I'm having a PKI-tomcat issue that started after an upgrade.
My configuration has 4 servers with CA, where servers 2, 3 and 4 are
replicated from the first one.
At first it didn't cause much trouble, since the whole issue came down to
pki-tomcat taking about 2 minutes to start.
But it seems that the problem has progressed a lot and is causing issues in
multiple parts of the system.

After upgrading FreeIPA from 4.1 to 4.2, ipactl would not start on the first
node without --ignore-service-failures.

I found that in the menu Authentication-->Certificates
I have multiple certificates for the same hosts. In some cases there were up to
30 duplicates per host, and it is unclear what is generating them.

The next issue is that if I try to add a new replica with ipa-replica-prepare,
I get an error: "Failed to generate certificate".

And the last problem I found is that I am unable to restore a backup.
The ipa-restore utility is able to unpack the backup, but once I try to
start FreeIPA on a new node,
pki-tomcat fails to start. And I see this message in debug:

ipa: DEBUG: Waiting for CA to start...
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://XXXX:8443/ca/admin/ca/getStatus'
ipa: DEBUG: Process finished, return code=8

In /var/log/dirsrv/slapd-XXX/errors I see a lot of these:
NSMMReplicationPlugin - process_postop: Failed to apply update (57c3cc550002000d0000) error (-1).  Aborting replication session(conn=272420 op=6)

but I'm not sure if it is directly related to the problem.

In /var/log/pki/pki-tomcat/ca/debug I see a lot of these messages:
Can't create master connection in LdapBoundConnFactory::getConn! Could not connect to LDAP server host bos-admin1.hq.datarobot.com port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket

My guess was that the CA certificate had expired, so I tried to run
'ipa-cacert-manage renew',
but it failed with this message:

Resubmitting certmonger request '20151222031110' timed out, please check the request manually

I don't really know what else to try right now.
