Winfried de Heiden via FreeIPA-users wrote:
> Hi all,
> 
> /var/lib/ipa/private/httpd.key was in a status "waiting for PIN", but I
> did bring it back to life using "ipa-getcert resubmit -i 20200117075404
> -p /var/lib/ipa/passwds/xxxx-443-RSA". All certs look fine now.
> "getcert list" works, although it's a bit slow the first time (running
> on a Udoo x86 board with a celeron....)
> 
> Just to be sure about dbus, I restarted the entire machine; no success. :-(
> 
> Timing issue and/or caused by my rather slow Udoo board.....?

It is very possible. I fixed an issue in certmonger where every time it
forked (and it forks a LOT) it closed ALL the fds it knew about. On
containers this was 1M. It took a LONG time. The default is a more
modest 1k but can still take a while given the amount of forks that
certmonger does. This is fixed upstream, and I don't know of a
workaround, but this can definitely lead to timeout issues if certmonger
is being restarted immediately before this failure.

To diagnose it see what the load on the system is and what processes are
running. If you see dozens of certmonger processes with high load then
that's probably it. You'd have to hack the update script to do a sleep
to give things a chance to settle down.

rob

> 
> Winfried
> 
> 
> 
> 
> 
> Rob Crittenden wrote on Sat 25-01-2020 at 14:53 [-0500]:
>> Winfried de Heiden via FreeIPA-users wrote:
>>> Hi all,
>>>
>>> Using CentOS Linux release 8.1.1911 and the Stream repositories,
>>> upgrading IPA fails:
>>>
>>> (    Upgrade  ipa-server-common-4.8.0-13.module_el8.1.0+265+e1e65be4.noarch
>>> @AppStream
>>>     Upgraded
>>> ipa-server-common-4.8.0-11.module_el8.1.0+253+3b90c921.noarch @@System )
>>>
>>> Running ipa-server-upgrade manually will result in:
>>>
>>> [Upgrading CA schema]
>>> CA schema update complete (no changes)
>>> [Verifying that CA audit signing cert has 2 year validity]
>>> [Update certmonger certificate renewal configuration]
>>> Introspect error on :1.417:/org/fedorahosted/certmonger:
>>> dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did
>>> not receive a reply. Possible causes include: the remote application did
>>> not send a reply, the message bus security policy blocked the reply, the
>>> reply timeout expired, or the network connection was broken.
>>
>> I assume certmonger and dbus services are running?
>>
>> Does `getcert list` work?
>>
>> The dbus service sometimes isn't too fond of being restarted but you
>> could try that.
>>
>> rob
>>
> 
> 
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> 
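
The diagnosis and the "sleep" workaround described in the reply above, as an added example that is not part of the original thread or of FreeIPA's own upgrade script: it counts certmonger processes, reads the 1-minute load, and only starts `ipa-server-upgrade` once both have settled. The thresholds, polling interval and function names are assumptions.

```shell
#!/bin/sh
# Added example: wait for certmonger to settle before running the upgrade.
# Thresholds and function names are assumptions, not values from the thread.

MAX_PROCS=${MAX_PROCS:-5}   # assumed: more certmonger processes than this = still busy
MAX_LOAD=${MAX_LOAD:-2}     # assumed: ceiling for the 1-minute load (integer part)
LOADAVG_FILE=${LOADAVG_FILE:-/proc/loadavg}

# Count certmonger processes in "ps -eo comm=" style input read from stdin.
count_certmonger() {
    awk '$1 == "certmonger" { n++ } END { print n + 0 }'
}

# Integer part of the 1-minute load average from a /proc/loadavg style file.
load_1min() {
    awk '{ print int($1) }' "$1"
}

# Succeeds when process count and load are both at or under the limits.
settled() {   # usage: settled <proc_count> <load_int>
    [ "$1" -le "$MAX_PROCS" ] && [ "$2" -le "$MAX_LOAD" ]
}

# Poll until settled or until the attempts run out; prints one line per poll.
wait_for_certmonger() {   # usage: wait_for_certmonger <attempts> <sleep_seconds>
    tries=$1
    while [ "$tries" -gt 0 ]; do
        procs=$(ps -eo comm= | count_certmonger)
        load=$(load_1min "$LOADAVG_FILE")
        # The open-file limit is shown because the fd-closing cost scales with it.
        echo "certmonger procs: $procs, load(1m): $load, nofile limit: $(ulimit -n)"
        if settled "$procs" "$load"; then return 0; fi
        tries=$((tries - 1))
        sleep "$2"
    done
    return 1
}

# Only act when called with "run", so the functions can be sourced on their own.
if [ "${1:-}" = "run" ]; then
    wait_for_certmonger 30 10 && exec ipa-server-upgrade
    echo "certmonger did not settle; not starting the upgrade" >&2
    exit 1
fi
```

Invoke it as root with the single argument `run`; without that argument it only defines the functions.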