Thank you for your reply. I just retried with debug enabled but I cannot say I see anything useful.I was wondering if I somehow can debug the kerberos procedure more...or get rid of memcache for debug purposes.Best regards,DimitriosOn Mon, Jan 15, 2018 at 8:49 PM, Rob Crittenden <rcritten@redhat.com> wrote:This isn't much to go on.Dimitris Zilaskos via FreeIPA-users wrote:
> Hello,
>
> I have been asked to look into an ipa server running in CentOS 6. The
> server was missbehaving for some time, with some certificates expiring
> back in October. Also / was full. I have cleaned up some space, set the
> date back before the certificates expired, restarted/rebooted but
> renewal of certs fails:
>
> [Wed Oct 25 00:00:21 2017] [info] Connection to child 0 established
> (server portal.cloud.local, client 10.142.20.10)
> [Wed Oct 25 00:00:21 2017] [debug] nss_engine_init.c(1948): SNI: Found
> nickname Server-Cert for vhost: portal.cloud.local
> [Wed Oct 25 00:00:21 2017] [debug] nss_engine_init.c(1970): SNI:
> Successfully paired vhost portal.cloud.local with nickname: Server-Cert
> [Wed Oct 25 00:00:21 2017] [debug] nss_engine_kernel.c(93): SNI request
> for portal.cloud.local
> [Wed Oct 25 00:00:21 2017] [info] Initial (No.1) HTTPS request received
> for child 0 (server portal.cloud.local:443)
> [Wed Oct 25 00:00:21 2017] [error] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
> [Wed Oct 25 00:00:21 2017] [error] ipa: DEBUG: WSGI xmlserver.__call__:
> [Wed Oct 25 00:00:21 2017] [error] ipa: ERROR: 500 Internal Server
> Error: xmlserver.__call__: KRB5CCNAME not defined in HTTP request
> environment
> [Wed Oct 25 00:00:21 2017] [error] ipa: DEBUG: response: CCacheError:
> did not receive Kerberos credentials
> [Wed Oct 25 00:00:21 2017] [info] Connection to child 0 closed (server
> portal.cloud.local:443, client 10.142.20.10)
>
> I can do kinit admin without problems. Please any hints how can I
> resoleve this?
>
You might create /etc/ipa/server.conf with the contents:
[global]
debug = True
and restart IPA. It should provide more information on the incmoing request.
certmonger logs to syslog so I'd check there for details from the renewal.
Knowing the state of the certs tracked by certmonger would be helpful
too (be sure to redact any PIN that might be in the getcert list output).
rob