[Freeipa-users] (no subject)

Jimmy g17jimmy at gmail.com
Fri Mar 16 17:32:12 UTC 2012


What is the proper way to recover from this? I've been digging and
searching but don't see anything about this in relation to IPA.

On Fri, Mar 16, 2012 at 1:29 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> Jimmy wrote:
>>
>> When I try `ipa-getcert resubmit -i 20110913154233` I see this in the CA
>> logs:
>>
>> localhost.2012-03-08.log---
>> Mar 8, 2012 1:54:34 AM org.apache.catalina.core.ApplicationContext log
>> INFO: caDisplayBySerial-agent: Invalid Credential.
>>
>> debug---
>> [08/Mar/2012:01:54:34][TP-Processor3]: In LdapBoundConnFactory::getConn()
>> [08/Mar/2012:01:54:34][TP-Processor3]: masterConn is connected: true
>> [08/Mar/2012:01:54:34][TP-Processor3]: getConn: conn is connected true
>> [08/Mar/2012:01:54:34][TP-Processor3]: getConn: mNumConns now 2
>> [08/Mar/2012:01:54:34][TP-Processor3]: returnConn: mNumConns now 3
>> [08/Mar/2012:01:54:34][TP-Processor3]: Authentication: cannot map certificate to user
>> [08/Mar/2012:01:54:34][TP-Processor3]: SignedAuditEventFactory: create()
>> message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA RA,O=ABC.XYZ] authentication failure
>
> Right, I think your dogtag 389-ds instance is similarly corrupted to your
> IPA instance so it can't find any entries.
>
> rob
>
>>
>> On Fri, Mar 16, 2012 at 12:15 PM, Jimmy <g17jimmy at gmail.com> wrote:
>>>
>>> Here are the latest logs and info. Thanks. Jimmy
>>>
>>> ipagetcert list output- http://fpaste.org/OAra/
>>>
>>> pki-ca system log -- http://fpaste.org/Uomy/
>>> catalina.out -- http://fpaste.org/5MR1/
>>> selftests -- http://fpaste.org/CwDF/
>>> debug -- http://fpaste.org/Wy0o/
>>>
>>> On Fri, Mar 16, 2012 at 11:08 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>>>>
>>>> Jimmy wrote:
>>>>>
>>>>> I didn't see a catalina.log on my system, but there is a catalina.out:
>>>>>
>>>>> http://fpaste.org/KgJn/
>>>>
>>>> That's the one. Looks like the CA isn't starting.
>>>>
>>>> Does /var/lib/pki-ca/logs/signedAudit/ca_audit exist? If so, what is the
>>>> SELinux context (ls -lZ)?
>>>>
>>>> rob
>>>>
>>>>>
>>>>> -J
>>>>>
>>>>> On Thu, Mar 15, 2012 at 5:37 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>>>>>
>>>>>> Jimmy wrote:
>>>>>>>
>>>>>>> error log: http://fpaste.org/efyf/
>>>>>>>
>>>>>>> CA debug: http://fpaste.org/LemM/
>>>>>>>
>>>>>>> CA localhost log: http://fpaste.org/q4MU/
>>>>>>>
>>>>>>> That's all I can find that corresponds to the time I ran the getcert.
>>>>>>
>>>>>> I'd look at the catalina.log; is dogtag coming up ok?
>>>>>>
>>>>>> rob
>>>>>>
>>>>>>> Jimmy
>>>>>>>
>>>>>>> On Thu, Mar 15, 2012 at 4:47 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>>>>>>>
>>>>>>>> Jimmy wrote:
>>>>>>>>>
>>>>>>>>> Still shows status: CA_UNREACHABLE
>>>>>>>>>
>>>>>>>>> http://fpaste.org/UrTJ/
>>>>>>>>
>>>>>>>> If there was an Internal Server Error there should be an error in the
>>>>>>>> Apache error log or something in the CA debug/transaction log (or both).
>>>>>>>> Can you check those?
>>>>>>>>
>>>>>>>> rob
>>>>>>>>
>>>>>>>>> On Thu, Mar 15, 2012 at 3:22 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>>>>>>>>>
>>>>>>>>>> Jimmy wrote:
>>>>>>>>>>>
>>>>>>>>>>> I used yum to upgrade certmonger; now the access_log has nothing new
>>>>>>>>>>> when I run the ipa-getcert, but error_log shows this:
>>>>>>>>>>>
>>>>>>>>>>> [Sat Mar 10 21:47:21 2012] [error] ipa: INFO: sslget
>>>>>>>>>>> 'https://xyz-ipa.abc.xyz:443/ca/agent/ca/displayBySerial'
>>>>>>>>>>> [Sat Mar 10 21:47:21 2012] [error] ipa: INFO:
>>>>>>>>>>> host/xyz-ipa.abc.xyz at ABC.XYZ:
>>>>>>>>>>> cert_request(u'...cJuw3cwOfH8zrBRV28XYhMLm0OOhj92uxgax5UPY2VyHP5UOtOnfuduU1ZXa+o8QIXqX7/HyDSCLGwiPJscAsp9cRzjn4KvqzZDOcdGEjXmCGfrmUiMcuzVyTDR2SdAWrHdbRmXeyVxmiBPzdk=',
>>>>>>>>>>> principal=u'ldap/xyz-ipa.abc.xyz at ABC.XYZ', add=True):
>>>>>>>>>>> CertificateOperationError
>>>>>>>>>>
>>>>>>>>>> What does ipa-getcert list show?
>>>>>>>>>>
>>>>>>>>>> You may now have something in the CA logs too.
>>>>>>>>>>
>>>>>>>>>> rob
>>>>>>>>>>>
>>>>>>>>>>> On Thu, Mar 15, 2012 at 2:07 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Jimmy wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Which error log? The pki-ca error log has nothing and the httpd error
>>>>>>>>>>>>> log has nothing, and the httpd access log has this (yes, the dates
>>>>>>>>>>>>> are set back a few days, bc the current cert expires on 3/11):
>>>>>>>>>>>>>
>>>>>>>>>>>>> 192.168.201.102 - - [10/Mar/2012:21:27:24 +0000] "POST /ipa/xml HTTP/1.1" 401 1775
>>>>>>>>>>>>> 192.168.201.102 - host/abc-ipa.abc.xyz at ABC.XYZ [10/Mar/2012:21:27:25 +0000] "POST /ipa/xml HTTP/1.1" 200 314
>>>>>>>>>>>>>
>>>>>>>>>>>>> here is the ipa-getcert list:
>>>>>>>>>>>>>
>>>>>>>>>>>>> http://fpaste.org/Dzr3/
>>>>>>>>>>>>
>>>>>>>>>>>> You need to update certmonger, it isn't setting a Referer HTTP header
>>>>>>>>>>>> in its request. That is now required by IPA.
>>>>>>>>>>>>
>>>>>>>>>>>> rob
>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Thu, Mar 15, 2012 at 1:33 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Jimmy wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Restarted IPA and now the interface loads, but resubmitting the
>>>>>>>>>>>>>>> cert has this result -
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ipa-getcert resubmit -i 20110913154233
>>>>>>>>>>>>>>> 192.168.201.102 - - [10/Mar/2012:20:53:13 +0000] "POST /ipa/xml HTTP/1.1" 401 1775
>>>>>>>>>>>>>>> 192.168.201.102 - host/abc-ipa.abc.xyz at ABC.XYZ [10/Mar/2012:20:53:13 +0000] "POST /ipa/xml HTTP/1.1" 200 314
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> but the cert still shows these dates-
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>  Not Before: Tue Sep 13 15:43:37 2011
>>>>>>>>>>>>>>>  Not After : Sun Mar 11 15:43:37 2012
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The error log will contain more interesting information.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> What does the status show in the output of ipa-getcert list?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> rob
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Thu, Mar 15, 2012 at 1:06 PM, Jimmy <g17jimmy at gmail.com> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I can now start the upgraded IPA, but now going to the IPA admin
>>>>>>>>>>>>>>>> page I get this:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> ====
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Not Found
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> The requested URL /ipa was not found on this server.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> ====
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>> Freeipa-users mailing list
>>>>>>>>>>>>>>> Freeipa-users at redhat.com
>>>>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
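Added example, not code from this thread or from the FreeIPA/Dogtag projects: a small Python triage script for the two log formats quoted above. It parses the Dogtag debug-log SignedAuditEventFactory line and flags the combination AUTH_FAIL / certUserDBAuthMgr / SubjectID=$Unidentified$, which is the audit-side form of "cannot map certificate to user" (the CA accepted the IPA RA client certificate at the TLS layer but found no agent entry for it in its own 389-ds). It also reads the httpd access_log lines and separates the anonymous 401 followed by an authenticated 200 from the same client, which is the normal Negotiate handshake on /ipa/xml and not an error, from genuine failures such as the 404 on /ipa. The sample lines are constructed to match the quoted format; the list archive renders "@" as " at ", so the samples use the real "@" form, and the audit event is assumed to sit on one line as it does in the actual debug log.

```python
"""Triage helpers for the two log formats quoted in the thread.

Added example (not FreeIPA or Dogtag code). Sample lines are constructed to
match the quoted format; the archive renders '@' as ' at ', samples use '@'.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Dogtag debug log: "[ts][thread]: SignedAuditEventFactory: create() message=[k=v]... text"
AUDIT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: SignedAuditEventFactory: create\(\)\s*"
    r"message=(?P<fields>(?:\[[^\]]*\])+)\s*(?P<text>.*)$"
)
# One [Key=Value] group; the value may itself contain '=' (AttemptedCred=CN=IPA RA,...)
FIELD_RE = re.compile(r"\[([A-Za-z]+)=([^\]]*)\]")
# httpd common log format as it appears in the thread
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

SAMPLE_AUDIT = [  # constructed, modelled on the quoted CA debug output
    "[08/Mar/2012:01:54:34][TP-Processor3]: In LdapBoundConnFactory::getConn()",
    "[08/Mar/2012:01:54:34][TP-Processor3]: Authentication: cannot map certificate to user",
    "[08/Mar/2012:01:54:34][TP-Processor3]: SignedAuditEventFactory: create() "
    "message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure]"
    "[AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA RA,O=ABC.XYZ] authentication failure",
]
SAMPLE_ACCESS = [  # constructed, modelled on the quoted httpd access_log
    '192.168.201.102 - - [10/Mar/2012:21:27:24 +0000] "POST /ipa/xml HTTP/1.1" 401 1775',
    '192.168.201.102 - host/abc-ipa.abc.xyz@ABC.XYZ [10/Mar/2012:21:27:25 +0000] '
    '"POST /ipa/xml HTTP/1.1" 200 314',
    '192.168.201.50 - - [10/Mar/2012:21:30:00 +0000] "GET /ipa HTTP/1.1" 404 293',
]


@dataclass
class AuditEvent:
    timestamp: str
    thread: str
    fields: Dict[str, str]
    text: str


def parse_audit_line(line: str) -> Optional[AuditEvent]:
    """Return the structured audit event, or None for ordinary debug lines."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    return AuditEvent(m.group("ts"), m.group("thread"),
                      dict(FIELD_RE.findall(m.group("fields"))), m.group("text"))


def unmapped_cert_failures(lines: List[str]) -> List[str]:
    """DNs of client certs the CA rejected because no user entry maps to them.

    AUTH_FAIL from certUserDBAuthMgr with SubjectID=$Unidentified$ is the
    audit-side twin of 'Authentication: cannot map certificate to user'.
    """
    hits = []
    for ev in filter(None, map(parse_audit_line, lines)):
        if (ev.fields.get("AuditEvent") == "AUTH_FAIL"
                and ev.fields.get("AuthMgr") == "certUserDBAuthMgr"
                and ev.fields.get("SubjectID") == "$Unidentified$"):
            hits.append(ev.fields.get("AttemptedCred", ""))
    return hits


@dataclass
class AccessRecord:
    ip: str
    user: str
    request: str
    status: int


def parse_access_line(line: str) -> Optional[AccessRecord]:
    m = ACCESS_RE.match(line.strip())
    if not m:
        return None
    return AccessRecord(m.group("ip"), m.group("user"), m.group("req"), int(m.group("status")))


def classify_access(lines: List[str]) -> Tuple[List[Tuple[str, str, int]], List[AccessRecord]]:
    """Split access_log records into Negotiate handshakes and real failures.

    An anonymous 401 followed by an authenticated success (principal in the
    user field) from the same client is the normal SPNEGO challenge/response
    on /ipa/xml. Any other >= 400 status, and any anonymous 401 that never
    gets an authenticated retry, is reported as a failure.
    """
    handshakes, failures = [], []
    pending: Dict[str, AccessRecord] = {}  # client ip -> unanswered anonymous 401
    for rec in filter(None, map(parse_access_line, lines)):
        if rec.status == 401 and rec.user == "-":
            if rec.ip in pending:
                failures.append(pending[rec.ip])
            pending[rec.ip] = rec
        elif rec.ip in pending and rec.user != "-" and rec.status < 400:
            handshakes.append((pending.pop(rec.ip).request, rec.user, rec.status))
        elif rec.status >= 400:
            failures.append(rec)
    failures.extend(pending.values())
    return handshakes, failures


if __name__ == "__main__":
    print("unmapped agent certs:", unmapped_cert_failures(SAMPLE_AUDIT))
    ok, bad = classify_access(SAMPLE_ACCESS)
    print("negotiate handshakes:", ok)
    print("real failures:", [(r.request, r.status) for r in bad])
```

Run against real files with `unmapped_cert_failures(open("/var/lib/pki-ca/logs/debug").read().splitlines())` and the same for the httpd access_log; a non-empty result from the first call means the certmonger request will stay at CA_UNREACHABLE until the CA's directory has a usable entry for the RA agent certificate again, whatever the access_log shows.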
