<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mv="http://macVmlSchemaUri" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Title" content="">
<meta name="Keywords" content="">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:Calibri;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal;
font-family:Calibri;
color:windowtext;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:Calibri;
color:windowtext;}
span.msoIns
{mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
color:teal;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body bgcolor="white" lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt">An update: The journalctl command has some really interesting output:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: WARNING: Symbolic link '/var/lib/pki/pki-tomcat/alias' does NOT exist!<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: INFO: Attempting to create '/var/lib/pki/pki-tomcat/alias' -> '/etc/pki/pki-tomcat/aliJun 10 11:16:23 ipa.example.com pkidaemon[25032]: ln: failed to create
symbolic link ‘/var/lib/pki/pki-tomcat/alias’: Permission denied<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ERROR: Failed to create '/var/lib/pki/pki-tomcat/alias' -> '/etc/pki/pki-tomcat/alias'Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: WARNING: Symbolic
link '/var/lib/pki/pki-tomcat/logs' does NOT exist!<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: INFO: Attempting to create '/var/lib/pki/pki-tomcat/logs' -> '/var/log/pki/pki-tomcat'Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ln: failed to create
symbolic link ‘/var/lib/pki/pki-tomcat/logs’: Permission denied<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ERROR: Failed to create '/var/lib/pki/pki-tomcat/logs' -> '/var/log/pki/pki-tomcat'!<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: WARNING: Symbolic link '/var/lib/pki/pki-tomcat/bin' does NOT exist!<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: INFO: Attempting to create '/var/lib/pki/pki-tomcat/bin' -> '/usr/share/tomcat/bin' . Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ln: failed to create
symbolic link ‘/var/lib/pki/pki-tomcat/bin’: Permission denied<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ERROR: Failed to create '/var/lib/pki/pki-tomcat/bin' -> '/usr/share/tomcat/bin'!<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: WARNING: Symbolic link '/var/lib/pki/pki-tomcat/conf' does NOT exist!<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: INFO: Attempting to create '/var/lib/pki/pki-tomcat/conf' -> '/etc/pki/pki-tomcat' . .Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ln: failed to create
symbolic link ‘/var/lib/pki/pki-tomcat/conf’: Permission denied<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ERROR: Failed to create '/var/lib/pki/pki-tomcat/conf' -> '/etc/pki/pki-tomcat'!<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Jun 10 11:16:23 ipa.example.com systemd[1]: pki-tomcatd@pki-tomcat.service: control process exited, code=exited status=1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Jun 10 11:16:23 ipa.example.com systemd[1]: Failed to start PKI Tomcat Server pki-tomcat.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Which makes me think All we have to do is create the right directory structures/links and/or change the file permissions? But which ones and to whom?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">—Dan<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal" style="text-autospace:none"><a href="http://www.high5games.com/"><span style="font-size:18.0pt;font-family:"Times New Roman";color:blue;text-decoration:none"><img border="0" width="220" height="50" id="_x0000_i1026" src="cid:image001.jpg@01D1C30A.B174B4C0"></span></a><span style="font-size:15.0pt"><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><b>Daniel Alex Finkelstein</b>| Lead Dev Ops Engineer<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><u><span style="color:blue"><a href="mailto:Dan.Finkelstein@h5g.com"><span style="color:blue">Dan.Finkelstein@h5g.com</span></a></span></u> | 212.604.3447<span style="font-size:15.0pt"><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt">One World Trade Center, New York, NY 10007<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt"><a href="http://www.high5games.com/"><span style="color:blue">www.high5games.com</span></a><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt">Play
<a href="https://apps.facebook.com/highfivecasino/"><span style="color:blue">High 5 Casino</span></a> and
<a href="https://apps.facebook.com/shakethesky/"><span style="color:blue">Shake the Sky</span></a><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt">Follow us on: <a href="http://www.facebook.com/high5games"><span style="color:blue">Facebook</span></a>, <a href="https://twitter.com/High5Games"><span style="color:blue">Twitter</span></a>, <a href="http://www.youtube.com/High5Games"><span style="color:blue">YouTube</span></a>, <a href="http://www.linkedin.com/company/1072533?trk=tyah"><span style="color:blue">Linkedin</span></a><o:p></o:p></span></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"><o:p> </o:p></span></i></p>
</div>
<p class="MsoNormal"><i><span style="font-size:10.0pt">This message and any attachments may contain confidential or privileged information and are only for the use of the intended recipient of this message. If you are not the intended recipient, please notify
the sender by return email, and delete or destroy this and all copies of this message and all attachments. Any unauthorized disclosure, use, distribution, or reproduction of this message or any attachments is prohibited and may be unlawful.</span></i><span style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="color:black">From: </span></b><span style="color:black"><freeipa-users-bounces@redhat.com> on behalf of Daniel Finkestein <Dan.Finkelstein@high5games.com><br>
<b>Date: </b>Wednesday, June 8, 2016 at 17:11<br>
<b>To: </b>"freeipa-users@redhat.com" <freeipa-users@redhat.com><br>
<b>Subject: </b>[Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Times New Roman""><o:p> </o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt">I have a promoted CA master/FreeIPA 4.2.0 instance on CentOS 7 that emits this error in the httpd logs whenever the WebUI tries to see the certificates page:</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt">[Wed Jun 08 16:56:27.052106 2016] [:error] [pid 2863] ipa: ERROR: ipaserver.plugins.dogtag.ra.find(): Unable to communicate with CMS ([Errno 111] Connection refused)</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt">[Wed Jun 08 16:56:27.052401 2016] [:error] [pid 2863] ipa: INFO: [jsonserver_session] dfinkelstein@EXAMPLE.COM: cert_find(version=u'2.156'): CertificateOperationError</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">The certificates appear as follows:</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt">[root@ipa httpd]# certutil -L -d /etc/httpd/alias/</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt">Certificate Nickname Trust Attributes</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt"> SSL,S/MIME,JAR/XPI</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt">Server-Cert u,u,u</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt">auditSigningCert cert-pki-ca u,u,u</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt">EXAMPLE.COM IPA CA CTu,u,Cu</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt">ipaCert u,u,u</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt">ocspSigningCert cert-pki-ca u,u,u</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt">subsystemCert cert-pki-ca u,u,u</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Upon reboot, httpd fails to start with the error: Failed to start Identity, Policy, Audit. But it can be started later with `ipactl restart`. Finally, the two last IPA services don't appear to start:</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">[root@ipa]# ipactl status</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Directory Service: RUNNING</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">krb5kdc Service: RUNNING</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">kadmin Service: RUNNING</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">named Service: RUNNING</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">ipa_memcached Service: RUNNING</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">httpd Service: RUNNING</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">pki-tomcatd Service: RUNNING</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">ipa-otpd Service: STOPPED</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">ipa-dnskeysyncd Service: STOPPED</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">ipa: INFO: The ipactl command was successful</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">I'd appreciate any guidance or suggestions.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Thanks,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Dan</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><a href="http://www.high5games.com/"><span style="font-size:18.0pt;font-family:"Times New Roman";color:blue;text-decoration:none"><img border="0" width="220" height="50" id="_x0000_i1025" src="cid:image002.jpg@01D1C30A.B174B4C0"></span></a><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><b>Daniel Alex Finkelstein</b>| Senior Dev Ops Engineer<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><u><span style="color:blue"><a href="mailto:Dan.Finkelstein@h5g.com"><span style="color:blue">Dan.Finkelstein@h5g.com</span></a></span></u> | 212.604.3447<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt">One World Trade Center, New York, NY 10007</span><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt"><a href="http://www.high5games.com/"><span style="color:blue">www.high5games.com</span></a></span><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt">Play
<a href="https://apps.facebook.com/highfivecasino/"><span style="color:blue">High 5 Casino</span></a> and
<a href="https://apps.facebook.com/shakethesky/"><span style="color:blue">Shake the Sky</span></a></span><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt">Follow us on: <a href="http://www.facebook.com/high5games"><span style="color:blue">Facebook</span></a>, <a href="https://twitter.com/High5Games"><span style="color:blue">Twitter</span></a>, <a href="http://www.youtube.com/High5Games"><span style="color:blue">YouTube</span></a>, <a href="http://www.linkedin.com/company/1072533?trk=tyah"><span style="color:blue">Linkedin</span></a></span><o:p></o:p></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt"> </span></i><o:p></o:p></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt">This message and any attachments may contain confidential or privileged information and are only for the use of the intended recipient of this message. If you are not the intended recipient, please notify
the sender by return email, and delete or destroy this and all copies of this message and all attachments. Any unauthorized disclosure, use, distribution, or reproduction of this message or any attachments is prohibited and may be unlawful.</span></i><o:p></o:p></p>
</div>
</div>
</div>
</body>
</html>