weird. Can you try putting selinux in permissive mode, and then restarting ipa?
On Wed, 2012-09-05 at 08:21 -0700, george he wrote: > This is a newly installed system. It does most of the things, but I > just cannot del the host that I have uninstalled ipa-client, which > prvents me from re-installing ipa-client. > Here are the versions: > > pki-ca.noarch 9.0.3-24.el6 > pki-common.noarch 9.0.3-24.el6 > jss.x86_64 4.2.6-22.el6 > nss.x86_64 3.13.5-1.el6_3 > tomcat6.noarch 6.0.24-45.el6 > java-1.5.0-gcj.x86_64 1.5.0.0-29.1.el6 > java-1.6.0-openjdk.x86_64 1:1.6.0.0-1.48.1.11.3.el6_2 > java_cup.x86_64 1:0.10k-5.el6 > Thanks for your help. > George > > > ______________________________________________________________ > From: Ade Lee <[email protected]> > To: george he <[email protected]> > Cc: Rob Crittenden <[email protected]>; > "[email protected]" <[email protected]> > Sent: Wednesday, September 5, 2012 10:46 AM > Subject: Re: [Freeipa-users] ipa host-del > > > The logs seem to show that the CA cannot find JSS. > > What versions of the following are on your system? > pki-ca, pki-common, jss, nss, tomcat6, tomcat, java > > Is this a system that was working and now fails to work? Or > is this a > new instance? > > Ade > On Wed, 2012-09-05 at 06:41 -0700, george he wrote: > > there are somethign like these: > > > > type=AVC msg=audit(1346710042.243:56): avc: denied > { execute } for > > pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829 > > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 > > tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file > > type=AVC msg=audit(1346710042.243:57): avc: denied > { execute } for > > pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829 > > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 > > tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file > > > > > > > > and some others like these: > > type=AVC msg=audit(1346838993.154:2567): avc: denied > { search } for > > pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879 > > scontext=unconfined_u:system_r:pki_ca_t:s0 > > tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir > > type=AVC msg=audit(1346838993.154:2568): avc: denied > { search } for > > pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879 > > scontext=unconfined_u:system_r:pki_ca_t:s0 > > tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir > > > > > > > > And yes, I did yum update recently. > > Where else should I look? > > Thanks, > > George > > > > > > > ______________________________________________________________ > > From: Rob Crittenden <[email protected]> > > To: george he <[email protected]> > > Cc: Ade Lee <[email protected]>; > "[email protected]" > > <[email protected]> > > Sent: Wednesday, September 5, 2012 8:40 AM > > Subject: Re: [Freeipa-users] ipa host-del > > > > > > george he wrote: > > > here are the new errors: > > > # rm /var/log/pki-ca/* > > > # service dirsrv restart > > > # service pki-cad restart > > > # grep -i error /var/log/pki-ca/* > > > /var/log/pki-ca/catalina.2012-09-05.log:WARNING: > Error while > > removing > > > context [/ca] > > > /var/log/pki-ca/catalina.2012-09-05.log:SEVERE: > Error > > initializing > > > socket factory > > > > > /var/log/pki-ca/catalina.2012-09-05.log:java.lang.ClassNotFoundException: > Error > > > loading SSL Implementation > > > org.apache.tomcat.util.net.jss.JSSImplementation > > > :java.lang.ClassNotFoundException: > > org.mozilla.jss.ssl.SSLSocket > > > > /var/log/pki-ca/catalina.2012-09-05.log:LifecycleException: > > Protocol > > > handler initialization failed: > > java.lang.ClassNotFoundException: Error > > > loading SSL Implementation > > > org.apache.tomcat.util.net.jss.JSSImplementation > > > :java.lang.ClassNotFoundException: > > org.mozilla.jss.ssl.SSLSocket > > > /var/log/pki-ca/catalina.2012-09-05.log:SEVERE: > Error > > deploying web > > > application directory ca > > > /var/log/pki-ca/catalina.out:SEVERE: Error > initializing > > socket factory > > > > /var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error > > > loading SSL Implementation > > > org.apache.tomcat.util.net.jss.JSSImplementation > > > :java.lang.ClassNotFoundException: > > org.mozilla.jss.ssl.SSLSocket > > > /var/log/pki-ca/catalina.out:LifecycleException: > Protocol > > handler > > > initialization failed: > java.lang.ClassNotFoundException: > > Error loading > > > SSL Implementation > > org.apache.tomcat.util.net.jss.JSSImplementation > > > :java.lang.ClassNotFoundException: > > org.mozilla.jss.ssl.SSLSocket > > > /var/log/pki-ca/catalina.out:SEVERE: Error > deploying web > > application > > > directory ca > > > /var/log/pki-ca/catalina.out:SEVERE: Error > initializing > > socket factory > > > > /var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error > > > loading SSL Implementation > > > org.apache.tomcat.util.net.jss.JSSImplementation > > > :java.lang.ClassNotFoundException: > > org.mozilla.jss.ssl.SSLSocket > > > /var/log/pki-ca/catalina.out:LifecycleException: > Protocol > > handler > > > initialization failed: > java.lang.ClassNotFoundException: > > Error loading > > > SSL Implementation > > org.apache.tomcat.util.net.jss.JSSImplementation > > > :java.lang.ClassNotFoundException: > > org.mozilla.jss.ssl.SSLSocket > > > > Hmm. Is there any additional information in the debug > log? Any > > AVCs in > > /var/log/audit/audit.log? > > > > Have you updated any packages recently? I'm not sure > why > > dogtag would be > > throwing this exception. > > > > rob > > > > > > > > > > > > ------------------------------------------------------------------------ > > > *From:* Rob Crittenden <[email protected]> > > > *To:* george he <[email protected]> > > > *Cc:* John Dennis <[email protected]>; > > "[email protected]" > > > <[email protected]> > > > *Sent:* Tuesday, September 4, 2012 9:49 PM > > > *Subject:* Re: [Freeipa-users] ipa host-del > > > > > > george he wrote: > > > > both of the commands "service dirsrv > restart" and > > "service pki-cad > > > > restart" reported: > > > > stopping ... OK > > > > starting ... OK > > > > but host-del still has the same error. > > > > More suggestions? > > > > > > Check the logs again. The service starting does > not mean > > it kept > > > running. > > > > > > rob > > > > > > > Thanks, > > > > George > > > > > > > > > > > > > > > ------------------------------------------------------------------------ > > > > *From:* Rob Crittenden > <[email protected] > > > <mailto:[email protected]>> > > > > *To:* george he <[email protected] > > > <mailto:[email protected]>> > > > > *Cc:* John Dennis <[email protected] > > > <mailto:[email protected]>>; > "[email protected] > > > <mailto:[email protected]>" > > > > <[email protected] > > <mailto:[email protected]>> > > > > *Sent:* Tuesday, September 4, 2012 4:20 > PM > > > > *Subject:* Re: [Freeipa-users] ipa > host-del > > > > > > > > george he wrote: > > > > > I'm running centos 6.3 > > > > > # uname -r > > > > > 2.6.32-279.5.2.el6.x86_64 > > > > > > > > > > pki-ca: unrecognized service > > > > > > > > > > There are tons of errors > in /var/log/pki-ca/*, > > some of > > > them are: > > > > > /var/log/pki-ca/system:11605.main - > > [30/Aug/2012:16:34:56 EDT] > > > > [3] [3] > > > > > Cannot build CA chain. Error > > > java.security.cert.CertificateException: > > > > > Certificate is not a PKCS #11 > certificate > > > > > /var/log/pki-ca/system:11605.main - > > [30/Aug/2012:16:34:56 EDT] > > > > [13] [3] > > > > > authz instance DirAclAuthz > initialization > > failed and skipped, > > > > > error=Property > internaldb.ldapconn.port > > missing value > > > > > > /var/log/pki-ca/system:11605.http-9445-1 - > > > [30/Aug/2012:16:35:01 EDT] > > > > > [3] [3] Cannot build CA chain. Error > > > > > > java.security.cert.CertificateException: > > Certificate is not a > > > > PKCS #11 > > > > > certificate > > > > > > /var/log/pki-ca/system:11605.http-9445-1 - > > > [30/Aug/2012:16:35:10 EDT] > > > > > [3] [3] CASigningUnit: Object > certificate not > > found. Error > > > > > > org.mozilla.jss.crypto.ObjectNotFoundException > > > > > /var/log/pki-ca/system:3281.main - > > [31/Aug/2012:17:54:28 > > > EDT] [8] > > > > [3] In > > > > > Ldap (bound) connection pool to host > > > cushing.psych.yale.edu port > > > > 7389, > > > > > Cannot connect to LDAP server. Error: > > > netscape.ldap.LDAPException: > > > > > failed to connect to server > > > ldap://cushing.psych.yale.edu:7389 (91) > > > > > > > > > > > > /var/log/pki-ca/catalina.2012-09-03.log:SEVERE: > Error > > > initializing > > > > > socket factory > > > > > > > > > > > > > > > > /var/log/pki-ca/catalina.2012-09-03.log:java.lang.ClassNotFoundException: > > > > Error > > > > > loading SSL Implementation > > > > > > > org.apache.tomcat.util.net.jss.JSSImplementation > > > > > :java.lang.ClassNotFoundException: > > > org.mozilla.jss.ssl.SSLSocket > > > > > > > > > > > /var/log/pki-ca/catalina.2012-09-03.log:LifecycleException: > > Protocol > > > > > handler initialization failed: > > > java.lang.ClassNotFoundException: > > > > Error > > > > > loading SSL Implementation > > > > > > > org.apache.tomcat.util.net.jss.JSSImplementation > > > > > :java.lang.ClassNotFoundException: > > > org.mozilla.jss.ssl.SSLSocket > > > > > > > /var/log/pki-ca/catalina.2012-09-03.log:SEVERE: > Error > > > deploying web > > > > > application directory ca > > > > > > > > The problem looks to be that the dogtag > 389-ds > > instance is not > > > started. > > > > I'd try: service dirsrv restart PKI-IPA > > > > > > > > Then service pki-cad restart > > > > > > > > rob > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
