Along with the logs listed below, searching through the certificates is
not possible. A message is returned:
Certificate operation cannot be completed: Unable to communicate with
CMS (Internal Server Error)
Certmonger is running and pki-tomcatd is not. "journalctl -u
pki-tomcatd@pki-tomcat.service" shows certificates are not being
matched. What am I missing?
Server Logs:
conn=23 fd=85 slot=85 SSL connection from XXX.XXX.XXX.91 to XXX.XXX.XXX.91
conn=23 TLS1.2 256-bit AES; client CN=CA Subsystem,O=<REALM>; issuer
CN=Certificate Authority,O=<REALM>
conn=23 TLS1.2 failed to map client certificate to LDAP DN (Could not
matching certificate in User's LDAP entry)
conn=23 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
conn=23 op=0 RESULT err=49 tag=97 nentries=0 etime=0.0022754084 -
Client certificate mapping failed
conn=73 fd=123 slot=123 connection from XXX.XXX.XXX.241 to XXX.XXX.XXX.91
[09/May/2018:08:18:50.038802503 -0500] conn=73 op=0 EXT
oid="1.3.6.1.4.1.1466.20037" name="start_tls_plugin"
[09/May/2018:08:18:50.038845419 -0500] conn=73 op=0 RESULT err=0
tag=120 nentries=0 etime=0.0000382164
[09/May/2018:08:18:50.046139659 -0500] conn=73 TLS1.2 256-bit AES-GCM
[09/May/2018:08:18:50.046531729 -0500] conn=73 op=1 BIND
dn="cn=Replication Manager
cloneAgreement1-fitch.<domain>-pki-tomcat,ou=csusers,cn=config"
method=128 version=3
[09/May/2018:08:18:50.046882326 -0500] conn=73 op=1 RESULT err=49
tag=97 nentries=0 etime=0.0007732885
[09/May/2018:08:18:50.085596219 -0500] conn=73 op=2 UNBIND
[09/May/2018:08:18:50.085625301 -0500] conn=73 op=2 fd=123 closed - U1
*Michael Rainey*
Network Representative
Naval Research Laboratory, Code 7320
Building 1009, Room C156
Stennis Space Center, MS 39529
On 05/09/2018 03:46 PM, Mark Reynolds via FreeIPA-users wrote:
On 05/09/2018 04:23 PM, Michael Rainey (Contractor, Code 7320) via
FreeIPA-users wrote:
Rob,
A big thank you for showing me how to bring the service back. You are
correct that it doesn't resolve the cause. I suspect I'm in a bit of
certificate hades. The first sign of problems start with pki-tomcatd
failing to start. Testing of the https:<server_name> url says the
connection is refused. I haven't been able to track down the cause.
However, I do have other systems exhibiting the same problem.
Could not connect to LDAP server host fitch.<domain> port 636 Error
netscape.ldap.LDAPException: Authentication failed (49)
From here, I'm not certain where to look. Is this an issue with
certmonger, pki-tomcatd, or something else?
You need to look at the Directory Server access log to find what BIND
DN is having problems:
/var/log/dirsrv/slapd-YOUR_INSTANCE/access
Then grep for "err=49". It should say if it's a bad password or if
the bind dn is missing (no such object)
Any suggestions?
*Michael Rainey*
Network Representative
Naval Research Laboratory, Code 7320
Building 1009, Room C156
Stennis Space Center, MS 39529
On 05/09/2018 02:41 PM, Rob Crittenden via FreeIPA-users wrote:
Michael Rainey (Contractor, Code 7320) via FreeIPA-users wrote:
Greetings community,
I'm having some major issues with my IPA servers and myself
activating the bat signal seeking some help. We recently upgraded
this system to SL7.5 and ran the ipa-server-upgrade command.
During the upgrade the process failed and access to the LDAP
service is no longer possible. Running the "ipactl restart" command
results in:
Failed to get service list from file: Unknown error when
retrieving list of services from file: [Errno 2] No such file or
directory: '/var/run/ipa/services.list'
I have tried running the "ipa-replica-manage re-initialize" command
in an attempt to resync the servers to no avail. I have also been
reviewing certificates and no certificates appear to be expired. I
believe the main cause of this problem has been the pki-tomcatd
service would not start.
I'm guessing the first step in this process is to get the LDAP
server running again. Are there any steps that someone could
recommend to revive LDAP? I'm able to start and stop the service
manually, but the listening port 636 is not active.
Shut down dirsrv then edit dse.ldif and set:
nsslapd-port = 389
nsslapd-security = on
That should get things running but doesn't address the cause of the
upgrade failure.
rob
ERR - slapi_ldap_bind - Error: could not send startTLS request:
error -1 (Can't contact LDAP server) errno 107 (Transport endpoint
is not connected)
Your help is greatly appreciated.
--
*Michael Rainey*
Network Representative
Naval Research Laboratory, Code 7320
Building 1009, Room C156
Stennis Space Center, MS 39529
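As an added diagnostic example (not code from the thread or from FreeIPA/389-ds): a short Python script that does what Mark suggests, correlating each "err=49" RESULT line in the dirsrv access log with its BIND line via the conn/op pair, so a failed client-certificate mapping (SASL EXTERNAL, empty dn) can be told apart from a failed password bind (method=128). The log lines are constructed from the excerpts above, with placeholder addresses and realm.

```python
import re

# Constructed sample access-log lines modelled on the thread's excerpts;
# addresses, realm and DNs are placeholders, not real values.
SAMPLE_LOG = """\
conn=23 fd=85 slot=85 SSL connection from 192.0.2.91 to 192.0.2.91
conn=23 TLS1.2 256-bit AES; client CN=CA Subsystem,O=EXAMPLE.TEST; issuer CN=Certificate Authority,O=EXAMPLE.TEST
conn=23 TLS1.2 failed to map client certificate to LDAP DN (Could not matching certificate in User's LDAP entry)
conn=23 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
conn=23 op=0 RESULT err=49 tag=97 nentries=0 etime=0.0022754084 - Client certificate mapping failed
[09/May/2018:08:18:50.046531729 -0500] conn=73 op=1 BIND dn="cn=Replication Manager cloneAgreement1-fitch.example.test-pki-tomcat,ou=csusers,cn=config" method=128 version=3
[09/May/2018:08:18:50.046882326 -0500] conn=73 op=1 RESULT err=49 tag=97 nentries=0 etime=0.0007732885
conn=74 op=0 BIND dn="cn=Directory Manager" method=128 version=3
conn=74 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0001
"""

# BIND lines carry the DN and bind method; RESULT lines carry the error code
# and, for SASL/EXTERNAL failures, a trailing " - <reason>" text.
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\S+)'
                     r'(?: version=\d+)?(?: mech=(\S+))?')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)(?:.* - (.*))?')


def failed_binds(log_text):
    """Return [(dn, kind, detail)] for every RESULT with err=49 (invalid
    credentials), matched to its BIND line by the (conn, op) pair."""
    binds = {}      # (conn, op) -> (dn, method, mech)
    failures = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            conn, op, dn, method, mech = m.groups()
            binds[(conn, op)] = (dn, method, mech)
            continue
        m = RESULT_RE.search(line)
        if m and m.group(3) == "49":
            dn, method, mech = binds.get((m.group(1), m.group(2)), ("?", "?", None))
            if mech == "EXTERNAL":
                kind = "cert-mapping"   # client cert could not be mapped to an entry
            elif method == "128":
                kind = "simple-bind"    # password bind: bad password or no such object
            else:
                kind = "other"
            failures.append((dn, kind, m.group(4) or ""))
    return failures


if __name__ == "__main__":
    for dn, kind, detail in failed_binds(SAMPLE_LOG):
        print(f"{kind:12s} dn={dn!r} {detail}")
```

Run it against the real file with `failed_binds(open("/var/log/dirsrv/slapd-YOUR_INSTANCE/access").read())`; the SASL/EXTERNAL entries point at the certificate-to-DN mapping, the method=128 ones at the bind DN or its password.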
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to
freeipa-users-le...@lists.fedorahosted.org