[Freeipa-users] Re: Strange CA error during FreeIPA connection

2022-03-09 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,

If you start the services with

ipactl --ignore-service-failures start

then it will ignore the failure that happens when starting PKI, but it won't
solve the initial issue (CertificateOperationError) because the framework
still won't be able to communicate with PKI.

I would focus first on the kinit admin issue, as Kerberos is used by the whole
IPA stack.
flo


[Freeipa-users] Re: Strange CA error during FreeIPA connection

2022-03-08 Thread Alessandro Minonzio via FreeIPA-users
Hi Florence,

I have examined the Tomcat logs.
There seems to be an issue.
Do you think that the command

ipactl --ignore-service-failures start

should solve the problem, or do I need to investigate the logs?

Thanks and regards,


AM



[Freeipa-users] Re: Strange CA error during FreeIPA connection

2022-02-23 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,

so there are at least 2 issues to fix:
- kinit admin fails
- pki-tomcatd service and ipa-otpd service are stopped.

For the first issue, can you run:
# KRB5_TRACE=/dev/stderr kinit admin
This will print more details (if DNS resolution is used etc...)

For the 2nd issue, you need to have a look at the logs in
/var/log/pki/pki-tomcat/, and check for errors with
# systemctl status pki-tomcatd@pki-tomcat
and in the journal:
# journalctl -u pki-tomcatd@pki-tomcat

flo
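The checks listed in this reply can be run in one go. The following helper is an added example, not FreeIPA project code and not something posted in the thread: it parses the `ipactl status` output quoted later in the thread, maps each STOPPED service to the systemd unit and log location to inspect, and, when run as root on the replica, runs `kinit admin` with KRB5_TRACE first (Kerberos underlies everything else) and then the `systemctl status` / `journalctl -u` commands for each stopped service. The unit `pki-tomcatd@pki-tomcat` and the directory `/var/log/pki/pki-tomcat/` are the ones named in the reply; `ipa-otpd.socket` and the `dirsrv@REALM` instance naming are assumptions about the FreeIPA service map, and the default realm is the one from the original post.

```python
"""Triage helper for a FreeIPA replica whose `ipactl status` shows STOPPED services.

Added example, not FreeIPA project code. Parses `ipactl status`, maps each
stopped service to the unit and log location to inspect, and when run on the
replica executes the checks in the order suggested in the thread: Kerberos
first, then the stopped units.
"""
import os
import re
import subprocess
from typing import Dict, List, Optional

# Constructed copy of the `ipactl status` output quoted in the thread (offline test input).
SAMPLE_IPACTL_STATUS = """\
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: STOPPED
ipa: INFO: The ipactl command was successful
"""

# pki-tomcatd@pki-tomcat and /var/log/pki/pki-tomcat/ are named in the thread.
# ipa-otpd.socket (ipactl drives ipa-otpd through its socket unit) and the
# dirsrv@REALM instance name are assumptions about the FreeIPA service map.
UNIT_FOR_SERVICE: Dict[str, str] = {
    "pki-tomcatd": "pki-tomcatd@pki-tomcat.service",
    "ipa-otpd": "ipa-otpd.socket",
}
LOG_DIR_FOR_SERVICE: Dict[str, str] = {
    "pki-tomcatd": "/var/log/pki/pki-tomcat/",
}
STATUS_LINE = re.compile(r"^(?P<name>.+) Service: (?P<state>RUNNING|STOPPED)$")


def parse_ipactl_status(text: str) -> Dict[str, str]:
    """Map service name -> RUNNING/STOPPED; the trailing 'ipa: INFO:' line does not match."""
    states: Dict[str, str] = {}
    for line in text.splitlines():
        m = STATUS_LINE.match(line.strip())
        if m:
            states[m.group("name")] = m.group("state")
    return states


def stopped_services(text: str) -> List[str]:
    """Stopped services in the order ipactl printed them."""
    return [name for name, state in parse_ipactl_status(text).items() if state == "STOPPED"]


def unit_for(service: str, realm: str = "SUBITOHQ.IT") -> str:
    """systemd unit behind an ipactl service name (realm default taken from the original post)."""
    if service == "Directory":
        return f"dirsrv@{realm.replace('.', '-')}.service"
    return UNIT_FOR_SERVICE.get(service, f"{service}.service")


def diagnostic_commands(service: str) -> List[List[str]]:
    """Commands to run for one stopped service: unit status, its journal, then its log directory."""
    unit = unit_for(service)
    cmds = [
        ["systemctl", "status", "--no-pager", unit],
        ["journalctl", "-u", unit, "--no-pager", "-n", "100"],
    ]
    log_dir = LOG_DIR_FOR_SERVICE.get(service)
    if log_dir:
        cmds.append(["ls", "-lt", log_dir])
    return cmds


def run(cmd: List[str], env: Optional[Dict[str, str]] = None) -> int:
    """Echo and run one command, returning its exit status."""
    print("$", " ".join(cmd), flush=True)
    return subprocess.run(cmd, env=env).returncode


if __name__ == "__main__":
    status = subprocess.run(["ipactl", "status"], capture_output=True, text=True).stdout
    print(status)
    # Kerberos first: KRB5_TRACE shows which KDCs kinit resolves and tries.
    if run(["kinit", "admin"], env={**os.environ, "KRB5_TRACE": "/dev/stderr"}) != 0:
        print("kinit admin failed: fix KDC reachability / krb5.conf before looking at the CA")
    for service in stopped_services(status):
        print(f"== {service} is STOPPED ==")
        for cmd in diagnostic_commands(service):
            run(cmd)
```

Run it as root on the replica (`python3 ipa_triage.py`); the parsing functions are pure, so they can also be pointed at a pasted `ipactl status` capture from another host.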


[Freeipa-users] Re: Strange CA error during FreeIPA connection

2022-02-23 Thread Alessandro Minonzio via FreeIPA-users
Hi Florence,

thanks for the support. Here is the status of FreeIPA:

[root@adv ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: STOPPED
ipa: INFO: The ipactl command was successful

pki-tomcatd and ipa-otpd seem to be stopped.





[Freeipa-users] Re: Strange CA error during FreeIPA connection

2022-02-23 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,
Are all the IPA services up and running on the replica? (The kinit error
suggests that either krb5.conf is badly configured or the Kerberos server
isn't running on the replica.)
Please report the output of "ipactl status".

flo

On Wed, Feb 23, 2022 at 9:05 AM Alessandro Minonzio via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hi,
>
> I report this issue about FreeIPA server:
>
>
> --
>
> Request for enhancement
>
> A strange error is occurring when I try to access my FreeIPA.
> Issue
>
> The problem occurs when I try to access the FreeIPA portal.
>
> A message appears saying "IPA Error 4301: CertificateOperationError"
> "Certificate operation cannot be completed: Unable to communicate with CMS
> (500)"
>
> In the Certificate Authority section, this appears:
>
> "cannot connect to 'https://xyz.xhq.it:443/ca/rest/account/login':
>  [SSL:
> SSL_HANDSHAKE_FAILURE] ssl handshake failure (_ssl.c:1826)"
>
> and if I try the kinit admin command on the console, this error appears:
>
> "kinit: Cannot contact any KDC for realm 'SUBITOHQ.IT' while getting
> initial credentials"
> Actual behavior
>
> The web server and kinit admin on the console don't work. The LDAPADMIN tool
> doesn't work either.
> Version/Release/Distribution
>
> package freeipa-server is not installed
> package freeipa-client is not installed
> ipa-server-4.6.5-11.el7.centos.3.x86_64
> ipa-client-4.6.5-11.el7.centos.3.x86_64
> 389-ds-base-1.3.9.1-12.el7_7.x86_64
> pki-ca-10.5.16-5.el7_7.noarch
> krb5-server-1.15.1-37.el7_7.2.x86_64
> Additional info:
>
> Maybe it's a problem with the CA, but what is the process to solve that issue?
> The fact is that this behaviour occurs on a replica FreeIPA server with CA and
> DOMAIN. Is there a resolution or a command to solve that?
>
>
> --
>
> Could you help me please?
>
> Best regards,
>
> AM
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
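Florence's reply asks whether krb5.conf is misconfigured or the KDC is down, and the original post also shows the framework failing a TLS handshake with the CA on port 443. The following is an added example, not FreeIPA project code and not posted in the thread: it reads the [libdefaults] and [realms] sections of krb5.conf to find the KDCs `kinit` would try for the realm, checks whether DNS SRV lookup would apply when none are listed, and, when run on the host, probes TCP port 88 on each KDC and performs a TLS handshake against the CA's HTTPS port verified with the IPA CA certificate. The sample configuration is constructed: the realm is the one from the post, the host names are hypothetical, and `/etc/ipa/ca.crt` as the CA bundle path and 8443 as Dogtag's own HTTPS listener are assumptions.

```python
"""Find the KDCs kinit would try for a realm, then probe them and the CA's TLS endpoint.

Added example, not FreeIPA project code. "Cannot contact any KDC for realm"
means libkrb5 found no KDC it could reach: none listed for the realm in
krb5.conf with DNS SRV lookup off, or the listed hosts not answering on 88.
"""
import re
import socket
import ssl
import sys
from typing import Dict, List, Optional, Tuple

# Constructed krb5.conf for offline testing: realm from the original post, hypothetical hosts.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = SUBITOHQ.IT
  dns_lookup_realm = false
  dns_lookup_kdc = false

[realms]
  SUBITOHQ.IT = {
    kdc = ipa-replica.example.test:88
    master_kdc = ipa-replica.example.test:88
    admin_server = ipa-replica.example.test:749
    default_domain = subitohq.it
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
  }

[domain_realm]
  .subitohq.it = SUBITOHQ.IT
  subitohq.it = SUBITOHQ.IT
"""

Conf = Dict[str, Dict]


def parse_krb5_conf(text: str) -> Conf:
    """Minimal krb5.conf reader: {section: {key: [values]}}, with `NAME = { ... }`
    blocks nested one level deep. Repeated keys (several `kdc =` lines) accumulate in order."""
    sections: Conf = {}
    section: Optional[Dict] = None
    block: Optional[Dict] = None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section, block = sections.setdefault(m.group(1), {}), None
            continue
        if section is None:
            continue
        if line == "}":
            block = None
            continue
        m = re.match(r"^([^=\s]+)\s*=\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            block = section.setdefault(key, {})
            continue
        target = block if block is not None else section
        target.setdefault(key, []).append(value)
    return sections


def default_realm(conf: Conf) -> Optional[str]:
    return conf.get("libdefaults", {}).get("default_realm", [None])[0]


def dns_lookup_kdc_enabled(conf: Conf) -> bool:
    """libkrb5 treats a missing dns_lookup_kdc as true."""
    value = conf.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])[0].lower()
    return value in ("true", "yes", "on", "1")


def kdcs_for_realm(conf: Conf, realm: Optional[str] = None) -> List[str]:
    """The `kdc =` entries libkrb5 tries for the realm (default_realm when not given)."""
    realm = realm or default_realm(conf)
    return list(conf.get("realms", {}).get(realm, {}).get("kdc", []))


def split_host_port(entry: str, default_port: int = 88) -> Tuple[str, int]:
    host, _, port = entry.rpartition(":") if ":" in entry else (entry, "", "")
    return host, int(port) if port else default_port


def probe_kdc(entry: str, timeout: float = 3.0) -> bool:
    """TCP connect to the KDC port; kinit tries UDP first, but TCP is the cheaper check to script."""
    host, port = split_host_port(entry)
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError as exc:
        print(f"KDC {host}:{port} unreachable: {exc}")
        return False


def probe_ca_tls(host: str, port: int, cafile: str = "/etc/ipa/ca.crt", timeout: float = 5.0) -> Optional[str]:
    """TLS handshake verified against the IPA CA; None corresponds to the thread's SSL_HANDSHAKE_FAILURE."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except OSError as exc:  # ssl.SSLError is an OSError subclass
        print(f"TLS handshake with {host}:{port} failed: {exc}")
        return None


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/krb5.conf"
    with open(path) as fh:
        conf = parse_krb5_conf(fh.read())
    realm = default_realm(conf)
    kdcs = kdcs_for_realm(conf, realm)
    if not kdcs and not dns_lookup_kdc_enabled(conf):
        print(f"no kdc entries for {realm} and dns_lookup_kdc is off: kinit has nothing to contact")
    for entry in kdcs:
        print(f"KDC {entry}: {'reachable' if probe_kdc(entry) else 'UNREACHABLE'}")
    # 443 is the port in the thread's error (httpd proxying /ca/rest); 8443 is Dogtag's own listener.
    ca_host = sys.argv[2] if len(sys.argv) > 2 else socket.getfqdn()
    for port in (443, 8443):
        print(f"TLS {ca_host}:{port}: {probe_ca_tls(ca_host, port) or 'handshake failed'}")
```

Probing 443 and 8443 separately tells apart a broken Apache proxy from a CA instance that is down or presenting a certificate the IPA CA did not issue; a handshake that fails on both while pki-tomcatd is STOPPED points back at getting the CA started, which is what the journal and `/var/log/pki/pki-tomcat/` checks in the thread are for.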