Rob/Florence, do you have any pointers on how to troubleshoot, reinstall/configure, update or fix the PKI server to function properly? Also if you know of any documentation or video that could be helpful. I researched the typical suspects youtube and freeipa.org without luck.
Daniel 2016-12-22 18:08 GMT-06:00 Daniel Schimpfoessl <[email protected]>: > I do not believe I changed the DM password. I know I had to update the > admin passwords regularly. > > Only during the startup using ipactl start --force I am able to connect to > the service using the password for DM and it returns: > > # extended LDIF > # > # LDAPv3 > # base <> with scope baseObject > # filter: (objectclass=*) > # requesting: ALL > # > > # > dn: > objectClass: top > namingContexts: cn=changelog > namingContexts: dc=myorg,dc=com > namingContexts: o=ipaca > defaultnamingcontext: dc=myorg,dc=com > supportedExtension: 2.16.840.1.113730.3.5.7 > supportedExtension: 2.16.840.1.113730.3.5.8 > supportedExtension: 2.16.840.1.113730.3.5.10 > supportedExtension: 2.16.840.1.113730.3.8.10.3 > supportedExtension: 2.16.840.1.113730.3.8.10.4 > supportedExtension: 2.16.840.1.113730.3.8.10.4.1 > supportedExtension: 1.3.6.1.4.1.4203.1.11.1 > supportedExtension: 2.16.840.1.113730.3.8.10.1 > supportedExtension: 2.16.840.1.113730.3.8.10.5 > supportedExtension: 2.16.840.1.113730.3.5.3 > supportedExtension: 2.16.840.1.113730.3.5.12 > supportedExtension: 2.16.840.1.113730.3.5.5 > supportedExtension: 2.16.840.1.113730.3.5.6 > supportedExtension: 2.16.840.1.113730.3.5.9 > supportedExtension: 2.16.840.1.113730.3.5.4 > supportedExtension: 2.16.840.1.113730.3.6.5 > supportedExtension: 2.16.840.1.113730.3.6.6 > supportedExtension: 2.16.840.1.113730.3.6.7 > supportedExtension: 2.16.840.1.113730.3.6.8 > supportedExtension: 1.3.6.1.4.1.1466.20037 > supportedControl: 2.16.840.1.113730.3.4.2 > supportedControl: 2.16.840.1.113730.3.4.3 > supportedControl: 2.16.840.1.113730.3.4.4 > supportedControl: 2.16.840.1.113730.3.4.5 > supportedControl: 1.2.840.113556.1.4.473 > supportedControl: 2.16.840.1.113730.3.4.9 > supportedControl: 2.16.840.1.113730.3.4.16 > supportedControl: 2.16.840.1.113730.3.4.15 > supportedControl: 2.16.840.1.113730.3.4.17 > supportedControl: 2.16.840.1.113730.3.4.19 > supportedControl: 1.3.6.1.1.13.1 > supportedControl: 1.3.6.1.1.13.2 > supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1 > supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2 > supportedControl: 1.2.840.113556.1.4.319 > supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8 > supportedControl: 1.3.6.1.4.1.4203.666.5.16 > supportedControl: 2.16.840.1.113730.3.8.10.6 > supportedControl: 2.16.840.1.113730.3.4.14 > supportedControl: 2.16.840.1.113730.3.4.20 > supportedControl: 1.3.6.1.4.1.1466.29539.12 > supportedControl: 2.16.840.1.113730.3.4.12 > supportedControl: 2.16.840.1.113730.3.4.18 > supportedControl: 2.16.840.1.113730.3.4.13 > supportedControl: 1.3.6.1.4.1.4203.1.9.1.1 > supportedSASLMechanisms: EXTERNAL > supportedSASLMechanisms: GSS-SPNEGO > supportedSASLMechanisms: GSSAPI > supportedSASLMechanisms: DIGEST-MD5 > supportedSASLMechanisms: CRAM-MD5 > supportedSASLMechanisms: ANONYMOUS > supportedLDAPVersion: 2 > supportedLDAPVersion: 3 > vendorName: 389 Project > vendorVersion: 389-Directory/1.3.4.0 B2016.215.1556 > dataversion: 020161222235947020161222235947020161222235947 > netscapemdsuffix: cn=ldap://dc=wwgwho01,dc=myorg,dc=com:389 > lastusn: 8690425 > changeLog: cn=changelog > firstchangenumber: 2752153 > lastchangenumber: 2752346 > > # search result > search: 2 > result: 0 Success > > # numResponses: 2 > # numEntries: 1 > > > 2016-12-21 9:27 GMT-06:00 Rob Crittenden <[email protected]>: > >> Daniel Schimpfoessl wrote: >> > Thanks for getting back to me. >> > >> > getcert list | grep expires shows dates years in the future for all >> > certificates >> > Inline-Bild 1 >> > >> > ipactl start --force >> > >> > Eventually the system started with: >> > Forced start, ignoring pki-tomcatd Service, continuing normal >> > operations. >> > >> > systemctl status ipa shows: failed >> >> I don't think this is a certificate problem at all. I think the timing >> with your renewal is just coincidence. >> >> Did you change your Directory Manager password at some point? >> >> > >> > ldapsearch -H ldaps://localhost:636 -D "cn=directory manager" -w >> > password -b "" -s base >> > ldapsearch -H ldaps://localhost:636 -D "cn=directory manager" -w >> > *********** -b "" -s base >> > Inline-Bild 2 >> >> You need the -x flag to indicate simple bind. >> >> rob >> >> > The logs have thousands of lines like it, what am I looking for >> > specifically? >> > >> > Daniel >> > >> > >> > 2016-12-20 4:18 GMT-06:00 Florence Blanc-Renaud <[email protected] >> > <mailto:[email protected]>>: >> > >> > On 12/19/2016 07:15 PM, Daniel Schimpfoessl wrote: >> > >> > Good day and happy holidays, >> > >> > I have been running a freeIPA instance for a few years and been >> very >> > happy. Recently the certificate expired and I updated it using >> the >> > documented methods. At first all seemed fine. Added a Nagios >> > monitor for >> > the certificate expiration and restarted the server (single >> > server). I >> > have weekly snapshots, daily backups (using Amanda on the entire >> > disk). >> > >> > One day the services relying on IPA failed to authenticate. >> > Looking at >> > the server the ipa service had stopped. Restarting the service >> > fails. >> > Restoring a few weeks old snapshot does not start either. >> > Resetting the >> > date to a few month back does not work either as httpd fails to >> > start . >> > >> > I am at a loss. >> > >> > Here a few details: >> > # ipa --version >> > VERSION: 4.4.0, API_VERSION: 2.213 >> > >> > >> > # /usr/sbin/ipactl start >> > ... >> > out -> Failed to start pki-tomcatd Service >> > /var/log/pki/pki-tomcat/ca/debug -> Could not connect to LDAP >> server >> > host ipa.myorg.com <http://ipa.myorg.com> <http://ipa.myorg.com >> > >> > port 636 Error >> > netscape.ldap.LDAPException: Authentication failed (48) >> > 2016-12-19T03:02:16Z DEBUG The CA status is: check interrupted >> > due to >> > error: Retrieving CA status failed with status 500 >> > >> > Any help would be appreciated as all connected services are now >> > down. >> > >> > Thanks, >> > >> > Daniel >> > >> > >> > >> > >> > Hi Daniel, >> > >> > more information would be required to understand what is going on. >> > First of all, which certificate did you renew? Can you check with >> > $ getcert list >> > if other certificates also expired? >> > >> > PKI fails to start and the error seems linked to the SSL connection >> > with the LDAP server. You may want to check if the LDAP server is >> > listening on the LDAPs port: >> > - start the stack with >> > $ ipactl start --force >> > - check the LDAPs port with >> > $ ldapsearch -H ldaps://localhost:636 -D "cn=directory manager" -w >> > password -b "" -s base >> > >> > The communication between PKI and the LDAP server is authenticated >> > with the certificate 'subsystemCert cert-pki-ca' located in >> > /etc/pki/pki-tomcat/alias, so you may also want to check if it is >> > still valid. >> > The directory server access logs (in >> > /var/log/dirsrv/slapd-DOMAIN-COM/access) would also show the >> > connection with logs similar to: >> > >> > [...] conn=47 fd=84 slot=84 SSL connection from 10.34.58.150 to >> > 10.34.58.150 >> > [...] conn=47 TLS1.2 128-bit AES; client CN=CA >> > Subsystem,O=DOMAIN.COM <http://DOMAIN.COM>; issuer CN=Certificate >> > Authority,O=DOMAIN.COM <http://DOMAIN.COM> >> > [...] conn=47 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipac >> a >> > [...] conn=47 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL >> > [...] conn=47 op=0 RESULT err=0 tag=97 nentries=0 etime=0 >> > dn="uid=pkidbuser,ou=people,o=ipaca" >> > >> > >> > >> > HTH, >> > Flo >> > >> > >> > >> > >> >> >
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
