Daniel Schimpfoessl wrote:
> Thanks for getting back to me. 
> 
> getcert list | grep expires shows dates years in the future for all
> certificates
> Inline-Bild 1
> 
> ipactl start --force
> 
> Eventually the system started with:
>      Forced start, ignoring pki-tomcatd Service, continuing normal
> operations.
> 
> systemctl status ipa shows: failed

I don't think this is a certificate problem at all. I think the timing
with your renewal is just coincidence.

Did you change your Directory Manager password at some point?

> 
> ldapsearch -H ldaps://localhost:636 -D "cn=directory manager" -w
> password -b "" -s base
> ldapsearch -H ldaps://localhost:636 -D "cn=directory manager" -w
> *********** -b "" -s base
> Inline-Bild 2

You need the -x flag to indicate simple bind.

rob

> The logs have thousands of lines like it, what am I looking for
> specifically?
> 
> Daniel
> 
> 
> 2016-12-20 4:18 GMT-06:00 Florence Blanc-Renaud <f...@redhat.com
> <mailto:f...@redhat.com>>:
> 
>     On 12/19/2016 07:15 PM, Daniel Schimpfoessl wrote:
> 
>         Good day and happy holidays,
> 
>         I have been running a freeIPA instance for a few years and been very
>         happy. Recently the certificate expired and I updated it using the
>         documented methods. At first all seemed fine. Added a Nagios
>         monitor for
>         the certificate expiration and restarted the server (single
>         server). I
>         have weekly snapshots, daily backups (using Amanda on the entire
>         disk).
> 
>         One day the services relying on IPA failed to authenticate.
>         Looking at
>         the server the ipa service had stopped. Restarting the service
>         fails.
>         Restoring a few weeks old snapshot does not start either.
>         Resetting the
>         date to a few month back does not work either as httpd fails to
>         start .
> 
>         I am at a loss.
> 
>         Here a few details:
>         # ipa --version
>         VERSION: 4.4.0, API_VERSION: 2.213
> 
> 
>         # /usr/sbin/ipactl start
>         ...
>         out -> Failed to start pki-tomcatd Service
>         /var/log/pki/pki-tomcat/ca/debug -> Could not connect to LDAP server
>         host ipa.myorg.com <http://ipa.myorg.com> <http://ipa.myorg.com>
>         port 636 Error
>         netscape.ldap.LDAPException: Authentication failed (48)
>         2016-12-19T03:02:16Z DEBUG The CA status is: check interrupted
>         due to
>         error: Retrieving CA status failed with status 500
> 
>         Any help would be appreciated as all connected services are now
>         down.
> 
>         Thanks,
> 
>         Daniel
> 
> 
> 
> 
>     Hi Daniel,
> 
>     more information would be required to understand what is going on.
>     First of all, which certificate did you renew? Can you check with
>     $ getcert list
>     if other certificates also expired?
> 
>     PKI fails to start and the error seems linked to the SSL connection
>     with the LDAP server. You may want to check if the LDAP server is
>     listening on the LDAPs port:
>     - start the stack with
>     $ ipactl start --force
>     - check the LDAPs port with
>     $ ldapsearch -H ldaps://localhost:636 -D "cn=directory manager" -w
>     password -b "" -s base
> 
>     The communication between PKI and the LDAP server is authenticated
>     with the certificate 'subsystemCert cert-pki-ca' located in
>     /etc/pki/pki-tomcat/alias, so you may also want to check if it is
>     still valid.
>     The directory server access logs (in
>     /var/log/dirsrv/slapd-DOMAIN-COM/access) would also show the
>     connection with logs similar to:
> 
>     [...] conn=47 fd=84 slot=84 SSL connection from 10.34.58.150 to
>     10.34.58.150
>     [...] conn=47 TLS1.2 128-bit AES; client CN=CA
>     Subsystem,O=DOMAIN.COM <http://DOMAIN.COM>; issuer CN=Certificate
>     Authority,O=DOMAIN.COM <http://DOMAIN.COM>
>     [...] conn=47 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca
>     [...] conn=47 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
>     [...] conn=47 op=0 RESULT err=0 tag=97 nentries=0 etime=0
>     dn="uid=pkidbuser,ou=people,o=ipaca"
> 
> 
> 
>     HTH,
>     Flo
> 
> 
> 
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to