Re: [Freeipa-users] ipa host-del not authorised
Hi all

Many thanks for the replies here. As it turned out I just needed to run kinit admin and enter the password, as Net Vent suggested, and that resolved the issue. For that matter, I found I could also simply run su - admin and then run the ipa host-del command and also achieve the same result.

On 25 September 2014 18:41, Martin Kosek wrote:
> On 09/25/2014 04:11 AM, Alex Harvey wrote:
> > Hi all
> >
> > I'm new to IPA and struggling a bit to automate some tasks.
> >
> > I am unable to delete hosts from the command line although have no problem doing this using the GUI, e.g.
> >
> > [root@myipaserver ~]# ipa host-del myhost.example.com
> >
> > ipa: ERROR: Insufficient access: not allowed to perform this command
> >
> > I guess I need to somehow pass the admin user's username and password? However the man page doesn't seem to provide any option for doing this.
> >
> > Thanks
> > Alex
>
> Hello Alex,
>
> I assume you created a non-admin user with some permissions allowing deleting a host.
>
> This error message is thrown when a virtual operation check fails. This is raised for example when a user is trying to do an unauthorized operation with certificates, like if a user having host deletion permission does not also have permission to revoke certificates for deleted users.
>
> Does the privileged user have "Revoke Certificate" permission assigned through some privilege/role?
>
> The mismatch of behavior between CLI and UI is strange. They call the same code, maybe you run it with different users.
>
> Also, what is your FreeIPA version?
>
> Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
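Alex's fix is to authenticate as admin interactively. For the automation he is after, the following is an added example (my code, not from the thread and not part of FreeIPA): it obtains a ticket from a keytab for a dedicated principal instead of admin, and tells apart the two failures that came up in this thread, no ticket at all versus a ticket for a user whose role lacks a needed permission, which is the virtual-operation case Martin describes. The principal name, keytab path, the role and privilege names, and the permission names in the setup comment are placeholders or assumptions; list the real permission names on your version with `ipa permission-find`.

```shell
# Added example, not code from the thread or from FreeIPA itself.
# Non-interactive use of the ipa CLI: obtain a ticket from a keytab for a
# dedicated principal (not admin), then tell the two failure modes in this
# thread apart. Principal, keytab path and role names are placeholders.
IPA_PRINCIPAL="${IPA_PRINCIPAL:-hostmgmt@EXAMPLE.COM}"    # placeholder
IPA_KEYTAB="${IPA_KEYTAB:-/etc/ipa/hostmgmt.keytab}"      # placeholder

# Suggested one-time setup, run once as admin (the permission names are an
# assumption; list the real ones with 'ipa permission-find'):
#   ipa privilege-add "Host Removal"
#   ipa privilege-add-permission "Host Removal" \
#       --permissions="Remove Hosts" --permissions="Revoke Certificate"
#   ipa role-add "Host Manager"
#   ipa role-add-privilege "Host Manager" --privileges="Host Removal"
#   ipa role-add-member "Host Manager" --users=hostmgmt

# Classify the stderr text of a failed ipa command:
#   insufficient-access : the ticket was fine, the bound user lacks a
#                         permission (Martin's virtual-operation case, e.g.
#                         no "Revoke Certificate" alongside host removal)
#   no-credentials      : nothing usable in the credential cache
#   other               : anything else (unknown host, typo, ...)
classify_ipa_error() {
    case "$1" in
        *"Insufficient access"*)            echo insufficient-access ;;
        *Kerberos*|*kinit*|*credentials*)   echo no-credentials ;;
        *)                                  echo other ;;
    esac
}

# 'klist -s' is silent and exits non-zero when the cache is empty or
# expired; only then ask the KDC for a new ticket from the keytab.
ensure_ticket() {
    klist -s 2>/dev/null && return 0
    kinit -kt "$IPA_KEYTAB" "$IPA_PRINCIPAL"
}

# Run one ipa command. A credentials failure is retried once after a fresh
# kinit; a permission failure is reported with the check to make, because
# re-authenticating cannot fix it.
run_ipa() {
    errfile=$(mktemp)
    ipa "$@" 2>"$errfile"
    rc=$?
    if [ "$rc" -ne 0 ]; then
        err=$(cat "$errfile")
        case "$(classify_ipa_error "$err")" in
            no-credentials)
                kinit -kt "$IPA_KEYTAB" "$IPA_PRINCIPAL" && ipa "$@"
                rc=$? ;;
            insufficient-access)
                echo "$err" >&2
                echo "hint: does the role bound to $IPA_PRINCIPAL grant host removal AND 'Revoke Certificate'?" >&2 ;;
            *)
                echo "$err" >&2 ;;
        esac
    fi
    rm -f "$errfile"
    return "$rc"
}

# Usage on a real IPA server (not executed here):
#   ensure_ticket && run_ipa host-del myhost.example.com
```

The no-credentials branch matches loosely on "Kerberos", "kinit" and "credentials" because the exact wording the client prints without a ticket varies between versions; "Insufficient access" is the string from Alex's session and is checked first.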
Re: [Freeipa-users] ipa host-del not authorised
On 09/25/2014 04:11 AM, Alex Harvey wrote:
> Hi all
>
> I'm new to IPA and struggling a bit to automate some tasks.
>
> I am unable to delete hosts from the command line although have no problem doing this using the GUI, e.g.
>
> [root@myipaserver ~]# ipa host-del myhost.example.com
>
> ipa: ERROR: Insufficient access: not allowed to perform this command
>
> I guess I need to somehow pass the admin user's username and password? However the man page doesn't seem to provide any option for doing this.
>
> Thanks
> Alex

Hello Alex,

I assume you created a non-admin user with some permissions allowing deleting a host.

This error message is thrown when a virtual operation check fails. This is raised for example when a user is trying to do an unauthorized operation with certificates, like if a user having host deletion permission does not also have permission to revoke certificates for deleted users.

Does the privileged user have "Revoke Certificate" permission assigned through some privilege/role?

The mismatch of behavior between CLI and UI is strange. They call the same code, maybe you run it with different users.

Also, what is your FreeIPA version?

Martin
Re: [Freeipa-users] ipa host-del not authorised
Did you try executing this first:

kinit admin

On Sep 24, 2014 8:13 PM, "Alex Harvey" wrote:
> Hi all
>
> I'm new to IPA and struggling a bit to automate some tasks.
>
> I am unable to delete hosts from the command line although have no problem doing this using the GUI, e.g.
>
> [root@myipaserver ~]# ipa host-del myhost.example.com
>
> ipa: ERROR: Insufficient access: not allowed to perform this command
>
> I guess I need to somehow pass the admin user's username and password? However the man page doesn't seem to provide any option for doing this.
>
> Thanks
> Alex
Re: [Freeipa-users] ipa host-del
On 09/05/2012 07:47 PM, Alexander Bokovoy wrote:
> I did fix this for Fedora with F16 release in past -- in /usr/libexec/freeipa-systemd-update in Fedora packages there is an elaborate code to handle these updates of the symlinks.
> Perhaps we need to extract that part and add to RHEL6? (RHEL6 does not use systemd but the code for jss upgrade is the same).

https://bugzilla.redhat.com/show_bug.cgi?id=855413

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] ipa host-del
I did fix this for Fedora with F16 release in past -- in /usr/libexec/freeipa-systemd-update in Fedora packages there is an elaborate code to handle these updates of the symlinks.
Perhaps we need to extract that part and add to RHEL6? (RHEL6 does not use systemd but the code for jss upgrade is the same).

--
/ Alexander Bokovoy

- Original Message -
> From: "george he"
> To: "John Dennis" , a...@redhat.com
> Cc: freeipa-users@redhat.com
> Sent: Wednesday, September 5, 2012 9:40:10 PM
> Subject: Re: [Freeipa-users] ipa host-del
>
> Thanks a lot. It's deleted now!
> The .jar thing (i.e. jss4.jar, osutil.jar, and symkey.jar) was pointing to /usr/lib/..., but when I was struggling, I read on the web there was a post saying they should point to /usr/lib64/..., so I changed them. The weird thing is I THINK they were pointing to existing files, but now they are not.
>
> So I changed the links one more time to make them point to /usr/lib/..., restarted ipa, and host-del worked.
> Thanks again, guys.
> George
>
> From: John Dennis
> To: a...@redhat.com
> Cc: george he ; "freeipa-users@redhat.com"
> Sent: Wednesday, September 5, 2012 2:04 PM
> Subject: Re: [Freeipa-users] ipa host-del
>
> On 09/05/2012 10:46 AM, Ade Lee wrote:
>
> Let's verify the link to the jss4.jar is in place. Note this is an x86_64 system, Mathew did make some adjustments to where native (i.e. arch specific) jars are located. I think it moved from /usr/lib/java to /usr/lib64/java. pki-create would have been modified to set up links to them on a new install but it's possible the links weren't updated on an existing install. Not sure, guessing at the moment but I think it's worth pursuing.
>
> Please do this, it will list all the jars which should be visible to the CA tomcat instance, the jss4.jar should have a link under /var/lib/pki-ca/common/lib.
>
> sudo ls -l /var/lib/pki-ca/common/lib /var/lib/pki-ca/webapps/ca/WEB-INF/lib
>
> We want to verify none of the symbolic links listed above are dangling (point to a non-existent file). Pay particular attention to /var/lib/pki-ca/common/lib/jss4.jar, does it point to an existing file that's a valid jar? If not can you locate jss4.jar? Is it now under /var/lib64/java? If so adjust the symbolic link under /var/lib/pki-ca/common/lib to point to it. Do things work now after restarting?
>
> John
Re: [Freeipa-users] ipa host-del
On Wed, 2012-09-05 at 15:41 -0400, John Dennis wrote:
> On 09/05/2012 02:40 PM, george he wrote:
> > Thanks a lot. It's deleted now!
> > The .jar thing (i.e. jss4.jar, osutil.jar, and symkey.jar) was pointing to /usr/lib/..., but when I was struggling, I read on the web there was a post saying they should point to /usr/lib64/..., so I changed them. The weird thing is I THINK they were pointing to existing files, but now they are not.
> > So I changed the links one more time to make them point to /usr/lib/..., restarted ipa, and host-del worked.
> > Thanks again, guys.
> > George
>
> Glad it's working. Obviously we would like to know how you got into this situation and perhaps open a bug. But unfortunately since you've manually changed links it's hard to know if the logic used to update an existing system is robust or not. I recall when the issue of where to locate native jars on 64bit came up there was a fair amount of back and forth over where things would be installed and which links to introduce. Unfortunately I do not recall the final resolution, it might be that the tomcat instances were supposed to continue to point to /usr/lib/java and links would be set up there to point to the 64bit version. In any event I don't think we can file a bug at this point, but perhaps we need to pay attention and see if anyone else gets bitten by this.

I just recently had to fix this for my 'stable' install too, seems like we need to do better on upgrades going forward.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] ipa host-del
On 09/05/2012 02:40 PM, george he wrote:
> Thanks a lot. It's deleted now!
> The .jar thing (i.e. jss4.jar, osutil.jar, and symkey.jar) was pointing to /usr/lib/..., but when I was struggling, I read on the web there was a post saying they should point to /usr/lib64/..., so I changed them. The weird thing is I THINK they were pointing to existing files, but now they are not.
> So I changed the links one more time to make them point to /usr/lib/..., restarted ipa, and host-del worked.
> Thanks again, guys.
> George

Glad it's working. Obviously we would like to know how you got into this situation and perhaps open a bug. But unfortunately since you've manually changed links it's hard to know if the logic used to update an existing system is robust or not. I recall when the issue of where to locate native jars on 64bit came up there was a fair amount of back and forth over where things would be installed and which links to introduce. Unfortunately I do not recall the final resolution, it might be that the tomcat instances were supposed to continue to point to /usr/lib/java and links would be set up there to point to the 64bit version. In any event I don't think we can file a bug at this point, but perhaps we need to pay attention and see if anyone else gets bitten by this.

John

> *From:* John Dennis
> *To:* a...@redhat.com
> *Cc:* george he ; "freeipa-users@redhat.com"
> *Sent:* Wednesday, September 5, 2012 2:04 PM
> *Subject:* Re: [Freeipa-users] ipa host-del
>
> On 09/05/2012 10:46 AM, Ade Lee wrote:
> > The logs seem to show that the CA cannot find JSS.
> >
> > What versions of the following are on your system?
> > pki-ca, pki-common, jss, nss, tomcat6, tomcat, java
> >
> > Is this a system that was working and now fails to work? Or is this a new instance?
>
> Let's verify the link to the jss4.jar is in place. Note this is an x86_64 system, Mathew did make some adjustments to where native (i.e. arch specific) jars are located. I think it moved from /usr/lib/java to /usr/lib64/java. pki-create would have been modified to set up links to them on a new install but it's possible the links weren't updated on an existing install. Not sure, guessing at the moment but I think it's worth pursuing.
>
> Please do this, it will list all the jars which should be visible to the CA tomcat instance, the jss4.jar should have a link under /var/lib/pki-ca/common/lib.
>
> sudo ls -l /var/lib/pki-ca/common/lib /var/lib/pki-ca/webapps/ca/WEB-INF/lib
>
> We want to verify none of the symbolic links listed above are dangling (point to a non-existent file). Pay particular attention to /var/lib/pki-ca/common/lib/jss4.jar, does it point to an existing file that's a valid jar? If not can you locate jss4.jar? Is it now under /var/lib64/java? If so adjust the symbolic link under /var/lib/pki-ca/common/lib to point to it. Do things work now after restarting?
>
> John
>
> --
> John Dennis <jden...@redhat.com>
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] ipa host-del
george he wrote:
> Thanks a lot. It's deleted now!
> The .jar thing (i.e. jss4.jar, osutil.jar, and symkey.jar) was pointing to /usr/lib/..., but when I was struggling, I read on the web there was a post saying they should point to /usr/lib64/..., so I changed them. The weird thing is I THINK they were pointing to existing files, but now they are not.
> So I changed the links one more time to make them point to /usr/lib/..., restarted ipa, and host-del worked.

Glad it's working. I just wanted to follow up on this though. The host-del failure was just one symptom of the problem. Eventually you'd have hit a harder wall, such as not being able to prepare a new replica.

regards

rob
Re: [Freeipa-users] ipa host-del
Thanks a lot. It's deleted now!
The .jar thing (i.e. jss4.jar, osutil.jar, and symkey.jar) was pointing to /usr/lib/..., but when I was struggling, I read on the web there was a post saying they should point to /usr/lib64/..., so I changed them. The weird thing is I THINK they were pointing to existing files, but now they are not.

So I changed the links one more time to make them point to /usr/lib/..., restarted ipa, and host-del worked.
Thanks again, guys.
George

> From: John Dennis
> To: a...@redhat.com
> Cc: george he ; "freeipa-users@redhat.com"
> Sent: Wednesday, September 5, 2012 2:04 PM
> Subject: Re: [Freeipa-users] ipa host-del
>
> On 09/05/2012 10:46 AM, Ade Lee wrote:
> > The logs seem to show that the CA cannot find JSS.
> >
> > What versions of the following are on your system?
> > pki-ca, pki-common, jss, nss, tomcat6, tomcat, java
> >
> > Is this a system that was working and now fails to work? Or is this a new instance?
>
> Let's verify the link to the jss4.jar is in place. Note this is an x86_64 system, Mathew did make some adjustments to where native (i.e. arch specific) jars are located. I think it moved from /usr/lib/java to /usr/lib64/java. pki-create would have been modified to set up links to them on a new install but it's possible the links weren't updated on an existing install. Not sure, guessing at the moment but I think it's worth pursuing.
>
> Please do this, it will list all the jars which should be visible to the CA tomcat instance, the jss4.jar should have a link under /var/lib/pki-ca/common/lib.
>
> sudo ls -l /var/lib/pki-ca/common/lib /var/lib/pki-ca/webapps/ca/WEB-INF/lib
>
> We want to verify none of the symbolic links listed above are dangling (point to a non-existent file). Pay particular attention to /var/lib/pki-ca/common/lib/jss4.jar, does it point to an existing file that's a valid jar? If not can you locate jss4.jar? Is it now under /var/lib64/java? If so adjust the symbolic link under /var/lib/pki-ca/common/lib to point to it. Do things work now after restarting?
>
> John
>
> --
> John Dennis
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
Re: [Freeipa-users] ipa host-del
On 09/05/2012 10:46 AM, Ade Lee wrote:
> The logs seem to show that the CA cannot find JSS.
>
> What versions of the following are on your system?
> pki-ca, pki-common, jss, nss, tomcat6, tomcat, java
>
> Is this a system that was working and now fails to work? Or is this a new instance?

Let's verify the link to the jss4.jar is in place. Note this is an x86_64 system, Mathew did make some adjustments to where native (i.e. arch specific) jars are located. I think it moved from /usr/lib/java to /usr/lib64/java. pki-create would have been modified to set up links to them on a new install but it's possible the links weren't updated on an existing install. Not sure, guessing at the moment but I think it's worth pursuing.

Please do this, it will list all the jars which should be visible to the CA tomcat instance, the jss4.jar should have a link under /var/lib/pki-ca/common/lib.

sudo ls -l /var/lib/pki-ca/common/lib /var/lib/pki-ca/webapps/ca/WEB-INF/lib

We want to verify none of the symbolic links listed above are dangling (point to a non-existent file). Pay particular attention to /var/lib/pki-ca/common/lib/jss4.jar, does it point to an existing file that's a valid jar? If not can you locate jss4.jar? Is it now under /var/lib64/java? If so adjust the symbolic link under /var/lib/pki-ca/common/lib to point to it. Do things work now after restarting?

John

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
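John's check is done by eye over `ls -l` output. As an added example (my code, not from the thread and not part of the pki packages), two shell functions do the same check mechanically: the first lists every dangling symlink under the directories you name, the second confirms that the three jars George ended up re-pointing resolve to real files that begin with the zip magic bytes every jar carries, which is the closest cheap test of "a valid jar" without unpacking it. The directory arguments are yours to supply; the two paths from John's message are shown in the usage comment.

```shell
# Added example, not code from the thread or from the pki/FreeIPA packages.
# Mechanical version of John's "are any of these links dangling?" check.

# Print "<link> -> <target>" for every symlink directly under the given
# directories whose final target does not exist. Returns 1 if any found.
find_dangling_links() {
    found=0
    for dir in "$@"; do
        [ -d "$dir" ] || { echo "skip: $dir is not a directory" >&2; continue; }
        for entry in "$dir"/* "$dir"/.[!.]*; do
            [ -L "$entry" ] || continue
            # -e follows the link chain; false when the end target is missing
            if [ ! -e "$entry" ]; then
                echo "$entry -> $(readlink "$entry")"
                found=1
            fi
        done
    done
    return "$found"
}

# Check the three native-jar links the thread is about. Returns 0 only when
# each resolves to a regular file whose first two bytes are the zip/jar
# signature "PK"; a dangling link, a directory, or a stray text file fails.
check_jss_jars() {
    dir="$1"; ok=0
    for jar in jss4.jar osutil.jar symkey.jar; do
        p="$dir/$jar"
        if [ ! -e "$p" ]; then
            echo "$jar: missing or dangling in $dir" >&2; ok=1
        elif [ ! -f "$p" ]; then
            echo "$jar: resolves to something that is not a regular file" >&2; ok=1
        elif [ "$(head -c 2 "$p")" != "PK" ]; then
            echo "$jar: target is not a zip/jar archive" >&2; ok=1
        fi
    done
    return "$ok"
}

# Usage on a real CA host (not executed here):
#   find_dangling_links /var/lib/pki-ca/common/lib /var/lib/pki-ca/webapps/ca/WEB-INF/lib
#   check_jss_jars /var/lib/pki-ca/common/lib
```

Run both after any package update that moves native jars between /usr/lib/java and /usr/lib64/java; a non-zero exit from either is the condition George hit, and it is cheaper to catch here than by waiting for host-del or replica preparation to fail.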
Re: [Freeipa-users] ipa host-del
weird. Can you try putting selinux in permissive mode, and then restarting ipa?

On Wed, 2012-09-05 at 08:21 -0700, george he wrote:
> This is a newly installed system. It does most of the things, but I just cannot del the host that I have uninstalled ipa-client, which prevents me from re-installing ipa-client.
> Here are the versions:
>
> pki-ca.noarch 9.0.3-24.el6
> pki-common.noarch 9.0.3-24.el6
> jss.x86_64 4.2.6-22.el6
> nss.x86_64 3.13.5-1.el6_3
> tomcat6.noarch 6.0.24-45.el6
> java-1.5.0-gcj.x86_64 1.5.0.0-29.1.el6
> java-1.6.0-openjdk.x86_64 1:1.6.0.0-1.48.1.11.3.el6_2
> java_cup.x86_64 1:0.10k-5.el6
>
> Thanks for your help.
> George
>
> From: Ade Lee
> To: george he
> Cc: Rob Crittenden ; "freeipa-users@redhat.com"
> Sent: Wednesday, September 5, 2012 10:46 AM
> Subject: Re: [Freeipa-users] ipa host-del
>
> The logs seem to show that the CA cannot find JSS.
>
> What versions of the following are on your system?
> pki-ca, pki-common, jss, nss, tomcat6, tomcat, java
>
> Is this a system that was working and now fails to work? Or is this a new instance?
>
> Ade
>
> On Wed, 2012-09-05 at 06:41 -0700, george he wrote:
> > there are something like these:
> >
> > type=AVC msg=audit(1346710042.243:56): avc: denied { execute } for pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
> > type=AVC msg=audit(1346710042.243:57): avc: denied { execute } for pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
> >
> > and some others like these:
> > type=AVC msg=audit(1346838993.154:2567): avc: denied { search } for pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> > type=AVC msg=audit(1346838993.154:2568): avc: denied { search } for pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> >
> > And yes, I did yum update recently.
> > Where else should I look?
> > Thanks,
> > George
> >
> > From: Rob Crittenden
> > To: george he
> > Cc: Ade Lee ; "freeipa-users@redhat.com"
> > Sent: Wednesday, September 5, 2012 8:40 AM
> > Subject: Re: [Freeipa-users] ipa host-del
> >
> > george he wrote:
> > > here are the new errors:
> > > # rm /var/log/pki-ca/*
> > > # service dirsrv restart
> > > # service pki-cad restart
> > > # grep -i error /var/log/pki-ca/*
> > > /var/log/pki-ca/catalina.2012-09-05.log:WARNING: Error while removing context [/ca]
> > > /var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error initializing socket factory
> > > /var/log/pki-ca/catalina.2012-09-05.log:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> > > /var/log/pki
Re: [Freeipa-users] ipa host-del
This is a newly installed system. It does most of the things, but I just cannot del the host that I have uninstalled ipa-client, which prevents me from re-installing ipa-client.
Here are the versions:

pki-ca.noarch 9.0.3-24.el6
pki-common.noarch 9.0.3-24.el6
jss.x86_64 4.2.6-22.el6
nss.x86_64 3.13.5-1.el6_3
tomcat6.noarch 6.0.24-45.el6
java-1.5.0-gcj.x86_64 1.5.0.0-29.1.el6
java-1.6.0-openjdk.x86_64 1:1.6.0.0-1.48.1.11.3.el6_2
java_cup.x86_64 1:0.10k-5.el6

Thanks for your help.
George

> From: Ade Lee
> To: george he
> Cc: Rob Crittenden ; "freeipa-users@redhat.com"
> Sent: Wednesday, September 5, 2012 10:46 AM
> Subject: Re: [Freeipa-users] ipa host-del
>
> The logs seem to show that the CA cannot find JSS.
>
> What versions of the following are on your system?
> pki-ca, pki-common, jss, nss, tomcat6, tomcat, java
>
> Is this a system that was working and now fails to work? Or is this a new instance?
>
> Ade
> On Wed, 2012-09-05 at 06:41 -0700, george he wrote:
> > there are something like these:
> >
> > type=AVC msg=audit(1346710042.243:56): avc: denied { execute } for pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
> > type=AVC msg=audit(1346710042.243:57): avc: denied { execute } for pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
> >
> > and some others like these:
> > type=AVC msg=audit(1346838993.154:2567): avc: denied { search } for pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> > type=AVC msg=audit(1346838993.154:2568): avc: denied { search } for pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> >
> > And yes, I did yum update recently.
> > Where else should I look?
> > Thanks,
> > George
> >
> > From: Rob Crittenden
> > To: george he
> > Cc: Ade Lee ; "freeipa-users@redhat.com"
> > Sent: Wednesday, September 5, 2012 8:40 AM
> > Subject: Re: [Freeipa-users] ipa host-del
> >
> > george he wrote:
> > > here are the new errors:
> > > # rm /var/log/pki-ca/*
> > > # service dirsrv restart
> > > # service pki-cad restart
> > > # grep -i error /var/log/pki-ca/*
> > > /var/log/pki-ca/catalina.2012-09-05.log:WARNING: Error while removing context [/ca]
> > > /var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error initializing socket factory
> > > /var/log/pki-ca/catalina.2012-09-05.log:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> > > /var/log/pki-ca/catalina.2012-09-05.log:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> > > /var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error deploying web application directory ca
> > > /var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
> > > /var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
Re: [Freeipa-users] ipa host-del
The logs seem to show that the CA cannot find JSS.

What versions of the following are on your system?
pki-ca, pki-common, jss, nss, tomcat6, tomcat, java

Is this a system that was working and now fails to work? Or is this a new instance?

Ade

On Wed, 2012-09-05 at 06:41 -0700, george he wrote:
> there are something like these:
>
> type=AVC msg=audit(1346710042.243:56): avc: denied { execute } for pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
> type=AVC msg=audit(1346710042.243:57): avc: denied { execute } for pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
>
> and some others like these:
> type=AVC msg=audit(1346838993.154:2567): avc: denied { search } for pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> type=AVC msg=audit(1346838993.154:2568): avc: denied { search } for pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
>
> And yes, I did yum update recently.
> Where else should I look?
> Thanks,
> George
>
> From: Rob Crittenden
> To: george he
> Cc: Ade Lee ; "freeipa-users@redhat.com"
> Sent: Wednesday, September 5, 2012 8:40 AM
> Subject: Re: [Freeipa-users] ipa host-del
>
> george he wrote:
> > here are the new errors:
> > # rm /var/log/pki-ca/*
> > # service dirsrv restart
> > # service pki-cad restart
> > # grep -i error /var/log/pki-ca/*
> > /var/log/pki-ca/catalina.2012-09-05.log:WARNING: Error while removing context [/ca]
> > /var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error initializing socket factory
> > /var/log/pki-ca/catalina.2012-09-05.log:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> > /var/log/pki-ca/catalina.2012-09-05.log:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> > /var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error deploying web application directory ca
> > /var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
> > /var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> > /var/log/pki-ca/catalina.out:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> > /var/log/pki-ca/catalina.out:SEVERE: Error deploying web application directory ca
> > /var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
> > /var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> > /var/log/pki-ca/catalina.out:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang
Re: [Freeipa-users] ipa host-del
there are something like these:

type=AVC msg=audit(1346710042.243:56): avc: denied { execute } for pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1346710042.243:57): avc: denied { execute } for pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

and some others like these:
type=AVC msg=audit(1346838993.154:2567): avc: denied { search } for pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1346838993.154:2568): avc: denied { search } for pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir

And yes, I did yum update recently.
Where else should I look?
Thanks,
George

> From: Rob Crittenden
> To: george he
> Cc: Ade Lee ; "freeipa-users@redhat.com"
> Sent: Wednesday, September 5, 2012 8:40 AM
> Subject: Re: [Freeipa-users] ipa host-del
>
> george he wrote:
> > here are the new errors:
> > # rm /var/log/pki-ca/*
> > # service dirsrv restart
> > # service pki-cad restart
> > # grep -i error /var/log/pki-ca/*
> > /var/log/pki-ca/catalina.2012-09-05.log:WARNING: Error while removing context [/ca]
> > /var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error initializing socket factory
> > /var/log/pki-ca/catalina.2012-09-05.log:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> > /var/log/pki-ca/catalina.2012-09-05.log:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> > /var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error deploying web application directory ca
> > /var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
> > /var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> > /var/log/pki-ca/catalina.out:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> > /var/log/pki-ca/catalina.out:SEVERE: Error deploying web application directory ca
> > /var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
> > /var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> > /var/log/pki-ca/catalina.out:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>
> Hmm. Is there any additional information in the debug log? Any AVCs in /var/log/audit/audit.log?
>
> Have you updated any packages recently? I'm not sure why dogtag would be throwing this exception.
>
> rob
>
> > *From:* Rob Crittenden
> > *To:* george he
> > *Cc:* John Dennis ; "freeipa-users@redhat.com"
> > *Sent:* Tuesday, September 4, 2012 9:49 PM
> > *Subject:* Re: [Freeipa-users] ipa host-del
> >
> > george he wrote:
> > > both of the commands "service dirsrv restart" and "service pki-cad restart" reported:
> > > stopping ... OK
> > > starting ... OK
> > > but host-del still has the same error.
> > > More suggestions?
> >
> > Check the logs again. The service starting does not mean it kept running.
> >
> > rob
> >
> > > Thanks
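George pasted two kinds of AVC denials, and only the second kind comes from the CA's own domain. As an added example (my code, not from the thread), a shell function that summarises audit-log AVC lines into one row per distinct denial so the ones raised from `pki_ca_t` stand out from unrelated noise such as the `gdm` entries; a second function filters by source domain. The sample lines are the four from George's message; the output format and the idea of filtering on the CA's domain are this example's own choices, not something the thread prescribes.

```shell
# Added example, not code from the thread. Summarise SELinux AVC denials
# so the ones from the CA's own domain can be told apart from noise.

# Sample input: the four AVC lines George pasted, embedded here so the
# block runs offline.
SAMPLE_AVCS='type=AVC msg=audit(1346710042.243:56): avc: denied { execute } for pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1346710042.243:57): avc: denied { execute } for pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1346838993.154:2567): avc: denied { search } for pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1346838993.154:2568): avc: denied { search } for pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir'

# Read audit.log lines on stdin; print one line per distinct denial:
#   <count> <source type> <permission> <tclass> <target type> name=<name>
# most frequent first. Non-AVC lines are ignored.
summarize_avcs() {
    awk '
    $1 == "type=AVC" && /avc: +denied/ {
        perm = ""; src = ""; tgt = ""; cls = ""; nm = ""
        # the permission sits between the braces, e.g. "{ search }"
        if (match($0, /[{][^}]*[}]/))
            perm = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perm)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            # the SELinux type is the third colon-separated field of a context
            if (kv[1] == "scontext")      { split(kv[2], c, ":"); src = c[3] }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
            else if (kv[1] == "tclass")   cls = kv[2]
            else if (kv[1] == "name")     { nm = kv[2]; gsub(/"/, "", nm) }
        }
        count[src " " perm " " cls " " tgt " name=" nm]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Keep only denials whose source domain is the one given (e.g. pki_ca_t);
# reads the same stdin as summarize_avcs.
denials_from() {
    summarize_avcs | awk -v want="$1" '$2 == want'
}

# Usage on a real host (not executed here):
#   grep '^type=AVC' /var/log/audit/audit.log | denials_from pki_ca_t
# Offline demonstration on the embedded sample:
#   printf '%s\n' "$SAMPLE_AVCS" | summarize_avcs
```

On George's sample the CA-domain rows reduce to a single line, `pki_ca_t` being denied `search` on a `user_home_t` directory named `gridengine`, which is the row worth reading before switching SELinux to permissive mode as Ade suggests; the `xdm_t`/`gdm` rows are a separate desktop-session matter.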
Re: [Freeipa-users] ipa host-del
george he wrote:
> here are the new errors:
> # rm /var/log/pki-ca/*
> # service dirsrv restart
> # service pki-cad restart
> # grep -i error /var/log/pki-ca/*
> /var/log/pki-ca/catalina.2012-09-05.log:WARNING: Error while removing context [/ca]
> /var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error initializing socket factory
> /var/log/pki-ca/catalina.2012-09-05.log:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> /var/log/pki-ca/catalina.2012-09-05.log:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> /var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error deploying web application directory ca
> /var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
> /var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> /var/log/pki-ca/catalina.out:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> /var/log/pki-ca/catalina.out:SEVERE: Error deploying web application directory ca
> /var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
> /var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> /var/log/pki-ca/catalina.out:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket

Hmm. Is there any additional information in the debug log? Any AVCs in /var/log/audit/audit.log?

Have you updated any packages recently? I'm not sure why dogtag would be throwing this exception.

rob

> *From:* Rob Crittenden
> *To:* george he
> *Cc:* John Dennis ; "freeipa-users@redhat.com"
> *Sent:* Tuesday, September 4, 2012 9:49 PM
> *Subject:* Re: [Freeipa-users] ipa host-del
>
> george he wrote:
> > both of the commands "service dirsrv restart" and "service pki-cad restart" reported:
> > stopping ... OK
> > starting ... OK
> > but host-del still has the same error.
> > More suggestions?
>
> Check the logs again. The service starting does not mean it kept running.
>
> rob
>
> > Thanks,
> > George
> >
> > *From:* Rob Crittenden
> > *To:* george he
> > *Cc:* John Dennis ; "freeipa-users@redhat.com"
> > *Sent:* Tuesday, September 4, 2012 4:20 PM
> > *Subject:* Re: [Freeipa-users] ipa host-del
> >
> > george he wrote:
> > > I'm running centos 6.3
> > > # uname -r
> > > 2.6.32-279.5.2.el6.x86_64
> > >
> > > pki-ca: unrecognized service
> > >
> > > There are tons of errors in /var/log/pki-ca/*, some of them are:
> > > /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
> > > /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
> > > /var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:01 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
> > > /var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:10 EDT] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
> > > /var/log/pki-ca/system:3281.main
Re: [Freeipa-users] ipa host-del
here are the new errors:
# rm /var/log/pki-ca/*
# service dirsrv restart
# service pki-cad restart
# grep -i error /var/log/pki-ca/*
/var/log/pki-ca/catalina.2012-09-05.log:WARNING: Error while removing context [/ca]
/var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error initializing socket factory
/var/log/pki-ca/catalina.2012-09-05.log:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.2012-09-05.log:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error deploying web application directory ca
/var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
/var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.out:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.out:SEVERE: Error deploying web application directory ca
/var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
/var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.out:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket

> From: Rob Crittenden
> To: george he
> Cc: John Dennis ; "freeipa-users@redhat.com"
> Sent: Tuesday, September 4, 2012 9:49 PM
> Subject: Re: [Freeipa-users] ipa host-del
>
> george he wrote:
>> both of the commands "service dirsrv restart" and "service pki-cad restart" reported:
>> stopping ... OK
>> starting ... OK
>> but host-del still has the same error.
>> More suggestions?
>
> Check the logs again. The service starting does not mean it kept running.
>
> rob
>
>> Thanks,
>> George
>>
>> *From:* Rob Crittenden
>> *To:* george he
>> *Cc:* John Dennis ; "freeipa-users@redhat.com"
>> *Sent:* Tuesday, September 4, 2012 4:20 PM
>> *Subject:* Re: [Freeipa-users] ipa host-del
>>
>> george he wrote:
>> > I'm running centos 6.3
>> > # uname -r
>> > 2.6.32-279.5.2.el6.x86_64
>> >
>> > pki-ca: unrecognized service
>> >
>> > There are tons of errors in /var/log/pki-ca/*, some of them are:
>> > /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
>> > /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
>> > /var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:01 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
>> > /var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:10 EDT] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
>> > /var/log/pki-ca/system:3281.main - [31/Aug/2012:17:54:28 EDT] [8] [3] In Ldap (bound) connection pool to host cushing.psych.yale.edu port 7389, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: failed to connect to server ldap://cushing.psych.yale.edu:7389 (91)
>> >
>> > /var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error initializing socket fact
Re: [Freeipa-users] ipa host-del
george he wrote:
> both of the commands "service dirsrv restart" and "service pki-cad restart" reported:
> stopping ... OK
> starting ... OK
> but host-del still has the same error.
> More suggestions?

Check the logs again. The service starting does not mean it kept running.

rob

> Thanks,
> George
>
> *From:* Rob Crittenden
> *To:* george he
> *Cc:* John Dennis ; "freeipa-users@redhat.com"
> *Sent:* Tuesday, September 4, 2012 4:20 PM
> *Subject:* Re: [Freeipa-users] ipa host-del
>
> george he wrote:
> > I'm running centos 6.3
> > # uname -r
> > 2.6.32-279.5.2.el6.x86_64
> >
> > pki-ca: unrecognized service
> >
> > There are tons of errors in /var/log/pki-ca/*, some of them are:
> > /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
> > /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
> > /var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:01 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
> > /var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:10 EDT] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
> > /var/log/pki-ca/system:3281.main - [31/Aug/2012:17:54:28 EDT] [8] [3] In Ldap (bound) connection pool to host cushing.psych.yale.edu port 7389, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: failed to connect to server ldap://cushing.psych.yale.edu:7389 (91)
> >
> > /var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error initializing socket factory
> > /var/log/pki-ca/catalina.2012-09-03.log:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> > /var/log/pki-ca/catalina.2012-09-03.log:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> > /var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error deploying web application directory ca
>
> The problem looks to be that the dogtag 389-ds instance is not started.
> I'd try: service dirsrv restart PKI-IPA
>
> Then service pki-cad restart
>
> rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] ipa host-del
both of the commands "service dirsrv restart" and "service pki-cad restart" reported:
stopping ... OK
starting ... OK
but host-del still has the same error.
More suggestions?

Thanks,
George

> From: Rob Crittenden
> To: george he
> Cc: John Dennis ; "freeipa-users@redhat.com"
> Sent: Tuesday, September 4, 2012 4:20 PM
> Subject: Re: [Freeipa-users] ipa host-del
>
> george he wrote:
>> I'm running centos 6.3
>> # uname -r
>> 2.6.32-279.5.2.el6.x86_64
>>
>> pki-ca: unrecognized service
>>
>> There are tons of errors in /var/log/pki-ca/*, some of them are:
>> /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
>> /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
>> /var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:01 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
>> /var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:10 EDT] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
>> /var/log/pki-ca/system:3281.main - [31/Aug/2012:17:54:28 EDT] [8] [3] In Ldap (bound) connection pool to host cushing.psych.yale.edu port 7389, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: failed to connect to server ldap://cushing.psych.yale.edu:7389 (91)
>>
>> /var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error initializing socket factory
>> /var/log/pki-ca/catalina.2012-09-03.log:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>> /var/log/pki-ca/catalina.2012-09-03.log:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>> /var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error deploying web application directory ca
>
> The problem looks to be that the dogtag 389-ds instance is not started.
> I'd try: service dirsrv restart PKI-IPA
>
> Then service pki-cad restart
>
> rob
Re: [Freeipa-users] ipa host-del
george he wrote:
> I'm running centos 6.3
> # uname -r
> 2.6.32-279.5.2.el6.x86_64
>
> pki-ca: unrecognized service
>
> There are tons of errors in /var/log/pki-ca/*, some of them are:
> /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
> /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
> /var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:01 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
> /var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:10 EDT] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
> /var/log/pki-ca/system:3281.main - [31/Aug/2012:17:54:28 EDT] [8] [3] In Ldap (bound) connection pool to host cushing.psych.yale.edu port 7389, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: failed to connect to server ldap://cushing.psych.yale.edu:7389 (91)
>
> /var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error initializing socket factory
> /var/log/pki-ca/catalina.2012-09-03.log:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> /var/log/pki-ca/catalina.2012-09-03.log:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> /var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error deploying web application directory ca

The problem looks to be that the dogtag 389-ds instance is not started.
I'd try: service dirsrv restart PKI-IPA

Then service pki-cad restart

rob
Re: [Freeipa-users] ipa host-del
How do I start dogtag? It's centos 6.3. Some errors are posted to my other email.

Thanks,
George

> From: Rob Crittenden
> To: george he
> Cc: John Dennis ; "freeipa-users@redhat.com"
> Sent: Tuesday, September 4, 2012 10:26 AM
> Subject: Re: [Freeipa-users] ipa host-del
>
> george he wrote:
>> First of all, I don't see any java process after ipactl stop.
>>
>> Then I turned on debug and this is what I get on terminal:
>> # ipa host-del hnl09.psych.yale.edu
>> ..
>> ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
>> ipa: DEBUG: cert valid True for "CN=cushing.psych.yale.edu,O=PSYCH.YALE.EDU"
>> ipa: DEBUG: handshake complete, peer = 130.132.167.68:443
>> ipa: DEBUG: Caught fault 4301 from server http://cushing.psych.yale.edu/ipa/xml: Certificate operation cannot be completed: Unable to communicate with CMS (Service Temporarily Unavailable)
>> ipa: DEBUG: Destroyed connection context.xmlclient
>> ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Service Temporarily Unavailable)
>>
>> So there's a "fault 4301" being caught.
>> And this is at the end of /var/log/httpd/error_log:
>> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
>> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: cert valid True for "CN=cushing.psych.yale.edu,O=PSYCH.YALE.EDU"
>> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: handshake complete, peer = 130.132.167.68:443
>> [Tue Sep 04 10:17:05 2012] [error] (111)Connection refused: proxy: AJP: attempt to connect to 127.0.0.1:9447 (localhost) failed
>> [Tue Sep 04 10:17:05 2012] [error] ap_proxy_connect_backend disabling worker for (localhost)
>> [Tue Sep 04 10:17:05 2012] [error] proxy: AJP: failed to make connection to backend: localhost
>> [Tue Sep 04 10:17:05 2012] [error] ipa: INFO: ad...@psych.yale.edu: host_del((u'hnl09.psych.yale.edu',), updatedns=False): CertificateOperationError
>> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: response: CertificateOperationError: Certificate operation cannot be completed: Unable to communicate with CMS (Service Temporarily Unavailable)
>> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: Destroyed connection context.ldap2
>
> dogtag does not appear to be running. I'd suggest looking at /var/log/pki-ca/catalina.out or debug to see if it has any hints as to what the problem is.
>
> What distribution is this?
>
> rob
Re: [Freeipa-users] ipa host-del
I'm running centos 6.3
# uname -r
2.6.32-279.5.2.el6.x86_64

pki-ca: unrecognized service

There are tons of errors in /var/log/pki-ca/*, some of them are:
/var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
/var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
/var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:01 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
/var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:10 EDT] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
/var/log/pki-ca/system:3281.main - [31/Aug/2012:17:54:28 EDT] [8] [3] In Ldap (bound) connection pool to host cushing.psych.yale.edu port 7389, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: failed to connect to server ldap://cushing.psych.yale.edu:7389 (91)

/var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error initializing socket factory
/var/log/pki-ca/catalina.2012-09-03.log:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.2012-09-03.log:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error deploying web application directory ca

Thanks,
George

> From: John Dennis
> To: george he
> Cc: "freeipa-users@redhat.com"
> Sent: Tuesday, September 4, 2012 10:40 AM
> Subject: Re: [Freeipa-users] ipa host-del
>
> On 09/04/2012 10:23 AM, george he wrote:
>> First of all, I don't see any java process after ipactl stop.
>>
>> Then I turned on debug and this is what I get on terminal:
>> # ipa host-del hnl09.psych.yale.edu
>> ..
>> ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
>> ipa: DEBUG: cert valid True for "CN=cushing.psych.yale.edu,O=PSYCH.YALE.EDU"
>> ipa: DEBUG: handshake complete, peer = 130.132.167.68:443
>> ipa: DEBUG: Caught fault 4301 from server http://cushing.psych.yale.edu/ipa/xml: Certificate operation cannot be completed: Unable to communicate with CMS (Service Temporarily Unavailable)
>> ipa: DEBUG: Destroyed connection context.xmlclient
>> ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Service Temporarily Unavailable)
>>
>> So there's a "fault 4301" being caught.
>> And this is at the end of /var/log/httpd/error_log:
>> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
>> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: cert valid True for "CN=cushing.psych.yale.edu,O=PSYCH.YALE.EDU"
>> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: handshake complete, peer = 130.132.167.68:443
>> [Tue Sep 04 10:17:05 2012] [error] (111)Connection refused: proxy: AJP: attempt to connect to 127.0.0.1:9447 (localhost) failed
>> [Tue Sep 04 10:17:05 2012] [error] ap_proxy_connect_backend disabling worker for (localhost)
>> [Tue Sep 04 10:17:05 2012] [error] proxy: AJP: failed to make connection to backend: localhost
>> [Tue Sep 04 10:17:05 2012] [error] ipa: INFO: ad...@psych.yale.edu: host_del((u'hnl09.psych.yale.edu',), updatedns=False): CertificateOperationError
>> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: response: CertificateOperationError: Certificate operation cannot be completed: Unable to communicate with CMS (Service Temporarily Unavailable)
>> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: Destroyed connection context.ldap2
>>
>> Thanks,
>> George
>
> It appears as if your CA instance is not running (pki-ca). Depending on which OS you're running on could you verify pki-ca is running via either the service or systemctl command. Do you see any errors in the log files found under /var/log/pki-ca?
>
> -- John Dennis
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
Re: [Freeipa-users] ipa host-del
On 09/04/2012 10:23 AM, george he wrote:
> First of all, I don't see any java process after ipactl stop.
>
> Then I turned on debug and this is what I get on terminal:
> # ipa host-del hnl09.psych.yale.edu
> ..
> ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
> ipa: DEBUG: cert valid True for "CN=cushing.psych.yale.edu,O=PSYCH.YALE.EDU"
> ipa: DEBUG: handshake complete, peer = 130.132.167.68:443
> ipa: DEBUG: Caught fault 4301 from server http://cushing.psych.yale.edu/ipa/xml: Certificate operation cannot be completed: Unable to communicate with CMS (Service Temporarily Unavailable)
> ipa: DEBUG: Destroyed connection context.xmlclient
> ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Service Temporarily Unavailable)
>
> So there's a "fault 4301" being caught.
> And this is at the end of /var/log/httpd/error_log:
> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: cert valid True for "CN=cushing.psych.yale.edu,O=PSYCH.YALE.EDU"
> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: handshake complete, peer = 130.132.167.68:443
> [Tue Sep 04 10:17:05 2012] [error] (111)Connection refused: proxy: AJP: attempt to connect to 127.0.0.1:9447 (localhost) failed
> [Tue Sep 04 10:17:05 2012] [error] ap_proxy_connect_backend disabling worker for (localhost)
> [Tue Sep 04 10:17:05 2012] [error] proxy: AJP: failed to make connection to backend: localhost
> [Tue Sep 04 10:17:05 2012] [error] ipa: INFO: ad...@psych.yale.edu: host_del((u'hnl09.psych.yale.edu',), updatedns=False): CertificateOperationError
> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: response: CertificateOperationError: Certificate operation cannot be completed: Unable to communicate with CMS (Service Temporarily Unavailable)
> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: Destroyed connection context.ldap2
>
> Thanks,
> George

It appears as if your CA instance is not running (pki-ca). Depending on which OS you're running on could you verify pki-ca is running via either the service or systemctl command. Do you see any errors in the log files found under /var/log/pki-ca?

-- John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] ipa host-del
george he wrote:
> First of all, I don't see any java process after ipactl stop.
>
> Then I turned on debug and this is what I get on terminal:
> # ipa host-del hnl09.psych.yale.edu
> ..
> ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
> ipa: DEBUG: cert valid True for "CN=cushing.psych.yale.edu,O=PSYCH.YALE.EDU"
> ipa: DEBUG: handshake complete, peer = 130.132.167.68:443
> ipa: DEBUG: Caught fault 4301 from server http://cushing.psych.yale.edu/ipa/xml: Certificate operation cannot be completed: Unable to communicate with CMS (Service Temporarily Unavailable)
> ipa: DEBUG: Destroyed connection context.xmlclient
> ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Service Temporarily Unavailable)
>
> So there's a "fault 4301" being caught.
> And this is at the end of /var/log/httpd/error_log:
> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: cert valid True for "CN=cushing.psych.yale.edu,O=PSYCH.YALE.EDU"
> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: handshake complete, peer = 130.132.167.68:443
> [Tue Sep 04 10:17:05 2012] [error] (111)Connection refused: proxy: AJP: attempt to connect to 127.0.0.1:9447 (localhost) failed
> [Tue Sep 04 10:17:05 2012] [error] ap_proxy_connect_backend disabling worker for (localhost)
> [Tue Sep 04 10:17:05 2012] [error] proxy: AJP: failed to make connection to backend: localhost
> [Tue Sep 04 10:17:05 2012] [error] ipa: INFO: ad...@psych.yale.edu: host_del((u'hnl09.psych.yale.edu',), updatedns=False): CertificateOperationError
> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: response: CertificateOperationError: Certificate operation cannot be completed: Unable to communicate with CMS (Service Temporarily Unavailable)
> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: Destroyed connection context.ldap2

dogtag does not appear to be running. I'd suggest looking at /var/log/pki-ca/catalina.out or debug to see if it has any hints as to what the problem is.

What distribution is this?

rob
Re: [Freeipa-users] ipa host-del
First of all, I don't see any java process after ipactl stop.

Then I turned on debug and this is what I get on terminal:
# ipa host-del hnl09.psych.yale.edu
..
ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
ipa: DEBUG: cert valid True for "CN=cushing.psych.yale.edu,O=PSYCH.YALE.EDU"
ipa: DEBUG: handshake complete, peer = 130.132.167.68:443
ipa: DEBUG: Caught fault 4301 from server http://cushing.psych.yale.edu/ipa/xml: Certificate operation cannot be completed: Unable to communicate with CMS (Service Temporarily Unavailable)
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Service Temporarily Unavailable)

So there's a "fault 4301" being caught.
And this is at the end of /var/log/httpd/error_log:
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: cert valid True for "CN=cushing.psych.yale.edu,O=PSYCH.YALE.EDU"
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: handshake complete, peer = 130.132.167.68:443
[Tue Sep 04 10:17:05 2012] [error] (111)Connection refused: proxy: AJP: attempt to connect to 127.0.0.1:9447 (localhost) failed
[Tue Sep 04 10:17:05 2012] [error] ap_proxy_connect_backend disabling worker for (localhost)
[Tue Sep 04 10:17:05 2012] [error] proxy: AJP: failed to make connection to backend: localhost
[Tue Sep 04 10:17:05 2012] [error] ipa: INFO: ad...@psych.yale.edu: host_del((u'hnl09.psych.yale.edu',), updatedns=False): CertificateOperationError
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: response: CertificateOperationError: Certificate operation cannot be completed: Unable to communicate with CMS (Service Temporarily Unavailable)
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: Destroyed connection context.ldap2

Thanks,
George

> From: John Dennis
> To: george he
> Cc: "freeipa-users@redhat.com"
> Sent: Tuesday, September 4, 2012 8:53 AM
> Subject: Re: [Freeipa-users] ipa host-del
>
> On 09/04/2012 08:28 AM, george he wrote:
>>
>> There's only one conf file in /etc/ipa/, which is default.conf. ca_host is not defined there. But I think my CA is the IPA server.
>>
>> Everything is reported running:
>> # ipactl status
>> Directory Service: RUNNING
>> KDC Service: RUNNING
>> KPASSWD Service: RUNNING
>> MEMCACHE Service: RUNNING
>> HTTP Service: RUNNING
>> CA Service: RUNNING
>>
>> but when I try # ipactl restart, it reports:
>> Starting httpd: [Tue Sep 04 08:19:10 2012] [warn] worker ajp://localhost:9447/ already used by another worker
>> [Tue Sep 04 08:19:10 2012] [warn] worker ajp://localhost:9447/ already used by another worker
>
> ajp worker threads are used by tomcat instances of which the CA is one example. It sounds like your CA has gotten into a funny state. I would do a ipactl stop to shut down all your services and then do a ps to look for any Java processes that are still running (I'm assuming the only Java you're running on this box would be for the CA). If you can identify a running Java process that you believe belongs to the CA then kill it and try starting IPA again (or you could use a big hammer and reboot).
>
> BTW, the ajp threads are the listeners on the CA communication ports, if those threads are not in the right state you could see the CA communication problems you reported.
>
> If that still does not work then my next suggestion would be to add this line to /etc/ipa/default.conf
>
> debug=True
>
> and restart IPA, that will cause verbose logging to be written to /var/log/httpd/error_log which may have more detailed messages indicating where things might be going wrong.
>
> -- John Dennis
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
Re: [Freeipa-users] ipa host-del
george he wrote:
> There's only one conf file in /etc/ipa/, which is default.conf. ca_host is not defined there. But I think my CA is the IPA server.
>
> Everything is reported running:
> # ipactl status
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> MEMCACHE Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING
>
> but when I try # ipactl restart, it reports:
> Starting httpd: [Tue Sep 04 08:19:10 2012] [warn] worker ajp://localhost:9447/ already used by another worker
> [Tue Sep 04 08:19:10 2012] [warn] worker ajp://localhost:9447/ already used by another worker

This can be ignored, it is a known issue in Apache and doesn't mean anything is wrong. We're tracking an upstream fix for this, https://fedorahosted.org/freeipa/ticket/1853

I would set debug = True in /etc/ipa/default.conf and restart Apache. Then try the host-del again and examine /var/log/httpd/error_log. We currently only log CS connection issues when in debug mode (there is a ticket on that too). The CA log in /var/log/pki-ca/debug may have some tips too.

When a host is deleted we try to revoke its certificate. If we can't talk to the CA then the delete fails.

rob
Re: [Freeipa-users] ipa host-del
On 09/04/2012 08:28 AM, george he wrote:
> There's only one conf file in /etc/ipa/, which is default.conf. ca_host
> is not defined there. But I think my CA is the IPA server.
>
> Everything is reported running:
> # ipactl status
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> MEMCACHE Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING
>
> but when I try # ipactl restart, it reports:
> Starting httpd: [Tue Sep 04 08:19:10 2012] [warn] worker ajp://localhost:9447/ already used by another worker
> [Tue Sep 04 08:19:10 2012] [warn] worker ajp://localhost:9447/ already used by another worker

ajp worker threads are used by tomcat instances of which the CA is one example. It sounds like your CA has gotten into a funny state. I would do an ipactl stop to shut down all your services and then do a ps to look for any Java processes that are still running (I'm assuming the only Java you're running on this box would be for the CA). If you can identify a running Java process that you believe belongs to the CA then kill it and try starting IPA again (or you could use a big hammer and reboot).

BTW, the ajp threads are the listeners on the CA communication ports; if those threads are not in the right state you could see the CA communication problems you reported.

If that still does not work then my next suggestion would be to add this line to /etc/ipa/default.conf

debug=True

and restart IPA; that will cause verbose logging to be written to /var/log/httpd/error_log, which may have more detailed messages indicating where things might be going wrong.

-- John Dennis
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
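The triage John describes (check ipactl status, look for a stray Java process before restarting, set debug=True in /etc/ipa/default.conf) as an added shell example; this is not code from the thread or from FreeIPA, and the ipactl/ps output and the conf file it edits are constructed samples, with the function names my own.

```shell
#!/bin/sh
# Added example, not from the thread or FreeIPA: helpers for the triage John
# describes. Every input below is a constructed sample, not live command output.

# Constructed to mirror George's `ipactl status` paste, but with the CA down.
SAMPLE_IPACTL_STATUS='Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: STOPPED'

# Constructed `ps -eo pid,args` output with one leftover CA Java process.
SAMPLE_PS='  PID COMMAND
 1234 /usr/lib/jvm/jre/bin/java -Dcatalina.base=/var/lib/pki-ca org.apache.catalina.startup.Bootstrap start
 2345 /usr/sbin/httpd
 3456 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-EXAMPLE-COM'

# Print each service whose state is not RUNNING, one per line; empty if all up.
# Live usage: not_running "$(ipactl status)"
not_running() {
    printf '%s\n' "$1" | awk -F': ' '$2 != "RUNNING" { print $1 }'
}

# Print PIDs of Java processes from ps output so a stray CA instance can be
# identified before IPA is started again. Live usage: java_pids "$(ps -eo pid,args)"
java_pids() {
    printf '%s\n' "$1" | awk 'NR > 1 && $2 ~ /(^|\/)java$/ { print $1 }'
}

# Turn on verbose logging in an ipa default.conf-style file, idempotently:
# rewrite an existing debug line, or append one if the file has none.
# Live usage (as root): enable_debug /etc/ipa/default.conf, then ipactl restart.
enable_debug() {
    conf="$1"
    if grep -Eq '^[[:space:]]*debug[[:space:]]*=' "$conf"; then
        sed -E 's/^[[:space:]]*debug[[:space:]]*=.*/debug=True/' "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        printf 'debug=True\n' >> "$conf"
    fi
}
```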
Re: [Freeipa-users] ipa host-del
There's only one conf file in /etc/ipa/, which is default.conf. ca_host is not defined there. But I think my CA is the IPA server.

Everything is reported running:
# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING

but when I try # ipactl restart, it reports:
Starting httpd: [Tue Sep 04 08:19:10 2012] [warn] worker ajp://localhost:9447/ already used by another worker
[Tue Sep 04 08:19:10 2012] [warn] worker ajp://localhost:9447/ already used by another worker

Thanks for your help,
George

> From: John Dennis
> To: george he
> Cc: "freeipa-users@redhat.com"
> Sent: Tuesday, September 4, 2012 8:10 AM
> Subject: Re: [Freeipa-users] ipa host-del
>
> On 09/03/2012 06:00 PM, george he wrote:
>> Hello all,
>>
>> I'm trying to reinstall myipaclient so I did ipa-client-install
>> --uninstall on my client, but when I try to do
>> ipa host-del on the server, I got the following error:
>>
>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>> communicate with CMS (Not Found)
>>
>> What does it mean, and how do I fix this?
>> ps, both the server and the client are centos 6.3
>
> I'm guessing the configuration option that specifies where to locate your CA
> was lost. Check and see if ca_host is defined in any of the .conf files under
> /etc/ipa; if so, is it the correct host? If not then the server will assume
> it's co-located on the same machine. Is your CA on the same machine as your
> IPA server?
>
> One other thing to check: is the CA running? Do an ipactl status to verify or
> an ipactl restart.
>
> -- John Dennis
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
Re: [Freeipa-users] ipa host-del
On 09/03/2012 06:00 PM, george he wrote:
> Hello all,
>
> I'm trying to reinstall myipaclient so I did ipa-client-install --uninstall on my client, but when I try to do ipa host-del on the server, I got the following error:
>
> ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
>
> What does it mean, and how do I fix this?
> ps, both the server and the client are centos 6.3

I'm guessing the configuration option that specifies where to locate your CA was lost. Check and see if ca_host is defined in any of the .conf files under /etc/ipa; if so, is it the correct host? If not then the server will assume it's co-located on the same machine. Is your CA on the same machine as your IPA server?

One other thing to check: is the CA running? Do an ipactl status to verify or an ipactl restart.

-- John Dennis
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/