[Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)

Dan.Finkelstein at high5games.com Dan.Finkelstein at high5games.com
Fri Jun 10 15:24:48 UTC 2016


An update: The journalctl command has some really interesting output:

Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: WARNING:  Symbolic link '/var/lib/pki/pki-tomcat/alias' does NOT exist!
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: INFO:  Attempting to create '/var/lib/pki/pki-tomcat/alias' -> '/etc/pki/pki-tomcat/ali
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ln: failed to create symbolic link ‘/var/lib/pki/pki-tomcat/alias’: Permission denied
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ERROR:  Failed to create '/var/lib/pki/pki-tomcat/alias' -> '/etc/pki/pki-tomcat/alias'
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: WARNING:  Symbolic link '/var/lib/pki/pki-tomcat/logs' does NOT exist!
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: INFO:  Attempting to create '/var/lib/pki/pki-tomcat/logs' -> '/var/log/pki/pki-tomcat'
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ln: failed to create symbolic link ‘/var/lib/pki/pki-tomcat/logs’: Permission denied
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ERROR:  Failed to create '/var/lib/pki/pki-tomcat/logs' -> '/var/log/pki/pki-tomcat'!
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: WARNING:  Symbolic link '/var/lib/pki/pki-tomcat/bin' does NOT exist!
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: INFO:  Attempting to create '/var/lib/pki/pki-tomcat/bin' -> '/usr/share/tomcat/bin' .
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ln: failed to create symbolic link ‘/var/lib/pki/pki-tomcat/bin’: Permission denied
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ERROR:  Failed to create '/var/lib/pki/pki-tomcat/bin' -> '/usr/share/tomcat/bin'!
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: WARNING:  Symbolic link '/var/lib/pki/pki-tomcat/conf' does NOT exist!
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: INFO:  Attempting to create '/var/lib/pki/pki-tomcat/conf' -> '/etc/pki/pki-tomcat' . .
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ln: failed to create symbolic link ‘/var/lib/pki/pki-tomcat/conf’: Permission denied
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ERROR:  Failed to create '/var/lib/pki/pki-tomcat/conf' -> '/etc/pki/pki-tomcat'!
Jun 10 11:16:23 ipa.example.com systemd[1]: pki-tomcatd@pki-tomcat.service: control process exited, code=exited status=1
Jun 10 11:16:23 ipa.example.com systemd[1]: Failed to start PKI Tomcat Server pki-tomcat.

Which makes me think all we have to do is create the right directory structures/links and/or change the file permissions? But which ones, and to whom?

—Dan

Daniel Alex Finkelstein | Lead Dev Ops Engineer
Dan.Finkelstein at h5g.com | 212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com
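The journalctl output above shows pkidaemon failing with "Permission denied" while creating four symlinks under /var/lib/pki/pki-tomcat. The shell script below is an added diagnostic, not part of this thread or of the pki or FreeIPA packages: it takes the link names and targets straight from those log lines, checks whether each link exists and resolves to the expected target, and prints the owner and mode of the instance directory so they can be compared with the account pki-tomcatd runs as. The instance directory is a parameter so the same function can be exercised against a test tree; the `check_pki_links` name and the MISSING/NOTLINK/WRONG/OK labels are this example's own.

```bash
#!/bin/bash
# Added diagnostic for the pkidaemon symlink failures. Link name|target pairs
# are the ones named in the journalctl messages; nothing else is assumed.
PKI_EXPECTED_LINKS="alias|/etc/pki/pki-tomcat/alias
logs|/var/log/pki/pki-tomcat
bin|/usr/share/tomcat/bin
conf|/etc/pki/pki-tomcat"

# check_pki_links INSTANCE_DIR [EXPECTED_LIST]
# Prints one status line per link and returns 0 only when every link exists,
# is a symlink, and points at the expected target.
check_pki_links() {
    instance_dir="$1"
    expected="${2:-$PKI_EXPECTED_LINKS}"
    rc=0

    if [ ! -d "$instance_dir" ]; then
        echo "MISSING  instance dir $instance_dir"
        return 1
    fi
    # "Permission denied" from ln means the user running pkidaemon cannot
    # write here; show mode, owner and group so that can be verified.
    echo "instance dir: $(ls -ld "$instance_dir" | awk '{print $1, $3, $4}')"

    while IFS='|' read -r name target; do
        [ -n "$name" ] || continue
        link="$instance_dir/$name"
        if [ ! -e "$link" ] && [ ! -L "$link" ]; then
            # nothing there at all: the ln that pkidaemon runs has never succeeded
            echo "MISSING  $link -> $target"; rc=1
        elif [ ! -L "$link" ]; then
            # a real directory or file where a link is expected
            echo "NOTLINK  $link (expected link to $target)"; rc=1
        else
            actual=$(readlink "$link")
            if [ "$actual" = "$target" ]; then
                echo "OK       $link -> $actual"
            else
                echo "WRONG    $link -> $actual (expected $target)"; rc=1
            fi
        fi
    done <<EOF
$expected
EOF
    return $rc
}

# Usage on the affected host: check_pki_links /var/lib/pki/pki-tomcat
```

Run it as root on the CA host; a MISSING line for all four links together with an instance directory not owned by the account the pki-tomcatd service runs as (pkiuser on a stock CentOS 7 install) points at ownership or mode on /var/lib/pki/pki-tomcat itself rather than at the link targets, since ln only needs write access to the directory the link is created in.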

From: <freeipa-users-bounces at redhat.com> on behalf of Daniel Finkelstein <Dan.Finkelstein at high5games.com>
Date: Wednesday, June 8, 2016 at 17:11
To: "freeipa-users at redhat.com" <freeipa-users at redhat.com>
Subject: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)

I have a promoted CA master/FreeIPA 4.2.0 instance on CentOS 7 that emits this error in the httpd logs whenever the WebUI tries to see the certificates page:

[Wed Jun 08 16:56:27.052106 2016] [:error] [pid 2863] ipa: ERROR: ipaserver.plugins.dogtag.ra.find(): Unable to communicate with CMS ([Errno 111] Connection refused)
[Wed Jun 08 16:56:27.052401 2016] [:error] [pid 2863] ipa: INFO: [jsonserver_session] dfinkelstein@EXAMPLE.COM: cert_find(version=u'2.156'): CertificateOperationError

The certificates appear as follows:

[root@ipa httpd]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
auditSigningCert cert-pki-ca                                 u,u,u
EXAMPLE.COM IPA CA                                             CTu,u,Cu
ipaCert                                                      u,u,u
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u

Upon reboot, httpd fails to start with the error: Failed to start Identity, Policy, Audit. But it can be started later with `ipactl restart`. Finally, the two last IPA services don't appear to start:

[root@ipa]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: STOPPED
ipa-dnskeysyncd Service: STOPPED
ipa: INFO: The ipactl command was successful

I'd appreciate any guidance or suggestions.

Thanks,
Dan

