Re: [Freeipa-users] FreeIPA 4.2 CA issues

2017-01-26 Thread Gendy Tartovsky
Hi Petr,

# getcert list showed that all certificates are valid for 10 more months.

Server is listening on both ports 389 and 636 and external services are able
to use them.

Also port 8009 is active, I was able to do a telnet on it from localhost.


On Thu, Jan 26, 2017 at 1:31 PM, Petr Vobornik wrote:

> On 01/25/2017 02:30 PM, Gendy Tartovsky wrote:
> > Hi,
> >
> > I'm having a PKI-tomcat issue that started after an upgrade.
> > My configuration has 4 servers with CA, where servers 2, 3 and 4 are
> > replicated from the first one.
> > At first it didn't cause much trouble, since the whole issue came down to
> > pki-tomcat taking about 2 minutes to start.
> > But it seems that the problem has progressed a lot and is causing issues
> > in multiple parts of the system.
> >
> > After upgrading FreeIPA from 4.1 to 4.2, ipactl would not start on the
> > first node without --ignore-service-failures.
> >
> > I found that in the menu Authentication-->Certificates
> > I have multiple certificates for the same hosts; in some cases there were
> > up to 30 duplicates per host and it is unclear what is generating them.
> >
> > The next issue is that if I try to add a new replica with the
> > ipa-replica-prepare utility I get an error: "Failed to generate certificate"
> >
> > And the last problem I found is that I am unable to restore a backup.
> > The ipa-restore utility is able to unpack the backup, but once I try to
> > start FreeIPA on a new node pki-tomcat fails to start. And I see this
> > message in debug:
> >
> > ipa: DEBUG: Waiting for CA to start...
> > ipa: DEBUG: Starting external process
> > ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
> > '--no-check-certificate' 'https://:8443/ca/admin/ca/getStatus'
> > ipa: DEBUG: Process finished, return code=8
> >
> >
> > In /var/log/dirsrv/slapd-XXX/errors I see a lot of these:
> > NSMMReplicationPlugin - process_postop: Failed to apply update
> > (57c3cc550002000d) error (-1).  Aborting replication session(conn=272420 op=6)
> >
> > but I'm not sure if it is directly related to the problem.
> >
> > In /var/log/pki/pki-tomcat/ca/debug I see a lot of these messages:
> > Can't create master connection in LdapBoundConnFactory::getConn! Could not
> > connect to LDAP server host bos-admin1.hq.datarobot.com port 636 Error
> > netscape.ldap.LDAPException: IO Error creating JSS SSL Socket
> >
> > My guess was that the CA certificate had expired, so I tried to run
> > 'ipa-cacert-manage renew'
> > but it failed with this message:
> >
> > Resubmitting certmonger request '20151222031110' timed out, please check
> > the request manually
> >
> >
> > Don't really know what else to try right now.
> >
>
> Could you check:
>
> Is the directory server listening on ports 389 and 636?
>
> Is the PKI server listening on port 8009? That is, are you hitting bug
> https://fedorahosted.org/freeipa/ticket/6575
>
> You can verify whether the certs are expired by running
>
> # getcert list
>
> and checking the expiration date.
> --
> Petr Vobornik
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] FreeIPA 4.2 CA issues

2017-01-26 Thread Petr Vobornik
On 01/25/2017 02:30 PM, Gendy Tartovsky wrote:
> Hi,
> 
> I'm having a PKI-tomcat issue that started after an upgrade.
> My configuration has 4 servers with CA, where servers 2, 3 and 4 are
> replicated from the first one.
> At first it didn't cause much trouble, since the whole issue came down to
> pki-tomcat taking about 2 minutes to start.
> But it seems that the problem has progressed a lot and is causing issues in
> multiple parts of the system.
> 
> After upgrading FreeIPA from 4.1 to 4.2, ipactl would not start on the first
> node without --ignore-service-failures.
> 
> I found that in the menu Authentication-->Certificates
> I have multiple certificates for the same hosts; in some cases there were up
> to 30 duplicates per host and it is unclear what is generating them.
> 
> The next issue is that if I try to add a new replica with the
> ipa-replica-prepare utility I get an error: "Failed to generate certificate"
> 
> And the last problem I found is that I am unable to restore a backup.
> The ipa-restore utility is able to unpack the backup, but once I try to
> start FreeIPA on a new node pki-tomcat fails to start. And I see this
> message in debug:
> 
> ipa: DEBUG: Waiting for CA to start...
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' 
> '--no-check-certificate' 'https://:8443/ca/admin/ca/getStatus'
> ipa: DEBUG: Process finished, return code=8
> 
> 
> In /var/log/dirsrv/slapd-XXX/errors I see a lot of these:
> NSMMReplicationPlugin - process_postop: Failed to apply update
> (57c3cc550002000d) error (-1).  Aborting replication session(conn=272420 op=6)
> 
> but I'm not sure if it is directly related to the problem.
> 
> In /var/log/pki/pki-tomcat/ca/debug I see a lot of these messages:
> Can't create master connection in LdapBoundConnFactory::getConn! Could not
> connect to LDAP server host bos-admin1.hq.datarobot.com port 636 Error
> netscape.ldap.LDAPException: IO Error creating JSS SSL Socket
> 
> My guess was that the CA certificate had expired, so I tried to run
> 'ipa-cacert-manage renew'
> but it failed with this message:
> 
> Resubmitting certmonger request '20151222031110' timed out, please check
> the request manually
> 
> 
> Don't really know what else to try right now.
> 

Could you check:

Is the directory server listening on ports 389 and 636?

Is the PKI server listening on port 8009? That is, are you hitting bug
https://fedorahosted.org/freeipa/ticket/6575

You can verify whether the certs are expired by running

# getcert list

and checking the expiration date.
-- 
Petr Vobornik

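The three checks Petr asks for, scripted as an added example (not FreeIPA's or certmonger's own tooling): it parses `getcert list` output for requests whose certificate expires soon or that are not in the normal MONITORING state, and probes the listener ports. The `getcert list` sample below is constructed (only request ID 20151222031110 comes from the thread), and `port_listening` assumes a Linux host with `ss`.

```shell
#!/bin/sh
# Added example, not FreeIPA's own tooling. Constructed sample of `getcert list`
# output: 20151222031110 is the request ID from the thread, the others are made up.
SAMPLE_GETCERT="Number of certificates and requests being tracked: 3.
Request ID '20151222031110':
        status: CA_UNREACHABLE
        stuck: no
        expires: 2017-11-21 03:11:10 UTC
Request ID '20151222031111':
        status: MONITORING
        stuck: no
        expires: 2017-02-10 03:11:10 UTC
Request ID '20151222031112':
        status: MONITORING
        stuck: yes
        expires: 2017-11-21 03:11:10 UTC"

# Print "request_id<TAB>expiry" for certificates expiring on or before $2
# (YYYY-MM-DD); ISO dates compare correctly as plain strings.
getcert_expiring() {
    printf '%s\n' "$1" | awk -v cutoff="$2" '
        /^Request ID/ { gsub(/[^0-9]/, "", $3); id = $3 }
        $1 == "expires:" && $2 <= cutoff { print id "\t" $2 }'
}

# Print "request_id<TAB>state" for requests that are not quietly MONITORING
# (e.g. CA_UNREACHABLE when pki-tomcat is down) or that certmonger reports stuck.
getcert_unhealthy() {
    printf '%s\n' "$1" | awk '
        /^Request ID/ { gsub(/[^0-9]/, "", $3); id = $3 }
        $1 == "status:" && $2 != "MONITORING" { print id "\t" $2 }
        $1 == "stuck:" && $2 != "no" { print id "\tstuck" }'
}
# Return 0 if a local TCP listener exists on port $1 (assumes Linux with ss).
port_listening() {
    ss -Hlnt 2>/dev/null | awk -v port="$1" '
        { n = split($4, a, ":"); if (a[n] == port) found = 1 }
        END { exit !found }'
}

# GETCERT_LIVE=1 runs the checks on this host; otherwise the sample is used.
if [ "${GETCERT_LIVE:-0}" = 1 ]; then
    LISTING=$(getcert list); CUTOFF=$(date -u -d '+30 days' +%F 2>/dev/null || date -u +%F)
    for p in 389 636 8009 8443; do
        port_listening "$p" && echo "port $p: listening" || echo "port $p: NOT listening"
    done
else LISTING=$SAMPLE_GETCERT; CUTOFF=2017-03-01; fi   # constructed sample
echo "--- expiring on or before $CUTOFF"; getcert_expiring "$LISTING" "$CUTOFF"
echo "--- not healthy in certmonger";     getcert_unhealthy "$LISTING"
```

Real `getcert list` output indents the fields with tabs rather than spaces; awk's default whitespace splitting handles both.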


[Freeipa-users] FreeIPA 4.2 CA issues

2017-01-25 Thread Gendy Tartovsky
Hi,

I'm having a PKI-tomcat issue that started after an upgrade.
My configuration has 4 servers with CA, where servers 2, 3 and 4 are
replicated from the first one.
At first it didn't cause much trouble, since the whole issue came down to
pki-tomcat taking about 2 minutes to start.
But it seems that the problem has progressed a lot and is causing issues in
multiple parts of the system.

After upgrading FreeIPA from 4.1 to 4.2, ipactl would not start on the first
node without --ignore-service-failures.

I found that in the menu Authentication-->Certificates
I have multiple certificates for the same hosts; in some cases there were up
to 30 duplicates per host and it is unclear what is generating them.

The next issue is that if I try to add a new replica with the
ipa-replica-prepare utility I get an error: "Failed to generate certificate"

And the last problem I found is that I am unable to restore a backup.
The ipa-restore utility is able to unpack the backup, but once I try to
start FreeIPA on a new node pki-tomcat fails to start. And I see this
message in debug:

ipa: DEBUG: Waiting for CA to start...
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
'--no-check-certificate' 'https://:8443/ca/admin/ca/getStatus'
ipa: DEBUG: Process finished, return code=8


In /var/log/dirsrv/slapd-XXX/errors I see a lot of these:
NSMMReplicationPlugin - process_postop: Failed to apply update
(57c3cc550002000d) error (-1).  Aborting replication session(conn=272420 op=6)

but I'm not sure if it is directly related to the problem.

In /var/log/pki/pki-tomcat/ca/debug I see a lot of these messages:
Can't create master connection in LdapBoundConnFactory::getConn! Could not
connect to LDAP server host bos-admin1.hq.datarobot.com port 636 Error
netscape.ldap.LDAPException: IO Error creating JSS SSL Socket

My guess was that the CA certificate had expired, so I tried to run
'ipa-cacert-manage renew'
but it failed with this message:

Resubmitting certmonger request '20151222031110' timed out, please check
the request manually


Don't really know what else to try right now.