On 01/25/2017 02:30 PM, Gendy Tartovsky wrote:
> Hi,
>
> I'm having a PKI-tomcat issue that started after upgrade.
> My configuration has 4 servers with CA, where servers 2, 3 and 4 are
> replicated from the first one.
> At first it didn't cause much trouble since all the issue came down to
> pki-tomcat getting to start about 2 minutes.
> But it seems that problem is progressed a lot and is causing issues in
> multiple parts of the system.
>
> After upgrading FreeIPA from 4.1 to 4.2 ipactl would not on the first node
> start without the --ignore-service-failures.
>
> I found that in the menu Authentication-->Certificates
> I have multiple certificates for same hosts in some cases there were up to
> 30 duplicates per host and it is unclear what is generating them.
>
> Next issue is that if I try to add a new replica with ipa-replica-prepare
> utility I get an error: "Failed to generate certificate"
>
> And the last problem I found is that I am unable to restore a backup.
> The ipa-restore utility is able to unpack the backup but once I try to start
> FreeIPA on a new node the pki-tomcat fails to start. And I see this message
> in debug:
>
> ipa: DEBUG: Waiting for CA to start...
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
> '--no-check-certificate' 'https://XXXX:8443/ca/admin/ca/getStatus'
> ipa: DEBUG: Process finished, return code=8
>
>
> In the /var/log/dirsrv/slapd-XXX/errors I see a lot of these
> NSMMReplicationPlugin - process_postop: Failed to apply update
> (57c3cc550002000d0000) error (-1). Aborting replication session(conn=272420
> op=6)
>
> but I'm not sure if it is directly related to the problem.
>
> In /var/log/pki/pki-tomcat/ca/debug I see a lot of these messages:
> Can't create master connection in LdapBoundConnFactory::getConn! Could not
> connect to LDAP server host bos-admin1.hq.datarobot.com port 636 Error
> netscape.ldap.LDAPException: IO Error creating JSS SSL Socket
>
> My guess was that the CA certificate got expired, so I tried to run
> 'ipa-cacert-manage renew'
> but it failed with this message:
>
> Resubmitting certmonger request '20151222031110' timed out, please check the
> request manually
>
>
> Don't really know what else to try right now.
>
Could you check:

Is directory server listening on ports 389 and 636?

Is PKI server listening on port 8009 i.e. if you are hitting bug
https://fedorahosted.org/freeipa/ticket/6575

You can verify if certs are expired by running
# getcert list
And check expiration date.

--
Petr Vobornik

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
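The three checks Petr asks for (LDAP listeners on 389/636, the pki-tomcat AJP listener on 8009, and expiry dates in `getcert list`) can be scripted so a replica can be triaged in one pass. The helper below is an added example written for this thread, not part of the thread or of FreeIPA/certmonger tooling. `listener_status` uses `ss` from iproute2 (assumed present); `flag_requests` reads `getcert list` output on stdin and prints each tracked certificate that is already expired at the given cutoff or whose certmonger request is marked stuck. The `sample_getcert` output is constructed for illustration (it reuses the request ID quoted in the original mail but the subjects, dates and statuses are made up), and real `getcert list` output indents fields with tabs, which the parser accepts.

```shell
#!/bin/sh
# Added example: triage helper for a FreeIPA CA replica whose pki-tomcat will not start.
# Not from the mailing-list thread and not FreeIPA's own code.

# Report which of the expected listeners are open on this host:
#   389/636  = 389-ds LDAP/LDAPS (pki-tomcat's LdapBoundConnFactory needs 636)
#   8009     = AJP connector httpd proxies to pki-tomcat
#   8443     = the getStatus URL ipactl polls while "Waiting for CA to start"
# Requires 'ss' (iproute2); prints "<port> open|closed" per port.
listener_status() {
  for port in 389 636 8009 8443; do
    if ss -ltn 2>/dev/null | awk -v p=":$port" '$4 ~ p"$" { found = 1 } END { exit !found }'; then
      echo "$port open"
    else
      echo "$port closed"
    fi
  done
}

# Read 'getcert list' output on stdin and print one line per request that is
# either expired at CUTOFF ("YYYY-MM-DD HH:MM:SS", UTC) or flagged stuck:
#   "<request id> EXPIRED|STUCK <subject>"
# Expiry strings are compared lexically, which is valid for this fixed format.
flag_requests() {
  cutoff="$1"
  awk -v cutoff="$cutoff" '
    function flush() {
      if (id != "") {
        if (expiry < cutoff)      print id, "EXPIRED", subj
        else if (stuck == "yes")  print id, "STUCK", subj
      }
      id = ""; stuck = ""; subj = ""; expiry = ""
    }
    /^Request ID/        { flush(); id = $3; gsub(/[^0-9A-Za-z]/, "", id) }
    /^[ \t]*stuck:/      { stuck = $2 }
    /^[ \t]*subject:/    { sub(/^[ \t]*subject: /, ""); subj = $0 }
    /^[ \t]*expires:/    { expiry = $2 " " $3 }
    END                  { flush() }
  '
}

# Constructed sample in the shape of 'getcert list' output (not real data).
sample_getcert() {
cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20151222031110':
    status: CA_UNREACHABLE
    stuck: yes
    subject: CN=CA Audit,O=EXAMPLE.TEST
    expires: 2017-01-10 03:11:10 UTC
Request ID '20151222031111':
    status: MONITORING
    stuck: no
    subject: CN=OCSP Subsystem,O=EXAMPLE.TEST
    expires: 2018-01-10 03:11:11 UTC
Request ID '20151222031112':
    status: CA_UNREACHABLE
    stuck: yes
    subject: CN=IPA RA,O=EXAMPLE.TEST
    expires: 2017-02-01 00:00:00 UTC
EOF
}

# Typical use on a live replica (run as root):
#   listener_status
#   getcert list | flag_requests "$(date -u '+%Y-%m-%d %H:%M:%S')"
```

An expired cert is reported as EXPIRED even if the request is also stuck, since expiry is the root cause to fix first; a stuck request with a still-valid cert (the state `ipa-cacert-manage renew` timing out on resubmission produces) is reported as STUCK so it is not lost among the healthy MONITORING entries.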
