[Freeipa-users] (no subject)

Rob Crittenden rcritten at redhat.com
Fri Mar 16 16:51:06 UTC 2012


Jimmy wrote:
> Here are the latest logs and info. Thanks. Jimmy

What did you change to fix the ca_audit problem?

There are two problems that I can see:

1. certmonger is failing because of SSL trust issues. Have you changed 
the NSS database(s) recently for Apache or 389-ds, or /etc/pki/nssdb?

2. Looks like there is some corruption in the dogtag LDAP instance based 
on all the entries not found.

rob

>
> ipagetcert list output- http://fpaste.org/OAra/
>
> pki-ca system log -- http://fpaste.org/Uomy/
> catalina.out -- http://fpaste.org/5MR1/
> selftests -- http://fpaste.org/CwDF/
> debug -- http://fpaste.org/Wy0o/
>
> On Fri, Mar 16, 2012 at 11:08 AM, Rob Crittenden<rcritten at redhat.com>  wrote:
>> Jimmy wrote:
>>>
>>> I didn't see a catalina.log on my system, but there is a catalina.out:
>>>
>>> http://fpaste.org/KgJn/
>>
>>
>> That's the one. Looks like the CA isn't starting.
>>
>> Does /var/lib/pki-ca/logs/signedAudit/ca_audit exist? If so, what is the
>> SELinux context (ls -lZ)?
>>
>> rob
>>
>>>
>>> -J
>>>
>>> On Thu, Mar 15, 2012 at 5:37 PM, Rob Crittenden<rcritten at redhat.com>
>>>   wrote:
>>>>
>>>> Jimmy wrote:
>>>>> error log: http://fpaste.org/efyf/
>>>>>
>>>>> CA debug: http://fpaste.org/LemM/
>>>>>
>>>>> CA localhost log: http://fpaste.org/q4MU/
>>>>>
>>>>> That's all I can find that corresponds to the time I ran the getcert.
>>>>
>>>> I'd look at the catalina.log, is dogtag coming up ok?
>>>>
>>>> rob
>>>>
>>>>> Jimmy
>>>>> On Thu, Mar 15, 2012 at 4:47 PM, Rob Crittenden<rcritten at redhat.com>
>>>>>   wrote:
>>>>>>
>>>>>> Jimmy wrote:
>>>>>>> Still shows status: CA_UNREACHABLE
>>>>>>>
>>>>>>> http://fpaste.org/UrTJ/
>>>>>>
>>>>>> If there was an Internal Server Error there should be an error in the
>>>>>> Apache error log or something in the CA debug/transaction log (or both).
>>>>>> Can you check those?
>>>>>>
>>>>>> rob
>>>>>>
>>>>>>> On Thu, Mar 15, 2012 at 3:22 PM, Rob Crittenden<rcritten at redhat.com>
>>>>>>>   wrote:
>>>>>>>>
>>>>>>>> Jimmy wrote:
>>>>>>>>> I used yum to upgrade certmonger now the access_log has nothing new
>>>>>>>>> when I run the ipa-getcert, but error_log shows this:
>>>>>>>>>
>>>>>>>>> [Sat Mar 10 21:47:21 2012] [error] ipa: INFO: sslget
>>>>>>>>> 'https://xyz-ipa.abc.xyz:443/ca/agent/ca/displayBySerial'
>>>>>>>>> [Sat Mar 10 21:47:21 2012] [error] ipa: INFO:
>>>>>>>>> host/xyz-ipa.abc.xyz at ABC.XYZ:
>>>>>>>>> cert_request(u'[...]cJuw3cwOfH8zrBRV28XYhMLm0OOhj92uxgax5UPY2VyHP5UOtOnfuduU1ZXa+o8QIXqX7/HyDSCLGwiPJscAsp9cRzjn4KvqzZDOcdGEjXmCGfrmUiMcuzVyTDR2SdAWrHdbRmXeyVxmiBPzdk=',
>>>>>>>>> principal=u'ldap/xyz-ipa.abc.xyz at ABC.XYZ', add=True):
>>>>>>>>> CertificateOperationError
>>>>>>>>
>>>>>>>> What does ipa-getcert list show?
>>>>>>>>
>>>>>>>> You may now have something in the CA logs too.
>>>>>>>>
>>>>>>>> rob
>>>>>>>>>
>>>>>>>>> On Thu, Mar 15, 2012 at 2:07 PM, Rob Crittenden<rcritten at redhat.com>
>>>>>>>>>   wrote:
>>>>>>>>>>
>>>>>>>>>> Jimmy wrote:
>>>>>>>>>>> Which error log? The pki-ca error log has nothing and the httpd
>>>>>>>>>>> error log has nothing, and the httpd access log has this: (yes, the
>>>>>>>>>>> dates are set back a few days, bc the current cert expires on 3/11)
>>>>>>>>>>>
>>>>>>>>>>> 192.168.201.102 - - [10/Mar/2012:21:27:24 +0000] "POST /ipa/xml HTTP/1.1" 401 1775
>>>>>>>>>>> 192.168.201.102 - host/abc-ipa.abc.xyz at ABC.XYZ [10/Mar/2012:21:27:25 +0000] "POST /ipa/xml HTTP/1.1" 200 314
>>>>>>>>>>>
>>>>>>>>>>> here is the ipa-getcert list:
>>>>>>>>>>>
>>>>>>>>>>> http://fpaste.org/Dzr3/
>>>>>>>>>>
>>>>>>>>>> You need to update certmonger, it isn't setting a Referer HTTP header
>>>>>>>>>> in its request. That is now required by IPA.
>>>>>>>>>>
>>>>>>>>>> rob
>>>>>>>>>>
>>>>>>>>>>> On Thu, Mar 15, 2012 at 1:33 PM, Rob
>>>>>>>>>>> Crittenden<rcritten at redhat.com>
>>>>>>>>>>>   wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Jimmy wrote:
>>>>>>>>>>>>> Restarted IPA and now the interface loads, but resubmitting the
>>>>>>>>>>>>> cert has this result -
>>>>>>>>>>>>>
>>>>>>>>>>>>> ipa-getcert resubmit -i 20110913154233
>>>>>>>>>>>>> 192.168.201.102 - - [10/Mar/2012:20:53:13 +0000] "POST /ipa/xml
>>>>>>>>>>>>> HTTP/1.1" 401 1775
>>>>>>>>>>>>> 192.168.201.102 - host/abc-ipa.abc.xyz at ABC.XYZ
>>>>>>>>>>>>> [10/Mar/2012:20:53:13
>>>>>>>>>>>>> +0000] "POST /ipa/xml HTTP/1.1" 200 314
>>>>>>>>>>>>>
>>>>>>>>>>>>> but the cert still shows these dates-
>>>>>>>>>>>>>
>>>>>>>>>>>>>   Not Before: Tue Sep 13 15:43:37 2011
>>>>>>>>>>>>>              Not After : Sun Mar 11 15:43:37 2012
>>>>>>>>>>>>
>>>>>>>>>>>> The error log will contain more interesting information.
>>>>>>>>>>>>
>>>>>>>>>>>> What does the status show in the output of ipa-getcert list?
>>>>>>>>>>>>
>>>>>>>>>>>> rob
>>>>>>>>>>>>
>>>>>>>>>>>>> On Thu, Mar 15, 2012 at 1:06 PM, Jimmy<g17jimmy at gmail.com>
>>>>>>>>>>>>>   wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I can now start the upgraded IPA, but now going to the IPA
>>>>>>>>>>>>>> admin page I get this:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ====
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Not Found
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The requested URL /ipa was not found on this server.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ====
>>>>>>>>>>>>>
>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>> Freeipa-users mailing list
>>>>>>>>>>>>> Freeipa-users at redhat.com
>>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
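Rob's reply boils down to three checks: which certmonger requests are stuck in CA_UNREACHABLE, whether the IPA CA is still trusted in each NSS database (Apache's, 389-ds's and /etc/pki/nssdb), and what SELinux label ca_audit carries. The script below is an added example written for this page, not code from FreeIPA, certmonger or anyone in the thread. It parses constructed samples of `ipa-getcert list` and `certutil -L` output (modelled on the 2012-era formats); the CA nickname "ABC.XYZ IPA CA" is an assumption derived from the realm in the thread, and `triage_live_host` shows how the same helpers would be fed on a real server.

```shell
#!/bin/sh
# Added example for this page (not from FreeIPA, certmonger or the thread).
# Sample outputs below are constructed; the CA nickname is assumed.

# Read `ipa-getcert list` on stdin and print "<request id> <status> <stuck>"
# for every request that is not in MONITORING state.
getcert_problems() {
    awk '
        function flush() { if (id != "" && st != "MONITORING") print id, st, stuck }
        /^Request ID/    { flush(); id = $3; gsub(/[^0-9]/, "", id); st = "UNKNOWN"; stuck = "no" }
        /^[ \t]*status:/ { st = $2 }
        /^[ \t]*stuck:/  { stuck = $2 }
        END              { flush() }
    '
}

# Read `certutil -L -d <nssdb>` on stdin; succeed only if the certificate
# nicknamed $1 exists with the C (trusted CA) flag in the SSL trust slot.
# Apache, 389-ds and certmonger each use their own NSS database, so a CA
# re-imported into one of them without "CT,C,C" breaks exactly one client.
nss_ca_trusted() {
    awk -v nick="$1" '
        NF < 2 { next }                                # blank lines, SSL,S/MIME,JAR/XPI header
        {
            flags = $NF; $NF = ""; sub(/[ \t]+$/, "")   # nickname may contain spaces
            if ($0 == nick) {
                split(flags, slot, ",")
                if (index(slot[1], "C") > 0) found = 1
            }
        }
        END { if (found) exit 0; exit 1 }
    '
}

# Constructed sample of `ipa-getcert list`: one stuck request, one healthy one.
sample_getcert() {
    cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20110913154233':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-ABC-XYZ',nickname='Server-Cert',token='NSS Certificate DB',pin set
    CA: IPA
    expires: 2012-03-11 15:43:37 UTC
    track: yes
Request ID '20110913154300':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pin set
    CA: IPA
    expires: 2013-09-13 15:43:37 UTC
    track: yes
EOF
}

# Constructed `certutil -L -d /etc/httpd/alias` output with the IPA CA trusted.
sample_certutil_ok() {
    cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ABC.XYZ IPA CA                                               CT,C,C
Server-Cert                                                  u,u,u
ipaCert                                                      u,u,u
EOF
}

# Same database after the CA was re-imported with no trust flags: NSS cannot
# build a trusted chain, so the sslget to the CA fails with an SSL trust error.
sample_certutil_untrusted() {
    cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ABC.XYZ IPA CA                                               ,,
Server-Cert                                                  u,u,u
EOF
}

# How the helpers are fed on a real IPA 2.x server (not run here; paths are the
# ones named in the thread, the CA nickname is an assumption).
triage_live_host() {
    ipa-getcert list | getcert_problems
    for d in /etc/httpd/alias /etc/dirsrv/slapd-* /etc/pki/nssdb; do
        certutil -L -d "$d" | nss_ca_trusted "ABC.XYZ IPA CA" || echo "IPA CA not trusted in $d"
    done
    ls -lZ /var/lib/pki-ca/logs/signedAudit/ca_audit      # actual label
    matchpathcon /var/lib/pki-ca/logs/signedAudit/ca_audit  # label policy expects
}

# Demo on the constructed samples (safe anywhere).
sample_getcert | getcert_problems        # prints: 20110913154233 CA_UNREACHABLE yes
for s in sample_certutil_ok sample_certutil_untrusted; do
    if $s | nss_ca_trusted "ABC.XYZ IPA CA"; then echo "$s: CA trusted"; else echo "$s: CA NOT trusted"; fi
done
```

If `nss_ca_trusted` fails for only one of the three databases, that database is the one that was changed and the IPA CA needs to be re-imported there with `certutil -A -t "CT,C,C"`; if the label from `ls -lZ` differs from `matchpathcon`, `restorecon` on the ca_audit file is the fix for the audit-log problem Rob asked about earlier in the thread.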