[Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)

Christopher Young mexigabacho at gmail.com
Fri Dec 16 20:47:53 UTC 2016


I have a similar issue (see my recent list post), and I was wondering
if this was ever fixed?  CA appears to work on one system
(master/replica) but not the other.

On Mon, Jun 13, 2016 at 4:41 AM, Petr Vobornik <pvoborni at redhat.com> wrote:
> On 06/12/2016 07:05 PM, Dan.Finkelstein at high5games.com wrote:
>> The restore I was referring to was a red herring; we ended up wiping the server
>> and saving ipa-backup files, which was the only way we could successfully
>> reconfigure/reinitialize IPA on the host.
>>
>
> As Rob wrote, please check PKI logs. The most important ones here are:
>
> /var/log/pki/pki-tomcat/ca/selftests.log
> /var/log/pki/pki-tomcat/ca/debug
>
> Debug log usually has additional info for possible cause logged in
> selftest log.
>
>
>> *From: *Rob Crittenden <rcritten at redhat.com>
>> *Date: *Friday, June 10, 2016 at 17:17
>> *To: *Daniel Finkestein <Dan.Finkelstein at high5games.com>,
>> "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>> *Subject: *Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error
>> 4301: CertificateOperationError)
>>
>> Dan.Finkelstein at high5games.com <mailto:Dan.Finkelstein at high5games.com> wrote:
>>
>>     And, from the 'ipactl -d --ignore-service-failures restart' we get this:
>>
>>     ipa: DEBUG: stderr=
>>     ipa: DEBUG: wait_for_open_ports: localhost [8080, 8443] timeout 300
>>     ipa: DEBUG: Waiting until the CA is running
>>     ipa: DEBUG: Starting external process
>>     ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'
>>     ipa: DEBUG: Process finished, return code=4
>>     ipa: DEBUG: stdout=
>>     ipa: DEBUG: stderr=--2016-06-10 15:29:38--  https://ipa.example.com:8443/ca/admin/ca/getStatus
>>     Resolving ipa.example.com (ipa.example.com)... 10.55.10.31
>>     Connecting to ipa.example.com (ipa.example.com)|10.55.10.31|:8443... connected.
>>     Unable to establish SSL connection.
>>     ipa: DEBUG: The CA status is: check interrupted due to error: Command ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'' returned non-zero exit status 4
>>     ipa: DEBUG: Waiting for CA to start...
>>     ipa: DEBUG: Starting external process
>>     ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'
>>     ipa: DEBUG: Process finished, return code=4
>>     ipa: DEBUG: stdout=
>>     ipa: DEBUG: stderr=--2016-06-10 15:29:43--  https://ipa.example.com:8443/ca/admin/ca/getStatus
>>     Resolving ipa.example.com (ipa.example.com)... 10.55.10.31
>>     Connecting to ipa.example.com (ipa.example.com)|10.55.10.31|:8443... connected.
>>     Unable to establish SSL connection.
>>     ipa: DEBUG: The CA status is: check interrupted due to error: Command ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'' returned non-zero exit status 4
>>     ipa: DEBUG: Waiting for CA to start...
>>     ipa: DEBUG: Starting external process
>>     ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'
>>
>>     Which leads me to believe that tomcat doesn't have the right certificate(s).
>>
>> I don't think that's the problem. I'd check the pki logs to see if it
>> started and if not, why. Note that it is quite possible for tomcat to
>> start and the CA to fail because tomcat is just a container.
>>
>> In a previous e-mail you said something about a restore, what was that?
>>
>> rob
>>
>>     *Daniel Alex Finkelstein*| Lead Dev Ops Engineer
>>     Dan.Finkelstein at h5g.com | 212.604.3447
>>     One World Trade Center, New York, NY 10007
>>     www.high5games.com
>>
>>     /This message and any attachments may contain confidential or privileged
>>     information and are only for the use of the intended recipient of this
>>     message. If you are not the intended recipient, please notify the sender
>>     by return email, and delete or destroy this and all copies of this
>>     message and all attachments. Any unauthorized disclosure, use,
>>     distribution, or reproduction of this message or any attachments is
>>     prohibited and may be unlawful./
>>
>>     *From: *<freeipa-users-bounces at redhat.com> on behalf of Daniel Finkestein <Dan.Finkelstein at high5games.com>
>>     *Date: *Friday, June 10, 2016 at 14:52
>>     *To: *"freeipa-users at redhat.com" <freeipa-users at redhat.com>
>>     *Subject: *Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)
>>
>>     That's exactly right, and we got the files and links back to serviceable
>>     order. Now we're (merely) facing issues with our restored certificate
>>     store, which the pki-tomcatd process is not happy with. All IPA services
>>     start normally except for tomcat, which spits out SSL errors (and we're
>>     pretty sure must be related to bad certs... somewhere).
>>
>>     Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
>>     Internal Database Error encountered: Could not connect to LDAP server host ipa.example.com port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
>>         at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:673)
>>         at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1107)
>>         at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1013)
>>         at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:510)
>>         at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
>>         at com.netscape.certsrv.apps.CMS.start(CMS.java:1601)
>>         at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
>>         at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>         at java.lang.reflect.Method.invoke(Method.java:606)
>>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
>>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
>>         at java.security.AccessController.doPrivileged(Native Method)
>>         at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
>>         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
>>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
>>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
>>         at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
>>         at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
>>         at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
>>         at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
>>         at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
>>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
>>         at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
>>         at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>>         at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>>         at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>>         at java.security.AccessController.doPrivileged(Native Method)
>>         at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
>>         at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
>>         at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
>>         at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
>>         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
>>         at java.util.concurrent.FutureTask.run(FutureTask.java:262)
>>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>         at java.lang.Thread.run(Thread.java:745)
>>
>>     I think we might be willing to toss out the existing certificate store
>>     and start anew, which fortunately should preserve the DNS, user, group,
>>     etc., data already in LDAP. If we wanted to create a new trust and
>>     self-signed cert for the server, how are those steps different from
>>     promoting a replica to a cert-signing master?
>>
>>     Thanks,
>>
>>     Dan
>
>>
>>     *From: *Rob Crittenden <rcritten at redhat.com>
>>     *Date: *Friday, June 10, 2016 at 14:48
>>     *To: *Daniel Finkestein <Dan.Finkelstein at high5games.com>,
>>     "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>>     *Subject: *Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)
>>
>>     I'd reinstall some rpms to properly create these:
>>
>>     tomcat
>>     pki-base
>>     pki-server
>>
>>     I'm not positive it will fix permissions, rpm -V on the same may point
>>     out problems as well.
>>
>>     rob
>>
>>
>>
>
>
> --
> Petr Vobornik
>

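The thread above boils down to one diagnostic loop: ipactl probes https://host:8443/ca/admin/ca/getStatus with wget, wget exits 4, and the real cause has to be read out of the Dogtag logs Petr names (selftests.log and debug), where Dan's trace shows the CA failing to open a JSS TLS socket to the directory server on port 636. The script below is an added example written for this page; it is not code from the thread, from FreeIPA or from Dogtag. It reuses the exact wget probe and log paths quoted in the thread, but the classification tokens, the function names, the `--live` mode and the use of `/etc/pki/pki-tomcat/alias` as the CA's NSS database path are my own assumptions. Run without arguments it classifies constructed samples of Dan's output; with `--live [fqdn]` it runs the same probe and follow-up checks (openssl against 636, certutil on the NSS DB, Rob's `rpm -V`) on the local CA host.

```shell
#!/bin/sh
# Added triage helper for a FreeIPA CA stuck in "Waiting until the CA is
# running". Not code from the thread or from FreeIPA/Dogtag; see lead-in.

CA_DEBUG_LOG=/var/log/pki/pki-tomcat/ca/debug          # named by Petr
CA_SELFTEST_LOG=/var/log/pki/pki-tomcat/ca/selftests.log  # named by Petr
CA_NSSDB=/etc/pki/pki-tomcat/alias                      # assumed Dogtag NSS DB path

# classify_wget: map the stderr of `wget -S ... getStatus` to a diagnosis
# token. wget's exit code 4 ("network failure") lumps together several
# different faults; only the text tells them apart.
classify_wget() {
    text=$1
    if printf '%s\n' "$text" | grep -qF 'HTTP/1.1 200'; then
        echo ca_responding          # Tomcat and the CA webapp answered
    elif printf '%s\n' "$text" | grep -qF 'Unable to establish SSL connection'; then
        echo tls_handshake_failed   # TCP connected, TLS never negotiated (this thread)
    elif printf '%s\n' "$text" | grep -qF 'Connection refused'; then
        echo port_closed            # nothing listening on 8443
    elif printf '%s\n' "$text" | grep -qF 'HTTP/1.1 404'; then
        echo ca_webapp_missing      # Tomcat up, CA webapp not deployed
    else
        echo unclassified
    fi
}

# classify_ca_debug: look in a chunk of the CA debug log for the cause
# Dan's trace showed: the CA's JSS client could not open an LDAPS socket
# to 389-ds on port 636 (directory down, or the CA's NSS DB/certs unusable).
classify_ca_debug() {
    text=$1
    if printf '%s\n' "$text" | grep -qF 'IO Error creating JSS SSL Socket'; then
        echo ldaps_to_ds_failed
    elif printf '%s\n' "$text" | grep -qF 'Could not connect to LDAP server'; then
        echo ldap_unreachable
    else
        echo unclassified
    fi
}

# live_check: run the same probe ipactl runs, then the follow-ups the thread
# suggests. Only invoked with --live, never by the sample run below.
live_check() {
    host=${1:-$(hostname -f)}
    probe=$(wget -S -O - --timeout=30 --no-check-certificate \
        "https://$host:8443/ca/admin/ca/getStatus" 2>&1)
    verdict=$(classify_wget "$probe")
    echo "getStatus probe: $verdict"
    [ "$verdict" = ca_responding ] && return 0
    echo "--- recent failure lines in $CA_SELFTEST_LOG"
    grep -iE 'fail|error' "$CA_SELFTEST_LOG" | tail -n 5
    echo "--- CA debug log verdict: $(classify_ca_debug "$(tail -n 200 "$CA_DEBUG_LOG")")"
    echo "--- can this host reach the directory server over LDAPS (636)?"
    openssl s_client -connect "$host:636" </dev/null 2>&1 | grep -E 'subject=|Verify return|error'
    echo "--- certificates present in the CA NSS DB (assumed path $CA_NSSDB)"
    certutil -L -d "$CA_NSSDB"
    echo "--- package integrity (Rob's suggestion); any output means a changed file"
    rpm -V tomcat pki-base pki-server
}

# Constructed samples, abbreviated from the output Dan posted.
SAMPLE_WGET='--2016-06-10 15:29:38--  https://ipa.example.com:8443/ca/admin/ca/getStatus
Resolving ipa.example.com (ipa.example.com)... 10.55.10.31
Connecting to ipa.example.com (ipa.example.com)|10.55.10.31|:8443... connected.
Unable to establish SSL connection.'

SAMPLE_DEBUG='Internal Database Error encountered: Could not connect to LDAP server host ipa.example.com port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)'

if [ "${1:-}" = "--live" ]; then
    live_check "${2:-}"
else
    echo "sample wget stderr  -> $(classify_wget "$SAMPLE_WGET")"
    echo "sample CA debug log -> $(classify_ca_debug "$SAMPLE_DEBUG")"
fi
```

The point of splitting the probe result from the log verdict is the one Rob makes: Tomcat answering (or not) on 8443 says little about the CA webapp inside it, so a `tls_handshake_failed` probe should send you to the Dogtag logs and to the CA's own client-side connection to 636 rather than to the Tomcat server certificate first.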