weird.  Can you try putting selinux in permissive mode, and then
restarting ipa?

On Wed, 2012-09-05 at 08:21 -0700, george he wrote:
> This is a newly installed system. It does most of the things, but I
> just cannot del the host that I have uninstalled ipa-client, which
> prvents me from re-installing ipa-client.
> Here are the versions:
> 
> pki-ca.noarch                    9.0.3-24.el6
> pki-common.noarch          9.0.3-24.el6
> jss.x86_64                         4.2.6-22.el6
> nss.x86_64                        3.13.5-1.el6_3
> tomcat6.noarch                  6.0.24-45.el6
> java-1.5.0-gcj.x86_64           1.5.0.0-29.1.el6 
> java-1.6.0-openjdk.x86_64   1:1.6.0.0-1.48.1.11.3.el6_2
> java_cup.x86_64                  1:0.10k-5.el6
> Thanks for your help.
> George
> 
>         
>         ______________________________________________________________
>         From: Ade Lee <a...@redhat.com>
>         To: george he <george_...@yahoo.com> 
>         Cc: Rob Crittenden <rcrit...@redhat.com>;
>         "freeipa-users@redhat.com" <freeipa-users@redhat.com> 
>         Sent: Wednesday, September 5, 2012 10:46 AM
>         Subject: Re: [Freeipa-users] ipa host-del
>         
>         
>         The logs seem to show that the CA cannot find JSS.
>         
>         What versions of the following are on your system?
>         pki-ca, pki-common, jss, nss, tomcat6, tomcat, java
>         
>         Is this a system that was working and now fails to work?  Or
>         is this a
>         new instance?
>         
>         Ade
>         On Wed, 2012-09-05 at 06:41 -0700, george he wrote:
>         > there are somethign like these:
>         > 
>         > type=AVC msg=audit(1346710042.243:56): avc:  denied
>         { execute } for
>         > pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829
>         > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
>         > tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
>         > type=AVC msg=audit(1346710042.243:57): avc:  denied
>         { execute } for
>         > pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829
>         > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
>         > tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
>         > 
>         > 
>         > 
>         > and some others like these:
>         > type=AVC msg=audit(1346838993.154:2567): avc:  denied
>         { search } for
>         > pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879
>         > scontext=unconfined_u:system_r:pki_ca_t:s0
>         > tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
>         > type=AVC msg=audit(1346838993.154:2568): avc:  denied
>         { search } for
>         > pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879
>         > scontext=unconfined_u:system_r:pki_ca_t:s0
>         > tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
>         > 
>         > 
>         > 
>         > And yes, I did yum update recently.
>         > Where else should I look?
>         > Thanks,
>         > George
>         > 
>         >        
>         >
>         ______________________________________________________________
>         >        From: Rob Crittenden <rcrit...@redhat.com>
>         >        To: george he <george_...@yahoo.com> 
>         >        Cc: Ade Lee <a...@redhat.com>;
>         "freeipa-users@redhat.com"
>         >        <freeipa-users@redhat.com> 
>         >        Sent: Wednesday, September 5, 2012 8:40 AM
>         >        Subject: Re: [Freeipa-users] ipa host-del
>         >        
>         >        
>         >        george he wrote:
>         >        > here are the new errors:
>         >        > # rm /var/log/pki-ca/*
>         >        > # service dirsrv restart
>         >        > # service pki-cad restart
>         >        > # grep -i error /var/log/pki-ca/*
>         >        > /var/log/pki-ca/catalina.2012-09-05.log:WARNING:
>         Error while
>         >        removing
>         >        > context [/ca]
>         >        > /var/log/pki-ca/catalina.2012-09-05.log:SEVERE:
>         Error
>         >        initializing
>         >        > socket factory
>         >
>         > 
> /var/log/pki-ca/catalina.2012-09-05.log:java.lang.ClassNotFoundException: 
> Error
>         >        > loading SSL Implementation
>         >        > org.apache.tomcat.util.net.jss.JSSImplementation
>         >        > :java.lang.ClassNotFoundException:
>         >        org.mozilla.jss.ssl.SSLSocket
>         >
>         > /var/log/pki-ca/catalina.2012-09-05.log:LifecycleException:
>         >        Protocol
>         >        > handler initialization failed:
>         >        java.lang.ClassNotFoundException: Error
>         >        > loading SSL Implementation
>         >        > org.apache.tomcat.util.net.jss.JSSImplementation
>         >        > :java.lang.ClassNotFoundException:
>         >        org.mozilla.jss.ssl.SSLSocket
>         >        > /var/log/pki-ca/catalina.2012-09-05.log:SEVERE:
>         Error
>         >        deploying web
>         >        > application directory ca
>         >        > /var/log/pki-ca/catalina.out:SEVERE: Error
>         initializing
>         >        socket factory
>         >
>         > /var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error
>         >        > loading SSL Implementation
>         >        > org.apache.tomcat.util.net.jss.JSSImplementation
>         >        > :java.lang.ClassNotFoundException:
>         >        org.mozilla.jss.ssl.SSLSocket
>         >        > /var/log/pki-ca/catalina.out:LifecycleException:
>         Protocol
>         >        handler
>         >        > initialization failed:
>         java.lang.ClassNotFoundException:
>         >        Error loading
>         >        > SSL Implementation
>         >        org.apache.tomcat.util.net.jss.JSSImplementation
>         >        > :java.lang.ClassNotFoundException:
>         >        org.mozilla.jss.ssl.SSLSocket
>         >        > /var/log/pki-ca/catalina.out:SEVERE: Error
>         deploying web
>         >        application
>         >        > directory ca
>         >        > /var/log/pki-ca/catalina.out:SEVERE: Error
>         initializing
>         >        socket factory
>         >
>         > /var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error
>         >        > loading SSL Implementation
>         >        > org.apache.tomcat.util.net.jss.JSSImplementation
>         >        > :java.lang.ClassNotFoundException:
>         >        org.mozilla.jss.ssl.SSLSocket
>         >        > /var/log/pki-ca/catalina.out:LifecycleException:
>         Protocol
>         >        handler
>         >        > initialization failed:
>         java.lang.ClassNotFoundException:
>         >        Error loading
>         >        > SSL Implementation
>         >        org.apache.tomcat.util.net.jss.JSSImplementation
>         >        > :java.lang.ClassNotFoundException:
>         >        org.mozilla.jss.ssl.SSLSocket
>         >        
>         >        Hmm. Is there any additional information in the debug
>         log? Any
>         >        AVCs in 
>         >        /var/log/audit/audit.log?
>         >        
>         >        Have you updated any packages recently? I'm not sure
>         why
>         >        dogtag would be 
>         >        throwing this exception.
>         >        
>         >        rob
>         >        
>         >        >
>         >        >
>         >
>         
> ------------------------------------------------------------------------
>         >        >    *From:* Rob Crittenden <rcrit...@redhat.com>
>         >        >    *To:* george he <george_...@yahoo.com>
>         >        >    *Cc:* John Dennis <jden...@redhat.com>;
>         >        "freeipa-users@redhat.com"
>         >        >    <freeipa-users@redhat.com>
>         >        >    *Sent:* Tuesday, September 4, 2012 9:49 PM
>         >        >    *Subject:* Re: [Freeipa-users] ipa host-del
>         >        >
>         >        >    george he wrote:
>         >        >      > both of the commands "service dirsrv
>         restart" and
>         >        "service pki-cad
>         >        >      > restart" reported:
>         >        >      > stopping ... OK
>         >        >      > starting ... OK
>         >        >      > but host-del still has the same error.
>         >        >      > More suggestions?
>         >        >
>         >        >    Check the logs again. The service starting does
>         not mean
>         >        it kept
>         >        >    running.
>         >        >
>         >        >    rob
>         >        >
>         >        >      > Thanks,
>         >        >      > George
>         >        >      >
>         >        >      >
>         >        >
>         >
>         
> ------------------------------------------------------------------------
>         >        >      >    *From:* Rob Crittenden
>         <rcrit...@redhat.com
>         >        >    <mailto:rcrit...@redhat.com>>
>         >        >      >    *To:* george he <george_...@yahoo.com
>         >        >    <mailto:george_...@yahoo.com>>
>         >        >      >    *Cc:* John Dennis <jden...@redhat.com
>         >        >    <mailto:jden...@redhat.com>>;
>         "freeipa-users@redhat.com
>         >        >    <mailto:freeipa-users@redhat.com>"
>         >        >      >    <freeipa-users@redhat.com
>         >        <mailto:freeipa-users@redhat.com>>
>         >        >      >    *Sent:* Tuesday, September 4, 2012 4:20
>         PM
>         >        >      >    *Subject:* Re: [Freeipa-users] ipa
>         host-del
>         >        >      >
>         >        >      >    george he wrote:
>         >        >      >      > I'm running centos 6.3
>         >        >      >      > # uname -r
>         >        >      >      > 2.6.32-279.5.2.el6.x86_64
>         >        >      >    >
>         >        >      >      > pki-ca: unrecognized service
>         >        >      >      >
>         >        >      >      > There are tons of errors
>         in /var/log/pki-ca/*,
>         >        some of
>         >        >    them are:
>         >        >      >      > /var/log/pki-ca/system:11605.main -
>         >        [30/Aug/2012:16:34:56 EDT]
>         >        >      >    [3] [3]
>         >        >      >      > Cannot build CA chain. Error
>         >        >    java.security.cert.CertificateException:
>         >        >      >      > Certificate is not a PKCS #11
>         certificate
>         >        >      >      > /var/log/pki-ca/system:11605.main -
>         >        [30/Aug/2012:16:34:56 EDT]
>         >        >      >    [13] [3]
>         >        >      >      > authz instance DirAclAuthz
>         initialization
>         >        failed and skipped,
>         >        >      >      > error=Property
>         internaldb.ldapconn.port
>         >        missing value
>         >        >      >
>         > /var/log/pki-ca/system:11605.http-9445-1 -
>         >        >    [30/Aug/2012:16:35:01 EDT]
>         >        >      >      > [3] [3] Cannot build CA chain. Error
>         >        >      >      >
>         java.security.cert.CertificateException:
>         >        Certificate is not a
>         >        >      >    PKCS #11
>         >        >      >      > certificate
>         >        >      >
>         > /var/log/pki-ca/system:11605.http-9445-1 -
>         >        >    [30/Aug/2012:16:35:10 EDT]
>         >        >      >      > [3] [3] CASigningUnit: Object
>         certificate not
>         >        found. Error
>         >        >      >      >
>         org.mozilla.jss.crypto.ObjectNotFoundException
>         >        >      >      > /var/log/pki-ca/system:3281.main -
>         >        [31/Aug/2012:17:54:28
>         >        >    EDT] [8]
>         >        >      >    [3] In
>         >        >      >      > Ldap (bound) connection pool to host
>         >        >    cushing.psych.yale.edu port
>         >        >      >    7389,
>         >        >      >      > Cannot connect to LDAP server. Error:
>         >        >    netscape.ldap.LDAPException:
>         >        >      >      > failed to connect to server
>         >        >    ldap://cushing.psych.yale.edu:7389 (91)
>         >        >      > >
>         >        >      >
>         >        > /var/log/pki-ca/catalina.2012-09-03.log:SEVERE:
>         Error
>         >        >    initializing
>         >        >      >      > socket factory
>         >        >      >      >
>         >        >      >
>         >        >
>         >
>           
> /var/log/pki-ca/catalina.2012-09-03.log:java.lang.ClassNotFoundException:
>         >        >      >    Error
>         >        >      >      > loading SSL Implementation
>         >        >      >      >
>         >        org.apache.tomcat.util.net.jss.JSSImplementation
>         >        >      >      > :java.lang.ClassNotFoundException:
>         >        >    org.mozilla.jss.ssl.SSLSocket
>         >        >      >      >
>         >        >
>         >
>           /var/log/pki-ca/catalina.2012-09-03.log:LifecycleException:
>         >        Protocol
>         >        >      >      > handler initialization failed:
>         >        >    java.lang.ClassNotFoundException:
>         >        >      >    Error
>         >        >      >      > loading SSL Implementation
>         >        >      >      >
>         >        org.apache.tomcat.util.net.jss.JSSImplementation
>         >        >      >      > :java.lang.ClassNotFoundException:
>         >        >    org.mozilla.jss.ssl.SSLSocket
>         >        >      >
>         >        > /var/log/pki-ca/catalina.2012-09-03.log:SEVERE:
>         Error
>         >        >    deploying web
>         >        >      >      > application directory ca
>         >        >      >
>         >        >      >    The problem looks to be that the dogtag
>         389-ds
>         >        instance is not
>         >        >    started.
>         >        >      >    I'd try: service dirsrv restart PKI-IPA
>         >        >      >
>         >        >      >    Then service pki-cad restart
>         >        >      >
>         >        >      >    rob
>         >        >      >
>         >        >      >
>         >        >      >
>         >        >      >
>         >        >
>         >        >
>         >        >
>         >        
>         >        
>         >        
>         >        
>         
>         
>         
>         
>         


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to