[Freeipa-users] Asking for help with crashed freeIPA instance

Daniel Schimpfoessl daniel at schimpfoessl.com
Tue Dec 20 15:36:46 UTC 2016


Thanks for getting back to me.

getcert list | grep expires shows dates years in the future for all
certificates
[image: Inline image 1]

ipactl start --force

Eventually the system started with:
     Forced start, ignoring pki-tomcatd Service, continuing normal
operations.

systemctl status ipa shows: failed

ldapsearch -H ldaps://localhost:636 -D "cn=directory manager" -w password -b "" -s base
ldapsearch -H ldaps://localhost:636 -D "cn=directory manager" -w *********** -b "" -s base
[image: Inline image 2]

The logs have thousands of lines like it, what am I looking for
specifically?

Daniel


2016-12-20 4:18 GMT-06:00 Florence Blanc-Renaud <flo at redhat.com>:

> On 12/19/2016 07:15 PM, Daniel Schimpfoessl wrote:
>
>> Good day and happy holidays,
>>
>> I have been running a freeIPA instance for a few years and been very
>> happy. Recently the certificate expired and I updated it using the
>> documented methods. At first all seemed fine. Added a Nagios monitor for
>> the certificate expiration and restarted the server (single server). I
>> have weekly snapshots, daily backups (using Amanda on the entire disk).
>>
>> One day the services relying on IPA failed to authenticate. Looking at
>> the server the ipa service had stopped. Restarting the service fails.
>> Restoring a few weeks old snapshot does not start either. Resetting the
>> date to a few month back does not work either as httpd fails to start .
>>
>> I am at a loss.
>>
>> Here a few details:
>> # ipa --version
>> VERSION: 4.4.0, API_VERSION: 2.213
>>
>>
>> # /usr/sbin/ipactl start
>> ...
>> out -> Failed to start pki-tomcatd Service
>> /var/log/pki/pki-tomcat/ca/debug -> Could not connect to LDAP server host ipa.myorg.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
>> 2016-12-19T03:02:16Z DEBUG The CA status is: check interrupted due to error: Retrieving CA status failed with status 500
>>
>> Any help would be appreciated as all connected services are now down.
>>
>> Thanks,
>>
>> Daniel
>>
>>
>
> Hi Daniel,
>
> more information would be required to understand what is going on. First
> of all, which certificate did you renew? Can you check with
> $ getcert list
> if other certificates also expired?
>
> PKI fails to start and the error seems linked to the SSL connection with
> the LDAP server. You may want to check if the LDAP server is listening on
> the LDAPs port:
> - start the stack with
> $ ipactl start --force
> - check the LDAPs port with
> $ ldapsearch -H ldaps://localhost:636 -D "cn=directory manager" -w password -b "" -s base
>
> The communication between PKI and the LDAP server is authenticated with
> the certificate 'subsystemCert cert-pki-ca' located in
> /etc/pki/pki-tomcat/alias, so you may also want to check if it is still
> valid.
> The directory server access logs (in /var/log/dirsrv/slapd-DOMAIN-COM/access)
> would also show the connection with logs similar to:
>
> [...] conn=47 fd=84 slot=84 SSL connection from 10.34.58.150 to 10.34.58.150
> [...] conn=47 TLS1.2 128-bit AES; client CN=CA Subsystem,O=DOMAIN.COM; issuer CN=Certificate Authority,O=DOMAIN.COM
> [...] conn=47 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca
> [...] conn=47 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
> [...] conn=47 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=pkidbuser,ou=people,o=ipaca"
>
>
>
> HTH,
> Flo
>
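A triage script for the checks Flo lists above (certificate expiry, the subsystem certificate in /etc/pki/pki-tomcat/alias, the LDAPS bind, and the directory server access log), added here as an example; it is not code from the thread or from FreeIPA. It assumes the 389-ds access log layout quoted in the reply and certmonger's `getcert list` layout (a `certificate:` line carrying `nickname='...'` followed by an `expires: YYYY-MM-DD ...` line). The sample log and `getcert` excerpt embedded in it are constructed: `conn=47` mirrors the healthy exchange quoted above, while `conn=52`, the `Server-Cert` entry and all timestamps are invented to show the failing case and are not from Daniel's server.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): offline triage helpers for
# the PKI -> LDAPS authentication failure discussed above. The log lines and the
# getcert output embedded below are constructed for this example.

# audit_ca_binds: read a 389-ds access log on stdin and, for every connection that
# presented a TLS client certificate, print its subject and issuer, the bind
# mechanism, the entry the certificate was mapped to ("client bound as") and the
# LDAP result code of the BIND. A CA subsystem connection showing bound=NONE and
# err=48 is the server-side view of "Authentication failed (48)" in the PKI debug log.
audit_ca_binds() {
    awk '
    function connid(s) { match(s, /conn=[0-9]+/); return substr(s, RSTART + 5, RLENGTH - 5) }
    function opid(s)   { match(s, / op=[0-9]+/);  return substr(s, RSTART + 4, RLENGTH - 4) }
    BEGIN {
        name["0"] = "success"; name["48"] = "inappropriateAuthentication"
        name["49"] = "invalidCredentials"; name["none"] = "no BIND result logged"
    }
    /; client CN=/ {                      # TLS handshake: client cert subject and issuer
        c = connid($0); split($0, p, /; /)
        subject[c] = substr(p[2], 8); issuer[c] = substr(p[3], 8)
    }
    / client bound as / {                 # certificate mapped to a directory entry
        c = connid($0); sub(/.*client bound as /, ""); bound[c] = $0
    }
    / BIND / {
        c = connid($0); bindop[c] = opid($0)
        mech[c] = match($0, /mech=[A-Z0-9-]+/) ? substr($0, RSTART + 5, RLENGTH - 5) : "simple"
    }
    / RESULT err=/ {                      # first RESULT for this connection BIND op
        c = connid($0)
        if ((c in bindop) && opid($0) == bindop[c] && !(c in err)) {
            match($0, /err=[0-9]+/); err[c] = substr($0, RSTART + 4, RLENGTH - 4)
        }
    }
    END {
        for (c in subject) {
            e = (c in err) ? err[c] : "none"
            printf "conn=%s subject=\"%s\" issuer=\"%s\" mech=%s bound=%s err=%s (%s)\n",
                c, subject[c], issuer[c], (c in mech) ? mech[c] : "none",
                (c in bound) ? bound[c] : "NONE", e, (e in name) ? name[e] : "see RFC 4511"
        }
    }' | sort -t= -k2,2n
}

# cert_status [YYYY-MM-DD]: read `getcert list` output on stdin and print one line
# per tracked certificate, flagged EXPIRED when its expiry date is before the cutoff
# (default: today). Unlike "getcert list | grep expires" this keeps each date paired
# with the NSS nickname it belongs to.
cert_status() {
    awk -v cutoff="${1:-$(date +%Y-%m-%d)}" -v q="'" '
    $1 == "certificate:" {
        match($0, "nickname=" q "[^" q "]*" q); nick = substr($0, RSTART + 10, RLENGTH - 11)
    }
    $1 == "expires:" {
        printf "%-7s expires=%s nickname=%s\n", ($2 < cutoff) ? "EXPIRED" : "OK", $2, nick
    }'
}

# live_checks: the same checks against a real IPA server (run as root on the IPA
# host with "--live"). ldapsearch uses -x (simple bind) and -W (prompt), so the
# Directory Manager password is not placed on the command line.
live_checks() {
    getcert list | cert_status
    certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' | grep -E 'Not (Before|After)'
    ldapsearch -x -H ldaps://localhost:636 -D 'cn=directory manager' -W -b '' -s base
    cat /var/log/dirsrv/slapd-*/access | audit_ca_binds
}

# Constructed sample data: conn=47 mirrors the healthy exchange quoted in the reply;
# conn=52 is an invented failure where the cert is presented but maps to no entry.
SAMPLE_ACCESS_LOG=$(cat <<'EOF'
[20/Dec/2016:15:10:01 +0000] conn=47 fd=84 slot=84 SSL connection from 10.34.58.150 to 10.34.58.150
[20/Dec/2016:15:10:01 +0000] conn=47 TLS1.2 128-bit AES; client CN=CA Subsystem,O=DOMAIN.COM; issuer CN=Certificate Authority,O=DOMAIN.COM
[20/Dec/2016:15:10:01 +0000] conn=47 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca
[20/Dec/2016:15:10:01 +0000] conn=47 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[20/Dec/2016:15:10:01 +0000] conn=47 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=pkidbuser,ou=people,o=ipaca"
[20/Dec/2016:15:11:30 +0000] conn=52 fd=85 slot=85 SSL connection from 10.34.58.150 to 10.34.58.150
[20/Dec/2016:15:11:30 +0000] conn=52 TLS1.2 128-bit AES; client CN=CA Subsystem,O=DOMAIN.COM; issuer CN=Certificate Authority,O=DOMAIN.COM
[20/Dec/2016:15:11:30 +0000] conn=52 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[20/Dec/2016:15:11:30 +0000] conn=52 op=0 RESULT err=48 tag=97 nentries=0 etime=0
EOF
)
SAMPLE_GETCERT=$(cat <<'EOF'
Request ID '20150101120000':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    expires: 2018-12-20 15:36:46 UTC
Request ID '20150101120001':
    status: CA_UNREACHABLE
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 2016-11-30 08:00:00 UTC
EOF
)

if [ "${1:-}" = "--live" ]; then
    live_checks
else
    echo "== TLS client-certificate binds (sample access log) =="
    printf '%s\n' "$SAMPLE_ACCESS_LOG" | audit_ca_binds
    echo "== tracked certificates against 2016-12-20 (sample getcert output) =="
    printf '%s\n' "$SAMPLE_GETCERT" | cert_status 2016-12-20
fi
```

Run it without arguments to see the parsers work on the samples, or as root on the IPA host with `--live` for the real checks. In the access-log report, result code 48 is LDAP inappropriateAuthentication; on an EXTERNAL bind it arrives with no `client bound as` line, which is the pattern for a handshake that succeeded with a certificate the directory did not map to `uid=pkidbuser,ou=people,o=ipaca`. When that is what the report shows, the certificate `certutil -L` prints from the PKI NSS database is the next thing to compare against what the directory holds for that entry.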