<div dir="ltr"><div><div>Hi Petr,<br><br># getcert list showed that all certificates are valid for 10 more months.<br><br></div>Server is listening on both ports 389 and 636 and external services are able to use them.<br><br></div>Also port 8009 is active; I was able to do a telnet on it from localhost.<br><div><div><div><br></div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jan 26, 2017 at 1:31 PM, Petr Vobornik <span dir="ltr"><<a href="mailto:pvoborni@redhat.com" target="_blank">pvoborni@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On 01/25/2017 02:30 PM, Gendy Tartovsky wrote:<br>
> Hi,<br>
><br>
> I'm having a PKI-tomcat issue that started after upgrade.<br>
> My configuration has 4 servers with CA, where servers 2, 3 and 4 are replicated<br>
> from the first one.<br>
> At first it didn't cause much trouble, since the whole issue came down to<br>
> pki-tomcat taking about 2 minutes to start.<br>
> But it seems that the problem has progressed a lot and is causing issues in multiple<br>
> parts of the system.<br>
><br>
> After upgrading FreeIPA from 4.1 to 4.2, ipactl would not start on the first node<br>
> without --ignore-service-failures.<br>
><br>
> I found that in the menu Authentication-->Certificates<br>
> I have multiple certificates for the same hosts; in some cases there were up to 30<br>
> duplicates per host, and it is unclear what is generating them.<br>
><br>
> The next issue is that if I try to add a new replica with the ipa-replica-prepare utility<br>
> I get an error: "Failed to generate certificate"<br>
><br>
> And the last problem I found is that I am unable to restore a backup.<br>
> The ipa-restore utility is able to unpack the backup but once I try to start<br>
> FreeIPA on a new node<br>
> the pki-tomcat fails to start. And I see this message in debug:<br>
><br>
> ipa: DEBUG: Waiting for CA to start...<br>
> ipa: DEBUG: Starting external process<br>
> ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'<br>
> '--no-check-certificate' '<a href="https://XXXX:8443/ca/admin/ca/getStatus" rel="noreferrer" target="_blank">https://XXXX:8443/ca/admin/<wbr>ca/getStatus</a>'<br>
> ipa: DEBUG: Process finished, return code=8<br>
><br>
><br>
> In the /var/log/dirsrv/slapd-XXX/errors I see a lot of these<br>
> NSMMReplicationPlugin - process_postop: Failed to apply update<br>
> (57c3cc550002000d0000) error (-1). Aborting replication session(conn=272420 op=6)<br>
><br>
> but I'm not sure if it is directly related to the problem.<br>
><br>
> In /var/log/pki/pki-tomcat/ca/debug I see a lot of these messages:<br>
> Can't create master connection in LdapBoundConnFactory::getConn! Could not<br>
> connect to LDAP server host <a href="http://bos-admin1.hq.datarobot.com" rel="noreferrer" target="_blank">bos-admin1.hq.datarobot.com</a><br>
</div></div>> <<a href="http://bos-admin1.hq.datarobot.com" rel="noreferrer" target="_blank">http://bos-admin1.hq.<wbr>datarobot.com</a>> port 636 Error netscape.ldap.LDAPException:<br>
<span class="">> IO Error creating JSS SSL Socket<br>
><br>
> My guess was that the CA certificate got expired, so I tried to run<br>
> 'ipa-cacert-manage renew'<br>
> but it failed with this message:<br>
><br>
> Resubmitting certmonger request '20151222031110' timed out, please check the<br>
> request manually<br>
><br>
><br>
> Don't really know what else to try right now.<br>
><br>
<br>
</span>Could you check:<br>
<br>
Is directory server listening on ports 389 and 636?<br>
<br>
Is PKI server listening on port 8009, i.e. are you hitting bug<br>
<a href="https://fedorahosted.org/freeipa/ticket/6575" rel="noreferrer" target="_blank">https://fedorahosted.org/freeipa/ticket/6575</a><br>
<br>
You can verify if certs are expired by running<br>
<br>
# getcert list<br>
<br>
And check the expiration date.<br>
<span class="HOEnZb"><font color="#888888">--<br>
Petr Vobornik<br>
</font></span></blockquote></div><br></div>
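Petr's checklist covers the expiry date, but the thread also shows that a certificate can be months from expiry while its renewal is already broken (the timed-out `ipa-cacert-manage renew`). Below is an added example, not part of the thread or of FreeIPA, that parses constructed `getcert list` output (the layout is assumed from certmonger's usual format, the first request ID is the one quoted in the thread, the dates are invented) and flags requests that are expiring soon or not in MONITORING state.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout `getcert list` prints (layout assumed); the first
# request ID is the one quoted in the thread, the expiry dates are invented.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20151222031110':
\tstatus: CA_UNREACHABLE
\texpires: 2017-11-22 03:11:10 UTC
Request ID '20151222031111':
\tstatus: MONITORING
\texpires: 2017-02-05 00:00:00 UTC
"""
AS_OF = datetime(2017, 1, 26, 13, 31, tzinfo=timezone.utc)  # date of the thread
REQUEST_RE = re.compile(r"^Request ID '([^']+)':")

def parse_getcert_list(text):
    """Return one dict per tracked request: id, status and expires (aware datetime)."""
    certs, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            certs.append(current)
        elif current is not None and ": " in line:
            key, _, value = line.strip().partition(": ")
            if key == "expires":
                current["expires"] = datetime.strptime(
                    value, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)
            elif key == "status":
                current[key] = value
    return certs

def verdict(c, now, warn_days=30):
    """Classify one request; renewal trouble is flagged even when expiry is far away."""
    exp = c.get("expires")
    if exp is None or c.get("status") != "MONITORING":
        return "renewal-problem"   # certmonger will not renew this on its own
    if exp <= now:
        return "expired"
    if exp - now <= timedelta(days=warn_days):
        return "expiring"
    return "ok"

def triage(certs, now=None, warn_days=30):
    now = now or datetime.now(timezone.utc)
    return {c["id"]: verdict(c, now, warn_days) for c in certs}

if __name__ == "__main__":  # on a real server feed in the stdout of `getcert list`
    print(triage(parse_getcert_list(SAMPLE_GETCERT_OUTPUT), AS_OF))
```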