[Freeipa-users] (no subject)

Jimmy g17jimmy at gmail.com
Fri Mar 16 18:31:20 UTC 2012


The ca_audit problem was caused by me accidentally moving the
directory to a backup location. I was cleaning up the logs to make
reading easier. When I moved the directory back that issue went away.
No changes were made in the NSS database(s) or any other internal
workings of IPA. This system is used for very basic user
authentication, DNS, etc.

I can do the ldif export/import for dogtag. Just from comparing
everything, it looks like the dogtag db is in
/var/lib/dirsrv/slapd-PKI-IPA/db/userRoot, is that correct?

-J

On Fri, Mar 16, 2012 at 12:51 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> Jimmy wrote:
>>
>> Here are the latest logs and info. Thanks. Jimmy
>
>
> What did you change to fix the ca_audit problem?
>
> There are two problems that I can see:
>
> 1. certmonger is failing because of SSL trust issues. Have you changed the
> NSS database(s) recently for Apache or 389-ds, or /etc/pki/nssdb?
>
> 2. Looks like there is some corruption in the dogtag LDAP instance based on
> all the entries not found.
>
> rob
>
>
>>
>> ipagetcert list output- http://fpaste.org/OAra/
>>
>> pki-ca system log -- http://fpaste.org/Uomy/
>> catalina.out -- http://fpaste.org/5MR1/
>> selftests -- http://fpaste.org/CwDF/
>> debug -- http://fpaste.org/Wy0o/
>>
>> On Fri, Mar 16, 2012 at 11:08 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>>>
>>> Jimmy wrote:
>>>>
>>>>
>>>> I didn't see a catalina.log on my system, but there is a catalina.out:
>>>>
>>>> http://fpaste.org/KgJn/
>>>
>>> That's the one. Looks like the CA isn't starting.
>>>
>>> Does /var/lib/pki-ca/logs/signedAudit/ca_audit exist? If so, what is the
>>> SELinux context (ls -lZ)?
>>>
>>> rob
>>>
>>>>
>>>> -J
>>>>
>>>> On Thu, Mar 15, 2012 at 5:37 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>>>>
>>>>>
>>>>> Jimmy wrote:
>>>>>>
>>>>>> error log: http://fpaste.org/efyf/
>>>>>>
>>>>>> CA debug: http://fpaste.org/LemM/
>>>>>>
>>>>>> CA localhost log: http://fpaste.org/q4MU/
>>>>>>
>>>>>> That's all I can find that corresponds to the time I ran the getcert.
>>>>>
>>>>> I'd look at the catalina.log, is dogtag coming up ok?
>>>>>
>>>>> rob
>>>>>
>>>>>
>>>>>>
>>>>>> Jimmy
>>>>>> On Thu, Mar 15, 2012 at 4:47 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>>>>>>
>>>>>>> Jimmy wrote:
>>>>>>>>
>>>>>>>> Still shows status: CA_UNREACHABLE
>>>>>>>>
>>>>>>>> http://fpaste.org/UrTJ/
>>>>>>>
>>>>>>> If there was an Internal Server Error there should be an error in the
>>>>>>> Apache error log or something in the CA debug/transaction log (or both).
>>>>>>> Can you check those?
>>>>>>>
>>>>>>> rob
>>>>>>>
>>>>>>>>
>>>>>>>> On Thu, Mar 15, 2012 at 3:22 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>>>>>>>>
>>>>>>>>> Jimmy wrote:
>>>>>>>>>>
>>>>>>>>>> I used yum to upgrade certmonger; now the access_log has nothing
>>>>>>>>>> new when I run the ipa-getcert, but error_log shows this:
>>>>>>>>>>
>>>>>>>>>> [Sat Mar 10 21:47:21 2012] [error] ipa: INFO: sslget
>>>>>>>>>> 'https://xyz-ipa.abc.xyz:443/ca/agent/ca/displayBySerial'
>>>>>>>>>> [Sat Mar 10 21:47:21 2012] [error] ipa: INFO:
>>>>>>>>>> host/xyz-ipa.abc.xyz at ABC.XYZ:
>>>>>>>>>>
>>>>>>>>>> cert_request(u'[base64 CSR removed]',
>>>>>>>>>> principal=u'ldap/xyz-ipa.abc.xyz at ABC.XYZ', add=True):
>>>>>>>>>> CertificateOperationError
>>>>>>>>>
>>>>>>>>> What does ipa-getcert list show?
>>>>>>>>>
>>>>>>>>> You may now have something in the CA logs too.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> rob
>>>>>>>>>>
>>>>>>>>>> On Thu, Mar 15, 2012 at 2:07 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Jimmy wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Which error log? The pki-ca error log has nothing and the httpd
>>>>>>>>>>>> error log has nothing, and the httpd access log has this: (yes, the
>>>>>>>>>>>> dates are set back a few days, because the current cert expires on 3/11)
>>>>>>>>>>>>
>>>>>>>>>>>> 192.168.201.102 - - [10/Mar/2012:21:27:24 +0000] "POST /ipa/xml HTTP/1.1" 401 1775
>>>>>>>>>>>> 192.168.201.102 - host/abc-ipa.abc.xyz at ABC.XYZ [10/Mar/2012:21:27:25 +0000] "POST /ipa/xml HTTP/1.1" 200 314
>>>>>>>>>>>>
>>>>>>>>>>>> here is the ipa-getcert list:
>>>>>>>>>>>>
>>>>>>>>>>>> http://fpaste.org/Dzr3/
>>>>>>>>>>>
>>>>>>>>>>> You need to update certmonger, it isn't setting a Referer HTTP
>>>>>>>>>>> header in its request. That is now required by IPA.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> rob
>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On Thu, Mar 15, 2012 at 1:33 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Jimmy wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Restarted IPA and now the interface loads, but resubmitting
>>>>>>>>>>>>>> the cert has this result -
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ipa-getcert resubmit -i 20110913154233
>>>>>>>>>>>>>> 192.168.201.102 - - [10/Mar/2012:20:53:13 +0000] "POST /ipa/xml HTTP/1.1" 401 1775
>>>>>>>>>>>>>> 192.168.201.102 - host/abc-ipa.abc.xyz at ABC.XYZ [10/Mar/2012:20:53:13 +0000] "POST /ipa/xml HTTP/1.1" 200 314
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> but the cert still shows these dates-
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>     Not Before: Tue Sep 13 15:43:37 2011
>>>>>>>>>>>>>>     Not After : Sun Mar 11 15:43:37 2012
>>>>>>>>>>>>>
>>>>>>>>>>>>> The error log will contain more interesting information.
>>>>>>>>>>>>>
>>>>>>>>>>>>> What does the status show in the output of ipa-getcert list?
>>>>>>>>>>>>>
>>>>>>>>>>>>> rob
>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Thu, Mar 15, 2012 at 1:06 PM, Jimmy <g17jimmy at gmail.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I can now start the upgraded IPA, but now going to the IPA
>>>>>>>>>>>>>>> admin page I get this:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ====
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Not Found
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> The requested URL /ipa was not found on this server.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ====
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>> Freeipa-users mailing list
>>>>>>>>>>>>>> Freeipa-users at redhat.com
>>>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
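As an added illustration of the Referer requirement Rob mentions above (example code written for this archive page, not FreeIPA's or certmonger's own): a same-origin Referer check of the kind IPA applies to its RPC endpoint, run against constructed request headers for a client that omits the header and one that sends it. The hostname is taken from the logs in the thread; the 400 status, the cross-site hostname and the function names are this example's own assumptions.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

SERVER_HOST = "xyz-ipa.abc.xyz"   # hostname taken from the logs in the thread


class RefererError(Exception):
    """Raised when a request has no acceptable Referer header."""


def get_header(headers: dict, name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    name = name.lower()
    return next((v for k, v in headers.items() if k.lower() == name), None)


def check_referer(headers: dict, server_host: str = SERVER_HOST) -> None:
    """Reject a request whose Referer is absent or names another origin.

    A same-origin Referer is a cheap CSRF defence for an RPC endpoint that
    authenticates by Kerberos or session cookie: a browser-driven cross-site
    request carries the other site as Referer, or none at all.
    """
    referer = get_header(headers, "Referer")
    if not referer:
        raise RefererError("Missing or empty HTTP Referer header")
    parts = urlsplit(referer)
    if parts.scheme != "https" or (parts.hostname or "").lower() != server_host.lower():
        raise RefererError(f"Referer {referer!r} is not on https://{server_host}")


def handle_rpc(headers: dict) -> Tuple[int, str]:
    """Minimal RPC front end returning (HTTP status, body).

    Answering 400 for a failed Referer check is this example's own choice."""
    try:
        check_referer(headers)
    except RefererError as exc:
        return 400, str(exc)
    return 200, "ok"


# Constructed request headers: an old client that sends no Referer, a fixed
# client that sends its own endpoint URL, and a cross-site request.
OLD_CLIENT = {"Content-Type": "text/xml", "User-Agent": "certmonger-old"}
NEW_CLIENT = {**OLD_CLIENT, "referer": f"https://{SERVER_HOST}/ipa/xml"}
CROSS_SITE = {**OLD_CLIENT, "Referer": "https://other.example/page"}

if __name__ == "__main__":
    for name, hdrs in [("old", OLD_CLIENT), ("new", NEW_CLIENT), ("cross", CROSS_SITE)]:
        print(name, handle_rpc(hdrs))
```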
