[Freeipa-users] ACI errors in httpd log

Rob Crittenden rcritten at redhat.com
Fri Dec 2 03:56:57 UTC 2016


Jim Richard wrote:
> I think I know what the issue is.
> 
> I had 2 IPA servers, both with CA’s
> 
> I dropped one and rebuilt without the CA but a bunch of clients are
> still pointing at this one server that now is without a CA.
> 
> Will rebuild that one with a CA and almost sure that will fix.

I'm rather skeptical of that. Not having a CA should not result in an
ACI error. It should internally forward any cert requests to an IPA
server that does have a CA and relay the result back to the requester.

rob

> 
>> On Nov 28, 2016, at 2:39 PM, Rob Crittenden <rcritten at redhat.com
>> <mailto:rcritten at redhat.com>> wrote:
>>
>> Jim Richard wrote:
>>> Honestly I’m not even sure if something is not working correctly :)
>>>
>>> All I know is that my httpd, access and krb5 logs are filling up all my
>>> disk space extremely quickly and I have no idea why.
>>>
>>> CentOS 6.8 + IPA 3.0
>>>
>>> One master and one replica.
>>>
>>> Are these things related?
>>>
>>> How do I fix it, where do I even start?
>>>
>>> Thanks!
>>>
>>> On the replica the httpd log is constantly getting spammed with:
>>>
>>> [Thu Nov 24 05:55:18 2016] [error] ipa: INFO:
>>> host/phoenix-153.nym1.placeiq.net at PLACEIQ.NET
>>> <mailto:host/phoenix-153.nym1.placeiq.net at placeiq.net>:
>>> cert_request(u’actual cert removed
>>> .. , add=True): ACIError
>>>
>>> and on the master the access log is filling up quickly with:
>>>
>>> 10.1.41.110 - - [24/Nov/2016:06:09:54 +0000] "POST
>>> /ca/agent/ca/displayBySerial HTTP/1.1" 200 10106
>>
>> Looks like certmonger trying to renew the per-client SSL certificate.
>> You can confirm by pulling out the CSR and poking at it with openssl req.
>>
>> On the client you can try running: ipa-getcert list
>>
>> This may show more details on why the request was rejected.
>>
>> rob
> 
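As an added example (not part of the thread), a small Python script that parses httpd error-log entries of the shape Jim quoted and groups the `cert_request ... ACIError` failures by principal, showing how many times and how tightly each client retries, which is the pattern behind a log filling the disk. The log lines are constructed, and a literal `@` in the principal is assumed where the list archive shows ` at `.

```python
import re
from collections import defaultdict
from datetime import datetime

# Entry shape quoted in the thread. Assumptions: one entry per line, and a
# literal '@' in the principal (the list archive rewrote it as ' at ').
ENTRY_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] ipa: (?P<ipa_level>\w+): "
    r"(?P<principal>\S+): (?P<command>\w+)\((?P<args>.*)\): (?P<result>\w+)$"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"  # Apache error-log timestamp

# Constructed sample: two hosts retrying, one successful request, one unrelated line.
SAMPLE_LOG = """\
[Thu Nov 24 05:55:18 2016] [error] ipa: INFO: host/phoenix-153.nym1.placeiq.net@PLACEIQ.NET: cert_request(u'CSR-REDACTED', add=True): ACIError
[Thu Nov 24 05:55:48 2016] [error] ipa: INFO: host/phoenix-153.nym1.placeiq.net@PLACEIQ.NET: cert_request(u'CSR-REDACTED', add=True): ACIError
[Thu Nov 24 05:56:18 2016] [error] ipa: INFO: host/phoenix-153.nym1.placeiq.net@PLACEIQ.NET: cert_request(u'CSR-REDACTED', add=True): ACIError
[Thu Nov 24 05:56:03 2016] [error] ipa: INFO: host/web-07.example.test@PLACEIQ.NET: cert_request(u'CSR-REDACTED', add=True): ACIError
[Thu Nov 24 05:57:03 2016] [error] ipa: INFO: host/web-07.example.test@PLACEIQ.NET: cert_request(u'CSR-REDACTED', add=True): ACIError
[Thu Nov 24 05:58:00 2016] [error] ipa: INFO: admin@PLACEIQ.NET: cert_request(u'CSR-REDACTED', add=True): SUCCESS
[Thu Nov 24 05:58:01 2016] [notice] caught SIGTERM, shutting down
"""


def parse_entry(line):
    """Return the fields of one IPA API log entry, or None for other lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["ts"] = datetime.strptime(fields["ts"], TS_FORMAT)
    return fields


def failing_requesters(log_text, command="cert_request", result="ACIError"):
    """Group matching failures by principal: count and shortest repeat gap.

    A short, steady gap is the signature of a client (typically certmonger)
    resubmitting the same rejected request over and over.
    """
    times = defaultdict(list)
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e and e["command"] == command and e["result"] == result:
            times[e["principal"]].append(e["ts"])
    report = {}
    for principal, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[principal] = {"count": len(stamps), "min_gap_s": min(gaps) if gaps else None}
    return report


if __name__ == "__main__":
    for p, s in sorted(failing_requesters(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"]):
        print(f"{s['count']:5d}  min gap {s['min_gap_s']}s  {p}")
```

Run it against `/var/log/httpd/error_log` by reading that file into `failing_requesters` instead of `SAMPLE_LOG`; the principals it reports are the clients to check with `ipa-getcert list`.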
