Hello,
I ran into this issue, which was compounded when I ran a yum update and IPA
needed to run an upgrade. I rolled back the update to get it to stop requesting
an upgrade. I see two issues here and am not sure if they are related. Note: I
removed our domain name and replaced it with DOMAIN.
1) Running "getcert list | egrep -e status -e expire -e certificate", I see one
cert which has expired, but two are showing a status of CA_UNREACHABLE.
getcert list | egrep -e status -e expire -e certificate
Number of certificates and requests being tracked: 8.
status: MONITORING
certificate: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB'
expires: 2023-10-09 05:38:11 UTC
status: MONITORING
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
expires: 2023-10-09 05:40:10 UTC
status: MONITORING
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
expires: 2024-05-06 15:43:26 UTC
status: MONITORING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2024-05-06 15:44:27 UTC
status: CA_UNREACHABLE
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2022-06-14 06:59:34 UTC
status: CA_UNREACHABLE
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2036-09-08 13:37:52 UTC
status: MONITORING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
expires: 2023-09-23 05:38:11 UTC
status: MONITORING
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
expires: 2023-06-08 15:43:24 UTC
certificate template/profile: KDCs_PKINIT_Certs
I think this could be what is throwing this error in my messages:
Sep 27 11:55:38 hlipa03 dogtag-ipa-ca-renew-agent-submit: Traceback (most recent call last):
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 515, in <module>
    sys.exit(main())
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 489, in main
    kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
  File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 47, in kinit_keytab
    cred = gssapi.Credentials(name=name, store=store, usage='initiate')
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 64, in __new__
    store=store)
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 148, in acquire
    usage)
  File "ext_cred_store.pyx", line 182, in gssapi.raw.ext_cred_store.acquire_cred_from (gssapi/raw/ext_cred_store.c:1732)
GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639068): Cannot contact any KDC for realm 'DOMAIN.COM'
So what I tried to do was roll back the date to Dec 25, 2021 and restart
everything, but LDAP is still not starting. Here are a few errors I am seeing:
Dec 25 12:50:06 hlipa03 systemd: Starting 389 Directory Server DOMAIN-COM....
Dec 25 12:50:06 hlipa03 ns-slapd: [25/Dec/2021:12:50:06.472160613 -0500] - NOTICE - config_set_port - Non-Secure Port Disabled
Dec 25 12:50:06 hlipa03 ns-slapd: [25/Dec/2021:12:50:06.568296397 -0500] - INFO - main - 389-Directory/1.3.10.2 B2022.179.1321 starting up
Dec 25 12:50:06 hlipa03 ns-slapd: [25/Dec/2021:12:50:06.570071317 -0500] - INFO - main - Setting the maximum file descriptor limit to: 16384
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.267883144 -0500] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.282267183 -0500] - WARN - default_mr_indexer_create - Plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.287484618 -0500] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.303941493 -0500] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.320417322 -0500] - NOTICE - ldbm_back_start - found 30613432k physical memory
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.321743123 -0500] - NOTICE - ldbm_back_start - found 29044884k available
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.322958961 -0500] - NOTICE - ldbm_back_start - cache autosizing: db cache: 765335k
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.324023640 -0500] - NOTICE - ldbm_back_start - cache autosizing: userRoot entry cache (3 total): 720896k
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.328954216 -0500] - NOTICE - ldbm_back_start - cache autosizing: userRoot dn cache (3 total): 131072k
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.330907096 -0500] - NOTICE - ldbm_back_start - cache autosizing: ipaca entry cache (3 total): 720896k
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.336102686 -0500] - NOTICE - ldbm_back_start - cache autosizing: ipaca dn cache (3 total): 131072k
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.337870481 -0500] - NOTICE - ldbm_back_start - cache autosizing: changelog entry cache (3 total): 720896k
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.342750894 -0500] - NOTICE - ldbm_back_start - cache autosizing: changelog dn cache (3 total): 131072k
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.344621870 -0500] - NOTICE - ldbm_back_start - total cache size: 3400949555 B;
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.467376898 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.468965116 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=keys,cn=sec,cn=dns,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.470221810 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.471510458 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.472703756 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.473949469 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.475191460 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.476506914 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.477702221 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.478971257 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.480144620 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.481346463 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.482548595 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.483735174 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.484936731 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.486290254 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.487505855 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.488679941 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.489957510 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.491180117 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.492446197 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.499046420 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ad,cn=etc,dc=DOMAIN,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.502451715 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=domain,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.504012530 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=domain,dc=com does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.639427471 -0500] - WARN - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.688774307 -0500] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/hlipa03.domain.com@DOMAINDER.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.691560843 -0500] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meTohlipa06.domain.com" (hlipa06:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.693497359 -0500] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/hlipa03.domain.com@DOMAINDER.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
Dec 25 12:50:11 hlipa03 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: /tmp/krb5cc_389))
Dec 25 12:50:11 hlipa03 ns-slapd: [25/Dec/2021:12:50:11.721198701 -0500] - INFO - slapd_daemon - slapd started. Listening on /var/run/slapd-DOMAIN-COM.socket for LDAPI requests
Dec 25 12:50:11 hlipa03 systemd: Started 389 Directory Server DOMAIN-COM..
Dec 25 12:50:14 hlipa03 ns-slapd: [25/Dec/2021:12:50:14.723579661 -0500] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
Dec 25 12:50:14 hlipa03 ns-slapd: [25/Dec/2021:12:50:14.724902033 -0500] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=cloneAgreement1-hlipa03.domain.com-pki-tomcat" (hlipa01:389) - Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ()
Dec 25 12:50:14 hlipa03 ns-slapd: [25/Dec/2021:12:50:14.728132510 -0500] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/hlipa03.domain.com@DOMAINDER.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
Dec 25 12:50:14 hlipa03 ns-slapd: [25/Dec/2021:12:50:14.731080779 -0500] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/hlipa03.domain.com@DOMAINDER.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
Dec 25 12:50:14 hlipa03 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: /tmp/krb5cc_389))
Dec 25 12:50:20 hlipa03 ns-slapd: [25/Dec/2021:12:50:20.735789980 -0500] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/hlipa03.domain.com@DOMAINDER.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
Dec 25 12:50:20 hlipa03 ns-slapd: [25/Dec/2021:12:50:20.738768442 -0500] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/hlipa03.domain.com@DOMAINDER.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
Dec 25 12:50:20 hlipa03 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: /tmp/krb5cc_389))
Dec 25 12:50:20 hlipa03 ns-slapd: [25/Dec/2021:12:50:20.747472483 -0500] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
Does anyone know what could be happening here?
Thanks
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
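Added example, not part of the post above and not code from FreeIPA or certmonger. The post's getcert output shows one expired certificate (the ocspSigningCert, 2022-06-14) and two requests stuck in CA_UNREACHABLE, and the poster then rolled the clock back by hand. The usual first step of the FreeIPA expired-certificate recovery is exactly that: pick a clock value at which every tracked certificate is still valid, set the system clock there, restart IPA, and let certmonger resubmit the renewals. The script below parses the `status:` / `certificate:` / `expires:` lines that the poster's egrep kept (re-joined onto one line per field, as a constructed sample), reports what is expired or not in MONITORING state at a given time, and computes the latest safe rollback time. Assumptions: the "now" of 2022-09-27 is inferred from the expiry dates the post quotes (the post itself only says "Sep 27"), and the one-day safety margin is a choice, not something the page states. Caveat built into the code: `getcert list` does not print notBefore, so the candidate time still has to be checked against each cert's notBefore before it is used.

```python
"""Parse `getcert list` output and compute what a clock-rollback recovery needs.

Added example; not code from the post or from FreeIPA/certmonger. Only the
`status:`, `certificate:` and `expires:` lines are used; every other line
certmonger prints (Request ID, key pair storage, ...) is ignored.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the eight tracked requests quoted in the post, one line
# per field. The domain was already redacted to DOMAIN in the post.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 8.
status: MONITORING
certificate: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB'
expires: 2023-10-09 05:38:11 UTC
status: MONITORING
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
expires: 2023-10-09 05:40:10 UTC
status: MONITORING
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
expires: 2024-05-06 15:43:26 UTC
status: MONITORING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2024-05-06 15:44:27 UTC
status: CA_UNREACHABLE
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2022-06-14 06:59:34 UTC
status: CA_UNREACHABLE
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2036-09-08 13:37:52 UTC
status: MONITORING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
expires: 2023-09-23 05:38:11 UTC
status: MONITORING
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
expires: 2023-06-08 15:43:24 UTC
certificate template/profile: KDCs_PKINIT_Certs
"""


def utc(*args):
    """Aware UTC datetime from (year, month, day, hour, minute, second)."""
    return datetime(*args, tzinfo=timezone.utc)


# The post says one cert had expired when written on "Sep 27"; the year 2022 is
# inferred from the expiry dates it quotes (assumption).
POST_NOW = utc(2022, 9, 27, 11, 55, 38)


def parse_getcert(text):
    """Return one dict per tracked request: status, name, expires (aware UTC)."""
    certs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("status:"):
            cur = {"status": line.split(":", 1)[1].strip(), "name": None, "expires": None}
            certs.append(cur)
        elif cur is None:
            continue  # header lines before the first request
        elif line.startswith("certificate:"):  # not "certificate template/profile:"
            desc = line.split(":", 1)[1].strip()
            loc = re.search(r"location='([^']*)'", desc)
            nick = re.search(r"nickname='([^']*)'", desc)
            cur["name"] = (loc.group(1) if loc else desc) + (":" + nick.group(1) if nick else "")
        elif line.startswith("expires:"):
            stamp = line.split(":", 1)[1].strip()
            if stamp.endswith(" UTC"):  # certmonger prints UTC timestamps
                stamp = stamp[:-4]
            cur["expires"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return [c for c in certs if c["expires"] is not None]


def expired_at(certs, now):
    """Certs whose notAfter is at or before `now`."""
    return [c for c in certs if c["expires"] <= now]


def not_monitoring(certs):
    """Requests certmonger is not simply tracking (CA_UNREACHABLE, CA_REJECTED, ...)."""
    return [c for c in certs if c["status"] != "MONITORING"]


def safe_rollback_time(certs, margin=timedelta(days=1)):
    """Latest instant, minus `margin`, at which every tracked cert is still valid.

    This is the clock value to set (with NTP stopped) before `ipactl restart`
    and `getcert resubmit`. getcert does not print notBefore, so check the
    result is also after each cert's notBefore (e.g. `openssl x509 -noout -dates`
    or `certutil -L -n <nickname> -d <dir>`) before using it. Margin is a choice.
    """
    return min(c["expires"] for c in certs) - margin


def report(text, now):
    """Summary a practitioner wants before touching the clock."""
    certs = parse_getcert(text)
    return {
        "tracked": len(certs),
        "expired": sorted(c["name"] for c in expired_at(certs, now)),
        "not_monitoring": sorted((c["name"], c["status"]) for c in not_monitoring(certs)),
        "rollback_to": safe_rollback_time(certs),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_GETCERT, POST_NOW).items():
        print(f"{key}: {value}")
```

On the post's data this reports the ocspSigningCert as the only expired cert, both CA_UNREACHABLE requests (caSigningCert and ocspSigningCert), and a rollback time of 2022-06-13 06:59:34 UTC; the poster's choice of Dec 25, 2021 is earlier than that and is therefore also inside every cert's validity window as far as notAfter is concerned, which the notBefore check mentioned in the docstring would then confirm. Running it against a live server is `getcert list | python3 this_script.py` after replacing SAMPLE_GETCERT with `sys.stdin.read()`.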