[Freeipa-users] Asking for help with crashed freeIPA istance

Rob Crittenden rcritten at redhat.com
Wed Dec 21 15:27:02 UTC 2016


Daniel Schimpfoessl wrote:
> Thanks for getting back to me. 
> 
> getcert list | grep expires shows dates years in the future for all
> certificates
> [Inline image 1]
> 
> ipactl start --force
> 
> Eventually the system started with:
>      Forced start, ignoring pki-tomcatd Service, continuing normal
> operations.
> 
> systemctl status ipa shows: failed

I don't think this is a certificate problem at all. I think the timing
with your renewal is just coincidence.

Did you change your Directory Manager password at some point?

> 
> ldapsearch -H ldaps://localhost:636 -D "cn=directory manager" -w
> password -b "" -s base
> ldapsearch -H ldaps://localhost:636 -D "cn=directory manager" -w
> *********** -b "" -s base
> [Inline image 2]

You need the -x flag to indicate simple bind.

rob

> The logs have thousands of lines like it, what am I looking for
> specifically?
> 
> Daniel
> 
> 
> 2016-12-20 4:18 GMT-06:00 Florence Blanc-Renaud <flo at redhat.com>:
> 
>     On 12/19/2016 07:15 PM, Daniel Schimpfoessl wrote:
> 
>         Good day and happy holidays,
> 
>         I have been running a freeIPA instance for a few years and been very
>         happy. Recently the certificate expired and I updated it using the
>         documented methods. At first all seemed fine. Added a Nagios
>         monitor for
>         the certificate expiration and restarted the server (single
>         server). I
>         have weekly snapshots, daily backups (using Amanda on the entire
>         disk).
> 
>         One day the services relying on IPA failed to authenticate.
>         Looking at
>         the server the ipa service had stopped. Restarting the service
>         fails.
>         Restoring a few weeks old snapshot does not start either.
>         Resetting the
>         date to a few month back does not work either as httpd fails to
>         start.
> 
>         I am at a loss.
> 
>         Here a few details:
>         # ipa --version
>         VERSION: 4.4.0, API_VERSION: 2.213
> 
> 
>         # /usr/sbin/ipactl start
>         ...
>         out -> Failed to start pki-tomcatd Service
>         /var/log/pki/pki-tomcat/ca/debug -> Could not connect to LDAP server
>         host ipa.myorg.com
>         port 636 Error
>         netscape.ldap.LDAPException: Authentication failed (48)
>         2016-12-19T03:02:16Z DEBUG The CA status is: check interrupted
>         due to
>         error: Retrieving CA status failed with status 500
> 
>         Any help would be appreciated as all connected services are now
>         down.
> 
>         Thanks,
> 
>         Daniel
> 
> 
> 
> 
>     Hi Daniel,
> 
>     more information would be required to understand what is going on.
>     First of all, which certificate did you renew? Can you check with
>     $ getcert list
>     if other certificates also expired?
> 
>     PKI fails to start and the error seems linked to the SSL connection
>     with the LDAP server. You may want to check if the LDAP server is
>     listening on the LDAPs port:
>     - start the stack with
>     $ ipactl start --force
>     - check the LDAPs port with
>     $ ldapsearch -H ldaps://localhost:636 -D "cn=directory manager" -w
>     password -b "" -s base
> 
>     The communication between PKI and the LDAP server is authenticated
>     with the certificate 'subsystemCert cert-pki-ca' located in
>     /etc/pki/pki-tomcat/alias, so you may also want to check if it is
>     still valid.
>     The directory server access logs (in
>     /var/log/dirsrv/slapd-DOMAIN-COM/access) would also show the
>     connection with logs similar to:
> 
>     [...] conn=47 fd=84 slot=84 SSL connection from 10.34.58.150 to
>     10.34.58.150
>     [...] conn=47 TLS1.2 128-bit AES; client CN=CA
>     Subsystem,O=DOMAIN.COM; issuer CN=Certificate
>     Authority,O=DOMAIN.COM
>     [...] conn=47 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca
>     [...] conn=47 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
>     [...] conn=47 op=0 RESULT err=0 tag=97 nentries=0 etime=0
>     dn="uid=pkidbuser,ou=people,o=ipaca"
> 
> 
> 
>     HTH,
>     Flo
> 
> 
> 
> 
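As an added example (not part of this thread or of FreeIPA), a small Python parser for the 389-ds access log lines Flo describes above: it groups lines by conn=, records the peer, the client certificate subject, the DN the certificate was mapped to, the SASL mechanism and the op=0 RESULT code, and reports whether each connection that presented the CA subsystem certificate actually bound as pkidbuser. The sample log is constructed from the lines quoted above plus one constructed connection whose bind is rejected with err=48; the timestamp format and the assumption that the bind is op=0 are mine.

```python
import re
from collections import defaultdict

# Constructed sample in 389-ds access-log format: conn=47 is the healthy
# exchange quoted in the thread, conn=48 is a constructed connection whose
# EXTERNAL bind is rejected with err=48 (inappropriateAuthentication).
SAMPLE_LOG = """\
[19/Dec/2016:03:02:10 +0000] conn=47 fd=84 slot=84 SSL connection from 10.34.58.150 to 10.34.58.150
[19/Dec/2016:03:02:10 +0000] conn=47 TLS1.2 128-bit AES; client CN=CA Subsystem,O=DOMAIN.COM; issuer CN=Certificate Authority,O=DOMAIN.COM
[19/Dec/2016:03:02:10 +0000] conn=47 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca
[19/Dec/2016:03:02:10 +0000] conn=47 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[19/Dec/2016:03:02:10 +0000] conn=47 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=pkidbuser,ou=people,o=ipaca"
[19/Dec/2016:03:02:16 +0000] conn=48 fd=85 slot=85 SSL connection from 10.34.58.150 to 10.34.58.150
[19/Dec/2016:03:02:16 +0000] conn=48 TLS1.2 128-bit AES; client CN=CA Subsystem,O=DOMAIN.COM; issuer CN=Certificate Authority,O=DOMAIN.COM
[19/Dec/2016:03:02:16 +0000] conn=48 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[19/Dec/2016:03:02:16 +0000] conn=48 op=0 RESULT err=48 tag=97 nentries=0 etime=0
"""

CONN_RE = re.compile(r"\bconn=(\d+)\b")
FIELDS = {  # one capturing group per field of interest
    "peer": re.compile(r"SSL connection from (\S+) to"),
    "client_cn": re.compile(r"; client (CN=[^;]+); issuer"),
    "bound_as": re.compile(r"client bound as (\S+)"),
    "mech": re.compile(r'BIND dn="[^"]*" method=\S+.*?mech=(\S+)'),
    "err": re.compile(r"op=0 RESULT err=(\d+)"),  # assumes the bind is op=0
}

def parse_access_log(text):
    """Collect per-connection TLS and bind details, keyed by conn id."""
    conns = defaultdict(lambda: dict.fromkeys(FIELDS))
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        c = conns[int(m.group(1))]
        for field, rx in FIELDS.items():
            hit = rx.search(line)
            if hit:
                c[field] = int(hit.group(1)) if field == "err" else hit.group(1)
    return dict(conns)

def check_ca_bind(conns, expected_dn="uid=pkidbuser,ou=people,o=ipaca"):
    """Verdict per connection that presented the CA subsystem certificate."""
    verdicts = {}
    for cid, c in conns.items():
        if c["client_cn"] and c["client_cn"].startswith("CN=CA Subsystem"):
            ok = c["err"] == 0 and c["bound_as"] == expected_dn
            verdicts[cid] = "ok" if ok else f"bind failed err={c['err']} bound_as={c['bound_as']}"
    return verdicts
```

A connection that shows the subsystem certificate but no "client bound as" line and a non-zero err is the pattern to look for when pki-tomcat reports "Authentication failed (48)": the TLS handshake succeeded but the certificate did not map to pkidbuser.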