[Freeipa-users] ipa host-del
Ade Lee
alee at redhat.com
Wed Sep 5 14:46:16 UTC 2012
The logs seem to show that the CA cannot find JSS.
What versions of the following are on your system?
pki-ca, pki-common, jss, nss, tomcat6, tomcat, java
Is this a system that was working and now fails to work? Or is this a
new instance?
Ade
On Wed, 2012-09-05 at 06:41 -0700, george he wrote:
> there are something like these:
>
> type=AVC msg=audit(1346710042.243:56): avc: denied { execute } for
> pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
> type=AVC msg=audit(1346710042.243:57): avc: denied { execute } for
> pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
>
>
>
> and some others like these:
> type=AVC msg=audit(1346838993.154:2567): avc: denied { search } for
> pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879
> scontext=unconfined_u:system_r:pki_ca_t:s0
> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> type=AVC msg=audit(1346838993.154:2568): avc: denied { search } for
> pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879
> scontext=unconfined_u:system_r:pki_ca_t:s0
> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
>
>
>
> And yes, I did yum update recently.
> Where else should I look?
> Thanks,
> George
>
>
> ______________________________________________________________
> From: Rob Crittenden <rcritten at redhat.com>
> To: george he <george_he7 at yahoo.com>
> Cc: Ade Lee <alee at redhat.com>; "freeipa-users at redhat.com"
> <freeipa-users at redhat.com>
> Sent: Wednesday, September 5, 2012 8:40 AM
> Subject: Re: [Freeipa-users] ipa host-del
>
>
> george he wrote:
> > here are the new errors:
> > # rm /var/log/pki-ca/*
> > # service dirsrv restart
> > # service pki-cad restart
> > # grep -i error /var/log/pki-ca/*
> > /var/log/pki-ca/catalina.2012-09-05.log:WARNING: Error while removing context [/ca]
> > /var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error initializing socket factory
> > /var/log/pki-ca/catalina.2012-09-05.log:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> > /var/log/pki-ca/catalina.2012-09-05.log:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> > /var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error deploying web application directory ca
> > /var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
> > /var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> > /var/log/pki-ca/catalina.out:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> > /var/log/pki-ca/catalina.out:SEVERE: Error deploying web application directory ca
> > /var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
> > /var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> > /var/log/pki-ca/catalina.out:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>
> Hmm. Is there any additional information in the debug log? Any AVCs in
> /var/log/audit/audit.log?
>
> Have you updated any packages recently? I'm not sure why dogtag would be
> throwing this exception.
>
> rob
>
> >
> > ------------------------------------------------------------------------
> > *From:* Rob Crittenden <rcritten at redhat.com>
> > *To:* george he <george_he7 at yahoo.com>
> > *Cc:* John Dennis <jdennis at redhat.com>; "freeipa-users at redhat.com" <freeipa-users at redhat.com>
> > *Sent:* Tuesday, September 4, 2012 9:49 PM
> > *Subject:* Re: [Freeipa-users] ipa host-del
> >
> > george he wrote:
> > > both of the commands "service dirsrv restart" and "service pki-cad
> > > restart" reported:
> > > stopping ... OK
> > > starting ... OK
> > > but host-del still has the same error.
> > > More suggestions?
> >
> > Check the logs again. The service starting does not mean it kept
> > running.
> >
> > rob
> >
> > > Thanks,
> > > George
> > >
> > > ------------------------------------------------------------------------
> > > *From:* Rob Crittenden <rcritten at redhat.com>
> > > *To:* george he <george_he7 at yahoo.com>
> > > *Cc:* John Dennis <jdennis at redhat.com>; "freeipa-users at redhat.com" <freeipa-users at redhat.com>
> > > *Sent:* Tuesday, September 4, 2012 4:20 PM
> > > *Subject:* Re: [Freeipa-users] ipa host-del
> > >
> > > george he wrote:
> > > > I'm running centos 6.3
> > > > # uname -r
> > > > 2.6.32-279.5.2.el6.x86_64
> > > >
> > > > pki-ca: unrecognized service
> > > >
> > > > There are tons of errors in /var/log/pki-ca/*, some of them are:
> > > > /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
> > > > /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
> > > > /var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:01 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
> > > > /var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:10 EDT] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
> > > > /var/log/pki-ca/system:3281.main - [31/Aug/2012:17:54:28 EDT] [8] [3] In Ldap (bound) connection pool to host cushing.psych.yale.edu port 7389, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: failed to connect to server ldap://cushing.psych.yale.edu:7389 (91)
> > > > /var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error initializing socket factory
> > > > /var/log/pki-ca/catalina.2012-09-03.log:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> > > > /var/log/pki-ca/catalina.2012-09-03.log:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> > > > /var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error deploying web application directory ca
> > >
> > > The problem looks to be that the dogtag 389-ds instance is not started.
> > > I'd try: service dirsrv restart PKI-IPA
> > >
> > > Then service pki-cad restart
> > >
> > > rob
> > >
> > >
> > >
> > >
> >
> >
> >
>
>
>
>
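An added example, not part of the original thread: one way to answer the "Any AVCs in /var/log/audit/audit.log?" question is to collapse repeated denials and separate those raised by the CA's own domain (`pki_ca_t`, the `java` process) from unrelated ones such as the `gdm` denials. The input is the four records quoted above with the mail wrapping undone; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed input: the four AVC records quoted in this thread, one per line.
SAMPLE = (
    'type=AVC msg=audit(1346710042.243:56): avc: denied { execute } for pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file\n'
    'type=AVC msg=audit(1346710042.243:57): avc: denied { execute } for pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file\n'
    'type=AVC msg=audit(1346838993.154:2567): avc: denied { search } for pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir\n'
    'type=AVC msg=audit(1346838993.154:2568): avc: denied { search } for pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir\n'
)

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type:level context, or None."""
    parts = (context or "").split(":")
    return parts[2] if len(parts) > 2 else None

def parse_avc(line):
    """Parse one AVC denial into a hashable key, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    # Key: (source domain, command, permissions, class, target type, name)
    return (selinux_type(kv.get("scontext")), kv.get("comm"),
            tuple(m.group("perms").split()), kv.get("tclass"),
            selinux_type(kv.get("tcontext")), kv.get("name"))

def summarize(text):
    """Count identical denials so repeated records collapse into one row."""
    return Counter(k for k in map(parse_avc, text.splitlines()) if k)

def denials_for_domain(text, domain):
    """Denials whose source (process) domain matches, e.g. pki_ca_t."""
    return {k: n for k, n in summarize(text).items() if k[0] == domain}

if __name__ == "__main__":
    for key, count in sorted(denials_for_domain(SAMPLE, "pki_ca_t").items()):
        print(count, key)
```

On a live system the same functions can be fed the contents of /var/log/audit/audit.log instead of `SAMPLE`.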