The ca_audit problem was caused by me accidentally moving the
directory to a backup location. I was cleaning up the logs to make
reading easier. When I moved the directory back that issue went away.
No changes were made in the NSS database(s) or any other internal
workings of IPA. This system is used for very basic user
authentication, DNS, etc.

I can do the ldif export/import for dogtag. Just from comparing
everything, it looks like the dogtag db is in
/var/lib/dirsrv/slapd-PKI-IPA/db/userRoot; is that correct?

-J

On Fri, Mar 16, 2012 at 12:51 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Jimmy wrote:
>>
>> Here are the latest logs and info. Thanks. Jimmy
>
>
> What did you change to fix the ca_audit problem?
>
> There are two problems that I can see:
>
> 1. certmonger is failing because of SSL trust issues. Have you changed the
> NSS database(s) recently for Apache or 389-ds, or /etc/pki/nssdb?
>
> 2. Looks like there is some corruption in the dogtag LDAP instance based on
> all the entries not found.
>
> rob
>
>
>>
>> ipagetcert list output- http://fpaste.org/OAra/
>>
>> pki-ca system log -- http://fpaste.org/Uomy/
>> catalina.out -- http://fpaste.org/5MR1/
>> selftests -- http://fpaste.org/CwDF/
>> debug -- http://fpaste.org/Wy0o/
>>
>> On Fri, Mar 16, 2012 at 11:08 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>
>>> Jimmy wrote:
>>>>
>>>> I didn't see a catalina.log on my system, but there is a catalina.out:
>>>>
>>>> http://fpaste.org/KgJn/
>>>
>>> That's the one. Looks like the CA isn't starting.
>>>
>>> Does /var/lib/pki-ca/logs/signedAudit/ca_audit exist? If so, what is the
>>> SELinux context (ls -lZ)?
>>>
>>> rob
>>>
>>>>
>>>> -J
>>>>
>>>> On Thu, Mar 15, 2012 at 5:37 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>>>
>>>>> Jimmy wrote:
>>>>>>
>>>>>> error log: http://fpaste.org/efyf/
>>>>>>
>>>>>> CA debug: http://fpaste.org/LemM/
>>>>>>
>>>>>> CA localhost log: http://fpaste.org/q4MU/
>>>>>>
>>>>>> That's all I can find that corresponds to the time I ran the getcert.
>>>>>
>>>>> I'd look at the catalina.log, is dogtag coming up ok?
>>>>>
>>>>> rob
>>>>>
>>>>>
>>>>>>
>>>>>> Jimmy
>>>>>> On Thu, Mar 15, 2012 at 4:47 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>>>>>
>>>>>>> Jimmy wrote:
>>>>>>>>
>>>>>>>> Still shows status: CA_UNREACHABLE
>>>>>>>>
>>>>>>>> http://fpaste.org/UrTJ/
>>>>>>>
>>>>>>> If there was an Internal Server Error there should be an error in the
>>>>>>> Apache error log or something in the CA debug/transaction log (or both).
>>>>>>> Can you check those?
>>>>>>>
>>>>>>> rob
>>>>>>>
>>>>>>>>
>>>>>>>> On Thu, Mar 15, 2012 at 3:22 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>>>>>>>
>>>>>>>>> Jimmy wrote:
>>>>>>>>>>
>>>>>>>>>> I used yum to upgrade certmonger; now the access_log has nothing new
>>>>>>>>>> when I run the ipa-getcert, but error_log shows this:
>>>>>>>>>>
>>>>>>>>>> [Sat Mar 10 21:47:21 2012] [error] ipa: INFO: sslget
>>>>>>>>>> 'https://xyz-ipa.abc.xyz:443/ca/agent/ca/displayBySerial'
>>>>>>>>>> [Sat Mar 10 21:47:21 2012] [error] ipa: INFO:
>>>>>>>>>> host/xyz-ipa.abc....@abc.xyz:
>>>>>>>>>>
>>>>>>>>>> cert_request(u'<base64-encoded CSR elided>',
>>>>>>>>>> principal=u'ldap/xyz-ipa.abc....@abc.xyz', add=True):
>>>>>>>>>> CertificateOperationError
>>>>>>>>>
>>>>>>>>> What does ipa-getcert list show?
>>>>>>>>>
>>>>>>>>> You may now have something in the CA logs too.
>>>>>>>>>
>>>>>>>>> rob
>>>>>>>>>>
>>>>>>>>>> On Thu, Mar 15, 2012 at 2:07 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Jimmy wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Which error log? The pki-ca error log has nothing and the httpd
>>>>>>>>>>>> error log has nothing, and the httpd access log has this: (yes, the
>>>>>>>>>>>> dates are set back a few days, because the current cert expires on 3/11)
>>>>>>>>>>>>
>>>>>>>>>>>> 192.168.201.102 - - [10/Mar/2012:21:27:24 +0000] "POST /ipa/xml
>>>>>>>>>>>> HTTP/1.1" 401 1775
>>>>>>>>>>>> 192.168.201.102 - host/abc-ipa.abc....@abc.xyz
>>>>>>>>>>>> [10/Mar/2012:21:27:25
>>>>>>>>>>>> +0000] "POST /ipa/xml HTTP/1.1" 200 314
>>>>>>>>>>>>
>>>>>>>>>>>> here is the ipa-getcert list:
>>>>>>>>>>>>
>>>>>>>>>>>> http://fpaste.org/Dzr3/
>>>>>>>>>>>
>>>>>>>>>>> You need to update certmonger, it isn't setting a Referer HTTP header
>>>>>>>>>>> in its request. That is now required by IPA.
>>>>>>>>>>>
>>>>>>>>>>> rob
>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On Thu, Mar 15, 2012 at 1:33 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Jimmy wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Restarted IPA and now the interface loads, but resubmitting the
>>>>>>>>>>>>>> cert has this result -
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ipa-getcert resubmit -i 20110913154233
>>>>>>>>>>>>>> 192.168.201.102 - - [10/Mar/2012:20:53:13 +0000] "POST
>>>>>>>>>>>>>> /ipa/xml
>>>>>>>>>>>>>> HTTP/1.1" 401 1775
>>>>>>>>>>>>>> 192.168.201.102 - host/abc-ipa.abc....@abc.xyz
>>>>>>>>>>>>>> [10/Mar/2012:20:53:13
>>>>>>>>>>>>>> +0000] "POST /ipa/xml HTTP/1.1" 200 314
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> but the cert still shows these dates-
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>  Not Before: Tue Sep 13 15:43:37 2011
>>>>>>>>>>>>>>             Not After : Sun Mar 11 15:43:37 2012
>>>>>>>>>>>>>
>>>>>>>>>>>>> The error log will contain more interesting information.
>>>>>>>>>>>>>
>>>>>>>>>>>>> What does the status show in the output of ipa-getcert list?
>>>>>>>>>>>>>
>>>>>>>>>>>>> rob
>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Thu, Mar 15, 2012 at 1:06 PM, Jimmy <g17ji...@gmail.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I can now start the upgraded IPA, but now going to the IPA admin
>>>>>>>>>>>>>>> page I get this:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ====
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Not Found
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> The requested URL /ipa was not found on this server.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ====
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>> Freeipa-users mailing list
>>>>>>>>>>>>>> Freeipa-users@redhat.com
>>>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
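To illustrate the Referer requirement Rob mentions in the thread (an origin check on IPA's authenticated XML-RPC endpoint, which is why an old certmonger that sends no Referer gets rejected), here is an added Python example; it is not FreeIPA's or certmonger's code, and the function names, the sample request headers and the reuse of the thread's server hostname are assumptions.

```python
from urllib.parse import urlsplit

# Hostname taken from the thread's log lines; everything else here is constructed.
SERVER_ORIGIN = "https://xyz-ipa.abc.xyz"


def _origin(url):
    """Normalise a URL to (scheme, host, port); None if the URL is unparsable."""
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:  # e.g. a non-numeric port
        return None
    if not parts.hostname:
        return None
    return (parts.scheme.lower(), parts.hostname.lower(), port or 443)


def referer_allowed(headers, expected_origin=SERVER_ORIGIN):
    """Accept the request only if it carries a Referer whose origin is the
    server's own https origin. Header names are matched case-insensitively.
    A missing header fails closed, which is what the old certmonger ran into."""
    referer = next((v for k, v in headers.items() if k.lower() == "referer"), None)
    if not referer:
        return False
    got, want = _origin(referer), _origin(expected_origin)
    return got is not None and got == want and got[0] == "https"


# Constructed requests modelled on the "POST /ipa/xml" access-log lines above.
SAMPLE_REQUESTS = {
    "old certmonger, no Referer": {"Content-Type": "text/xml"},
    "updated certmonger": {"Content-Type": "text/xml",
                           "Referer": "https://xyz-ipa.abc.xyz/ipa/xml"},
    "lowercase header name": {"referer": "https://XYZ-IPA.abc.xyz:443/ipa/xml"},
    "other-origin Referer": {"Referer": "https://other.example/ipa/xml"},
    "plain-http Referer": {"Referer": "http://xyz-ipa.abc.xyz/ipa/xml"},
}


def triage(requests=SAMPLE_REQUESTS, origin=SERVER_ORIGIN):
    """Map each sample request name to whether the Referer check passes."""
    return {name: referer_allowed(hdrs, origin) for name, hdrs in requests.items()}


if __name__ == "__main__":
    for name, ok in triage().items():
        print(f"{'accept' if ok else 'reject':6}  {name}")
```

Only the two requests whose Referer names the server's own https origin pass; the rest, including the header-less request the thread's certmonger was sending, are rejected.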