I have a similar issue (see my recent list post), and I was wondering if this was ever fixed? CA appears to work on one system (master/replica) but not the other.
On Mon, Jun 13, 2016 at 4:41 AM, Petr Vobornik <pvobo...@redhat.com> wrote:
> On 06/12/2016 07:05 PM, dan.finkelst...@high5games.com wrote:
>> The restore I was referring to was a red herring; we ended up wiping the
>> server and saving ipa-backup files, which was the only way we could
>> successfully reconfigure/reinitialize IPA on the host.
>
> As Rob wrote, please check PKI logs. The most important ones here are:
>
> /var/log/pki/pki-tomcat/ca/selftests.log
> /var/log/pki/pki-tomcat/ca/debug
>
> Debug log usually has additional info for possible cause logged in
> selftest log.
>
>> *From: *Rob Crittenden <rcrit...@redhat.com>
>> *Date: *Friday, June 10, 2016 at 17:17
>> *To: *Daniel Finkestein <dan.finkelst...@high5games.com>, "freeipa-users@redhat.com" <freeipa-users@redhat.com>
>> *Subject: *Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)
>>
>> dan.finkelst...@high5games.com wrote:
>>
>> And, from the 'ipactl -d --ignore-service-failures restart' we get this:
>>
>> ipa: DEBUG: stderr=
>> ipa: DEBUG: wait_for_open_ports: localhost [8080, 8443] timeout 300
>> ipa: DEBUG: Waiting until the CA is running
>> ipa: DEBUG: Starting external process
>> ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'
>> ipa: DEBUG: Process finished, return code=4
>> ipa: DEBUG: stdout=
>> ipa: DEBUG: stderr=--2016-06-10 15:29:38--  https://ipa.example.com:8443/ca/admin/ca/getStatus
>> Resolving ipa.example.com (ipa.example.com)... 10.55.10.31
>> Connecting to ipa.example.com (ipa.example.com)|10.55.10.31|:8443... connected.
>> Unable to establish SSL connection.
>> ipa: DEBUG: The CA status is: check interrupted due to error: Command ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'' returned non-zero exit status 4
>> ipa: DEBUG: Waiting for CA to start...
>> ipa: DEBUG: Starting external process
>> ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'
>> ipa: DEBUG: Process finished, return code=4
>> ipa: DEBUG: stdout=
>> ipa: DEBUG: stderr=--2016-06-10 15:29:43--  https://ipa.example.com:8443/ca/admin/ca/getStatus
>> Resolving ipa.example.com (ipa.example.com)... 10.55.10.31
>> Connecting to ipa.example.com (ipa.example.com)|10.55.10.31|:8443... connected.
>> Unable to establish SSL connection.
>> ipa: DEBUG: The CA status is: check interrupted due to error: Command ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'' returned non-zero exit status 4
>> ipa: DEBUG: Waiting for CA to start...
>> ipa: DEBUG: Starting external process
>> ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'
>>
>> Which leads me to believe that tomcat doesn't have the right certificate(s).
>>
>> I don't think that's the problem. I'd check the pki logs to see if it
>> started and if not, why. Note that it is quite possible for tomcat to
>> start and the CA to fail because tomcat is just a container.
>>
>> In a previous e-mail you said something about a restore, what was that?
>>
>> rob
>>
>> *From: *<freeipa-users-boun...@redhat.com> on behalf of Daniel Finkestein <dan.finkelst...@high5games.com>
>> *Date: *Friday, June 10, 2016 at 14:52
>> *To: *"freeipa-users@redhat.com" <freeipa-users@redhat.com>
>> *Subject: *Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)
>>
>> That's exactly right, and we got the files and links back to serviceable
>> order. Now we're (merely) facing issues with our restored certificate
>> store, which the pki-tomcatd process is not happy with. All IPA services
>> start normally except for tomcat, which spits out SSL errors (and we're
>> pretty sure must be related to bad certs... somewhere).
>>
>> Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
>> Internal Database Error encountered: Could not connect to LDAP server host ipa.example.com port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
>>         at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:673)
>>         at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1107)
>>         at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1013)
>>         at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:510)
>>         at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
>>         at com.netscape.certsrv.apps.CMS.start(CMS.java:1601)
>>         at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
>>         at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>         at java.lang.reflect.Method.invoke(Method.java:606)
>>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
>>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
>>         at java.security.AccessController.doPrivileged(Native Method)
>>         at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
>>         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
>>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
>>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
>>         at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
>>         at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
>>         at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
>>         at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
>>         at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
>>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
>>         at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
>>         at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>>         at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>>         at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>>         at java.security.AccessController.doPrivileged(Native Method)
>>         at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
>>         at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
>>         at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
>>         at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
>>         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
>>         at java.util.concurrent.FutureTask.run(FutureTask.java:262)
>>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>         at java.lang.Thread.run(Thread.java:745)
>>
>> I think we might be willing to toss out the existing certificate store
>> and start anew, which fortunately should preserve the DNS, user, group,
>> etc., data already in LDAP. If we wanted to create a new trust and
>> self-signed cert for the server, how are those steps different from
>> promoting a replica to a cert-signing master?
>>
>> Thanks,
>> Dan
>>
>> *From: *Rob Crittenden <rcrit...@redhat.com>
>> *Date: *Friday, June 10, 2016 at 14:48
>> *To: *Daniel Finkestein <dan.finkelst...@high5games.com>, "freeipa-users@redhat.com" <freeipa-users@redhat.com>
>> *Subject: *Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)
>>
>> I'd reinstall some rpms to properly create these:
>>
>> tomcat
>> pki-base
>> pki-server
>>
>> I'm not positive it will fix permissions, rpm -V on the same may point
>> out problems as well.
>>
>> rob
>
> --
> Petr Vobornik

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
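The thread above points at two different TLS failures: the ipactl probe cannot complete a handshake with tomcat on 8443 (wget exit status 4 is a network failure, not the exit status 5 that wget uses for a certificate-verification failure, so the handshake itself is breaking), and the CA's own debug output shows it cannot open a JSS SSL socket to the directory server on 636. The script below is an added triage helper written for this editing pass; it is not code from the thread, FreeIPA or Dogtag. It classifies pasted log lines by which connection they implicate and, when run with `--live` on an IPA master, repeats the checks Petr and Rob suggest: the same getStatus probe ipactl runs, the tail of selftests.log and debug, and `rpm -V` on tomcat, pki-base and pki-server. The host name and the log directory are placeholders taken from the thread; the sample log lines in the demo are constructed.

```shell
#!/bin/sh
# Added triage helper for the CA start-up failure discussed in the thread.
# Not part of FreeIPA or Dogtag. Host and paths are placeholders from the thread.
CA_HOST="${CA_HOST:-ipa.example.com}"
PKI_LOG_DIR="${PKI_LOG_DIR:-/var/log/pki/pki-tomcat/ca}"

# Map one log line to the connection it implicates. The signatures are the
# ones quoted in the thread; anything else is reported as "other".
classify_line() {
    case "$1" in
        *"Unable to establish SSL connection"*|*"returned non-zero exit status 4"*)
            # ipactl's wget probe: TLS handshake with tomcat on 8443 never completed
            echo "tls-8443" ;;
        *"IO Error creating JSS SSL Socket"*|*"Could not connect to LDAP server"*)
            # Dogtag's internal DB client: LDAPS connection to 389-ds on 636 failed
            echo "ldaps-636" ;;
        *)
            echo "other" ;;
    esac
}

# Count the lines of a log file by failure class. The while loop reads from a
# redirect rather than a pipe so the counters survive in POSIX sh.
summarize_log() {
    tls=0; ldap=0; other=0
    while IFS= read -r line; do
        case "$(classify_line "$line")" in
            tls-8443)  tls=$((tls + 1)) ;;
            ldaps-636) ldap=$((ldap + 1)) ;;
            *)         other=$((other + 1)) ;;
        esac
    done < "$1"
    echo "tls-8443=$tls ldaps-636=$ldap other=$other"
}

# The exact probe ipactl runs (arguments copied from the DEBUG output above).
# --no-check-certificate only disables chain verification; a handshake that
# fails before that point still returns exit status 4.
ca_status_probe() {
    wget -S -O - --timeout=30 --no-check-certificate \
        "https://${CA_HOST}:8443/ca/admin/ca/getStatus"
    echo "wget exit status: $?"
}

# The two PKI logs Petr names; the debug log usually explains a selftest failure.
pki_log_tail() {
    for f in selftests.log debug; do
        echo "== ${PKI_LOG_DIR}/${f} =="
        tail -n 40 "${PKI_LOG_DIR}/${f}" 2>/dev/null || echo "(not readable)"
    done
}

# Rob's suggestion: rpm -V lists files whose mode, owner or checksum no longer
# match the package, which is what a restore can silently break.
verify_pki_rpms() {
    for p in tomcat pki-base pki-server; do
        echo "== rpm -V ${p} =="
        rpm -V "$p" || true
    done
}

# Offline demo over constructed lines modelled on the thread's output.
demo_constructed_sample() {
    sample=$(mktemp)
    printf '%s\n' \
        'ipa: DEBUG: stderr=Unable to establish SSL connection.' \
        'Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)' \
        'ipa: DEBUG: Waiting for CA to start...' > "$sample"
    summarize_log "$sample"
    rm -f "$sample"
}

if [ "${1:-}" = "--live" ]; then
    ca_status_probe
    pki_log_tail
    verify_pki_rpms
else
    demo_constructed_sample
fi
```

Paste the `ipactl -d` output and the pki debug log into a file and run `summarize_log` on it: a count only under `tls-8443` means tomcat's listener is the problem, while `ldaps-636` hits point at the CA's LDAPS client (its NSS database and the directory server's certificate) rather than at the 8443 listener, which is the distinction Rob draws between tomcat starting and the CA starting.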