I install FreeIPA with my usual options, but when it's done the web interface is not available with the usual.
Service status:
[xadministrator@idm log]$ sudo systemctl enable tomcat.service -l
[xadministrator@idm log]$ sudo systemctl start tomcat.service -l
[xadministrator@idm log]$ sudo systemctl status tomcat.service -l
● tomcat.service - Apache Tomcat Web Application Container
   Loaded: loaded (/usr/lib/systemd/system/tomcat.service; enabled; vendor preset: disabled)
   Active: inactive (dead) since Tue 2020-01-21 14:42:52 EST; 3s ago
  Process: 15192 ExecStart=/usr/libexec/tomcat/server start (code=exited, status=0/SUCCESS)
 Main PID: 15192 (code=exited, status=0/SUCCESS)

Jan 21 14:42:52 idm.cs.xxxx server[15192]: Jan 21, 2020 2:42:52 PM org.apache.catalina.core.StandardService stopInternal
Jan 21 14:42:52 idm.cs.xxxx server[15192]: INFO: Stopping service Catalina
Jan 21 14:42:52 idm.cs.xxxx server[15192]: Jan 21, 2020 2:42:52 PM org.apache.coyote.AbstractProtocol stop
Jan 21 14:42:52 idm.cs.xxxx server[15192]: INFO: Stopping ProtocolHandler ["http-bio-8080"]
Jan 21 14:42:52 idm.cs.xxxx server[15192]: Jan 21, 2020 2:42:52 PM org.apache.coyote.AbstractProtocol destroy
Jan 21 14:42:52 idm.cs.xxxx server[15192]: INFO: Destroying ProtocolHandler ["http-bio-8080"]
Jan 21 14:42:52 idm.cs.xxxx server[15192]: Jan 21, 2020 2:42:52 PM org.apache.coyote.AbstractProtocol stop
Jan 21 14:42:52 idm.cs.xxxx server[15192]: INFO: Stopping ProtocolHandler ["ajp-bio-8009"]
Jan 21 14:42:52 idm.cs.xxxx server[15192]: Jan 21, 2020 2:42:52 PM org.apache.coyote.AbstractProtocol destroy
Jan 21 14:42:52 idm.cs.xxxx server[15192]: INFO: Destroying ProtocolHandler ["ajp-bio-8009"]
[xadministrator@idm log]$

[xadministrator@idm log]$ sudo systemctl status httpd -l
[sudo] password for xadministrator:
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/httpd.service.d
           └─ipa.conf
   Active: active (running) since Tue 2020-01-21 14:18:35 EST; 1 day 2h ago
     Docs: man:httpd(8)
           man:apachectl(8)
 Main PID: 13471 (httpd)
   Status: "Total requests: 4; Current requests/sec: 0; Current traffic: 0 B/sec"
    Tasks: 61
   CGroup: /system.slice/httpd.service
           ├─13471 /usr/sbin/httpd -DFOREGROUND
           ├─13472 /usr/libexec/nss_pcache 688130 off
           ├─13475 (wsgi:kdcproxy) -DFOREGROUND
           ├─13476 (wsgi:kdcproxy) -DFOREGROUND
           ├─13477 (wsgi:ipa) -DFOREGROUND
           ├─13478 (wsgi:ipa) -DFOREGROUND
           ├─13479 (wsgi:ipa) -DFOREGROUND
           ├─13480 (wsgi:ipa) -DFOREGROUND
           ├─13481 /usr/sbin/httpd -DFOREGROUND
           ├─13482 /usr/sbin/httpd -DFOREGROUND
           ├─13483 /usr/sbin/httpd -DFOREGROUND
           ├─13484 /usr/sbin/httpd -DFOREGROUND
           ├─13485 /usr/sbin/httpd -DFOREGROUND
           └─13747 /usr/sbin/httpd -DFOREGROUND

Jan 21 14:18:35 idm.cs.xxxx systemd[1]: Started The Apache HTTP Server.
Jan 21 14:18:40 idm.cs.xxxx [13477]: GSSAPI client step 1
Jan 21 14:18:40 idm.cs.xxxx [13477]: GSSAPI client step 1
Jan 21 14:18:40 idm.cs.xxxx [13477]: GSSAPI client step 1
Jan 21 14:18:40 idm.cs.xxxx [13478]: GSSAPI client step 1
Jan 21 14:18:40 idm.cs.xxxx [13478]: GSSAPI client step 1
Jan 21 14:18:40 idm.cs.xxxx [13478]: GSSAPI client step 1
Jan 21 14:18:42 idm.cs.xxxx [13479]: GSSAPI client step 1
Jan 21 14:18:42 idm.cs.xxxx [13479]: GSSAPI client step 1
Jan 21 14:18:42 idm.cs.xxxx [13479]: GSSAPI client step 1
The url that I'm trying is: https://idm.cs.xxxx/ipa/ui/
Any help would be appreciated.
Scott Reed via FreeIPA-users wrote:
I install FreeIPA with my usual options, but when it's done the web interface is not available with the usual.
Service status:
[xadministrator@idm log]$ sudo systemctl enable tomcat.service -l
[xadministrator@idm log]$ sudo systemctl start tomcat.service -l
[xadministrator@idm log]$ sudo systemctl status tomcat.service -l
● tomcat.service - Apache Tomcat Web Application Container
   Loaded: loaded (/usr/lib/systemd/system/tomcat.service; enabled; vendor preset: disabled)
   Active: inactive (dead) since Tue 2020-01-21 14:42:52 EST; 3s ago
  Process: 15192 ExecStart=/usr/libexec/tomcat/server start (code=exited, status=0/SUCCESS)
 Main PID: 15192 (code=exited, status=0/SUCCESS)
Why are you touching the services enabled? This should not be done. The ipa service will start the things needed.
The url that I'm trying is: https://idm.cs.xxxx/ipa/ui/
Any help would be appreciated.
What does "not available" mean? What do you see? Does curl work?
$ kinit admin
$ curl --negotiate -u : https://ipa.example.test/ipa/ui/
I'd try on whatever your client machine is as well as the web server to see if behavior differs.
rob
Scott Reed via FreeIPA-users wrote:
Why are you touching the services enabled? This should not be done. The ipa service will start the things needed.
I know that tomcat is used, and it seemed like a weird state to be in.
What does "not available" mean? What do you see? Does curl work?
$ kinit admin
$ curl --negotiate -u : https://ipa.example.test/ipa/ui/
Here is what I got:
Secure Connection Failed
An error occurred during a connection to idm.cs.xxxx. You have received an invalid certificate. Please contact the server administrator or email correspondent and give them the following information: Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number. Error code: SEC_ERROR_REUSED_ISSUER_AND_SERIAL
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.
My previous installations of FreeIPA did not have any problems in connecting to the web interface.
I'd try on whatever your client machine is as well as the web server to see if behavior differs.
rob
Rob,
Thanks for your help. It was a problem with the certificates from this server. I can at least at this point get to the web interface. I used these instructions and skipped the part about deleting the authority.
Scott Reed via FreeIPA-users wrote:
Rob,
Thanks for your help. It was a problem with the certificates from this server. I can at least at this point get to the web interface. I used these instructions and skipped the part about deleting the authority.
Great, glad you have things working again.
rob
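The SEC_ERROR_REUSED_ISSUER_AND_SERIAL message quoted earlier in the thread means the client already knows a different certificate with the same issuer and serial number. As an added example (not from the thread or the FreeIPA project; the CA name, file names and self-signed test certificates are constructed for illustration), this script uses openssl to find certificates in a directory that collide on issuer and serial but differ in content:

```shell
#!/bin/sh
# Added example: report certificates that share issuer + serial number but
# are different certificates. All names below are constructed for the demo.

# Print "issuer=...|serial=...|" for one PEM certificate.
issuer_serial() {
    openssl x509 -in "$1" -noout -issuer -serial | tr '\n' '|'
}

# Print the SHA-256 fingerprint of one PEM certificate.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# For every *.pem in directory $1, emit "key<TAB>fingerprint<TAB>file",
# sort so equal keys are adjacent, then report neighbours whose key matches
# but whose fingerprint differs (identical copies are not reported).
find_reused() {
    for f in "$1"/*.pem; do
        printf '%s\t%s\t%s\n' "$(issuer_serial "$f")" "$(fingerprint "$f")" "$f"
    done | sort | awk -F '\t' '
        $1 == key && $2 != fp { print "REUSED " $1 " " prev " " $3 }
        { key = $1; fp = $2; prev = $3 }'
}

# Constructed sample: three self-signed certificates with the same subject
# (so the same issuer) and fresh keys; the first two both use serial 1.
make_sample() {
    n=0
    for serial in 1 1 2; do
        n=$((n + 1))
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" \
            -set_serial "$serial" \
            -keyout "$1/cert$n.key" -out "$1/cert$n.pem" 2>/dev/null
    done
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
find_reused "$demo_dir"
```

To use it on real data, call find_reused on a directory holding the server's current certificate alongside PEM exports of the certificates the client already has stored.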
freeipa-users@lists.fedorahosted.org