[Freeipa-users] IPA server having cert issues

Petr Vobornik pvoborni at redhat.com
Thu Apr 28 16:04:30 UTC 2016


On 04/28/2016 05:49 PM, Bret Wortman wrote:
> My system shows pki-server is installed and V10.2.1-3.fc21, but I don't
> have the pki-server binary itself. Will reinstalling this rpm hurt me in
> any way? Without it, I'm not sure how to check my system against the
> messages you provided below.

Not sure what you mean. Running them doesn't require any additional packages.
It is just to get additional logs:
  systemctl status pki-tomcatd@pki-tomcat.service
  journalctl -u pki-tomcatd@pki-tomcat.service

And the links below are about checking if CA users have correctly mapped
certificates in the LDAP database in ou=people,o=ipaca. For that you need
only the ldapsearch command and a started directory server:
  systemctl start dirsrv@YOUR-REALM-TEST.service

The proper name for dirsrv@YOUR-REALM-TEST.service can be found using:
  systemctl | grep dirsrv@


> 
> On 04/28/2016 11:07 AM, Petr Vobornik wrote:
>> On 04/28/2016 04:07 PM, Bret Wortman wrote:
>>> Okay. This morning, I turned back time to 4/1 and started up IPA. It
>>> didn't work, but I got something new and interesting in the debug log,
>>> which I've posted to http://pastebin.com/M9VGCS8A. Lots of garbled junk
>>> came pouring out which doesn't happen when I'm set to real time. Is
>>> /this/ significant?
>> Anything in
>>    systemctl status pki-tomcatd@pki-tomcat.service
>> or rather:
>>    journalctl -u pki-tomcatd@pki-tomcat.service
>> ?
>>
>> Just to be sure, it might also be worth checking if CA subsystem users
>> have correct certs assigned:
>>   * https://www.redhat.com/archives/freeipa-users/2016-April/msg00138.html
>>   * https://www.redhat.com/archives/freeipa-users/2016-April/msg00143.html
>>
>>>
>>> On 04/27/2016 02:24 PM, Bret Wortman wrote:
>>>> I put excerpts from the ca logs in http://pastebin.com/gYgskU79. It
>>>> looks logical to me, but I can't spot anything that looks like a root
>>>> cause error. The selftests are all okay, I think. The debug log might
>>>> have something, but it might also just be complaining about ldap not
>>>> being up because it's not.
>>>>
>>>>
>>>> On 04/27/2016 01:11 PM, Rob Crittenden wrote:
>>>>> Bret Wortman wrote:
>>>>>> So in lieu of fixing these certs, is there an acceptable way to dump
>>>>>> them all and start over /without losing the contents of the IPA
>>>>>> database/? Or otherwise really screwing ourselves?
>>>>> I don't believe there is a way.
>>>>>
>>>>>> We have a replica that's still up and running and we've switched
>>>>>> everyone over to talking to it, but we're at risk with just the one.
>>>>> I'd ignore the two unknown certs for now. They look like someone was
>>>>> experimenting with issuing a cert and didn't quite get things working.
>>>>>
>>>>> The CA seems to be throwing an error. I'd check the syslog for
>>>>> messages from certmonger and look at the CA debug log and selftest log.
>>>>>
>>>>> rob
>>>>>
>>>> [snip]
>>>>
>>>
>>>
>>
> 


-- 
Petr Vobornik
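As an added example (not from this thread or from FreeIPA itself), here is a POSIX shell check that reads the ldapsearch output for ou=people,o=ipaca and flags any CA subsystem user whose entry lacks a stored certificate or a well-formed Dogtag cert-to-user mapping (`2;<serial>;<issuer DN>;<subject DN>` in `description`). The ldapsearch flags in the comment, the user names and the sample entries are assumptions, and the base64 values are placeholders rather than real certificates.

```shell
# Added example (not from the thread): reads LDIF on stdin, e.g. (ldapsearch flags
# assumed; run once the dirsrv instance is started):
#   ldapsearch -x -D "cn=Directory Manager" -W -LLL -b ou=people,o=ipaca \
#     '(objectClass=person)' uid description userCertificate | check_ca_user_certs
# Exits 0 only if every user has a stored cert and a well-formed cert mapping.
check_ca_user_certs() {
    awk '
    BEGIN { bad = 0 }
    /^ / { buf = buf substr($0, 2); next }   # LDIF folds values: leading space continues
    { handle(buf); buf = $0 }
    END { handle(buf); flush(); exit bad }
    function handle(line) {
        if (line == "") flush()               # blank line ends an entry
        else if (line ~ /^uid: /) uid = substr(line, 6)
        else if (line ~ /^userCertificate(;binary)?:: /) cert = 1
        else if (line ~ /^description: /) desc = substr(line, 14)
    }
    function flush() {
        if (uid == "") return
        if (!cert) { print "MISSING certificate: " uid; bad = 1 }
        # Dogtag maps a cert to its user as: 2;<serial>;<issuer DN>;<subject DN>
        if (desc !~ /^2;[0-9]+;[^;]+;[^;]+$/) { print "BAD mapping: " uid " (" desc ")"; bad = 1 }
        uid = ""; cert = 0; desc = ""
    }'
}
# Constructed samples; the base64 values are placeholders, not real certificates.
sample_ok() {
    cat <<'EOF'
dn: uid=ipara,ou=people,o=ipaca
uid: ipara
description: 2;7;CN=Certificate Authority,O=EXAMPLE.TEST;CN=IPA RA,O=EXAMPLE.TEST
userCertificate;binary:: UExBQ0VIT0xERVIgLSBub3QgYSByZWFsIGNlcnRpZmlj
 YXRlIC0gY29uc3RydWN0ZWQgc2FtcGxl

dn: uid=pkidbuser,ou=people,o=ipaca
uid: pkidbuser
description: 2;5;CN=Certificate Authority,O=EXAMPLE.TEST;CN=CA Subsystem,O=EXAMPLE.TEST
userCertificate;binary:: UExBQ0VIT0xERVI=
EOF
}
# Broken: ipara has no stored certificate and its description is not a cert mapping.
sample_broken() {
    cat <<'EOF'
dn: uid=ipara,ou=people,o=ipaca
uid: ipara
description: CN=IPA RA,O=EXAMPLE.TEST
EOF
}
```

Run it as `sample_ok | check_ca_user_certs` (exit 0, no output) versus `sample_broken | check_ca_user_certs` (exit 1, one line per problem); against a live server, pipe the real ldapsearch output in instead.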