[Freeipa-users] ipa host-del

John Dennis jdennis at redhat.com
Tue Sep 4 14:40:29 UTC 2012


On 09/04/2012 10:23 AM, george he wrote:
> First of all, I don't see any java process after ipactl stop.
>
> Then I turned on debug and this is what I get on terminal:
> # ipa host-del hnl09.psych.yale.edu
> ......
> ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
> ipa: DEBUG: cert valid True for "CN=cushing.psych.yale.edu,O=PSYCH.YALE.EDU"
> ipa: DEBUG: handshake complete, peer = 130.132.167.68:443
> ipa: DEBUG: Caught fault 4301 from server
> http://cushing.psych.yale.edu/ipa/xml: Certificate operation cannot be
> completed: Unable to communicate with CMS (Service Temporarily Unavailable)
> ipa: DEBUG: Destroyed connection context.xmlclient
> ipa: ERROR: Certificate operation cannot be completed: Unable to
> communicate with CMS (Service Temporarily Unavailable)
>
> So there's a "fault 4301" being caught.
> And this is at the end of /var/log/httpd/error_log:
> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: approved_usage =
> SSLServer intended_usage = SSLServer
> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: cert valid True for
> "CN=cushing.psych.yale.edu,O=PSYCH.YALE.EDU"
> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: handshake complete, peer
> = 130.132.167.68:443
> [Tue Sep 04 10:17:05 2012] [error] (111)Connection refused: proxy: AJP:
> attempt to connect to 127.0.0.1:9447 (localhost) failed
> [Tue Sep 04 10:17:05 2012] [error] ap_proxy_connect_backend disabling
> worker for (localhost)
> [Tue Sep 04 10:17:05 2012] [error] proxy: AJP: failed to make connection
> to backend: localhost
> [Tue Sep 04 10:17:05 2012] [error] ipa: INFO: admin at PSYCH.YALE.EDU:
> host_del((u'hnl09.psych.yale.edu',), updatedns=False):
> CertificateOperationError
> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: response:
> CertificateOperationError: Certificate operation cannot be completed:
> Unable to communicate with CMS (Service Temporarily Unavailable)
> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: Destroyed connection
> context.ldap2
>
> Thanks,
> George

It appears as if your CA instance is not running (pki-ca). Depending on 
which OS you're running on, could you verify pki-ca is running via either 
the service or systemctl command? Do you see any errors in the log files 
found under /var/log/pki-ca?

-- 
John Dennis <jdennis at redhat.com>
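
The correlation behind this diagnosis, as an added example that is not part of the original message or of FreeIPA's own code: it unfolds the mail-wrapped error_log records quoted above and pairs each failed IPA command with an AJP "Connection refused" logged at the same timestamp. The function names, the regular expressions and the same-second matching rule are assumptions made for illustration.

```python
import re

# Records taken from the error_log excerpt quoted in the thread, still folded
# the way the mail client wrapped them (quote markers removed).
SAMPLE_LOG = """\
[Tue Sep 04 10:17:05 2012] [error] (111)Connection refused: proxy: AJP:
attempt to connect to 127.0.0.1:9447 (localhost) failed
[Tue Sep 04 10:17:05 2012] [error] proxy: AJP: failed to make connection
to backend: localhost
[Tue Sep 04 10:17:05 2012] [error] ipa: INFO: admin at PSYCH.YALE.EDU:
host_del((u'hnl09.psych.yale.edu',), updatedns=False):
CertificateOperationError
"""

RECORD = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
AJP_REFUSED = re.compile(
    r"\(111\)Connection refused: proxy: AJP: attempt to connect to "
    r"(?P<addr>[\d.]+):(?P<port>\d+)")
IPA_FAIL = re.compile(
    r"ipa: INFO: (?P<principal>.+?): (?P<cmd>\w+)\((?P<args>.*)\): (?P<error>\w+Error)$")

def unfold(text):
    """Rejoin wrapped records: a line not starting with '[' continues the previous one."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def correlate(text):
    """Return failed IPA commands logged in the same second as a refused AJP connect."""
    refused, calls = {}, []
    for rec in unfold(text):
        m = RECORD.match(rec)
        if not m:
            continue
        if a := AJP_REFUSED.search(m["msg"]):
            refused[m["ts"]] = (a["addr"], int(a["port"]))   # backend nobody listens on
        elif f := IPA_FAIL.search(m["msg"]):
            calls.append((m["ts"], f))
    return [{"time": ts, "principal": f["principal"], "command": f["cmd"],
             "error": f["error"], "backend": refused[ts]}
            for ts, f in calls if ts in refused]
```
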
