[Freeipa-users] (no subject)

Jimmy Caldwell g17jimmy at gmail.com
Thu Mar 15 23:04:36 UTC 2012 

I'll check that in the morning.

Sent from my mobile device

On Mar 15, 2012, at 17:38, Rob Crittenden <rcritten at redhat.com> wrote:

> Jimmy wrote:
>> error log: http://fpaste.org/efyf/
>>
>> CA debug: http://fpaste.org/LemM/
>>
>> CA localhost log: http://fpaste.org/q4MU/
>>
>> That's all I can find the correspond to the time I ran the getcert.
>
> I'd look at the catalina.log, is dogtag coming up ok?
>
> rob
>
>>
>> Jimmy
>> On Thu, Mar 15, 2012 at 4:47 PM, Rob Crittenden<rcritten at redhat.com>  wrote:
>>> Jimmy wrote:
>>>>
>>>> Still shows status: CA_UNREACHABLE
>>>>
>>>> http://fpaste.org/UrTJ/
>>>
>>>
>>> If there was an Internal Server Error there should be an error in the Apache
>>> error log or something in the CA debug/transaction log (or both). Can you
>>> check those?
>>>
>>> rob
>>>
>>>>
>>>> On Thu, Mar 15, 2012 at 3:22 PM, Rob Crittenden<rcritten at redhat.com>
>>>>  wrote:
>>>>>
>>>>> Jimmy wrote:
>>>>>>
>>>>>>
>>>>>> I used yum to upgrade cert monger now the access_log has nothing new
>>>>>> when I run the ipa-getcert, but error_log shows this:
>>>>>>
>>>>>> [Sat Mar 10 21:47:21 2012] [error] ipa: INFO: sslget
>>>>>> 'https://xyz-ipa.abc.xyz:443/ca/agent/ca/displayBySerial'
>>>>>> [Sat Mar 10 21:47:21 2012] [error] ipa: INFO:
>>>>>> host/xyz-ipa.abc.xyz at ABC.XYZ:
>>>>>>
>>>>>>
>>>>>> cert_request(u'MIIDQzCCAisCAQAwLDEQMA4GA1UEChMHUERILkNTUDEYMBYGA1UEAxMPY3NwLWlkbS5wZGguY3NwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr0EHCdyTuteryFZ2bdEl+V4OATR/xk8ELthmvlwT/5qubZKwlCWS6yLawgdyCg9Yw737A7qGe0BPxHv6E+as10NxppEPsn9BOi+TPRIMYNMNNYmO2sce2pvkMkVBqsF7Gn7mF7e5+Bpc7ApnDGP7WLsAjbso8EvLUrqVMTNyiziCSHiNk+/Fi1Om6K5GKzKkqfEDex0RK+kpMswgcaZHhmW3i+y3UxFZsJjOg3R4fJAfC0+My2d1Vx4052+EgWAbSNpSj7zmLGM2+dkmgMo5Li7jjgJe8VsrqOV4L5IgqtGVJ0EOb7EP7gynbVoa74m4XrVwEP8rd/M5RxAnD1JPuwIDAQABoIHRMBoGCSqGSIb3DQEJFDENEwtTZXJ2ZXItQ2VydDCBsgYJKoZIhvcNAQkOMYGkMIGhMA4GA1UdDwEBAAQEAwIE8DB3BgNVHREBAQAEbTBroCwGCisGAQQBgjcUAgOgHgwcbGRhcC9jc3AtaWRtLnBkaC5jc3BAUERILkNTUKA7BgYrBgEFAgKgMTAvoAkbB1BESC5DU1ChIjAgoAMCAQGhGTAXGwRsZGFwGw9jc3AtaWRtLnBkaC5jc3AwFgYDVR0lAQEABAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEBABD/Hwbgf5NJNUYt0+ntMDHiilMFkSaO6ryQ36/pCH1oR+vI+PCeClHewPo0v99h4Z8W8L7CQtDdNBUMl/JVHH5Lz7cBF8A/jXZQ+naV17EEuXncacM8AvYh5dL2yih+8RpPalEmSgz5rijtbSigfNGrZn0Mh3qOW1kbsz+GDaaT9wLFxvdJyqgdKds2tsp0K
> zH
>>>
>>> IM
>>>>>
>>>>>
>>>>>
>>>>> cJuw3cwOfH8zrBRV28XYhMLm0OOhj92uxgax5UPY2VyHP5UOtOnfuduU1ZXa+o8QIXqX7/HyDSCLGwiPJscAsp9cRzjn4KvqzZDOcdGEjXmCGfrmUiMcuzVyTDR2SdAWrHdbRmXeyVxmiBPzdk=',
>>>>>>
>>>>>>
>>>>>> principal=u'ldap/xyz-ipa.abc.xyz at ABC.XYZ', add=True):
>>>>>> CertificateOperationError
>>>>>
>>>>>
>>>>>
>>>>> What does ipa-getcert list show?
>>>>>
>>>>> You may now have something in the CA logs too.
>>>>>
>>>>>
>>>>> rob
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Thu, Mar 15, 2012 at 2:07 PM, Rob Crittenden<rcritten at redhat.com>
>>>>>>  wrote:
>>>>>>>
>>>>>>>
>>>>>>> Jimmy wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Which error log? the pki-ca error log has nothing and the httpd error
>>>>>>>> log has nothing, and the httpd access log has this: (yes, the dates
>>>>>>>> are set back a few days, bc the current cert expires on 3/11)
>>>>>>>>
>>>>>>>> 192.168.201.102 - - [10/Mar/2012:21:27:24 +0000] "POST /ipa/xml
>>>>>>>> HTTP/1.1" 401 1775
>>>>>>>> 192.168.201.102 - host/abc-ipa.abc.xyz at ABC.XYZ [10/Mar/2012:21:27:25
>>>>>>>> +0000] "POST /ipa/xml HTTP/1.1" 200 314
>>>>>>>>
>>>>>>>> here is the ipa-getcert list:
>>>>>>>>
>>>>>>>> http://fpaste.org/Dzr3/
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> You need to update certmonger, it isn't setting a Referer HTTP header
>>>>>>> in
>>>>>>> its
>>>>>>> request. That is now required by IPA.
>>>>>>>
>>>>>>>
>>>>>>> rob
>>>>>>>
>>>>>>>>
>>>>>>>> On Thu, Mar 15, 2012 at 1:33 PM, Rob Crittenden<rcritten at redhat.com>
>>>>>>>>  wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Jimmy wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Restarted IPA and now the interface loads, but resubmitting the cert
>>>>>>>>>> has this result -
>>>>>>>>>>
>>>>>>>>>> ipa-getcert resubmit -i 20110913154233
>>>>>>>>>> 192.168.201.102 - - [10/Mar/2012:20:53:13 +0000] "POST /ipa/xml
>>>>>>>>>> HTTP/1.1" 401 1775
>>>>>>>>>> 192.168.201.102 - host/abc-ipa.abc.xyz at ABC.XYZ [10/Mar/2012:20:53:13
>>>>>>>>>> +0000] "POST /ipa/xml HTTP/1.1" 200 314
>>>>>>>>>>
>>>>>>>>>> but the cert still shows these dates-
>>>>>>>>>>
>>>>>>>>>>  Not Before: Tue Sep 13 15:43:37 2011
>>>>>>>>>>             Not After : Sun Mar 11 15:43:37 2012
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> The error log will contain more interesting information.
>>>>>>>>>
>>>>>>>>> What does the status show in the output of ipa-getcert list?
>>>>>>>>>
>>>>>>>>> rob
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Thu, Mar 15, 2012 at 1:06 PM, Jimmy<g17jimmy at gmail.com>
>>>>>>>>>>  wrote:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> I can now start the upgraded IPA, but now going to the IPA admin
>>>>>>>>>>> page
>>>>>>>>>>> I get this:
>>>>>>>>>>>
>>>>>>>>>>> ====
>>>>>>>>>>>
>>>>>>>>>>> Not Found
>>>>>>>>>>>
>>>>>>>>>>> The requested URL /ipa was not found on this server.
>>>>>>>>>>>
>>>>>>>>>>> ====
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Freeipa-users mailing list
>>>>>>>>>> Freeipa-users at redhat.com
>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>
>>>>>
>>>
>

More information about the Freeipa-users mailing list