On 04/28/2016 05:49 PM, Bret Wortman wrote:
> My system shows pki-server is installed and V10.2.1-3.fc21, but I don't
> have the pki-server binary itself. Will reinstalling this rpm hurt me in
> any way? Without it, I'm not sure how to check my system against the
> messages you provided below.

Not sure what you mean. Running doesn't require any additional packages.
It is just to get additional logs.

    systemctl status [email protected]
    journalctl -u [email protected]

And the links below are about checking if CA users have correctly mapped
certificates in LDAP database in ou=people,o=ipaca for that you need only
ldapsearch command and start directory server:

    systemctl start [email protected]

Proper name for [email protected] can be found using:

    systemctl | grep dirsrv@

>
> On 04/28/2016 11:07 AM, Petr Vobornik wrote:
>> On 04/28/2016 04:07 PM, Bret Wortman wrote:
>>> Okay. This morning, I turned back time to 4/1 and started up IPA. It
>>> didn't work, but I got something new and interesting in the debug log,
>>> which I've posted to http://pastebin.com/M9VGCS8A. Lots of garbled junk
>>> came pouring out which doesn't happen when I'm set to real time. Is
>>> /this/ significant?
>> Anything in
>>     systemctl status [email protected]
>> or rather:
>>     journalctl -u [email protected]
>> ?
>>
>> Just to be sure, it might be also worth to check if CA subsystem users
>> have correct certs assigned:
>> * https://www.redhat.com/archives/freeipa-users/2016-April/msg00138.html
>> * https://www.redhat.com/archives/freeipa-users/2016-April/msg00143.html
>>
>>>
>>> On 04/27/2016 02:24 PM, Bret Wortman wrote:
>>>> I put excerpts from the ca logs in http://pastebin.com/gYgskU79. It
>>>> looks logical to me, but I can't spot anything that looks like a root
>>>> cause error. The selftests are all okay, I think. The debug log might
>>>> have something, but it might also just be complaining about ldap not
>>>> being up because it's not.
>>>>
>>>>
>>>> On 04/27/2016 01:11 PM, Rob Crittenden wrote:
>>>>> Bret Wortman wrote:
>>>>>> So in lieu of fixing these certs, is there an acceptable way to dump
>>>>>> them all and start over /without losing the contents of the IPA
>>>>>> database/? Or otherwise really screwing ourselves?
>>>>> I don't believe there is a way.
>>>>>
>>>>>> We have a replica that's still up and running and we've switched
>>>>>> everyone over to talking to it, but we're at risk with just the one.
>>>>> I'd ignore the two unknown certs for now. They look like someone was
>>>>> experimenting with issuing a cert and didn't quite get things working.
>>>>>
>>>>> The CA seems to be throwing an error. I'd check the syslog for
>>>>> messages from certmonger and look at the CA debug log and selftest log.
>>>>>
>>>>> rob
>>>>>
>>>> [snip]
>>>>
>>>
>>
>

--
Petr Vobornik

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
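
The check on CA users in ou=people,o=ipaca that the reply points to, as an added example that is not part of the thread or the project's own code. It assumes Dogtag records the certificate mapping in the entry's `description` attribute as `2;<serial>;<issuer DN>;<subject DN>`; the function names and the sample LDIF (realm, serial) are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Input is LDIF such as the output of:
#   ldapsearch -x -D "cn=Directory Manager" -W -b ou=people,o=ipaca "(uid=*)" uid description
# ASSUMPTION: the cert mapping is "description: 2;<serial>;<issuer DN>;<subject DN>".

# Constructed sample entries (realm and serial are made up).
sample_ldif() {
cat <<'EOF'
dn: uid=pkidbuser,ou=people,o=ipaca
uid: pkidbuser
description: 2;4;CN=Certificate Authority,O=EXAMPLE.TEST;CN=CA Subsystem,O=
 EXAMPLE.TEST

dn: uid=admin,ou=people,o=ipaca
uid: admin
EOF
}

# mapped_serial UID: print the serial mapped to UID, "unmapped" when the entry
# has no mapping, or "missing" when no such entry exists. Reads LDIF on stdin.
mapped_serial() {
  awk -v want="$1" '
    function emit() {
      if (uid == want) { seen = 1; print (serial == "" ? "unmapped" : serial) }
    }
    function flush() {
      if (buf ~ /^dn: /) { emit(); uid = ""; serial = "" }
      else if (buf ~ /^uid: /) uid = substr(buf, 6)
      else if (buf ~ /^description: 2;/) { split(buf, f, ";"); serial = f[2] }
      buf = ""
    }
    /^ / { buf = buf substr($0, 2); next }   # unfold wrapped LDIF lines
    { flush(); buf = $0 }
    END { flush(); emit(); if (!seen) print "missing" }
  '
}

# check_mapping UID SERIAL: succeed only if the directory maps UID to SERIAL,
# where SERIAL is the decimal serial of the certificate the subsystem presents.
check_mapping() {
  [ "$(mapped_serial "$1")" = "$2" ]
}

sample_ldif | check_mapping pkidbuser 4 && echo "pkidbuser: mapping matches"
sample_ldif | check_mapping admin 4 || echo "admin: no matching mapping"
```

A mismatch between the mapped serial and the serial of the certificate currently in the CA's NSS database means the directory entry still points at an older certificate.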
