Not sure I'm sending this to the right place, but here it goes. I inherited a
FreeIPA/Identity Manager setup in an enclave (no internet access) environment that is
running into problems. There are at least 3 different IdM servers running in the
environment spread out across different geographical areas. One of those areas suffered
an unscheduled power outage recently, and ever since we brought everything back up, the IdM
server for this region is having an issue. Please bear with me as I have zero formal
experience, training, or real knowledge with IdM.
Logging in to the server (it's a VM server, running CentOS 7.5), I run "ipactl
status" and it shows "Directory Service: STOPPED". I then run "ipactl
restart", and things go fine until it gets to "Starting pki-tomcatd
Service", where it hangs for quite some time before failing to start and killing all
the other services. I check the log at /var/log/pki/pki-tomcat/ca/debug and I see various
errors such as (forgive any mistypings, I have to manually type these in as I can't
import or screen capture the logs and put them in this message):
"java.lang.Exception: Certificate Server-Cert cert-pki-ca is invalid: Invalid
certificate: (-8181) Peer's Certificate has expired"
And slightly further down in the same log:
"Cannot reset factory: connections not all returned"
"CertificateAuthority.shutdown: failed to reset dbFactory: Cannot reset LDAP
connection factory because some connections are still outstanding"
... still further down:
"returnConn:mNumConns now 3 Invalid class name repositorytop"
Assuming I have some weird certificate issue with this server in particular, I try to run
a few more commands:
"certutil -L -d /etc/httpd/alias" --> returns a Server-Cert listing with
u,u,u as its trust attributes, and <IDM.domain> IPA CA with CT,C,C for its
attributes. Comparing to a second IdM server in this environment, it seems to be missing
a "Signing-Cert"?
I also did a "getcert list", and all certs it has show that they expire in the
future (nothing shows as being currently expired).
I'm confused; it seems that it is seeing an expired cert *somewhere*, but how do I
track down which 'peer' the log file is talking about that has an expired cert?
Meanwhile none of the linux clients that point to this IdM server are allowing people to
log in/authenticate.
Many thanks for any help!
Scott
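An added example, not part of Scott's post and not FreeIPA's own tooling: the debug log names a "peer" rather than a certificate nickname, and `getcert list` only reports certificates certmonger is tracking, so a quick way to localize the expired certificate is to walk every NSS database the server's components read and compare each certificate's "Not After" date against today. The script below does that with the same `certutil -L` commands used above. The database paths (httpd's `/etc/httpd/alias`, the CA's `/etc/pki/pki-tomcat/alias`, and the `/etc/dirsrv/slapd-*` instances) are assumptions about the standard FreeIPA 4.x layout on CentOS 7; the parsing functions are kept separate from the scan so they can be exercised on pasted `certutil` output without touching a live server.

```shell
#!/bin/sh
# Added example: walk the NSS certificate databases a FreeIPA 4.x server on
# CentOS 7 uses and report which certificates have passed their "Not After"
# date. The database paths are assumptions about the standard layout
# (httpd, the pki-tomcat CA, and each 389-ds instance), not taken from the post.
NSS_DBS="/etc/httpd/alias /etc/pki/pki-tomcat/alias /etc/dirsrv/slapd-*"

# Read "certutil -L -d DB" output on stdin and print one nickname per line.
# The first three lines are the column header; the last field of each
# remaining line is the trust attribute string (u,u,u / CT,C,C), so strip it
# and keep the nickname exactly as printed (it may contain spaces).
nss_nicknames() {
    awk 'NR > 3 && NF >= 2 { sub(/[ \t]+[^ \t]+[ \t]*$/, ""); print }'
}

# Read "certutil -L -d DB -n NICK" output on stdin and print the "Not After"
# date as YYYYMMDD, e.g. "Not After : Thu Aug 27 12:44:46 2020" -> 20200827.
certutil_not_after() {
    awk '/Not After/ {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
        for (i = 1; i <= 12; i++) month[names[i]] = sprintf("%02d", i)
        # fields: $4 weekday, $5 month, $6 day, $7 time, $8 year
        printf "%s%s%02d\n", $8, month[$5], $6
        exit
    }'
}

# Succeed (exit 0) when NOT_AFTER (YYYYMMDD) is strictly before TODAY (YYYYMMDD).
is_expired() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" -lt "$2" ]
}

# Run certutil against every database that exists and print one line per
# certificate: status, expiry date, database path and nickname.
scan_nss_dbs() {
    today=$(date +%Y%m%d)
    for db in $NSS_DBS; do
        [ -d "$db" ] || continue
        certutil -L -d "$db" | nss_nicknames | while IFS= read -r nick; do
            not_after=$(certutil -L -d "$db" -n "$nick" | certutil_not_after)
            if is_expired "$not_after" "$today"; then
                status=EXPIRED
            else
                status=valid
            fi
            printf '%-8s %s  %s  %s\n' "$status" "$not_after" "$db" "$nick"
        done
    done
}

# Only read the live databases when explicitly asked:
#   sh check-nss-expiry.sh --scan
case "${1:-}" in
    --scan) scan_nss_dbs ;;
esac
```

Run it as root on the affected server with `--scan`; a line marked EXPIRED in the directory server's or the CA's own database is a certificate that `getcert list` will not necessarily show, which matches the situation where certmonger reports everything as current while pki-tomcatd still refuses to start. The date comparison deliberately avoids `date -d` so it behaves the same under any POSIX `sh`.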