On Wed, Aug 02, 2017 at 08:34:59AM -0400, Mark Haney wrote:
> On 08/02/2017 07:25 AM, Fraser Tweedale wrote:
> > On Tue, Aug 01, 2017 at 02:55:26PM -0400, Rob Crittenden wrote:
> > > 
> > > Providing the dogtag debug log might be helpful. The replica install log
> > > shows that the GoDaddy CA chain was imported and trusted reasonably
> > > (C,,) but the installer later claims it can't find them by nickname. I
> > > think we need Fraser to take a closer look as he's a dogtag developer.
> > > 
> > > rob
> > > 
> > Hi Mark,
> > 
> > Thank you for reporting your issue, for the information you have
> > provided and for bearing with us as we investigate it.  The CA is a
> > complex part of the FreeIPA system with many moving parts so it can
> > take a while to get to the bottom of things.
> > 
> > I am travelling this week though I hope to find some time to start
> > looking into this tomorrow.  Realistically I will not have a lot of
> > time to focus on this issue until next week.
> > 
> > Thanks,
> > Fraser
> 
> Apologies for the harshness of my previous reply.  It was a long and
> frustrating day on a lot of fronts for me.  That's not really an excuse,
> however.
> 
> As I'm not at all familiar with FreeIPA's layout, nor which server I should
> pull the logs from, can you provide me with what additional log files you
> need and which server to pull from? Note: ipa0 is the primary and ipa1 the
> replica I'm banging my head against.
> 
> I appreciate you taking a look at this in depth and I'll offer all the help
> I can.
> 

- /var/log/ipareplica-install.log from replica
- /etc/pki/pki-tomcat/ca/debug from both master and replica

Those logs should do for a start.

I'd also like to see your /etc/pki/pki-tomcat/ca/CS.cfg from both
master and replica.  Depending on where investigation goes I might
ask for some LDAP entries too, but I'm not up to that point yet.

Feel free to send logs directly to me and/or redact them as you see
fit.

Cheers,
Fraser
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to