[Freeipa-users] FreeIPA 4.2 CA issues

Gendy Tartovsky intiro at gmail.com
Thu Jan 26 12:30:28 UTC 2017


Hi Petr,

# getcert list showed that all certificates are valid for 10 more months.

Server is listening on both ports 389 and 636 and external services are able
to use them.

Also port 8009 is active, I was able to do a telnet on it from localhost.


On Thu, Jan 26, 2017 at 1:31 PM, Petr Vobornik <pvoborni at redhat.com> wrote:

> On 01/25/2017 02:30 PM, Gendy Tartovsky wrote:
> >   Hi,
> >
> > I'm having a PKI-tomcat issue that started after an upgrade.
> > My configuration has 4 servers with CA, where servers 2, 3 and 4 are
> > replicated from the first one.
> > At first it didn't cause much trouble since the issue came down to
> > pki-tomcat taking about 2 minutes to start.
> > But it seems that the problem has progressed a lot and is causing issues in
> > multiple parts of the system.
> >
> > After upgrading FreeIPA from 4.1 to 4.2, ipactl would not start on the first
> > node without the --ignore-service-failures.
> >
> > I found that in the menu Authentication-->Certificates
> > I have multiple certificates for the same hosts; in some cases there were
> > up to 30 duplicates per host and it is unclear what is generating them.
> >
> > Next issue is that if I try to add a new replica with the
> > ipa-replica-prepare utility I get an error: "Failed to generate certificate"
> >
> > And the last problem I found is that I am unable to restore a backup.
> > The ipa-restore utility is able to unpack the backup but once I try to
> > start FreeIPA on a new node the pki-tomcat fails to start. And I see this
> > message in debug:
> >
> > ipa: DEBUG: Waiting for CA to start...
> > ipa: DEBUG: Starting external process
> > ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
> > '--no-check-certificate' 'https://XXXX:8443/ca/admin/ca/getStatus'
> > ipa: DEBUG: Process finished, return code=8
> >
> >
> > In the /var/log/dirsrv/slapd-XXX/errors I see a lot of these
> > NSMMReplicationPlugin - process_postop: Failed to apply update
> > (57c3cc550002000d0000) error (-1).  Aborting replication
> > session(conn=272420 op=6)
> >
> > but I'm not sure if it is directly related to the problem.
> >
> > In /var/log/pki/pki-tomcat/ca/debug I see a lot of these messages:
> > Can't create master connection in LdapBoundConnFactory::getConn! Could not
> > connect to LDAP server host bos-admin1.hq.datarobot.com port 636 Error
> > netscape.ldap.LDAPException: IO Error creating JSS SSL Socket
> >
> > My guess was that the CA certificate had expired, so I tried to run
> > 'ipa-cacert-manage renew'
> > but it failed with this message:
> >
> > Resubmitting certmonger request '20151222031110' timed out, please check the
> > request manually
> >
> >
> > Don't really know what else to try right now.
> >
>
> Could you check:
>
> Is the directory server listening on ports 389 and 636?
>
> Is the PKI server listening on port 8009, i.e. are you hitting bug
> https://fedorahosted.org/freeipa/ticket/6575
>
> You can verify if certs are expired by running
>
> # getcert list
>
> And check expiration date.
> --
> Petr Vobornik
>
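As an added example (not code from the thread or from FreeIPA itself), a small Python checker for the `getcert list` step Petr suggests: it parses the tracked certmonger requests and flags any that are stuck, not in MONITORING state, or expiring within a threshold. The request ids, subjects and dates below are constructed sample values in the shape of certmonger's output.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `getcert list` output (not from the thread).
SAMPLE_GETCERT_OUTPUT = """\
Request ID '20151222031110':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tsubject: CN=Certificate Authority,O=EXAMPLE.TEST
\texpires: 2017-02-10 12:00:00 UTC
Request ID '20151222031200':
\tstatus: MONITORING
\tstuck: no
\tsubject: CN=ipa1.example.test,O=EXAMPLE.TEST
\texpires: 2017-11-26 12:30:28 UTC
"""

def parse_utc(text):
    """Parse a 'YYYY-MM-DD HH:MM:SS UTC' timestamp as certmonger prints it."""
    naive = datetime.strptime(text.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone.utc)

def parse_getcert_list(text):
    """Return one dict of 'key: value' fields per 'Request ID' block."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"request_id": m.group(1)})
        elif requests and ":" in line:
            key, _, value = line.strip().partition(":")
            requests[-1][key.strip()] = value.strip()
    return requests

def report(text, now, warn_days=30):
    """Map request id -> reasons: status not MONITORING, stuck, or expiring soon."""
    now = parse_utc(now) if isinstance(now, str) else now
    findings = {}
    for req in parse_getcert_list(text):
        reasons = []
        if req.get("status") != "MONITORING":
            reasons.append("status=%s" % req.get("status", "?"))
        if req.get("stuck") == "yes":
            reasons.append("stuck")
        expires = req.get("expires")
        if expires and parse_utc(expires) - now < timedelta(days=warn_days):
            reasons.append("expires " + expires)
        if reasons:
            findings[req["request_id"]] = reasons
    return findings
```

On a real server, feed it the stdout of `getcert list` (run as root) and the current UTC time; a stuck request with a non-MONITORING status is the same condition that makes `ipa-cacert-manage renew` time out on resubmission.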