Thank you for your reply. I just retried with debug enabled but I cannot
say I see anything useful.


I was wondering if I somehow can debug the Kerberos procedure more... or get
rid of memcache for debug purposes.

Best regards,

Dimitrios


On Mon, Jan 15, 2018 at 8:49 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Dimitris Zilaskos via FreeIPA-users wrote:
> > Hello,
> >
> > I have been asked to look into an ipa server running in CentOS 6. The
> > server was misbehaving for some time, with some certificates expiring
> > back in October. Also / was full. I have cleaned up some space, set the
> > date back before the certificates expired, restarted/rebooted but
> > renewal of certs fails:
> >
> > [Wed Oct 25 00:00:21 2017] [info] Connection to child 0 established
> > (server portal.cloud.local, client 10.142.20.10)
> > [Wed Oct 25 00:00:21 2017] [debug] nss_engine_init.c(1948): SNI: Found
> > nickname Server-Cert for vhost: portal.cloud.local
> > [Wed Oct 25 00:00:21 2017] [debug] nss_engine_init.c(1970): SNI:
> > Successfully paired vhost portal.cloud.local with nickname: Server-Cert
> > [Wed Oct 25 00:00:21 2017] [debug] nss_engine_kernel.c(93): SNI request
> > for portal.cloud.local
> > [Wed Oct 25 00:00:21 2017] [info] Initial (No.1) HTTPS request received
> > for child 0 (server portal.cloud.local:443)
> > [Wed Oct 25 00:00:21 2017] [error] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
> > [Wed Oct 25 00:00:21 2017] [error] ipa: DEBUG: WSGI xmlserver.__call__:
> > [Wed Oct 25 00:00:21 2017] [error] ipa: ERROR: 500 Internal Server
> > Error: xmlserver.__call__: KRB5CCNAME not defined in HTTP request
> > environment
> > [Wed Oct 25 00:00:21 2017] [error] ipa: DEBUG: response: CCacheError:
> > did not receive Kerberos credentials
> > [Wed Oct 25 00:00:21 2017] [info] Connection to child 0 closed (server
> > portal.cloud.local:443, client 10.142.20.10)
> >
> > I can do kinit admin without problems. Please any hints how can I
> > resolve this?
> >
>
> This isn't much to go on.
>
> You might create /etc/ipa/server.conf with the contents:
>
> [global]
> debug = True
>
> and restart IPA. It should provide more information on the incoming
> request.
>
> certmonger logs to syslog so I'd check there for details from the renewal.
>
> Knowing the state of the certs tracked by certmonger would be helpful
> too (be sure to redact any PIN that might be in the getcert list output).
>
> rob
>

Attachment: certmonger.log
Description: Binary data

Attachment: getcertlist.log
Description: Binary data

Attachment: httperror.log
Description: Binary data

Attachment: krb5kdc.log
Description: Binary data

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
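
Added example, not part of the thread and not FreeIPA or certmonger code: one way to follow the advice above about sharing `getcert list` output, redacting any `pin=` value and summarising each tracked request's status and expiry. The sample input is constructed in the layout `getcert list` prints, and `redact` and `summarize` are hypothetical helper names.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout `getcert list` prints; not data from this thread.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20170101000000':
    status: CA_UNREACHABLE
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',pin='123456789012'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
    expires: 2017-10-25 12:00:00 UTC
Request ID '20170101000001':
    status: MONITORING
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE',pinfile='/etc/dirsrv/slapd-EXAMPLE/pwdfile.txt'
    expires: 2019-01-01 00:00:00 UTC
"""

# Matches pin='...' or a bare pin=value, but not pinfile=..., which is only a path.
PIN_RE = re.compile(r"\bpin=(?:'[^']*'|[^,\s]+)", re.IGNORECASE)

def redact(text):
    """Replace every PIN value so the listing can be posted to a public list."""
    return PIN_RE.sub("pin='<redacted>'", text)

def summarize(text, now):
    """Return id, status, expiry and expired flag per tracked request.
    `now` is passed in rather than read from the system clock."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1), "status": None, "expires": None, "expired": None}
            requests.append(current)
            continue
        key, sep, value = line.strip().partition(": ")
        if current is None or not sep:
            continue
        if key == "status":
            current["status"] = value
        elif key == "expires":
            try:
                when = datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC")
            except ValueError:
                continue  # unexpected date layout: leave expiry unknown
            current["expires"] = when.replace(tzinfo=timezone.utc)
            current["expired"] = current["expires"] < now
    return requests

if __name__ == "__main__":
    safe = redact(SAMPLE)
    print(safe)
    for r in summarize(safe, datetime.now(timezone.utc)):
        print(r["id"], r["status"], r["expires"], "EXPIRED" if r["expired"] else "valid")
```

Because the reference time is an argument, expiry can be judged against the real date even on a host whose clock has been set back.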
