[Freeipa-users] IPA server having cert issues

Bret Wortman bret.wortman at damascusgrp.com
Thu Apr 28 17:53:57 UTC 2016


Okay, I ran ldapsearch -x -h zsipa -p 389 -b 'ou=people,o=ipaca' and 
dumped that to a file. I'm still not clear on what I'm supposed to be 
looking for in the output, though.

The result of systemctl | grep dirsrv@ was pretty uninformative. If the 
answer was "dirsrv", then I don't find that in the ldapsearch results. 
Assuming that was the ldapsearch command I needed to run....

On 04/28/2016 12:04 PM, Petr Vobornik wrote:
> On 04/28/2016 05:49 PM, Bret Wortman wrote:
>> My system shows pki-server is installed and V10.2.1-3.fc21, but I don't
>> have the pki-server binary itself. Will reinstalling this rpm hurt me in
>> any way? Without it, I'm not sure how to check my system against the
>> messages you provided below.
> Not sure what you mean. Running doesn't require any additional packages.
> It is just to get additional logs.
>    systemctl status pki-tomcatd@pki-tomcat.service
>    journalctl -u pki-tomcatd@pki-tomcat.service
>
> And the links below are about checking whether CA users have correctly
> mapped certificates in the LDAP database in ou=people,o=ipaca; for that you
> need only the ldapsearch command and a running directory server:
>    systemctl start dirsrv@YOUR-REALM-TEST.service
>
> The proper name for dirsrv@YOUR-REALM-TEST.service can be found using:
>    systemctl | grep dirsrv@
>
>
>> On 04/28/2016 11:07 AM, Petr Vobornik wrote:
>>> On 04/28/2016 04:07 PM, Bret Wortman wrote:
>>>> Okay. This morning, I turned back time to 4/1 and started up IPA. It
>>>> didn't work, but I got something new and interesting in the debug log,
>>>> which I've posted to http://pastebin.com/M9VGCS8A. Lots of garbled junk
>>>> came pouring out which doesn't happen when I'm set to real time. Is
>>>> /this/ significant?
>>> Anything in
>>>     systemctl status pki-tomcatd@pki-tomcat.service
>>> or rather:
>>>     journalctl -u pki-tomcatd@pki-tomcat.service
>>> ?
>>>
>>> Just to be sure, it might also be worth checking whether the CA subsystem
>>> users have the correct certs assigned:
>>>    * https://www.redhat.com/archives/freeipa-users/2016-April/msg00138.html
>>>    * https://www.redhat.com/archives/freeipa-users/2016-April/msg00143.html
>>>
>>>> On 04/27/2016 02:24 PM, Bret Wortman wrote:
>>>>> I put excerpts from the ca logs in http://pastebin.com/gYgskU79. It
>>>>> looks logical to me, but I can't spot anything that looks like a root
>>>>> cause error. The selftests are all okay, I think. The debug log might
>>>>> have something, but it might also just be complaining about ldap not
>>>>> being up because it's not.
>>>>>
>>>>>
>>>>> On 04/27/2016 01:11 PM, Rob Crittenden wrote:
>>>>>> Bret Wortman wrote:
>>>>>>> So in lieu of fixing these certs, is there an acceptable way to dump
>>>>>>> them all and start over /without losing the contents of the IPA
>>>>>>> database/? Or otherwise really screwing ourselves?
>>>>>> I don't believe there is a way.
>>>>>>
>>>>>>> We have a replica that's still up and running and we've switched
>>>>>>> everyone over to talking to it, but we're at risk with just the one.
>>>>>> I'd ignore the two unknown certs for now. They look like someone was
>>>>>> experimenting with issuing a cert and didn't quite get things working.
>>>>>>
>>>>>> The CA seems to be throwing an error. I'd check the syslog for
>>>>>> messages from certmonger and look at the CA debug log and selftest log.
>>>>>>
>>>>>> rob
>>>>>>
>>>>> [snip]
>>>>>
>>>>
>
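Bret asks what he should be looking for in the ou=people,o=ipaca dump. The script below is an added example, not code from this thread or from the FreeIPA project: it automates the check Petr points to, reading unwrapped ldapsearch output (ldapsearch -LLL -o ldif-wrap=no ... -b ou=people,o=ipaca) and flagging any CA subsystem user whose recorded serial does not match the certificate stored on the entry. It assumes the Dogtag convention that such an entry's description attribute reads 2;<serial>;<issuer DN>;<subject DN>; the sample LDIF and its certificate bytes are constructed for the demonstration.

```python
import base64
# Assumed convention (Dogtag/FreeIPA, not stated in the thread): every CA subsystem user
# under ou=people,o=ipaca, e.g. uid=ipara, carries "description: 2;<serial>;<issuer DN>;
# <subject DN>" plus userCertificate;binary, and the two serial numbers must agree.

def parse_ldif(text):
    """Tiny LDIF reader for unwrapped output (ldapsearch -LLL -o ldif-wrap=no)."""
    entries = []
    for block in text.strip().split("\n\n"):        # entries are blank-line separated
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")    # "attr:: b64" marks a binary value
            entry.setdefault(attr, []).append(
                base64.b64decode(value[1:]) if value.startswith(":") else value.strip())
        entries.append(entry)
    return entries
def _tlv(buf, pos):
    """Decode one DER tag and length; return (tag, value_start, value_end)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + ln
def cert_serial(der):
    """serialNumber of a DER X.509 certificate, via a minimal ASN.1 walk."""
    _, pos, _ = _tlv(der, 0)                        # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)                      # tbsCertificate SEQUENCE
    tag, start, end = _tlv(der, pos)
    if tag == 0xA0:                                 # skip optional [0] EXPLICIT version
        tag, start, end = _tlv(der, end)
    assert tag == 0x02, "serialNumber INTEGER not found"
    return int.from_bytes(der[start:end], "big", signed=True)
def check_ca_users(ldif_text):
    """Map dn -> problem for entries whose description disagrees with their certificate."""
    problems = {}
    for e in parse_ldif(ldif_text):
        dn, certs = e.get("dn", ["?"])[0], e.get("userCertificate;binary", [])
        parts = e.get("description", [""])[0].split(";", 3)
        if not certs or len(parts) != 4 or parts[0] != "2":
            problems[dn] = "missing userCertificate or malformed description"
        elif (actual := cert_serial(certs[0])) != int(parts[1]):
            problems[dn] = f"description says serial {parts[1]}, certificate has {actual}"
    return problems

# Constructed sample: the "certificate" is only the leading DER fields the check reads.
SAMPLE_LDIF = """\
dn: uid=ipara,ou=people,o=ipaca
description: 2;8;CN=Certificate Authority,O=EXAMPLE.TEST;CN=IPA RA,O=EXAMPLE.TEST
userCertificate;binary:: MAowCKADAgECAgEI
"""
```

An empty result from check_ca_users means every entry's recorded serial matches its stored certificate; a non-empty result names the entry to compare against the CA's actual certificates.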