11:35 a.m.
Hello,
I ran into this issue which was compounded when I ran a yum update and IPA needed to run
an upgrade. I rolled back the update to get it to stop requesting an upgrade. I see two
issues here and not sure if they are related. Note I removed our domain name and replaced
it with DOMAIN.
1) Running "getcert list | egrep -e status -e expire -e certificate" I see one
cert which has expired but two are showing a status of CA_UNREACHABLE
getcert list | egrep -e status -e expire -e certificate
Number of certificates and requests being tracked: 8.
status: MONITORING
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM',nickname='Server-Cert',token='NSS
Certificate DB'
expires: 2023-10-09 05:38:11 UTC
status: MONITORING
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
expires: 2023-10-09 05:40:10 UTC
status: MONITORING
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
expires: 2024-05-06 15:43:26 UTC
status: MONITORING
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
expires: 2024-05-06 15:44:27 UTC
status: CA_UNREACHABLE
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
expires: 2022-06-14 06:59:34 UTC
status: CA_UNREACHABLE
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
expires: 2036-09-08 13:37:52 UTC
status: MONITORING
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
expires: 2023-09-23 05:38:11 UTC
status: MONITORING
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
expires: 2023-06-08 15:43:24 UTC
certificate template/profile: KDCs_PKINIT_Certs
I think this could be what is throwing this error in my messages
Sep 27 11:55:38 hlipa03 dogtag-ipa-ca-renew-agent-submit: Traceback (most recent call
last):#012 File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit",
line 515, in <module>#012
sys.exit(main())#012 File
"/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 489, in
main#012 kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)#012 File
"/us
r/lib/python2.7/site-packages/ipalib/install/kinit.py", line 47, in kinit_keytab#012
cred = gssapi.Credentials(name=name, store=store, usage='initiate')#012 File
"/usr/lib64/python2.7/s
ite-packages/gssapi/creds.py", line 64, in __new__#012 store=store)#012 File
"/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 148, in acquire#012
usage)#012 File "ext_cred
_store.pyx", line 182, in gssapi.raw.ext_cred_store.acquire_cred_from
(gssapi/raw/ext_cred_store.c:1732)#012GSSError: Major (851968): Unspecified GSS failure.
Minor code may provide more i
nformation, Minor (2529639068): Cannot contact any KDC for realm 'DOMAIN.COM'
So what I tried to do is roll back the date to Dec 25,2021 and try to restart everything
but LDAP is still not starting and here are a few errors I am seeing
Dec 25 12:50:06 hlipa03 systemd: Starting 389 Directory Server DOMAIN-COM....
Dec 25 12:50:06 hlipa03 ns-slapd: [25/Dec/2021:12:50:06.472160613 -0500] - NOTICE -
config_set_port - Non-Secure Port Disabled
Dec 25 12:50:06 hlipa03 ns-slapd: [25/Dec/2021:12:50:06.568296397 -0500] - INFO - main -
389-Directory/1.3.10.2 B2022.179.1321 starting up
Dec 25 12:50:06 hlipa03 ns-slapd: [25/Dec/2021:12:50:06.570071317 -0500] - INFO - main -
Setting the maximum file descriptor limit to: 16384
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.267883144 -0500] - INFO -
ldbm_instance_config_cachememsize_set - force a minimal value 512000
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.282267183 -0500] - WARN -
default_mr_indexer_create - Plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.287484618 -0500] - INFO -
ldbm_instance_config_cachememsize_set - force a minimal value 512000
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.303941493 -0500] - INFO -
ldbm_instance_config_cachememsize_set - force a minimal value 512000
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.320417322 -0500] - NOTICE -
ldbm_back_start - found 30613432k physical memory
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.321743123 -0500] - NOTICE -
ldbm_back_start - found 29044884k available
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.322958961 -0500] - NOTICE -
ldbm_back_start - cache autosizing: db cache: 765335k
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.324023640 -0500] - NOTICE -
ldbm_back_start - cache autosizing: userRoot entry cache (3 total): 720896k
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.328954216 -0500] - NOTICE -
ldbm_back_start - cache autosizing: userRoot dn cache (3 total): 131072k
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.330907096 -0500] - NOTICE -
ldbm_back_start - cache autosizing: ipaca entry cache (3 total): 720896k
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.336102686 -0500] - NOTICE -
ldbm_back_start - cache autosizing: ipaca dn cache (3 total): 131072k
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.337870481 -0500] - NOTICE -
ldbm_back_start - cache autosizing: changelog entry cache (3 total): 720896k
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.342750894 -0500] - NOTICE -
ldbm_back_start - cache autosizing: changelog dn cache (3 total): 131072k
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.344621870 -0500] - NOTICE -
ldbm_back_start - total cache size: 3400949555 B;
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.467376898 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=dns,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.468965116 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=keys,cn=sec,cn=dns,dc=DOMAIN,dc=com does not
exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.470221810 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=dns,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.471510458 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=dns,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.472703756 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=DOMAIN,dc=com does not
exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.473949469 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=DOMAIN,dc=com does not
exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.475191460 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.476506914 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.477702221 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=DOMAIN,dc=com does not
exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.478971257 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.480144620 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
18516,1
99%
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.478971257 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.480144620 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.481346463 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.482548595 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.483735174 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.484936731 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.486290254 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.487505855 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.488679941 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.489957510 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.491180117 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.492446197 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=dns,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.499046420 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=ad,cn=etc,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.502451715 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=casigningcert
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=domain,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.504012530 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=casigningcert
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=domain,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.639427471 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=automember rebuild
membership,cn=tasks,cn=config does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.688774307 -0500] - ERR -
set_krb5_creds - Could not get initial credentials for principal
[ldap/hlipa03.domain.com@DOMAIN
DER.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for
requested realm)
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.691560843 -0500] - ERR -
NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meTohlipa06.domain.com"
(hlipa06:389) - Repl
ication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.693497359 -0500] - ERR -
set_krb5_creds - Could not get initial credentials for principal
[ldap/hlipa03.domain.com@DOMAIN
DER.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for
requested realm)
Dec 25 12:50:11 hlipa03 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may
provide more information (No Kerberos credentials available (default cache:
/tmp/krb5cc_389))
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.721198701 -0500] - INFO -
slapd_daemon - slapd started. Listening on /var/run/slapd-DOMAIN-COM.socket for LDAPI
requests
Dec 25 12:50:11 hlipa03 systemd: Started 389 Directory Server DOMAIN-COM..
Dec 25 12:50:14 hlipa03 ns-slapd: [25/Dec/2021:12:50:14.723579661 -0500] - ERR -
slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP
server) errno 107 (Tr
ansport endpoint is not connected)
Dec 25 12:50:14 hlipa03 ns-slapd: [25/Dec/2021:12:50:14.724902033 -0500] - ERR -
NSMMReplicationPlugin - bind_and_check_pwp -
agmt="cn=cloneAgreement1-hlipa03.domain.com-pki-tomca
t" (hlipa01:389) - Replication bind with SIMPLE auth failed: LDAP error -1 (Can't
contact LDAP server) ()
Dec 25 12:50:14 hlipa03 ns-slapd: [25/Dec/2021:12:50:14.728132510 -0500] - ERR -
set_krb5_creds - Could not get initial credentials for principal
[ldap/hlipa03.domain.com@DOMAIN
DER.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for
requested realm)
Dec 25 12:50:14 hlipa03 ns-slapd: [25/Dec/2021:12:50:14.731080779 -0500] - ERR -
set_krb5_creds - Could not get initial credentials for principal
[ldap/hlipa03.domain.com@DOMAIN
DER.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for
requested realm)
Dec 25 12:50:14 hlipa03 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may
provide more information (No Kerberos credentials available (default cache:
/tmp/krb5cc_389))
Dec 25 12:50:20 hlipa03 ns-slapd: [25/Dec/2021:12:50:20.735789980 -0500] - ERR -
set_krb5_creds - Could not get initial credentials for principal
[ldap/hlipa03.domain.com@DOMAIN
DER.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for
requested realm)
Dec 25 12:50:20 hlipa03 ns-slapd: [25/Dec/2021:12:50:20.738768442 -0500] - ERR -
set_krb5_creds - Could not get initial credentials for principal
[ldap/hlipa03.domain.com@DOMAIN
DER.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for
requested realm)
Dec 25 12:50:20 hlipa03 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may
provide more information (No Kerberos credentials available (default cache:
/tmp/krb5cc_389))
Dec 25 12:50:20 hlipa03 ns-slapd: [25/Dec/2021:12:50:20.747472483 -0500] - ERR -
slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP
server) errno 107 (Transport endpoint is not connected)
Does anyone know what could be happening here?
Thanks
1:41 p.m.
Nick Polites via FreeIPA-users wrote:
Hello,
I ran into this issue which was compounded when I ran a yum update and IPA needed to run
an upgrade. I rolled back the update to get it to stop requesting an upgrade. I see two
issues here and not sure if they are related. Note I removed our domain name and replaced
it with DOMAIN.
1) Running "getcert list | egrep -e status -e expire -e certificate" I see one
cert which has expired but two are showing a status of CA_UNREACHABLE
getcert list | egrep -e status -e expire -e certificate
Number of certificates and requests being tracked: 8.
status: MONITORING
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM',nickname='Server-Cert',token='NSS
Certificate DB'
expires: 2023-10-09 05:38:11 UTC
status: MONITORING
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
expires: 2023-10-09 05:40:10 UTC
status: MONITORING
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
expires: 2024-05-06 15:43:26 UTC
status: MONITORING
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
expires: 2024-05-06 15:44:27 UTC
status: CA_UNREACHABLE
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
expires: 2022-06-14 06:59:34 UTC
status: CA_UNREACHABLE
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
expires: 2036-09-08 13:37:52 UTC
status: MONITORING
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
expires: 2023-09-23 05:38:11 UTC
status: MONITORING
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
expires: 2023-06-08 15:43:24 UTC
certificate template/profile: KDCs_PKINIT_Certs
I think this could be what is throwing this error in my messages
Sep 27 11:55:38 hlipa03 dogtag-ipa-ca-renew-agent-submit: Traceback (most recent call
last):#012 File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit",
line 515, in <module>#012
sys.exit(main())#012 File
"/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 489, in
main#012 kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)#012 File
"/us
r/lib/python2.7/site-packages/ipalib/install/kinit.py", line 47, in kinit_keytab#012
cred = gssapi.Credentials(name=name, store=store, usage='initiate')#012 File
"/usr/lib64/python2.7/s
ite-packages/gssapi/creds.py", line 64, in __new__#012 store=store)#012 File
"/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 148, in acquire#012
usage)#012 File "ext_cred
_store.pyx", line 182, in gssapi.raw.ext_cred_store.acquire_cred_from
(gssapi/raw/ext_cred_store.c:1732)#012GSSError: Major (851968): Unspecified GSS failure.
Minor code may provide more i
nformation, Minor (2529639068): Cannot contact any KDC for realm 'DOMAIN.COM'
So what I tried to do is roll back the date to Dec 25,2021 and try to restart everything
but LDAP is still not starting and here are a few errors I am seeing
Dec 25 12:50:06 hlipa03 systemd: Starting 389 Directory Server DOMAIN-COM....
Dec 25 12:50:06 hlipa03 ns-slapd: [25/Dec/2021:12:50:06.472160613 -0500] - NOTICE -
config_set_port - Non-Secure Port Disabled
Dec 25 12:50:06 hlipa03 ns-slapd: [25/Dec/2021:12:50:06.568296397 -0500] - INFO - main -
389-Directory/1.3.10.2 B2022.179.1321 starting up
Dec 25 12:50:06 hlipa03 ns-slapd: [25/Dec/2021:12:50:06.570071317 -0500] - INFO - main -
Setting the maximum file descriptor limit to: 16384
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.267883144 -0500] - INFO -
ldbm_instance_config_cachememsize_set - force a minimal value 512000
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.282267183 -0500] - WARN -
default_mr_indexer_create - Plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.287484618 -0500] - INFO -
ldbm_instance_config_cachememsize_set - force a minimal value 512000
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.303941493 -0500] - INFO -
ldbm_instance_config_cachememsize_set - force a minimal value 512000
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.320417322 -0500] - NOTICE -
ldbm_back_start - found 30613432k physical memory
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.321743123 -0500] - NOTICE -
ldbm_back_start - found 29044884k available
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.322958961 -0500] - NOTICE -
ldbm_back_start - cache autosizing: db cache: 765335k
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.324023640 -0500] - NOTICE -
ldbm_back_start - cache autosizing: userRoot entry cache (3 total): 720896k
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.328954216 -0500] - NOTICE -
ldbm_back_start - cache autosizing: userRoot dn cache (3 total): 131072k
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.330907096 -0500] - NOTICE -
ldbm_back_start - cache autosizing: ipaca entry cache (3 total): 720896k
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.336102686 -0500] - NOTICE -
ldbm_back_start - cache autosizing: ipaca dn cache (3 total): 131072k
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.337870481 -0500] - NOTICE -
ldbm_back_start - cache autosizing: changelog entry cache (3 total): 720896k
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.342750894 -0500] - NOTICE -
ldbm_back_start - cache autosizing: changelog dn cache (3 total): 131072k
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.344621870 -0500] - NOTICE -
ldbm_back_start - total cache size: 3400949555 B;
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.467376898 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=dns,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.468965116 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=keys,cn=sec,cn=dns,dc=DOMAIN,dc=com does not
exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.470221810 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=dns,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.471510458 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=dns,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.472703756 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=DOMAIN,dc=com does not
exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.473949469 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=DOMAIN,dc=com does not
exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.475191460 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.476506914 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.477702221 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=DOMAIN,dc=com does not
exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.478971257 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.480144620 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
18516,1
99%
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.478971257 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.480144620 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.481346463 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.482548595 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.483735174 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.484936731 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.486290254 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.487505855 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.488679941 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.489957510 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.491180117 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.492446197 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=dns,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.499046420 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=ad,cn=etc,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.502451715 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=casigningcert
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=domain,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.504012530 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=casigningcert
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=domain,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.639427471 -0500] - WARN -
NSACLPlugin - acl_parse - The ACL target cn=automember rebuild
membership,cn=tasks,cn=config does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.688774307 -0500] - ERR -
set_krb5_creds - Could not get initial credentials for principal
[ldap/hlipa03.domain.com@DOMAIN
DER.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for
requested realm)
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.691560843 -0500] - ERR -
NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meTohlipa06.domain.com"
(hlipa06:389) - Repl
ication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.693497359 -0500] - ERR -
set_krb5_creds - Could not get initial credentials for principal
[ldap/hlipa03.domain.com@DOMAIN
DER.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for
requested realm)
Dec 25 12:50:11 hlipa03 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may
provide more information (No Kerberos credentials available (default cache:
/tmp/krb5cc_389))
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.721198701 -0500] - INFO -
slapd_daemon - slapd started. Listening on /var/run/slapd-DOMAIN-COM.socket for LDAPI
requests
Dec 25 12:50:11 hlipa03 systemd: Started 389 Directory Server DOMAIN-COM..
Dec 25 12:50:14 hlipa03 ns-slapd: [25/Dec/2021:12:50:14.723579661 -0500] - ERR -
slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP
server) errno 107 (Tr
ansport endpoint is not connected)
Dec 25 12:50:14 hlipa03 ns-slapd: [25/Dec/2021:12:50:14.724902033 -0500] - ERR -
NSMMReplicationPlugin - bind_and_check_pwp -
agmt="cn=cloneAgreement1-hlipa03.domain.com-pki-tomca
t" (hlipa01:389) - Replication bind with SIMPLE auth failed: LDAP error -1
(Can't contact LDAP server) ()
Dec 25 12:50:14 hlipa03 ns-slapd: [25/Dec/2021:12:50:14.728132510 -0500] - ERR -
set_krb5_creds - Could not get initial credentials for principal
[ldap/hlipa03.domain.com@DOMAIN
DER.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for
requested realm)
Dec 25 12:50:14 hlipa03 ns-slapd: [25/Dec/2021:12:50:14.731080779 -0500] - ERR -
set_krb5_creds - Could not get initial credentials for principal
[ldap/hlipa03.domain.com@DOMAIN
DER.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for
requested realm)
Dec 25 12:50:14 hlipa03 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may
provide more information (No Kerberos credentials available (default cache:
/tmp/krb5cc_389))
Dec 25 12:50:20 hlipa03 ns-slapd: [25/Dec/2021:12:50:20.735789980 -0500] - ERR -
set_krb5_creds - Could not get initial credentials for principal
[ldap/hlipa03.domain.com@DOMAIN
DER.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for
requested realm)
Dec 25 12:50:20 hlipa03 ns-slapd: [25/Dec/2021:12:50:20.738768442 -0500] - ERR -
set_krb5_creds - Could not get initial credentials for principal
[ldap/hlipa03.domain.com@DOMAIN
DER.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for
requested realm)
Dec 25 12:50:20 hlipa03 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may
provide more information (No Kerberos credentials available (default cache:
/tmp/krb5cc_389))
Dec 25 12:50:20 hlipa03 ns-slapd: [25/Dec/2021:12:50:20.747472483 -0500] - ERR -
slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP
server) errno 107 (Transport endpoint is not connected)
Does anyone know what could be happening here?
You don't say what version of IPA you're running, but here is a guess.
Look in /etc/dirsrv/slapd-REALM/dse.ldif for:
nsslapd-port and nsslapd-securePort. They should be set to 389 and 636
respectively. If not stop 389-ds, manually make the change, then restart.
I have the feeling there are no listeners configured.
rob
2:22 p.m.
Hi Rob,
Thanks for the reply. I am not able to find a nsslapd-securePort in the dse.ldif file, but
the nsslapd-port is set to 0. When I update that and reboot it is reset back to 0.
IPA Server is ipa-server-4.6.5-11.0.1.el7_7.3.x86_64
And just to be sure for now I want to just test starting LDAP with systemctl start
dirsrv(a)DOMAIN.COM correct?
2:35 p.m.
If you are editing dse.ldif manually while dirsrv is running, do not do
that. Stop the service first and then edit the file.
The service loads dse.ldif into ram upon startup and writes changes made
using ldapmodify out upon being shut down or restarted.
On 9/27/22 15:33, Nick Polites via FreeIPA-users wrote:
The nsslapd-port keeps resetting to 0 when I restart the dirsrv.
_______________________________________________
FreeIPA-users mailing list --freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email tofreeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:https://fedoraproject.org/wiki/Mailing_list_guidelines
List
Archives:https://lists.fedorahosted.org/archives/list/freeipa-users@lists...
Do not reply to spam, report it:https://pagure.io/fedora-infrastructure/new_issue
2:38 p.m.
Hi Rob,
It is now working! Thanks for your help. What I did was re-run the ipa-server-upgrade
while in another window editing the dse.ldif file and updating the nsslapd-port manually.
I ran through the update, rebooted and now 389 is listening as well as the IPA web UI.
I appreciate the help and I guess something must have broke in the upgrade process. I am
going to snapshot this VM and re-try the upgrade process again.
3:36 p.m.
I added the nsslapd-securePort: 636 but port 636 is not listening. 389 is working. Do I
need to do something else to get 636 working?
3:58 p.m.
On 9/27/22 4:36 PM, Nick Polites via FreeIPA-users wrote:
I added the nsslapd-securePort: 636 but port 636 is not listening.
389 is working. Do I need to do something else to get 636 working?
nsslapd-security needs to be "on" for the secure port to be activated.
This does require as server restart to take effect.
HTH,
Mark
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--
Directory Server Development Team
4:44 p.m.
Hi Mark,
Thank you so much. Hopefully everything will stay up now. It is crazy how much the
configuration file breaks if the upgrade fails. I'll report back tomorrow hopefully we
are in business.
11:33 a.m.
Nick Polites via FreeIPA-users wrote:
Hi Mark,
Thank you so much. Hopefully everything will stay up now. It is crazy how much the
configuration file breaks if the upgrade fails. I'll report back tomorrow hopefully we
are in business.
For the record, it's IPA that changes those listener values, not 389-ds.
During the upgrade process we want the LDAP server as quiet as possible
so disable the listeners, which also stops replication. After the
upgrade completes the values are restored.
It was the case in some versions where if the upgrade was killed (e.g. a
series of ^C) the values wouldn't be restored.
This was addressed in IPA 4.9.0.
rob
7:39 p.m.
While everything starts up correctly, it stops working after a while. I see the following
error in the logs
Sep 27 20:34:46 hlipa03 dogtag-ipa-ca-renew-agent-submit: Traceback (most recent call
last):#012 File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit",
line 515, in <module>#012
sys.exit(main())#012 File
"/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 489, in
main#012 kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)#012 File
"/us
r/lib/python2.7/site-packages/ipalib/install/kinit.py", line 47, in kinit_keytab#012
cred = gssapi.Credentials(name=name, store=store, usage='initiate')#012 File
"/usr/lib64/python2.7/s
ite-packages/gssapi/creds.py", line 64, in __new__#012 store=store)#012 File
"/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 148, in acquire#012
usage)#012 File "ext_cred
_store.pyx", line 182, in gssapi.raw.ext_cred_store.acquire_cred_from
(gssapi/raw/ext_cred_store.c:1732)#012GSSError: Major (851968): Unspecified GSS failure.
Minor code may provide more i
nformation, Minor (2529639068): Cannot contact any KDC for realm 'DOMAIN.COM'
Sep 27 20:34:46 hlipa03 certmonger: 2022-09-27 20:34:46 [1772] Internal error
8:58 a.m.
All,
I had enough time to run an ipa-backup --data to get the users exported out before it shut
down. I created a new VM and after setting IPA on the same version was able to import the
backup from the broken VM. The users are all showing now. Thanks to everyone's help
with this.
11:31 a.m.
Apologies for jumping the gun here, I tried to run a full backup and now I am seeing the
following error:
Sep 28 09:12:38 hlipa03 sssd[ldap_child[12778]]: Failed to initialize credentials using
keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create
GSSAPI-encrypted LDAP connection.
Now seeing some posts I see the following
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 host/hlipa03.acme.com@DOMAIN..COM
2 host/hlipa03.acme.com@DOMAIN..COM
2 host/hlipa03.acme.com@DOMAIN..COM
2 host/hlipa03.acme.com@DOMAIN..COM
2 host/hlipa03.acme.com@DOMAIN..COM
2 host/hlipa03.acme.com@DOMAIN..COM
kvno host/hlipa03.acme.com@DOMAIN..COM
host/hlipa03.acme.com@DOMAIN..COM: kvno = 1
So I have a sync issue (probably from the backup/restore)
When I try to sync though I get an error
ipa-getkeytab -s hlipa03.acme.com -p host/hlipa03.acme.com(a)DOMAIN.COM -k /etc/krb5.keytab
SASL Bind failed Invalid credentials (49) !
Failed to bind to server!
Retrying with pre-4.0 keytab retrieval method...
SASL Bind failed Invalid credentials (49) !
Failed to bind to server!
Failed to get keytab
2:26 p.m.
One other error I see is this and I think this is the one related to tomcat not working
server: Internal Database Error encountered: Could not connect to LDAP server host
hlipa03.acme.com port 636 Error netscape.ldap.LDAPException: Authentication failed (49)
2:30 p.m.
Nick Polites via FreeIPA-users wrote:
Apologies for jumping the gun here, I tried to run a full backup and
now I am seeing the following error:
Sep 28 09:12:38 hlipa03 sssd[ldap_child[12778]]: Failed to initialize credentials using
keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create
GSSAPI-encrypted LDAP connection.
Now seeing some posts I see the following
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 host/hlipa03.acme.com@DOMAIN..COM
2 host/hlipa03.acme.com@DOMAIN..COM
2 host/hlipa03.acme.com@DOMAIN..COM
2 host/hlipa03.acme.com@DOMAIN..COM
2 host/hlipa03.acme.com@DOMAIN..COM
2 host/hlipa03.acme.com@DOMAIN..COM
kvno host/hlipa03.acme.com@DOMAIN..COM
host/hlipa03.acme.com@DOMAIN..COM: kvno = 1
So I have a sync issue (probably from the backup/restore)
When I try to sync though I get an error
ipa-getkeytab -s hlipa03.acme.com -p host/hlipa03.acme.com(a)DOMAIN.COM -k
/etc/krb5.keytab
SASL Bind failed Invalid credentials (49) !
Failed to bind to server!
Retrying with pre-4.0 keytab retrieval method...
SASL Bind failed Invalid credentials (49) !
Failed to bind to server!
Failed to get keytab
I think we need more context on what you've done. What is hlipa03? Is it
the restored IPA server or something else? Did you have any other IPA
servers? When doing a full restore you must reinitialize any replicas
from the restored server.
rob
3:03 p.m.
Hi Rob,
This server hlipa03 was the hostname and IP of the server I had the issues with yesterday.
I thought if I got the backup it would be best to create a new VM and import the backup. I
still have the original boot image of the broken one I can bring back if I need to.
When I run a ipa-replica-manage list it is showing me servers which were used as tests but
should not be considered masters
hlipa01.acme.com: master
hlipa03.acme.com: master
hlipa04.acme.com: master
hlipa02.acme.com: master
hlipa06.acme: master
hlipa07.acme: master
hlmon01.acme: master
I can delete all but the hlipa03 as this is the only IPA server that should be active. I
hope this helps. My issue looks like it is now in tomcat still not starting properly.
Something from the import breaks it as it worked prior to the import of the backup.
8:54 a.m.
Is it possible to export the users/passwords/groups and polices from my other IPA server
which is working and import them into here? I guess I could use a data only backup from
there and import it here.
Are there any additional steps that I need to do?
12:51 p.m.
Nick Polites via FreeIPA-users wrote:
Is it possible to export the users/passwords/groups and polices from
my other IPA server which is working and import them into here? I guess I could use a data
only backup from there and import it here.
Are there any additional steps that I need to do?
ipa-replica-manage --re-initialize --from <host-with-good-data>
See the man page for more details.
rob
9:38 a.m.
UPDATE:
I have resolved the issue. The problem all stemmed from the
$getcert list
Having expired certificates. I had to startup IPA using
ipactl start --ignore-service-failures
and then issue the
getcert resubmit -i <<request id>>
One certificate came up as CA_UNREACHABLE but had a valid expiration date in the future. I
rebooted the VM and everything is working now.
Thanks for all of the help but it is concerning that these do seem to break. I have added
a login warning prior to an O/S upgrade or reboot to check that the certs are all valid.
9:40 a.m.
I compounded the issue by running a yum upgrade and updating IPA. Every time IPA started
it wanted to upgrade but being in a broken state due to the invalid certs from the current
version it could not upgrade.
9:41 a.m.
On 30/09/2022 15:38, Nick Polites via FreeIPA-users wrote:
UPDATE:
I have resolved the issue. The problem all stemmed from the
$getcert list
Having expired certificates. I had to startup IPA using
ipactl start --ignore-service-failures
and then issue the
getcert resubmit -i <<request id>>
One certificate came up as CA_UNREACHABLE but had a valid expiration date in the future.
I rebooted the VM and everything is working now.
Thanks for all of the help but it is concerning that these do seem to break. I have added
a login warning prior to an O/S upgrade or reboot to check that the certs are all valid.
Check out ipa-healthcheck - it can warn you about these sorts of
breakages before they actaully cause an outage.
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
9:56 a.m.
Nick Polites via FreeIPA-users wrote:
UPDATE:
I have resolved the issue. The problem all stemmed from the
$getcert list
Having expired certificates. I had to startup IPA using
ipactl start --ignore-service-failures
and then issue the
getcert resubmit -i <<request id>>
One certificate came up as CA_UNREACHABLE but had a valid expiration date in the future.
I rebooted the VM and everything is working now.
Thanks for all of the help but it is concerning that these do seem to break. I have added
a login warning prior to an O/S upgrade or reboot to check that the certs are all valid.
Glad you got it working again.
You'd have to read the journal to know for sure what certmonger did or
didn't do.
ipa-cert-fix is one way to repair expired certificates.
ipa-healthcheck can be used to warn about a number of common issues with
an IPA server configureation.
rob
574
days inactive
577
days old
freeipa-users@lists.fedorahosted.org
22 comments
5 participants
participants (5)
-
Mark Reynolds -
Nick Polites -
Rob Crittenden -
Sam Morris -
Striker Leggette