On 04/29/2016 02:53 PM, Bret Wortman wrote:
> Despite "ipactl status" indicating that all processes were running after
> step 1, step 2 produces "Unable to establish SSL connection."
> 
> Full terminal session is at http://pastebin.com/ZuNBHPy0

Hm, it doesn't help me much.

Does it contact the correct machine? I.e., is IP address OK?

What is the result of:

netstat -ln | grep 443
netstat -ln | grep 8009

Have you modified by any chance: /etc/httpd/conf.d/ipa-pki-proxy.conf

Try to run curl, maybe it will be more verbose, but probably not:

  # curl -v https://zsipa.private.net:443/ca/admin/ca/getStatus

Christian(CCd), do you have any ideas?

Could you look into /var/log/httpd/error_log or syslog(would try
/var/log/message and journalctl), There might be more information about the:
"""
status: NEED_TO_SUBMIT
ca-error: Internal error
"""
Which may help us with root culprit.

Do web ui or CLI work?

> 
> On 04/29/2016 07:29 AM, Petr Vobornik wrote:
>> On 04/29/2016 12:03 PM, Bret Wortman wrote:
>>> The date change was due (I think) to me changing the date back to 4/1
>>> yesterday, though I left it there and haven't updated it again until
>>> this morning, when I went back to 4/1 again.
>>>
>>> I put the results of the commands you requested at
>>> https://pastebin.com/s7cHAh6R. Thanks for your help, Petr. I really
>>> appreciate it.
>>>
>>>
>>> Bret
>> If I combine this and the previous output, it seems that:
>>
>> - PKI starts normally
>> - ipactl has troubles with determining that PKI started and after 5mins
>> of failed attempts it stops whole IPA (expected behavior when a service
>> doesn't start)
>>
>> The failed attempt is:
>> """
>> ipa: DEBUG: Waiting until the CA is running
>> ipa: DEBUG: Starting external process
>> ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
>> '--no-check-certificate'
>> 'https://zsipa.private.net:443/ca/admin/ca/getStatus'
>> ipa: DEBUG: Process finished, return code=4
>> ipa: DEBUG: stdout=
>> ipa: DEBUG: stderr=--2016-04-01 09:39:50--
>> https://zsipa.private.net/ca/admin/ca/getStatus
>> Resolving zsipa.private.net (zsipa.private.net)... 192.168.208.53
>> Connecting to zsipa.private.net
>> (zsipa.private.net)|192.168.208.53|:443... connected.
>> Unable to establish SSL connection.
>>
>> ipa: DEBUG: The CA status is: check interrupted due to error: Command
>> ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate'
>> 'https://zsipa.private.net:443/ca/admin/ca/getStatus'' returned non-zero
>> exit status 4
>> """
>>
>> It says "Unable to establish SSL connection", it would be good to get
>> more details.
>>
>> Also given that the CA cert was renewed on April 3rd and that all certs
>> expires after that date, we should rather use date April 4th when moving
>> the date back.
>>
>> So first start IPA again (date April 4th) but force it to not stop
>> services
>>
>> 1. ipactl start --force
>> wait until all is started
>> 2. wget -v -d -S -O - --timeout=30 --no-check-certificate
>> https://zsipa.private.net:443/ca/admin/ca/getStatus
>>
>> optionally (assuming that CA won't be turned of)
>> 3. getcert list
>>
> 


-- 
Petr Vobornik

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to