Daniel Schimpfoessl wrote:
> Thanks for getting back to me.
>
> getcert list | grep expires shows dates years in the future for all
> certificates
> [Inline image 1]
>
> ipactl start --force
>
> Eventually the system started with:
> Forced start, ignoring pki-tomcatd Service, continuing normal
> operations.
>
> systemctl status ipa shows: failed

I don't think this is a certificate problem at all. I think the timing
with your renewal is just coincidence. Did you change your Directory
Manager password at some point?

> ldapsearch -H ldaps://localhost:636 -D "cn=directory manager" -w
> password -b "" -s base
> ldapsearch -H ldaps://localhost:636 -D "cn=directory manager" -w
> *********** -b "" -s base
> [Inline image 2]

You need the -x flag to indicate simple bind.

rob

> The logs have thousands of lines like it, what am I looking for
> specifically?
>
> Daniel
>
> 2016-12-20 4:18 GMT-06:00 Florence Blanc-Renaud <[email protected]>:
>
>> On 12/19/2016 07:15 PM, Daniel Schimpfoessl wrote:
>>
>>> Good day and happy holidays,
>>>
>>> I have been running a freeIPA instance for a few years and been very
>>> happy. Recently the certificate expired and I updated it using the
>>> documented methods. At first all seemed fine. Added a Nagios monitor for
>>> the certificate expiration and restarted the server (single server). I
>>> have weekly snapshots, daily backups (using Amanda on the entire disk).
>>>
>>> One day the services relying on IPA failed to authenticate. Looking at
>>> the server the ipa service had stopped. Restarting the service fails.
>>> Restoring a few-weeks-old snapshot does not start either. Resetting the
>>> date to a few months back does not work either as httpd fails to start.
>>>
>>> I am at a loss.
>>>
>>> Here are a few details:
>>> # ipa --version
>>> VERSION: 4.4.0, API_VERSION: 2.213
>>>
>>> # /usr/sbin/ipactl start
>>> ...
>>> out -> Failed to start pki-tomcatd Service
>>> /var/log/pki/pki-tomcat/ca/debug -> Could not connect to LDAP server
>>> host ipa.myorg.com port 636 Error
>>> netscape.ldap.LDAPException: Authentication failed (48)
>>> 2016-12-19T03:02:16Z DEBUG The CA status is: check interrupted due to
>>> error: Retrieving CA status failed with status 500
>>>
>>> Any help would be appreciated as all connected services are now down.
>>>
>>> Thanks,
>>>
>>> Daniel
>>
>> Hi Daniel,
>>
>> more information would be required to understand what is going on.
>> First of all, which certificate did you renew? Can you check with
>> $ getcert list
>> if other certificates also expired?
>>
>> PKI fails to start and the error seems linked to the SSL connection
>> with the LDAP server. You may want to check if the LDAP server is
>> listening on the LDAPs port:
>> - start the stack with
>> $ ipactl start --force
>> - check the LDAPs port with
>> $ ldapsearch -H ldaps://localhost:636 -D "cn=directory manager" -w
>> password -b "" -s base
>>
>> The communication between PKI and the LDAP server is authenticated
>> with the certificate 'subsystemCert cert-pki-ca' located in
>> /etc/pki/pki-tomcat/alias, so you may also want to check if it is
>> still valid.
>> The directory server access logs (in
>> /var/log/dirsrv/slapd-DOMAIN-COM/access) would also show the
>> connection with logs similar to:
>>
>> [...] conn=47 fd=84 slot=84 SSL connection from 10.34.58.150 to 10.34.58.150
>> [...] conn=47 TLS1.2 128-bit AES; client CN=CA Subsystem,O=DOMAIN.COM; issuer CN=Certificate Authority,O=DOMAIN.COM
>> [...] conn=47 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca
>> [...] conn=47 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
>> [...] conn=47 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=pkidbuser,ou=people,o=ipaca"
>>
>> HTH,
>> Flo

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
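Daniel asks what to look for among thousands of access-log lines. As an added example (not code from this thread or from the FreeIPA project), the script below groups 389-ds access-log lines of the kind Flo quoted by connection and flags connections that presented the CA Subsystem client certificate but whose BIND did not return err=0, which is the LDAP-side counterpart of the "Authentication failed (48)" in the PKI debug log. The log lines are constructed to mirror the quoted ones; err=48 and err=49 are the standard LDAP result codes inappropriateAuthentication and invalidCredentials.

```python
import re

# Constructed sample of 389-ds access-log lines modelled on the ones Flo
# quoted: conn=47 is a healthy CA Subsystem bind, conn=48 a Directory Manager
# simple bind rejected with err=49, conn=52 a CA Subsystem bind rejected with
# err=48 (the code pki-tomcatd reported in its debug log).
SAMPLE_ACCESS_LOG = """\
[20/Dec/2016:10:01:02 -0600] conn=47 fd=84 slot=84 SSL connection from 10.34.58.150 to 10.34.58.150
[20/Dec/2016:10:01:02 -0600] conn=47 TLS1.2 128-bit AES; client CN=CA Subsystem,O=DOMAIN.COM; issuer CN=Certificate Authority,O=DOMAIN.COM
[20/Dec/2016:10:01:02 -0600] conn=47 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca
[20/Dec/2016:10:01:02 -0600] conn=47 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[20/Dec/2016:10:01:02 -0600] conn=47 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=pkidbuser,ou=people,o=ipaca"
[20/Dec/2016:10:01:05 -0600] conn=48 op=0 BIND dn="cn=directory manager" method=128 version=3
[20/Dec/2016:10:01:05 -0600] conn=48 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[20/Dec/2016:10:02:11 -0600] conn=52 TLS1.2 128-bit AES; client CN=CA Subsystem,O=DOMAIN.COM; issuer CN=Certificate Authority,O=DOMAIN.COM
[20/Dec/2016:10:02:11 -0600] conn=52 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[20/Dec/2016:10:02:11 -0600] conn=52 op=0 RESULT err=48 tag=97 nentries=0 etime=0
"""
CONN_RE = re.compile(r"\bconn=(\d+)\b")
CLIENT_RE = re.compile(r"client CN=([^,;]+)")          # TLS client-cert subject CN
BOUND_RE = re.compile(r"client bound as (\S+)")        # identity mapped from the cert
BIND_RE = re.compile(r'op=(\d+) BIND dn="([^"]*)" method=(\S+)')
RESULT_RE = re.compile(r"op=(\d+) RESULT err=(\d+)")

def summarize_binds(log_text):
    """Group lines by conn= and return one record per connection that issued
    a BIND: client-cert CN, bind DN/method, mapped identity, RESULT err code."""
    conns = {}
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        c = conns.setdefault(int(m.group(1)), {
            "conn": int(m.group(1)), "client_cn": None, "bind_dn": None,
            "method": None, "bound_as": None, "bind_op": None, "err": None})
        if (mm := CLIENT_RE.search(line)):
            c["client_cn"] = mm.group(1)
        elif (mm := BOUND_RE.search(line)):
            c["bound_as"] = mm.group(1)
        elif (mm := BIND_RE.search(line)):
            c["bind_op"], c["bind_dn"], c["method"] = mm.group(1), mm.group(2), mm.group(3)
        elif (mm := RESULT_RE.search(line)) and mm.group(1) == c["bind_op"]:
            c["err"] = int(mm.group(2))   # RESULT of the BIND op only
    return [c for c in conns.values() if c["bind_dn"] is not None]

def failed_ca_binds(log_text):
    """Connections that presented the 'CA Subsystem' client certificate but
    whose BIND did not return err=0: the lines to look for in this case."""
    return [c for c in summarize_binds(log_text)
            if c["client_cn"] == "CA Subsystem" and c["err"] != 0]
```

Run it against /var/log/dirsrv/slapd-DOMAIN-COM/access by reading the file into `failed_ca_binds`; a healthy CA connection shows the "client bound as uid=pkidbuser,..." line before a RESULT err=0, a failing one lacks the mapping line and carries a non-zero err.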
