Okay. I got hung up on the first link doing some checking using
pki-server. I don't see any reference to ldapsearch in either message,
but I'll do what I can.
On 04/28/2016 12:04 PM, Petr Vobornik wrote:
On 04/28/2016 05:49 PM, Bret Wortman wrote:
My system shows pki-server is installed and V10.2.1-3.fc21, but I don't
have the pki-server binary itself. Will reinstalling this rpm hurt me in
any way? Without it, I'm not sure how to check my system against the
messages you provided below.
Not sure what you mean. Running doesn't require any additional packages.
It is just to get additional logs.
systemctl status pki-tomcatd@pki-tomcat.service
journalctl -u pki-tomcatd@pki-tomcat.service
And the links below are about checking if CA users have correctly mapped
certificates in LDAP database in ou=people,o=ipaca for that you need
only ldapsearch command and start directory server:
systemctl start dirsrv@YOUR-REALM-TEST.service
Proper name for dirsrv@YOUR-REALM-TEST.service can be found using:
systemctl | grep dirsrv@
On 04/28/2016 11:07 AM, Petr Vobornik wrote:
On 04/28/2016 04:07 PM, Bret Wortman wrote:
Okay. This morning, I turned back time to 4/1 and started up IPA. It
didn't
work, but I got something new and interesting in the debug log, which
I've
posted to http://pastebin.com/M9VGCS8A. Lots of garbled junk came
pouring out
which doesn't happen when I'm set to real time. Is /this/ significant?
Anything in
systemctl status pki-tomcatd@pki-tomcat.service
or rather:
journalctl -u pki-tomcatd@pki-tomcat.service
?
Just to be sure, it might be also worth to check if CA subsystem users
have correct certs assigned:
*
https://www.redhat.com/archives/freeipa-users/2016-April/msg00138.html
*
https://www.redhat.com/archives/freeipa-users/2016-April/msg00143.html
On 04/27/2016 02:24 PM, Bret Wortman wrote:
I put excerpts from the ca logs in http://pastebin.com/gYgskU79. It
looks
logical to me, but I can't spot anything that looks like a root
cause error.
The selftests are all okay, I think. The debug log might have
something, but
it might also just be complaining about ldap not being up because
it's not.
On 04/27/2016 01:11 PM, Rob Crittenden wrote:
Bret Wortman wrote:
So in lieu of fixing these certs, is there an acceptable way to dump
them all and start over /without losing the contents of the IPA
database/? Or otherwise really screwing ourselves?
I don't believe there is a way.
We have a replica that's still up and running and we've switched
everyone over to talking to it, but we're at risk with just the one.
I'd ignore the two unknown certs for now. They look like someone was
experimenting with issuing a cert and didn't quite get things working.
The CA seems to be throwing an error. I'd check the syslog for
messages from
certmonger and look at the CA debug log and selftest log.
rob
[snip]
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
