Hi,

if you start the services with
ipactl --ignore-service-failures start
then it will ignore the failure that happens when starting PKI but it won't solve the initial issue (CertificateOperationError) because the framework still won't be able to communicate with PKI.

I would focus first on the kinit admin issue, as Kerberos is used by all the IPA stack.

flo

On Tue, Mar 8, 2022 at 7:29 PM Alessandro Minonzio <[email protected]> wrote:

> Hi Florence,
>
> I have examined the logs on the tomcat.
> It seems to have issues.
> Do you think that the command
>
> ipactl --ignore-service-failures start
>
> should solve the problem? Or do I need to investigate the logs?
>
> Thanks and regards,
>
> AM
>
> On Thu, 24 Feb 2022 at 08:23, Florence Blanc-Renaud <[email protected]> wrote:
>
>> Hi,
>>
>> so there are at least 2 issues to fix:
>> - kinit admin fails
>> - pki-tomcatd service and ipa-otpd service are stopped.
>>
>> For the first issue, can you run:
>> # KRB5_TRACE=/dev/stderr kinit admin
>> This will print more details (if DNS resolution is used etc...)
>>
>> For the 2nd issue, you need to have a look at the logs in
>> /var/log/pki/pki-tomcat/, and check for errors with
>> # systemctl status pki-tomcatd@pki-tomcat
>> and in the journal:
>> # journalctl -u pki-tomcatd@pki-tomcat
>>
>> flo
>>
>> On Wed, Feb 23, 2022 at 10:35 AM Alessandro Minonzio <[email protected]> wrote:
>>
>>> Hi Florence,
>>>
>>> thanks for the support. I report the status of FreeIPA:
>>>
>>> [root@adv ~]# ipactl status
>>> Directory Service: RUNNING
>>> krb5kdc Service: RUNNING
>>> kadmin Service: RUNNING
>>> httpd Service: RUNNING
>>> ipa-custodia Service: RUNNING
>>> ntpd Service: RUNNING
>>> pki-tomcatd Service: STOPPED
>>> ipa-otpd Service: STOPPED
>>> ipa: INFO: The ipactl command was successful
>>>
>>> pki-tomcatd and ipa-otpd seem to be stopped.
>>>
>>> On Wed, 23 Feb 2022 at 10:00, Florence Blanc-Renaud <[email protected]> wrote:
>>>
>>>> Hi,
>>>> are all the IPA services up and running on the replica (the kinit error
>>>> suggests that either krb5.conf is badly configured or the kerberos server
>>>> isn't running on the replica)?
>>>> Please report the output of "ipactl status".
>>>>
>>>> flo
>>>>
>>>> On Wed, Feb 23, 2022 at 9:05 AM Alessandro Minonzio via FreeIPA-users <[email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I report this issue about FreeIPA server:
>>>>>
>>>>> ------------------------------------------------------------
>>>>>
>>>>> Request for enhancement
>>>>>
>>>>> A strange error is occurring when I try to access my FreeIPA.
>>>>>
>>>>> Issue
>>>>>
>>>>> The problem occurs when I try to access the FreeIPA portal.
>>>>>
>>>>> "The message occurs saying IPA Error 4301: CertificateOperationError"
>>>>> "Certificate operation cannot be completed: Unable to communicate with
>>>>> CMS (500)"
>>>>>
>>>>> In Certificate Authority appears:
>>>>>
>>>>> "cannot connect to 'https://xyz.xxxxxhq.it:443/ca/rest/account/login':
>>>>> [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake failure (_ssl.c:1826)"
>>>>>
>>>>> and if I try to connect with the KINIT ADMIN command, this error appears
>>>>> on the console:
>>>>>
>>>>> "kinit: Cannot contact any KDC for realm 'SUBITOHQ.IT' while getting
>>>>> initial credentials"
>>>>>
>>>>> Actual behavior
>>>>>
>>>>> The web server and console with kinit admin don't work. LDAPADMIN tool
>>>>> too.
>>>>>
>>>>> Version/Release/Distribution
>>>>>
>>>>> package freeipa-server is not installed
>>>>> package freeipa-client is not installed
>>>>> ipa-server-4.6.5-11.el7.centos.3.x86_64
>>>>> ipa-client-4.6.5-11.el7.centos.3.x86_64
>>>>> 389-ds-base-1.3.9.1-12.el7_7.x86_64
>>>>> pki-ca-10.5.16-5.el7_7.noarch
>>>>> krb5-server-1.15.1-37.el7_7.2.x86_64
>>>>>
>>>>> Additional info:
>>>>>
>>>>> Maybe it's a problem with the CA, but what is the process to solve that
>>>>> issue? The fact is that this behavior is on a replica FreeIPA server with
>>>>> CA and DOMAIN. Is there a resolution or a command to solve that?
>>>>>
>>>>> ------------------------------------------------------------
>>>>>
>>>>> Could you help me please?
>>>>>
>>>>> Best regards,
>>>>>
>>>>> AM
>>>>> _______________________________________________
>>>>> FreeIPA-users mailing list -- [email protected]
>>>>> To unsubscribe send an email to [email protected]
>>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
>>>>> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>>>>>
>>>>
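
The triage order suggested in the thread (Kerberos first, then the stopped PKI service), as an added example that is not part of the original messages. The function names `stopped_services` and `triage` are hypothetical; the sample input is the `ipactl status` output and kinit error quoted in the thread, and the printed commands are the ones given there.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Function names are hypothetical.

# Sample input: the `ipactl status` output and kinit error quoted in the thread.
SAMPLE_STATUS='Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: STOPPED
ipa: INFO: The ipactl command was successful'
SAMPLE_KINIT_ERR="kinit: Cannot contact any KDC for realm 'SUBITOHQ.IT' while getting initial credentials"

# Read `ipactl status` text on stdin; print the name of each STOPPED service.
stopped_services() {
    awk 'NF >= 2 && $(NF-1) == "Service:" && $NF == "STOPPED" { print $1 }'
}

# $1 = `ipactl status` text, $2 = kinit error text (may be empty).
# Prints next steps, Kerberos first, using the commands given in the thread.
triage() {
    t_stopped=$(printf '%s\n' "$1" | stopped_services)
    case $2 in
        *"Cannot contact any KDC"*)
            if printf '%s\n' "$t_stopped" | grep -qx 'krb5kdc'; then
                echo "kerberos: krb5kdc is not running on this host"
            else
                echo "kerberos: krb5kdc is running, check krb5.conf/DNS with: KRB5_TRACE=/dev/stderr kinit admin"
            fi ;;
    esac
    if printf '%s\n' "$t_stopped" | grep -qx 'pki-tomcatd'; then
        echo "pki: systemctl status pki-tomcatd@pki-tomcat"
        echo "pki: journalctl -u pki-tomcatd@pki-tomcat"
        echo "pki: read the logs in /var/log/pki/pki-tomcat/"
    fi
}

triage "$SAMPLE_STATUS" "$SAMPLE_KINIT_ERR"
```

On a live server the first argument would be `"$(ipactl status 2>&1)"` and the second the captured stderr of `kinit admin`.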
