[Freeipa-users] IPA server having cert issues
Petr Vobornik
pvoborni at redhat.com
Fri Apr 29 08:59:15 UTC 2016
comments inline
On 04/28/2016 06:30 PM, Bret Wortman wrote:
> Look, I'll be honest. When IPA is in this much of a knot, I don't know how to do
> the simplest things with its various components. For example, I've no clue how
> to search the ldap database for anything. Or even how to authenticate since
> Kerberos isn't running. IPA has sheltered me from ldap for so long that it's a
> problem at times like this.
>
> That being said, here are the things I /was/ able to handle:
>
> Apr 01 11:02:40 zsipa.private.net server[6896]: Java virtual machine used:
> /usr/lib/jvm/jre/bin/java
> Apr 01 11:02:40 zsipa.private.net server[6896]: classpath used:
> /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.j
> Apr 01 11:02:40 zsipa.private.net server[6896]: main class used:
> org.apache.catalina.startup.Bootstrap
> Apr 01 11:02:40 zsipa.private.net server[6896]: flags used:
> -DRESTEASY_LIB=/usr/share/java/resteasy
> Apr 01 11:02:40 zsipa.private.net server[6896]: options used:
> -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat
> -Djava.endorsed.dirs= -Djava.io.
> Apr 01 11:02:40 zsipa.private.net server[6896]: arguments used: start
> Apr 01 11:02:40 zsipa.private.net server[6896]: Apr 01, 2016 11:02:40 AM
> org.apache.catalina.startup.ClassLoaderFactory validateFile
> Apr 01 11:02:40 zsipa.private.net server[6896]: WARNING: Problem with JAR file
> [/var/lib/pki/pki-tomcat/lib/log4j.jar], exists: [false], canRead: [false]
> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP'
> to 'false' did not find a matchi
> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'ocspResponderURL' to 'http://zsipa.private.net:9
> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'ocspResponderCertNickname' to 'ocspSigningCe
> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'ocspCacheSize' to '1000' did not find a matc
> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'ocspMinCacheEntryDuration' to '60' did not f
> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'ocspMaxCacheEntryDuration' to '120' did not
> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout'
> to '10' did not find a matching
> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'strictCiphers' to 'true' did not find a matc
> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions'
> to 'ssl2=true,ssl3=true,tls=true
> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers'
> to '-SSL2_RC4_128_WITH_MD5,-SSL
> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers'
> to '-SSL3_FORTEZZA_DMS_WITH_NUL
> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers'
> to '-TLS_ECDH_ECDSA_WITH_AES_128
> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'serverCertNickFile' to '/var/lib/pki/pki-tom
> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile'
> to '/var/lib/pki/pki-tomcat/co
> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'passwordClass' to 'org.apache.tomcat.util.ne
> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to
> '/var/lib/pki/pki-tomcat/alias
> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'sslVersionRangeStream' to 'tls1_0:tls1_2' di
> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'sslVersionRangeDatagram' to 'tls1_1:tls1_2'
> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM
> org.apache.catalina.startup.SetAllPropertiesRule begin
> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AE
> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM
> org.apache.tomcat.util.digester.SetPropertiesRule begin
> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING:
> [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation'
> to 'false' did not find a matc
> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM
> org.apache.tomcat.util.digester.SetPropertiesRule begin
> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING:
> [SetPropertiesRule]{Server/Service/Engine/Host} Setting property
> 'xmlNamespaceAware' to 'false' did not find a
> Apr 01 11:02:42 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM
> org.apache.coyote.AbstractProtocol init
> Apr 01 11:02:42 zsipa.private.net server[6896]: INFO: Initializing
> ProtocolHandler ["http-bio-8080"]
> Apr 01 11:02:42 zsipa.private.net server[6896]: Apr 01, 2016 11:02:42 AM
> org.apache.coyote.AbstractProtocol init
> Apr 01 11:02:42 zsipa.private.net server[6896]: INFO: Initializing
> ProtocolHandler ["http-bio-8443"]
> Apr 01 11:02:42 zsipa.private.net server[6896]: Error: SSL cipher
> "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
> Apr 01 11:02:42 zsipa.private.net server[6896]: Error: SSL cipher
> "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" not recognized by tomcatjss
> Apr 01 11:02:42 zsipa.private.net server[6896]: Error: SSL cipher
> "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" not recognized by tomcatjss
> Apr 01 11:02:42 zsipa.private.net server[6896]: Error: SSL cipher
> "TLS_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
> Apr 01 11:02:42 zsipa.private.net server[6896]: Error: SSL cipher
> "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
> Apr 01 11:02:42 zsipa.private.net server[6896]: Error: SSL cipher
> "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
> Apr 01 11:02:42 zsipa.private.net server[6896]: Error: SSL cipher
> "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" unsupported by NSS
> Apr 01 11:02:42 zsipa.private.net server[6896]: Error: SSL cipher
> "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" unsupported by NSS
> Apr 01 11:02:42 zsipa.private.net server[6896]: Error: SSL cipher
> "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" unsupported by NSS
> Apr 01 11:02:42 zsipa.private.net server[6896]: Apr 01, 2016 11:02:42 AM
> org.apache.coyote.AbstractProtocol init
> Apr 01 11:02:42 zsipa.private.net server[6896]: INFO: Initializing
> ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
> Apr 01 11:02:42 zsipa.private.net server[6896]: Apr 01, 2016 11:02:42 AM
> org.apache.catalina.startup.Catalina load
> Apr 01 11:02:42 zsipa.private.net server[6896]: INFO: Initialization processed
> in 988 ms
> Apr 01 11:02:42 zsipa.private.net server[6896]: Apr 01, 2016 11:02:42 AM
> org.apache.catalina.core.StandardService startInternal
> Apr 01 11:02:42 zsipa.private.net server[6896]: INFO: Starting service Catalina
> Apr 01 11:02:42 zsipa.private.net server[6896]: Apr 01, 2016 11:02:42 AM
> org.apache.catalina.core.StandardEngine startInternal
> Apr 01 11:02:42 zsipa.private.net server[6896]: INFO: Starting Servlet Engine:
> Apache Tomcat/7.0.59
> Apr 01 11:02:42 zsipa.private.net server[6896]: Apr 01, 2016 11:02:42 AM
> org.apache.catalina.startup.HostConfig deployDescriptor
> Apr 01 11:02:42 zsipa.private.net server[6896]: INFO: Deploying configuration
> descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml
> Apr 01 11:02:43 zsipa.private.net server[6896]: Apr 01, 2016 11:02:43 AM
> org.apache.catalina.startup.HostConfig deployDescriptor
> Apr 01 11:02:43 zsipa.private.net server[6896]: INFO: Deployment of
> configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml has
> finished in 1,194 ms
> Apr 01 11:02:43 zsipa.private.net server[6896]: Apr 01, 2016 11:02:43 AM
> org.apache.catalina.startup.HostConfig deployDescriptor
> Apr 01 11:02:43 zsipa.private.net server[6896]: INFO: Deploying configuration
> descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml
> Apr 01 11:02:43 zsipa.private.net server[6896]: SSLAuthenticatorWithFallback:
> Creating SSL authenticator with fallback
> Apr 01 11:02:43 zsipa.private.net server[6896]: SSLAuthenticatorWithFallback:
> Setting container
> Apr 01 11:02:45 zsipa.private.net server[6896]: SSLAuthenticatorWithFallback:
> Initializing authenticators
> Apr 01 11:02:45 zsipa.private.net server[6896]: SSLAuthenticatorWithFallback:
> Starting authenticators
> Apr 01 11:02:51 zsipa.private.net server[6896]: Server is started.
> Apr 01 11:02:51 zsipa.private.net server[6896]: Apr 01, 2016 11:02:51 AM
> org.apache.catalina.startup.HostConfig deployDescriptor
> Apr 01 11:02:51 zsipa.private.net server[6896]: INFO: Deployment of
> configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has
> finished in 7,993 ms
> Apr 01 11:02:51 zsipa.private.net server[6896]: Apr 01, 2016 11:02:51 AM
> org.apache.catalina.startup.HostConfig deployDescriptor
> Apr 01 11:02:51 zsipa.private.net server[6896]: INFO: Deploying configuration
> descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml
> Apr 01 11:02:52 zsipa.private.net server[6896]: Apr 01, 2016 11:02:52 AM
> org.apache.catalina.startup.HostConfig deployDescriptor
> Apr 01 11:02:52 zsipa.private.net server[6896]: INFO: Deployment of
> configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml has
> finished in 661 ms
> Apr 01 11:02:52 zsipa.private.net server[6896]: Apr 01, 2016 11:02:52 AM
> org.apache.coyote.AbstractProtocol start
> Apr 01 11:02:52 zsipa.private.net server[6896]: INFO: Starting ProtocolHandler
> ["http-bio-8080"]
> Apr 01 11:02:52 zsipa.private.net server[6896]: Apr 01, 2016 11:02:52 AM
> org.apache.coyote.AbstractProtocol start
> Apr 01 11:02:52 zsipa.private.net server[6896]: INFO: Starting ProtocolHandler
> ["http-bio-8443"]
> Apr 01 11:02:52 zsipa.private.net server[6896]: Apr 01, 2016 11:02:52 AM
> org.apache.coyote.AbstractProtocol start
> Apr 01 11:02:52 zsipa.private.net server[6896]: INFO: Starting ProtocolHandler
> ["ajp-bio-127.0.0.1-8009"]
> Apr 01 11:02:52 zsipa.private.net server[6896]: Apr 01, 2016 11:02:52 AM
> org.apache.catalina.startup.Catalina start
> Apr 01 11:02:52 zsipa.private.net server[6896]: INFO: Server startup in 9918 ms
Here the PKI server started. And below, 5 minutes later, something
stopped it.
> Apr 01 11:07:53 zsipa.private.net server[7974]: Java virtual machine used:
> /usr/lib/jvm/jre/bin/java
> Apr 01 11:07:53 zsipa.private.net server[7974]: classpath used:
> /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.j
> Apr 01 11:07:53 zsipa.private.net server[7974]: main class used:
> org.apache.catalina.startup.Bootstrap
> Apr 01 11:07:53 zsipa.private.net server[7974]: flags used:
> -DRESTEASY_LIB=/usr/share/java/resteasy
> Apr 01 11:07:53 zsipa.private.net server[7974]: options used:
> -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat
> -Djava.endorsed.dirs= -Djava.io.
> Apr 01 11:07:53 zsipa.private.net server[7974]: arguments used: stop
> Apr 01 11:07:53 zsipa.private.net server[7974]: Apr 01, 2016 11:07:53 AM
> org.apache.catalina.startup.ClassLoaderFactory validateFile
> Apr 01 11:07:53 zsipa.private.net server[7974]: WARNING: Problem with JAR file
> [/var/lib/pki/pki-tomcat/lib/log4j.jar], exists: [false], canRead: [false]
> Apr 01 11:07:54 zsipa.private.net server[6896]: Apr 01, 2016 11:07:54 AM
> org.apache.catalina.core.StandardServer await
> Apr 01 11:07:54 zsipa.private.net server[6896]: INFO: A valid shutdown command
> was received via the shutdown port. Stopping the Server instance.
> Apr 01 11:07:54 zsipa.private.net server[6896]: Apr 01, 2016 11:07:54 AM
> org.apache.coyote.AbstractProtocol pause
> Apr 01 11:07:54 zsipa.private.net server[6896]: INFO: Pausing ProtocolHandler
> ["http-bio-8080"]
>
> # systemctl status pki-tomcatd@pki-tomcat.service -l
> ● pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
> Loaded: loaded (/usr/lib/systemd/system/pki-tomcatd@.service; enabled)
> Active: inactive (dead)
>
> Apr 28 12:12:53 zsipa.private.net server[8557]: Apr 28, 2016 12:12:53 PM
> org.apache.catalina.core.StandardServer await
> Apr 28 12:12:53 zsipa.private.net server[8557]: INFO: A valid shutdown command
> was received via the shutdown port. Stopping the Server instance.
> Apr 28 12:12:53 zsipa.private.net server[8557]: Apr 28, 2016 12:12:53 PM
> org.apache.coyote.AbstractProtocol pause
> Apr 28 12:12:53 zsipa.private.net server[8557]: INFO: Pausing ProtocolHandler
> ["http-bio-8080"]
> Apr 28 12:12:53 zsipa.private.net server[8557]: Apr 28, 2016 12:12:53 PM
> org.apache.coyote.AbstractProtocol pause
> Apr 28 12:12:53 zsipa.private.net server[8557]: INFO: Pausing ProtocolHandler
> ["http-bio-8443"]
> Apr 28 12:12:53 zsipa.private.net server[8557]: Apr 28, 2016 12:12:53 PM
> org.apache.coyote.AbstractProtocol pause
> Apr 28 12:12:53 zsipa.private.net server[8557]: INFO: Pausing ProtocolHandler
> ["ajp-bio-127.0.0.1-8009"]
> Apr 28 12:12:53 zsipa.private.net server[8557]: Apr 28, 2016 12:12:53 PM
> org.apache.catalina.core.StandardService stopInternal
> Apr 28 12:12:53 zsipa.private.net server[8557]: INFO: Stopping service Catalina
Why is the time different here?
Given that the PKI server seems to start, could you:
1. move date to Apr 1
2. # date
3. # ipactl stop
4. # date
5. # ipactl start -d
6. # date
7. # ipactl status
8. # getcert list
9. # journalctl -u pki-tomcatd@pki-tomcat.service
Paste here the output of 1-8, plus the output of 9 since the date in 2. Or ideally
attach it as a text file so that lines won't be wrapped (hard to read).
>
>
>
> # systemctl | grep dirsrv@
> dirsrv@PRIVATE-NET.service
> loaded active running 389 Directory Server PRIVATE-NET.
>
> On 04/28/2016 12:04 PM, Petr Vobornik wrote:
>> On 04/28/2016 05:49 PM, Bret Wortman wrote:
>>> My system shows pki-server is installed and V10.2.1-3.fc21, but I don't
>>> have the pki-server binary itself. Will reinstalling this rpm hurt me in
>>> any way? Without it, I'm not sure how to check my system against the
>>> messages you provided below.
>> Not sure what you mean. Running doesn't require any additional packages.
>> It is just to get additional logs.
>> systemctl status pki-tomcatd@pki-tomcat.service
>> journalctl -u pki-tomcatd@pki-tomcat.service
>>
>> And the links below are about checking if CA users have correctly mapped
>> certificates in the LDAP database in ou=people,o=ipaca; for that you need
>> only the ldapsearch command and to start the directory server:
We may skip this part, it might not be needed.
>> systemctl start dirsrv@YOUR-REALM-TEST.service
>>
>> Proper name for dirsrv@YOUR-REALM-TEST.service can be found using:
>> systemctl | grep dirsrv@
>>
>>
>>> On 04/28/2016 11:07 AM, Petr Vobornik wrote:
>>>> On 04/28/2016 04:07 PM, Bret Wortman wrote:
>>>>> Okay. This morning, I turned back time to 4/1 and started up IPA. It
>>>>> didn't
>>>>> work, but I got something new and interesting in the debug log, which
>>>>> I've
>>>>> posted to http://pastebin.com/M9VGCS8A. Lots of garbled junk came
>>>>> pouring out
>>>>> which doesn't happen when I'm set to real time. Is /this/ significant?
>>>> Anything in
>>>> systemctl status pki-tomcatd@pki-tomcat.service
>>>> or rather:
>>>> journalctl -u pki-tomcatd@pki-tomcat.service
>>>> ?
>>>>
>>>> Just to be sure, it might be also worth to check if CA subsystem users
>>>> have correct certs assigned:
>>>> *
>>>> https://www.redhat.com/archives/freeipa-users/2016-April/msg00138.html
>>>> *
>>>> https://www.redhat.com/archives/freeipa-users/2016-April/msg00143.html
>>>>
>>>>> On 04/27/2016 02:24 PM, Bret Wortman wrote:
>>>>>> I put excerpts from the ca logs in http://pastebin.com/gYgskU79. It
>>>>>> looks
>>>>>> logical to me, but I can't spot anything that looks like a root
>>>>>> cause error.
>>>>>> The selftests are all okay, I think. The debug log might have
>>>>>> something, but
>>>>>> it might also just be complaining about ldap not being up because
>>>>>> it's not.
>>>>>>
>>>>>>
>>>>>> On 04/27/2016 01:11 PM, Rob Crittenden wrote:
>>>>>>> Bret Wortman wrote:
>>>>>>>> So in lieu of fixing these certs, is there an acceptable way to dump
>>>>>>>> them all and start over /without losing the contents of the IPA
>>>>>>>> database/? Or otherwise really screwing ourselves?
>>>>>>> I don't believe there is a way.
>>>>>>>
>>>>>>>> We have a replica that's still up and running and we've switched
>>>>>>>> everyone over to talking to it, but we're at risk with just the one.
>>>>>>> I'd ignore the two unknown certs for now. They look like someone was
>>>>>>> experimenting with issuing a cert and didn't quite get things working.
>>>>>>>
>>>>>>> The CA seems to be throwing an error. I'd check the syslog for
>>>>>>> messages from
>>>>>>> certmonger and look at the CA debug log and selftest log.
>>>>>>>
>>>>>>> rob
>>>>>>>
>>>>>> [snip]
>>>>>>
>>>>>
>>
>
--
Petr Vobornik
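
The reading of the journal given in this message (the PKI server started, then something stopped it about five minutes later) can be reproduced mechanically from unwrapped `journalctl` output. The following is an added example, not part of the original message: the names `parse_events` and `lifetimes` are hypothetical, the sample lines are copied from the excerpt quoted above with the wrapping removed, and the year is passed in because the journal's short timestamps carry none (2016 is taken from the Java timestamps in the same log).

```python
import re
from datetime import datetime

# Lines copied from the journal excerpt quoted in this thread, unwrapped.
SAMPLE = """\
Apr 01 11:02:40 zsipa.private.net server[6896]: arguments used: start
Apr 01 11:07:53 zsipa.private.net server[7974]: arguments used: stop
Apr 01 11:07:54 zsipa.private.net server[6896]: INFO: A valid shutdown command was received via the shutdown port. Stopping the Server instance.
Apr 28 12:12:53 zsipa.private.net server[8557]: INFO: A valid shutdown command was received via the shutdown port. Stopping the Server instance.
"""

# journalctl short format: "Mon DD HH:MM:SS host server[PID]: message"
LINE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ server\[(\d+)\]: (.*)$")

# Substrings that mark the lifecycle events of interest in this log.
MARKERS = (
    ("arguments used: start", "start"),
    ("arguments used: stop", "stop_requested"),
    ("A valid shutdown command was received", "shutdown"),
)

def parse_events(text, year=2016):
    """Return (timestamp, pid, kind) for every lifecycle line; skip the rest."""
    events = []
    for raw in text.splitlines():
        # Tolerate lines pasted from a quoted mail ("> " prefixes).
        m = LINE.match(raw.lstrip("> ").rstrip())
        if not m:
            continue
        kind = next((k for needle, k in MARKERS if needle in m.group(3)), None)
        if kind is None:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, int(m.group(2)), kind))
    return events

def lifetimes(events):
    """Pair each shutdown with the start logged by the same PID, if present."""
    started, last_stop_pid, runs = {}, None, []
    for ts, pid, kind in events:
        if kind == "start":
            started[pid] = ts
        elif kind == "stop_requested":
            last_stop_pid = pid  # PID of the wrapper invoked with "stop"
        else:
            begin = started.pop(pid, None)
            runs.append({
                "pid": pid,
                "start": begin,  # None: start is not in this excerpt
                "stop": ts,
                "seconds": (ts - begin).total_seconds() if begin else None,
                "stop_wrapper_pid": last_stop_pid,
            })
            last_stop_pid = None
    return runs

if __name__ == "__main__":
    for run in lifetimes(parse_events(SAMPLE)):
        print(run)
```

A run whose `start` is `None`, like the Apr 28 shutdown of PID 8557, belongs to an instance whose startup is outside the pasted excerpt, which is why a complete log taken from a recorded `date` onward is easier to interpret.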