Ben Schofield via FreeIPA-users wrote:
Yep, all services are running. This is from the Apache error log, right after login and trying to load the Users page:
[Mon Jul 22 10:12:35.083278 2019] [:error] [pid 14474] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Mon Jul 22 10:12:35.083381 2019] [:error] [pid 14474] ipa: DEBUG: WSGI login_password.__call__:
[Mon Jul 22 10:12:35.083996 2019] [:error] [pid 14474] ipa: DEBUG: Obtaining armor in ccache /var/run/ipa/ccaches/armor_14474
[Mon Jul 22 10:12:35.084074 2019] [:error] [pid 14474] ipa: DEBUG: Initializing anonymous ccache
[Mon Jul 22 10:12:35.084211 2019] [:error] [pid 14474] ipa: DEBUG: Starting external process
[Mon Jul 22 10:12:35.084261 2019] [:error] [pid 14474] ipa: DEBUG: args=/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_14474 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
[Mon Jul 22 10:12:35.135499 2019] [:error] [pid 14474] ipa: DEBUG: Process finished, return code=0
[Mon Jul 22 10:12:35.135593 2019] [:error] [pid 14474] ipa: DEBUG: stdout=
[Mon Jul 22 10:12:35.135638 2019] [:error] [pid 14474] ipa: DEBUG: stderr=
[Mon Jul 22 10:12:35.135866 2019] [:error] [pid 14474] ipa: DEBUG: Initializing principal admin using password
[Mon Jul 22 10:12:35.135925 2019] [:error] [pid 14474] ipa: DEBUG: Using armor ccache /var/run/ipa/ccaches/armor_14474 for FAST webauth
[Mon Jul 22 10:12:35.135968 2019] [:error] [pid 14474] ipa: DEBUG: Using enterprise principal
[Mon Jul 22 10:12:35.136067 2019] [:error] [pid 14474] ipa: DEBUG: Starting external process
[Mon Jul 22 10:12:35.136112 2019] [:error] [pid 14474] ipa: DEBUG: args=/usr/bin/kinit admin -c /var/run/ipa/ccaches/kinit_14474 -T /var/run/ipa/ccaches/armor_14474 -E
[Mon Jul 22 10:12:35.163806 2019] [:error] [pid 14474] ipa: DEBUG: Process finished, return code=0
[Mon Jul 22 10:12:35.163895 2019] [:error] [pid 14474] ipa: DEBUG: stdout=Password for admin@DOMAIN.NZ:
[Mon Jul 22 10:12:35.163903 2019] [:error] [pid 14474]
[Mon Jul 22 10:12:35.163942 2019] [:error] [pid 14474] ipa: DEBUG: stderr=
[Mon Jul 22 10:12:35.164042 2019] [:error] [pid 14474] ipa: DEBUG: Cleanup the armor ccache
[Mon Jul 22 10:12:35.164154 2019] [:error] [pid 14474] ipa: DEBUG: Starting external process
[Mon Jul 22 10:12:35.164198 2019] [:error] [pid 14474] ipa: DEBUG: args=/usr/bin/kdestroy -A -c /var/run/ipa/ccaches/armor_14474
[Mon Jul 22 10:12:35.172420 2019] [:error] [pid 14474] ipa: DEBUG: Process finished, return code=0
[Mon Jul 22 10:12:35.172516 2019] [:error] [pid 14474] ipa: DEBUG: stdout=
[Mon Jul 22 10:12:35.172565 2019] [:error] [pid 14474] ipa: DEBUG: stderr=
[Mon Jul 22 10:12:35.189068 2019] [:error] [pid 14474] ipa: INFO: Starting new HTTP connection (1): intauth-e.domain.nz
[Mon Jul 22 10:12:35.190276 2019] [:error] [pid 14474] ipa: DEBUG: "GET /ipa/session/cookie HTTP/1.1" 301 259
[Mon Jul 22 10:12:35.192124 2019] [:error] [pid 14474] ipa: INFO: Starting new HTTPS connection (1): intauth-e.domain.nz
[Mon Jul 22 10:12:35.214459 2019] [:error] [pid 14474] ipa: DEBUG: "GET /ipa/session/cookie HTTP/1.1" 200 0
[Mon Jul 22 10:12:35.708087 2019] [:error] [pid 14475] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Mon Jul 22 10:12:35.708190 2019] [:error] [pid 14475] ipa: DEBUG: WSGI jsonserver_session.__call__:
[Mon Jul 22 10:12:35.722673 2019] [:error] [pid 14475] ipa: DEBUG: Created connection context.ldap2_140655759869968
[Mon Jul 22 10:12:35.722743 2019] [:error] [pid 14475] ipa: DEBUG: WSGI jsonserver.__call__:
[Mon Jul 22 10:12:35.722798 2019] [:error] [pid 14475] ipa: DEBUG: WSGI WSGIExecutioner.__call__:
[Mon Jul 22 10:12:35.732842 2019] [:error] [pid 14475] ipa: DEBUG: raw: user_find(u'', sizelimit=0, version=u'2.230', pkey_only=True)
[Mon Jul 22 10:12:35.733197 2019] [:error] [pid 14475] ipa: DEBUG: user_find(None, sizelimit=0, whoami=False, all=False, raw=False, version=u'2.230', no_members=True, pkey_only=True)
[Mon Jul 22 10:12:35.735792 2019] [:error] [pid 14475] ipa: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-DOMAIN-NZ.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7fecf7febcb0>
[Mon Jul 22 10:12:35.963886 2019] [:warn] [pid 14478] [client 10.0.201.253:18606] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin@DOMAIN.NZ)!, referer: https://intauth-e.domain.nz/ipa/ui/
[Mon Jul 22 10:12:35.964864 2019] [:error] [pid 14473] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Mon Jul 22 10:12:35.964951 2019] [:error] [pid 14473] ipa: DEBUG: WSGI jsonserver_session.__call__:
[Mon Jul 22 10:12:35.975471 2019] [:error] [pid 14473] ipa: DEBUG: Created connection context.ldap2_140655759869968
[Mon Jul 22 10:12:35.975538 2019] [:error] [pid 14473] ipa: DEBUG: WSGI jsonserver.__call__:
[Mon Jul 22 10:12:35.975597 2019] [:error] [pid 14473] ipa: DEBUG: WSGI WSGIExecutioner.__call__:
[Mon Jul 22 10:12:35.985387 2019] [:error] [pid 14473] ipa: DEBUG: raw: user_find(u'', sizelimit=0, version=u'2.230', pkey_only=True)
[Mon Jul 22 10:12:35.985762 2019] [:error] [pid 14473] ipa: DEBUG: user_find(None, sizelimit=0, whoami=False, all=False, raw=False, version=u'2.230', no_members=True, pkey_only=True)
[Mon Jul 22 10:12:35.988056 2019] [:error] [pid 14473] ipa: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-DOMAIN-NZ.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7fecf7febcb0>
[Mon Jul 22 10:12:36.021489 2019] [:error] [pid 14475] ipa: INFO: [jsonserver_session] admin@DOMAIN.NZ: user_find(u'', sizelimit=0, version=u'2.230', pkey_only=True): SUCCESS
[Mon Jul 22 10:12:36.022673 2019] [:error] [pid 14475] ipa: DEBUG: Destroyed connection context.ldap2_140655759869968
[Mon Jul 22 10:12:36.272817 2019] [:error] [pid 14473] ipa: INFO: [jsonserver_session] admin@DOMAIN.NZ: user_find(u'', sizelimit=0, version=u'2.230', pkey_only=True): SUCCESS
[Mon Jul 22 10:12:36.273918 2019] [:error] [pid 14473] ipa: DEBUG: Destroyed connection context.ldap2_140655759869968
[Mon Jul 22 10:14:03.993422 2019] [:error] [pid 14477] SSL Library Error: -12195 Peer does not recognize and trust the CA that issued your certificate
The certificate is the same self-signed certificate that was created during installation by the installer.
Though it's only a warning, I temporarily set 777 perms on this file "/var/run/ipa/ccaches/admin@DOMAIN.NZ" to see if it would help. It didn't. The file is updated frequently anyway (owned by ipaapi) so I think that warning is a red herring.
I think the certificate error might be a red herring. The other requests look like they are working fine. You could double-check this by trying again on a quiet system to confirm that no errors are thrown.
I looked at the client side you had provided earlier and it failed with a CCacheError. Had you done a kinit beforehand? The above shows requests coming in, can you show the client-side for this?
rob
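
Added example (not part of the original thread, and not FreeIPA code): in the log above every ipa DEBUG and INFO line carries Apache's [:error] tag, so the Apache level alone cannot separate noise from real problems. This sketch splits a run-together error_log, takes the severity from the "ipa: LEVEL:" prefix when there is one, and keeps only what is left. The sample is a constructed excerpt of lines copied from the log above; the function names and the set of ipa level names (Python logging's) are assumptions.

```python
import re

TS = r"\[\w{3} \w{3} \d{2} [\d:.]+ \d{4}\]"
# One Apache 2.4 error_log entry. The lookahead ends a message at the next
# timestamp, so entries pasted together on one line are still split.
ENTRY = re.compile(
    r"\[(?P<ts>\w{3} \w{3} \d{2} [\d:.]+ \d{4})\] "
    r"\[(?P<module>[^:\]]*):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+)\] ?"
    r"(?:\[client (?P<client>[^\]]+)\] )?"
    r"(?P<msg>.*?)(?=\s*" + TS + r" \[|\s*\Z)",
    re.S,
)
# Assumption: the ipa logger uses Python's standard level names.
IPA_LEVEL = re.compile(r"ipa: (DEBUG|INFO|WARNING|ERROR|CRITICAL): ?")

def parse(text):
    """Return one dict per entry, with 'level' set to the effective severity."""
    entries = []
    for m in ENTRY.finditer(text):
        e = m.groupdict()
        ipa = IPA_LEVEL.match(e["msg"])
        # Prefer the application's own level over the Apache tag.
        e["level"] = ipa.group(1) if ipa else e["level"].upper()
        entries.append(e)
    return entries

def triage(text):
    """Entries worth reading: not DEBUG/INFO, and not an empty continuation."""
    return [e for e in parse(text)
            if e["msg"] and e["level"] not in ("DEBUG", "INFO")]

# Constructed sample: six entries taken from the log above, run together.
SAMPLE = (
    "[Mon Jul 22 10:12:35.135499 2019] [:error] [pid 14474] ipa: DEBUG: Process finished, return code=0 "
    "[Mon Jul 22 10:12:35.163895 2019] [:error] [pid 14474] ipa: DEBUG: stdout=Password for admin@DOMAIN.NZ: "
    "[Mon Jul 22 10:12:35.163903 2019] [:error] [pid 14474] "
    "[Mon Jul 22 10:12:35.963886 2019] [:warn] [pid 14478] [client 10.0.201.253:18606] failed to set perms (3140) "
    "on file (/var/run/ipa/ccaches/admin@DOMAIN.NZ)!, referer: https://intauth-e.domain.nz/ipa/ui/ "
    "[Mon Jul 22 10:12:36.021489 2019] [:error] [pid 14475] ipa: INFO: [jsonserver_session] admin@DOMAIN.NZ: "
    "user_find(u'', sizelimit=0, version=u'2.230', pkey_only=True): SUCCESS "
    "[Mon Jul 22 10:14:03.993422 2019] [:error] [pid 14477] SSL Library Error: -12195 "
    "Peer does not recognize and trust the CA that issued your certificate"
)

if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(e["ts"], e["level"], "pid", e["pid"], e["client"] or "-", e["msg"])
```

On the excerpt this leaves exactly the two entries the thread discusses: the "failed to set perms" warning and the SSL Library Error.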