Here are the latest logs and info. Thanks. Jimmy ipagetcert list output- http://fpaste.org/OAra/
pki-ca system log -- http://fpaste.org/Uomy/ catalina.out -- http://fpaste.org/5MR1/ selftests -- http://fpaste.org/CwDF/ debug -- http://fpaste.org/Wy0o/ On Fri, Mar 16, 2012 at 11:08 AM, Rob Crittenden <rcrit...@redhat.com> wrote: > Jimmy wrote: >> >> I didn't see a catalina.log on my system, but there is a catalina.out: >> >> http://fpaste.org/KgJn/ > > > That's the one. Looks like the CA isn't starting. > > Does /var/lib/pki-ca/logs/signedAudit/ca_audit exist? If so, what is the > SELinux context (ls -lZ)? > > rob > >> >> -J >> >> On Thu, Mar 15, 2012 at 5:37 PM, Rob Crittenden<rcrit...@redhat.com> >> wrote: >>> >>> Jimmy wrote: >>>> >>>> >>>> error log: http://fpaste.org/efyf/ >>>> >>>> CA debug: http://fpaste.org/LemM/ >>>> >>>> CA localhost log: http://fpaste.org/q4MU/ >>>> >>>> That's all I can find the correspond to the time I ran the getcert. >>> >>> >>> >>> I'd look at the catalina.log, is dogtag coming up ok? >>> >>> rob >>> >>> >>>> >>>> Jimmy >>>> On Thu, Mar 15, 2012 at 4:47 PM, Rob Crittenden<rcrit...@redhat.com> >>>> wrote: >>>>> >>>>> >>>>> Jimmy wrote: >>>>>> >>>>>> >>>>>> >>>>>> Still shows status: CA_UNREACHABLE >>>>>> >>>>>> http://fpaste.org/UrTJ/ >>>>> >>>>> >>>>> >>>>> >>>>> If there was an Internal Server Error there should be an error in the >>>>> Apache >>>>> error log or something in the CA debug/transaction log (or both). Can >>>>> you >>>>> check those? >>>>> >>>>> rob >>>>> >>>>>> >>>>>> On Thu, Mar 15, 2012 at 3:22 PM, Rob Crittenden<rcrit...@redhat.com> >>>>>> wrote: >>>>>>> >>>>>>> >>>>>>> >>>>>>> Jimmy wrote: >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> I used yum to upgrade cert monger now the access_log has nothing new >>>>>>>> when I run the ipa-getcert, but error_log shows this: >>>>>>>> >>>>>>>> [Sat Mar 10 21:47:21 2012] [error] ipa: INFO: sslget >>>>>>>> 'https://xyz-ipa.abc.xyz:443/ca/agent/ca/displayBySerial' >>>>>>>> [Sat Mar 10 21:47:21 2012] [error] ipa: INFO: >>>>>>>> host/xyz-ipa.abc....@abc.xyz: >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> cert_request(u'MIIDQzCCAisCAQAwLDEQMA4GA1UEChMHUERILkNTUDEYMBYGA1UEAxMPY3NwLWlkbS5wZGguY3NwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr0EHCdyTuteryFZ2bdEl+V4OATR/xk8ELthmvlwT/5qubZKwlCWS6yLawgdyCg9Yw737A7qGe0BPxHv6E+as10NxppEPsn9BOi+TPRIMYNMNNYmO2sce2pvkMkVBqsF7Gn7mF7e5+Bpc7ApnDGP7WLsAjbso8EvLUrqVMTNyiziCSHiNk+/Fi1Om6K5GKzKkqfEDex0RK+kpMswgcaZHhmW3i+y3UxFZsJjOg3R4fJAfC0+My2d1Vx4052+EgWAbSNpSj7zmLGM2+dkmgMo5Li7jjgJe8VsrqOV4L5IgqtGVJ0EOb7EP7gynbVoa74m4XrVwEP8rd/M5RxAnD1JPuwIDAQABoIHRMBoGCSqGSIb3DQEJFDENEwtTZXJ2ZXItQ2VydDCBsgYJKoZIhvcNAQkOMYGkMIGhMA4GA1UdDwEBAAQEAwIE8DB3BgNVHREBAQAEbTBroCwGCisGAQQBgjcUAgOgHgwcbGRhcC9jc3AtaWRtLnBkaC5jc3BAUERILkNTUKA7BgYrBgEFAgKgMTAvoAkbB1BESC5DU1ChIjAgoAMCAQGhGTAXGwRsZGFwGw9jc3AtaWRtLnBkaC5jc3AwFgYDVR0lAQEABAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEBABD/Hwbgf5NJNUYt0+ntMDHiilMFkSaO6ryQ36/pCH1oR+vI+PCeClHewPo0v99h4Z8W8L7CQtDdNBUMl/JVHH5Lz7cBF8A/jXZQ+naV17EEuXncacM8AvYh5dL2yih+8RpPalEmSgz5rijtbSigfNGrZn0Mh3qOW1kbsz+GDaaT9wLFxvdJyqgdKds2tsp > > 0K >>> >>> >>> zH >>>>> >>>>> >>>>> >>>>> IM >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> cJuw3cwOfH8zrBRV28XYhMLm0OOhj92uxgax5UPY2VyHP5UOtOnfuduU1ZXa+o8QIXqX7/HyDSCLGwiPJscAsp9cRzjn4KvqzZDOcdGEjXmCGfrmUiMcuzVyTDR2SdAWrHdbRmXeyVxmiBPzdk=', >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> principal=u'ldap/xyz-ipa.abc....@abc.xyz', add=True): >>>>>>>> CertificateOperationError >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> What does ipa-getcert list show? >>>>>>> >>>>>>> You may now have something in the CA logs too. >>>>>>> >>>>>>> >>>>>>> rob >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On Thu, Mar 15, 2012 at 2:07 PM, Rob Crittenden<rcrit...@redhat.com> >>>>>>>> wrote: >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> Jimmy wrote: >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Which error log? the pki-ca error log has nothing and the httpd >>>>>>>>>> error >>>>>>>>>> log has nothing, and the httpd access log has this: (yes, the >>>>>>>>>> dates >>>>>>>>>> are set back a few days, bc the current cert expires on 3/11) >>>>>>>>>> >>>>>>>>>> 192.168.201.102 - - [10/Mar/2012:21:27:24 +0000] "POST /ipa/xml >>>>>>>>>> HTTP/1.1" 401 1775 >>>>>>>>>> 192.168.201.102 - host/abc-ipa.abc....@abc.xyz >>>>>>>>>> [10/Mar/2012:21:27:25 >>>>>>>>>> +0000] "POST /ipa/xml HTTP/1.1" 200 314 >>>>>>>>>> >>>>>>>>>> here is the ipa-getcert list: >>>>>>>>>> >>>>>>>>>> http://fpaste.org/Dzr3/ >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> You need to update certmonger, it isn't setting a Referer HTTP >>>>>>>>> header >>>>>>>>> in >>>>>>>>> its >>>>>>>>> request. That is now required by IPA. >>>>>>>>> >>>>>>>>> >>>>>>>>> rob >>>>>>>>> >>>>>>>>>> >>>>>>>>>> On Thu, Mar 15, 2012 at 1:33 PM, Rob >>>>>>>>>> Crittenden<rcrit...@redhat.com> >>>>>>>>>> wrote: >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Jimmy wrote: >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Restarted IPA and now the interface loads, but resubmitting the >>>>>>>>>>>> cert >>>>>>>>>>>> has this result - >>>>>>>>>>>> >>>>>>>>>>>> ipa-getcert resubmit -i 20110913154233 >>>>>>>>>>>> 192.168.201.102 - - [10/Mar/2012:20:53:13 +0000] "POST /ipa/xml >>>>>>>>>>>> HTTP/1.1" 401 1775 >>>>>>>>>>>> 192.168.201.102 - host/abc-ipa.abc....@abc.xyz >>>>>>>>>>>> [10/Mar/2012:20:53:13 >>>>>>>>>>>> +0000] "POST /ipa/xml HTTP/1.1" 200 314 >>>>>>>>>>>> >>>>>>>>>>>> but the cert still shows these dates- >>>>>>>>>>>> >>>>>>>>>>>> Not Before: Tue Sep 13 15:43:37 2011 >>>>>>>>>>>> Not After : Sun Mar 11 15:43:37 2012 >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> The error log will contain more interesting information. >>>>>>>>>>> >>>>>>>>>>> What does the status show in the output of ipa-getcert list? >>>>>>>>>>> >>>>>>>>>>> rob >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> On Thu, Mar 15, 2012 at 1:06 PM, Jimmy<g17ji...@gmail.com> >>>>>>>>>>>> wrote: >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> I can now start the upgraded IPA, but now going to the IPA >>>>>>>>>>>>> admin >>>>>>>>>>>>> page >>>>>>>>>>>>> I get this: >>>>>>>>>>>>> >>>>>>>>>>>>> ==== >>>>>>>>>>>>> >>>>>>>>>>>>> Not Found >>>>>>>>>>>>> >>>>>>>>>>>>> The requested URL /ipa was not found on this server. >>>>>>>>>>>>> >>>>>>>>>>>>> ==== >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>> Freeipa-users mailing list >>>>>>>>>>>> Freeipa-users@redhat.com >>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>> >>>>>>> >>>>> >>> > _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users