> > netscape.ldap.LDAPException:<br>> > > > > failed to connect to server<br>> > > ldap://cushing.psych.yale.edu:7389 (91)<br>> > > > ><br>> > > ><br>> > > /var/log/pki-ca/catalina.2012-09-03.log:SEVERE:<br>> Error<br>> > > initializing<br>> > > > > socket
factory<br>> > > > ><br>> > > ><br>> > ><br>> ><br>> /var/log/pki-ca/catalina.2012-09-03.log:java.lang.ClassNotFoundException:<br>> > > > Error<br>> > > > > loading SSL Implementation<br>> > > > ><br>> >
org.apache.tomcat.util.net.jss.JSSImplementation<br>> > > > > :java.lang.ClassNotFoundException:<br>> > > org.mozilla.jss.ssl.SSLSocket<br>> > > > ><br>> > ><br>> ><br>> /var/log/pki-ca/catalina.2012-09-03.log:LifecycleException:<br>> > Protocol<br>> > > > > handler initialization failed:<br>> >
> java.lang.ClassNotFoundException:<br>> > > > Error<br>> > > > > loading SSL Implementation<br>> > > > ><br>> > org.apache.tomcat.util.net.jss.JSSImplementation<br>> > > > > :java.lang.ClassNotFoundException:<br>> > > org.mozilla.jss.ssl.SSLSocket<br>> > > ><br>>
> > /var/log/pki-ca/catalina.2012-09-03.log:SEVERE:<br>> Error<br>> > > deploying web<br>> > > > > application directory ca<br>> > > ><br>> > > > The problem looks to be that the dogtag<br>> 389-ds<br>> > instance is not<br>> > > started.<br>> > > > I'd try:
service dirsrv restart PKI-IPA<br>> > > ><br>> > > > Then service pki-cad restart<br>> > > ><br>> > > > rob<br>> > > ><br>> > > ><br>> > > ><br>> > > ><br>> > ><br>>
> ><br>> > ><br>> > <br>> > <br>> > <br>> > <br>> <br>> <br>> <br>> <br>> <br><br><br><br><br> </div> </div> </blockquote></div> </div></body></html>