[Freeipa-users] IPA 4.2: pki-tomcatd in terrible shape

Rob Crittenden rcritten at redhat.com
Mon Mar 28 15:00:33 UTC 2016


Timothy Geier wrote:
>
>> On Feb 28, 2016, at 2:15 AM, Timothy Geier <tgeier at accertify.com
>> <mailto:tgeier at accertify.com>> wrote:
>>
>>
>>> On Feb 23, 2016, at 4:22 AM, Ludwig Krispenz <lkrispen at redhat.com
>>> <mailto:lkrispen at redhat.com>> wrote:
>>>
>>>
>>> On 02/22/2016 11:51 PM, Timothy Geier wrote:
>>>>
>>>> What’s the established procedure to start a 389 instance without any
>>>> replication agreements enabled?  The only thing that seemed close on
>>>> google
>>>> (http://directory.fedoraproject.org/docs/389ds/howto/howto-fix-and-reset-time-skew.html)
>>>> seems risky and couldn’t be done
>>>> trivially in a production environment.
>>> no, this is about how to get out of problems when replication could
>>> no longer synchronize its csn time generation, either by too many
>>> accumulated time drifts or playing with system time, hope you don't
>>> have to go through this.
>>>
>>> Enabling/disabling a replication agreement can be done by setting the
>>> configuration parameter:
>>>
>>> look for replication agreements (entries with
>>> objectclass=nsDS5ReplicationAgreement) and set
>>> nsds5ReplicaEnabled: off
>>>
>>> you can do this with an ldapmodify when the server is running or by
>>> editing /etc/dirsrv/slapd-<INSTANCE>/dse.ldif when the server is stopped
>>
>> Thanks for the procedure. The good news is this worked quite well in
>> making sure that 389 didn’t crash immediately after startup.  The bad
>> news is that the certificates still didn’t renew due to
>>
>> Server at "http://master_server:8080/ca/ee/ca/profileSubmit"
>> replied: Profile caServerCert Not Found
>>
>> which was the same error in getcert list I saw that one time 389
>> didn’t crash right away.  At least now this can be further
>> troubleshot without worrying about 389.
>>
>>
>
> To follow up on this issue, we haven’t been able to get any further
> since last month due to the missing caServerCert profile. The
> configuration files /usr/share/pki/ca/profiles/ca/caServerCert.cfg
> and /var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg are present
> and are identical. The pki-ca package passes rpm -V as well. Are there
> any other troubleshooting steps we can take?

Maybe Endi or Ade have some ideas why the CA isn't recognizing the profile.

rob
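As an added example (not code from the thread, from 389-ds or from FreeIPA), this is the stopped-server variant of the procedure Ludwig describes above: rewrite a dse.ldif so that every entry with objectclass nsDS5ReplicationAgreement carries nsds5ReplicaEnabled: off, leaving the replica entry itself alone. The sample dse.ldif fragment, its DNs and hostnames are constructed; the real file lives at /etc/dirsrv/slapd-<INSTANCE>/dse.ldif and must only be edited while the instance is stopped.

```python
"""Set nsds5ReplicaEnabled: off on every nsDS5ReplicationAgreement entry of a dse.ldif.
Added example, not code from the thread or from 389-ds; the sample LDIF below is constructed."""
import re

def _unfold(ldif: str) -> str:
    # LDIF folds long values onto a following line that starts with one space; join
    # them so each attribute is a single line (389-ds reads unfolded lines fine).
    return re.sub(r"\n ", "", ldif.replace("\r\n", "\n"))

def disable_agreements(ldif: str) -> tuple[str, int]:
    """Return (rewritten LDIF text, number of agreement entries switched off)."""
    out, touched = [], 0
    for entry in re.split(r"\n{2,}", _unfold(ldif).strip("\n")):
        lines = entry.split("\n")
        # Match the objectclass case-insensitively; dse.ldif keeps whatever case was written.
        is_agreement = any(
            re.fullmatch(r"objectclass:\s*nsds5replicationagreement\s*", line, re.I)
            for line in lines)
        if is_agreement:
            # Drop any existing nsds5ReplicaEnabled value (on or off) and append "off".
            lines = [line for line in lines if not re.match(r"nsds5replicaenabled:", line, re.I)]
            lines.append("nsds5ReplicaEnabled: off")
            touched += 1
        out.append("\n".join(lines))
    return "\n\n".join(out) + "\n", touched

# Constructed dse.ldif fragment (made-up DNs and hosts): a replica entry that must stay
# untouched, one agreement currently "on" with a folded dn, one with no flag at all.
SAMPLE_DSE_LDIF = r"""dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: nsDS5Replica
cn: replica

dn: cn=meToreplica1.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mappi
 ng tree,cn=config
objectClass: nsds5replicationAgreement
cn: meToreplica1.example.com
nsDS5ReplicaHost: replica1.example.com
nsds5ReplicaEnabled: on

dn: cn=meToreplica2.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
cn: meToreplica2.example.com
nsDS5ReplicaHost: replica2.example.com
"""

if __name__ == "__main__":
    text, n = disable_agreements(SAMPLE_DSE_LDIF)
    print(f"{n} agreement(s) set to nsds5ReplicaEnabled: off\n{text}")
```

To apply it to a real instance, stop dirsrv, keep a copy of dse.ldif, feed the file contents to disable_agreements() and write the result back before starting the instance again; re-enabling later is the same edit with "on", or the ldapmodify variant Ludwig mentions once the server is up.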
