On 04/29/2016 02:53 PM, Bret Wortman wrote:
> Despite "ipactl status" indicating that all processes were running after
> step 1, step 2 produces "Unable to establish SSL connection."
>
> Full terminal session is at http://pastebin.com/ZuNBHPy0
>
> On 04/29/2016 07:29 AM, Petr Vobornik wrote:
>> On 04/29/2016 12:03 PM, Bret Wortman wrote:
>>> The date change was due (I think) to me changing the date back to 4/1
>>> yesterday, though I left it there and haven't updated it again until
>>> this morning, when I went back to 4/1 again.
>>>
>>> I put the results of the commands you requested at
>>> https://pastebin.com/s7cHAh6R. Thanks for your help, Petr. I really
>>> appreciate it.
I cannot view the pastebin:
"""
This is a private paste. If you created this paste, please login to view it.
"""

>>>
>>>
>>> Bret
>> If I combine this and the previous output, it seems that:
>>
>> - PKI starts normally
>> - ipactl has troubles with determining that PKI started and after 5mins
>> of failed attempts it stops whole IPA (expected behavior when a service
>> doesn't start)
>>
>> The failed attempt is:
>> """
>> ipa: DEBUG: Waiting until the CA is running
>> ipa: DEBUG: Starting external process
>> ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
>> '--no-check-certificate'
>> 'https://zsipa.private.net:443/ca/admin/ca/getStatus'
>> ipa: DEBUG: Process finished, return code=4
>> ipa: DEBUG: stdout=
>> ipa: DEBUG: stderr=--2016-04-01 09:39:50--
>> https://zsipa.private.net/ca/admin/ca/getStatus
>> Resolving zsipa.private.net (zsipa.private.net)... 192.168.208.53
>> Connecting to zsipa.private.net
>> (zsipa.private.net)|192.168.208.53|:443... connected.
>> Unable to establish SSL connection.
>>
>> ipa: DEBUG: The CA status is: check interrupted due to error: Command
>> ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate'
>> 'https://zsipa.private.net:443/ca/admin/ca/getStatus'' returned non-zero
>> exit status 4
>> """
>>
>> It says "Unable to establish SSL connection", it would be good to get
>> more details.
>>
>> Also given that the CA cert was renewed on April 3rd and that all certs
>> expire after that date, we should rather use date April 4th when moving
>> the date back.
>>
>> So first start IPA again (date April 4th) but force it to not stop
>> services
>>
>> 1. ipactl start --force
>> wait until all is started
>> 2. wget -v -d -S -O - --timeout=30 --no-check-certificate
>> https://zsipa.private.net:443/ca/admin/ca/getStatus
>>
>> optionally (assuming that CA won't be turned off)
>> 3. getcert list
>>
>
--
Petr Vobornik

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
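
The date-selection reasoning in the quoted reply (a CA certificate renewed on April 3rd, the other certificates expiring after that date, so April 4th rather than April 1st) can be checked mechanically. This is an added example, not code from the thread or from FreeIPA. The certificate names and every date except the April 3rd renewal are constructed, and in practice the validity periods would be read from the "getcert list" output.

```python
from datetime import date

# Constructed validity periods (not_before, not_after), day granularity only.
# Only the CA certificate's April 3rd renewal date comes from the thread;
# all other names and dates are made-up sample values.
CERTS = {
    "caSigningCert": (date(2016, 4, 3), date(2036, 4, 3)),
    "ocspSigningCert": (date(2014, 4, 20), date(2016, 4, 9)),
    "subsystemCert": (date(2014, 4, 20), date(2016, 4, 9)),
    "Server-Cert": (date(2014, 4, 21), date(2016, 4, 21)),
}


def common_window(certs):
    """Return (start, end) during which every certificate is valid, or None."""
    start = max(not_before for not_before, _ in certs.values())
    end = min(not_after for _, not_after in certs.values())
    return (start, end) if start <= end else None


def problems_on(certs, day):
    """List certificates that would be rejected with the clock set to `day`."""
    found = []
    for name, (not_before, not_after) in sorted(certs.items()):
        if day < not_before:
            found.append((name, "not yet valid"))
        elif day > not_after:
            found.append((name, "expired"))
    return found


if __name__ == "__main__":
    print("usable clock window:", common_window(CERTS))
    for day in (date(2016, 4, 1), date(2016, 4, 4), date(2016, 4, 29)):
        print(day, problems_on(CERTS, day) or "all valid")
```

With these sample values, April 1st falls before the renewed CA certificate's start date, while April 4th lies inside the window in which every certificate is valid.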