On 06/03/2016 11:11 AM, seli irithyl wrote:
> Sorry Martin,
> I rebooted the IdM server:
> [root@lead sssd]# ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> ipa_memcached Service: RUNNING
> httpd Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa: INFO: The ipactl command was successful
> 
> I checked DNS and it is ok
> 
> I can login from any host.
> 
> Unfortunately when trying to run any ipa command:
> [root@lead ~]# ipa service-find lead.bioinf.local
> ipa: ERROR: cert validation failed for 
> "E=root@lead.bioinf.local,CN=lead.bioinf.local,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--"
>  
> ((SEC_ERROR_CA_CERT_INVALID) Issuer certificate is invalid.)
> ipa: ERROR: cannot connect to 'https://lead.bioinf.local/ipa/json': 
> (SEC_ERROR_CA_CERT_INVALID) Issuer certificate is invalid.
> 
> Does anybody have an idea on where and what to check next?
> Thx,
> 
> Seli
> 

Does
 # getcert list

show any expired certificate?

Do you use IPA with externally signed CA cert? Are they valid?

> 
> 
> On Tue, May 31, 2016 at 8:33 AM, Martin Kosek <mko...@redhat.com 
> <mailto:mko...@redhat.com>> wrote:
> 
>     Hello Seli,
> 
>     Please reply to mailing list directly so that others can benefit from the
>     thread as well.
> 
>     Thanks,
>     Martin
> 
>     On 05/30/2016 06:17 PM, seli irithyl wrote:
>      > Freeipa version : 4.2.0-15.0.1.el7.centos.6.1
>      > FF: 45.1.1
>      > Could this problem be related to mod_ssl and mod_nss for httpd?
>      > Looking at the logs, it seems there are lots of problems. Here are some
>      > parts that look strange to me (and are probably unrelated):
>      > 1 sssd:
>      >      1.1 krb5_child.log
>      >          (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]]
>     [unpack_buffer]
>      > (0x0100): cmd [249] uid [1713400053] gid [1713400053] validate [true]
>     enterprise
>      > principal [false] offline [false] UPN [koto@BIOINF.LOCAL]
>      >          (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]]
>     [k5c_setup_fast]
>      > (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to
>     [host/lead.bioinf.local@BIOINF.LOCAL]
>      >          (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]]
>      > [check_fast_ccache] (0x0200): FAST TGT is still valid.
>      >          (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]] 
> [become_user]
>      > (0x0200): Trying to become user [1713400053][1713400053].
>      >          (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]]
>      > [set_lifetime_options] (0x0100): SSSD_KRB5_RENEWABLE_LIFETIME is set 
> to [7d]
>      >          (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]]
>      > [set_lifetime_options] (0x0100): SSSD_KRB5_LIFETIME is set to [1d]
>      >          (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]]
>      > [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to 
> [true]
>      >          (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]]
>      > [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
>      >          (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]]
>     [k5c_send_data]
>      > (0x0200): Received error code 0
>      >      1.2 sssd_bioinf.local.log
>      >          (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]]
>      > [check_ccache_files] (0x0200): Failed to check ccache file
>      > [KEYRING:persistent:1713400031].
>      >          (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]]
>      > [check_ccache_files] (0x0200): Failed to check ccache file
>      > [KEYRING:persistent:1713400053].
>      >          ...
>      >          (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]]
>      > [check_and_export_options] (0x0100): No KDC explicitly configured, 
> using
>     defaults.
>      >          (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]]
>      > [check_and_export_options] (0x0100): No kpasswd server explicitly 
> configured,
>      > using the KDC or defaults.
>      >          (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]]
>      > [parse_krb5_map_user] (0x0200): Warning: krb5_map_user is empty!
>      >          (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]]
>      > [load_backend_module] (0x0200): no module name found in confdb, using 
> [ipa].
>      >          (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]]
>      > [common_parse_search_base] (0x0100): Search base added:
>      > [SUDO][ou=SUDOers,dc=bioinf,dc=local][SUBTREE][]
>      >          (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]]
>     [check_ipv4_addr]
>      > (0x0200): Loopback IPv4 address 127.0.0.1
>      >          (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]]
>     [check_ipv6_addr]
>      > (0x0200): Loopback IPv6 address ::1
>      >          (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]]
>      > [load_backend_module] (0x0200): no module name found in confdb, using 
> [ipa].
>      >          (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]]
>      > [common_parse_search_base] (0x0100): Search base added:
>      > [AUTOFS][cn=default,cn=automount,dc=bioinf,dc=local][SUBTREE][]
>      >          (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]]
>      > [load_backend_module] (0x0200): no module name found in confdb, using 
> [ipa].
>      >          ...
>      >          (Mon May 30 17:16:11 2016) [sssd[be[bioinf.local]]]
>      > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
>     domain SID
>      > from [(null)]
>      >          (Mon May 30 17:16:11 2016) [sssd[be[bioinf.local]]]
>      > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
>     domain SID
>      > from [(null)]
>      >          (Mon May 30 17:16:11 2016) [sssd[be[bioinf.local]]]
>      > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
>     domain SID
>      > from [(null)]
>      >          ...
>      >          (Mon May 30 17:16:11 2016) [sssd[be[bioinf.local]]]
>      > [sdap_process_group_send] (0x0040): No Members. Done!
>      >          (Mon May 30 17:16:11 2016) [sssd[be[bioinf.local]]]
>      > [sdap_process_group_send] (0x0040): No Members. Done!
>      >          (Mon May 30 17:16:11 2016) [sssd[be[bioinf.local]]]
>      > [sdap_process_group_send] (0x0040): No Members. Done!
>      >          ...
>      >      1.3 sssd_nss.log
>      >          (Mon May 30 17:18:07 2016) [sssd[nss]] [calc_flat_name]
>     (0x0080): Flat
>      > name requested but domain has noflat name set, falling back to domain 
> name
>      >          (Mon May 30 17:20:01 2016) [sssd[nss]] [sss_cmd_get_version]
>     (0x0200):
>      > Received client version [1].
>      >          (Mon May 30 17:20:01 2016) [sssd[nss]] [sss_cmd_get_version]
>     (0x0200):
>      > Offered version [1].
>      >          (Mon May 30 17:20:01 2016) [sssd[nss]] [sss_cmd_get_version]
>     (0x0200):
>      > Received client version [1].
>      >          (Mon May 30 17:20:01 2016) [sssd[nss]] [sss_cmd_get_version]
>     (0x0200):
>      > Offered version [1].
>      >          (Mon May 30 17:20:01 2016) [sssd[nss]] 
> [sss_parse_name_for_domains]
>      > (0x0200): name 'root' matched without domain, user is root
>      >          (Mon May 30 17:20:01 2016) [sssd[nss]] [nss_cmd_getbynam] 
> (0x0100):
>      > Requesting info for [root] from [<ALL>]
>      >          (Mon May 30 17:20:01 2016) [sssd[nss]] 
> [nss_cmd_initgroups_search]
>      > (0x0080): No matching domain found for [root], fail!
>      >          (Mon May 30 17:20:01 2016) [sssd[nss]] 
> [sss_parse_name_for_domains]
>      > (0x0200): name 'root' matched without domain, user is root
>      >          (Mon May 30 17:20:01 2016) [sssd[nss]] [nss_cmd_getbynam] 
> (0x0100):
>      > Requesting info for [root] from [<ALL>]
>      >          (Mon May 30 17:20:01 2016) [sssd[nss]] 
> [nss_cmd_initgroups_search]
>      > (0x0080): No matching domain found for [root], fail!
>      >          (Mon May 30 17:20:01 2016) [sssd[nss]] [client_recv] (0x0200):
>     Client
>      > disconnected!
>      >          (Mon May 30 17:20:01 2016) [sssd[nss]] [client_recv] (0x0200):
>     Client
>      > disconnected!
>      >
>      > 2 pki : catalina.2016-05-30.log
>      >      May 30, 2016 2:18:10 PM org.apache.coyote.AbstractProtocol init
>      >      SEVERE: Failed to initialize end point associated with 
> ProtocolHandler
>      > ["http-bio-8443"]
>      >      java.net.BindException: Could not bind to address: (-5982) Local 
> Network
>      > address is in use. <null>:8443
>      >          at 
> org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:411)
>      >          at
>      > 
> org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640)
>      >          at
>     org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
>      >          at
>      >
>     
> org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
>      >          at
>     org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
>      >          at
>     org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>      >          at
>      >
>     
> org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
>      >          at
>     org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>      >          at
>      > 
> org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:813)
>      >          at
>     org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>      >          at 
> org.apache.catalina.startup.Catalina.load(Catalina.java:638)
>      >          at 
> org.apache.catalina.startup.Catalina.load(Catalina.java:663)
>      >          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>      >          at
>      > 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>      >          at
>      >
>     
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>      >          at java.lang.reflect.Method.invoke(Method.java:497)
>      >          at 
> org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
>      >          at 
> org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
>      >      Caused by: java.net.BindException: Could not bind to address:
>     (-5982) Local
>      > Network address is in use.
>      >          at org.mozilla.jss.ssl.SocketBase.socketBind(Native Method)
>      >          at
>     org.mozilla.jss.ssl.SSLServerSocket.<init>(SSLServerSocket.java:159)
>      >          at
>      >
>     
> org.apache.tomcat.util.net.jss.JSSSocketFactory.createSocket(JSSSocketFactory.java:937)
>      >          at
>      >
>     
> org.apache.tomcat.util.net.jss.JSSSocketFactory.createSocket(JSSSocketFactory.java:929)
>      >          at
>      >
>     
> org.apache.tomcat.util.net.jss.JSSSocketFactory.createSocket(JSSSocketFactory.java:924)
>      >          at 
> org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:398)
>      >          ... 17 more
>      >      May 30, 2016 2:18:10 PM org.apache.catalina.core.StandardService
>     initInternal
>      >      SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
>      >      org.apache.catalina.LifecycleException: Failed to initialize 
> component
>      > [Connector[HTTP/1.1-8443]]
>      >          at
>     org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
>      >          at
>      >
>     
> org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
>      >          at
>     org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>      >          at
>      > 
> org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:813)
>      >          at
>     org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>      >          at 
> org.apache.catalina.startup.Catalina.load(Catalina.java:638)
>      >          at 
> org.apache.catalina.startup.Catalina.load(Catalina.java:663)
>      >          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>      >          at
>      > 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>      >          at
>      >
>     
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>      >          at java.lang.reflect.Method.invoke(Method.java:497)
>      >          at 
> org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
>      >          at 
> org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
>      >      Caused by: org.apache.catalina.LifecycleException: Protocol 
> handler
>      > initialization failed
>      >          at
>     org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
>      >          at
>     org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>      >          ... 12 more
>      >      Caused by: java.net.BindException: Could not bind to address:
>     (-5982) Local
>      > Network address is in use. <null>:8443
>      >          at 
> org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:411)
>      >          at
>      > 
> org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640)
>      >          at
>     org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
>      >          at
>      >
>     
> org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
>      >          at
>     org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
>      >          ... 13 more
>      >      Caused by: java.net.BindException: Could not bind to address:
>     (-5982) Local
>      > Network address is in use.
>      >          at org.mozilla.jss.ssl.SocketBase.socketBind(Native Method)
>      >          at
>     org.mozilla.jss.ssl.SSLServerSocket.<init>(SSLServerSocket.java:159)
>      >          at
>      >
>     
> org.apache.tomcat.util.net.jss.JSSSocketFactory.createSocket(JSSSocketFactory.java:937)
>      >          at
>      >
>     
> org.apache.tomcat.util.net.jss.JSSSocketFactory.createSocket(JSSSocketFactory.java:929)
>      >          at
>      >
>     
> org.apache.tomcat.util.net.jss.JSSSocketFactory.createSocket(JSSSocketFactory.java:924)
>      >          at 
> org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:398)
>      >          ... 17 more
>      >
>      > 3. dirsrv
>      >      [26/May/2016:12:14:10 +0200] - WARNING: userRoot: entry cache size
>     512000B
>      > is less than db size 1163264B; We recommend to increase the entry 
> cache size
>      > nsslapd-cachememsize.
>      >      [26/May/2016:12:14:10 +0200] - WARNING: ipaca: entry cache size
>     512000B is
>      > less than db size 1015808B; We recommend to increase the entry cache 
> size
>      > nsslapd-cachememsize.
>      >      [26/May/2016:12:14:10 +0200] - WARNING: changelog: entry cache 
> size
>     512000B
>      > is less than db size 10100736B; We recommend to increase the entry 
> cache size
>      > nsslapd-cachememsize.
>      >      [26/May/2016:12:14:10 +0200] schema-compat-plugin - scheduled
>      > schema-compat-plugin tree scan in about 5 seconds after the server 
> startup!
>      >      [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target
>      > cn=dns,dc=bioinf,dc=local does not exist
>      >      [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target
>      > cn=dns,dc=bioinf,dc=local does not exist
>      >          [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target
>      > cn=keys,cn=sec,cn=dns,dc=bioinf,dc=local does not exist
>      >      [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target
>      > cn=dns,dc=bioinf,dc=local does not exist
>      >      [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target
>      > cn=dns,dc=bioinf,dc=local does not exist
>      >      [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target
>      > cn=groups,cn=compat,dc=bioinf,dc=local does not exist
>      >      [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target
>      > cn=computers,cn=compat,dc=bioinf,dc=local does not exist
>      >      [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target
>      > cn=ng,cn=compat,dc=bioinf,dc=local does not exist
>      >      [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target
>      > ou=sudoers,dc=bioinf,dc=local does not exist
>      >      [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target
>      > cn=users,cn=compat,dc=bioinf,dc=local does not exist
>      >      [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target
>      > cn=vaults,cn=kra,dc=bioinf,dc=local does not exist
>      >      [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target
>      > cn=vaults,cn=kra,dc=bioinf,dc=local does not exist
>      >      [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target
>      > cn=vaults,cn=kra,dc=bioinf,dc=local does not exist
>      >      [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target
>      > cn=vaults,cn=kra,dc=bioinf,dc=local does not exist
>      >      [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target
>      > cn=vaults,cn=kra,dc=bioinf,dc=local does not exist
>      >      [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target
>      > cn=vaults,cn=kra,dc=bioinf,dc=local does not exist
>      >      [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target
>      > cn=vaults,cn=kra,dc=bioinf,dc=local does not exist
>      >      [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target
>      > cn=vaults,cn=kra,dc=bioinf,dc=local does not exist
>      >      [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target
>      > cn=vaults,cn=kra,dc=bioinf,dc=local does not exist
>      >      [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target
>      > cn=vaults,cn=kra,dc=bioinf,dc=local does not exist
>      >      [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target
>      > cn=vaults,cn=kra,dc=bioinf,dc=local does not exist
>      >      [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target
>      > cn=ad,cn=etc,dc=bioinf,dc=local does not exist
>      >      [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target
>     cn=casigningcert
>      > cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=bioinf,dc=local does not 
> exist
>      >      [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target
>     cn=casigningcert
>      > cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=bioinf,dc=local does not 
> exist
>      >      [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target 
> cn=automember
>      > rebuild membership,cn=tasks,cn=config does not exist
>      >      [26/May/2016:12:14:10 +0200] - Skipping CoS Definition cn=Password
>      > Policy,cn=accounts,dc=bioinf,dc=local--no CoS Templates found, which
>     should be
>      > added before the CoS Definition.
>      >      [26/May/2016:12:14:10 +0200] schema-compat-plugin - 
> schema-compat-plugin
>      > tree scan will start in about 5 seconds!
>      >      [26/May/2016:12:14:10 +0200] - slapd started.  Listening on All
>     Interfaces
>      > port 389 for LDAP requests
>      >      [26/May/2016:12:14:10 +0200] - Listening on All Interfaces port 
> 636 for
>      > LDAPS requests
>      >      [26/May/2016:12:14:10 +0200] - Listening on
>      > /var/run/slapd-BIOINF-LOCAL.socket for LDAPI requests
>      >      [26/May/2016:12:14:15 +0200] schema-compat-plugin - warning: no
>     entries set
>      > up under ou=sudoers,dc=bioinf,dc=local
>      >      [26/May/2016:12:14:15 +0200] schema-compat-plugin - warning: no
>     entries set
>      > up under cn=ng, cn=compat,dc=bioinf,dc=local
>      >      [26/May/2016:12:14:15 +0200] schema-compat-plugin - Finished 
> plugin
>      > initialization.
>      >
>      >
>      > On Mon, May 30, 2016 at 4:46 PM, Martin Kosek <mko...@redhat.com
>     <mailto:mko...@redhat.com>
>      > <mailto:mko...@redhat.com <mailto:mko...@redhat.com>>> wrote:
>      >
>      >     On 05/30/2016 04:36 PM, Martin Basti wrote:
>      >     >
>      >     >
>      >     > On 30.05.2016 14:20, seli irithyl wrote:
>      >     >> Hi,
>      >     >>
>      >     >> Since last update, I'm unable to log in to the web UI with FF (e.g.
>      >     >> blank page)
>      >     >> Any idea where to look?
>      >     >>
>      >     >> Best regards,
>      >     >>
>      >     >> Seli
>      >     >>
>      >     >>
>      >     >>
>      >     >>
>      >     >>
>      >     > Hello,
>      >     >
>      >     > Can you provide the version of FreeIPA and Firefox? Does it work from
>      >     > a different browser? Does it work from private mode?
>      >
>      >     + does [CTRL]+F5 help? Does the advice in
>      > http://www.freeipa.org/page/Troubleshooting#Web_UI
>      >     help?
>      >
>      >
> 
> 
> 
> 


-- 
Petr Vobornik
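The check suggested above, as an added example that is not from this thread or from the FreeIPA project: a small Python parser for `getcert list` output that flags tracking requests that are expired, close to expiry or not in the MONITORING state, and tells you whether the subject DN quoted in an error is one certmonger tracks at all. The sample output is constructed to mimic certmonger's layout; the request IDs, nicknames and dates are made up, and `parse_getcert`, `find_problems`, `check_getcert` and `subject_is_tracked` are names chosen here.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout certmonger's `getcert list` prints.
# Request IDs, nicknames and dates are made up for this example.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20160101000001':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=BIOINF.LOCAL
\tsubject: CN=lead.bioinf.local,O=BIOINF.LOCAL
\texpires: 2018-01-01 00:00:01 UTC
Request ID '20160101000002':
\tstatus: CA_UNREACHABLE
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=BIOINF.LOCAL
\tsubject: CN=Certificate Authority,O=BIOINF.LOCAL
\texpires: 2016-05-28 12:00:00 UTC
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S %Z"   # the format getcert uses for 'expires'


def parse_getcert(text):
    """Turn getcert output into one dict per tracking request."""
    certs = []
    for block in re.split(r"^Request ID ", text, flags=re.M)[1:]:
        head, _, body = block.partition("\n")
        cert = {"id": head.strip("':")}
        for line in body.splitlines():
            key, sep, value = line.strip().partition(": ")
            if sep:
                cert[key] = value
        certs.append(cert)
    return certs


def parse_time(stamp):
    return datetime.strptime(stamp, TIME_FMT).replace(tzinfo=timezone.utc)


def find_problems(certs, now, warn_days=30):
    """List (request id, reason) for certs that are expired, close to expiry
    or not MONITORING; an expired CA cert makes its issued certs fail."""
    problems = []
    for cert in certs:
        expires = parse_time(cert["expires"])
        if expires <= now:
            problems.append((cert["id"], "expired " + cert["expires"]))
        elif expires - now < timedelta(days=warn_days):
            problems.append((cert["id"], "expires within %d days" % warn_days))
        if cert.get("status") != "MONITORING":
            problems.append((cert["id"], "status " + str(cert.get("status"))))
    return problems


def check_getcert(text, now_stamp):
    """Parse output and evaluate it at a given time (same format as 'expires')."""
    return find_problems(parse_getcert(text), parse_time(now_stamp))


def subject_is_tracked(certs, dn):
    """True when a tracked cert has this subject DN (spacing and case ignored).
    False for the DN in an error means the presented cert is not certmonger's."""
    norm = lambda s: re.sub(r"\s*,\s*", ",", s).lower()
    return any(norm(c.get("subject", "")) == norm(dn) for c in certs)
```

Run it on the real output of `getcert list` and today's timestamp; a DN from the error that is not tracked points at a certificate outside certmonger's control rather than at an expired tracked one.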

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
