Restarting ipa didn't create the logs.
Please, what else can I do?
On Mon, Mar 4, 2019 at 8:47 PM Sina Owolabi <notify.sina(a)gmail.com> wrote:
>
> Hi!
>
> getcert list | grep -i expires
> expires: 2019-04-13 12:08:20 UTC
> expires: 2019-04-13 12:08:06 UTC
> expires: 2019-04-13 12:07:50 UTC
> expires: 2035-06-01 08:33:01 UTC
> expires: 2019-04-13 12:07:41 UTC
> expires: 2019-04-13 12:06:55 UTC
> expires: 2019-05-05 12:06:41 UTC
> expires: 2019-05-05 12:06:56 UTC
> expires: 2020-01-17 19:56:03 UTC
>
> I didn't find a /var/log/pki/pki-tomcat/ca/debug directory, but I am
> creating one and running "ipactl restart".
>
> On Mon, Mar 4, 2019 at 8:10 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
> >
> > Sina Owolabi via FreeIPA-users wrote:
> > > Hi!
> > >
> > > I am running a small IPA domain (CentOS 7 servers, ipa version 4.5.4,
> > > api version 2.228), with one master, and two replicas, and I noticed
> > > that pki-tomcatd no longer works on the master, after attempting a
> > > reboot.
> > > pki-tomcatd works fine on the slaves.
> > > I noticed if I try to run IPA functions (dns record removal, hosts
> > > management, user passwords, etc), I receive responses like this:
> > >
> > > ipa: ERROR: Certificate operation cannot be completed: Unable to
> > > communicate with CMS (Internal Server Error)
> > > But on the replicas, functions work fine.
> > > Please can someone guide me on how to fix this?
> >
> > The CA log is in /var/log/pki/pki-tomcat/ca/debug. That may have some
> > pointers. I'd look at selftests.log first.
> >
> > My guess is that some of the CA certificates have failed to renew.
> >
> > getcert list | grep -i expires
> >
> > rob
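
An added example, not part of the thread and not FreeIPA or certmonger code: a Python sketch that pairs each tracked request in `getcert list` output with its status and expiry, which the `grep -i expires` one-liner above drops. The sample input, the function names and the 60-day warning window are assumptions; the request IDs and statuses are constructed, and the expiry dates are ones shown in the thread.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in `getcert list` layout; request IDs and statuses are made up.
SAMPLE = """\
Request ID '20170101000001':
\tstatus: MONITORING
\texpires: 2019-04-13 12:08:20 UTC
Request ID '20170101000002':
\tstatus: CA_UNREACHABLE
\texpires: 2019-05-05 12:06:41 UTC
Request ID '20170101000003':
\tstatus: MONITORING
\texpires: 2035-06-01 08:33:01 UTC
"""

def parse_getcert(text):
    """Return one dict per tracked request: id, status, expires (UTC datetime)."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        key, sep, value = line.strip().partition(": ")
        if m:
            entries.append({"id": m.group(1), "status": None, "expires": None})
        elif entries and sep and key == "status":
            entries[-1]["status"] = value
        elif entries and sep and key == "expires":
            when = datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC")
            entries[-1]["expires"] = when.replace(tzinfo=timezone.utc)
    return entries

def triage(entries, now, warn_days=60):
    """List (request id, problems) for requests that need attention."""
    findings = []
    for e in entries:
        problems = []
        if e["status"] != "MONITORING":
            problems.append("status %s" % e["status"])
        if e["expires"] is None or e["expires"] <= now:
            problems.append("expired or expiry missing")
        elif e["expires"] - now <= timedelta(days=warn_days):
            problems.append("expires in %d days" % (e["expires"] - now).days)
        if problems:
            findings.append((e["id"], problems))
    return findings

if __name__ == "__main__":
    for req, problems in triage(parse_getcert(SAMPLE), datetime.now(timezone.utc)):
        print(req, "; ".join(problems))
```

To use it on a server, pass the captured text of `getcert list` to `parse_getcert` in place of `SAMPLE`.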