Unable to connect to Kerberized NFS after reboot
by Darac Marjal
Hello all,
I have a server running Proxmox, on which I have a virtual machine
running FreeIPA. I did have this set up running Kerberized NFS, but a
while ago, I rebooted the Proxmox host and now I always get "Permission
Denied" when trying to mount the NFS server.
To give more detail, the Proxmox server (Debian Based) is running
proxmox 5.3-8 (latest version) and is joined to the FreeIPA domain:
# realm list
ghibli.darac.org.uk
type: kerberos
realm-name: GHIBLI.DARAC.ORG.UK
domain-name: ghibli.darac.org.uk
configured: kerberos-member
server-software: ipa
client-software: sssd
required-package: freeipa-client
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
login-formats: %U(a)ghibli.darac.org.uk
login-policy: allow-realm-logins
The NFS server is configured as follows:
# for i in /etc/default/nfs-* /etc/exports; do echo "---- $i"; grep "^[^#]" $i; done
---- /etc/default/nfs-common
NEED_STATD=
STATDOPTS=
NEED_IDMAPD=yes
NEED_GSSD=yes
---- /etc/default/nfs-kernel-server
RPCNFSDCOUNT=8
RPCNFSDPRIORITY=0
RPCMOUNTDOPTS="--manage-gids -N 2 -N 3 -d all"
NEED_SVCGSSD="yes"
RPCSVCGSSDOPTS=" -v -v -v"
RPCNFSDOPTS=" -d 3"
---- /etc/exports
/tank
192.0.0.0/24(rw,sec=sys:krb5:krb5i:krb5p,no_subtree_check,no_root_squash)
The server has keys, too (I have tried refreshing these with
`ipa-getkeytab -r -s ipaserver -p nfs/gusteau.darac.org.uk -k /etc/krb5.keytab`)
# klist -ke /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
9 host/gusteau.darac.org.uk(a)GHIBLI.DARAC.ORG.UK (aes256-cts-hmac-sha1-96)
9 host/gusteau.darac.org.uk(a)GHIBLI.DARAC.ORG.UK (aes128-cts-hmac-sha1-96)
9 nfs/gusteau.darac.org.uk(a)GHIBLI.DARAC.ORG.UK (aes256-cts-hmac-sha1-96)
9 nfs/gusteau.darac.org.uk(a)GHIBLI.DARAC.ORG.UK (aes128-cts-hmac-sha1-96)
The client is, for example, my laptop running Debian. It, too, is joined
to the domain:
# realm list
ghibli.darac.org.uk
type: kerberos
realm-name: GHIBLI.DARAC.ORG.UK
domain-name: ghibli.darac.org.uk
configured: kerberos-member
server-software: ipa
client-software: sssd
required-package: freeipa-client
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
login-formats: %U(a)ghibli.darac.org.uk
login-policy: allow-realm-logins
It, too, has these keys:
# klist -ke /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
4 host/toothless.darac.org.uk(a)GHIBLI.DARAC.ORG.UK (aes256-cts-hmac-sha1-96)
4 host/toothless.darac.org.uk(a)GHIBLI.DARAC.ORG.UK (aes128-cts-hmac-sha1-96)
2 nfs/toothless.darac.org.uk(a)GHIBLI.DARAC.ORG.UK (aes256-cts-hmac-sha1-96)
2 nfs/toothless.darac.org.uk(a)GHIBLI.DARAC.ORG.UK (aes128-cts-hmac-sha1-96)
And the user has a valid ticket:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: darac(a)GHIBLI.DARAC.ORG.UK
Valid starting       Expires              Service principal
03/02/19 19:31:44    04/02/19 19:31:38    krbtgt/GHIBLI.DARAC.ORG.UK(a)GHIBLI.DARAC.ORG.UK
However, when I try to mount the server:
# mount -v -t nfs4 -o sec=krb5 gusteau.darac.org.uk:/tank mnt
mount.nfs4: timeout set for Sun Feb 3 19:34:49 2019
mount.nfs4: trying text-based options 'sec=krb5,vers=4.2,addr=192.0.2.100,clientaddr=192.0.2.187'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting gusteau.darac.org.uk:/tank
My problem is that I've run out of places to look for errors. I've tried
enabling NFS debugging, but I don't see anything obvious there. I've
also looked in /var/log/krb5kdc.log on the FreeIPA server, but I don't
see any log messages there when the mount is attempted.
Apologies if this isn't the right place to ask about this, but it's one
of these questions of "Is it FreeIPA at fault? Is it Kerberos? Is it my
setup?" and I've got to start somewhere. Many thanks.
5 years, 2 months
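One check worth making before digging into Kerberos: the `mount -v` output above reports `clientaddr=192.0.2.187`, while the only `/etc/exports` entry admits `192.0.0.0/24`. The server's export check is independent of the GSS handshake, so a client that matches no entry is refused whatever credentials it presents, and the KDC log stays silent exactly as described. The following is an added example (not code from the post) that parses exports(5) client specifications for the forms that matter here (CIDR, single address or hostname, label-wise wildcards and `*`), decides whether a given client is admitted, and reports which `sec=` flavours that entry offers. The sample exports file is constructed and modelled on the one in the post.

```python
"""Which /etc/exports entry admits an NFS client, and with which sec= flavours?"""
import ipaddress
import re

# Constructed sample: the post's /tank line plus two extra entries to show
# wildcard-hostname and bare '*' handling.
SAMPLE_EXPORTS = """\
# comment lines and trailing comments are ignored
/tank 192.0.0.0/24(rw,sec=sys:krb5:krb5i:krb5p,no_subtree_check,no_root_squash)
/scratch *.darac.org.uk(ro,sec=krb5p)   # hostname wildcard, one flavour only
/pub *
"""

# client spec followed by an optional parenthesised option list
_SPEC_RE = re.compile(r"^([^(]+)(?:\((.*)\))?$")


def parse_exports(text):
    """Return [(path, client_spec, {option: value}), ...] in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = _SPEC_RE.match(spec)
            client, opts = m.group(1), m.group(2) or ""
            options = {}
            for opt in filter(None, opts.split(",")):
                key, _, value = opt.partition("=")
                options[key] = value
            entries.append((path, client, options))
    return entries


def _wildcard_to_regex(spec):
    """exports(5): '*' and '?' match inside one DNS label and never match a dot."""
    out = ""
    for ch in spec:
        if ch == "*":
            out += r"[^.]*"
        elif ch == "?":
            out += r"[^.]"
        else:
            out += re.escape(ch)
    return re.compile("^" + out + "$", re.IGNORECASE)


def client_matches(spec, client_ip, client_fqdn=None):
    """True if the client (address, plus reverse name if known) matches an exports(5) client spec."""
    if spec == "*":
        return True
    if "/" in spec:  # CIDR or address/netmask form
        try:
            return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)
        except ValueError:
            return False
    if "*" in spec or "?" in spec:  # wildcard hostname needs the client's reverse name
        return bool(client_fqdn) and bool(_wildcard_to_regex(spec).match(client_fqdn))
    try:  # single IP address
        return ipaddress.ip_address(spec) == ipaddress.ip_address(client_ip)
    except ValueError:  # plain hostname
        return client_fqdn is not None and spec.lower() == client_fqdn.lower()


def offered_flavours(options):
    """sec= flavours the entry offers; exports(5) defaults to sys when sec= is absent."""
    return options.get("sec", "sys").split(":")


def check_mount(exports_text, path, client_ip, client_fqdn=None, wanted_sec="krb5"):
    """Return (verdict, detail); verdict is 'ok', 'no-entry' or 'sec-not-offered'."""
    for epath, spec, options in parse_exports(exports_text):
        if epath != path or not client_matches(spec, client_ip, client_fqdn):
            continue
        flavours = offered_flavours(options)
        if wanted_sec in flavours:
            return "ok", f"{path} exported to {spec} with sec={':'.join(flavours)}"
        return "sec-not-offered", f"{path} matches {spec} but sec={wanted_sec} is not in {flavours}"
    return "no-entry", f"no export of {path} admits client {client_ip}; the server refuses before credentials matter"


if __name__ == "__main__":
    for args in (("/tank", "192.0.2.187"),  # the client address from the post
                 ("/tank", "192.0.0.50"),
                 ("/scratch", "198.51.100.7", "toothless.darac.org.uk")):
        print(args, "->", check_mount(SAMPLE_EXPORTS, *args))
```

Run it on the real file with `check_mount(open("/etc/exports").read(), "/tank", "<clientaddr from mount -v>")`; a `no-entry` verdict means the address range (or the reverse-DNS name, for hostname entries) is the first thing to fix, and only an `ok` verdict makes the keytab and ticket checks the next step.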
FreeIPA-Client now in Debian Buster
by Jochen Hein
Hello,
today freeipa-client migrated from sid to buster - thanks a lot for
this!
Jochen
--
This space is intentionally left blank.
5 years, 2 months
FreeIPA FreeRADIUS and WiFi (EAP-TLS) not working
by Nick Dawson
Hey folks,
I've been banging my head against trying to get FreeRADIUS to work with FreeIPA for WiFi Auth. The good news is that I've learned a ton, the bad news is that I'm quite lost still :)
My main goal is a secure way to do user-based (user/pass) auth on a WiFi network. I've been trying to wrap my head around the differences between EAP-TLS and EAP-TTLS and how different inner and outer tunnels interact with FreeIPA.
I've followed literally every guide, mailing list post, and blog that comes up in the top 20 google results. There's a surprising few, and all seem to share the same genesis. That makes me wonder, is this stuff easy and obvious to most? Or is it rarely done and not really supported?
First question: I think I understand that the most commonly used option is EAP-TLS and PEAP with mschapv2. And that required ntmhashes (I've done the AD trust steps).
Is there a more secure way? Could I do EAP-TTLS with user certs and keep the passwords encrypted end to end to the ldap server? Is there a way that doesn't require the ntmhashes?
Here's what I've done:
1. I've created a radius/host.... service account.
2. I've assigned it a password and can kinit against it
3. That principal and pass are in /mods-enabled/ldap as:
identity = krbprincipalname=radius/ipa.secure.nsnet.us(a)SECURE.MYDOMAIN.US,cn=services,cn=accounts,dc=secure,dc=mydomain,dc=us
password = HDdkr%rkd094D!@ekd
(Not my actual pass, but representative of the complexity and characters)
And here's what I get:
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Bind credentials incorrect: Invalid credentials
>rlm_ldap (ldap): Opening connection failed (0)
>rlm_ldap (ldap): Removing connection pool
>/etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
I've also tried creating a user account and assigning it access rights to the radius server role and I assigned it rights to read the ntmhashes. That works (binds and radtest works) and can bind, but EAP fails.
Anyone have any tips on getting up and running with FreeRADIUS and WiFi?
5 years, 2 months
need to rebuild replica agreement between 2 locations
by Kat
Hi all,
Things have been going along smoothly and no issues with FreeIPA until
recently. Consider the following:
Original Config:
ipa-1 <---> ipa-2 <-|-> ipa-3 <---> ipa-4
Stage | Prod
Yes, this was not a perfect design because exactly what I feared
happened. The connection between 2 and 3 got broken and ipa-2 actually
failed an Upgrade and the only way to get it working again was to
re-install ipa-server and make it a replica with ipa-1
The problem is - now I have 2 "separate" environments instead of a
shared one because I cannot figure out a way to get ipa-3 to reconnect
to ipa-2 as a replica agreement.
This is all with latest RHEL 7.6 and 4.6.4-10.el7_6.2 version of IPA on
all 4 nodes. Prior to the upgrade, everything was fine and replication
was running across all 4 nodes. During the upgrade (patching) process
ipa-2 got a database error and it was not detected for 2 days. When you
tried to restart it - it wanted to upgrade the database, the same as all
the other 3 but failed with errors and there seemed to be no way to get
them to sync up. It has been 4 days now. I would love to get all 4
talking again, but because ipa-2 was rebuilt using ipa-1 as the master
it connected to, it won't talk to ipa-3. I was trying several of the new
"topology" commands to try to get them connected, but no luck.
Any ideas on how I might accomplish getting the 2 environments
re-connected?
Thanks
K
5 years, 2 months
Add a picture to freeipa user
by Rufa Rufa
Hello,
Can someone please help me to add a picture to the FreeIPA user? I did the following steps:
1- Create a new file with ldif extension:
$vi test.ldif
2- copy the following lines:
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 2.25.28639311321113238241701611583088740684.14.2.2
  NAME 'UsersPicture'
  EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  X-ORIGIN 'Extending FreeIPA' )

dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 2.25.28639311321113238241701611583088740684.14.2.1
  NAME 'customPerson' SUP person
  STRUCTURAL
  MAY ( UsersPicture )
  X-ORIGIN 'Extending FreeIPA' )
(Not sure if the objectclass OID should be the same as the attribute's, changing the 2 to 1 at the end)
3- Get kerberos ticket:
$kinit admin
4- add the attribute and objectclass to the ldap with the following command (joined webpage About the IDM client tools):
$ldapmodify -D "cn=Directory Manager" -W -p 389 -h ipaserver.example.com -f test.ldif -v
5- Restart freeipa server:
$ipactl restart
6- ipa config-mod --addattr=ipaUserObjectClasses=object_class_name_added_above
7- Add the attribute to a user
$ ipa user-mod ttest1 --addattr=UsersPicture=path_to_the_picture
8- Verify if the user has the new attribute:
$ipa user-show --all loginname | grep UsersPicture
$userspictures: L2hvbw....uanBn
How do I add this attribute to the GUI users to check if the picture is working?
Thanks,
5 years, 2 months
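The procedure above hinges on a schema-extension LDIF that `ldapmodify` accepts. The three things that most often make it fail are continuation lines without the leading fold space, an object class reusing the attribute's OID (the question raised in step 2), and an object class naming an attribute the server does not know. The following added example (not the post's own LDIF) generates both records under the post's `2.25…14.2` arc and validates those properties. Two choices in it are assumptions on my part and not from the post: the class is defined as `AUXILIARY` with `SUP top` rather than `STRUCTURAL SUP person`, which avoids giving a user entry a second structural chain, and the picture attribute uses the standard LDAP JPEG syntax (`1.3.6.1.4.1.1466.115.121.1.28`, RFC 4517) instead of Directory String; switch the syntax constant back if the value stored is really a file path.

```python
"""Build and sanity-check a cn=schema extension LDIF for 389-ds / FreeIPA."""
import re

# Arc from the post; a real deployment derives its own 2.25.<uuid> arc.
BASE_OID = "2.25.28639311321113238241701611583088740684.14.2"
JPEG_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.28"             # RFC 4517 JPEG (assumed choice)
DIRECTORY_STRING_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.15"  # what the post used


def _fold(parts):
    """LDIF folding: continuation lines carry one fold-marker space plus one real space,
    so the tokens still have a separator after the client unfolds them."""
    return "\n".join([parts[0]] + ["  " + p for p in parts[1:]])


def attribute_type_ldif(oid, name, syntax, equality=None, origin="Extending FreeIPA"):
    parts = [f"( {oid}", f"NAME '{name}'"]
    if equality:
        parts.append(f"EQUALITY {equality}")
    parts += [f"SYNTAX {syntax}", f"X-ORIGIN '{origin}' )"]
    return "dn: cn=schema\nchangetype: modify\nadd: attributeTypes\nattributeTypes: " + _fold(parts)


def object_class_ldif(oid, name, sup, kind, may=(), must=(), origin="Extending FreeIPA"):
    parts = [f"( {oid}", f"NAME '{name}' SUP {sup}", kind]
    if must:
        parts.append("MUST ( " + " $ ".join(must) + " )")
    if may:
        parts.append("MAY ( " + " $ ".join(may) + " )")
    parts.append(f"X-ORIGIN '{origin}' )")
    return "dn: cn=schema\nchangetype: modify\nadd: objectClasses\nobjectClasses: " + _fold(parts)


def build_schema_ldif():
    """The two records of the procedure: distinct OIDs, class MAY-references the attribute."""
    attr = attribute_type_ldif(BASE_OID + ".2", "usersPicture", JPEG_SYNTAX)
    oc = object_class_ldif(BASE_OID + ".1", "customPerson", "top", "AUXILIARY", may=("usersPicture",))
    return attr + "\n\n" + oc + "\n"


def unfold_ldif(text):
    """Undo LDIF folding; returns records as lists of 'attr: value' lines."""
    records, current = [], []
    for raw in text.splitlines():
        if raw.startswith(" "):
            if not current:
                raise ValueError(f"continuation line with nothing to continue: {raw!r}")
            current[-1] += raw[1:]
        elif raw.strip() == "":
            if current:
                records.append(current)
                current = []
        else:
            current.append(raw)
    if current:
        records.append(current)
    return records


_OID_RE = re.compile(r"^\(\s*([0-9.]+)")
_NAME_RE = re.compile(r"NAME\s+'([^']+)'")
_LIST_RE = re.compile(r"\b(MAY|MUST)\s+\(([^)]*)\)")


def validate_schema_ldif(text, known_attributes=()):
    """Return a list of problems; empty means every check passed.
    known_attributes lists attributes already in the server schema (e.g. jpegPhoto)."""
    problems, oids, referenced = [], {}, []
    defined = {a.lower() for a in known_attributes}
    for rec in unfold_ldif(text):
        for line in rec:
            key, _, value = line.partition(": ")
            if key.lower() not in ("attributetypes", "objectclasses"):
                continue
            m = _OID_RE.match(value)
            if not m:
                problems.append(f"no OID at start of {key} definition: {value[:40]}")
                continue
            nm = _NAME_RE.search(value)
            oid, name = m.group(1), (nm.group(1) if nm else "?")
            if oid in oids:
                problems.append(f"OID {oid} reused by {name!r} and {oids[oid]!r}")
            oids[oid] = name
            if key.lower() == "attributetypes":
                defined.add(name.lower())
            else:
                for _, names in _LIST_RE.findall(value):
                    referenced += [n.strip() for n in names.split("$") if n.strip()]
    for n in referenced:
        if n.lower() not in defined:
            problems.append(f"object class references undefined attribute {n!r}")
    return problems


if __name__ == "__main__":
    ldif = build_schema_ldif()
    print(ldif)
    print("problems:", validate_schema_ldif(ldif) or "none")
```

Write the generated text to `test.ldif` and feed it to the `ldapmodify -D "cn=Directory Manager" -W -f test.ldif` command from step 4; run `validate_schema_ldif` on any hand-edited file first, passing attributes already in the server schema (for example `known_attributes=["jpegPhoto"]`) so references to them are not reported as undefined.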
AD Trust: Add "mail" user attribute to AD -> IPA transfer
by Lenhardt, Matthias
Hi,
we have an IPA 4.6.4 environment with an AD Trust configured and everything's working perfectly.
My question is: Is it possible to configure that extra AD user attributes are transferred? I would need the AD user attribute "mail" with the user's email address.
This question came up after I tried to connect GitLab to IPA and authentication with an AD user fails, because IPA doesn't have the "mail" attribute of the user, so login is denied. (Authentication on Linux systems is working.)
Thanks in advance!
Regards
Matthias Lenhardt
System Administrator
BITMARCK
*****************************************************************
The information in this e-mail is confidential and intended exclusively for
the named addressee(s). Access to this e-mail by persons other than the named
addressee(s) is not permitted. If you are not the named addressee, please
delete this e-mail.
5 years, 2 months
Failed to start 389 Directory Server
by Zarko D
Hi there, this is ipa-server-4.4.0-12.0.1 with 389-ds-base-1.3.5.10-11 and suddenly daily backup has started to fail with messages:
2019-01-28T04:10:04Z INFO Backing up ipaca in REALM-COM to LDIF
2019-01-28T04:10:04Z INFO Waiting for LDIF to finish
2019-01-28T04:10:05Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_backup.py", line 300, in run
    self.db2ldif(instance, 'ipaca', online=options.online)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_backup.py", line 425, in db2ldif
    shutil.move(ldiffile, os.path.join(self.dir, ldifname))
  File "/usr/lib64/python2.7/shutil.py", line 301, in move
    copy2(src, real_dst)
  File "/usr/lib64/python2.7/shutil.py", line 130, in copy2
    copyfile(src, dst)
  File "/usr/lib64/python2.7/shutil.py", line 82, in copyfile
    with open(src, 'rb') as fsrc:
2019-01-28T04:10:05Z DEBUG The ipa-backup command failed, exception: IOError: [Errno 2] No such file or directory: u'/var/lib/dirsrv/slapd-REALM-COM/ldif/REALM-COM-ipaca.ldif'
2019-01-28T04:10:05Z ERROR [Errno 2] No such file or directory: u'/var/lib/dirsrv/slapd-REALM-COM/ldif/REALM-COM-ipaca.ldif'
2019-01-28T04:10:05Z ERROR The ipa-backup command failed. See /var/log/ipabackup.log for more information
And service start fails with messages:
[02/Feb/2019:22:47:37.889779410 -0800] 389-Directory/1.3.5.10 B2016.309.1527 starting up
[02/Feb/2019:22:47:37.906422534 -0800] default_mr_indexer_create: warning - plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
[02/Feb/2019:22:47:37.921288555 -0800] WARNING: userRoot: entry cache size 10485760 B is less than db size 16932864 B; We recommend to increase the entry cache size nsslapd-cachememsize.
[02/Feb/2019:22:47:37.921943984 -0800] WARNING: ipaca: entry cache size 10485760 B is less than db size 1757741056 B; We recommend to increase the entry cache size nsslapd-cachememsize.
[02/Feb/2019:22:47:37.922701343 -0800] WARNING: changelog: entry cache size 2097152 B is less than db size 82935808 B; We recommend to increase the entry cache size nsslapd-cachememsize.
[02/Feb/2019:22:47:37.925215059 -0800] Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[02/Feb/2019:22:47:37.926177620 -0800] libdb: BDB1546 unable to join the environment
thanks in advance for any help, Zarko
5 years, 2 months
Possible to ignore all AD groups?
by Charles Ulrich
Hello,
Hopefully this might be a straightforward question.
I have a testing instance of FreeIPA version 4.6.4 installed on CentOS 7 from the distro's default repos. I have it configured for a one-way trust to an Active Directory deployment. On the client side, I have installed and configured the freeipa-client package version 4.7.0 on Ubuntu 18.04. This is all basically working as advertised according to the docs.
However, when I log into the client with an AD account and run the `id` command, I'm seeing all of my AD groups listed. Is there a way to have FreeIPA completely ignore all groups from AD when dealing with external users? The ultimate goal (and let me know if this is beyond FreeIPA's capabilities) is to ignore/discard all groups in AD and manage users instead by groups in FreeIPA.
One thing I did try was adding these options to the domain section of `sssd.conf` on the FreeIPA server, but they didn't have any effect and I suspect I don't fully understand what they are for:
ignore_group_members = True
subdomain_inherit = ignore_group_members
Thanks for any advice, even if it's "hey, don't do that".
Charles
5 years, 2 months
Upgrading from V3 on Fedora to V4 on CentOS, CA promotion steps?
by Jernej Jakob
Hi,
I'm tasked with upgrading our current setup of 3.3.5 on F19 to something more recent and stable (CentOS 7 or CentOS 8).
There were instructions at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/...
which is now 404 so I've searched around and found a thread on freeipa-users: https://www.redhat.com/archives/freeipa-users/2016-April/msg00260.html
This thread also points to the above 404 link and another thread: https://www.redhat.com/archives/freeipa-users/2016-April/msg00143.html
When I was reading up on this a year or two ago, there were some guides still up, and I recall there were some commands to check master/replica CA status and promote/demote the CAs in V3. I can't find these any more.
There is a section "Procedure in FreeIPA < 4.0" here: https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
But I do not have a /var/lib/pki-ca, only /var/lib/pki/pki-tomcat so that doesn't work.
This was originally a 2-server setup with master-replica, CA and DNS, but due to a firewall misconfiguration after a system upgrade the replication was disconnected for some time. When the split was detected due to us editing the configuration on the master and it not being propagated, we reestablished the connection but things never got back to fully working (I recall we could only edit the configuration on the master, any changes on the replica got lost). We then unenrolled the replica which left us with only the master that is running currently. Everything including enrolling new clients works so IMO this means we're left with the CA master, so we'd want to upgrade this to V4 and have at least 2 replicas back ASAP.
If I understand things correctly, first we need to check if all the certificates are valid and if not renew them, then install a V3 replica, promote/demote the CAs, check if things are working correctly, unenroll the old V3 master, upgrade the replica (now master) to V4 and install additional replicas.
Since this is our production system with ~20 clients, DNS with custom zones, HBAC, etc I'd not like to experiment a lot with it (we do have backups just in case).
I'd highly appreciate if anyone has any suggestions, instructions or an archived upgrade guide somewhere...
Thanks.
Jernej
5 years, 2 months
Re: CA no certs being tracked?
by Chris Mohler
I have not been able to renew the expired certificates yet. I would
appreciate help if possible.
> Followup summary:
>
> Q: Seems like part of the problem is that the KDC was not running. Had
> you
> done ipactl stop prior to the upgrade?
>
> A: I could not get the KDC to stay running. So yes it was off during
> the upgrade.
>
> Q: Did it end up creating the tracking? Are there expired certs?
>
> A: I was able to get the upgrade to finish successfully, after
> restoring the server from VM snapshot, rolling back the system date,
> and trying the update again. It did create the cert tracking!!! Yes
> there are expired certs.
>
> Q: As an aside, I'd have suggested deferring the package upgrade until
> after
> the other things were sorted. It just adds another moving part. Water
> under the bridge now.
>
> A: Yes sorry.
>
>
>> On 2/5/2019 11:18 AM, Rob Crittenden wrote:
>>> Chris Mohler wrote:
>>>> Well... That was a mess.
>>>>
>>>> The ipa-server-upgrade didn't go so well. It failed and now my
>>>> ca-replication master is broken. Here are the details. Any hope?
>>>>
>>>>> Upgrading IPA:. Estimated time: 1 minute 30 seconds
>>>>> [1/11]: stopping directory server
>>>>> [2/11]: saving configuration
>>>>> [3/11]: disabling listeners
>>>>> [4/11]: enabling DS global lock
>>>>> [5/11]: disabling Schema Compat
>>>>> [6/11]: starting directory server
>>>>> [7/11]: updating schema
>>>>> [8/11]: upgrading server
>>>>> [9/11]: stopping directory server
>>>>> [10/11]: restoring configuration
>>>>> [11/11]: starting directory server
>>>>> Done.
>>>>> Update complete
>>>>> Upgrading IPA services
>>>>> Upgrading the configuration of the IPA services
>>>>> [Verifying that root certificate is published]
>>>>> [Migrate CRL publish directory]
>>>>> CRL tree already moved
>>>>> [Verifying that CA proxy configuration is correct]
>>>>> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
>>>>> command ipa-server-upgrade manually.
>>>>> CA did not start in 300.0s
>>>>> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log
>>>>> for
>>>>> more information
>>> Seems like part of the problem is that the KDC was not running. Had you
>>> done ipactl stop prior to the upgrade?
>>>
>>> Did it end up creating the tracking? Are there expired certs?
>>>
>>> As an aside, I'd have suggested deferring the package upgrade until after
>>> the other things were sorted. It just adds another moving part. Water
>>> under the bridge now.
>>>
>>> rob
>>>
>>>> Here is a wall of errors from my /var/log/ipaupgrade.log
>>>>> Feb 4 17:47:33 ipa2 ns-slapd: [04/Feb/2019:17:47:33.947136504 -0500]
>>>>> - ERR - set_krb5_creds - Could not get initial credentials for
>>>>> principal [ldap/ipa2.domain.com(a)domain.com] in keytab
>>>>> [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for
>>>>> requested realm)
>>>>> Feb 4 17:47:33 ipa2 ns-slapd: [04/Feb/2019:17:47:33.953577522 -0500]
>>>>> - ERR - slapi_ldap_bind - Error: could not send startTLS request:
>>>>> error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is
>>>>> not connected)
>>>>> Feb 4 17:47:33 ipa2 ns-slapd: [04/Feb/2019:17:47:33.958062514 -0500]
>>>>> - ERR - set_krb5_creds - Could not get initial credentials for
>>>>> principal [ldap/ipa2.domain.com(a)domain.com] in keytab
>>>>> [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for
>>>>> requested realm)
>>>>> Feb 4 17:47:33 ipa2 ns-slapd: GSSAPI Error: Unspecified GSS failure.
>>>>> Minor code may provide more information (No Kerberos credentials
>>>>> available (default cache: /tmp/krb5cc_389))
>>>>> Feb 4 17:47:33 ipa2 ns-slapd: [04/Feb/2019:17:47:33.965496432 -0500]
>>>>> - ERR - slapi_ldap_bind - Error: could not bind id [cn=Replication
>>>>> Manager
>>>>> masterAgreement1-ipa2.domain.com-pki-tomcat,ou=csusers,cn=config]
>>>>> authentication mechanism [SIMPLE]: error 32 (No such object)
>>>>> Feb 4 17:47:40 ipa2 server: WARNING: Exception processing realm
>>>>> com.netscape.cms.tomcat.ProxyRealm@3badc78b background process
>>>>> Feb 4 17:47:40 ipa2 server: javax.ws.rs.ServiceUnavailableException:
>>>>> Subsystem unavailable
>>>>> Feb 4 17:47:40 ipa2 server: at
>>>>> com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
>>>>>
>>>>> Feb 4 17:47:40 ipa2 server: at
>>>>> org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
>>>>>
>>>>>
>>>>> Feb 4 17:47:40 ipa2 server: at
>>>>> org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
>>>>>
>>>>>
>>>>> Feb 4 17:47:40 ipa2 server: at
>>>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
>>>>>
>>>>>
>>>>> Feb 4 17:47:40 ipa2 server: at
>>>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
>>>>>
>>>>>
>>>>> Feb 4 17:47:40 ipa2 server: at
>>>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
>>>>>
>>>>>
>>>>> Feb 4 17:47:40 ipa2 server: at
>>>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
>>>>>
>>>>>
>>>>> Feb 4 17:47:40 ipa2 server: at java.lang.Thread.run(Thread.java:748)
>>>>> Feb 4 17:47:41 ipa2 dhclient[598]: DHCPREQUEST on eth0 to
>>>>> 132.162.1.131 port 67 (xid=0x27e7db13)
>>>>> Feb 4 17:47:50 ipa2 server: WARNING: Exception processing realm
>>>>> com.netscape.cms.tomcat.ProxyRealm@3badc78b background process
>>>>> Feb 4 17:47:50 ipa2 server: javax.ws.rs.ServiceUnavailableException:
>>>>> Subsystem unavailable
>>>>> Feb 4 17:47:50 ipa2 server: at
>>>>> com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
>>>>>
>>>>> Feb 4 17:47:50 ipa2 server: at
>>>>> org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
>>>>>
>>>>>
>>>>> Feb 4 17:47:50 ipa2 server: at
>>>>> org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
>>>>>
>>>>>
>>>>> Feb 4 17:47:50 ipa2 server: at
>>>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
>>>>>
>>>>>
>>>>> Feb 4 17:47:50 ipa2 server: at
>>>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
>>>>>
>>>>>
>>>>> Feb 4 17:47:50 ipa2 server: at
>>>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
>>>>>
>>>>>
>>>>> Feb 4 17:47:50 ipa2 server: at
>>>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
>>>>>
>>>>>
>>>>> Feb 4 17:47:50 ipa2 server: at java.lang.Thread.run(Thread.java:748)
>>>>> Feb 4 17:47:52 ipa2 dhclient[598]: DHCPREQUEST on eth0 to
>>>>> 132.162.1.131 port 67 (xid=0x27e7db13)
>>>>> Feb 4 17:48:00 ipa2 server: WARNING: Exception processing realm
>>>>> com.netscape.cms.tomcat.ProxyRealm@3badc78b background process
>>>>> Feb 4 17:48:00 ipa2 server: javax.ws.rs.ServiceUnavailableException:
>>>>> Subsystem unavailable
>>>>> Feb 4 17:48:00 ipa2 server: at
>>>>> com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
>>>>>
>>>>> Feb 4 17:48:00 ipa2 server: at
>>>>> org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
>>>>>
>>>>>
>>>>> Feb 4 17:48:00 ipa2 server: at
>>>>> org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
>>>>>
>>>>>
>>>>> Feb 4 17:48:00 ipa2 server: at
>>>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
>>>>>
>>>>>
>>>>> Feb 4 17:48:00 ipa2 server: at
>>>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
>>>>>
>>>>>
>>>>> Feb 4 17:48:00 ipa2 server: at
>>>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
>>>>>
>>>>>
>>>>> Feb 4 17:48:00 ipa2 server: at
>>>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
>>>>>
>>>>>
>>>>> Feb 4 17:48:00 ipa2 server: at java.lang.Thread.run(Thread.java:748)
>>>>> Feb 4 17:48:02 ipa2 dhclient[598]: DHCPREQUEST on eth0 to
>>>>> 132.162.1.131 port 67 (xid=0x27e7db13)
>>>>> Feb 4 17:48:10 ipa2 server: WARNING: Exception processing realm
>>>>> com.netscape.cms.tomcat.ProxyRealm@3badc78b background process
>>>>> Feb 4 17:48:10 ipa2 server: javax.ws.rs.ServiceUnavailableException:
>>>>> Subsystem unavailable
>>>>> Feb 4 17:48:10 ipa2 server: at
>>>>> com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
>>>>>
>>>>> Feb 4 17:48:10 ipa2 server: at
>>>>> org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
>>>>>
>>>>>
>>>>> Feb 4 17:48:10 ipa2 server: at
>>>>> org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
>>>>>
>>>>>
>>>>> Feb 4 17:48:10 ipa2 server: at
>>>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
>>>>>
>>>>>
>>>>> Feb 4 17:48:10 ipa2 server: at
>>>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
>>>>>
>>>>>
>>>>> Feb 4 17:48:10 ipa2 server: at
>>>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
>>>>>
>>>>>
>>>>> Feb 4 17:48:10 ipa2 server: at
>>>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
>>>>>
>>>>>
>>>>> Feb 4 17:48:10 ipa2 server: at java.lang.Thread.run(Thread.java:748)
>>>>> Feb 4 17:48:12 ipa2 [sssd[ldap_child[2284]]]: Failed to initialize
>>>>> credentials using keytab [MEMORY:/etc/krb5.keytab]: Cannot contact
>>>>> any
>>>>> KDC for realm 'domain.com'. Unable to create GSSAPI-encrypted LDAP
>>>>> connection.
>>>>> Feb 4 17:48:12 ipa2 [sssd[ldap_child[2285]]]: Failed to initialize
>>>>> credentials using keytab [MEMORY:/etc/krb5.keytab]: Cannot contact
>>>>> any
>>>>> KDC for realm 'domain.com'. Unable to create GSSAPI-encrypted LDAP
>>>>> connection.
>>>>> Feb 4 17:48:20 ipa2 server: WARNING: Exception processing realm
>>>>> com.netscape.cms.tomcat.ProxyRealm@3badc78b background process
>>>>> Feb 4 17:48:20 ipa2 server: javax.ws.rs.ServiceUnavailableException:
>>>>> Subsystem unavailable
>>>>> Feb 4 17:48:20 ipa2 server: at
>>>>> com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
>>>>>
>>>>> Feb 4 17:48:20 ipa2 server: at
>>>>> org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
>>>>>
>>>>>
>>>>> Feb 4 17:48:20 ipa2 server: at
>>>>> org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
>>>>>
>>>>>
>>>>> Feb 4 17:48:20 ipa2 server: at
>>>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
>>>>>
>>>>>
>>>>> Feb 4 17:48:20 ipa2 server: at
>>>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
>>>>>
>>>>>
>>>>> Feb 4 17:48:20 ipa2 server: at
>>>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
>>>>>
>>>>>
>>>>> Feb 4 17:48:20 ipa2 server: at
>>>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
>>>>>
>>>>>
>>>>> Feb 4 17:48:20 ipa2 server: at java.lang.Thread.run(Thread.java:748)
>>>>> Feb 4 17:48:22 ipa2 dhclient[598]: DHCPREQUEST on eth0 to
>>>>> 132.162.1.131 port 67 (xid=0x27e7db13)
>>>>> Feb 4 17:48:30 ipa2 server: WARNING: Exception processing realm
>>>>> com.netscape.cms.tomcat.ProxyRealm@3badc78b background process
>>>>> Feb 4 17:48:30 ipa2 server: javax.ws.rs.ServiceUnavailableException:
>>>>> Subsystem unavailable
>>>>> Feb 4 17:48:30 ipa2 server: at
>>>>> com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
>>>>>
>>>>> Feb 4 17:48:30 ipa2 server: at
>>>>> org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
>>>>>
>>>>>
>>>>> Feb 4 17:48:30 ipa2 server: at
>>>>> org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
>>>>>
>>>>>
>>>>> Feb 4 17:48:30 ipa2 server: at
>>>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
>>>>>
>>>>>
>>>>> Feb 4 17:48:30 ipa2 server: at
>>>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
>>>>>
>>>>>
>>>>> Feb 4 17:48:30 ipa2 server: at
>>>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
>>>>>
>>>>>
>>>>> Feb 4 17:48:30 ipa2 server: at
>>>>> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
>>>>>
>>>>>
>>>>> Feb 4 17:48:30 ipa2 server: at java.lang.Thread.run(Thread.java:748)
>>>>> Feb 4 17:48:31 ipa2 dhclient[598]: DHCPREQUEST on eth0 to
>>>>> 132.162.1.131 port 67 (xid=0x27e7db13)
>>>>> ^C
>>>>> [root@ipa2 log]# less /var/log/ipaupgrade.log
>>>>> <p><b>note</b> <u>The full stack trace of the root cause is available
>>>>> in the Apache Tomcat/7.0.76 logs.</u></p><HR size="1"
>>>>> noshade="noshade"><h3>Apache Tomcat/7.0.76</h3></body></html>'
>>>>> 2019-02-04T22:46:13Z DEBUG The CA status is: check interrupted due to
>>>>> error: Retrieving CA status failed with status 500
>>>>> 2019-02-04T22:46:13Z DEBUG Waiting for CA to start...
>>>>> 2019-02-04T22:46:14Z DEBUG request POST
>>>>> http://ipa2.domain.com:8080/ca/admin/ca/getStatus
>>>>> 2019-02-04T22:46:14Z DEBUG request body ''
>>>>> 2019-02-04T22:46:14Z DEBUG response status 500
>>>>> 2019-02-04T22:46:14Z DEBUG response headers Server: Apache-Coyote/1.1
>>>>> Content-Type: text/html;charset=utf-8
>>>>> Content-Language: en
>>>>> Content-Length: 2208
>>>>> Date: Mon, 04 Feb 2019 22:46:14 GMT
>>>>> Connection: close
>>>>>
>>>>> 2019-02-04T22:46:14Z DEBUG response body '<html><head><title>Apache
>>>>> Tomcat/7.0.76 - Error report</title><style><!--H1
>>>>> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
>>>>>
>>>>> H2
>>>>> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
>>>>>
>>>>> H3
>>>>> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
>>>>>
>>>>> BODY
>>>>> {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;}
>>>>>
>>>>> B
>>>>> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;}
>>>>>
>>>>> P
>>>>> {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A
>>>>>
>>>>> {color : black;}A.name {color : black;}HR {color :
>>>>> #525D76;}--></style> </head><body><h1>HTTP Status 500 - Subsystem
>>>>> unavailable</h1><HR size="1" noshade="noshade"><p><b>type</b>
>>>>> Exception report</p><p><b>message</b> <u>Subsystem
>>>>> unavailable</u></p><p><b>description</b> <u>The server encountered an
>>>>> internal error that prevented it from fulfilling this
>>>>> request.</u></p><p><b>exception</b>
>>>>> <pre>javax.ws.rs.ServiceUnavailableException: Subsystem
>>>>> unavailable\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:500)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)\n\torg.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)\n\torg.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)\n\torg.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)\n\torg.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\torg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:748)\n</pre></p><p><b>note</b>
>>>>>
>>>>> <u>The full stack trace of the root cause is available in the Apache
>>>>> Tomcat/7.0.76 logs.</u></p><HR size="1" noshade="noshade"><h3>Apache
>>>>> Tomcat/7.0.76</h3></body></html>'
>>>>> 2019-02-04T22:46:14Z DEBUG The CA status is: check interrupted due to
>>>>> error: Retrieving CA status failed with status 500
>>>>> 2019-02-04T22:46:14Z DEBUG Waiting for CA to start...
>>>>> 2019-02-04T22:46:15Z DEBUG request POST
>>>>> http://ipa2.domain.com:8080/ca/admin/ca/getStatus
>>>>> 2019-02-04T22:46:15Z DEBUG request body ''
>>>>> 2019-02-04T22:46:15Z DEBUG response status 500
>>>>> 2019-02-04T22:46:15Z DEBUG response headers Server: Apache-Coyote/1.1
>>>>> Content-Type: text/html;charset=utf-8
>>>>> Content-Language: en
>>>>> Content-Length: 2208
>>>>> Date: Mon, 04 Feb 2019 22:46:15 GMT
>>>>> Connection: close
>>>>>
>>>>> 2019-02-04T22:46:15Z DEBUG response body '<html><head><title>Apache
>>>>> Tomcat/7.0.76 - Error report</title>
>>>>> -snip- same HTTP Status 500 "Subsystem unavailable" error report as above -
>>>>> 2019-02-04T22:46:15Z DEBUG The CA status is: check interrupted due to
>>>>> error: Retrieving CA status failed with status 500
>>>>> 2019-02-04T22:46:15Z DEBUG Waiting for CA to start...
>>>>> 2019-02-04T22:46:16Z ERROR IPA server upgrade failed: Inspect
>>>>> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>>>>> 2019-02-04T22:46:16Z DEBUG File
>>>>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178,
>>>>> in execute
>>>>> return_value = self.run()
>>>>> File
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
>>>>> line 56, in run
>>>>> raise admintool.ScriptError(str(e))
>>>>>
>>>>> 2019-02-04T22:46:16Z DEBUG The ipa-server-upgrade command failed,
>>>>> exception: ScriptError: CA did not start in 300.0s
>>>>> 2019-02-04T22:46:16Z ERROR CA did not start in 300.0s
>>>>> 2019-02-04T22:46:16Z ERROR The ipa-server-upgrade command failed. See
>>>>> /var/log/ipaupgrade.log for more information
>>>> Thanks,
>>>> -Chris
>>>>
>>>>> Rob,
>>>>>
>>>>> I'll be honest. I think you are suggesting an ldapsearch with this
>>>>>
>>>>> Check to see which master is the renewal master. Look in
>>>>> cn=CA,cn=$(hostname),cn=masters,cn=ipa,cn=etc,$SUFFIX for
>>>>> ipaConfigString=caRenewalMaster
>>>>>
>>>>> Sorry, I've not figured out how to successfully ldapsearch.
>>>>>
>>>>> Instead I did this:
>>>>> ipa config-show |grep 'CA renewal master'
>>>>>
>>>>> It came up blank. I suspect I didn't have a renewal master somehow.
>>>>>
>>>>> Then I did this:
>>>>> ipa-csreplica-manage set-renewal-master ipa2 (hostname of working IPA
>>>>> server)
>>>>>
>>>>> Next is a "yum update" to be safe, and lastly "ipa-server-upgrade" on
>>>>> ipa2. When that's all done I'll try "yum update" and
>>>>> "ipa-server-upgrade" on my broken IPA system ipa1
>>>>>
>>>>> I'll report back here when finished.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> -Chris
>>>>>
>>>>>> Check to see which master is the renewal master. Look in
>>>>>> cn=CA,cn=$(hostname),cn=masters,cn=ipa,cn=etc,$SUFFIX for
>>>>>> ipaConfigString=caRenewalMaster
>>>>>>
>>>>>> You want to run the script on that master first to get the certs
>>>>>> renewed.
>>>>>>
>>>>>> I'd start by re-running ipa-server-upgrade. It is idempotent so
>>>>>> there
>>>>>> should be no risk. It may repair the tracking for you.
>>>>>>
>>>>>> rob
>>>>> On 2/4/2019 3:30 PM, Rob Crittenden wrote:
>>>>>> Chris Mohler via FreeIPA-users wrote:
>>>>>>> Thanks for looking at my issue!
>>>>>>>
>>>>>>> There have been no recent updates on my system. Actually I was
>>>>>>> getting
>>>>>>> ready to update when I noticed things weren't good.
>>>>>>>
>>>>>>> Here is the output from the log of the most recent update. Looks
>>>>>>> like it
>>>>>>> was completed successfully. The lines you asked about are in
>>>>>>> Bold/underlined.
>>>>>>>
>>>>>>>> 2018-07-18T16:55:21Z INFO [Update certmonger certificate renewal
>>>>>>>> configuration]
>>>>>>>> 2018-07-18T16:55:21Z DEBUG Loading Index file from
>>>>>>>> '/var/lib/ipa/sysrestore/sysrestore.index'
>>>>>>>> 2018-07-18T16:55:21Z DEBUG Starting external process
>>>>>>>> 2018-07-18T16:55:21Z DEBUG args=/usr/bin/certutil -d
>>>>>>>> /etc/pki/pki-tomcat/alias -L -f
>>>>>>>> /etc/pki/pki-tomcat/alias/pwdfile.txt
>>>>>>>> 2018-07-18T16:55:21Z DEBUG Process finished, return code=0
>>>>>>>> 2018-07-18T16:55:21Z DEBUG stdout=
>>>>>>>> Certificate Nickname Trust Attributes
>>>>>>>> SSL,S/MIME,JAR/XPI
>>>>>>>>
>>>>>>>> caSigningCert cert-pki-ca CTu,Cu,Cu
>>>>>>>> subsystemCert cert-pki-ca u,u,u
>>>>>>>> ocspSigningCert cert-pki-ca u,u,u
>>>>>>>> auditSigningCert cert-pki-ca u,u,Pu
>>>>>>>> Server-Cert cert-pki-ca u,u,u
>>>>>>>>
>>>>>>>> 2018-07-18T16:55:21Z DEBUG stderr=
>>>>>>>> _*2018-07-18T16:55:21Z DEBUG Configuring certmonger to stop
>>>>>>>> tracking
>>>>>>>> system certificates for CA*_
>>>>>>>> 2018-07-18T16:55:21Z DEBUG Starting external process
>>>>>>>> 2018-07-18T16:55:21Z DEBUG args=/bin/systemctl start
>>>>>>>> messagebus.service
>>>>>>>> 2018-07-18T16:55:21Z DEBUG Process finished, return code=0
>>>>>>>> 2018-07-18T16:55:21Z DEBUG stdout=
>>>>>>>> 2018-07-18T16:55:21Z DEBUG stderr=
>>>>>>>> 2018-07-18T16:55:21Z DEBUG Starting external process
>>>>>>>> 2018-07-18T16:55:21Z DEBUG args=/bin/systemctl is-active
>>>>>>>> messagebus.service
>>>>>>>> 2018-07-18T16:55:21Z DEBUG Process finished, return code=0
>>>>>>>> 2018-07-18T16:55:21Z DEBUG stdout=active
>>>>>>>>
>>>>>>>> 2018-07-18T16:55:21Z DEBUG stderr=
>>>>>>>> 2018-07-18T16:55:21Z DEBUG Starting external process
>>>>>>>> 2018-07-18T16:55:21Z DEBUG args=/bin/systemctl start
>>>>>>>> certmonger.service
>>>>>>>> 2018-07-18T16:55:21Z DEBUG Process finished, return code=0
>>>>>>>> 2018-07-18T16:55:21Z DEBUG stdout=
>>>>>>>> 2018-07-18T16:55:21Z DEBUG stderr=
>>>>>>>> 2018-07-18T16:55:21Z DEBUG Starting external process
>>>>>>>> 2018-07-18T16:55:21Z DEBUG args=/bin/systemctl is-active
>>>>>>>> certmonger.service
>>>>>>>> 2018-07-18T16:55:21Z DEBUG Process finished, return code=0
>>>>>>>> 2018-07-18T16:55:21Z DEBUG stdout=active
>>>>>>>>
>>>>>>> -snip- a few more lines like the section above.
>>>>>>>> 2018-07-18T16:55:25Z DEBUG stderr=
>>>>>>>> 2018-07-18T16:55:30Z DEBUG Loading Index file from
>>>>>>>> '/var/lib/ipa/sysrestore/sysrestore.index'
>>>>>>>> 2018-07-18T16:55:30Z DEBUG Starting external process
>>>>>>>> 2018-07-18T16:55:30Z DEBUG args=/usr/bin/certutil -d
>>>>>>>> /etc/dirsrv/DOMAINNAMEHERE -L -n Server-Cert -a -f
>>>>>>>> /etc/dirsrv/DOMAINNAMEHERE/pwdfile.txt
>>>>>>>> 2018-07-18T16:55:30Z DEBUG Process finished, return code=0
>>>>>>>> 2018-07-18T16:55:30Z DEBUG stdout=-----BEGIN CERTIFICATE-----
>>>>>>> -Snip- Cert and Key stuff goes here-
>>>>>>>> 2018-07-18T16:55:34Z DEBUG stderr=
>>>>>>>> _*2018-07-18T16:55:35Z INFO Certmonger certificate renewal
>>>>>>>> configuration updated*_
>>>>>> Check to see which master is the renewal master. Look in
>>>>>> cn=CA,cn=$(hostname),cn=masters,cn=ipa,cn=etc,$SUFFIX for
>>>>>> ipaConfigString=caRenewalMaster
>>>>>>
>>>>>> You want to run the script on that master first to get the certs
>>>>>> renewed.
>>>>>>
>>>>>> I'd start by re-running ipa-server-upgrade. It is idempotent so
>>>>>> there
>>>>>> should be no risk. It may repair the tracking for you.
>>>>>>
>>>>>> rob
>>>>>>
>>>>>>> On 2/4/2019 1:44 PM, Florence Blanc-Renaud wrote:
>>>>>>>> On 2/4/19 5:59 PM, Chris Mohler via FreeIPA-users wrote:
>>>>>>>>> Hi Everyone,
>>>>>>>>>
>>>>>>>>> I'm looking for some help. I'm having trouble with everything
>>>>>>>>> basically.
>>>>>>>>>
>>>>>>>>> I think one of my CA's certs expired or something. I can't kinit
>>>>>>>>> admin, I can't login via the WebGui. If I "getcert list" it
>>>>>>>>> returns
>>>>>>>>> "Number of certificates and requests being tracked: 0."
>>>>>>>>>
>>>>>>>>> This all started happening a few days ago and I am at a loss
>>>>>>>>> as to
>>>>>>>>> what happened. On a whim I set the system date and time back a
>>>>>>>>> few
>>>>>>>>> months to see if my certs were expired and like magic I can
>>>>>>>>> login to
>>>>>>>>> the Webgui but I'm still not tracking anything with "getcert
>>>>>>>>> list" I
>>>>>>>>> suspect the cert has expired but without tracking it I can't
>>>>>>>>> tell, or
>>>>>>>>> renew it.
>>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> can you check if an upgrade happened recently (have a look at
>>>>>>>> /var/log/ipaupgrade.log)? The upgrade stops tracking certs and
>>>>>>>> re-configures certmonger, so if it failed in the middle you may be
>>>>>>>> left without any tracking.
>>>>>>>> You should be able to find lines like the following if the
>>>>>>>> untracking/tracking went fine:
>>>>>>>> ---
>>>>>>>> [Update certmonger certificate renewal configuration]
>>>>>>>> Configuring certmonger to stop tracking system certificates for CA
>>>>>>>> Certmonger certificate renewal configuration updated
>>>>>>>> ---
>>>>>>>>
>>>>>>>> HTH,
>>>>>>>> flo
>>>>>>>>
>>>>>>>>> Please help
>>>>>>>>>
>>>>>>>>> I'm running Centos 7, FreeIPA 4.5.4
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>>
>>>>>>>>> -Chris
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> FreeIPA-users mailing list --
>>>>>>>>> freeipa-users(a)lists.fedorahosted.org
>>>>>>>>> To unsubscribe send an email to
>>>>>>>>> freeipa-users-leave(a)lists.fedorahosted.org
>>>>>>>>> Fedora Code of Conduct:
>>>>>>>>> https://getfedora.org/code-of-conduct.html
>>>>>>>>> List Guidelines:
>>>>>>>>> https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>>>>>> List Archives:
>>>>>>>>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>
>
5 years, 2 months
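Rob's check for the renewal master can be read off ldapsearch output mechanically instead of by eye. The Python below is an added example, not code from the thread or from FreeIPA; it assumes the CA entries under cn=masters,cn=ipa,cn=etc,$SUFFIX have been exported as LDIF (for instance `ldapsearch -LLL -b "cn=masters,cn=ipa,cn=etc,$SUFFIX" "(cn=CA)" ipaConfigString`, binding with `-D "cn=Directory Manager" -W` while kinit is broken as in this thread), and the sample LDIF embedded in it is constructed.

```python
import re
from typing import Dict, List

# Constructed sample LDIF (not from the thread): the CA service entries of two
# masters under cn=masters,cn=ipa,cn=etc,$SUFFIX; only ipa2 is flagged.
SAMPLE_LDIF = """\
dn: cn=CA,cn=ipa1.domain.com,cn=masters,cn=ipa,cn=etc,dc=domain,dc=com
ipaConfigString: enabledService
ipaConfigString: startOrder 50

dn: cn=CA,cn=ipa2.domain.com,cn=masters,cn=ipa,cn=etc,dc=domain,dc=com
ipaConfigString: enabledService
ipaConfigString: startOrder 50
ipaConfigString: caRenewalMaster
"""

# Hostname from a DN of the form cn=CA,cn=$(hostname),cn=masters,cn=ipa,cn=etc,$SUFFIX
DN_HOST_RE = re.compile(r"^cn=CA,cn=([^,]+),cn=masters,cn=ipa,cn=etc,", re.IGNORECASE)

def parse_ldif(ldif: str) -> Dict[str, List[str]]:
    """Map each CA master hostname to the ipaConfigString values on its CA entry."""
    ldif = re.sub(r"\n ", "", ldif)  # unfold LDIF continuation lines
    result: Dict[str, List[str]] = {}
    host = None
    for line in ldif.splitlines():
        line = line.strip()
        if not line:                      # blank line ends the current entry
            host = None
        elif line.lower().startswith("dn:"):
            m = DN_HOST_RE.match(line[3:].strip())
            host = m.group(1) if m else None   # ignore entries that are not cn=CA
            if host:
                result.setdefault(host, [])
        elif host and line.lower().startswith("ipaconfigstring:"):
            result[host].append(line.split(":", 1)[1].strip())
    return result

def renewal_masters(ldif: str) -> List[str]:
    """Hostnames flagged caRenewalMaster; an empty list is the 'came up blank' case."""
    return sorted(h for h, vals in parse_ldif(ldif).items()
                  if any(v.lower() == "carenewalmaster" for v in vals))

def diagnose(ldif: str) -> str:
    """One-line verdict, naming the thread's remedy when no master is flagged."""
    masters = renewal_masters(ldif)
    if not masters:
        return "no renewal master: run ipa-csreplica-manage set-renewal-master <working host>"
    if len(masters) > 1:
        return "multiple renewal masters: " + ", ".join(masters)
    return "renewal master: " + masters[0]
```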