[Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)
Petr Vobornik
pvoborni at redhat.com
Mon Jun 13 08:41:39 UTC 2016
On 06/12/2016 07:05 PM, Dan.Finkelstein at high5games.com wrote:
> The restore I was referring to was a red herring; we ended up wiping the server
> and saving ipa-backup files, which was the only way we could successfully
> reconfigure/reinitialize IPA on the host.
>
As Rob wrote, please check PKI logs. The most important ones here are:
/var/log/pki/pki-tomcat/ca/selftests.log
/var/log/pki/pki-tomcat/ca/debug
The debug log usually has additional info on the possible cause of what is
logged in the selftest log.
> *From: *Rob Crittenden <rcritten at redhat.com>
> *Date: *Friday, June 10, 2016 at 17:17
> *To: *Daniel Finkestein <Dan.Finkelstein at high5games.com>,
> "freeipa-users at redhat.com" <freeipa-users at redhat.com>
> *Subject: *Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error
> 4301: CertificateOperationError)
>
> Dan.Finkelstein at high5games.com wrote:
>
> > And, from the 'ipactl -d --ignore-service-failures restart' we get this:
> >
> > ipa: DEBUG: stderr=
> > ipa: DEBUG: wait_for_open_ports: localhost [8080, 8443] timeout 300
> > ipa: DEBUG: Waiting until the CA is running
> > ipa: DEBUG: Starting external process
> > ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'
> > ipa: DEBUG: Process finished, return code=4
> > ipa: DEBUG: stdout=
> > ipa: DEBUG: stderr=--2016-06-10 15:29:38--  https://ipa.example.com:8443/ca/admin/ca/getStatus
> > Resolving ipa.example.com (ipa.example.com)... 10.55.10.31
> > Connecting to ipa.example.com (ipa.example.com)|10.55.10.31|:8443... connected.
> > Unable to establish SSL connection.
> > ipa: DEBUG: The CA status is: check interrupted due to error: Command ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'' returned non-zero exit status 4
> > ipa: DEBUG: Waiting for CA to start...
> > ipa: DEBUG: Starting external process
> > ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'
> > ipa: DEBUG: Process finished, return code=4
> > ipa: DEBUG: stdout=
> > ipa: DEBUG: stderr=--2016-06-10 15:29:43--  https://ipa.example.com:8443/ca/admin/ca/getStatus
> > Resolving ipa.example.com (ipa.example.com)... 10.55.10.31
> > Connecting to ipa.example.com (ipa.example.com)|10.55.10.31|:8443... connected.
> > Unable to establish SSL connection.
> > ipa: DEBUG: The CA status is: check interrupted due to error: Command ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'' returned non-zero exit status 4
> > ipa: DEBUG: Waiting for CA to start...
> > ipa: DEBUG: Starting external process
> > ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'
> >
> > Which leads me to believe that tomcat doesn't have the right certificate(s).
>
> I don't think that's the problem. I'd check the pki logs to see if it
> started and if not, why. Note that it is quite possible for tomcat to
> start and the CA to fail because tomcat is just a container.
>
> In a previous e-mail you said something about a restore, what was that?
>
> rob
>
> *Daniel Alex Finkelstein* | Lead Dev Ops Engineer
> Dan.Finkelstein at h5g.com | 212.604.3447
> One World Trade Center, New York, NY 10007
>
>
> *From: *<freeipa-users-bounces at redhat.com> on behalf of Daniel Finkestein <Dan.Finkelstein at high5games.com>
> *Date: *Friday, June 10, 2016 at 14:52
> *To: *"freeipa-users at redhat.com" <freeipa-users at redhat.com>
> *Subject: *Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)
>
> That's exactly right, and we got the files and links back to serviceable
> order. Now we're (merely) facing issues with our restored certificate
> store, which the pki-tomcatd process is not happy with. All IPA services
> start normally except for tomcat, which spits out SSL errors (and we're
> pretty sure must be related to bad certs… somewhere).
>
> Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
> Internal Database Error encountered: Could not connect to LDAP server host ipa.example.com port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
>         at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:673)
>         at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1107)
>         at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1013)
>         at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:510)
>         at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
>         at com.netscape.certsrv.apps.CMS.start(CMS.java:1601)
>         at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
>         at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:606)
>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
>         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
>         at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
>         at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
>         at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
>         at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
>         at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
>         at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
>         at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>         at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>         at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
>         at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
>         at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
>         at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
>         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
>         at java.util.concurrent.FutureTask.run(FutureTask.java:262)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>         at java.lang.Thread.run(Thread.java:745)
>
> I think we might be willing to toss out the existing certificate store
> and start anew, which fortunately should preserve the DNS, user, group,
> etc., data already in LDAP. If we wanted to create a new trust and
> self-signed cert for the server, how are those steps different from
> promoting a replica to a cert-signing master?
>
> Thanks,
> Dan
>
>
> *From: *Rob Crittenden <rcritten at redhat.com>
> *Date: *Friday, June 10, 2016 at 14:48
> *To: *Daniel Finkestein <Dan.Finkelstein at high5games.com>, "freeipa-users at redhat.com" <freeipa-users at redhat.com>
> *Subject: *Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)
>
> I'd reinstall some rpms to properly create these:
>
> tomcat
> pki-base
> pki-server
>
> I'm not positive it will fix permissions, rpm -V on the same may point
> out problems as well.
>
> rob
>
--
Petr Vobornik
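As an added example (not code from this thread, FreeIPA or Dogtag), a small POSIX shell helper that strings together the checks the thread discusses: the same getStatus probe that ipactl runs, the LDAPS port 636 that the CA's "IO Error creating JSS SSL Socket" refers to, the rpm -V verification Rob suggested, and the two PKI logs Petr named. The host name and log paths come from the thread; the RUN_CA_CHECKS switch and the wget exit-code explanations are mine.

```shell
#!/bin/sh
# Added diagnostic helper for a pki-tomcatd CA that fails to come up.
# IPA_HOST defaults to the host name quoted in the thread (assumption).
IPA_HOST="${IPA_HOST:-ipa.example.com}"

# Map a wget exit status to the most likely failure class, so that
# "return code=4" in the ipactl debug output can be read at a glance.
explain_wget_rc() {
    case "$1" in
        0) echo "ok: CA answered getStatus" ;;
        4) echo "network failure: TLS handshake or connection failed (CA not up, or its server cert/NSS db is unusable)" ;;
        5) echo "TLS verification failure (unexpected with --no-check-certificate)" ;;
        8) echo "HTTP error: Tomcat is up but the CA webapp is not serving" ;;
        *) echo "wget exit $1: see the EXIT STATUS section of wget(1)" ;;
    esac
}

# The same probe ipactl performs while "Waiting until the CA is running".
check_ca_status() {
    wget -S -O - --timeout=30 --no-check-certificate \
        "https://${IPA_HOST}:8443/ca/admin/ca/getStatus" >/dev/null 2>&1
    rc=$?
    echo "getStatus: $(explain_wget_rc "$rc")"
    return "$rc"
}

# The CA opens an LDAPS connection to 389-ds at startup; confirm the port
# speaks TLS and show which certificate it presents and when it expires.
check_ldaps() {
    echo | openssl s_client -connect "${IPA_HOST}:636" -servername "$IPA_HOST" 2>/dev/null \
        | openssl x509 -noout -subject -enddate
}

# rpm -V lists files whose mode, owner or checksum differ from the package.
check_pki_rpms() {
    rpm -V tomcat pki-base pki-server
}

# Last self-test failures, then the tail of the CA debug log for the cause.
show_pki_logs() {
    grep -i fail /var/log/pki/pki-tomcat/ca/selftests.log | tail -n 5
    tail -n 20 /var/log/pki/pki-tomcat/ca/debug
}

# Network and filesystem checks only run when explicitly requested.
if [ "${RUN_CA_CHECKS:-0}" = "1" ]; then
    check_ca_status; check_ldaps; check_pki_rpms; show_pki_logs
fi
```

Run it on the IPA master as root with RUN_CA_CHECKS=1; a wget exit of 4 together with a clean LDAPS handshake points at the CA's own NSS database rather than at 389-ds.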