[Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)

Rob Crittenden rcritten at redhat.com
Fri Jun 10 18:48:54 UTC 2016


Dan.Finkelstein at high5games.com wrote:
> An update: The journalctl command has some really interesting output:
>
> Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: WARNING:  Symbolic link '/var/lib/pki/pki-tomcat/alias' does NOT exist!
> Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: INFO:  Attempting to create '/var/lib/pki/pki-tomcat/alias' -> '/etc/pki/pki-tomcat/alias'
> Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ln: failed to create symbolic link ‘/var/lib/pki/pki-tomcat/alias’: Permission denied
> Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ERROR:  Failed to create '/var/lib/pki/pki-tomcat/alias' -> '/etc/pki/pki-tomcat/alias'!
> Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: WARNING:  Symbolic link '/var/lib/pki/pki-tomcat/logs' does NOT exist!
> Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: INFO:  Attempting to create '/var/lib/pki/pki-tomcat/logs' -> '/var/log/pki/pki-tomcat'
> Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ln: failed to create symbolic link ‘/var/lib/pki/pki-tomcat/logs’: Permission denied
> Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ERROR:  Failed to create '/var/lib/pki/pki-tomcat/logs' -> '/var/log/pki/pki-tomcat'!
> Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: WARNING:  Symbolic link '/var/lib/pki/pki-tomcat/bin' does NOT exist!
> Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: INFO:  Attempting to create '/var/lib/pki/pki-tomcat/bin' -> '/usr/share/tomcat/bin'
> Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ln: failed to create symbolic link ‘/var/lib/pki/pki-tomcat/bin’: Permission denied
> Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ERROR:  Failed to create '/var/lib/pki/pki-tomcat/bin' -> '/usr/share/tomcat/bin'!
> Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: WARNING:  Symbolic link '/var/lib/pki/pki-tomcat/conf' does NOT exist!
> Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: INFO:  Attempting to create '/var/lib/pki/pki-tomcat/conf' -> '/etc/pki/pki-tomcat'
> Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ln: failed to create symbolic link ‘/var/lib/pki/pki-tomcat/conf’: Permission denied
> Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ERROR:  Failed to create '/var/lib/pki/pki-tomcat/conf' -> '/etc/pki/pki-tomcat'!
> Jun 10 11:16:23 ipa.example.com systemd[1]: pki-tomcatd@pki-tomcat.service: control process exited, code=exited status=1
> Jun 10 11:16:23 ipa.example.com systemd[1]: Failed to start PKI Tomcat Server pki-tomcat.
>
> Which makes me think all we have to do is create the right directory
> structures/links and/or change the file permissions? But which ones, and
> to whom?

I'd reinstall some rpms to properly create these:

tomcat
pki-base
pki-server

I'm not positive it will fix permissions; `rpm -V` on the same may point
out problems as well.

rob
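As an added example, not code from this thread nor from FreeIPA or Dogtag: a small shell audit that checks the four symlinks pkidaemon logged above (link names and targets taken verbatim from the journalctl excerpt) and filters `rpm -V` output for the three packages Rob names down to the findings that can explain a "Permission denied" or a bad link, namely mode (M), owner (U), group (G), symlink target (L) and missing files. The `rpm -V` sample it runs offline is constructed for illustration and is not output from the poster's host; the `PKI_INSTANCE_DIR` variable, the function names and the `--live` guard logic are mine.

```shell
#!/bin/sh
# Added example (not from the thread, FreeIPA or Dogtag): audit the symlinks
# pkidaemon could not create and triage `rpm -V` for the packages Rob named.

PKI_INSTANCE_DIR="${PKI_INSTANCE_DIR:-/var/lib/pki/pki-tomcat}"   # assumption: stock path
PKI_PACKAGES="tomcat pki-base pki-server"                         # Rob's list

# link-name:target pairs, exactly as pkidaemon logged them in the journal.
EXPECTED_LINKS="alias:/etc/pki/pki-tomcat/alias logs:/var/log/pki/pki-tomcat bin:/usr/share/tomcat/bin conf:/etc/pki/pki-tomcat"

# check_links DIR: report each expected symlink that is missing, points
# somewhere else, or dangles. Returns 1 if anything is wrong.
check_links() {
  dir="$1"; rc=0
  for pair in $EXPECTED_LINKS; do
    name="${pair%%:*}"; target="${pair#*:}"; link="$dir/$name"
    if [ ! -L "$link" ]; then
      echo "MISSING  $link -> $target"; rc=1
    elif [ "$(readlink "$link")" != "$target" ]; then
      echo "WRONG    $link -> $(readlink "$link") (expected $target)"; rc=1
    elif [ ! -e "$link" ]; then
      echo "DANGLING $link -> $target"; rc=1
    fi
  done
  return $rc
}

# triage_rpm_verify: read `rpm -V` lines on stdin and keep only the ones that
# matter for an EACCES on the instance directory: mode (M), owner (U),
# group (G), symlink target (L), or a file that is gone ("missing").
# Size/digest/mtime drift alone (S, 5, T) is normal for edited configs.
triage_rpm_verify() {
  while IFS= read -r line; do
    flags="${line%% *}"      # first token: 9 attribute flags or "missing"
    path="${line##* }"       # last token: the path (rpm paths have no spaces here)
    case "$flags" in
      missing)          echo "MISSING   $path" ;;
      *M*|*U*|*G*|*L*)  echo "PERM/LINK $path ($flags)" ;;
    esac
  done
}

# Constructed sample of `rpm -V tomcat pki-base pki-server` output so the
# triage can be exercised offline; it is NOT output from the poster's system.
SAMPLE_RPM_V='.M....... d /var/lib/pki/pki-tomcat
.....UG.. d /var/log/pki/pki-tomcat
missing     /var/lib/pki/pki-tomcat/alias
....L....   /var/lib/pki/pki-tomcat/conf
..5....T. c /etc/tomcat/server.xml
S.5....T.   /usr/share/tomcat/lib/catalina.jar'

echo "== triage of sample rpm -V output =="
printf '%s\n' "$SAMPLE_RPM_V" | triage_rpm_verify

# On a real CA host (rpm present and the instance directory exists) run the
# same checks live; anywhere else this section is skipped.
if command -v rpm >/dev/null 2>&1 && [ -d "$PKI_INSTANCE_DIR" ]; then
  echo "== $PKI_INSTANCE_DIR symlinks =="
  check_links "$PKI_INSTANCE_DIR" && echo "all expected links present"
  echo "== rpm -V $PKI_PACKAGES =="
  rpm -V $PKI_PACKAGES | triage_rpm_verify
fi
```

Run it as root on the CA host. An M, U or G flag on `/var/lib/pki/pki-tomcat` itself is the first thing to look for, since that is the directory in which `ln` was refused. Two caveats: `rpm -V` only reports files a package owns, so a directory created at instance-creation time rather than by the RPM will not show up, and it says nothing about SELinux labels, so if mode and owner look right also check `ls -ldZ` on the directory before reinstalling.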

>
> —Dan
>
> *Daniel Alex Finkelstein*| Lead Dev Ops Engineer
>
>
> From: <freeipa-users-bounces at redhat.com> on behalf of Daniel Finkelstein <Dan.Finkelstein at high5games.com>
> Date: Wednesday, June 8, 2016 at 17:11
> To: "freeipa-users at redhat.com" <freeipa-users at redhat.com>
> Subject: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)
>
> I have a promoted CA master/FreeIPA 4.2.0 instance on CentOS 7 that
> emits this error in the httpd logs whenever the WebUI tries to see the
> certificates page:
>
> [Wed Jun 08 16:56:27.052106 2016] [:error] [pid 2863] ipa: ERROR: ipaserver.plugins.dogtag.ra.find(): Unable to communicate with CMS ([Errno 111] Connection refused)
> [Wed Jun 08 16:56:27.052401 2016] [:error] [pid 2863] ipa: INFO: [jsonserver_session] dfinkelstein at EXAMPLE.COM: cert_find(version=u'2.156'): CertificateOperationError
>
> The certificates appear as follows:
>
> [root at ipa httpd]# certutil -L -d /etc/httpd/alias/
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> Server-Cert                                                  u,u,u
> auditSigningCert cert-pki-ca                                 u,u,u
> EXAMPLE.COM IPA CA                                           CTu,u,Cu
> ipaCert                                                      u,u,u
> ocspSigningCert cert-pki-ca                                  u,u,u
> subsystemCert cert-pki-ca                                    u,u,u
>
> Upon reboot, httpd fails to start with the error: Failed to start
> Identity, Policy, Audit. But it can be started later with `ipactl
> restart`. Finally, the two last IPA services don't appear to start:
>
> [root at ipa]# ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> ipa_memcached Service: RUNNING
> httpd Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: STOPPED
> ipa-dnskeysyncd Service: STOPPED
> ipa: INFO: The ipactl command was successful
>
> I'd appreciate any guidance or suggestions.
>
> Thanks,
>
> Dan
>
> *Daniel Alex Finkelstein*| Senior Dev Ops Engineer
>
> _Dan.Finkelstein at h5g.com <mailto:Dan.Finkelstein at h5g.com>_ | 212.604.3447
>
> One World Trade Center, New York, NY 10007
>
> www.high5games.com <http://www.high5games.com/>
>
> Play High 5 Casino <https://apps.facebook.com/highfivecasino/> and Shake
> the Sky <https://apps.facebook.com/shakethesky/>
>
> Follow us on: Facebook <http://www.facebook.com/high5games>, Twitter
> <https://twitter.com/High5Games>, YouTube
> <http://www.youtube.com/High5Games>, Linkedin
> <http://www.linkedin.com/company/1072533?trk=tyah>
>
> //
>
> /This message and any attachments may contain confidential or privileged
> information and are only for the use of the intended recipient of this
> message. If you are not the intended recipient, please notify the sender
> by return email, and delete or destroy this and all copies of this
> message and all attachments. Any unauthorized disclosure, use,
> distribution, or reproduction of this message or any attachments is
> prohibited and may be unlawful./