Some more info:

1. certmonger wasn't running, so I started it.  Then I can execute "ipa-getcert list" but it doesn't return anything.

2. /var/log/ipa/default.log (the only log file in that dir) appears to show the *new* cert being imported successfully (the latest timestamps are from about 1000 seconds ago, or less than 20 minutes):

1295559526.007954   10650   MainThread  INFO    skipping plugin module ipaserver.plugins.selfsign: selfsign is not selected as RA plugin, it is dogtag
1295559526.060926   10650   MainThread  INFO    Mounting ipaserver.rpcserver.xmlserver() at 'xml'
1295559526.064243   10650   MainThread  INFO    Mounting ipaserver.rpcserver.jsonserver() at 'json'
1295559528.905495   10650   MainThread  INFO    args=/usr/bin/certutil -d /etc/dirsrv/slapd-NEBIOGRID-ORG/ -N -f /etc/dirsrv/slapd-NEBIOGRID-ORG//pwdfile.txt
1295559528.906025   10650   MainThread  INFO    stdout=
1295559528.906155   10650   MainThread  INFO    stderr=
1295559528.922699   10650   MainThread  INFO    args=/usr/bin/pk12util -d /etc/dirsrv/slapd-NEBIOGRID-ORG/ -i ldap-selfsigned-to20120120.pkcs12 -k /etc/dirsrv/slapd-NEBIOGRID-ORG//pwdfile.txt -w /tmp/tmpglOV1H
1295559528.923025   10650   MainThread  INFO    stdout=pk12util: PKCS12 IMPORT SUCCESSFUL

1295559528.923120   10650   MainThread  INFO    stderr=
1295559528.932131   10650   MainThread  INFO    args=/usr/bin/pk12util -d /etc/dirsrv/slapd-NEBIOGRID-ORG/ -l ldap-selfsigned-to20120120.pkcs12 -k /tmp/tmpglOV1H -w /tmp/tmpglOV1H
1295559528.932373   10650   MainThread  INFO    stdout=Certificate(has private key):
    Data:
        Version: 3 (0x2)
        Serial Number:
            00:a2:6f:63:17:17:c3:28:60
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=nebio-directory.in.hwlab,O=IPA"
        Validity:
            Not Before: Thu Jan 20 16:46:31 2011
            Not After : Fri Jan 20 16:46:31 2012
        Subject: "CN=nebio-directory.in.hwlab,O=IPA"

3. dirsrv errors has these as its last log entries: /var/log/dirsrv/slapd-NEBIOGRID-ORG/errors:

[20/Jan/2011:16:55:22 -0500] - SSL alert: Security Initialization: Can't find certificate (Server-Cert) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
[20/Jan/2011:16:55:22 -0500] - SSL alert: Security Initialization: Unable to retrieve private key for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
[20/Jan/2011:16:55:22 -0500] - SSL failure: None of the cipher are valid
[20/Jan/2011:16:55:22 -0500] - ERROR: SSL Initialization phase 2 Failed.

4. httpd reports lots of errors: /var/log/httpd/error_log

[Thu Jan 20 17:05:43 2011] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Thu Jan 20 17:05:43 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Jan 20 17:05:44 2011] [error] Certificate not verified: 'Server-Cert'
[Thu Jan 20 17:05:44 2011] [error] SSL Library Error: -8181 Certificate has expired
[Thu Jan 20 17:05:44 2011] [error] Server certificate is expired: 'Server-Cert'
[Thu Jan 20 17:05:44 2011] [notice] Digest: generating secret for digest authentication ...
[Thu Jan 20 17:05:44 2011] [notice] Digest: done
[Thu Jan 20 17:05:44 2011] [error] python_init: Python version mismatch, expected '2.6', found '2.6.4'.
[Thu Jan 20 17:05:44 2011] [error] python_init: Python executable found '/usr/bin/python'.
[Thu Jan 20 17:05:44 2011] [error] python_init: Python path being used '/usr/lib64/python26.zip:/usr/lib64/python2.6/:/usr/lib64/python2.6/plat-linux2:/usr/lib64/python2.6/lib-tk:/usr/lib64/python2.6/lib-old:/usr/lib64/python2.6/lib-dynload'.
[Thu Jan 20 17:05:44 2011] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Thu Jan 20 17:05:44 2011] [notice] mod_python: using mutex_directory /tmp
[Thu Jan 20 17:05:44 2011] [notice] Apache/2.2.16 (Unix) DAV/2 mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.12.6.2 mod_python/3.3.1 Python/2.6.4 mod_wsgi/3.1 configured -- resuming normal operations
[Thu Jan 20 17:05:44 2011] [error] Certificate not verified: 'Server-Cert'
[Thu Jan 20 17:05:44 2011] [error] SSL Library Error: -8181 Certificate has expired
[Thu Jan 20 17:05:44 2011] [error] Server certificate is expired: 'Server-Cert'
...
[Thu Jan 20 17:05:45 2011] [error] ipa: ERROR: Failed to start IPA: Unable to retrieve LDAP schema. Error initializing principal HTTP/nebio-directory.in.hw...@nebiogrid.org in /etc/httpd/conf/ipa.keytab: (-1765328324, 'Generic error (see e-text)')
[Thu Jan 20 17:06:15 2011] [error] Unable to read from pin store for slot: internal APR err: 70007


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
