On 09/04/2012 10:23 AM, george he wrote:
First of all, i don't see any java process after ipactl stop.

Then I turned on debug and this is what I get on terminal:
# ipa host-del hnl09.psych.yale.edu
......
ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
ipa: DEBUG: cert valid True for "CN=cushing.psych.yale.edu,O=PSYCH.YALE.EDU"
ipa: DEBUG: handshake complete, peer = 130.132.167.68:443
ipa: DEBUG: Caught fault 4301 from server
http://cushing.psych.yale.edu/ipa/xml: Certificate operation cannot be
completed: Unable to communicate with CMS (Service Temporarily Unavailable)
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (Service Temporarily Unavailable)

So there's a "fault 4301" being caught.
And this is at the end of /var/log/httpd/error_log:
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: approved_usage =
SSLServer intended_usage = SSLServer
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: cert valid True for
"CN=cushing.psych.yale.edu,O=PSYCH.YALE.EDU"
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: handshake complete, peer
= 130.132.167.68:443
[Tue Sep 04 10:17:05 2012] [error] (111)Connection refused: proxy: AJP:
attempt to connect to 127.0.0.1:9447 (localhost) failed
[Tue Sep 04 10:17:05 2012] [error] ap_proxy_connect_backend disabling
worker for (localhost)
[Tue Sep 04 10:17:05 2012] [error] proxy: AJP: failed to make connection
to backend: localhost
[Tue Sep 04 10:17:05 2012] [error] ipa: INFO: ad...@psych.yale.edu:
host_del((u'hnl09.psych.yale.edu',), updatedns=False):
CertificateOperationError
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: response:
CertificateOperationError: Certificate operation cannot be completed:
Unable to communicate with CMS (Service Temporarily Unavailable)
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: Destroyed connection
context.ldap2

Thanks,
George

It appears as if your CA instance is not running (pki-ca). Depending on which OS you're running on could you verify pki-ca is running via either the service or systemctl command. Do you see any errors in the log files found under /var/log/pki-ca?

--
John Dennis <jden...@redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to