dan.finkelst...@high5games.com wrote:
An update: The journalctl command has some really interesting output:

Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: WARNING:  Symbolic link '/var/lib/pki/pki-tomcat/alias' does NOT exist!
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: INFO:  Attempting to create '/var/lib/pki/pki-tomcat/alias' -> '/etc/pki/pki-tomcat/ali
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ln: failed to create symbolic link ‘/var/lib/pki/pki-tomcat/alias’: Permission denied
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ERROR:  Failed to create '/var/lib/pki/pki-tomcat/alias' -> '/etc/pki/pki-tomcat/alias'

Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: WARNING:  Symbolic link '/var/lib/pki/pki-tomcat/logs' does NOT exist!
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: INFO:  Attempting to create '/var/lib/pki/pki-tomcat/logs' -> '/var/log/pki/pki-tomcat'
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ln: failed to create symbolic link ‘/var/lib/pki/pki-tomcat/logs’: Permission denied
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ERROR:  Failed to create '/var/lib/pki/pki-tomcat/logs' -> '/var/log/pki/pki-tomcat'!

Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: WARNING:  Symbolic link '/var/lib/pki/pki-tomcat/bin' does NOT exist!
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: INFO:  Attempting to create '/var/lib/pki/pki-tomcat/bin' -> '/usr/share/tomcat/bin'
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ln: failed to create symbolic link ‘/var/lib/pki/pki-tomcat/bin’: Permission denied
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ERROR:  Failed to create '/var/lib/pki/pki-tomcat/bin' -> '/usr/share/tomcat/bin'!

Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: WARNING:  Symbolic link '/var/lib/pki/pki-tomcat/conf' does NOT exist!
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: INFO:  Attempting to create '/var/lib/pki/pki-tomcat/conf' -> '/etc/pki/pki-tomcat'
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ln: failed to create symbolic link ‘/var/lib/pki/pki-tomcat/conf’: Permission denied
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ERROR:  Failed to create '/var/lib/pki/pki-tomcat/conf' -> '/etc/pki/pki-tomcat'!

Jun 10 11:16:23 ipa.example.com systemd[1]: pki-tomcatd@pki-tomcat.service: control process exited, code=exited status=1
Jun 10 11:16:23 ipa.example.com systemd[1]: Failed to start PKI Tomcat Server pki-tomcat.

Which makes me think all we have to do is create the right directory
structures/links and/or change the file permissions? But which ones and
to whom?

I'd reinstall some rpms to properly create these:

tomcat
pki-base
pki-server

I'm not positive it will fix permissions; rpm -V on the same may point out problems as well.

rob
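The journalctl output above names exactly four links that pkidaemon expects under the instance directory, and the "Permission denied" from ln says the directory they live in is not writable by the account the daemon runs as. The following POSIX sh script is an added example, not code from the thread or from the pki-server package: it checks those four links (missing, pointing at the wrong place, dangling, or a real file/directory sitting where a link should be), checks whether the instance directory is writable by the current user, and creates only the links that are entirely absent, leaving anything that exists but is wrong for manual review or for the rpm reinstall suggested in the reply. The PREFIX argument is an assumption made so the checker can run against a constructed fixture instead of a live /etc and /var; `pkiuser` as the Dogtag service account is also an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): verify the symlinks pkidaemon expects under a
# pki-tomcat instance directory, report what is wrong, and create only the MISSING ones.
# The four "name:target" pairs come straight from the journalctl output in the thread.
# PREFIX (assumption, for offline testing) is prepended to every target so the checker
# can run against a constructed fixture instead of the real /etc and /var.
PKI_LINK_SPECS="alias:/etc/pki/pki-tomcat/alias logs:/var/log/pki/pki-tomcat bin:/usr/share/tomcat/bin conf:/etc/pki/pki-tomcat"

# check_pki_links DIR [PREFIX]
# Prints one line per problem and leaves the count in PKI_PROBLEMS. Always returns 0 so
# it can be called under "set -e"; read PKI_PROBLEMS for the verdict.
check_pki_links() {
    dir=$1
    prefix=${2:-}
    PKI_PROBLEMS=0
    for spec in $PKI_LINK_SPECS; do
        name=${spec%%:*}
        target="$prefix${spec#*:}"
        link="$dir/$name"
        if [ -L "$link" ]; then
            actual=$(readlink "$link")
            if [ "$actual" != "$target" ]; then
                echo "WRONG: $link -> $actual (expected -> $target)"
                PKI_PROBLEMS=$((PKI_PROBLEMS + 1))
            elif [ ! -e "$target" ]; then
                echo "DANGLING: $link -> $target (target does not exist)"
                PKI_PROBLEMS=$((PKI_PROBLEMS + 1))
            fi
        elif [ -e "$link" ]; then
            echo "WRONG: $link exists but is not a symlink"
            PKI_PROBLEMS=$((PKI_PROBLEMS + 1))
        else
            echo "MISSING: $link (expected -> $target)"
            PKI_PROBLEMS=$((PKI_PROBLEMS + 1))
        fi
    done
    # "ln: ... Permission denied" in the log means the instance directory is not writable
    # by the account pkidaemon runs as. Run this check as that account (pkiuser is the
    # usual Dogtag service account; an assumption here) to see the same view it gets.
    if [ ! -w "$dir" ]; then
        echo "NOWRITE: $dir is not writable by $(id -un); pkidaemon cannot create links here"
        PKI_PROBLEMS=$((PKI_PROBLEMS + 1))
    fi
    return 0
}

# repair_missing_pki_links DIR [PREFIX]
# Creates only links that are absent. Entries that exist but are wrong are left alone,
# because deleting them could discard data; those are a job for a human or for rpm.
repair_missing_pki_links() {
    dir=$1
    prefix=${2:-}
    for spec in $PKI_LINK_SPECS; do
        name=${spec%%:*}
        target="$prefix${spec#*:}"
        link="$dir/$name"
        if [ ! -e "$link" ] && [ ! -L "$link" ]; then
            ln -s "$target" "$link" && echo "CREATED: $link -> $target"
        fi
    done
    return 0
}

# make_fixture BASE: constructed test tree with two good links, one wrong entry and one
# missing link, mirroring the failure pattern in the log.
make_fixture() {
    base=$1
    mkdir -p "$base/root/etc/pki/pki-tomcat/alias" \
             "$base/root/var/log/pki/pki-tomcat" \
             "$base/root/usr/share/tomcat/bin" \
             "$base/instance"
    ln -s "$base/root/etc/pki/pki-tomcat/alias" "$base/instance/alias"   # correct
    ln -s "$base/root/var/log/pki/pki-tomcat" "$base/instance/logs"      # correct
    mkdir "$base/instance/bin"   # wrong: a real directory where a link belongs
    # "conf" is left out on purpose: the MISSING case
}

# Stand-alone demo on the constructed fixture (prints 2 problems, then 1 after repair).
demo=$(mktemp -d)
make_fixture "$demo"
check_pki_links "$demo/instance" "$demo/root"
echo "before repair: $PKI_PROBLEMS problem(s)"
repair_missing_pki_links "$demo/instance" "$demo/root"
check_pki_links "$demo/instance" "$demo/root"
echo "after repair:  $PKI_PROBLEMS problem(s)"
rm -rf "$demo"
```

On a real host you would call `check_pki_links /var/lib/pki/pki-tomcat` with no prefix, once as root and once as the service account, and compare: a NOWRITE line that appears only for the service account points at directory ownership rather than at the links themselves, which is the case Rob's `rpm -V` suggestion is meant to surface.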


—Dan

<http://www.high5games.com/>

*Daniel Alex Finkelstein*| Lead Dev Ops Engineer

_dan.finkelst...@h5g.com <mailto:dan.finkelst...@h5g.com>_ | 212.604.3447

One World Trade Center, New York, NY 10007

www.high5games.com <http://www.high5games.com/>

Play High 5 Casino <https://apps.facebook.com/highfivecasino/> and Shake
the Sky <https://apps.facebook.com/shakethesky/>

Follow us on: Facebook <http://www.facebook.com/high5games>, Twitter
<https://twitter.com/High5Games>, YouTube
<http://www.youtube.com/High5Games>, Linkedin
<http://www.linkedin.com/company/1072533?trk=tyah>


/This message and any attachments may contain confidential or privileged
information and are only for the use of the intended recipient of this
message. If you are not the intended recipient, please notify the sender
by return email, and delete or destroy this and all copies of this
message and all attachments. Any unauthorized disclosure, use,
distribution, or reproduction of this message or any attachments is
prohibited and may be unlawful./

*From: *<freeipa-users-boun...@redhat.com> on behalf of Daniel
Finkelstein <dan.finkelst...@high5games.com>
*Date: *Wednesday, June 8, 2016 at 17:11
*To: *"freeipa-users@redhat.com" <freeipa-users@redhat.com>
*Subject: *[Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA
Error 4301: CertificateOperationError)

I have a promoted CA master/FreeIPA 4.2.0 instance on CentOS 7 that
emits this error in the httpd logs whenever the WebUI tries to see the
certificates page:

[Wed Jun 08 16:56:27.052106 2016] [:error] [pid 2863] ipa: ERROR: ipaserver.plugins.dogtag.ra.find(): Unable to communicate with CMS ([Errno 111] Connection refused)

[Wed Jun 08 16:56:27.052401 2016] [:error] [pid 2863] ipa: INFO: [jsonserver_session] dfinkelst...@example.com: cert_find(version=u'2.156'): CertificateOperationError

The certificates appear as follows:

[root@ipa httpd]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
auditSigningCert cert-pki-ca                                 u,u,u
EXAMPLE.COM IPA CA                                           CTu,u,Cu
ipaCert                                                      u,u,u
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u

Upon reboot, httpd fails to start with the error: Failed to start
Identity, Policy, Audit. But it can be started later with `ipactl
restart`. Finally, the two last IPA services don't appear to start:

[root@ipa]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: STOPPED
ipa-dnskeysyncd Service: STOPPED
ipa: INFO: The ipactl command was successful

I'd appreciate any guidance or suggestions.

Thanks,

Dan

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project