[Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)
Dan.Finkelstein at high5games.com
Dan.Finkelstein at high5games.com
Fri Jun 10 18:52:45 UTC 2016
That’s exactly right, and we got the files and links back to serviceable order. Now we're (merely) facing issues with our restored certificate store, which the pki-tomcatd process is not happy with. All IPA services start normally except for tomcat, which spits out SSL errors (and we're pretty sure must be related to bad certs… somewhere).
Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
Internal Database Error encountered: Could not connect to LDAP server host ipa.example.com port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:673)
at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1107)
at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1013)
at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:510)
at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
at com.netscape.certsrv.apps.CMS.start(CMS.java:1601)
at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
at javax.servlet.GenericServlet.init(GenericServlet.java:158)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
I think we might be willing to toss out the existing certificate store and start anew, which fortunately should preserve the DNS, user, group, etc., data already in LDAP. If we wanted to create a new trust and self-signed cert for the server, how are those steps different from promoting a replica to a cert-signing master?
Thanks,
Dan
[cid:image001.jpg at 01D1C327.BEB26C00]<http://www.high5games.com/>
Daniel Alex Finkelstein| Lead Dev Ops Engineer
Dan.Finkelstein at h5g.com<mailto:Dan.Finkelstein at h5g.com> | 212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com<http://www.high5games.com/>
Play High 5 Casino<https://apps.facebook.com/highfivecasino/> and Shake the Sky<https://apps.facebook.com/shakethesky/>
Follow us on: Facebook<http://www.facebook.com/high5games>, Twitter<https://twitter.com/High5Games>, YouTube<http://www.youtube.com/High5Games>, Linkedin<http://www.linkedin.com/company/1072533?trk=tyah>
This message and any attachments may contain confidential or privileged information and are only for the use of the intended recipient of this message. If you are not the intended recipient, please notify the sender by return email, and delete or destroy this and all copies of this message and all attachments. Any unauthorized disclosure, use, distribution, or reproduction of this message or any attachments is prohibited and may be unlawful.
From: Rob Crittenden <rcritten at redhat.com>
Date: Friday, June 10, 2016 at 14:48
To: Daniel Finkestein <Dan.Finkelstein at high5games.com>, "freeipa-users at redhat.com" <freeipa-users at redhat.com>
Subject: Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)
I'd reinstall some rpms to properly create these:
tomcat
pki-base
pki-server
I'm not positive it will fix permissions, rpm -V on the same may point
out problems as well.
rob
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160610/084fa4eb/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 4333 bytes
Desc: image001.jpg
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160610/084fa4eb/attachment.jpg>
More information about the Freeipa-users
mailing list