[Freeipa-users] ipa host-del

george he george_he7 at yahoo.com
Tue Sep 4 14:23:01 UTC 2012


First of all, I don't see any java process after ipactl stop.

Then I turned on debug and this is what I get on the terminal:
# ipa host-del hnl09.psych.yale.edu

......

ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
ipa: DEBUG: cert valid True for "CN=cushing.psych.yale.edu,O=PSYCH.YALE.EDU"
ipa: DEBUG: handshake complete, peer = 130.132.167.68:443
ipa: DEBUG: Caught fault 4301 from server http://cushing.psych.yale.edu/ipa/xml: Certificate operation cannot be completed: Unable to communicate with CMS (Service Temporarily Unavailable)
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Service Temporarily Unavailable)


So there's a "fault 4301" being caught.
And this is at the end of /var/log/httpd/error_log:

[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: cert valid True for "CN=cushing.psych.yale.edu,O=PSYCH.YALE.EDU"
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: handshake complete, peer = 130.132.167.68:443
[Tue Sep 04 10:17:05 2012] [error] (111)Connection refused: proxy: AJP: attempt to connect to 127.0.0.1:9447 (localhost) failed
[Tue Sep 04 10:17:05 2012] [error] ap_proxy_connect_backend disabling worker for (localhost)
[Tue Sep 04 10:17:05 2012] [error] proxy: AJP: failed to make connection to backend: localhost
[Tue Sep 04 10:17:05 2012] [error] ipa: INFO: admin at PSYCH.YALE.EDU: host_del((u'hnl09.psych.yale.edu',), updatedns=False): CertificateOperationError
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: response: CertificateOperationError: Certificate operation cannot be completed: Unable to communicate with CMS (Service Temporarily Unavailable)
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: Destroyed connection context.ldap2


Thanks,
George




>________________________________
> From: John Dennis <jdennis at redhat.com>
>To: george he <george_he7 at yahoo.com> 
>Cc: "freeipa-users at redhat.com" <freeipa-users at redhat.com> 
>Sent: Tuesday, September 4, 2012 8:53 AM
>Subject: Re: [Freeipa-users] ipa host-del
> 
>On 09/04/2012 08:28 AM, george he wrote:
>> 
>> There's only one conf file in /etc/ipa/, which is default.conf. ca_host
>> is not defined there. But I think my CA is the IPA server.
>> 
>> Everything is reported running:
>> # ipactl status
>> Directory Service: RUNNING
>> KDC Service: RUNNING
>> KPASSWD Service: RUNNING
>> MEMCACHE Service: RUNNING
>> HTTP Service: RUNNING
>> CA Service: RUNNING
>> 
>> but when I try # ipactl restart, it reports:
>> Starting httpd: [Tue Sep 04 08:19:10 2012] [warn] worker
>> ajp://localhost:9447/ already used by another worker
>> [Tue Sep 04 08:19:10 2012] [warn] worker ajp://localhost:9447/ already
>> used by another worker
>
>ajp worker threads are used by tomcat instances of which the CA is one example. It sounds like your CA has gotten into a funny state. I would do an ipactl stop to shut down all your services and then do a ps to look for any Java processes that are still running (I'm assuming the only Java you're running on this box would be for the CA). If you can identify a running Java process that you believe belongs to the CA then kill it and try starting IPA again (or you could use a big hammer and reboot).
>
>BTW, the ajp threads are the listeners on the CA communication ports; if those threads are not in the right state you could see the CA communication problems you reported.
>
>If that still does not work then my next suggestion would be to add this line to /etc/ipa/default.conf
>
>debug=True
>
>and restart IPA, that will cause verbose logging to be written to /var/log/httpd/error_log which may have more detailed messages indicating where things might be going wrong.
>
>
>-- John Dennis <jdennis at redhat.com>
>
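The chain visible in the error_log excerpt above (httpd's AJP proxy is refused on 127.0.0.1:9447, then IPA returns CertificateOperationError) can be picked out of a log mechanically. The following is an added example, not part of the original thread and not FreeIPA code; the names `triage` and `backend_listening` are hypothetical, and the line formats are assumed from the excerpt in the post.

```python
import re
import socket
from datetime import datetime

# Sample input: lines taken from the error_log excerpt in the post above.
SAMPLE = """\
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: handshake complete, peer = 130.132.167.68:443
[Tue Sep 04 10:17:05 2012] [error] (111)Connection refused: proxy: AJP: attempt to connect to 127.0.0.1:9447 (localhost) failed
[Tue Sep 04 10:17:05 2012] [error] ap_proxy_connect_backend disabling worker for (localhost)
[Tue Sep 04 10:17:05 2012] [error] ipa: INFO: admin at PSYCH.YALE.EDU: host_del((u'hnl09.psych.yale.edu',), updatedns=False): CertificateOperationError
""".splitlines()

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
AJP_FAIL = re.compile(r"\((?P<errno>\d+)\)(?P<reason>[^:]+): proxy: AJP: attempt to connect to (?P<host>[\d.]+):(?P<port>\d+)")
IPA_FAIL = re.compile(r"ipa: INFO: .*?: (?P<cmd>\w+)\(.*\): CertificateOperationError$")

def triage(lines, window=2):
    """Pair each CertificateOperationError with an AJP connect failure
    logged at most `window` seconds before it."""
    ajp, findings = [], []
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue  # not an httpd error_log line
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        a = AJP_FAIL.search(m["msg"])
        if a:
            ajp.append((ts, a["host"], int(a["port"]), a["reason"].strip()))
            continue
        i = IPA_FAIL.search(m["msg"])
        if i:
            cause = next(((h, p, r) for t, h, p, r in reversed(ajp)
                          if 0 <= (ts - t).total_seconds() <= window), None)
            findings.append({"time": ts, "command": i["cmd"], "backend": cause})
    return findings

def backend_listening(host, port, timeout=2.0):
    """True if something accepts TCP connections on the AJP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["time"], f["command"], "<- AJP backend", f["backend"])
```

A finding whose `backend` is `None` means the certificate error was not preceded by a proxy failure, so the cause lies elsewhere; `backend_listening("127.0.0.1", 9447)` on the IPA server then shows whether the port is accepting connections again after a restart.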