[Freeipa-users] (no subject)

Rob Crittenden rcritten at redhat.com
Fri Mar 16 17:29:51 UTC 2012


Jimmy wrote:
> When I try `ipa-getcert resubmit -i 20110913154233` I see this in the CA logs:
>
> localhost.2012-03-08.log---
> Mar 8, 2012 1:54:34 AM org.apache.catalina.core.ApplicationContext log
> INFO: caDisplayBySerial-agent: Invalid Credential.
>
> debug---
> [08/Mar/2012:01:54:34][TP-Processor3]: In LdapBoundConnFactory::getConn()
> [08/Mar/2012:01:54:34][TP-Processor3]: masterConn is connected: true
> [08/Mar/2012:01:54:34][TP-Processor3]: getConn: conn is connected true
> [08/Mar/2012:01:54:34][TP-Processor3]: getConn: mNumConns now 2
> [08/Mar/2012:01:54:34][TP-Processor3]: returnConn: mNumConns now 3
> [08/Mar/2012:01:54:34][TP-Processor3]: Authentication: cannot map
> certificate to user
> [08/Mar/2012:01:54:34][TP-Processor3]: SignedAuditEventFactory:
> create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA
> RA,O=ABC.XYZ] authentication failure

Right, I think your dogtag 389-ds instance is similarly corrupted to 
your IPA instance so it can't find any entries.

rob

>
>
>
> On Fri, Mar 16, 2012 at 12:15 PM, Jimmy<g17jimmy at gmail.com>  wrote:
>> Here are the latest logs and info. Thanks. Jimmy
>>
>> ipagetcert list output- http://fpaste.org/OAra/
>>
>> pki-ca system log -- http://fpaste.org/Uomy/
>> catalina.out -- http://fpaste.org/5MR1/
>> selftests -- http://fpaste.org/CwDF/
>> debug -- http://fpaste.org/Wy0o/
>>
>> On Fri, Mar 16, 2012 at 11:08 AM, Rob Crittenden<rcritten at redhat.com>  wrote:
>>> Jimmy wrote:
>>>>
>>>> I didn't see a catalina.log on my system, but there is a catalina.out:
>>>>
>>>> http://fpaste.org/KgJn/
>>>
>>>
>>> That's the one. Looks like the CA isn't starting.
>>>
>>> Does /var/lib/pki-ca/logs/signedAudit/ca_audit exist? If so, what is the
>>> SELinux context (ls -lZ)?
>>>
>>> rob
>>>
>>>>
>>>> -J
>>>>
>>>> On Thu, Mar 15, 2012 at 5:37 PM, Rob Crittenden<rcritten at redhat.com>
>>>>   wrote:
>>>>>
>>>>> Jimmy wrote:
>>>>>>
>>>>>>
>>>>>> error log: http://fpaste.org/efyf/
>>>>>>
>>>>>> CA debug: http://fpaste.org/LemM/
>>>>>>
>>>>>> CA localhost log: http://fpaste.org/q4MU/
>>>>>>
>>>>>> That's all I can find that corresponds to the time I ran the getcert.
>>>>>
>>>>>
>>>>>
>>>>> I'd look at the catalina.log, is dogtag coming up ok?
>>>>>
>>>>> rob
>>>>>
>>>>>
>>>>>>
>>>>>> Jimmy
>>>>>> On Thu, Mar 15, 2012 at 4:47 PM, Rob Crittenden<rcritten at redhat.com>
>>>>>>   wrote:
>>>>>>>
>>>>>>>
>>>>>>> Jimmy wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Still shows status: CA_UNREACHABLE
>>>>>>>>
>>>>>>>> http://fpaste.org/UrTJ/
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> If there was an Internal Server Error there should be an error in the
>>>>>>> Apache error log or something in the CA debug/transaction log (or both).
>>>>>>> Can you check those?
>>>>>>>
>>>>>>> rob
>>>>>>>
>>>>>>>>
>>>>>>>> On Thu, Mar 15, 2012 at 3:22 PM, Rob Crittenden<rcritten at redhat.com>
>>>>>>>>   wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Jimmy wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I used yum to upgrade certmonger; now the access_log has nothing new
>>>>>>>>>> when I run the ipa-getcert, but error_log shows this:
>>>>>>>>>>
>>>>>>>>>> [Sat Mar 10 21:47:21 2012] [error] ipa: INFO: sslget
>>>>>>>>>> 'https://xyz-ipa.abc.xyz:443/ca/agent/ca/displayBySerial'
>>>>>>>>>> [Sat Mar 10 21:47:21 2012] [error] ipa: INFO:
>>>>>>>>>> host/xyz-ipa.abc.xyz at ABC.XYZ:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> cert_request(u'[certificate request data removed]',
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> principal=u'ldap/xyz-ipa.abc.xyz at ABC.XYZ', add=True):
>>>>>>>>>> CertificateOperationError
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> What does ipa-getcert list show?
>>>>>>>>>
>>>>>>>>> You may now have something in the CA logs too.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> rob
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Thu, Mar 15, 2012 at 2:07 PM, Rob Crittenden<rcritten at redhat.com>
>>>>>>>>>>   wrote:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Jimmy wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Which error log? The pki-ca error log has nothing and the httpd error
>>>>>>>>>>>> log has nothing, and the httpd access log has this: (yes, the dates
>>>>>>>>>>>> are set back a few days, bc the current cert expires on 3/11)
>>>>>>>>>>>>
>>>>>>>>>>>> 192.168.201.102 - - [10/Mar/2012:21:27:24 +0000] "POST /ipa/xml
>>>>>>>>>>>> HTTP/1.1" 401 1775
>>>>>>>>>>>> 192.168.201.102 - host/abc-ipa.abc.xyz at ABC.XYZ
>>>>>>>>>>>> [10/Mar/2012:21:27:25
>>>>>>>>>>>> +0000] "POST /ipa/xml HTTP/1.1" 200 314
>>>>>>>>>>>>
>>>>>>>>>>>> here is the ipa-getcert list:
>>>>>>>>>>>>
>>>>>>>>>>>> http://fpaste.org/Dzr3/
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> You need to update certmonger, it isn't setting a Referer HTTP header
>>>>>>>>>>> in its request. That is now required by IPA.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> rob
>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On Thu, Mar 15, 2012 at 1:33 PM, Rob
>>>>>>>>>>>> Crittenden<rcritten at redhat.com>
>>>>>>>>>>>>   wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Jimmy wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Restarted IPA and now the interface loads, but resubmitting the cert
>>>>>>>>>>>>>> has this result -
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ipa-getcert resubmit -i 20110913154233
>>>>>>>>>>>>>> 192.168.201.102 - - [10/Mar/2012:20:53:13 +0000] "POST /ipa/xml
>>>>>>>>>>>>>> HTTP/1.1" 401 1775
>>>>>>>>>>>>>> 192.168.201.102 - host/abc-ipa.abc.xyz at ABC.XYZ
>>>>>>>>>>>>>> [10/Mar/2012:20:53:13
>>>>>>>>>>>>>> +0000] "POST /ipa/xml HTTP/1.1" 200 314
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> but the cert still shows these dates-
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>   Not Before: Tue Sep 13 15:43:37 2011
>>>>>>>>>>>>>>              Not After : Sun Mar 11 15:43:37 2012
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> The error log will contain more interesting information.
>>>>>>>>>>>>>
>>>>>>>>>>>>> What does the status show in the output of ipa-getcert list?
>>>>>>>>>>>>>
>>>>>>>>>>>>> rob
>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Thu, Mar 15, 2012 at 1:06 PM, Jimmy<g17jimmy at gmail.com>
>>>>>>>>>>>>>>   wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I can now start the upgraded IPA, but now going to the IPA admin page
>>>>>>>>>>>>>>> I get this:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ====
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Not Found
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> The requested URL /ipa was not found on this server.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ====
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>
>>>>>>>
>>>>>
>>>
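
An added example, not part of the original thread and not FreeIPA or Dogtag code: a small parser for the CA debug log format quoted at the top of this message. It re-joins wrapped records and extracts AUTH_FAIL audit events with the certificate subject that could not be mapped to a user. The function names are hypothetical and the sample log is constructed from the excerpt in the thread.

```python
import re
from collections import Counter

# Constructed sample modelled on the CA debug excerpt quoted in this message,
# including the mail-style wrapping that splits one record over several lines.
SAMPLE_DEBUG_LOG = """\
[08/Mar/2012:01:54:34][TP-Processor3]: getConn: mNumConns now 2
[08/Mar/2012:01:54:34][TP-Processor3]: Authentication: cannot map
certificate to user
[08/Mar/2012:01:54:34][TP-Processor3]: SignedAuditEventFactory:
create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA
RA,O=ABC.XYZ] authentication failure
"""

# A record starts with [dd/Mon/yyyy:hh:mm:ss][thread]:
RECORD_RE = re.compile(
    r"^\[(?P<ts>\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2})\]\[(?P<thread>[^\]]+)\]:\s*(?P<msg>.*)$"
)
# Values may contain '=' (certificate subject DNs), so the key stops at the first '='.
FIELD_RE = re.compile(r"\[([A-Za-z]+)=([^\]]*)\]")


def join_wrapped(text):
    """Fold continuation lines (no leading timestamp) into the previous record."""
    records = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if RECORD_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def auth_failures(text):
    """Return one dict of audit fields per AUTH_FAIL event in the log text."""
    events = []
    for record in join_wrapped(text):
        m = RECORD_RE.match(record)
        if not m or "message=" not in m.group("msg"):
            continue
        fields = dict(FIELD_RE.findall(m.group("msg").split("message=", 1)[1]))
        if fields.get("AuditEvent") == "AUTH_FAIL":
            events.append({"timestamp": m.group("ts"), **fields})
    return events


def summarize(events):
    """Count failures per (authentication manager, attempted credential)."""
    return Counter((e.get("AuthMgr"), e.get("AttemptedCred")) for e in events)
```

Repeated failures for the same `AttemptedCred` under `certUserDBAuthMgr` point at the certificate-to-user lookup in the CA's directory, which is where Rob's reply places the fault.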
