[Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)

Rob Crittenden rcritten at redhat.com
Fri Jun 10 21:17:49 UTC 2016


Dan.Finkelstein at high5games.com wrote:
> And, from the 'ipactl -d --ignore-service-failures restart' we get this:
>
> ipa: DEBUG: stderr=
>
> ipa: DEBUG: wait_for_open_ports: localhost [8080, 8443] timeout 300
>
> ipa: DEBUG: Waiting until the CA is running
>
> ipa: DEBUG: Starting external process
>
> ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
> '--no-check-certificate'
> 'https://ipa.example.com:8443/ca/admin/ca/getStatus'
>
> ipa: DEBUG: Process finished, return code=4
>
> ipa: DEBUG: stdout=
>
> ipa: DEBUG: stderr=--2016-06-10 15:29:38--
> https://ipa.example.com:8443/ca/admin/ca/getStatus
>
> Resolving ipa.example.com (ipa.example.com)... 10.55.10.31
>
> Connecting to ipa.example.com (ipa.example.com)|10.55.10.31|:8443...
> connected.
>
> Unable to establish SSL connection.
>
> ipa: DEBUG: The CA status is: check interrupted due to error: Command
> ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate'
> 'https://ipa.example.com:8443/ca/admin/ca/getStatus'' returned non-zero
> exit status 4
>
> ipa: DEBUG: Waiting for CA to start...
>
> ipa: DEBUG: Starting external process
>
> ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
> '--no-check-certificate'
> 'https://ipa.example.com:8443/ca/admin/ca/getStatus'
>
> ipa: DEBUG: Process finished, return code=4
>
> ipa: DEBUG: stdout=
>
> ipa: DEBUG: stderr=--2016-06-10 15:29:43--
> https://ipa.example.com:8443/ca/admin/ca/getStatus
>
> Resolving ipa.example.com (ipa.example.com)... 10.55.10.31
>
> Connecting to ipa.example.com (ipa.example.com)|10.55.10.31|:8443...
> connected.
>
> Unable to establish SSL connection.
>
> ipa: DEBUG: The CA status is: check interrupted due to error: Command
> ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate'
> 'https://ipa.example.com:8443/ca/admin/ca/getStatus'' returned non-zero
> exit status 4
>
> ipa: DEBUG: Waiting for CA to start...
>
> ipa: DEBUG: Starting external process
>
> ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
> '--no-check-certificate'
> 'https://ipa.example.com:8443/ca/admin/ca/getStatus'
>
> Which leads me to believe that tomcat doesn't have the right certificate(s).

I don't think that's the problem. I'd check the pki logs to see if it 
started and if not, why. Note that it is quite possible for tomcat to 
start and the CA to fail because tomcat is just a container.

In a previous e-mail you said something about a restore, what was that?

rob

>
> <http://www.high5games.com/>
>
> *Daniel Alex Finkelstein*| Lead Dev Ops Engineer
>
> _Dan.Finkelstein at h5g.com <mailto:Dan.Finkelstein at h5g.com>_| 212.604.3447
>
> One World Trade Center, New York, NY 10007
>
> www.high5games.com <http://www.high5games.com/>
>
> Play High 5 Casino <https://apps.facebook.com/highfivecasino/> and Shake
> the Sky <https://apps.facebook.com/shakethesky/>
>
> Follow us on: Facebook <http://www.facebook.com/high5games>, Twitter
> <https://twitter.com/High5Games>, YouTube
> <http://www.youtube.com/High5Games>, Linkedin
> <http://www.linkedin.com/company/1072533?trk=tyah>
>
> //
>
> /This message and any attachments may contain confidential or privileged
> information and are only for the use of the intended recipient of this
> message. If you are not the intended recipient, please notify the sender
> by return email, and delete or destroy this and all copies of this
> message and all attachments. Any unauthorized disclosure, use,
> distribution, or reproduction of this message or any attachments is
> prohibited and may be unlawful./
>
> *From: *<freeipa-users-bounces at redhat.com> on behalf of Daniel
> Finkestein <Dan.Finkelstein at high5games.com>
> *Date: *Friday, June 10, 2016 at 14:52
> *To: *"freeipa-users at redhat.com" <freeipa-users at redhat.com>
> *Subject: *Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA
> Error 4301: CertificateOperationError)
>
> That’s exactly right, and we got the files and links back to serviceable
> order. Now we're (merely) facing issues with our restored certificate
> store, which the pki-tomcatd process is not happy with. All IPA services
> start normally except for tomcat, which spits out SSL errors (and we're
> pretty sure must be related to bad certs somewhere).
>
> Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
>
> Internal Database Error encountered: Could not connect to LDAP server
> host ipa.example.com port 636 Error netscape.ldap.LDAPException: IO
> Error creating JSS SSL Socket (-1)
>
>                  at
> com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:673)
>
>                  at
> com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1107)
>
>                  at
> com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1013)
>
>                  at
> com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:510)
>
>                  at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
>
>                  at com.netscape.certsrv.apps.CMS.start(CMS.java:1601)
>
>                  at
> com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
>
>                  at
> javax.servlet.GenericServlet.init(GenericServlet.java:158)
>
>                  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native
> Method)
>
>                  at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>
>                  at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>
>                  at java.lang.reflect.Method.invoke(Method.java:606)
>
>                  at
> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
>
>                  at
> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
>
>                  at java.security.AccessController.doPrivileged(Native
> Method)
>
>                  at
> javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
>
>                  at
> org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
>
>                  at
> org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
>
>                  at
> org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
>
>                  at
> org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
>
>                  at
> org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
>
>                  at
> org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
>
>                  at
> org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
>
>                  at
> org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
>
>                  at
> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
>
>                  at
> org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
>
>                  at
> org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>
>                  at
> org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>
>                  at
> org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>
>                  at java.security.AccessController.doPrivileged(Native
> Method)
>
>                  at
> org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
>
>                  at
> org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
>
>                  at
> org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
>
>                  at
> org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
>
>                  at
> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
>
>                  at java.util.concurrent.FutureTask.run(FutureTask.java:262)
>
>                  at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>
>                  at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>
>                  at java.lang.Thread.run(Thread.java:745)
>
> I think we might be willing to toss out the existing certificate store
> and start anew, which fortunately should preserve the DNS, user, group,
> etc., data already in LDAP. If we wanted to create a new trust and
> self-signed cert for the server, how are those steps different from
> promoting a replica to a cert-signing master?
>
> Thanks,
>
> Dan
>
> *From: *Rob Crittenden <rcritten at redhat.com>
> *Date: *Friday, June 10, 2016 at 14:48
> *To: *Daniel Finkestein <Dan.Finkelstein at high5games.com>,
> "freeipa-users at redhat.com" <freeipa-users at redhat.com>
> *Subject: *Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA
> Error 4301: CertificateOperationError)
>
> I'd reinstall some rpms to properly create these:
>
> tomcat
>
> pki-base
>
> pki-server
>
> I'm not positive it will fix permissions, rpm -V on the same may point
>
> out problems as well.
>
> rob
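The thread above contains two different pieces of evidence: the `ipactl -d` probe of `https://ipa.example.com:8443/ca/admin/ca/getStatus` (TCP connects, the TLS handshake fails) and the pki-tomcat exception showing the CA's own LDAPS connection to port 636 failing. They point at different layers, which is why Rob says "tomcat is just a container" and asks for the pki logs rather than accepting the "bad certs" guess. As an added illustration, not code from the thread or from FreeIPA, here is a small Python triage script that runs over constructed excerpts modelled on the quoted output and reports which layer failed and where to look next. The log paths and the `pki-tomcatd@pki-tomcat` unit name in its hints are my assumptions about a Dogtag 10 / FreeIPA 4.x layout, not something the thread states.

```python
"""Triage helper for a FreeIPA CA (pki-tomcatd) that will not come up.

Added example, not code from the thread or from FreeIPA. It classifies two
kinds of evidence quoted in the thread:

  * `ipactl -d` debug output, in which ipactl polls
    https://<host>:8443/ca/admin/ca/getStatus with wget, and
  * the pki-tomcat exception text ("IO Error creating JSS SSL Socket").

The aim is to name *which layer* failed (TCP, TLS on 8443, or the CA's own
LDAPS connection to the directory server) so the next log to read is clear,
instead of assuming "bad certs" from the first SSL error seen.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    source: str      # which input the evidence came from
    layer: str       # "ok", "tcp", "tls", "ldap" or "unknown"
    symptom: str     # what the evidence shows
    next_check: str  # where a defender should look next


# Assumed Dogtag 10 / pki-tomcat log locations; adjust to your deployment.
PKI_LOGS = "/var/log/pki/pki-tomcat/catalina.out and /var/log/pki/pki-tomcat/ca/debug"

# Constructed sample: an `ipactl -d` excerpt modelled on the thread.
IPACTL_DEBUG = """\
ipa: DEBUG: wait_for_open_ports: localhost [8080, 8443] timeout 300
ipa: DEBUG: Waiting until the CA is running
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'
ipa: DEBUG: Process finished, return code=4
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=--2016-06-10 15:29:38--  https://ipa.example.com:8443/ca/admin/ca/getStatus
Resolving ipa.example.com (ipa.example.com)... 10.55.10.31
Connecting to ipa.example.com (ipa.example.com)|10.55.10.31|:8443... connected.
Unable to establish SSL connection.
ipa: DEBUG: The CA status is: check interrupted due to error: Command returned non-zero exit status 4
"""

# Constructed sample: the pki-tomcat exception modelled on the thread.
PKI_DEBUG = """\
Internal Database Error encountered: Could not connect to LDAP server host ipa.example.com port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
                 at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:673)
                 at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1107)
"""

LDAP_RE = re.compile(r"Could not connect to LDAP server host (\S+) port (\d+)")


def _classify_probe(rc, stderr: str) -> Finding:
    """Turn one wget probe (exit code + stderr) into a layered finding."""
    if rc == 0:
        return Finding("ipactl", "ok", "getStatus answered", "nothing: the CA is up")
    if "Unable to establish SSL connection" in stderr:
        if "connected." in stderr:
            # The TCP accept worked, so a listener exists on 8443; only the
            # handshake failed. That is the situation in the thread.
            return Finding("ipactl", "tls",
                           "TCP connect to :8443 succeeded but the TLS handshake failed",
                           "tomcat is listening; read " + PKI_LOGS
                           + " to see whether the CA webapp initialised before blaming certificates")
        return Finding("ipactl", "tls", "TLS failure before connect", PKI_LOGS)
    if "Connection refused" in stderr:
        return Finding("ipactl", "tcp", "nothing listening on :8443",
                       "pki-tomcatd did not start; check journalctl -u pki-tomcatd@pki-tomcat")
    if "timed out" in stderr:
        return Finding("ipactl", "tcp", "connect timed out", "host firewall / routing to :8443")
    return Finding("ipactl", "unknown", f"wget exit {rc}", PKI_LOGS)


def triage_ipactl(text: str) -> list:
    """Classify each completed wget status probe found in `ipactl -d` output."""
    findings, rc, stderr = [], None, []
    for line in text.splitlines():
        if "Process finished, return code=" in line:
            rc, stderr = int(line.rsplit("=", 1)[1]), []
        elif line.startswith("ipa: DEBUG: stderr="):
            stderr = [line.split("stderr=", 1)[1]]
        elif line.startswith("ipa: DEBUG: The CA status is"):
            findings.append(_classify_probe(rc, "\n".join(stderr)))
            rc = None
        elif rc is not None and not line.startswith("ipa: DEBUG:"):
            stderr.append(line)  # continuation line of wget's stderr
    return findings


def triage_pki(text: str) -> list:
    """Classify CA-to-directory-server connection failures in pki-tomcat logs."""
    findings = []
    for line in text.splitlines():
        m = LDAP_RE.search(line)
        if not m:
            continue
        host, port = m.group(1), m.group(2)
        if "JSS SSL Socket" in line:
            findings.append(Finding("pki-tomcat", "ldap",
                f"CA could not open an LDAPS (JSS) connection to {host}:{port}",
                f"confirm the directory server answers TLS on {port} and that the certificate it "
                "presents chains to a CA the pki-tomcat NSS database trusts; tomcat can be up "
                "while the CA subsystem is down"))
        else:
            findings.append(Finding("pki-tomcat", "ldap",
                f"CA could not reach {host}:{port}", "check that dirsrv is running"))
    return findings


def diagnose(ipactl_text: str, pki_text: str) -> list:
    """Combined view: probe findings first, then the CA's own errors."""
    return triage_ipactl(ipactl_text) + triage_pki(pki_text)


if __name__ == "__main__":
    for f in diagnose(IPACTL_DEBUG, PKI_DEBUG):
        print(f"[{f.source}] layer={f.layer}: {f.symptom}\n    next: {f.next_check}")
```

Run against the two constructed excerpts it reports a `tls` finding for the 8443 probe (listener present, handshake failing) and an `ldap` finding for the 636 connection, which is the distinction the thread turns on: the second finding explains why the first one does not by itself prove the tomcat connector's certificate is wrong.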