[Freeipa-users] FreeIPA 4.2 CA issues

Petr Vobornik pvoborni at redhat.com
Thu Jan 26 11:31:58 UTC 2017


On 01/25/2017 02:30 PM, Gendy Tartovsky wrote:
> Hi,
> 
> I'm having a PKI-tomcat issue that started after an upgrade.
> My configuration has 4 servers with CA, where servers 2, 3 and 4 are replicated 
> from the first one.
> At first it didn't cause much trouble, since the whole issue came down to 
> pki-tomcat taking about 2 minutes to start.
> But it seems that the problem has progressed a lot and is causing issues in multiple 
> parts of the system.
> 
> After upgrading FreeIPA from 4.1 to 4.2, ipactl would not start on the first node 
> without --ignore-service-failures.
> 
> I found that in the menu Authentication-->Certificates
> I have multiple certificates for the same hosts; in some cases there were up to 30 
> duplicates per host, and it is unclear what is generating them.
> 
> Next issue is that if I try to add a new replica with ipa-replica-prepare utility
> I get an error: "Failed to generate certificate"
> 
> And the last problem I found is that I am unable to restore a backup.
> The ipa-restore utility is able to unpack the backup, but once I try to start 
> FreeIPA on a new node, pki-tomcat fails to start. I see this message in the debug log:
> 
> ipa: DEBUG: Waiting for CA to start...
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' 
> '--no-check-certificate' 'https://XXXX:8443/ca/admin/ca/getStatus'
> ipa: DEBUG: Process finished, return code=8
> 
> 
> In /var/log/dirsrv/slapd-XXX/errors I see a lot of these:
> NSMMReplicationPlugin - process_postop: Failed to apply update 
> (57c3cc550002000d0000) error (-1).  Aborting replication session(conn=272420 op=6)
> 
> but I'm not sure if it is directly related to the problem.
> 
> In /var/log/pki/pki-tomcat/ca/debug I see a lot of these messages:
> Can't create master connection in LdapBoundConnFactory::getConn! Could not 
> connect to LDAP server host bos-admin1.hq.datarobot.com 
> port 636 Error netscape.ldap.LDAPException: 
> IO Error creating JSS SSL Socket
> 
> My guess was that the CA certificate had expired, so I tried to run 
> 'ipa-cacert-manage renew',
> but it failed with this message:
> 
> Resubmitting certmonger request '20151222031110' timed out, please check the 
> request manually
> 
> 
> Don't really know what else to try right now.
> 

Could you check:

Is the directory server listening on ports 389 and 636?

Is the PKI server listening on port 8009, i.e. are you hitting bug
https://fedorahosted.org/freeipa/ticket/6575 ?

You can verify whether the certs are expired by running

# getcert list

and checking the expiration dates.
-- 
Petr Vobornik
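The checklist in this reply (directory server on 389/636, pki-tomcat on 8009, and `getcert list` for expired certificates), as an added POSIX shell helper. This is example code written for this thread, not code from FreeIPA, certmonger, or either poster. It assumes `ss` from iproute2 and certmonger's `getcert` are present on a real IPA server; when they are not, it falls back to the constructed sample outputs embedded below (the realm EXAMPLE.TEST and its request IDs are made up). Port 8443 is included because the `getStatus` check quoted above targets it.

```shell
#!/bin/sh
# Added diagnostic helper, not part of the thread or of FreeIPA itself.
# Assumptions: `ss` (iproute2) and `getcert` (certmonger) exist on a real IPA
# server; otherwise the constructed samples below are used instead.
# Ports checked: 389/636 (directory server), 8009 and 8443 (pki-tomcat).

# Constructed sample of `ss -ltn` output: 389 and 636 listen, 8009/8443 do not.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:389        0.0.0.0:*
LISTEN 0      128    [::]:636           [::]:*'

# Constructed sample of `getcert list` output (fictional realm): one tracked
# request has already expired, the other has not.
GETCERT_SAMPLE="Number of certificates and requests being tracked: 2.
Request ID '20151222031110':
    status: MONITORING
    stuck: no
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.TEST
    subject: CN=CA Audit,O=EXAMPLE.TEST
    expires: 2016-12-10 03:11:10 UTC
Request ID '20151222031111':
    status: MONITORING
    stuck: no
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.TEST
    subject: CN=OCSP Subsystem,O=EXAMPLE.TEST
    expires: 2018-06-01 00:00:00 UTC"

# missing_ports SS_OUTPUT PORT...: print each requested port that has no LISTEN
# socket in the given `ss -ltn` output. Returns 0 only when all ports listen.
missing_ports() {
    ss_out=$1; shift
    rc=0
    for port in "$@"; do
        if ! printf '%s\n' "$ss_out" | awk -v port="$port" '
            $1 == "LISTEN" && $4 ~ (":" port "$") { found = 1 }
            END { exit !found }'; then
            printf '%s\n' "$port"
            rc=1
        fi
    done
    return $rc
}

# expired_requests GETCERT_OUTPUT NOW: print "REQUEST_ID EXPIRY" for each tracked
# certificate whose expiry is before NOW. certmonger prints expiry as
# "YYYY-MM-DD HH:MM:SS UTC", so a plain string comparison orders timestamps
# correctly without needing date arithmetic.
expired_requests() {
    printf '%s\n' "$1" | awk -v now="$2" '
        /^Request ID/     { id = $3; gsub(/[^0-9]/, "", id) }
        /^[ \t]*expires:/ { ex = $2 " " $3; if (ex < now) print id, ex }'
}

# Run both checks against live tool output when available, else the samples.
run_checks() {
    if command -v ss >/dev/null 2>&1; then ss_out=$(ss -ltn); else ss_out=$SS_SAMPLE; fi
    if command -v getcert >/dev/null 2>&1; then cert_out=$(getcert list); else cert_out=$GETCERT_SAMPLE; fi
    now=$(date -u '+%Y-%m-%d %H:%M:%S')

    echo "Ports with no listener (expect none on a healthy CA master):"
    missing_ports "$ss_out" 389 636 8009 8443 || true
    echo "Expired certmonger-tracked certificates (request ID, expiry):"
    expired_requests "$cert_out" "$now"
}

# Only run when invoked with --run, so the functions can also be sourced.
if [ "${1-}" = "--run" ]; then
    run_checks
fi
```

Run it as root on the affected master with `sh check-ipa-ca.sh --run`; a port listed under "no listener" points at the service that needs its own logs examined, and any request ID listed as expired is the one to inspect with `getcert list -i <id>` before attempting a renewal.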