I have a similar issue (see my recent list post), and I was wondering
if this was ever fixed?  CA appears to work one system
(master/replica) but not the other.

On Mon, Jun 13, 2016 at 4:41 AM, Petr Vobornik <pvobo...@redhat.com> wrote:
> On 06/12/2016 07:05 PM, dan.finkelst...@high5games.com wrote:
>> The restore I was referring to was a red herring; we ended up wiping the 
>> server
>> and saving ipa-backup files, which was the only way we could successfully
>> reconfigure/reinitialize IPA on the host.
>>
>
> As Rob wrote, please check PKI logs. The most important ones here are:
>
> /var/log/pki/pki-tomcat/ca/selftests.log
> /var/log/pki/pki-tomcat/ca/debug
>
> Debug log usually has additional info for possible cause logged in
> selftest log.
>
>
>> *From: *Rob Crittenden <rcrit...@redhat.com>
>> *Date: *Friday, June 10, 2016 at 17:17
>> *To: *Daniel Finkestein <dan.finkelst...@high5games.com>,
>> "freeipa-users@redhat.com" <freeipa-users@redhat.com>
>> *Subject: *Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA 
>> Error
>> 4301: CertificateOperationError)
>>
>> dan.finkelst...@high5games.com <mailto:dan.finkelst...@high5games.com> wrote:
>>
>>     And, from the 'ipactl -d --ignore-service-failures restart' we get this:
>>
>>     ipa: DEBUG: stderr=
>>
>>     ipa: DEBUG: wait_for_open_ports: localhost [8080, 8443] timeout 300
>>
>>     ipa: DEBUG: Waiting until the CA is running
>>
>>     ipa: DEBUG: Starting external process
>>
>>     ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
>>
>>     '--no-check-certificate'
>>
>>     'https://ipa.example.com:8443/ca/admin/ca/getStatus'
>>
>>     ipa: DEBUG: Process finished, return code=4
>>
>>     ipa: DEBUG: stdout=
>>
>>     ipa: DEBUG: stderr=--2016-06-10 15:29:38--
>>
>>     https://ipa.example.com:8443/ca/admin/ca/getStatus
>>
>>     Resolving ipa.example.com (ipa.example.com)... 10.55.10.31
>>
>>     Connecting to ipa.example.com (ipa.example.com)|10.55.10.31|:8443...
>>
>>     connected.
>>
>>     Unable to establish SSL connection.
>>
>>     ipa: DEBUG: The CA status is: check interrupted due to error: Command
>>
>>     ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate'
>>
>>     'https://ipa.example.com:8443/ca/admin/ca/getStatus'' returned non-zero
>>
>>     exit status 4
>>
>>     ipa: DEBUG: Waiting for CA to start...
>>
>>     ipa: DEBUG: Starting external process
>>
>>     ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
>>
>>     '--no-check-certificate'
>>
>>     'https://ipa.example.com:8443/ca/admin/ca/getStatus'
>>
>>     ipa: DEBUG: Process finished, return code=4
>>
>>     ipa: DEBUG: stdout=
>>
>>     ipa: DEBUG: stderr=--2016-06-10 15:29:43--
>>
>>     https://ipa.example.com:8443/ca/admin/ca/getStatus
>>
>>     Resolving ipa.example.com (ipa.example.com)... 10.55.10.31
>>
>>     Connecting to ipa.example.com (ipa.example.com)|10.55.10.31|:8443...
>>
>>     connected.
>>
>>     Unable to establish SSL connection.
>>
>>     ipa: DEBUG: The CA status is: check interrupted due to error: Command
>>
>>     ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate'
>>
>>     'https://ipa.example.com:8443/ca/admin/ca/getStatus'' returned non-zero
>>
>>     exit status 4
>>
>>     ipa: DEBUG: Waiting for CA to start...
>>
>>     ipa: DEBUG: Starting external process
>>
>>     ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
>>
>>     '--no-check-certificate'
>>
>>     'https://ipa.example.com:8443/ca/admin/ca/getStatus'
>>
>>     Which leads me to believe that tomcat doesn't have the right 
>> certificate(s).
>>
>> I don't think that's the problem. I'd check the pki logs to see if it
>>
>> started and if not, why. Note that it is quite possible for tomcat to
>>
>> start and the CA to fail because tomcat is just a container.
>>
>> In a previous e-mail you said something about a restore, what was that?
>>
>> rob
>>
>>     <http://www.high5games.com/>
>>
>>     *Daniel Alex Finkelstein*| Lead Dev Ops Engineer
>>
>>     _dan.finkelst...@h5g.com <mailto:_dan.finkelst...@h5g.com>
>>     <mailto:dan.finkelst...@h5g.com>_| <mailto:dan.finkelst...@h5g.com%3E_|>
>>     212.604.3447
>>
>>     One World Trade Center, New York, NY 10007
>>
>>     www.high5games.com <http://www.high5games.com/>
>>
>>     Play High 5 Casino <https://apps.facebook.com/highfivecasino/> and Shake
>>
>>     the Sky <https://apps.facebook.com/shakethesky/>
>>
>>     Follow us on: Facebook <http://www.facebook.com/high5games>, Twitter
>>
>>     <https://twitter.com/High5Games>, YouTube
>>
>>     <http://www.youtube.com/High5Games>, Linkedin
>>
>>     <http://www.linkedin.com/company/1072533?trk=tyah>
>>
>>     //
>>
>>     /This message and any attachments may contain confidential or privileged
>>
>>     information and are only for the use of the intended recipient of this
>>
>>     message. If you are not the intended recipient, please notify the sender
>>
>>     by return email, and delete or destroy this and all copies of this
>>
>>     message and all attachments. Any unauthorized disclosure, use,
>>
>>     distribution, or reproduction of this message or any attachments is
>>
>>     prohibited and may be unlawful./
>>
>>     *From: *<freeipa-users-boun...@redhat.com
>>     <mailto:freeipa-users-boun...@redhat.com>> on behalf of Daniel
>>
>>     Finkestein <dan.finkelst...@high5games.com
>>     <mailto:dan.finkelst...@high5games.com>>
>>
>>     *Date: *Friday, June 10, 2016 at 14:52
>>
>>     *To: *"freeipa-users@redhat.com <mailto:freeipa-users@redhat.com>"
>>     <freeipa-users@redhat.com <mailto:freeipa-users@redhat.com>>
>>
>>     *Subject: *Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA
>>
>>     Error 4301: CertificateOperationError)
>>
>>     That’s exactly right, and we got the files and links back to serviceable
>>
>>     order. Now we're (merely) facing issues with our restored certificate
>>
>>     store, which the pki-tomcatd process is not happy with. All IPA services
>>
>>     start normally except for tomcat, which spits out SSL errors (and we're
>>
>>     pretty sure must be related to bad certs… somewhere).
>>
>>     Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
>>
>>     Internal Database Error encountered: Could not connect to LDAP server
>>
>>     host ipa.example.com port 636 Error netscape.ldap.LDAPException: IO
>>
>>     Error creating JSS SSL Socket (-1)
>>
>>                        at
>>
>>     com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:673)
>>
>>                        at
>>
>>     com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1107)
>>
>>                        at
>>
>>     com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1013)
>>
>>                        at
>>
>>     com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:510)
>>
>>                        at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
>>
>>                        at com.netscape.certsrv.apps.CMS.start(CMS.java:1601)
>>
>>                        at
>>
>>     
>> com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
>>
>>                        at
>>
>>     javax.servlet.GenericServlet.init(GenericServlet.java:158)
>>
>>                        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native
>>
>>     Method)
>>
>>                        at
>>
>>     
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>
>>                        at
>>
>>     
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>
>>                        at java.lang.reflect.Method.invoke(Method.java:606)
>>
>>                        at
>>
>>     org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
>>
>>                        at
>>
>>     org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
>>
>>                        at java.security.AccessController.doPrivileged(Native
>>
>>     Method)
>>
>>                        at
>>
>>     javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
>>
>>                        at
>>
>>     org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
>>
>>                        at
>>
>>     
>> org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
>>
>>                        at
>>
>>     
>> org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
>>
>>                        at
>>
>>     
>> org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
>>
>>                        at
>>
>>     
>> org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
>>
>>                        at
>>
>>     org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
>>
>>                        at
>>
>>     
>> org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
>>
>>                        at
>>
>>     
>> org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
>>
>>                        at
>>
>>     org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
>>
>>                        at
>>
>>     
>> org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
>>
>>                        at
>>
>>     org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>>
>>                        at
>>
>>     
>> org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>>
>>                        at
>>
>>     
>> org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>>
>>                        at java.security.AccessController.doPrivileged(Native
>>
>>     Method)
>>
>>                        at
>>
>>     org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
>>
>>                        at
>>
>>     org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
>>
>>                        at
>>
>>     
>> org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
>>
>>                        at
>>
>>     
>> org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
>>
>>                        at
>>
>>     java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
>>
>>                        at 
>> java.util.concurrent.FutureTask.run(FutureTask.java:262)
>>
>>                        at
>>
>>     
>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>
>>                        at
>>
>>     
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>
>>                        at java.lang.Thread.run(Thread.java:745)
>>
>>     I think we might be willing to toss out the existing certificate store
>>
>>     and start anew, which fortunately should preserve the DNS, user, group,
>>
>>     etc., data already in LDAP. If we wanted to create a new trust and
>>
>>     self-signed cert for the server, how are those steps different from
>>
>>     promoting a replica to a cert-signing master?
>>
>>     Thanks,
>>
>>     Dan
>
>>
>>     /This message and any attachments may contain confidential or privileged
>>
>>     information and are only for the use of the intended recipient of this
>>
>>     message. If you are not the intended recipient, please notify the sender
>>
>>     by return email, and delete or destroy this and all copies of this
>>
>>     message and all attachments. Any unauthorized disclosure, use,
>>
>>     distribution, or reproduction of this message or any attachments is
>>
>>     prohibited and may be unlawful./
>>
>>     *From: *Rob Crittenden <rcrit...@redhat.com <mailto:rcrit...@redhat.com>>
>>
>>     *Date: *Friday, June 10, 2016 at 14:48
>>
>>     *To: *Daniel Finkestein <dan.finkelst...@high5games.com
>>     <mailto:dan.finkelst...@high5games.com>>,
>>
>>     "freeipa-users@redhat.com <mailto:freeipa-users@redhat.com>"
>>     <freeipa-users@redhat.com <mailto:freeipa-users@redhat.com>>
>>
>>     *Subject: *Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA
>>
>>     Error 4301: CertificateOperationError)
>>
>>     I'd reinstall some rpms to properly create these:
>>
>>     tomcat
>>
>>     pki-base
>>
>>     pki-server
>>
>>     I'm not positive it will fix permissions, rpm -V on the same may point
>>
>>     out problems as well.
>>
>>     rob
>>
>>
>>
>
>
> --
> Petr Vobornik
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to