[Freeipa-users] Delete host: Unable to communicate with CMS (Not Found)

Dan Scott danieljamesscott at gmail.com
Thu Nov 17 16:34:55 UTC 2011


On Thu, Nov 17, 2011 at 11:25, Adam Young <ayoung at redhat.com> wrote:
> On 11/17/2011 10:58 AM, Dan Scott wrote:
>
> On Wed, Nov 16, 2011 at 14:01, Rob Crittenden <rcritten at redhat.com> wrote:
>
> Dan Scott wrote:
>
> On Wed, Nov 16, 2011 at 10:39, Rob Crittenden <rcritten at redhat.com> wrote:
>
> Dan Scott wrote:
>
> On Wed, Nov 16, 2011 at 09:23, Rob Crittenden <rcritten at redhat.com> wrote:
>
> Dan Scott wrote:
>
> Hi,
>
> I receive the following error when I try to remove a host from IPA:
>
> djscott at pc35:~$ ipa host-del pc60
> ipa: ERROR: Certificate operation cannot be completed: Unable to
> communicate with CMS (Not Found)
>
> I'm running a Fedora 16 (freeipa-server-2.1.3-5.fc16.x86_64) server
> replicated with a Fedora 15 (freeipa-server-2.1.3-2.fc15.i686) server.
>
> I've looked at this:
>
> https://fedorahosted.org/freeipa/ticket/1889
>
> But it looks like it was fixed in 2.1.2 or 2.1.3. Any ideas for what I
> need to do?
>
> Thanks,
>
> Dan
>
> This would suggest that dogtag isn't running. Are dogtag and its LDAP
> instance up?
>
> It seems to be, there are 2 entries 'loaded active running' for the
> dirsrv@ instances. I don't see any errors in the
> /var/log/dirsrv/slapd-PKI-IPA/errors file.
>
> Tomcat is running too.
>
> Dan
>
> Hmm, ok, let's see if we can talk to the cert system at all.
>
> $ ipa cert-show 1
>
> fileserver1 is the IPA server with PKI-IPA running:
>
> [root at fileserver1 ~]# ipa cert-show 1
> ipa: ERROR: Certificate operation cannot be completed: Unable to
> communicate with CMS (Not Found)
>
> SELinux is my normal culprit when things don't work. It may be so in
> this case. My /var/log/audit/audit.log hasn't changed since 11th
> November.....
>
> Unfortunately, temporarily disabling it doesn't seem to help:
>
> [root at fileserver1 ~]# setenforce Permissive
> [root at fileserver1 ~]# ipa cert-show 1
> ipa: ERROR: Certificate operation cannot be completed: Unable to
> communicate with CMS (Not Found)
>
> What processes should be running for the certificate server? I have
> the ns-slapd process and tomcat6 running. The tomcat logs are empty.
>
> Dan
>
> It sounds like you have the right processes running.
>
> The dogtag logs are in /var/log/pki-ca. debug is rather verbose and where I
> usually start looking for issues.
>
> The /var/log/pki-ca/debug file hasn't been updated since the 11th
> November. I've attached an extract from catalina.out which contains
> some pretty severe errors.
>
> To summarise, the errors are:
> SEVERE: Error initializing socket factory
> java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> SEVERE: Failed to initialize connector [Connector[HTTP/1.1-9443]]
> java.io.IOException: Failed to access resource /WEB-INF/lib/osutil.jar
>
> I'd guess that this means I'm missing a package? I'm having trouble
> figuring out which one contains the code I'm missing. Maybe I need to
> reinstall one?
>
> Thanks,
>
> Dan
>
> Is this on F16?  It might be that the package is there but not being picked
> up.
>
>
> JSS and osutil are JNI packages, and you should find them in
> /usr/lib64/java/jss4.jar and osutil.jar, but they might end up in
> /usr/lib/java/jss4.jar and osutil.jar

Both of those files exist, in the lib64 directory:

[root at fileserver1 ~]# ls -l /usr/lib64/java/
total 700
-rw-r--r--. 1 root root 698429 Oct  5 22:14 jss4.jar
-rw-r--r--. 1 root root   9390 Oct  5 23:11 osutil.jar
-rw-r--r--. 1 root root   1858 Oct  7 23:06 symkey.jar

I'm not sure which of the pki* and dogtag* packages should be
installed. The dogtag packages that I have installed have older
version numbers than the pki packages.

[root at fileserver1 ~]# rpm -qa|grep pki
pki-silent-9.0.15-1.fc16.noarch
pki-symkey-9.0.15-1.fc16.x86_64
pki-java-tools-9.0.15-1.fc16.noarch
dogtag-pki-common-theme-9.0.9-1.fc15.noarch
krb5-pkinit-openssl-1.9.1-18.fc16.x86_64
pki-common-9.0.15-1.fc16.noarch
pki-native-tools-9.0.15-1.fc16.x86_64
pki-selinux-9.0.15-1.fc16.noarch
pki-util-9.0.15-1.fc16.noarch
pki-setup-9.0.15-1.fc16.noarch
pki-ca-9.0.15-1.fc16.noarch
dogtag-pki-ca-theme-9.0.9-1.fc15.noarch

And I have the following 'orphans':

[root at fileserver1 ~]# package-cleanup --orphans
dogtag-pki-ca-theme-9.0.9-1.fc15.noarch
dogtag-pki-common-theme-9.0.9-1.fc15.noarch

Do you know which versions should be installed?

Thanks,

Dan
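
Added example (not part of the message above and not FreeIPA or Dogtag code): a small shell filter that makes the mismatch pointed out in the message visible, by listing packages whose Fedora dist tag differs from the tag most packages in the listing carry. The function names are hypothetical, and the sample input is the `rpm -qa` listing quoted in the message.

```shell
#!/bin/sh
# Added example: list packages whose Fedora dist tag (fcNN) differs from
# the tag carried by most of the packages in the same listing.
# Input on stdin: one NAME-VERSION-RELEASE.ARCH per line, as `rpm -qa` prints.

stale_dist_packages() {
    awk '
    {
        # The dist tag is the ".fcNN." component of the release field.
        if (match($0, /\.fc[0-9]+\./)) {
            tag = substr($0, RSTART + 1, RLENGTH - 2)
            pkg[NR] = $0; dist[NR] = tag; count[tag]++
        }
    }
    END {
        # Treat the most common tag as the expected one.
        best = 0; want = ""
        for (t in count) if (count[t] > best) { best = count[t]; want = t }
        for (i = 1; i <= NR; i++)
            if ((i in pkg) && dist[i] != want) print dist[i], pkg[i]
    }' | sort
}

# The package listing quoted in the message above.
sample_rpm_list() {
    cat <<'EOF'
pki-silent-9.0.15-1.fc16.noarch
pki-symkey-9.0.15-1.fc16.x86_64
pki-java-tools-9.0.15-1.fc16.noarch
dogtag-pki-common-theme-9.0.9-1.fc15.noarch
krb5-pkinit-openssl-1.9.1-18.fc16.x86_64
pki-common-9.0.15-1.fc16.noarch
pki-native-tools-9.0.15-1.fc16.x86_64
pki-selinux-9.0.15-1.fc16.noarch
pki-util-9.0.15-1.fc16.noarch
pki-setup-9.0.15-1.fc16.noarch
pki-ca-9.0.15-1.fc16.noarch
dogtag-pki-ca-theme-9.0.9-1.fc15.noarch
EOF
}

# On a live system: rpm -qa | grep -E 'pki|dogtag' | stale_dist_packages
sample_rpm_list | stale_dist_packages
```

On the sample it prints the two `fc15` theme packages, the same two that `package-cleanup --orphans` reports in the message.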