[Freeipa-users] ipa host-del
george he
2012-09-03 22:00:15 UTC
Hello all,

I'm trying to reinstall my IPA client, so I did ipa-client-install --uninstall on my client, but when I try to do
ipa host-del on the server, I got the following error:

ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

What does it mean, and how do I fix this?
PS: both the server and the client are CentOS 6.3

Thanks,
George
John Dennis
2012-09-04 12:10:59 UTC
I'm guessing the configuration option that specifies where to locate
your CA was lost. Check and see if ca_host is defined in any of the
.conf files under /etc/ipa; if so, is it the correct host? If not, then
the server will assume it's co-located on the same machine. Is your CA
on the same machine as your IPA server?

One other thing to check: is the CA running? Do an ipactl status to
verify, or an ipactl restart.
--
John Dennis <***@redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
george he
2012-09-04 12:28:31 UTC
There's only one conf file in /etc/ipa/, which is default.conf. ca_host is not defined there. But I think my CA is the IPA server.

Everything is reported running:
# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING

but when I try # ipactl restart, it reports:
Starting httpd: [Tue Sep 04 08:19:10 2012] [warn] worker ajp://localhost:9447/ already used by another worker
[Tue Sep 04 08:19:10 2012] [warn] worker ajp://localhost:9447/ already used by another worker

Thanks for your help,
George
John Dennis
2012-09-04 12:53:29 UTC
ajp worker threads are used by tomcat instances, of which the CA is one
example. It sounds like your CA has gotten into a funny state. I would
do an ipactl stop to shut down all your services and then do a ps to look
for any Java processes that are still running (I'm assuming the only
Java you're running on this box would be for the CA). If you can
identify a running Java process that you believe belongs to the CA, then
kill it and try starting IPA again (or you could use a big hammer and
reboot).

BTW, the ajp threads are the listeners on the CA communication ports; if
those threads are not in the right state you could see the CA
communication problems you reported.

If that still does not work, then my next suggestion would be to add this
line to /etc/ipa/default.conf

debug=True

and restart IPA. That will cause verbose logging to be written to
/var/log/httpd/error_log, which may have more detailed messages
indicating where things might be going wrong.
--
John Dennis <***@redhat.com>

george he
2012-09-04 14:23:01 UTC
First of all, I don't see any Java process after ipactl stop.

Then I turned on debug and this is what I get on terminal:
# ipa host-del hnl09.psych.yale.edu

......

ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
ipa: DEBUG: cert valid True for "CN=cushing.psych.yale.edu,O=PSYCH.YALE.EDU"
ipa: DEBUG: handshake complete, peer = 130.132.167.68:443
ipa: DEBUG: Caught fault 4301 from server http://cushing.psych.yale.edu/ipa/xml: Certificate operation cannot be completed: Unable to communicate with CMS (Service Temporarily Unavailable)
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Service Temporarily Unavailable)


So there's a "fault 4301" being caught.
And this is at the end of /var/log/httpd/error_log:

[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: cert valid True for "CN=cushing.psych.yale.edu,O=PSYCH.YALE.EDU"
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: handshake complete, peer = 130.132.167.68:443
[Tue Sep 04 10:17:05 2012] [error] (111)Connection refused: proxy: AJP: attempt to connect to 127.0.0.1:9447 (localhost) failed
[Tue Sep 04 10:17:05 2012] [error] ap_proxy_connect_backend disabling worker for (localhost)
[Tue Sep 04 10:17:05 2012] [error] proxy: AJP: failed to make connection to backend: localhost
[Tue Sep 04 10:17:05 2012] [error] ipa: INFO: ***@PSYCH.YALE.EDU: host_del((u'hnl09.psych.yale.edu',), updatedns=False): CertificateOperationError
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: response: CertificateOperationError: Certificate operation cannot be completed: Unable to communicate with CMS (Service Temporarily Unavailable)
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: Destroyed connection context.ldap2


Thanks,
George
Rob Crittenden
2012-09-04 14:26:30 UTC
dogtag does not appear to be running. I'd suggest looking at
/var/log/pki-ca/catalina.out or debug to see if it has any hints as to what
the problem is.

What distribution is this?

rob
george he
2012-09-04 17:52:44 UTC
How do I start dogtag?
It's CentOS 6.3.

some errors are posted to my other email.
Thanks,
George
John Dennis
2012-09-04 14:40:29 UTC
It appears as if your CA instance is not running (pki-ca). Depending on
which OS you're running on, could you verify pki-ca is running via either
the service or systemctl command? Do you see any errors in the log files
found under /var/log/pki-ca?
--
John Dennis <***@redhat.com>

george he
2012-09-04 17:49:46 UTC
I'm running CentOS 6.3
# uname -r
2.6.32-279.5.2.el6.x86_64


pki-ca: unrecognized service


There are tons of errors in /var/log/pki-ca/*, some of them are:
/var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
/var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
/var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:01 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
/var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:10 EDT] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
/var/log/pki-ca/system:3281.main - [31/Aug/2012:17:54:28 EDT] [8] [3] In Ldap (bound) connection pool to host cushing.psych.yale.edu port 7389, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: failed to connect to server ldap://cushing.psych.yale.edu:7389 (91)

/var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error initializing socket factory
/var/log/pki-ca/catalina.2012-09-03.log:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.2012-09-03.log:LifecycleException:  Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error deploying web application directory ca


Thanks,
George
Rob Crittenden
2012-09-04 20:20:05 UTC
The problem looks to be that the dogtag 389-ds instance is not started.
I'd try: service dirsrv restart PKI-IPA

Then service pki-cad restart

rob
george he
2012-09-04 21:12:55 UTC
Both of the commands "service dirsrv restart" and "service pki-cad restart" reported:
stopping ... OK
starting ... OK
but host-del still has the same error.
More suggestions?
Thanks,
George
Rob Crittenden
2012-09-05 01:49:14 UTC
Check the logs again. The service starting does not mean it kept running.

rob
george he
2012-09-05 10:00:35 UTC
Here are the new errors:
# rm /var/log/pki-ca/*
# service dirsrv restart
# service pki-cad restart
# grep -i error /var/log/pki-ca/*
/var/log/pki-ca/catalina.2012-09-05.log:WARNING: Error while removing context [/ca]
/var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error initializing socket factory
/var/log/pki-ca/catalina.2012-09-05.log:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.2012-09-05.log:LifecycleException:  Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error deploying web application directory ca
/var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
/var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.out:LifecycleException:  Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.out:SEVERE: Error deploying web application directory ca
/var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
/var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.out:LifecycleException:  Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
Rob Crittenden
2012-09-05 12:40:35 UTC
Hmm. Is there any additional information in the debug log? Any AVCs in
/var/log/audit/audit.log?

Have you updated any packages recently? I'm not sure why dogtag would be
throwing this exception.

rob
george he
2012-09-05 13:41:40 UTC
Permalink
There are some like these:

type=AVC msg=audit(1346710042.243:56): avc:  denied  { execute } for  pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1346710042.243:57): avc:  denied  { execute } for  pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file


and some others like these:
type=AVC msg=audit(1346838993.154:2567): avc:  denied  { search } for  pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1346838993.154:2568): avc:  denied  { search } for  pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir


And yes, I did yum update recently.
Where else should I look?
Thanks,
George
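Added example (not part of the thread, and not FreeIPA, Dogtag or SELinux tooling code): a small Python triage script for the AVC records George pasted. Rob's question was whether there are AVCs relevant to the CA; grouping the denials by source domain answers that quickly. It assumes only the standard audit.log AVC record layout; the sample records are constructed from the four lines above, and the domain name pki_ca_t is taken from them.

```python
"""Triage SELinux AVC denials from audit.log by the domain that raised them.

Added example for this thread, not code from FreeIPA, Dogtag or the SELinux
tooling. Assumes only the standard audit.log AVC record layout.
"""
import re
import sys
from collections import Counter

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+'
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+'
    r'(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: the four records posted in the thread, unchanged.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1346710042.243:56): avc:  denied  { execute } for  pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1346710042.243:57): avc:  denied  { execute } for  pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1346838993.154:2567): avc:  denied  { search } for  pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir',
    'type=AVC msg=audit(1346838993.154:2568): avc:  denied  { search } for  pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir',
]


def parse_avc(line):
    """Parse one audit.log line; return a dict, or None if it is not an AVC."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {'ts': float(m.group('ts')), 'serial': int(m.group('serial')),
           'result': m.group('result'), 'perms': m.group('perms').split()}
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    # A context is user:role:type[:range]; policy rules key on the type.
    for ctx in ('scontext', 'tcontext'):
        if ctx in rec:
            rec[ctx + '_type'] = rec[ctx].split(':')[2]
    return rec


def summarize(lines, source_type):
    """Count denials by (source type, target type, class, perms, comm, name),
    split into those raised by `source_type` and everything else."""
    mine, others = Counter(), Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        key = (rec.get('scontext_type', '?'), rec.get('tcontext_type', '?'),
               rec.get('tclass', '?'), ' '.join(rec['perms']),
               rec.get('comm', '?'), rec.get('name', '?'))
        (mine if key[0] == source_type else others)[key] += 1
    return mine, others


def report(lines, source_type='pki_ca_t'):
    """Summary as a list of text lines (returned, not printed, so it can be tested)."""
    mine, others = summarize(lines, source_type)
    out = []
    for label, counts in (('raised by %s' % source_type, mine),
                          ('raised by other domains', others)):
        out.append('denials %s: %d' % (label, sum(counts.values())))
        for (s, t, cls, perms, comm, name), n in sorted(counts.items()):
            out.append('  %dx %s -> %s %s {%s} comm=%s name=%s'
                       % (n, s, t, cls, perms, comm, name))
    return out


if __name__ == '__main__':
    # Usage: python avc_triage.py [/var/log/audit/audit.log] [domain_t]
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_AUDIT
    domain = sys.argv[2] if len(sys.argv) > 2 else 'pki_ca_t'
    print('\n'.join(report(src, domain)))
```

On the posted records the split is two denials raised by pki_ca_t (a directory search under user_home_t) and two raised by xdm_t (gdm executing a file in a home directory), which have nothing to do with the CA. Neither touches the library path the JSS classes load from, which is what makes the permissive-mode test Ade proposes a useful control: if the failure persists with enforcement off, these denials are noise for this problem.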
Ade Lee
2012-09-05 14:46:16 UTC
Permalink
The logs seem to show that the CA cannot find JSS.

What versions of the following are on your system?
pki-ca, pki-common, jss, nss, tomcat6, tomcat, java

Is this a system that was working and now fails to work? Or is this a
new instance?

Ade
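Added example (not part of the thread, and not Dogtag or tomcatjss code) that does by script what Ade did by eye: walk each nested ClassNotFoundException in the catalina log to the innermost class, since the outer one (JSSImplementation, the tomcatjss socket factory) is only a wrapper around the class the JVM actually failed to load (SSLSocket, from JSS). The sample lines are the catalina.out entries quoted above, joined back onto single lines after the mailer wrapped them; the package-prefix hints are my assumption for illustration, not something the logs state.

```python
"""Find the root missing class in nested Tomcat ClassNotFoundException chains.

Added example for this thread, not Dogtag, FreeIPA or tomcatjss code.
"""
import re
from collections import Counter

CNFE = 'java.lang.ClassNotFoundException:'
# A fully qualified Java class name: at least one dot, no leading digit.
CLASS_RE = re.compile(r'\b[A-Za-z_][\w$]*(?:\.[A-Za-z_][\w$]*)+\b')

# Constructed sample: the catalina.out entries quoted in the thread, joined
# back onto single lines (the mailer had wrapped them).
SAMPLE_CATALINA = [
    "WARNING: Error while removing context [/ca]",
    "SEVERE: Error initializing socket factory",
    "java.lang.ClassNotFoundException: Error loading SSL Implementation "
    "org.apache.tomcat.util.net.jss.JSSImplementation "
    ":java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket",
    "LifecycleException:  Protocol handler initialization failed: "
    "java.lang.ClassNotFoundException: Error loading SSL Implementation "
    "org.apache.tomcat.util.net.jss.JSSImplementation "
    ":java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket",
    "SEVERE: Error deploying web application directory ca",
]

# Assumed mapping from Java package prefix to the EL6 rpm that ships it.
# Only used to turn a class name into something to check with rpm -q / rpm -V.
PACKAGE_HINTS = {
    'org.mozilla.jss': 'jss',
    'org.apache.tomcat.util.net.jss': 'tomcatjss',
}


def exception_chain(line):
    """Class names named by each nested ClassNotFoundException in `line`,
    outermost first; empty list if the line carries none."""
    chain = []
    for part in line.split(CNFE)[1:]:          # text after each CNFE marker
        names = [n for n in CLASS_RE.findall(part)
                 if not n.startswith('java.lang.')]
        if names:
            chain.append(names[0])
    return chain


def root_causes(lines):
    """Count the innermost missing class per line: that is the class the JVM
    could not load; the outer entries only wrap it."""
    return Counter(chain[-1] for chain in map(exception_chain, lines) if chain)


def package_hint(classname):
    """Return the assumed rpm for a class name, or None if no prefix matches."""
    for prefix in sorted(PACKAGE_HINTS, key=len, reverse=True):
        if classname.startswith(prefix + '.'):
            return PACKAGE_HINTS[prefix]
    return None


def report(lines):
    """One text line per root cause, with a package to check next."""
    out = []
    for cls, n in root_causes(lines).most_common():
        out.append('%dx %s  (check rpm: %s)' % (n, cls, package_hint(cls) or 'unknown'))
    return out


if __name__ == '__main__':
    import sys
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CATALINA
    print('\n'.join(report(src)))
```

Against the quoted entries the innermost class is org.mozilla.jss.ssl.SSLSocket both times, so the thing to verify is the jss rpm and the jar Tomcat loads it from, not the tomcatjss wrapper the outer message names.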
george he
2012-09-05 15:21:19 UTC
Permalink
This is a newly installed system. It does most things, but I just cannot delete the host on which I uninstalled ipa-client, which prevents me from re-installing ipa-client.
Here are the versions:

pki-ca.noarch              9.0.3-24.el6
pki-common.noarch          9.0.3-24.el6
jss.x86_64                 4.2.6-22.el6
nss.x86_64                 3.13.5-1.el6_3
tomcat6.noarch             6.0.24-45.el6
java-1.5.0-gcj.x86_64      1.5.0.0-29.1.el6
java-1.6.0-openjdk.x86_64  1:1.6.0.0-1.48.1.11.3.el6_2
java_cup.x86_64            1:0.10k-5.el6
Thanks for your help.
George
Ade Lee
2012-09-05 15:38:42 UTC
Permalink
Weird. Can you try putting SELinux in permissive mode, and then
restarting IPA?
george he
2012-09-05 16:00:00 UTC
Permalink
I did:

# setenforce 0
# ipactl restart
 (still the same error here: worker ajp://localhost:9447/ already used by another worker)
# ipa host-del myclient
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Service Temporarily Unavailable)

By the way, I can delete other clients with no problem. The only difference with this client is that I once ran ipa-getkeytab on it for an NFS client (and it turns out I don't need a keytab to be an NFS client).

Thanks,
George
________________________________
Sent: Wednesday, September 5, 2012 11:38 AM
Subject: Re: [Freeipa-users] ipa host-del
weird.  Can you try putting selinux in permissive mode, and then
restarting ipa?
Post by george he
This is a newly installed system. It does most of the things, but I
just cannot del the host that I have uninstalled ipa-client, which
prvents me from re-installing ipa-client.
pki-ca.noarch                    9.0.3-24.el6
pki-common.noarch          9.0.3-24.el6
jss.x86_64                        4.2.6-22.el6
nss.x86_64                        3.13.5-1.el6_3
tomcat6.noarch                  6.0.24-45.el6
java-1.5.0-gcj.x86_64          1.5.0.0-29.1.el6
java-1.6.0-openjdk.x86_64  1:1.6.0.0-1.48.1.11.3.el6_2
java_cup.x86_64                  1:0.10k-5.el6
Thanks for your help.
George
John Dennis
2012-09-05 18:04:57 UTC
Post by Ade Lee
The logs seem to show that the CA cannot find JSS.
What versions of the following are on your system?
pki-ca, pki-common, jss, nss, tomcat6, tomcat, java
Is this a system that was working and now fails to work? Or is this a
new instance?
Let's verify the link to the jss4.jar is in place. Note this is an
x86_64 system, Mathew did make some adjustments to where native (i.e.
arch specific) jars are located. I think it moved from /usr/lib/java to
/usr/lib64/java. pki-create would have been modified to set up links to
them on a new install but it's possible the links weren't updated on an
existing install. Not sure, guessing at the moment but I think it's
worth pursuing.

Please do this, it will list all the jars which should be visible to the
CA tomcat instance, the jss4.jar should have a link under
/var/lib/pki-ca/common/lib.

sudo ls -l /var/lib/pki-ca/common/lib /var/lib/pki-ca/webapps/ca/WEB-INF/lib

We want to verify none of the symbolic links listed above are dangling
(point to a non-existent file). Pay particular attention to
/var/lib/pki-ca/common/lib/jss4.jar, does it point to an existing file
that's a valid jar? If not can you locate jss4.jar? Is it now under
/var/lib64/java? If so adjust the symbolic link under
/var/lib/pki-ca/common/lib to point to it. Do things work now after
restarting?

John
--
John Dennis <***@redhat.com>
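One way to automate the dangling-link check John describes, as an added example (not the thread's own commands and not FreeIPA or Dogtag code): it walks the two directories named above, reports links that dangle or that do not resolve to a zip/jar, and includes a constructed fixture directory so it can be tried offline. The directory paths and jar names are taken from the thread; the fixture's link targets are made up.

```shell
#!/bin/sh
# Added example, not code from the thread or the FreeIPA/Dogtag projects.
# Flags entries under the CA tomcat lib directories that are dangling
# symlinks or that do not resolve to a real jar (a jar is a zip archive).

# check_jar_links DIR... : print one line per problem, return the problem count
check_jar_links() {
    bad=0
    for dir in "$@"; do
        if [ ! -d "$dir" ]; then
            echo "MISSING DIRECTORY: $dir"
            bad=$((bad + 1))
            continue
        fi
        for entry in "$dir"/*; do
            # an empty directory leaves the glob unexpanded; skip that case
            [ -e "$entry" ] || [ -L "$entry" ] || continue
            if [ -L "$entry" ] && [ ! -e "$entry" ]; then
                echo "DANGLING: $entry -> $(readlink "$entry")"
                bad=$((bad + 1))
                continue
            fi
            [ -d "$entry" ] && continue            # subdirectories are not jars
            # a jar is a zip archive, so its first four bytes must be PK\003\004
            magic=$(od -An -N4 -tx1 "$entry" | tr -d ' \n')
            if [ "$magic" != "504b0304" ]; then
                echo "NOT A JAR: $entry"
                bad=$((bad + 1))
            fi
        done
    done
    return "$bad"
}

# make_fixture : build a constructed directory (not a real /var/lib/pki-ca)
# holding one valid link, one dangling link and one non-jar; print its path
make_fixture() {
    fixture=$(mktemp -d)
    printf 'PK\003\004' > "$fixture/osutil.jar"              # minimal zip magic
    printf 'PK\003\004' > "$fixture/jss4-target.jar"
    ln -s "$fixture/jss4-target.jar" "$fixture/jss4.jar"    # valid link
    ln -s /usr/lib64/java/no-such-symkey.jar "$fixture/symkey.jar"  # dangling, made-up target
    echo "not a jar" > "$fixture/broken.jar"                 # wrong content
    echo "$fixture"
}

# With no arguments, check the two directories John named on the thread.
if [ $# -eq 0 ]; then
    set -- /var/lib/pki-ca/common/lib /var/lib/pki-ca/webapps/ca/WEB-INF/lib
fi
check_jar_links "$@" || echo "$? problem(s) found"
```

Run it with no arguments on the CA host; a non-zero exit means at least one jar the CA tomcat instance expects is missing or unreadable.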
george he
2012-09-05 18:40:10 UTC
Thanks a lot. It's deleted now!
The .jar thing (i.e. jss4.jar, osutil.jar, and symkey.jar) was pointing to /usr/lib/..., but when I was struggling, I read on the web there was a post saying they should point to /usr/lib64/..., so I changed them. The weird thing is I THINK they were pointing to existing files, but now they are not.

So I changed the links one more time to make them point to /usr/lib/..., restarted ipa, and host-del worked.
Thanks again, guys.
George
Rob Crittenden
2012-09-05 18:43:18 UTC
Glad it's working.

I just wanted to follow up on this though. The host-del failure was just
one symptom of the problem. Eventually you'd have hit a harder wall,
such as not being able to prepare a new replica.

regards

rob
John Dennis
2012-09-05 19:41:29 UTC
Glad it's working. Obviously we would like to know how you got into this
situation and perhaps open a bug. But unfortunately since you've
manually changed links it's hard to know if the logic used to update an
existing system is robust or not. I recall when the issue of where to
locate native jars on 64bit came up there was a fair amount of back and
forth over where things would be installed and which links to introduce.
Unfortunately I do not recall the final resolution, it might be that the
tomcat instances were supposed to continue to point to /usr/lib/java and
links would be set up there to point to the 64bit version. In any event
I don't think we can file a bug at this point, but perhaps we need to
pay attention and see if anyone else gets bitten by this.

John
--
John Dennis <***@redhat.com>
Simo Sorce
2012-09-05 21:40:48 UTC
I just recently had to fix this for my 'stable' install too; it seems like
we need to do better on upgrades going forward.

Simo.
--
Simo Sorce * Red Hat, Inc * New York
Rob Crittenden
2012-09-04 13:02:59 UTC
Post by george he
There's only one conf file in /etc/ipa/, which is default.conf. ca_host
is not defined there. But I think my CA is the IPA server.
# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
Starting httpd: [Tue Sep 04 08:19:10 2012] [warn] worker
ajp://localhost:9447/ already used by another worker
[Tue Sep 04 08:19:10 2012] [warn] worker ajp://localhost:9447/ already
used by another worker
This can be ignored, it is a known issue in Apache and doesn't mean
anything is wrong. We're tracking an upstream fix for this,
https://fedorahosted.org/freeipa/ticket/1853


I would set debug = True in /etc/ipa/default.conf and restart Apache.
Then try the host-del again and examine /var/log/httpd/error_log. We
currently only log CS connection issues when in debug mode (there is a
ticket on that too). The CA log in /var/log/pki-ca/debug may have some
tips too.

When a host is deleted we try to revoke its certificate. If we can't
talk to the CA then the delete fails.

rob
Alexander Bokovoy
2012-09-05 23:47:21 UTC
I did fix this for Fedora with the F16 release in the past: in /usr/libexec/freeipa-systemd-update in the Fedora packages there is elaborate code to handle these updates of the symlinks.
Perhaps we need to extract that part and add to RHEL6? (RHEL6 does not use systemd but the code for jss upgrade is the same).
--
/ Alexander Bokovoy

Dmitri Pal
2012-09-07 16:34:02 UTC
Post by Alexander Bokovoy
I did fix this for Fedora with the F16 release in the past: in /usr/libexec/freeipa-systemd-update in the Fedora packages there is elaborate code to handle these updates of the symlinks.
Perhaps we need to extract that part and add to RHEL6? (RHEL6 does not use systemd but the code for jss upgrade is the same).
https://bugzilla.redhat.com/show_bug.cgi?id=855413
--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.