[Freeipa-users] Re: Why is ipa-ods-exporter broken after running ipa-dns-install? (Was - Unable to start directory server after updates)

2021-09-07 Thread Jeremy Tourville via FreeIPA-users
/var/lib/ipa/certs/httpd.crt
looks valid and has a 3 year validity date starting from Nov 23, 2020

/etc/ipa/ca.crt
looks valid and has a 20 year validity date starting from Nov 23, 2020



From: Florence Renaud 
Sent: Tuesday, September 7, 2021 11:38 AM
To: Jeremy Tourville 
Cc: FreeIPA users list 
Subject: Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after running 
ipa-dns-install? (Was - Unable to start directory server after updates)

Hi Jeremy,

to enable debugging you can simply create /etc/ipa/server.conf if the file does 
not exist:
# cat /etc/ipa/server.conf
[global]
debug=True
# systemctl restart httpd

The HTTPd certificate is stored in /var/lib/ipa/certs/httpd.crt, you can 
examine its content with
# openssl x509 -noout -text -in /var/lib/ipa/certs/httpd.crt
If the IPA deployment includes an embedded CA, the CA that issued the httpd 
cert is stored in /etc/ipa/ca.crt and can also be checked with openssl command.

flo

On Tue, Sep 7, 2021 at 6:09 PM Jeremy Tourville <jeremy_tourvi...@hotmail.com> wrote:
I think I see the issue but I am unsure what to do to fix it.  See below.

To answer your question, yes I did accept the security exception.

Also, I don't see a server.conf file at /etc/ipa so that I may enable 
debugging.  What can you suggest for this issue?


[root@utility ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-ods-exporter Service: STOPPED
ods-enforcerd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

[root@utility ~]# kinit admin
Password for ad...@idm.nac-issa.org:

[root@utility ~]# klist
Ticket cache: KCM:0:43616
Default principal: ad...@idm.nac-issa.org

Valid starting   Expires  Service principal
09/07/2021 10:59:23  09/08/2021 10:09:04  krbtgt/idm.nac-issa@idm.nac-issa.org

[root@utility ~]# ipa config-show
ipa: ERROR: cannot connect to 'https://utility.idm.nac-issa.org/ipa/json': 
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)



From: Florence Renaud <f...@redhat.com>
Sent: Tuesday, September 7, 2021 10:47 AM
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Jeremy Tourville <jeremy_tourvi...@hotmail.com>
Subject: Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after running 
ipa-dns-install? (Was - Unable to start directory server after updates)

Hi Jeremy,
Did you accept the security exception displayed by the browser (I'm trying to 
eliminate obvious issues)?
If nothing is displayed, can you check if ipa command-line is working as 
expected (for instance do "kinit admin; ipa config-show")?
You may want to enable debug logs (add debug=True to the [global] section of 
/etc/ipa/server.conf and restart httpd service), retry WebUI authentication and 
check the generated logs in /var/log/http/error_log

flo

On Tue, Sep 7, 2021 at 2:01 PM Jeremy Tourville via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
OK,
Why don't I see anything on the initial login page?
All I see is the URL and the fact that the certificate is not trusted.  The 
certificate is not expired yet.  Not until Nov 2021.
The login page is mostly solid white with no login or password field.
___
FreeIPA-users mailing list -- 
freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to 
freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
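Added example, not code from the thread or from FreeIPA: both files above are unexpired, yet the ipa client still reports CERTIFICATE_VERIFY_FAILED. The client verifies the certificate that httpd serves on port 443 against the CA in /etc/ipa/ca.crt, so the check that matters is whether the leaf chains to that exact CA, not whether each file is inside its validity dates. The script builds a throwaway "IPA CA", an unrelated "Other CA" and a server certificate issued by the first (all names made up), then runs the same verification that openssl verify and the ipa client perform. check_served is the equivalent against a live host and is the one to run on the server itself; it needs network and is not part of the self-test.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA. "Unexpired" and
# "verifies" are different properties: the ipa CLI checks the served httpd
# certificate against the CA bundle in /etc/ipa/ca.crt, so the leaf must
# chain to that CA. Only openssl is needed; all data is generated locally.

# check_chain CAFILE CERT
# 0 if CERT chains to CAFILE and is inside its validity period, 1 otherwise.
# On a real server: check_chain /etc/ipa/ca.crt /var/lib/ipa/certs/httpd.crt
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# issuer_of CERT
# Print the issuer DN; it must equal the subject of /etc/ipa/ca.crt.
issuer_of() {
    openssl x509 -noout -issuer -in "$1" | sed 's/^issuer= *//'
}

# check_served HOST:PORT CAFILE
# Verify the chain the live server actually presents, which is what the ipa
# client sees and can differ from the file on disk if httpd was not restarted
# after a renewal. Needs network, so it is not exercised by the self-test:
#   check_served utility.idm.nac-issa.org:443 /etc/ipa/ca.crt
check_served() {
    openssl s_client -connect "$1" -servername "${1%%:*}" -CAfile "$2" \
        </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

# make_demo DIR
# Constructed test data: an "IPA CA", an unrelated "Other CA" and a server
# certificate issued by the IPA CA. Names are made up.
make_demo() {
    d=$1
    mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj '/CN=IPA CA' \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj '/CN=Other CA' \
        -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=utility.example.test' \
        -keyout "$d/httpd.key" -out "$d/httpd.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$d/httpd.csr" -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/httpd.crt" 2>/dev/null
}

# Demonstration: the same leaf passes against its issuer and fails against a
# CA it was not issued by, even though nothing has expired.
DEMO=$(mktemp -d)
make_demo "$DEMO"
echo "httpd.crt issuer: $(issuer_of "$DEMO/httpd.crt")"
if check_chain "$DEMO/ca.crt" "$DEMO/httpd.crt"; then
    echo "against IPA CA:   chain OK"
fi
if ! check_chain "$DEMO/other.crt" "$DEMO/httpd.crt"; then
    echo "against Other CA: verify failed (this is the CERTIFICATE_VERIFY_FAILED case)"
fi
```

If check_chain passes for the on-disk files but check_served fails against the live host, httpd is serving something other than /var/lib/ipa/certs/httpd.crt, or the client is trusting a different bundle than /etc/ipa/ca.crt; compare the issuer printed by issuer_of with the subject of the CA file in both cases.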


[Freeipa-users] Re: dogtag-ipa-ca-renew-agent-submit: Updated certificate not available

2021-09-07 Thread Russell Jones via FreeIPA-users
Thanks!

I compared between a working one and this and the output looked the same. I
did not see anything obvious.

Instead of continuing to spin my wheels I decided to go the route of just
blowing the whole replica away and recreating it - Problem solved!

:-)

On Thu, Sep 2, 2021 at 4:47 PM Rob Crittenden  wrote:

> Russell Jones wrote:
> > Okay, thanks!
> >
> > Pardon my ignorance, but I am not sure what to do still to resolve the
> > issue. I have 2 other replicas that picked up the renewed certificate
> > fine from the renewal master because they were online.
> >
> > What do I need to do to get this guy to pick up the renewed certificate?
>
> The fact that resubmit says there is no update certificate available
> suggests that there may still be a problem with replication. I'd look at
> the LDAP location I provided on a working and non-working server to see
> if they match.
>
> rob
>
> >
> > On Thu, Sep 2, 2021 at 4:03 PM Rob Crittenden wrote:
> >
> > Russell Jones via FreeIPA-users wrote:
> > > Hi all,
> > >
> > > I have a replica that, while offline due to maintenance, some
> > > certificates appear to have been auto renewed. Upon bringing the node
> > > back online the ipa-healthcheck script showed several errors that were
> > > fixed by re-initializing the replica.
> > >
> > > However, the following errors were not fixed by reinitializing:
> > >
> > >
> > > [root@freeipa4 ~]# ipa-healthcheck --output-type human --failures-only | grep -v ipahealthcheck.ipa.idns
> > > WARNING:
> > > ipahealthcheck.ipa.certs.IPACertmongerExpirationCheck.20200130170451:
> > > Request id 20200130170451 expires in 26 days
> > > WARNING:
> > > ipahealthcheck.ipa.certs.IPACertmongerExpirationCheck.20200130170452:
> > > Request id 20200130170452 expires in 26 days
> > > WARNING:
> > > ipahealthcheck.ipa.certs.IPACertmongerExpirationCheck.20200130170453:
> > > Request id 20200130170453 expires in 26 days
> > > WARNING:
> > > ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20200130170451:
> > > Request id 20200130170451 expires in 26 days
> > > WARNING:
> > > ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20200130170452:
> > > Request id 20200130170452 expires in 26 days
> > > WARNING:
> > > ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20200130170453:
> > > Request id 20200130170453 expires in 26 days
> > >
> > >
> > > When I try to use getcert resubmit, it shows either:
> > >
> > > freeipa4 dogtag-ipa-ca-renew-agent-submit: Updated certificate not available
> > >
> > > or
> > >
> > > freeipa4 certmonger: 2021-09-02 15:43:15 [1264] Invalid cookie: u''
> > >
> > >
> > > Any ideas on how to get this guy healthy again?
> >
> > The CAs in IPA are in dogtag parlance "clones". They share most of the
> > same configuration and certificates.
> >
> > One IPA server is selected, the first installed by default, as the
> > renewal master. It is responsible for renewing the shared certificates
> > and placing the updated contents into LDAP which will then be replicated
> > to the other servers and picked up when renewal is needed.
> >
> > The first message means that an updated certificate is not available.
> > The second message was fixed in IPA 4.9.0 in ticket
> > https://pagure.io/freeipa/issue/8164
> >
> > What this means is that the updated certificates are not available in
> > LDAP for certmonger to retrieve. They can be found in
> > cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX under the nickname for each
> > certificate.
> >
> > rob
> >
>
>
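Added example, not code from the thread or from FreeIPA: Rob's suggestion is to compare cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX on a working and a non-working server. The helpers below dump that subtree from each server and reduce every entry to "nickname, SHA-256 fingerprint, notAfter", so the two dumps can be diffed and the nickname that did not replicate is visible at a glance. Assumptions that are not in the thread: OpenLDAP's ldapsearch (for -o ldif-wrap=no), a Kerberos ticket with read access (kinit admin), and that each entry carries its certificate in usercertificate;binary. The nickname and suffix used in the self-test are made up, and make_sample_ldif constructs the LDIF locally so the comparison runs offline.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA. Compare the shared
# certificates the renewal master published under cn=ca_renewal between two
# servers. Assumes OpenLDAP ldapsearch, a valid ticket, and that entries keep
# the certificate in usercertificate;binary (an assumption, not documented here).

# dump_renewal SERVER SUFFIX OUTFILE
# Fetch the subtree with every attribute value on a single line.
dump_renewal() {
    ldapsearch -LLL -o ldif-wrap=no -Y GSSAPI -H "ldap://$1" \
        -b "cn=ca_renewal,cn=ipa,cn=etc,$2" '(objectClass=*)' \
        cn usercertificate > "$3"
}

# cert_summary B64DER
# Print "<sha256 fingerprint><TAB><notAfter>" for a base64-encoded DER cert.
cert_summary() {
    der=$(mktemp)
    printf '%s' "$1" | base64 -d > "$der"
    fp=$(openssl x509 -inform DER -noout -fingerprint -sha256 -in "$der" | sed 's/.*=//')
    exp=$(openssl x509 -inform DER -noout -enddate -in "$der" | sed 's/.*=//')
    rm -f "$der"
    printf '%s\t%s' "$fp" "$exp"
}

# summarize_ldif FILE
# One sorted line per certificate-bearing entry: nickname, fingerprint, notAfter.
summarize_ldif() {
    nick=
    while IFS= read -r line; do
        case "$line" in
            "dn: cn="*)
                nick=${line#dn: cn=}
                nick=${nick%%,*} ;;
            "usercertificate;binary:: "*|"userCertificate;binary:: "*)
                printf '%s\t%s\n' "$nick" "$(cert_summary "${line#*:: }")" ;;
        esac
    done < "$1" | sort
}

# compare_renewal FILE_A FILE_B
# 0 when both dumps hold the same certificates, 1 otherwise (diff is printed;
# a "<" line without a matching ">" is a nickname the replica never received).
compare_renewal() {
    ta=$(mktemp); tb=$(mktemp)
    summarize_ldif "$1" > "$ta"
    summarize_ldif "$2" > "$tb"
    if cmp -s "$ta" "$tb"; then
        echo "ca_renewal entries match"
        rm -f "$ta" "$tb"
        return 0
    fi
    echo "ca_renewal entries differ (< $1, > $2):"
    diff "$ta" "$tb" || true
    rm -f "$ta" "$tb"
    return 1
}

# make_sample_ldif OUTFILE SUFFIX NICK CERTFILE
# Constructed test data in the shape "ldapsearch -LLL -o ldif-wrap=no" emits.
make_sample_ldif() {
    b64=$(openssl x509 -in "$4" -outform DER | base64 -w0)
    {
        printf 'dn: cn=ca_renewal,cn=ipa,cn=etc,%s\ncn: ca_renewal\n\n' "$2"
        printf 'dn: cn=%s,cn=ca_renewal,cn=ipa,cn=etc,%s\ncn: %s\n' "$3" "$2" "$3"
        printf 'usercertificate;binary:: %s\n' "$b64"
    } > "$1"
}
```

Against real servers the sequence is dump_renewal on the renewal master and on the broken replica (after kinit admin), then compare_renewal on the two files; a nickname whose notAfter is older on the replica than on the master is the certificate that certmonger cannot find when it reports "Updated certificate not available".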


[Freeipa-users] Re: Why is ipa-ods-exporter broken after running ipa-dns-install? (Was - Unable to start directory server after updates)

2021-09-07 Thread Florence Renaud via FreeIPA-users
Hi Jeremy,

to enable debugging you can simply create /etc/ipa/server.conf if the file
does not exist:
# cat /etc/ipa/server.conf
[global]
debug=True
# systemctl restart httpd

The HTTPd certificate is stored in /var/lib/ipa/certs/httpd.crt, you can
examine its content with
# openssl x509 -noout -text -in /var/lib/ipa/certs/httpd.crt
If the IPA deployment includes an embedded CA, the CA that issued the httpd
cert is stored in /etc/ipa/ca.crt and can also be checked with openssl
command.

flo

On Tue, Sep 7, 2021 at 6:09 PM Jeremy Tourville <jeremy_tourvi...@hotmail.com> wrote:

> I think I see the issue but I am unsure what to do to fix it.  See below.
>
> To answer your question, yes I did accept the security exception.
>
> Also, I don't see a server.conf file at /etc/ipa so that I may enable
> debugging.  What can you suggest for this issue?
>
>
> [root@utility ~]# ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> pki-tomcatd Service: RUNNING
> smb Service: RUNNING
> winbind Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-ods-exporter Service: STOPPED
> ods-enforcerd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
> [root@utility ~]# kinit admin
> Password for ad...@idm.nac-issa.org:
>
> [root@utility ~]# klist
> Ticket cache: KCM:0:43616
> Default principal: ad...@idm.nac-issa.org
>
> Valid starting   Expires  Service principal
> 09/07/2021 10:59:23  09/08/2021 10:09:04  krbtgt/idm.nac-issa@idm.nac-issa.org
>
> [root@utility ~]# ipa config-show
> ipa: ERROR: cannot connect to 'https://utility.idm.nac-issa.org/ipa/json':
> [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
>
>
> --
> *From:* Florence Renaud 
> *Sent:* Tuesday, September 7, 2021 10:47 AM
> *To:* FreeIPA users list 
> *Cc:* Jeremy Tourville 
> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
> running ipa-dns-install? (Was - Unable to start directory server after
> updates)
>
> Hi Jeremy,
> Did you accept the security exception displayed by the browser (I'm
> trying to eliminate obvious issues)?
> If nothing is displayed, can you check if ipa command-line is working as
> expected (for instance do "kinit admin; ipa config-show")?
> You may want to enable debug logs (add debug=True to the [global] section
> of /etc/ipa/server.conf and restart httpd service), retry WebUI
> authentication and check the generated logs in /var/log/http/error_log
>
> flo
>
> On Tue, Sep 7, 2021 at 2:01 PM Jeremy Tourville via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>
> OK,
> Why don't I see anything on the initial login page?
> All I see is the URL and the fact that the certificate is not trusted.
> The certificate is not expired yet.  Not until Nov 2021.
> The login page is mostly solid white with no login or password field.


[Freeipa-users] Re: Why is ipa-ods-exporter broken after running ipa-dns-install? (Was - Unable to start directory server after updates)

2021-09-07 Thread Jeremy Tourville via FreeIPA-users
Disregard this part
>>>Also, I don't see a server.conf file at /etc/ipa so that I may enable 
>>>debugging.  What can you suggest for this issue?
The file is /etc/ipa/default.conf.  I should have looked before replying.
I have uploaded the httpd error_log to pastebin for review.

https://pastebin.com/RpK5EZQr


From: Jeremy Tourville 
Sent: Tuesday, September 7, 2021 11:09 AM
To: FreeIPA users list 
Cc: Florence Renaud 
Subject: Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after running 
ipa-dns-install? (Was - Unable to start directory server after updates)

I think I see the issue but I am unsure what to do to fix it.  See below.

To answer your question, yes I did accept the security exception.

Also, I don't see a server.conf file at /etc/ipa so that I may enable 
debugging.  What can you suggest for this issue?


[root@utility ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-ods-exporter Service: STOPPED
ods-enforcerd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

[root@utility ~]# kinit admin
Password for ad...@idm.nac-issa.org:

[root@utility ~]# klist
Ticket cache: KCM:0:43616
Default principal: ad...@idm.nac-issa.org

Valid starting   Expires  Service principal
09/07/2021 10:59:23  09/08/2021 10:09:04  krbtgt/idm.nac-issa@idm.nac-issa.org

[root@utility ~]# ipa config-show
ipa: ERROR: cannot connect to 'https://utility.idm.nac-issa.org/ipa/json': 
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)



From: Florence Renaud 
Sent: Tuesday, September 7, 2021 10:47 AM
To: FreeIPA users list 
Cc: Jeremy Tourville 
Subject: Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after running 
ipa-dns-install? (Was - Unable to start directory server after updates)

Hi Jeremy,
Did you accept the security exception displayed by the browser (I'm trying to 
eliminate obvious issues)?
If nothing is displayed, can you check if ipa command-line is working as 
expected (for instance do "kinit admin; ipa config-show")?
You may want to enable debug logs (add debug=True to the [global] section of 
/etc/ipa/server.conf and restart httpd service), retry WebUI authentication and 
check the generated logs in /var/log/http/error_log

flo

On Tue, Sep 7, 2021 at 2:01 PM Jeremy Tourville via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
OK,
Why don't I see anything on the initial login page?
All I see is the URL and the fact that the certificate is not trusted.  The 
certificate is not expired yet.  Not until Nov 2021.
The login page is mostly solid white with no login or password field.


[Freeipa-users] Re: Why is ipa-ods-exporter broken after running ipa-dns-install? (Was - Unable to start directory server after updates)

2021-09-07 Thread Jeremy Tourville via FreeIPA-users
I think I see the issue but I am unsure what to do to fix it.  See below.

To answer your question, yes I did accept the security exception.

Also, I don't see a server.conf file at /etc/ipa so that I may enable 
debugging.  What can you suggest for this issue?


[root@utility ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-ods-exporter Service: STOPPED
ods-enforcerd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

[root@utility ~]# kinit admin
Password for ad...@idm.nac-issa.org:

[root@utility ~]# klist
Ticket cache: KCM:0:43616
Default principal: ad...@idm.nac-issa.org

Valid starting   Expires  Service principal
09/07/2021 10:59:23  09/08/2021 10:09:04  krbtgt/idm.nac-issa@idm.nac-issa.org

[root@utility ~]# ipa config-show
ipa: ERROR: cannot connect to 'https://utility.idm.nac-issa.org/ipa/json': 
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)



From: Florence Renaud 
Sent: Tuesday, September 7, 2021 10:47 AM
To: FreeIPA users list 
Cc: Jeremy Tourville 
Subject: Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after running 
ipa-dns-install? (Was - Unable to start directory server after updates)

Hi Jeremy,
Did you accept the security exception displayed by the browser (I'm trying to 
eliminate obvious issues)?
If nothing is displayed, can you check if ipa command-line is working as 
expected (for instance do "kinit admin; ipa config-show")?
You may want to enable debug logs (add debug=True to the [global] section of 
/etc/ipa/server.conf and restart httpd service), retry WebUI authentication and 
check the generated logs in /var/log/http/error_log

flo

On Tue, Sep 7, 2021 at 2:01 PM Jeremy Tourville via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
OK,
Why don't I see anything on the initial login page?
All I see is the URL and the fact that the certificate is not trusted.  The 
certificate is not expired yet.  Not until Nov 2021.
The login page is mostly solid white with no login or password field.


[Freeipa-users] Re: Why is ipa-ods-exporter broken after running ipa-dns-install? (Was - Unable to start directory server after updates)

2021-09-07 Thread Florence Renaud via FreeIPA-users
Hi Jeremy,
Did you accept the security exception displayed by the browser (I'm trying
to eliminate obvious issues)?
If nothing is displayed, can you check if ipa command-line is working as
expected (for instance do "kinit admin; ipa config-show")?
You may want to enable debug logs (add debug=True to the [global] section
of /etc/ipa/server.conf and restart httpd service), retry WebUI
authentication and check the generated logs in /var/log/http/error_log

flo

On Tue, Sep 7, 2021 at 2:01 PM Jeremy Tourville via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> OK,
> Why don't I see anything on the initial login page?
> All I see is the URL and the fact that the certificate is not trusted.
> The certificate is not expired yet.  Not until Nov 2021.
> The login page is mostly solid white with no login or password field.


[Freeipa-users] Re: Why is ipa-ods-exporter broken after running ipa-dns-install? (Was - Unable to start directory server after updates)

2021-09-07 Thread Jeremy Tourville via FreeIPA-users
OK,
Why don't I see anything on the initial login page?
All I see is the URL and the fact that the certificate is not trusted.  The 
certificate is not expired yet.  Not until Nov 2021.
The login page is mostly solid white with no login or password field.


[Freeipa-users] Re: Why is ipa-ods-exporter broken after running ipa-dns-install? (Was - Unable to start directory server after updates)

2021-09-07 Thread Florence Renaud via FreeIPA-users
Hi,

ipa-ods-exporter is a socket-activated service, and ipactl status may show
it as STOPPED. That's not an issue (and you can see the status of ipactl as
successful) as the socket is still listening on events and will wake the
service on demand.
If it is started manually without the appropriate message passed through
the socket, it exits on failure with the log:
ipa-ods-exporter: CRITICAL socket activation did not return a readable
socket with a command.

Hope this clarifies,
flo

On Mon, Sep 6, 2021 at 1:06 AM Jeremy Tourville via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> Could an SSL cert cause this issue?
>
> References:
>
> #1 https://pagure.io/freeipa/issue/7378
> user comments -  hcoin commented 6 months ago
> >>>"This issue is back as of 3/2021. Freeipa 4.9.2-4.fc33
> SELinux=permissive as well"
>
> Though my system is centos, freeipa version is the same and selinux is
> permissive
>
> #2 https://access.redhat.com/solutions/5527751
>
> Observations:
> 1. Cert on web page UI is not trusted.
> 2. Web page does not fully load.
> 3. My system does contain the java version listed in the kb
> # rpm -q java-1.8.0-openjdk
> java-1.8.0-openjdk-1.8.0.302.b08-0.el8_4.x86_64
> 4. Trying to uninstall/disable dnssec master produces ssl error
>
> [root@utility ~]# ipa-dns-install --disable-dnssec-master
>
> The log file for this installation can be found in
> /var/log/ipaserver-dns-install.log
>
> ==
> This program will setup DNS for the IPA Server.
>
> This includes:
>   * Configure DNS (bind)
>   * Configure SoftHSM (required by DNSSEC)
>   * Configure ipa-dnskeysyncd (required by DNSSEC)
>   * Unconfigure ipa-ods-exporter
>   * Unconfigure OpenDNSSEC
>
> No new zones will be signed without DNSSEC key master IPA server.
>
> Please copy file from /var/lib/ipa/ipa-kasp.db.backup after
> uninstallation. This file is needed on new DNSSEC key
> master server
>
> NOTE: DNSSEC zone signing is not enabled by default
>
>
> To accept the default shown in brackets, press the Enter key.
>
> Do you want to disable current DNSSEC key master? [no]: yes
> Do you want to configure DNS forwarders? [yes]:
> Following DNS servers are configured in /etc/resolv.conf: 127.0.0.1
> Do you want to configure these servers as DNS forwarders? [yes]: no
> Enter an IP address for a DNS forwarder, or press Enter to skip:
> 172.30.50.10
> DNS forwarder 172.30.50.10 added. You may add another.
> Enter an IP address for a DNS forwarder, or press Enter to skip:
> DNS forwarders: 172.30.50.10
> Checking DNS forwarders, please wait ...
> Do you want to search for missing reverse zones? [yes]:
>
> The following operations may take some minutes to complete.
> Please wait until the prompt is returned.
>
> Configuring DNS (named)
>   [1/8]: generating rndc key file
>   [2/8]: setting up our own record
>   [3/8]: adding NS record to the zones
>   [4/8]: setting up kerberos principal
>   [5/8]: setting up named.conf
>   [6/8]: setting up server configuration
>   [7/8]: configuring named to start on boot
>   [8/8]: changing resolv.conf to point to ourselves
> Done configuring DNS (named).
> Restarting the web server to pick up resolv.conf changes
> Configuring DNS key synchronization service (ipa-dnskeysyncd)
>   [1/7]: checking status
>   [2/7]: setting up bind-dyndb-ldap working directory
>   [3/7]: setting up kerberos principal
>   [4/7]: setting up SoftHSM
>   [5/7]: adding DNSSEC containers
>   [6/7]: creating replica keys
>   [7/7]: configuring ipa-dnskeysyncd to start on boot
> Done configuring DNS key synchronization service (ipa-dnskeysyncd).
> Unconfiguring ods-enforcerd
> Exporting DNSSEC data before uninstallation
> Unconfiguring ipa-ods-exporter
> Unexpected error - see /var/log/ipaserver-dns-install.log for details:
> NetworkError: cannot connect to 'https://utility.idm.nac-issa.org:443/ca/rest/certs/search?size=2147483647':
> [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
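Added example, not code from the thread or from FreeIPA: the explanation above is that ipa-ods-exporter is socket-activated, so "STOPPED" in ipactl status is expected and the state that actually matters is that of ipa-ods-exporter.socket. The helper below reads the socket and service states from systemctl and turns them into a verdict; the classification rules are this example's own, and the live check assumes systemd's systemctl on a DNSSEC key master. The unit states used in the self-test are constructed values, not captured from a server.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA. For a socket-activated
# service the .socket unit does the listening and systemd starts the service
# only when a client connects, so the service being inactive is normal. The
# verdict rules in classify are this example's own.

# classify SOCKET_ACTIVESTATE SOCKET_SUBSTATE SERVICE_ACTIVESTATE
# ok        socket listening (or currently running the service): normal
# failed    the service's last run ended in failure, e.g. it was started by
#           hand without the socket ("socket activation did not return a
#           readable socket"); clear it with systemctl reset-failed
# degraded  socket not listening: nothing will ever wake the service
classify() {
    case "$1/$2/$3" in
        */*/failed)                          echo failed ;;
        active/listening/*|active/running/*) echo ok ;;
        *)                                   echo degraded ;;
    esac
}

# unit_prop UNIT PROPERTY
# Single property value from systemctl show (empty if systemctl is missing).
unit_prop() {
    systemctl show -p "$2" --value "$1" 2>/dev/null
}

# check_ods_exporter
# Live check on the DNSSEC key master; exit 0 only when the socket is healthy.
check_ods_exporter() {
    sa=$(unit_prop ipa-ods-exporter.socket ActiveState)
    ss=$(unit_prop ipa-ods-exporter.socket SubState)
    va=$(unit_prop ipa-ods-exporter.service ActiveState)
    verdict=$(classify "$sa" "$ss" "$va")
    echo "ipa-ods-exporter.socket: $sa/$ss  service: $va  => $verdict"
    [ "$verdict" = ok ]
}
```

Run check_ods_exporter on the key master; "active/listening" with the service inactive is the healthy picture that ipactl reports as STOPPED. A "failed" verdict after a manual systemctl start ipa-ods-exporter is the CRITICAL exit described above and says nothing about the socket itself.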