Thanks for getting back to me.

getcert list | grep expires shows dates years in the future for all
[image: Inline image 1]

ipactl start --force

Eventually the system started with:
     Forced start, ignoring pki-tomcatd Service, continuing normal

systemctl status ipa shows: failed

ldapsearch -H ldaps://localhost:636 -D "cn=directory manager" -w password -b "" -s base
ldapsearch -H ldaps://localhost:636 -D "cn=directory manager" -w *********** -b "" -s base
[image: Inline image 2]

The logs have thousands of lines like it; what am I looking for?


2016-12-20 4:18 GMT-06:00 Florence Blanc-Renaud <>:

> On 12/19/2016 07:15 PM, Daniel Schimpfoessl wrote:
>> Good day and happy holidays,
>> I have been running a freeIPA instance for a few years and been very
>> happy. Recently the certificate expired and I updated it using the
>> documented methods. At first all seemed fine. Added a Nagios monitor for
>> the certificate expiration and restarted the server (single server). I
>> have weekly snapshots, daily backups (using Amanda on the entire disk).
>> One day the services relying on IPA failed to authenticate. Looking at
>> the server the ipa service had stopped. Restarting the service fails.
>> Restoring a few weeks old snapshot does not start either. Resetting the
>> date to a few months back does not work either, as httpd fails to start.
>> I am at a loss.
>> Here a few details:
>> # ipa --version
>> VERSION: 4.4.0, API_VERSION: 2.213
>> # /usr/sbin/ipactl start
>> ...
>> out -> Failed to start pki-tomcatd Service
>> /var/log/pki/pki-tomcat/ca/debug -> Could not connect to LDAP server
>> host <> port 636 Error
>> netscape.ldap.LDAPException: Authentication failed (48)
>> 2016-12-19T03:02:16Z DEBUG The CA status is: check interrupted due to
>> error: Retrieving CA status failed with status 500
>> Any help would be appreciated as all connected services are now down.
>> Thanks,
>> Daniel
> Hi Daniel,
> more information would be required to understand what is going on. First
> of all, which certificate did you renew? Can you check with
> $ getcert list
> if other certificates also expired?
> PKI fails to start and the error seems linked to the SSL connection with
> the LDAP server. You may want to check if the LDAP server is listening on
> the LDAPs port:
> - start the stack with
> $ ipactl start --force
> - check the LDAPs port with
> $ ldapsearch -H ldaps://localhost:636 -D "cn=directory manager" -w password -b "" -s base
> The communication between PKI and the LDAP server is authenticated with
> the certificate 'subsystemCert cert-pki-ca' located in
> /etc/pki/pki-tomcat/alias, so you may also want to check if it is still
> valid.
> The directory server access logs (in /var/log/dirsrv/slapd-DOMAIN-COM/access)
> would also show the connection with logs similar to:
> [...] conn=47 fd=84 slot=84 SSL connection from to
> [...] conn=47 TLS1.2 128-bit AES; client CN=CA Subsystem,O=DOMAIN.COM;
> issuer CN=Certificate Authority,O=DOMAIN.COM
> [...] conn=47 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca
> [...] conn=47 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
> [...] conn=47 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=pkidbuser,ou=people,o=ipaca"
> HTH,
> Flo
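A small parser for the access-log pattern Flo describes, added here as an example (it is not code from the thread or from FreeIPA): it groups lines by conn id and flags connections where a client certificate was presented but the bind did not end with err=0, which is what to look for among the thousands of lines. The log lines are constructed samples in 389-ds access-log format with O=EXAMPLE.COM; err=48 is used for the failing connection because that is the code the pki debug log reported.

```python
import re
from collections import defaultdict

# Constructed 389-ds style access-log lines (sample data, not from the poster's server):
# conn=47 is a successful EXTERNAL bind by the CA subsystem cert, conn=52 a failed one.
SAMPLE_LOG = """\
[20/Dec/2016:04:18:01 -0600] conn=47 fd=84 slot=84 SSL connection from 127.0.0.1 to 127.0.0.1
[20/Dec/2016:04:18:01 -0600] conn=47 TLS1.2 128-bit AES; client CN=CA Subsystem,O=EXAMPLE.COM; issuer CN=Certificate Authority,O=EXAMPLE.COM
[20/Dec/2016:04:18:01 -0600] conn=47 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca
[20/Dec/2016:04:18:01 -0600] conn=47 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[20/Dec/2016:04:18:01 -0600] conn=47 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=pkidbuser,ou=people,o=ipaca"
[20/Dec/2016:04:19:05 -0600] conn=52 fd=90 slot=90 SSL connection from 127.0.0.1 to 127.0.0.1
[20/Dec/2016:04:19:05 -0600] conn=52 TLS1.2 128-bit AES; client CN=CA Subsystem,O=EXAMPLE.COM; issuer CN=Certificate Authority,O=EXAMPLE.COM
[20/Dec/2016:04:19:05 -0600] conn=52 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[20/Dec/2016:04:19:05 -0600] conn=52 op=0 RESULT err=48 tag=97 nentries=0 etime=0
"""

CONN_RE = re.compile(r"\bconn=(\d+)\b")
CLIENT_RE = re.compile(r"client (CN=[^;]+); issuer")
BOUND_RE = re.compile(r"client bound as (\S+)")
BIND_RE = re.compile(r"op=(\d+) BIND .*?method=(\w+)(?:.*mech=(\w+))?")
RESULT_RE = re.compile(r"op=(\d+) RESULT err=(\d+)")

def summarize_binds(log_text):
    """Group lines by conn id; record the TLS client cert subject, the identity the
    server mapped it to, the bind mechanism and the result code of the BIND op."""
    conns = defaultdict(lambda: {"client_cert": None, "bound_as": None,
                                 "mech": None, "bind_op": None, "err": None})
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        entry = conns[m.group(1)]
        if (c := CLIENT_RE.search(line)):
            entry["client_cert"] = c.group(1)
        elif (b := BOUND_RE.search(line)):
            entry["bound_as"] = b.group(1)
        elif (b := BIND_RE.search(line)):
            entry["bind_op"], entry["mech"] = b.group(1), b.group(3) or b.group(2)
        elif (r := RESULT_RE.search(line)) and r.group(1) == entry["bind_op"]:
            entry["err"] = int(r.group(2))  # 0 = success; 48/49 = authentication failed
    return dict(conns)

def failed_cert_binds(log_text):
    """Conn ids where a client certificate was presented but the BIND did not succeed."""
    return [cid for cid, e in summarize_binds(log_text).items()
            if e["client_cert"] and e["err"] != 0]

print("failed certificate binds:", failed_cert_binds(SAMPLE_LOG))
```

Run it against /var/log/dirsrv/slapd-DOMAIN-COM/access instead of SAMPLE_LOG to list the connections from the CA subsystem whose bind was rejected.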
Manage your subscription for the Freeipa-users mailing list: