On 06/12/2016 07:05 PM, dan.finkelst...@high5games.com wrote:
> The restore I was referring to was a red herring; we ended up wiping the
> server and saving ipa-backup files, which was the only way we could
> successfully reconfigure/reinitialize IPA on the host.

As Rob wrote, please check the PKI logs. The most important ones here are:

  /var/log/pki/pki-tomcat/ca/selftests.log
  /var/log/pki/pki-tomcat/ca/debug

The debug log usually has additional info on the possible cause of a failure
logged in the selftest log.

> *From: *Rob Crittenden <rcrit...@redhat.com>
> *Date: *Friday, June 10, 2016 at 17:17
> *To: *Daniel Finkestein <dan.finkelst...@high5games.com>,
> "freeipa-users@redhat.com" <freeipa-users@redhat.com>
> *Subject: *Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA
> Error 4301: CertificateOperationError)
>
> > dan.finkelst...@high5games.com wrote:
> > > And, from the 'ipactl -d --ignore-service-failures restart' we get this:
> > >
> > > ipa: DEBUG: stderr=
> > > ipa: DEBUG: wait_for_open_ports: localhost [8080, 8443] timeout 300
> > > ipa: DEBUG: Waiting until the CA is running
> > > ipa: DEBUG: Starting external process
> > > ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'
> > > ipa: DEBUG: Process finished, return code=4
> > > ipa: DEBUG: stdout=
> > > ipa: DEBUG: stderr=--2016-06-10 15:29:38--  https://ipa.example.com:8443/ca/admin/ca/getStatus
> > > Resolving ipa.example.com (ipa.example.com)... 10.55.10.31
> > > Connecting to ipa.example.com (ipa.example.com)|10.55.10.31|:8443... connected.
> > > Unable to establish SSL connection.
> > > ipa: DEBUG: The CA status is: check interrupted due to error: Command ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'' returned non-zero exit status 4
> > > ipa: DEBUG: Waiting for CA to start...
> > > ipa: DEBUG: Starting external process
> > > ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'
> > > ipa: DEBUG: Process finished, return code=4
> > > ipa: DEBUG: stdout=
> > > ipa: DEBUG: stderr=--2016-06-10 15:29:43--  https://ipa.example.com:8443/ca/admin/ca/getStatus
> > > Resolving ipa.example.com (ipa.example.com)... 10.55.10.31
> > > Connecting to ipa.example.com (ipa.example.com)|10.55.10.31|:8443... connected.
> > > Unable to establish SSL connection.
> > > ipa: DEBUG: The CA status is: check interrupted due to error: Command ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'' returned non-zero exit status 4
> > > ipa: DEBUG: Waiting for CA to start...
> > > ipa: DEBUG: Starting external process
> > > ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'
> > >
> > > Which leads me to believe that tomcat doesn't have the right
> > > certificate(s).
> >
> > I don't think that's the problem. I'd check the pki logs to see if it
> > started and if not, why. Note that it is quite possible for tomcat to
> > start and the CA to fail because tomcat is just a container.
> >
> > In a previous e-mail you said something about a restore, what was that?
> >
> > rob
> >
> > *Daniel Alex Finkelstein* | Lead Dev Ops Engineer
> > dan.finkelst...@h5g.com | 212.604.3447
> > One World Trade Center, New York, NY 10007
> > www.high5games.com
> >
> > /This message and any attachments may contain confidential or privileged
> > information and are only for the use of the intended recipient of this
> > message. If you are not the intended recipient, please notify the sender
> > by return email, and delete or destroy this and all copies of this
> > message and all attachments. Any unauthorized disclosure, use,
> > distribution, or reproduction of this message or any attachments is
> > prohibited and may be unlawful./
> >
> > *From: *<freeipa-users-boun...@redhat.com> on behalf of Daniel
> > Finkestein <dan.finkelst...@high5games.com>
> > *Date: *Friday, June 10, 2016 at 14:52
> > *To: *"freeipa-users@redhat.com" <freeipa-users@redhat.com>
> > *Subject: *Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA
> > Error 4301: CertificateOperationError)
> >
> > That's exactly right, and we got the files and links back to serviceable
> > order. Now we're (merely) facing issues with our restored certificate
> > store, which the pki-tomcatd process is not happy with. All IPA services
> > start normally except for tomcat, which spits out SSL errors (and we're
> > pretty sure must be related to bad certs... somewhere).
> >
> > Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
> > Internal Database Error encountered: Could not connect to LDAP server
> > host ipa.example.com port 636 Error netscape.ldap.LDAPException: IO
> > Error creating JSS SSL Socket (-1)
> >     at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:673)
> >     at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1107)
> >     at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1013)
> >     at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:510)
> >     at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
> >     at com.netscape.certsrv.apps.CMS.start(CMS.java:1601)
> >     at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
> >     at javax.servlet.GenericServlet.init(GenericServlet.java:158)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >     at java.lang.reflect.Method.invoke(Method.java:606)
> >     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
> >     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
> >     at java.security.AccessController.doPrivileged(Native Method)
> >     at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
> >     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
> >     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
> >     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
> >     at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
> >     at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
> >     at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
> >     at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
> >     at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
> >     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> >     at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
> >     at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
> >     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
> >     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
> >     at java.security.AccessController.doPrivileged(Native Method)
> >     at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
> >     at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
> >     at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
> >     at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
> >     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
> >     at java.util.concurrent.FutureTask.run(FutureTask.java:262)
> >     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> >     at java.lang.Thread.run(Thread.java:745)
> >
> > I think we might be willing to toss out the existing certificate store
> > and start anew, which fortunately should preserve the DNS, user, group,
> > etc., data already in LDAP. If we wanted to create a new trust and
> > self-signed cert for the server, how are those steps different from
> > promoting a replica to a cert-signing master?
> >
> > Thanks,
> > Dan
> >
> > *From: *Rob Crittenden <rcrit...@redhat.com>
> > *Date: *Friday, June 10, 2016 at 14:48
> > *To: *Daniel Finkestein <dan.finkelst...@high5games.com>,
> > "freeipa-users@redhat.com" <freeipa-users@redhat.com>
> > *Subject: *Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA
> > Error 4301: CertificateOperationError)
> >
> > I'd reinstall some rpms to properly create these:
> >
> >   tomcat
> >   pki-base
> >   pki-server
> >
> > I'm not positive it will fix permissions, rpm -V on the same may point
> > out problems as well.
> >
> > rob

-- 
Petr Vobornik

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
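A way to script the two checks discussed in this thread: the getStatus probe that ipactl runs against port 8443, and a summary of the two PKI logs Petr names, so that a failing self test and the underlying error (here, the LDAPS connection to port 636) show up without reading through the Java stack traces. This is an added example, not code from the thread or from FreeIPA/Dogtag. The selftests.log and debug line formats are assumptions modelled on Dogtag output, the sample log lines are constructed for the example, and ipa.example.com is the host name from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA/Dogtag).
# Log line formats below are assumptions modelled on Dogtag's
# selftests.log and debug output; the sample lines are constructed.

# The same probe 'ipactl -d' shows in the thread, with the host as a
# parameter. wget exit status 4 means "network failure", which is what a
# failed TLS handshake on 8443 produces ("Unable to establish SSL
# connection"); exit 0 with a JSON body means the CA answered.
ca_status() {
    /usr/bin/wget -S -O - --timeout=30 --no-check-certificate \
        "https://$1:8443/ca/admin/ca/getStatus"
}

# Names of self-test plugins that reported FAILED in selftests.log.
# Usage: failed_selftests /var/log/pki/pki-tomcat/ca/selftests.log
failed_selftests() {
    grep -o 'plugin called [^ ]* running at startup FAILED' "$1" \
        | awk '{ print $3 }' | sort -u
}

# Distinct error messages from the debug log, with the assumed
# "[timestamp][thread]: " prefix and the Java stack frames removed.
# Usage: debug_errors /var/log/pki/pki-tomcat/ca/debug
debug_errors() {
    grep -E 'Error|Exception' "$1" \
        | grep -v '^[[:space:]]*at ' \
        | sed -E 's/^\[[^]]*\]\[[^]]*\]: //' \
        | sort -u
}

# Constructed sample logs (not real output from the reporter's server),
# left in place under $SAMPLE_DIR for inspection.
SAMPLE_DIR="${TMPDIR:-/tmp}/pki-log-example.$$"
mkdir -p "$SAMPLE_DIR"
cat > "$SAMPLE_DIR/selftests.log" <<'EOF'
0.localhost-startStop-1 - [10/Jun/2016:15:29:38 EDT] [20] [1] SelfTestSubsystem: Initializing self test plugins:
0.localhost-startStop-1 - [10/Jun/2016:15:29:38 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
0.localhost-startStop-1 - [10/Jun/2016:15:29:39 EDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
EOF
cat > "$SAMPLE_DIR/debug" <<'EOF'
[10/Jun/2016:15:29:38][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs
[10/Jun/2016:15:29:38][localhost-startStop-1]: Internal Database Error encountered: Could not connect to LDAP server host ipa.example.com port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
    at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:673)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1107)
EOF

# Usage on a real server (needs a reachable IPA host, so not run here):
#   ca_status ipa.example.com
#   failed_selftests /var/log/pki/pki-tomcat/ca/selftests.log
#   debug_errors /var/log/pki/pki-tomcat/ca/debug
echo "Failed self tests:"
failed_selftests "$SAMPLE_DIR/selftests.log"
echo "Debug log errors:"
debug_errors "$SAMPLE_DIR/debug"
```

On the sample data this reports the SystemCertsVerification self test as failed and a single debug-log error, the LDAPS connection failure to port 636. That pairing is the pattern Petr describes: selftests.log says which check failed, and the debug log says why.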