What is the proper way to recover from this? I've been digging and
searching but don't see anything about this in relation to IPA.

On Fri, Mar 16, 2012 at 1:29 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Jimmy wrote:
>>
>> When I try `ipa-getcert resubmit -i 20110913154233` I see this in the CA
>> logs:
>>
>> localhost.2012-03-08.log---
>> Mar 8, 2012 1:54:34 AM org.apache.catalina.core.ApplicationContext log
>> INFO: caDisplayBySerial-agent: Invalid Credential.
>>
>> debug---
>> [08/Mar/2012:01:54:34][TP-Processor3]: In LdapBoundConnFactory::getConn()
>> [08/Mar/2012:01:54:34][TP-Processor3]: masterConn is connected: true
>> [08/Mar/2012:01:54:34][TP-Processor3]: getConn: conn is connected true
>> [08/Mar/2012:01:54:34][TP-Processor3]: getConn: mNumConns now 2
>> [08/Mar/2012:01:54:34][TP-Processor3]: returnConn: mNumConns now 3
>> [08/Mar/2012:01:54:34][TP-Processor3]: Authentication: cannot map
>> certificate to user
>> [08/Mar/2012:01:54:34][TP-Processor3]: SignedAuditEventFactory:
>> create()
>> message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA
>> RA,O=ABC.XYZ] authentication failure
>
>
> Right, I think your dogtag 389-ds instance is similarly corrupted to your
> IPA instance so it can't find any entries.
>
> rob
>
>
>>
>>
>>
>> On Fri, Mar 16, 2012 at 12:15 PM, Jimmy<g17ji...@gmail.com>  wrote:
>>>
>>> Here are the latest logs and info. Thanks. Jimmy
>>>
>>> ipa-getcert list output -- http://fpaste.org/OAra/
>>>
>>> pki-ca system log -- http://fpaste.org/Uomy/
>>> catalina.out -- http://fpaste.org/5MR1/
>>> selftests -- http://fpaste.org/CwDF/
>>> debug -- http://fpaste.org/Wy0o/
>>>
>>> On Fri, Mar 16, 2012 at 11:08 AM, Rob Crittenden<rcrit...@redhat.com>
>>>  wrote:
>>>>
>>>> Jimmy wrote:
>>>>>
>>>>>
>>>>> I didn't see a catalina.log on my system, but there is a catalina.out:
>>>>>
>>>>> http://fpaste.org/KgJn/
>>>>
>>>>
>>>>
>>>> That's the one. Looks like the CA isn't starting.
>>>>
>>>> Does /var/lib/pki-ca/logs/signedAudit/ca_audit exist? If so, what is the
>>>> SELinux context (ls -lZ)?
>>>>
>>>> rob
>>>>
>>>>>
>>>>> -J
>>>>>
>>>>> On Thu, Mar 15, 2012 at 5:37 PM, Rob Crittenden<rcrit...@redhat.com>
>>>>>  wrote:
>>>>>>
>>>>>>
>>>>>> Jimmy wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> error log: http://fpaste.org/efyf/
>>>>>>>
>>>>>>> CA debug: http://fpaste.org/LemM/
>>>>>>>
>>>>>>> CA localhost log: http://fpaste.org/q4MU/
>>>>>>>
>>>>>>> That's all I can find that corresponds to the time I ran the getcert.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> I'd look at the catalina.log, is dogtag coming up ok?
>>>>>>
>>>>>> rob
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> Jimmy
>>>>>>> On Thu, Mar 15, 2012 at 4:47 PM, Rob Crittenden<rcrit...@redhat.com>
>>>>>>>  wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Jimmy wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Still shows status: CA_UNREACHABLE
>>>>>>>>>
>>>>>>>>> http://fpaste.org/UrTJ/
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> If there was an Internal Server Error there should be an error in the
>>>>>>>> Apache error log or something in the CA debug/transaction log (or both).
>>>>>>>> Can you check those?
>>>>>>>>
>>>>>>>> rob
>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Thu, Mar 15, 2012 at 3:22 PM, Rob
>>>>>>>>> Crittenden<rcrit...@redhat.com>
>>>>>>>>>  wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Jimmy wrote:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> I used yum to upgrade certmonger; now the access_log has nothing
>>>>>>>>>>> new when I run the ipa-getcert, but error_log shows this:
>>>>>>>>>>>
>>>>>>>>>>> [Sat Mar 10 21:47:21 2012] [error] ipa: INFO: sslget
>>>>>>>>>>> 'https://xyz-ipa.abc.xyz:443/ca/agent/ca/displayBySerial'
>>>>>>>>>>> [Sat Mar 10 21:47:21 2012] [error] ipa: INFO:
>>>>>>>>>>> host/xyz-ipa.abc....@abc.xyz:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> cert_request(u'[...]',
>>>>>>>>>>> principal=u'ldap/xyz-ipa.abc....@abc.xyz', add=True):
>>>>>>>>>>> CertificateOperationError
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> What does ipa-getcert list show?
>>>>>>>>>>
>>>>>>>>>> You may now have something in the CA logs too.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> rob
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Thu, Mar 15, 2012 at 2:07 PM, Rob
>>>>>>>>>>> Crittenden<rcrit...@redhat.com>
>>>>>>>>>>>  wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Jimmy wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Which error log? The pki-ca error log has nothing and the httpd
>>>>>>>>>>>>> error log has nothing, and the httpd access log has this: (yes,
>>>>>>>>>>>>> the dates are set back a few days, bc the current cert expires
>>>>>>>>>>>>> on 3/11)
>>>>>>>>>>>>>
>>>>>>>>>>>>> 192.168.201.102 - - [10/Mar/2012:21:27:24 +0000] "POST /ipa/xml
>>>>>>>>>>>>> HTTP/1.1" 401 1775
>>>>>>>>>>>>> 192.168.201.102 - host/abc-ipa.abc....@abc.xyz
>>>>>>>>>>>>> [10/Mar/2012:21:27:25
>>>>>>>>>>>>> +0000] "POST /ipa/xml HTTP/1.1" 200 314
>>>>>>>>>>>>>
>>>>>>>>>>>>> here is the ipa-getcert list:
>>>>>>>>>>>>>
>>>>>>>>>>>>> http://fpaste.org/Dzr3/
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> You need to update certmonger, it isn't setting a Referer HTTP
>>>>>>>>>>>> header in its request. That is now required by IPA.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> rob
>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Thu, Mar 15, 2012 at 1:33 PM, Rob
>>>>>>>>>>>>> Crittenden<rcrit...@redhat.com>
>>>>>>>>>>>>>  wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Jimmy wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Restarted IPA and now the interface loads, but resubmitting
>>>>>>>>>>>>>>> the cert has this result -
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ipa-getcert resubmit -i 20110913154233
>>>>>>>>>>>>>>> 192.168.201.102 - - [10/Mar/2012:20:53:13 +0000] "POST
>>>>>>>>>>>>>>> /ipa/xml
>>>>>>>>>>>>>>> HTTP/1.1" 401 1775
>>>>>>>>>>>>>>> 192.168.201.102 - host/abc-ipa.abc....@abc.xyz
>>>>>>>>>>>>>>> [10/Mar/2012:20:53:13
>>>>>>>>>>>>>>> +0000] "POST /ipa/xml HTTP/1.1" 200 314
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> but the cert still shows these dates-
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>  Not Before: Tue Sep 13 15:43:37 2011
>>>>>>>>>>>>>>>             Not After : Sun Mar 11 15:43:37 2012
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The error log will contain more interesting information.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> What does the status show in the output of ipa-getcert list?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> rob
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Thu, Mar 15, 2012 at 1:06 PM, Jimmy<g17ji...@gmail.com>
>>>>>>>>>>>>>>>  wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I can now start the upgraded IPA, but now going to the IPA
>>>>>>>>>>>>>>>> admin page I get this:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> ====
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Not Found
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> The requested URL /ipa was not found on this server.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> ====
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>> Freeipa-users mailing list
>>>>>>>>>>>>>>> Freeipa-users@redhat.com
>>>>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>
>>>>>>
>>>>
>
