Re: [Freeipa-users] Unable to communicate with CMS (Service Unavailable)

2015-11-17 Thread Terry John
>On Thu, Nov 12, 2015 at 08:55:25PM +0100, Martin Kosek wrote:
>> On 11/12/2015 04:51 PM, Terry John wrote:
>> >
>> >I got a core dump of certmonger failing user abrt but it's huge. Is there 
>> >any particular part that would be useful.
>>
>> CCing Nalin and David for the core dump. More below.

>My initial guess is that it's the same as the one reported in bug #1260871.  
>There's a fix for a problem that might be the cause in 0.77.6 and 0.78.5.  If 
>you can try a 0.77.6 build from the COPR system [1], it'll help us figure out 
>if we've correctly identified the cause, or if the problem you're running into 
>is a different one.
>Nalin

>[1] https://copr.fedoraproject.org/coprs/nalin/certmonger/build/139854/

I'm not sure updating certmonger would help us in this case. The problem was 
that the CMS service was not running which was a Java version issue. The Java 
installation in /usr/java/default/bin was version 1.6.

Currently certmonger and everything else is running fine.
# yum list installed certmonger
Installed Packages
certmonger.x86_64  0.77.5-1.el6  @base

# service certmonger status
certmonger (pid  2288) is running...

# ls -l /usr/java/default/bin/java
lrwxrwxrwx. 1 root root 22 Nov 13 14:14 /usr/java/default/bin/java -> /etc/alternatives/java
# ls -l  /etc/alternatives/java
lrwxrwxrwx. 1 root root 46 Nov 13 14:13 /etc/alternatives/java -> /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/java


The Manheim group of companies within the UK comprises: Manheim Europe Limited 
(registered number: 03183918), Manheim Auctions Limited (registered number: 
00448761), Manheim Retail Services Limited (registered number: 02838588), 
Motors.co.uk Limited (registered number: 05975777), Real Time Communications 
Limited (registered number: 04277845) and Complete Automotive Solutions Limited 
(registered number: 05302535). Each of these companies is registered in England 
and Wales with the registered office address of Central House, Leeds Road, 
Rothwell, Leeds LS26 0JE. The Manheim group of companies operates under various 
brand/trading names including Manheim Inspection Services, Manheim Auctions, 
Manheim Direct, Manheim De-fleet and Manheim Aftersales Solutions.




-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Unable to communicate with CMS (Service Unavailable) (Solved)

2015-11-17 Thread Fraser Tweedale
On Fri, Nov 13, 2015 at 12:00:16PM +0100, Martin Kosek wrote:
> On 11/13/2015 11:14 AM, Terry John wrote:
> >>On 11/12/2015 04:51 PM, Terry John wrote:
> >>>I got a core dump of certmonger failing user abrt but it's huge. Is there 
> >>>any particular part that would be useful.
> >
> >>CCing Nalin and David for the core dump. More below.
> >
> >>On 11/12/2015 02:17 PM, Terry John wrote:
> I had a working freeipa setup on a CentOS release 6.7 machine.  All was 
> well until I did a yum update. Now I have multiple issues apparently based 
> around the CMS (Service Unavailable) issue.
> My current version of ipa-server is 3.0.0-47
> Certmonger crashes with a segmentation fault at boot time and crashes every 
> time I try to restart it when ipa is running.
> >>
> >
> >
> ># ipa cert-status
> >Request id: 20140417164153
> >ipa: ERROR: Certificate operation cannot be completed: Unable to
> >communicate with CMS (Service Unavailable)
> ># service certmonger status
> >certmonger (pid  3030) is running...
> >>>
> It looks like PKI cannot be contacted. I would recommend checking 
> /var/log/httpd/error_log, it may have more details. I would also 
> recommend checking "ipa cert-show 1", it will probably fail with the same 
> bug.
> >>>Yes ipa cert-show 1 does show the same thing
> >>># ipa cert-show 1
> >>>ipa: ERROR: Certificate operation cannot be completed: Unable to
> >>>communicate with CMS (Service Unavailable)
> >>>
> Next steps may include checking that dogtag service really runs, there is 
> no SELinux AVC. If neither of these helps, you can check PKI logs 
> /var/log/pki... to see what went wrong.
> >>>I'm pretty certain the dogtag service is not running
> >
> >Then you have your lucky winner! :-)
> >
> Some pointers to logs are for example here:
> http://www.freeipa.org/page/Troubleshooting#Server_Installation
> >>
> >>>/var/log/pki-ca/catalina.out contains the lines at boot time:
> >
> >
> >>>SEVERE: Error deploying web application directory ca
> >>>java.lang.UnsupportedClassVersionError: 
> >>>com/netscape/cms/servlet/filter/AgentRequestFilter : Unsupported 
> >>>major.minor version 51.0 (unable to load class 
> >>>com.netscape.cms.servlet.filter.AgentRequestFilter)   at  
> >>>org.apache.catalina.loader.WebappClassLoader.findClassInternal(WebappClassLoader.java:2334)
> >>>lots of traceback
> >>>
> >>>/var/log/pki-ca/system is empty
> >>>/var/log/pki-ca/debug has nothing new for 2 days
> >
> >>CCing Fraser. This is a wild guess, but maybe you updated your java to 
> >>java-1.8.0-openjdk? PKI does not work on it on RHEL/CentOS:
> >
> >>https://bugzilla.redhat.com/show_bug.cgi?id=1262516
> >
> >>java would need to be switched with "alternate" to pre-1.8.0 version if 
> >>this is the case.
> >
> >The java version was the problem.
> 
> Good! Fraser, can we improve anything in pki-core, so that wrong java
> version issue like this one does not occur? IIRC, pki-core in RHEL-6.x was
> updated to somehow deal with java 1.8.0 (conflict), not sure if lower
> versions are also covered.
> 
AFAICT there is no such protection.  It seems to be more of an
unspoken "don't do that".

I guess the right approach when an unsupported alternative is
selected is to explicitly use a supported one.  I'm not sure what's
involved in making that change or whether it is worth the effort.

Adding pki-devel for comment from those with packaging experience.

Cheers,
Fraser

> >Luckily I have a java expert to hand who explained that major.minor version 
> >51.0 corresponds to java 7
> >http://stackoverflow.com/questions/9170832/list-of-java-class-file-format-major-version-numbers
> >When I did
> ># ps ax | grep java
> >I got
> >1460 ? Sl   1:21 /usr/java/default/bin/java -Djavax.sql.Da...
> ># /usr/java/default/bin/java -version
> >java version "1.6.0_31"
> >Java(TM) SE Runtime Environment (build 1.6.0_31-b04)
> >Java HotSpot(TM) 64-Bit Server VM (build 20.6-b01, mixed mode)
> >
> >I have both java-1.6.0-openjdk and java-1.7.0-openjdk installed but the 
> >/usr/java/default/bin is all from java-1.6.0-openjdk
> >
> >I have renamed /usr/java/default/bin/java to javaold and done
> ># ln -s /usr/bin/java /usr/java/default/bin/java
> ># /usr/java/default/bin/java -version
> >java version "1.7.0_91"
> >OpenJDK Runtime Environment (rhel-2.6.2.2.el6_7-x86_64 u91-b00)
> >OpenJDK 64-Bit Server VM (build 24.91-b01, mixed mode)
> 
> This may work, but looks a bit hacky. I think the right way is to use
> "alternate" program I mentioned earlier to let you choose the right version
> of the java executable and/or libraries.
> 
> >After a reboot FreeIPA works properly which is great but I'm wondering if 
> >there is a better fix though since all the other executables in are from the 
> >1.6 version. I can't find a corresponding location for 1.7 executables.
> 
> The "alternate" approach should "just work". I am glad you made the instance
> working again!
> 
> >
> >Thanks 
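
The version arithmetic this thread turns on, as an added example (not code from any poster or from FreeIPA/Dogtag): it pulls the class-file major version out of an UnsupportedClassVersionError, maps it to a Java release, and compares it with a `java -version` banner. The sample log excerpt, the header bytes and all function names are constructed for illustration.

```python
import re
import struct

# Constructed sample input: the catalina.out excerpt as wrapped in the thread,
# an 8-byte class-file header for major version 51, and the two
# `java -version` banners quoted in the messages.
SAMPLE_CATALINA = """SEVERE: Error deploying web application directory ca
java.lang.UnsupportedClassVersionError:
com/netscape/cms/servlet/filter/AgentRequestFilter : Unsupported major.minor
version 51.0 (unable to load class
com.netscape.cms.servlet.filter.AgentRequestFilter)
"""
SAMPLE_CLASS_HEADER = bytes.fromhex("cafebabe00000033")
JAVA6_BANNER = 'java version "1.6.0_31"'
JAVA7_BANNER = 'java version "1.7.0_91"'

ERROR_RE = re.compile(
    r"UnsupportedClassVersionError:\s*(\S+)\s*:\s*"
    r"Unsupported major\.minor version (\d+)\.\d+"
)


def java_release_for_major(major):
    """Map a class-file major version to the Java release that introduced it."""
    if major < 45:
        raise ValueError("not a valid class-file major version: %d" % major)
    if major <= 48:                      # 45..48 -> 1.1 .. 1.4
        return "1.%d" % (major - 44)
    return str(major - 44)               # 49 -> 5, 50 -> 6, 51 -> 7, 52 -> 8


def class_file_major(data):
    """Read the major version from the first 8 bytes of a .class file."""
    if len(data) < 8:
        raise ValueError("need at least 8 bytes")
    magic, _minor, major = struct.unpack(">IHH", data[:8])
    if magic != 0xCAFEBABE:
        raise ValueError("missing 0xCAFEBABE magic, not a class file")
    return major


def max_major_for_runtime(banner):
    """Highest class-file major version a JVM loads, from its version banner."""
    m = re.search(r'version "(\d+)(?:\.(\d+))?', banner)
    if not m:
        raise ValueError("no version string in banner")
    first, second = int(m.group(1)), m.group(2)
    # Old scheme "1.6.0_31" -> release 6; newer scheme "11.0.2" -> release 11.
    release = int(second) if first == 1 and second else first
    return release + 44


def diagnose(log_text, banner):
    """List classes the given runtime refused, with the release each one needs."""
    flat = " ".join(log_text.split())    # undo mail/log line wrapping
    supported = max_major_for_runtime(banner)
    findings = []
    for cls, major in ERROR_RE.findall(flat):
        major = int(major)
        findings.append({
            "class": cls,
            "needs_java": java_release_for_major(major),
            "runtime_java": java_release_for_major(supported),
            "runtime_too_old": major > supported,
        })
    return findings


if __name__ == "__main__":
    print("header major:", class_file_major(SAMPLE_CLASS_HEADER))
    for banner in (JAVA6_BANNER, JAVA7_BANNER):
        for finding in diagnose(SAMPLE_CATALINA, banner):
            print(banner, "->", finding)
```
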

Re: [Freeipa-users] Unable to communicate with CMS (Service Unavailable)

2015-11-16 Thread Nalin Dahyabhai
On Thu, Nov 12, 2015 at 08:55:25PM +0100, Martin Kosek wrote:
> On 11/12/2015 04:51 PM, Terry John wrote:
> >
> >I got a core dump of certmonger failing user abrt but it's huge. Is there 
> >any particular part that would be useful.
> 
> CCing Nalin and David for the core dump. More below.

My initial guess is that it's the same as the one reported in bug
#1260871.  There's a fix for a problem that might be the cause in 0.77.6
and 0.78.5.  If you can try a 0.77.6 build from the COPR system [1],
it'll help us figure out if we've correctly identified the cause, or if
the problem you're running into is a different one.

Thanks,

Nalin

[1] https://copr.fedoraproject.org/coprs/nalin/certmonger/build/139854/



Re: [Freeipa-users] Unable to communicate with CMS (Service Unavailable) (Solved)

2015-11-13 Thread Martin Kosek

On 11/13/2015 11:14 AM, Terry John wrote:

On 11/12/2015 04:51 PM, Terry John wrote:

I got a core dump of certmonger failing user abrt but it's huge. Is there any 
particular part that would be useful.



CCing Nalin and David for the core dump. More below.



On 11/12/2015 02:17 PM, Terry John wrote:

I had a working freeipa setup on a CentOS release 6.7 machine.  All was well 
until I did a yum update. Now I have multiple issues apparently based around the 
CMS (Service Unavailable) issue.
My current version of ipa-server is 3.0.0-47
Certmonger crashes with a segmentation fault at boot time and crashes every 
time I try to restart it when ipa is running.






# ipa cert-status
Request id: 20140417164153
ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (Service Unavailable)
# service certmonger status
certmonger (pid  3030) is running...



It looks like PKI cannot be contacted. I would recommend checking 
/var/log/httpd/error_log, it may have more details. I would also recommend checking 
"ipa cert-show 1", it will probably fail with the same bug.

Yes ipa cert-show 1 does show the same thing
# ipa cert-show 1
ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (Service Unavailable)


Next steps may include checking that dogtag service really runs, there is no 
SELinux AVC. If neither of these helps, you can check PKI logs /var/log/pki... 
to see what went wrong.

I'm pretty certain the dogtag service is not running


Then you have your lucky winner! :-)


Some pointers to logs are for example here:
http://www.freeipa.org/page/Troubleshooting#Server_Installation



/var/log/pki-ca/catalina.out contains the lines at boot time:




SEVERE: Error deploying web application directory ca
java.lang.UnsupportedClassVersionError: 
com/netscape/cms/servlet/filter/AgentRequestFilter : Unsupported major.minor 
version 51.0 (unable to load class 
com.netscape.cms.servlet.filter.AgentRequestFilter)   at  
org.apache.catalina.loader.WebappClassLoader.findClassInternal(WebappClassLoader.java:2334)
lots of traceback

/var/log/pki-ca/system is empty
/var/log/pki-ca/debug has nothing new for 2 days



CCing Fraser. This is a wild guess, but maybe you updated your java to 
java-1.8.0-openjdk? PKI does not work on it on RHEL/CentOS:



https://bugzilla.redhat.com/show_bug.cgi?id=1262516



java would need to be switched with "alternate" to pre-1.8.0 version if this is 
the case.


The java version was the problem.


Good! Fraser, can we improve anything in pki-core, so that wrong java version 
issue like this one does not occur? IIRC, pki-core in RHEL-6.x was updated to 
somehow deal with java 1.8.0 (conflict), not sure if lower versions are also 
covered.



Luckily I have a java expert to hand who explained that major.minor version 
51.0 corresponds to java 7
http://stackoverflow.com/questions/9170832/list-of-java-class-file-format-major-version-numbers
When I did
# ps ax | grep java
I got
1460 ? Sl   1:21 /usr/java/default/bin/java -Djavax.sql.Da...
# /usr/java/default/bin/java -version
java version "1.6.0_31"
Java(TM) SE Runtime Environment (build 1.6.0_31-b04)
Java HotSpot(TM) 64-Bit Server VM (build 20.6-b01, mixed mode)

I have both java-1.6.0-openjdk and java-1.7.0-openjdk installed but the 
/usr/java/default/bin is all from java-1.6.0-openjdk

I have renamed /usr/java/default/bin/java to javaold and done
# ln -s /usr/bin/java /usr/java/default/bin/java
# /usr/java/default/bin/java -version
java version "1.7.0_91"
OpenJDK Runtime Environment (rhel-2.6.2.2.el6_7-x86_64 u91-b00)
OpenJDK 64-Bit Server VM (build 24.91-b01, mixed mode)


This may work, but looks a bit hacky. I think the right way is to use 
"alternate" program I mentioned earlier to let you choose the right version of 
the java executable and/or libraries.



After a reboot FreeIPA works properly which is great but I'm wondering if there 
is a better fix though since all the other executables in are from the 1.6 
version. I can't find a corresponding location for 1.7 executables.


The "alternate" approach should "just work". I am glad you made the instance 
working again!




Thanks very much




Re: [Freeipa-users] Unable to communicate with CMS (Service Unavailable)

2015-11-12 Thread Martin Kosek

On 11/12/2015 04:51 PM, Terry John wrote:


I got a core dump of certmonger failing user abrt but it's huge. Is there any 
particular part that would be useful.


CCing Nalin and David for the core dump. More below.



On 11/12/2015 02:17 PM, Terry John wrote:

I had a working freeipa setup on a CentOS release 6.7 machine.  All was well 
until I did a yum update. Now I have multiple issues apparently based around the 
CMS (Service Unavailable) issue.
My current version of ipa-server is 3.0.0-47
Certmonger crashes with a segmentation fault at boot time and crashes every 
time I try to restart it when ipa is running.



It of course should not crash, it would be useful to have a backtrace from the 
core file that was generated.

Here is the backtrace of the core file:

In /var/log/messages I get
freeipasvr kernel: certmonger[2611] general protection ip:7fb487fed5f5 
sp:7ffd9df46898 error:0 in libc-2.12.so[7fb487ec3000+18a000]

This is the first error I get in /var/log/httpd/error_log when I try to delete 
a host
[error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): Unable to 
communicate with CMS (Service Unavailable)


If I stop ipa then start certmonger it starts ok and continues to run when I start ipa 
again but as soon as any requests are made like "getcert list" then it crashes 
again.
With certmonger still running I can do a request



# ipa cert-status
Request id: 20140417164153
ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (Service Unavailable)
# service certmonger status
certmonger (pid  3030) is running...



It looks like PKI cannot be contacted. I would recommend checking 
/var/log/httpd/error_log, it may have more details. I would also recommend checking 
"ipa cert-show 1", it will probably fail with the same bug.

Yes ipa cert-show 1 does show the same thing
# ipa cert-show 1
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate 
with CMS (Service Unavailable)


Next steps may include checking that dogtag service really runs, there is no 
SELinux AVC. If neither of these helps, you can check PKI logs /var/log/pki... 
to see what went wrong.

I'm sure SELinux is not an issue. There are no AVC errors in 
/var/log/audit/audit.log and it fails the same way in 'Enforcing' and 
'Permissive' modes

I'm pretty certain the dogtag service is not running


Then you have your lucky winner! :-)


Some pointers to logs are for example here:

[Freeipa-users] Unable to communicate with CMS (Service Unavailable)

2015-11-12 Thread Terry John
I had a working freeipa setup on a CentOS release 6.7 machine.  All was well 
until I did a yum update. Now I have multiple issues apparently based around the 
CMS (Service Unavailable) issue.

My current version of ipa-server is 3.0.0-47

Certmonger crashes with a segmentation fault at boot time and crashes every 
time I try to restart it when ipa is running.

If I stop ipa then start certmonger it starts ok and continues to run when I 
start ipa again but as soon as any requests are made like "getcert list" then 
it crashes again.

With certmonger still running I can do a request

# ipa cert-status
Request id: 20140417164153
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate 
with CMS (Service Unavailable)
# service certmonger status
certmonger (pid  3030) is running...

This fault with the "Service Unavailable" originally came up when I tried to 
delete a host from the freeipa GUI

In the file /var/log/dirsrv/slapd-PKI-IPA/errors there was a warning 
about nsslapd-cachememsize not being big enough but I don't know how to change 
it, if indeed this is anything to do with it.

Any pointers of where to look next would be much appreciated.






Re: [Freeipa-users] Unable to communicate with CMS (Service Unavailable)

2015-11-12 Thread Martin Kosek
On 11/12/2015 02:17 PM, Terry John wrote:
> I had a working freeipa setup on a CentOS release 6.7 machine.  All was well 
> until I did a yum update. Now I have multiple issues apparently based around 
> the CMS (Service Unavailable) issue.
> 
> My current version of ipa-server is 3.0.0-47
> 
> Certmonger crashes with a segmentation fault at boot time and crashes every 
> time I try to restart it when ipa is running.

It of course should not crash, it would be useful to have a backtrace from the
core file that was generated.

> If I stop ipa then start certmonger it starts ok and continues to run when I 
> start ipa again but as soon as any requests are made like "getcert list" then 
> it crashes again.
> 
> With certmonger still running I can do a request
> 
> # ipa cert-status
> Request id: 20140417164153
> ipa: ERROR: Certificate operation cannot be completed: Unable to communicate 
> with CMS (Service Unavailable)
> # service certmonger status
> certmonger (pid  3030) is running...

It looks like PKI cannot be contacted. I would recommend checking
/var/log/httpd/error_log, it may have more details. I would also recommend
checking "ipa cert-show 1", it will probably fail with the same bug.

Next steps may include checking that dogtag service really runs, there is no
SELinux AVC. If neither of these helps, you can check PKI logs /var/log/pki...
to see what went wrong.

Some pointers to logs are for example here:
http://www.freeipa.org/page/Troubleshooting#Server_Installation

> 
> This fault with the "Service Unavailable" originally came up when I tried to 
> delete a host from the freeipa GUI
> 
> In the file /var/log/dirsrv/slapd-PKI-IPA/errors there was a warning 
> about nsslapd-cachememsize not being big enough but I don't know how to 
> change it, if indeed this is anything to do with it.

This should not cause this error, it is more about performance tuning, AFAIK.

> 
> Any pointers of where to look next would be much appreciated.


Re: [Freeipa-users] Unable to communicate with CMS (Service Unavailable)

2015-11-12 Thread Terry John

I got a core dump of certmonger failing user abrt but it's huge. Is there any 
particular part that would be useful.



On 11/12/2015 02:17 PM, Terry John wrote:
>> I had a working freeipa setup on a CentOS release 6.7 machine.  All was well 
>> until I did a yum update. Now I have multiple issues apparently based around 
>> the CMS (Service Unavailable) issue.
>> My current version of ipa-server is 3.0.0-47
>> Certmonger crashes with a segmentation fault at boot time and crashes every 
>> time I try to restart it when ipa is running.

>It of course should not crash, it would be useful to have a backtrace from the 
>core file that was generated.
Here is the backtrace of the core file:
{   "signal": 11
,   "executable": "/usr/sbin/certmonger"
,   "stacktrace":
  [ {   "crash_thread": true
,   "frames":
  [ {   "address": 140527158519285
,   "build_id": "87a19a61dc011579f3e25de3ca9778c6fd9e4547"
,   "build_id_offset": 1222133
,   "function_name": "__strstr_sse42"
,   "file_name": "/lib64/libc.so.6"
}
  , {   "address": 140527209363149
,   "build_id": "3a90011aabc8c2612ed5fe7e1249bec8438c72b3"
,   "build_id_offset": 141005
,   "file_name": "/usr/sbin/certmonger"
}
  , {   "address": 140527209301676
,   "build_id": "3a90011aabc8c2612ed5fe7e1249bec8438c72b3"
,   "build_id_offset": 79532
,   "file_name": "/usr/sbin/certmonger"
}
  , {   "address": 140527209287550
,   "build_id": "3a90011aabc8c2612ed5fe7e1249bec8438c72b3"
,   "build_id_offset": 65406
,   "file_name": "/usr/sbin/certmonger"
}
  , {   "address": 140527209291166
,   "build_id": "3a90011aabc8c2612ed5fe7e1249bec8438c72b3"
,   "build_id_offset": 69022
,   "file_name": "/usr/sbin/certmonger"
}
  , {   "address": 140527196303038
,   "build_id": "4135efbfc51bb80e4945275a6e6ba10e9d8a2a11"
,   "build_id_offset": 36542
,   "file_name": "/usr/lib64/libtevent.so.0"
}
  , {   "address": 140527196295910
,   "build_id": "4135efbfc51bb80e4945275a6e6ba10e9d8a2a11"
,   "build_id_offset": 29414
,   "file_name": "/usr/lib64/libtevent.so.0"
}
  , {   "address": 140527196279965
,   "build_id": "4135efbfc51bb80e4945275a6e6ba10e9d8a2a11"
,   "build_id_offset": 13469
,   "function_name": "_tevent_loop_once"
,   "file_name": "/usr/lib64/libtevent.so.0"
}
  , {   "address": 140527209278079
,   "build_id": "3a90011aabc8c2612ed5fe7e1249bec8438c72b3"
,   "build_id_offset": 55935
,   "function_name": "main"
,   "file_name": "/usr/sbin/certmonger"
} ]
} ]
}

In /var/log/messages I get
freeipasvr kernel: certmonger[2611] general protection ip:7fb487fed5f5 
sp:7ffd9df46898 error:0 in libc-2.12.so[7fb487ec3000+18a000]

This is the first error I get in /var/log/httpd/error_log when I try to delete 
a host
[error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): Unable to 
communicate with CMS (Service Unavailable)

>> If I stop ipa then start certmonger it starts ok and continues to run when I 
>> start ipa again but as soon as any requests are made like "getcert list" 
>> then it crashes again.
>> With certmonger still running I can do a request
>>
>> # ipa cert-status
>> Request id: 20140417164153
>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>> communicate with CMS (Service Unavailable)
>> # service certmonger status
>> certmonger (pid  3030) is running...

>It looks like PKI cannot be contacted. I would recommend checking 
>/var/log/httpd/error_log, it may have more details. I would also recommend 
>checking "ipa cert-show 1", it will probably fail with the same bug.
Yes ipa cert-show 1 does show the same thing
# ipa cert-show 1
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate 
with CMS (Service Unavailable)

>Next steps may include checking that dogtag service really runs, there is no 
>SELinux AVC. If neither of these helps, you can check PKI logs /var/log/pki... 
>to see what went wrong.
I'm sure SELinux is not an issue. There are no AVC errors in 
/var/log/audit/audit.log and it fails the same way in 'Enforcing' and 
'Permissive' modes

I'm pretty certain the dogtag service is not running

>Some pointers to logs are for example here:
>http://www.freeipa.org/page/Troubleshooting#Server_Installation


/var/log/pki-ca/catalina.out contains the lines at boot time:
INFO: Deploying web