Hi, ipa-ods-exporter is a socket-activated service, and ipactl status may show it as STOPPED. That's not an issue (and you can see the status of ipactl as successful) as the socket is still listening on events and will wake the service on demand. If it is started manually without the appropriate message passed through the socket, it exits on failure with the log: ipa-ods-exporter: CRITICAL socket activation did not return a readable socket with a command.
Hope this clarifies, flo On Mon, Sep 6, 2021 at 1:06 AM Jeremy Tourville via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Could a ssl cert cause this issue? > > References: > > #1 https://pagure.io/freeipa/issue/7378 > user comments - hcoin commented 6 months ago > >>>"This issue is back as of 3/2021. Freeipa 4.9.2-4.fc33 > SELinux=permissive as well" > > Though my system is centos, freeipa version is the same and selinux is > permissive > > #2 https://access.redhat.com/solutions/5527751 > > Observations: > 1. Cert on web page UI is not trusted. > 2. Web page does not fully load. > 3. My system does contain the java version listed in the kb > # rpm -q java-1.8.0-openjdk > java-1.8.0-openjdk-1.8.0.302.b08-0.el8_4.x86_64 > 4. Trying to uninstall/disable dnssec master producess ssl error > > [root@utility ~]# ipa-dns-install --disable-dnssec-master > > The log file for this installation can be found in > /var/log/ipaserver-dns-install.log > > ============================================================================== > This program will setup DNS for the IPA Server. > > This includes: > * Configure DNS (bind) > * Configure SoftHSM (required by DNSSEC) > * Configure ipa-dnskeysyncd (required by DNSSEC) > * Unconfigure ipa-ods-exporter > * Unconfigure OpenDNSSEC > > No new zones will be signed without DNSSEC key master IPA server. > > Please copy file from /var/lib/ipa/ipa-kasp.db.backup after > uninstallation. This file is needed on new DNSSEC key > master server > > NOTE: DNSSEC zone signing is not enabled by default > > > To accept the default shown in brackets, press the Enter key. > > Do you want to disable current DNSSEC key master? [no]: yes > Do you want to configure DNS forwarders? [yes]: > Following DNS servers are configured in /etc/resolv.conf: 127.0.0.1 > Do you want to configure these servers as DNS forwarders? [yes]: no > Enter an IP address for a DNS forwarder, or press Enter to skip: > 172.30.50.10 > DNS forwarder 172.30.50.10 added. You may add another. > Enter an IP address for a DNS forwarder, or press Enter to skip: > DNS forwarders: 172.30.50.10 > Checking DNS forwarders, please wait ... > Do you want to search for missing reverse zones? [yes]: > > The following operations may take some minutes to complete. > Please wait until the prompt is returned. > > Configuring DNS (named) > [1/8]: generating rndc key file > [2/8]: setting up our own record > [3/8]: adding NS record to the zones > [4/8]: setting up kerberos principal > [5/8]: setting up named.conf > [6/8]: setting up server configuration > [7/8]: configuring named to start on boot > [8/8]: changing resolv.conf to point to ourselves > Done configuring DNS (named). > Restarting the web server to pick up resolv.conf changes > Configuring DNS key synchronization service (ipa-dnskeysyncd) > [1/7]: checking status > [2/7]: setting up bind-dyndb-ldap working directory > [3/7]: setting up kerberos principal > [4/7]: setting up SoftHSM > [5/7]: adding DNSSEC containers > [6/7]: creating replica keys > [7/7]: configuring ipa-dnskeysyncd to start on boot > Done configuring DNS key synchronization service (ipa-dnskeysyncd). > Unconfiguring ods-enforcerd > Exporting DNSSEC data before uninstallation > Unconfiguring ipa-ods-exporter > Unexpected error - see /var/log/ipaserver-dns-install.log for details: > NetworkError: cannot connect to ' > https://utility.idm.nac-issa.org:443/ca/rest/certs/search?size=2147483647': > [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897) > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure >
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
