The restore I was referring to was a red herring; we ended up wiping the server 
and saving ipa-backup files, which was the only way we could successfully 
reconfigure/reinitialize IPA on the host.


Daniel Alex Finkelstein | Lead Dev Ops Engineer
dan.finkelst...@h5g.com | 212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com <http://www.high5games.com/>
Play High 5 Casino <https://apps.facebook.com/highfivecasino/> and Shake the Sky <https://apps.facebook.com/shakethesky/>
Follow us on: Facebook <http://www.facebook.com/high5games>, Twitter <https://twitter.com/High5Games>, YouTube <http://www.youtube.com/High5Games>, Linkedin <http://www.linkedin.com/company/1072533?trk=tyah>

This message and any attachments may contain confidential or privileged 
information and are only for the use of the intended recipient of this message. 
If you are not the intended recipient, please notify the sender by return 
email, and delete or destroy this and all copies of this message and all 
attachments. Any unauthorized disclosure, use, distribution, or reproduction of 
this message or any attachments is prohibited and may be unlawful.

From: Rob Crittenden <rcrit...@redhat.com>
Date: Friday, June 10, 2016 at 17:17
To: Daniel Finkestein <dan.finkelst...@high5games.com>, 
"freeipa-users@redhat.com" <freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 
4301: CertificateOperationError)

dan.finkelst...@high5games.com wrote:
And, from the 'ipactl -d --ignore-service-failures restart' we get this:

ipa: DEBUG: stderr=
ipa: DEBUG: wait_for_open_ports: localhost [8080, 8443] timeout 300
ipa: DEBUG: Waiting until the CA is running
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'
ipa: DEBUG: Process finished, return code=4
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=--2016-06-10 15:29:38--  https://ipa.example.com:8443/ca/admin/ca/getStatus
Resolving ipa.example.com (ipa.example.com)... 10.55.10.31
Connecting to ipa.example.com (ipa.example.com)|10.55.10.31|:8443... connected.
Unable to establish SSL connection.
ipa: DEBUG: The CA status is: check interrupted due to error: Command ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'' returned non-zero exit status 4
ipa: DEBUG: Waiting for CA to start...
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'
ipa: DEBUG: Process finished, return code=4
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=--2016-06-10 15:29:43--  https://ipa.example.com:8443/ca/admin/ca/getStatus
Resolving ipa.example.com (ipa.example.com)... 10.55.10.31
Connecting to ipa.example.com (ipa.example.com)|10.55.10.31|:8443... connected.
Unable to establish SSL connection.
ipa: DEBUG: The CA status is: check interrupted due to error: Command ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'' returned non-zero exit status 4
ipa: DEBUG: Waiting for CA to start...
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'

Which leads me to believe that tomcat doesn't have the right certificate(s).

I don't think that's the problem. I'd check the pki logs to see if it
started and if not, why. Note that it is quite possible for tomcat to
start and the CA to fail because tomcat is just a container.

In a previous e-mail you said something about a restore, what was that?

rob



From: <freeipa-users-boun...@redhat.com> on behalf of Daniel Finkestein <dan.finkelst...@high5games.com>
Date: Friday, June 10, 2016 at 14:52
To: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)

That’s exactly right, and we got the files and links back to serviceable
order. Now we're (merely) facing issues with our restored certificate
store, which the pki-tomcatd process is not happy with. All IPA services
start normally except for tomcat, which spits out SSL errors (and we're
pretty sure must be related to bad certs… somewhere).

Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)

Internal Database Error encountered: Could not connect to LDAP server host ipa.example.com port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
    at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:673)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1107)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1013)
    at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:510)
    at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
    at com.netscape.certsrv.apps.CMS.start(CMS.java:1601)
    at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
    at javax.servlet.GenericServlet.init(GenericServlet.java:158)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
    at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
    at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
    at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
    at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
    at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
    at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
    at java.util.concurrent.FutureTask.run(FutureTask.java:262)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)

I think we might be willing to toss out the existing certificate store
and start anew, which fortunately should preserve the DNS, user, group,
etc., data already in LDAP. If we wanted to create a new trust and
self-signed cert for the server, how are those steps different from
promoting a replica to a cert-signing master?

Thanks,

Dan


From: Rob Crittenden <rcrit...@redhat.com>
Date: Friday, June 10, 2016 at 14:48
To: Daniel Finkestein <dan.finkelst...@high5games.com>, "freeipa-users@redhat.com" <freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)

I'd reinstall some rpms to properly create these:

tomcat
pki-base
pki-server

I'm not positive it will fix permissions, rpm -V on the same may point
out problems as well.

rob





-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
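The two symptoms in this thread are both TLS failures, but on different sockets: ipactl's wget probe of https://ipa.example.com:8443/ca/admin/ca/getStatus exits 4 with "Unable to establish SSL connection", and the CA's own DBSubsystem.init fails with "IO Error creating JSS SSL Socket" when it opens its LDAP connection to port 636. Rob's advice is to read the pki logs rather than assume the 8443 connector's certificate is wrong. The script below is an added example, not code from the thread, from FreeIPA or from Dogtag; it collects the checks a practitioner would run before discarding the certificate store. It assumes the default FreeIPA 4.2 / RHEL 7 locations (CA NSS database in /etc/pki/pki-tomcat/alias, CA debug log in /var/log/pki/pki-tomcat/ca/debug, IPA CA certificate in /etc/ipa/ca.crt), NSS certutil, openssl and wget on the host, and the getStatus XML shape (XMLResponse with a Status element) that its built-in sample reproduces; that sample reply is constructed, not captured. Without arguments it only runs an offline self-check on the log lines quoted above; with the argument "run" it executes the live checks on the IPA host.

```shell
#!/bin/sh
# ipa_ca_probe.sh: added diagnostic for the failure pattern in this thread
# (ipactl looping on "Waiting for CA to start..." while the Dogtag CA logs
# "IO Error creating JSS SSL Socket" against the directory server on 636).
# Example code, not part of FreeIPA or Dogtag. Assumed defaults for a
# FreeIPA 4.2 / RHEL 7 host: CA NSS DB in /etc/pki/pki-tomcat/alias, CA log
# in /var/log/pki/pki-tomcat/ca/debug, IPA CA certificate in /etc/ipa/ca.crt.

HOST="${IPA_HOST:-$(hostname -f 2>/dev/null || echo localhost)}"
CA_NSSDB="${CA_NSSDB:-/etc/pki/pki-tomcat/alias}"
CA_DEBUG_LOG="${CA_DEBUG_LOG:-/var/log/pki/pki-tomcat/ca/debug}"
IPA_CA_CERT="${IPA_CA_CERT:-/etc/ipa/ca.crt}"

# wget's documented exit codes; ipactl surfaces them only as
# "returned non-zero exit status N".
wget_rc_meaning() {
    case "$1" in
        0) echo "ok" ;;
        1) echo "generic error" ;;
        2) echo "parse error (command line or .wgetrc)" ;;
        3) echo "file I/O error" ;;
        4) echo "network failure: TCP connect or TLS handshake failed" ;;
        5) echo "SSL verification failure" ;;
        6) echo "authentication failure" ;;
        7) echo "protocol error" ;;
        8) echo "server issued an error response (e.g. HTTP 503)" ;;
        *) echo "unknown exit status $1" ;;
    esac
}

# Print the <Status> element of Dogtag's getStatus XML reply ("running"
# once the CA subsystem is up); prints nothing if the element is absent.
ca_status_from_xml() {
    sed -n 's/.*<Status>\([^<]*\)<\/Status>.*/\1/p' | head -n 1
}

# Classify a log excerpt read from stdin into the two symptoms in the thread.
ca_failure_hint() {
    text=$(cat)
    case "$text" in
        *"IO Error creating JSS SSL Socket"*)
            echo "ldap-tls: the CA could not open a TLS connection to the directory server on 636; check that 389-ds is listening with TLS, that the CA NSS DB holds and trusts (C flag) the CA that issued the directory server certificate, and that pkiuser can read the NSS DB files" ;;
        *"Unable to establish SSL connection"*)
            echo "connector-tls: TCP reached 8443 but the TLS handshake failed; Tomcat may still be starting, or the JSS connector could not load 'Server-Cert cert-pki-ca'; read the CA debug log and catalina.out before replacing certificates" ;;
        *)
            echo "no known pattern" ;;
    esac
}

live_checks() {
    echo "== getStatus on $HOST:8443 (the liveness probe ipactl runs; unverified on purpose) =="
    body=$(wget -q -O - --timeout=30 --no-check-certificate \
        "https://$HOST:8443/ca/admin/ca/getStatus"); rc=$?
    echo "wget rc=$rc: $(wget_rc_meaning "$rc")"
    [ -n "$body" ] && echo "CA status: $(printf '%s' "$body" | ca_status_from_xml)"

    echo "== TLS handshake to the directory server on 636, verified against $IPA_CA_CERT =="
    openssl s_client -connect "$HOST:636" -CAfile "$IPA_CA_CERT" </dev/null 2>&1 |
        grep -E 'Verify return code|subject=|issuer=|error'

    echo "== certificates, trust flags and validity in the CA NSS DB =="
    certutil -L -d "$CA_NSSDB"
    for nick in 'caSigningCert cert-pki-ca' 'Server-Cert cert-pki-ca' 'subsystemCert cert-pki-ca'; do
        echo "-- $nick"
        certutil -L -d "$CA_NSSDB" -n "$nick" | grep -E 'Serial Number|Not (Before|After)'
    done

    echo "== NSS DB ownership and package integrity (Rob's rpm -V suggestion) =="
    ls -ld "$CA_NSSDB" "$CA_NSSDB"/*.db
    rpm -V pki-server pki-base tomcat

    echo "== last lines of the CA debug log and a classification =="
    tail -n 20 "$CA_DEBUG_LOG"
    echo "hint: $(tail -n 500 "$CA_DEBUG_LOG" | ca_failure_hint)"
}

# Offline self-check on the exact lines quoted in the thread plus a
# constructed (not captured) getStatus reply in the shape Dogtag returns.
selftest() {
    echo "wget exit 4 => $(wget_rc_meaning 4)"
    printf '%s\n' 'Unable to establish SSL connection.' | ca_failure_hint
    printf '%s\n' 'Internal Database Error encountered: Could not connect to LDAP server host ipa.example.com port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)' | ca_failure_hint
    printf '%s' '<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>1</State><Type>CA</Type><Status>running</Status><Version>10.2.6</Version></XMLResponse>' | ca_status_from_xml
}

if [ "${1:-}" = run ]; then live_checks; else selftest; fi
```

Run it as root on the IPA server with "run" while pki-tomcatd is stuck. The getStatus probe keeps wget's --no-check-certificate because, as in ipactl, it is only a liveness check; the port 636 handshake is deliberately verified against the IPA CA certificate, since an unverified handshake says nothing about whether the CA's NSS database would accept the directory server's certificate, which is the path that failed in the stack trace above.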
