[Freeipa-users] ipa host-del
george he
george_he7 at yahoo.com
Wed Sep 5 16:00:00 UTC 2012
I did:
# setenforce 0
# ipactl restart
(here still the same error about worker ajp://localhost:9447/ already used by another worker)
# ipa host-del myclient
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Service Temporarily Unavailable)
By the way, I can delete other clients with no problem. The only difference with this client is that I once did ipa-getkeytab on it for an nfs client (and it turns out I don't need a keytab to be an nfs client).
Thanks,
George
>________________________________
> From: Ade Lee <alee at redhat.com>
>To: george he <george_he7 at yahoo.com>
>Cc: Rob Crittenden <rcritten at redhat.com>; "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>Sent: Wednesday, September 5, 2012 11:38 AM
>Subject: Re: [Freeipa-users] ipa host-del
>
>weird. Can you try putting selinux in permissive mode, and then
>restarting ipa?
>
>On Wed, 2012-09-05 at 08:21 -0700, george he wrote:
>> This is a newly installed system. It does most of the things, but I
>> just cannot del the host that I have uninstalled ipa-client from, which
>> prevents me from re-installing ipa-client.
>> Here are the versions:
>>
>> pki-ca.noarch 9.0.3-24.el6
>> pki-common.noarch 9.0.3-24.el6
>> jss.x86_64 4.2.6-22.el6
>> nss.x86_64 3.13.5-1.el6_3
>> tomcat6.noarch 6.0.24-45.el6
>> java-1.5.0-gcj.x86_64 1.5.0.0-29.1.el6
>> java-1.6.0-openjdk.x86_64 1:1.6.0.0-1.48.1.11.3.el6_2
>> java_cup.x86_64 1:0.10k-5.el6
>> Thanks for your help.
>> George
>>
>>
>> ______________________________________________________________
>> From: Ade Lee <alee at redhat.com>
>> To: george he <george_he7 at yahoo.com>
>> Cc: Rob Crittenden <rcritten at redhat.com>; "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>> Sent: Wednesday, September 5, 2012 10:46 AM
>> Subject: Re: [Freeipa-users] ipa host-del
>>
>>
>> The logs seem to show that the CA cannot find JSS.
>>
>> What versions of the following are on your system?
>> pki-ca, pki-common, jss, nss, tomcat6, tomcat, java
>>
>> Is this a system that was working and now fails to work? Or is this a
>> new instance?
>>
>> Ade
>> On Wed, 2012-09-05 at 06:41 -0700, george he wrote:
>> > there are something like these:
>> >
>> > type=AVC msg=audit(1346710042.243:56): avc: denied { execute } for pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
>> > type=AVC msg=audit(1346710042.243:57): avc: denied { execute } for pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
>> >
>> > and some others like these:
>> > type=AVC msg=audit(1346838993.154:2567): avc: denied { search } for pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
>> > type=AVC msg=audit(1346838993.154:2568): avc: denied { search } for pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
>> >
>> > And yes, I did yum update recently.
>> > Where else should I look?
>> > Thanks,
>> > George
>> >
>> >
>> >
>> > ______________________________________________________________
>> > From: Rob Crittenden <rcritten at redhat.com>
>> > To: george he <george_he7 at yahoo.com>
>> > Cc: Ade Lee <alee at redhat.com>; "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>> > Sent: Wednesday, September 5, 2012 8:40 AM
>> > Subject: Re: [Freeipa-users] ipa host-del
>> >
>> >
>> > george he wrote:
>> > > here are the new errors:
>> > > # rm /var/log/pki-ca/*
>> > > # service dirsrv restart
>> > > # service pki-cad restart
>> > > # grep -i error /var/log/pki-ca/*
>> > > /var/log/pki-ca/catalina.2012-09-05.log:WARNING: Error while removing context [/ca]
>> > > /var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error initializing socket factory
>> > > /var/log/pki-ca/catalina.2012-09-05.log:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>> > > /var/log/pki-ca/catalina.2012-09-05.log:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>> > > /var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error deploying web application directory ca
>> > > /var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
>> > > /var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>> > > /var/log/pki-ca/catalina.out:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>> > > /var/log/pki-ca/catalina.out:SEVERE: Error deploying web application directory ca
>> > > /var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
>> > > /var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>> > > /var/log/pki-ca/catalina.out:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>> >
>> > Hmm. Is there any additional information in the debug log? Any AVCs in
>> > /var/log/audit/audit.log?
>> >
>> > Have you updated any packages recently? I'm not sure why dogtag would be
>> > throwing this exception.
>> >
>> > rob
>> >
>> > >
>> > > ------------------------------------------------------------------------
>> > > *From:* Rob Crittenden <rcritten at redhat.com>
>> > > *To:* george he <george_he7 at yahoo.com>
>> > > *Cc:* John Dennis <jdennis at redhat.com>; "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>> > > *Sent:* Tuesday, September 4, 2012 9:49 PM
>> > > *Subject:* Re: [Freeipa-users] ipa host-del
>> > >
>> > > george he wrote:
>> > > > both of the commands "service dirsrv restart" and "service pki-cad
>> > > > restart" reported:
>> > > > stopping ... OK
>> > > > starting ... OK
>> > > > but host-del still has the same error.
>> > > > More suggestions?
>> > >
>> > > Check the logs again. The service starting does not mean it kept
>> > > running.
>> > >
>> > > rob
>> > >
>> > > > Thanks,
>> > > > George
>> > > >
>> > > > ------------------------------------------------------------------------
>> > > > *From:* Rob Crittenden <rcritten at redhat.com>
>> > > > *To:* george he <george_he7 at yahoo.com>
>> > > > *Cc:* John Dennis <jdennis at redhat.com>; "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>> > > > *Sent:* Tuesday, September 4, 2012 4:20 PM
>> > > > *Subject:* Re: [Freeipa-users] ipa host-del
>> > > >
>> > > > george he wrote:
>> > > > > I'm running centos 6.3
>> > > > > # uname -r
>> > > > > 2.6.32-279.5.2.el6.x86_64
>> > > > >
>> > > > > pki-ca: unrecognized service
>> > > > >
>> > > > > There are tons of errors in /var/log/pki-ca/*, some of them are:
>> > > > > /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
>> > > > > /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
>> > > > > /var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:01 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
>> > > > > /var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:10 EDT] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
>> > > > > /var/log/pki-ca/system:3281.main - [31/Aug/2012:17:54:28 EDT] [8] [3] In Ldap (bound) connection pool to host cushing.psych.yale.edu port 7389, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: failed to connect to server ldap://cushing.psych.yale.edu:7389 (91)
>> > > > > /var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error initializing socket factory
>> > > > > /var/log/pki-ca/catalina.2012-09-03.log:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>> > > > > /var/log/pki-ca/catalina.2012-09-03.log:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>> > > > > /var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error deploying web application directory ca
>> > > >
>> > > > The problem looks to be that the dogtag 389-ds instance is not started.
>> > > > I'd try: service dirsrv restart PKI-IPA
>> > > >
>> > > > Then service pki-cad restart
>> > > >
>> > > > rob
>> > > >
>
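The audit.log excerpt quoted in this thread mixes AVC denials from unrelated domains. As an added example (not part of the original thread), the Python below groups denials by SELinux source domain so the ones raised by the CA's pki_ca_t domain stand apart from the gdm entries. The sample lines are the records quoted above; the function names are illustrative.

```python
import re
from collections import Counter

# AVC records quoted in the thread (one gdm record, both pki_ca_t records).
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1346710042.243:56): avc: denied { execute } for pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1346838993.154:2567): avc: denied { search } for pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1346838993.154:2568): avc: denied { search } for pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
'''

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type:level; the third field is the domain/label.
    rec['source_type'] = rec.get('scontext', ':::').split(':')[2]
    rec['target_type'] = rec.get('tcontext', ':::').split(':')[2]
    return rec


def denials_for_domain(log_text, domain):
    """Count denials whose source domain is `domain`, grouped by what was denied."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec['source_type'] == domain:
            key = (rec.get('comm'), tuple(rec['perms']), rec['target_type'],
                   rec.get('tclass'), rec.get('name'))
            counts[key] += 1
    return counts


if __name__ == '__main__':
    for key, n in denials_for_domain(SAMPLE_AUDIT_LOG, 'pki_ca_t').items():
        print(n, *key)
```
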