[Freeipa-users] IPA server having cert issues

Petr Vobornik pvoborni at redhat.com
Thu Apr 28 15:07:08 UTC 2016


On 04/28/2016 04:07 PM, Bret Wortman wrote:
> Okay. This morning, I turned back time to 4/1 and started up IPA. It didn't 
> work, but I got something new and interesting in the debug log, which I've 
> posted to http://pastebin.com/M9VGCS8A. Lots of garbled junk came pouring out 
> which doesn't happen when I'm set to real time. Is /this/ significant?

Anything in
  systemctl status pki-tomcatd@pki-tomcat.service
or rather:
  journalctl -u pki-tomcatd@pki-tomcat.service
?

Just to be sure, it might also be worth checking whether the CA subsystem users
have the correct certs assigned:
 * https://www.redhat.com/archives/freeipa-users/2016-April/msg00138.html
 * https://www.redhat.com/archives/freeipa-users/2016-April/msg00143.html

> 
> 
> On 04/27/2016 02:24 PM, Bret Wortman wrote:
>> I put excerpts from the ca logs in http://pastebin.com/gYgskU79. It looks 
>> logical to me, but I can't spot anything that looks like a root cause error. 
>> The selftests are all okay, I think. The debug log might have something, but 
>> it might also just be complaining about ldap not being up because it's not.
>>
>>
>> On 04/27/2016 01:11 PM, Rob Crittenden wrote:
>>> Bret Wortman wrote:
>>>> So in lieu of fixing these certs, is there an acceptable way to dump
>>>> them all and start over /without losing the contents of the IPA
>>>> database/? Or otherwise really screwing ourselves?
>>>
>>> I don't believe there is a way.
>>>
>>>> We have a replica that's still up and running and we've switched
>>>> everyone over to talking to it, but we're at risk with just the one.
>>>
>>> I'd ignore the two unknown certs for now. They look like someone was 
>>> experimenting with issuing a cert and didn't quite get things working.
>>>
>>> The CA seems to be throwing an error. I'd check the syslog for messages from 
>>> certmonger and look at the CA debug log and selftest log.
>>>
>>> rob
>>>
>> [snip]
>>
> 
> 
> 


-- 
Petr Vobornik



