Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)

2016-12-16 Thread Christopher Young
I have a similar issue (see my recent list post), and I was wondering
if this was ever fixed?  The CA appears to work on one system
(master/replica) but not the other.

On Mon, Jun 13, 2016 at 4:41 AM, Petr Vobornik <pvobo...@redhat.com> wrote:
> On 06/12/2016 07:05 PM, dan.finkelst...@high5games.com wrote:
>> The restore I was referring to was a red herring; we ended up wiping the 
>> server
>> and saving ipa-backup files, which was the only way we could successfully
>> reconfigure/reinitialize IPA on the host.
>>
>
> As Rob wrote, please check PKI logs. The most important ones here are:
>
> /var/log/pki/pki-tomcat/ca/selftests.log
> /var/log/pki/pki-tomcat/ca/debug
>
> The debug log usually has additional info on the possible cause logged in
> the selftest log.
>

Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)

2016-06-13 Thread Petr Vobornik
On 06/12/2016 07:05 PM, dan.finkelst...@high5games.com wrote:
> The restore I was referring to was a red herring; we ended up wiping the 
> server 
> and saving ipa-backup files, which was the only way we could successfully 
> reconfigure/reinitialize IPA on the host.
> 

As Rob wrote, please check PKI logs. The most important ones here are:

/var/log/pki/pki-tomcat/ca/selftests.log
/var/log/pki/pki-tomcat/ca/debug

The debug log usually has additional info on the possible cause logged in
the selftest log.



Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)

2016-06-10 Thread Rob Crittenden

dan.finkelst...@high5games.com wrote:
> And, from the 'ipactl -d --ignore-service-failures restart' we get this:
>
> ipa: DEBUG: stderr=
> ipa: DEBUG: wait_for_open_ports: localhost [8080, 8443] timeout 300
> ipa: DEBUG: Waiting until the CA is running
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'
> ipa: DEBUG: Process finished, return code=4
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=--2016-06-10 15:29:38--  https://ipa.example.com:8443/ca/admin/ca/getStatus
> Resolving ipa.example.com (ipa.example.com)... 10.55.10.31
> Connecting to ipa.example.com (ipa.example.com)|10.55.10.31|:8443... connected.
> Unable to establish SSL connection.
>
> ipa: DEBUG: The CA status is: check interrupted due to error: Command ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'' returned non-zero exit status 4
> ipa: DEBUG: Waiting for CA to start...
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'
> ipa: DEBUG: Process finished, return code=4
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=--2016-06-10 15:29:43--  https://ipa.example.com:8443/ca/admin/ca/getStatus
> Resolving ipa.example.com (ipa.example.com)... 10.55.10.31
> Connecting to ipa.example.com (ipa.example.com)|10.55.10.31|:8443... connected.
> Unable to establish SSL connection.
>
> ipa: DEBUG: The CA status is: check interrupted due to error: Command ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'' returned non-zero exit status 4
> ipa: DEBUG: Waiting for CA to start...
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'
>
> Which leads me to believe that tomcat doesn't have the right certificate(s).


I don't think that's the problem. I'd check the pki logs to see if it 
started and if not, why. Note that it is quite possible for tomcat to 
start and the CA to fail because tomcat is just a container.


In a previous e-mail you said something about a restore, what was that?

rob



Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)

2016-06-10 Thread Dan.Finkelstein
And, from the 'ipactl -d --ignore-service-failures restart' we get this:

ipa: DEBUG: stderr=
ipa: DEBUG: wait_for_open_ports: localhost [8080, 8443] timeout 300
ipa: DEBUG: Waiting until the CA is running
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' 
'--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'
ipa: DEBUG: Process finished, return code=4
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=--2016-06-10 15:29:38--  
https://ipa.example.com:8443/ca/admin/ca/getStatus
Resolving ipa.example.com (ipa.example.com)... 10.55.10.31
Connecting to ipa.example.com (ipa.example.com)|10.55.10.31|:8443... connected.
Unable to establish SSL connection.

ipa: DEBUG: The CA status is: check interrupted due to error: Command 
''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 
'https://ipa.example.com:8443/ca/admin/ca/getStatus'' returned non-zero exit 
status 4
ipa: DEBUG: Waiting for CA to start...
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' 
'--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'
ipa: DEBUG: Process finished, return code=4
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=--2016-06-10 15:29:43--  
https://ipa.example.com:8443/ca/admin/ca/getStatus
Resolving ipa.example.com (ipa.example.com)... 10.55.10.31
Connecting to ipa.example.com (ipa.example.com)|10.55.10.31|:8443... connected.
Unable to establish SSL connection.

ipa: DEBUG: The CA status is: check interrupted due to error: Command 
''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 
'https://ipa.example.com:8443/ca/admin/ca/getStatus'' returned non-zero exit 
status 4
ipa: DEBUG: Waiting for CA to start...
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' 
'--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'

Which leads me to believe that tomcat doesn't have the right certificate(s).


From: <freeipa-users-boun...@redhat.com> on behalf of Daniel Finkestein 
<dan.finkelst...@high5games.com>
Date: Friday, June 10, 2016 at 14:52
To: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 
4301: CertificateOperationError)

That’s exactly right, and we got the files and links back to serviceable order. 
Now we're (merely) facing issues with our restored certificate store, which the 
pki-tomcatd process is not happy with. All IPA services start normally except 
for tomcat, which spits out SSL errors (and we're pretty sure must be related 
to bad certs… somewhere).

Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
Internal Database Error encountered: Could not connect to LDAP server host ipa.example.com port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
        at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:673)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1107)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1013)
        at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:510)
        at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1601)
        at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
        at javax.servlet.GenericServlet.init(GenericServlet.java:158)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Delega
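The getStatus probe in the ipactl debug output above, and Rob's point in his reply (the message above on this page) that tomcat can start while the CA itself fails, as an added shell example that is not FreeIPA's or Dogtag's own code. It runs the same wget probe ipactl runs and classifies the outcome instead of only retrying: a transport-level failure (wget exit 4, "Unable to establish SSL connection", the case in this thread) points at the tomcat service and its journal, an HTTP error points at the CA webapp and its logs, and only a body reporting State 1 means the CA is running. The wget exit-code meanings are taken from the wget manual; the `<State>`/`<Status>` element names of the getStatus body are an assumption, and the sample bodies used with it are constructed.

```sh
#!/bin/sh
# Added example for this thread; not FreeIPA's or Dogtag's code.
# ipactl polls https://HOST:8443/ca/admin/ca/getStatus with wget (see the DEBUG
# lines above). Three different failures point at different logs, so classify
# the result instead of only retrying:
#   wget exit 4 -> no TLS connection at all: tomcat is not listening on 8443 or
#                  its TLS connector did not come up (this thread's case);
#                  look at journalctl -u pki-tomcatd@pki-tomcat.service
#   wget exit 8 -> tomcat answered with an HTTP error: the container is up but
#                  the CA webapp is not ("tomcat is just a container");
#                  look at /var/log/pki/pki-tomcat/ca/selftests.log and debug
#   wget exit 0 -> parse the XML body; only <State>1</State> means running
# Exit codes are from the wget manual. The element names <State> and <Status>
# are an assumption about the getStatus response body.

# ca_state_from_body BODY: prints the CA state word parsed from a getStatus body
ca_state_from_body() {
    flat=$(printf '%s' "$1" | tr -d '\n')
    state=$(printf '%s' "$flat" | sed -n 's/.*<State>\([0-9]*\)<\/State>.*/\1/p')
    status=$(printf '%s' "$flat" | sed -n 's/.*<Status>\([^<]*\)<\/Status>.*/\1/p')
    if [ "$state" = "1" ]; then
        echo "running"
    elif [ -n "$status" ]; then
        echo "$status"          # e.g. "starting"
    else
        echo "unknown"          # empty or unexpected body
    fi
}

# interpret_probe WGET_EXIT BODY: one-line verdict telling the operator where to look next
interpret_probe() {
    case "$1" in
        0) echo "ca: $(ca_state_from_body "$2")" ;;
        4) echo "transport: no TLS connection to :8443 (tomcat not listening, or its TLS connector failed to start); check journalctl -u pki-tomcatd@pki-tomcat.service" ;;
        5) echo "transport: certificate verification failed (not reachable with --no-check-certificate)" ;;
        8) echo "http: tomcat answered with an error status, CA webapp not deployed or failing; check /var/log/pki/pki-tomcat/ca/selftests.log and debug" ;;
        *) echo "other: wget exit $1" ;;
    esac
}

# ca_is_running WGET_EXIT BODY: true only when the probe succeeded and the CA reports State 1
ca_is_running() {
    [ "$1" -eq 0 ] && [ "$(ca_state_from_body "$2")" = "running" ]
}

# probe_ca HOST: run the probe ipactl runs and classify it (needs network; not used by the tests)
probe_ca() {
    rc=0
    body=$(wget -q -O - --timeout=30 --no-check-certificate \
        "https://$1:8443/ca/admin/ca/getStatus") || rc=$?
    interpret_probe "$rc" "$body"
    ca_is_running "$rc" "$body"
}

if [ "$#" -gt 0 ]; then
    probe_ca "$1"       # usage: sh ca_probe.sh ipa.example.com
fi
```

The script exits non-zero unless the CA answers with State 1, so it can replace a bare `wget` in a monitoring check; the verdict line is what tells you whether to read the systemd journal or the CA's own selftests/debug logs first.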

Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)

2016-06-10 Thread Dan.Finkelstein
From: Rob Crittenden <rcrit...@redhat.com>
Date: Friday, June 10, 2016 at 14:48
To: Daniel Finkestein <dan.finkelst...@high5games.com>, 
"freeipa-users@redhat.com" <freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 
4301: CertificateOperationError)

I'd reinstall some rpms to properly create these:

tomcat
pki-base
pki-server

I'm not positive it will fix permissions; rpm -V on the same may point
out problems as well.

rob
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)

2016-06-10 Thread Dan.Finkelstein
An update: The journalctl command has some really interesting output:

Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: WARNING:  Symbolic link '/var/lib/pki/pki-tomcat/alias' does NOT exist!
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: INFO:  Attempting to create '/var/lib/pki/pki-tomcat/alias' -> '/etc/pki/pki-tomcat/alias' . . .
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ln: failed to create symbolic link ‘/var/lib/pki/pki-tomcat/alias’: Permission denied
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ERROR:  Failed to create '/var/lib/pki/pki-tomcat/alias' -> '/etc/pki/pki-tomcat/alias'!
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: WARNING:  Symbolic link '/var/lib/pki/pki-tomcat/logs' does NOT exist!
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: INFO:  Attempting to create '/var/lib/pki/pki-tomcat/logs' -> '/var/log/pki/pki-tomcat' . . .
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ln: failed to create symbolic link ‘/var/lib/pki/pki-tomcat/logs’: Permission denied
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ERROR:  Failed to create '/var/lib/pki/pki-tomcat/logs' -> '/var/log/pki/pki-tomcat'!
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: WARNING:  Symbolic link '/var/lib/pki/pki-tomcat/bin' does NOT exist!
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: INFO:  Attempting to create '/var/lib/pki/pki-tomcat/bin' -> '/usr/share/tomcat/bin' . . .
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ln: failed to create symbolic link ‘/var/lib/pki/pki-tomcat/bin’: Permission denied
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ERROR:  Failed to create '/var/lib/pki/pki-tomcat/bin' -> '/usr/share/tomcat/bin'!
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: WARNING:  Symbolic link '/var/lib/pki/pki-tomcat/conf' does NOT exist!
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: INFO:  Attempting to create '/var/lib/pki/pki-tomcat/conf' -> '/etc/pki/pki-tomcat' . . .
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ln: failed to create symbolic link ‘/var/lib/pki/pki-tomcat/conf’: Permission denied
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ERROR:  Failed to create '/var/lib/pki/pki-tomcat/conf' -> '/etc/pki/pki-tomcat'!
Jun 10 11:16:23 ipa.example.com systemd[1]: pki-tomcatd@pki-tomcat.service: control process exited, code=exited status=1
Jun 10 11:16:23 ipa.example.com systemd[1]: Failed to start PKI Tomcat Server pki-tomcat.

Which makes me think all we have to do is create the right directory 
structures/links and/or change the file permissions? But which ones, and to whom?

—Dan

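For the journalctl output above, and for Rob's suggestion in the message above it to run rpm -V on tomcat, pki-base and pki-server: an added shell check, not pkidaemon's or FreeIPA's own code, that answers Dan's "which ones and to whom?" by verifying the four instance symlinks pkidaemon tried to create and reporting who owns the directory it could not write into. The link names and targets are the ones printed in the log; the service user name "pkiuser" is an assumption (Dogtag's default), so confirm it against the unit file on the host. The checks take their paths as arguments so the same functions can be run against a scratch directory.

```sh
#!/bin/sh
# Added example for this thread; not pkidaemon's or FreeIPA's code.
# pkidaemon (the start helper behind pki-tomcatd@pki-tomcat.service) expects
# four symlinks inside the instance directory and creates them on start; the
# journalctl output above shows every attempt failing with "Permission denied",
# i.e. the instance directory is not writable by the user the service runs as.
# This script reports which links are missing, dangling, not a symlink, or
# pointing somewhere else, and who owns the instance directory.
# Link names/targets are the ones from the log. The service user "pkiuser" is
# an assumption: check `systemctl cat pki-tomcatd@pki-tomcat.service`.

# check_pki_links [INSTANCE_DIR] [CONF_DIR] [LOG_DIR] [TOMCAT_BIN_DIR]
# Prints one line per link; returns the number of problems found (0 = all good).
check_pki_links() {
    inst=${1:-/var/lib/pki/pki-tomcat}
    conf=${2:-/etc/pki/pki-tomcat}
    logs=${3:-/var/log/pki/pki-tomcat}
    bin=${4:-/usr/share/tomcat/bin}
    problems=0
    # "name:target" pairs, exactly the four links pkidaemon reported
    for pair in "alias:$conf/alias" "logs:$logs" "bin:$bin" "conf:$conf"; do
        name=${pair%%:*}
        want=${pair#*:}
        link=$inst/$name
        if [ ! -L "$link" ] && [ ! -e "$link" ]; then
            echo "MISSING  $link (expected -> $want)"
            problems=$((problems + 1))
        elif [ ! -L "$link" ]; then
            echo "NOTLINK  $link exists but is not a symlink (expected -> $want)"
            problems=$((problems + 1))
        elif [ ! -e "$link" ]; then
            echo "DANGLING $link -> $(readlink "$link") (target does not exist)"
            problems=$((problems + 1))
        else
            got=$(readlink "$link")
            if [ "$got" = "$want" ]; then
                echo "OK       $link -> $got"
            else
                echo "WRONG    $link -> $got (expected $want)"
                problems=$((problems + 1))
            fi
        fi
    done
    return "$problems"
}

# owner_of PATH: user name that owns PATH (parsed from ls -ld, so it is portable)
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# instance_owned_by INSTANCE_DIR USER: true when USER owns the directory the
# links must be created in; "Permission denied" in the log means it does not.
instance_owned_by() {
    [ "$(owner_of "$1")" = "$2" ]
}

if [ "$#" -gt 0 ] && [ "$1" = "run" ]; then
    # usage on the IPA server: sh pki_links_check.sh run
    check_pki_links
    n=$?
    if instance_owned_by /var/lib/pki/pki-tomcat pkiuser; then
        echo "instance dir owned by pkiuser"
    else
        echo "instance dir NOT owned by pkiuser (owner: $(owner_of /var/lib/pki/pki-tomcat))"
    fi
    # the packages Rob named; rpm -V lists files whose mode/owner/content differ from the package
    if command -v rpm >/dev/null 2>&1; then
        rpm -V tomcat pki-base pki-server || echo "rpm -V reported differences above"
    fi
    exit "$n"
fi
```

A non-zero exit is the count of broken links, so the script doubles as a pre-start check; pair its output with `rpm -V`, which will also flag the instance directory itself if its owner or mode no longer matches what the package set.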

[Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)

2016-06-08 Thread Dan.Finkelstein
I have a promoted CA master/FreeIPA 4.2.0 instance on CentOS 7 that emits this 
error in the httpd logs whenever the WebUI tries to see the certificates page:

[Wed Jun 08 16:56:27.052106 2016] [:error] [pid 2863] ipa: ERROR: 
ipaserver.plugins.dogtag.ra.find(): Unable to communicate with CMS ([Errno 111] 
Connection refused)
[Wed Jun 08 16:56:27.052401 2016] [:error] [pid 2863] ipa: INFO: 
[jsonserver_session] dfinkelst...@example.com: cert_find(version=u'2.156'): 
CertificateOperationError

The certificates appear as follows:

[root@ipa httpd]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
auditSigningCert cert-pki-ca                                 u,u,u
EXAMPLE.COM IPA CA                                           CTu,u,Cu
ipaCert                                                      u,u,u
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u

Upon reboot, httpd fails to start with the error: Failed to start Identity, 
Policy, Audit. But it can be started later with `ipactl restart`. Finally, the 
two last IPA services don't appear to start:

[root@ipa]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: STOPPED
ipa-dnskeysyncd Service: STOPPED
ipa: INFO: The ipactl command was successful

I'd appreciate any guidance or suggestions.

Thanks,
Dan

