Hello,
I ran into this issue which was compounded when I ran a yum update and IPA needed to run
an upgrade. I rolled back the update to get it to stop requesting an upgrade. I see two
issues here and not sure if they are related. Note I removed our domain name and replaced
it with DOMAIN.
1) Running "getcert list | egrep -e status -e expire -e certificate" I see one
cert which has expired but two are showing a status of CA_UNREACHABLE
getcert list | egrep -e status -e expire -e certificate
Number of certificates and requests being tracked: 8.
status: MONITORING
certificate: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB'
expires: 2023-10-09 05:38:11 UTC
status: MONITORING
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
expires: 2023-10-09 05:40:10 UTC
status: MONITORING
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
expires: 2024-05-06 15:43:26 UTC
status: MONITORING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2024-05-06 15:44:27 UTC
status: CA_UNREACHABLE
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2022-06-14 06:59:34 UTC
status: CA_UNREACHABLE
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2036-09-08 13:37:52 UTC
status: MONITORING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
expires: 2023-09-23 05:38:11 UTC
status: MONITORING
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
expires: 2023-06-08 15:43:24 UTC
certificate template/profile: KDCs_PKINIT_Certs
I think this could be what is throwing this error in my messages
Sep 27 11:55:38 hlipa03 dogtag-ipa-ca-renew-agent-submit: Traceback (most recent call last):
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 515, in <module>
    sys.exit(main())
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 489, in main
    kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
  File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 47, in kinit_keytab
    cred = gssapi.Credentials(name=name, store=store, usage='initiate')
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 64, in __new__
    store=store)
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 148, in acquire
    usage)
  File "ext_cred_store.pyx", line 182, in gssapi.raw.ext_cred_store.acquire_cred_from (gssapi/raw/ext_cred_store.c:1732)
GSSError: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639068): Cannot contact any KDC for realm 'DOMAIN.COM'
So what I tried to do was roll back the date to Dec 25, 2021 and restart everything,
but LDAP is still not starting. Here are a few errors I am seeing:
Dec 25 12:50:06 hlipa03 systemd: Starting 389 Directory Server DOMAIN-COM....
Dec 25 12:50:06 hlipa03 ns-slapd: [25/Dec/2021:12:50:06.472160613 -0500] - NOTICE -
config_set_port - Non-Secure Port Disabled
Dec 25 12:50:06 hlipa03 ns-slapd: [25/Dec/2021:12:50:06.568296397 -0500] - INFO - main -
389-Directory/1.3.10.2 B2022.179.1321 starting up
Dec 25 12:50:06 hlipa03 ns-slapd: [25/Dec/2021:12:50:06.570071317 -0500] - INFO - main -
Setting the maximum file descriptor limit to: 16384
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.267883144 -0500] - INFO -
ldbm_instance_config_cachememsize_set - force a minimal value 512000
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.282267183 -0500] - WARN -
default_mr_indexer_create - Plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.287484618 -0500] - INFO -
ldbm_instance_config_cachememsize_set - force a minimal value 512000
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.303941493 -0500] - INFO -
ldbm_instance_config_cachememsize_set - force a minimal value 512000
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.320417322 -0500] - NOTICE -
ldbm_back_start - found 30613432k physical memory
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.321743123 -0500] - NOTICE -
ldbm_back_start - found 29044884k available
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.322958961 -0500] - NOTICE -
ldbm_back_start - cache autosizing: db cache: 765335k
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.324023640 -0500] - NOTICE -
ldbm_back_start - cache autosizing: userRoot entry cache (3 total): 720896k
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.328954216 -0500] - NOTICE -
ldbm_back_start - cache autosizing: userRoot dn cache (3 total): 131072k
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.330907096 -0500] - NOTICE -
ldbm_back_start - cache autosizing: ipaca entry cache (3 total): 720896k
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.336102686 -0500] - NOTICE -
ldbm_back_start - cache autosizing: ipaca dn cache (3 total): 131072k
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.337870481 -0500] - NOTICE -
ldbm_back_start - cache autosizing: changelog entry cache (3 total): 720896k
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.342750894 -0500] - NOTICE -
ldbm_back_start - cache autosizing: changelog dn cache (3 total): 131072k
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.344621870 -0500] - NOTICE -
ldbm_back_start - total cache size: 3400949555 B;
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.467376898 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=dns,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.468965116 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=keys,cn=sec,cn=dns,dc=DOMAIN,dc=com does not
exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.470221810 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=dns,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.471510458 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=dns,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.472703756 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=DOMAIN,dc=com does not
exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.473949469 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=DOMAIN,dc=com does not
exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.475191460 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.476506914 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.477702221 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=DOMAIN,dc=com does not
exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.478971257 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.480144620 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.481346463 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.482548595 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.483735174 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.484936731 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.486290254 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.487505855 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.488679941 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.489957510 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.491180117 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.492446197 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=dns,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.499046420 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=ad,cn=etc,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.502451715 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=casigningcert
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=domain,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.504012530 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=casigningcert
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=domain,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.639427471 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=automember rebuild
membership,cn=tasks,cn=config does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.688774307 -0500] - ERR -
set_krb5_creds - Could not get initial credentials for principal
[ldap/hlipa03.domain.com@DOMAINDER.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]:
-1765328228 (Cannot contact any KDC for requested realm)
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.691560843 -0500] - ERR -
NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meTohlipa06.domain.com"
(hlipa06:389) - Replication bind with GSSAPI auth failed: LDAP error -1
(Can't contact LDAP server) ()
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.693497359 -0500] - ERR -
set_krb5_creds - Could not get initial credentials for principal
[ldap/hlipa03.domain.com@DOMAINDER.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]:
-1765328228 (Cannot contact any KDC for requested realm)
Dec 25 12:50:11 hlipa03 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may
provide more information (No Kerberos credentials available (default cache:
/tmp/krb5cc_389))
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.721198701 -0500] - INFO -
slapd_daemon - slapd started. Listening on /var/run/slapd-DOMAIN-COM.socket for LDAPI
requests
Dec 25 12:50:11 hlipa03 systemd: Started 389 Directory Server DOMAIN-COM..
Dec 25 12:50:14 hlipa03 ns-slapd: [25/Dec/2021:12:50:14.723579661 -0500] - ERR -
slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP
server) errno 107 (Transport endpoint is not connected)
Dec 25 12:50:14 hlipa03 ns-slapd: [25/Dec/2021:12:50:14.724902033 -0500] - ERR -
NSMMReplicationPlugin - bind_and_check_pwp -
agmt="cn=cloneAgreement1-hlipa03.domain.com-pki-tomcat" (hlipa01:389) - Replication
bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ()
Dec 25 12:50:14 hlipa03 ns-slapd: [25/Dec/2021:12:50:14.728132510 -0500] - ERR -
set_krb5_creds - Could not get initial credentials for principal
[ldap/hlipa03.domain.com@DOMAINDER.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]:
-1765328228 (Cannot contact any KDC for requested realm)
Dec 25 12:50:14 hlipa03 ns-slapd: [25/Dec/2021:12:50:14.731080779 -0500] - ERR -
set_krb5_creds - Could not get initial credentials for principal
[ldap/hlipa03.domain.com@DOMAINDER.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]:
-1765328228 (Cannot contact any KDC for requested realm)
Dec 25 12:50:14 hlipa03 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may
provide more information (No Kerberos credentials available (default cache:
/tmp/krb5cc_389))
Dec 25 12:50:20 hlipa03 ns-slapd: [25/Dec/2021:12:50:20.735789980 -0500] - ERR -
set_krb5_creds - Could not get initial credentials for principal
[ldap/hlipa03.domain.com@DOMAINDER.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]:
-1765328228 (Cannot contact any KDC for requested realm)
Dec 25 12:50:20 hlipa03 ns-slapd: [25/Dec/2021:12:50:20.738768442 -0500] - ERR -
set_krb5_creds - Could not get initial credentials for principal
[ldap/hlipa03.domain.com@DOMAINDER.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]:
-1765328228 (Cannot contact any KDC for requested realm)
Dec 25 12:50:20 hlipa03 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may
provide more information (No Kerberos credentials available (default cache:
/tmp/krb5cc_389))
Dec 25 12:50:20 hlipa03 ns-slapd: [25/Dec/2021:12:50:20.747472483 -0500] - ERR -
slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP
server) errno 107 (Transport endpoint is not connected)
Does anyone know what could be happening here?
Thanks
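The `getcert list` output in the post is easier to act on when it is parsed rather than eyeballed. What follows is an added example, not code from the post, from certmonger or from FreeIPA: it parses the status/certificate/expires lines that the egrep leaves behind (the sample is constructed from the eight entries in the post, with the wrapped lines rejoined and the domain still redacted as DOMAIN), lists which certs are past their expiry at a given time and which are not in MONITORING, and computes the day before the earliest expiry. That last rule is this example's own assumption for the set-the-clock-back renewal approach the post tries: the date chosen has to be one at which every tracked cert was still valid, and 2021-12-25 satisfies it for this set. The "now" of 2022-09-27 is also an assumption; the year is inferred from the 2022-06-14 expiry being the one the post describes as already expired.

```python
# Added example (not code from the post, certmonger or FreeIPA): parse the
# grepped `getcert list` output shown in the post and flag what needs attention.
import re
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import List, Optional

# Constructed sample: the post's eight tracked certs, wrapped lines rejoined.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 8.
status: MONITORING
certificate: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB'
expires: 2023-10-09 05:38:11 UTC
status: MONITORING
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
expires: 2023-10-09 05:40:10 UTC
status: MONITORING
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
expires: 2024-05-06 15:43:26 UTC
status: MONITORING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2024-05-06 15:44:27 UTC
status: CA_UNREACHABLE
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2022-06-14 06:59:34 UTC
status: CA_UNREACHABLE
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2036-09-08 13:37:52 UTC
status: MONITORING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
expires: 2023-09-23 05:38:11 UTC
status: MONITORING
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
expires: 2023-06-08 15:43:24 UTC
certificate template/profile: KDCs_PKINIT_Certs
"""

@dataclass
class TrackedCert:
    status: str              # certmonger state: MONITORING, CA_UNREACHABLE, ...
    location: str            # NSS DB directory or PEM path
    nickname: Optional[str]  # NSS nickname; None for type=FILE entries
    expires: datetime        # timezone-aware, UTC

    @property
    def label(self) -> str:
        return self.nickname or self.location

def parse_utc(stamp: str) -> datetime:
    """'2022-06-14 06:59:34 UTC' -> aware UTC datetime (getcert prints UTC)."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)

def _record(cur: dict) -> TrackedCert:
    if {"status", "location", "expires"} - cur.keys():
        raise ValueError("incomplete getcert record: %r" % cur)
    return TrackedCert(cur["status"], cur["location"], cur.get("nickname"), cur["expires"])

def parse_getcert(text: str) -> List[TrackedCert]:
    """Group the status/certificate/expires lines left by the egrep into records."""
    certs: List[TrackedCert] = []
    cur: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("status:"):          # each tracked request starts here
            if cur:
                certs.append(_record(cur))
            cur = {"status": line.split(":", 1)[1].strip()}
        elif line.startswith("certificate template/profile:"):
            continue                            # matches the egrep, but is a profile name
        elif line.startswith("certificate:"):
            spec = line.split(":", 1)[1].strip()
            loc = re.search(r"location='([^']*)'", spec)
            nick = re.search(r"nickname='([^']*)'", spec)
            cur["location"] = loc.group(1) if loc else spec
            cur["nickname"] = nick.group(1) if nick else None
        elif line.startswith("expires:"):
            cur["expires"] = parse_utc(line.split(":", 1)[1].strip())
    if cur:
        certs.append(_record(cur))
    return certs

def summarize(certs: List[TrackedCert], now: datetime) -> dict:
    """Expired certs, non-MONITORING certs, and the day before the earliest
    expiry: this example's own rule for picking a clock-rollback date at which
    every tracked cert was still valid."""
    earliest = min(c.expires for c in certs)
    return {
        "expired": [c.label for c in certs if c.expires <= now],
        "not_monitoring": [(c.label, c.status) for c in certs if c.status != "MONITORING"],
        "earliest_expiry": earliest,
        "rollback_date": (earliest - timedelta(days=1)).date(),
    }

if __name__ == "__main__":
    # 2022-09-27 is the post's "Sep 27" syslog line; the year is assumed from
    # the 2022-06-14 expiry being the one the post reports as expired.
    now = parse_utc("2022-09-27 11:55:38 UTC")
    certs = parse_getcert(SAMPLE_GETCERT)
    for c in certs:
        print("%-28s %-15s %s %s" % (c.label, c.status, c.expires.date(),
                                     "EXPIRED" if c.expires <= now else ""))
    print(summarize(certs, now))
```

Run against the sample this reports one expired cert (ocspSigningCert cert-pki-ca), two non-MONITORING certs (both CA_UNREACHABLE), and 2022-06-13 as the latest safe rollback date. It only says what to renew and by when; it does not explain why the KDC is unreachable, which is the failure both the traceback and the ns-slapd errors in the post show.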