It is contacting the correct machine. I tried again by IP with the same results.

/etc/httpd/conf.d/ipa-pki-proxy.conf is dated May 20 2014.

Web UI won't load. CLI won't respond either. Commands just hang.

# netstat -ln | grep 443
tcp6       0      0 :::8443                 :::*                    LISTEN
tcp6       2      0 :::443                  :::*                    LISTEN
# netstat -ln | grep 8009
tcp6       0      0 127.0.0.1:8009          :::*                    LISTEN
# curl -v https://zsipa.private.net:443/ca/admin/ca/getStatus
* Hostname was NOT found in DNS cache
*   Trying 192.168.208.53...
* Connected to zsipa.private.net (192.168.208.53) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
(long hang at this point, so I ^C-ed)

# openssl s_client -connect zsipa.private.net:443 -CAfile /etc/ipa/ca.crt -verify 10
verify depth is 10
CONNECTED(00000003)
(long hang at this point, aborted again)

For the other (longer) logs, see http://pastebin.com/esBBKyGZ

Also, answering Christian's questions:

mod_ssl has not been installed.

# ss -tpln | grep 443
LISTEN      0       100                :::8443               :::*     users:(("java",pid=26522,fd=84))
LISTEN      13      128                :::443                :::*     users:(("httpd",pid=26323,fd=6))
#

On 04/29/2016 10:08 AM, Petr Vobornik wrote:
On 04/29/2016 02:53 PM, Bret Wortman wrote:
Despite "ipactl status" indicating that all processes were running after
step 1, step 2 produces "Unable to establish SSL connection."

Full terminal session is at http://pastebin.com/ZuNBHPy0
Hm, it doesn't help me much.

Does it contact the correct machine? I.e., is the IP address OK?

What is the result of:

netstat -ln | grep 443
netstat -ln | grep 8009

Have you, by any chance, modified /etc/httpd/conf.d/ipa-pki-proxy.conf?

Try to run curl; maybe it will be more verbose, but probably not:

   # curl -v https://zsipa.private.net:443/ca/admin/ca/getStatus

Christian(CCd), do you have any ideas?

Could you look into /var/log/httpd/error_log or syslog (I would try
/var/log/messages and journalctl)? There might be more information about:
"""
status: NEED_TO_SUBMIT
ca-error: Internal error
"""
which may help us find the root cause.

Do web ui or CLI work?

On 04/29/2016 07:29 AM, Petr Vobornik wrote:
On 04/29/2016 12:03 PM, Bret Wortman wrote:
The date change was due (I think) to me changing the date back to 4/1
yesterday, though I left it there and haven't updated it again until
this morning, when I went back to 4/1 again.

I put the results of the commands you requested at
https://pastebin.com/s7cHAh6R. Thanks for your help, Petr. I really
appreciate it.


Bret
If I combine this and the previous output, it seems that:

- PKI starts normally
- ipactl has trouble determining that PKI started, and after 5 minutes
of failed attempts it stops the whole of IPA (expected behavior when a
service doesn't start)

The failed attempt is:
"""
ipa: DEBUG: Waiting until the CA is running
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
'--no-check-certificate'
'https://zsipa.private.net:443/ca/admin/ca/getStatus'
ipa: DEBUG: Process finished, return code=4
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=--2016-04-01 09:39:50--
https://zsipa.private.net/ca/admin/ca/getStatus
Resolving zsipa.private.net (zsipa.private.net)... 192.168.208.53
Connecting to zsipa.private.net
(zsipa.private.net)|192.168.208.53|:443... connected.
Unable to establish SSL connection.

ipa: DEBUG: The CA status is: check interrupted due to error: Command
''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate'
'https://zsipa.private.net:443/ca/admin/ca/getStatus'' returned non-zero
exit status 4
"""

It says "Unable to establish SSL connection"; it would be good to get
more details.

Also, given that the CA cert was renewed on April 3rd and that all certs
expire after that date, we should rather use April 4th when moving the
date back.

So first start IPA again (date April 4th), but force it to not stop
services:

1. ipactl start --force
wait until all is started
2. wget -v -d -S -O - --timeout=30 --no-check-certificate
https://zsipa.private.net:443/ca/admin/ca/getStatus

optionally (assuming that the CA won't be turned off)
3. getcert list



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
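The thread's diagnostics all stop at the same point: TCP connects (wget says "connected", curl and openssl s_client then hang), and `ss -tpln` shows the `:443` LISTEN socket with Recv-Q 13, which for a listening socket is the number of completed connections the daemon has not yet accept()ed. The following is an added example, not FreeIPA's code or anything posted in the thread: it reads `ss -tpln` output for listeners whose accept queue is non-empty, and probes a TLS port with separate timeouts on the TCP connect and the TLS handshake, so "accepted by the kernel but never serviced by httpd" is reported as a distinct outcome instead of an open-ended hang. The `ss` sample is constructed to mirror the thread's output, and the local "test double" servers are stand-ins for a stalled or non-TLS httpd; hostnames and ports are illustrative.

```python
"""Tell 'TCP accepted, TLS never answered' apart from other TLS failures.

Added example (not FreeIPA code). SS_SAMPLE is constructed to mirror the
`ss -tpln` output in the thread; start_test_double() fakes a misbehaving httpd.
"""
import re
import socket
import ssl
import threading

# Constructed sample in the shape of `ss -tpln` output (process column on the
# same line, as ss prints it on a wide terminal).
SS_SAMPLE = (
    'LISTEN      0       100                :::8443               :::*     '
    'users:(("java",pid=26522,fd=84))\n'
    'LISTEN      13      128                :::443                :::*     '
    'users:(("httpd",pid=26323,fd=6))\n'
)

_SS_RE = re.compile(
    r'^LISTEN\s+(?P<recvq>\d+)\s+(?P<sendq>\d+)\s+\S+:(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+))?'
)


def parse_ss_listen(text):
    """One dict per LISTEN line. For a listening socket ss reports Recv-Q as
    the current accept-queue length and Send-Q as the configured backlog."""
    rows = []
    for line in text.splitlines():
        m = _SS_RE.match(line)
        if m:
            rows.append({'port': int(m['port']),
                         'accept_queue': int(m['recvq']),
                         'backlog': int(m['sendq']),
                         'process': m['proc'],
                         'pid': int(m['pid']) if m['pid'] else None})
    return rows


def stalled_listeners(text):
    """Listeners where completed connections pile up unaccepted: the kernel
    answered the SYN, so clients see 'connected', but the daemon never
    services them, so every TLS handshake just hangs."""
    return [r for r in parse_ss_listen(text) if r['accept_queue'] > 0]


def probe_tls(host, port, timeout=5.0):
    """Classify a TLS endpoint. Returns 'refused', 'unreachable',
    'connect_timeout', 'handshake_timeout', 'tls_error',
    'closed_during_handshake' or 'ok:<protocol>'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return 'refused'
    except (socket.timeout, TimeoutError):
        return 'connect_timeout'
    except OSError:
        return 'unreachable'
    # Like wget --no-check-certificate: we diagnose the handshake here, not
    # the chain, so verification is off in this probe only.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # wrap_socket() runs the handshake now and inherits the socket timeout.
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return 'ok:' + tls.version()
    except (socket.timeout, TimeoutError):
        return 'handshake_timeout'       # TCP accepted, peer never spoke TLS
    except ssl.SSLEOFError:
        return 'closed_during_handshake'
    except ssl.SSLError:
        return 'tls_error'               # peer answered, but not with TLS
    except OSError:
        return 'closed_during_handshake'


def start_test_double(mode):
    """Local stand-in for a broken httpd (constructed for this example).
    'hang': accepts TCP and never sends anything. 'plaintext': answers HTTP
    instead of TLS. Returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(('127.0.0.1', 0))
    srv.listen(5)
    held = []  # keep hung connections referenced so they stay open

    def run():
        while True:
            conn, _ = srv.accept()
            if mode == 'hang':
                held.append(conn)
            else:
                conn.recv(4096)  # consume the ClientHello so close() sends FIN, not RST
                conn.sendall(b'HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n')
                conn.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def unused_port():
    """A port nothing is listening on (bind, read the number, release)."""
    with socket.socket() as s:
        s.bind(('127.0.0.1', 0))
        return s.getsockname()[1]


if __name__ == '__main__':
    for row in stalled_listeners(SS_SAMPLE):
        print(f"port {row['port']} ({row['process']} pid {row['pid']}): "
              f"{row['accept_queue']} connections waiting in accept queue")
    print('hung httpd  ->', probe_tls('127.0.0.1', start_test_double('hang'), timeout=2))
    print('plain http  ->', probe_tls('127.0.0.1', start_test_double('plaintext'), timeout=2))
```

Against a real server, `probe_tls(host, 443)` reporting `handshake_timeout` while `ss -tpln` shows a growing Recv-Q on the same port points at the daemon that owns the socket (httpd here), not at DNS, the network or the certificate; a `refused` or `tls_error` result would send the investigation elsewhere.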
