[Freeipa-users] IPA server having cert issues

Bret Wortman bret.wortman at damascusgrp.com
Thu Apr 28 15:49:47 UTC 2016


My system shows pki-server is installed and V10.2.1-3.fc21, but I don't 
have the pki-server binary itself. Will reinstalling this rpm hurt me in 
any way? Without it, I'm not sure how to check my system against the 
messages you provided below.

On 04/28/2016 11:07 AM, Petr Vobornik wrote:
> On 04/28/2016 04:07 PM, Bret Wortman wrote:
>> Okay. This morning, I turned back time to 4/1 and started up IPA. It didn't
>> work, but I got something new and interesting in the debug log, which I've
>> posted to http://pastebin.com/M9VGCS8A. Lots of garbled junk came pouring out
>> which doesn't happen when I'm set to real time. Is /this/ significant?
> Anything in
>    systemctl status pki-tomcatd@pki-tomcat.service
> or rather:
>    journalctl -u pki-tomcatd@pki-tomcat.service
> ?
>
> Just to be sure, it might also be worth checking whether the CA subsystem users
> have the correct certs assigned:
>   * https://www.redhat.com/archives/freeipa-users/2016-April/msg00138.html
>   * https://www.redhat.com/archives/freeipa-users/2016-April/msg00143.html
>
>>
>> On 04/27/2016 02:24 PM, Bret Wortman wrote:
>>> I put excerpts from the ca logs in http://pastebin.com/gYgskU79. It looks
>>> logical to me, but I can't spot anything that looks like a root cause error.
>>> The selftests are all okay, I think. The debug log might have something, but
>>> it might also just be complaining about ldap not being up because it's not.
>>>
>>>
>>> On 04/27/2016 01:11 PM, Rob Crittenden wrote:
>>>> Bret Wortman wrote:
>>>>> So in lieu of fixing these certs, is there an acceptable way to dump
>>>>> them all and start over /without losing the contents of the IPA
>>>>> database/? Or otherwise really screwing ourselves?
>>>> I don't believe there is a way.
>>>>
>>>>> We have a replica that's still up and running and we've switched
>>>>> everyone over to talking to it, but we're at risk with just the one.
>>>> I'd ignore the two unknown certs for now. They look like someone was
>>>> experimenting with issuing a cert and didn't quite get things working.
>>>>
>>>> The CA seems to be throwing an error. I'd check the syslog for messages from
>>>> certmonger and look at the CA debug log and selftest log.
>>>>
>>>> rob
>>>>
>>> [snip]
>>>
>>
>>
>