On 05/09/2018 05:54 PM, Michael Rainey (Contractor, Code 7320) via FreeIPA-users wrote:
> Along with the logs listed below, searching through the certificates
> is not possible. A message is returned:
>
>> Certificate operation cannot be completed: Unable to communicate with
>> CMS (Internal Server Error)
>
> Certmonger is running and pki-tomcatd is not. "journalctl -u
> pki-tomcatd@pki-tomcat.service" shows certificates are not being
> matched. What am I missing?
>
> Server Logs:

What version of 389-ds-base are you using?

rpm -qa | grep 389-ds-base

>> conn=23 fd=85 slot=85 SSL connection from XXX.XXX.XXX.91 to
>> XXX.XXX.XXX.91
>> conn=23 TLS1.2 256-bit AES; client CN=CA Subsystem,O=<REALM>; issuer
>> CN=Certificate Authority,O=<REALM>
>> conn=23 TLS1.2 failed to map client certificate to LDAP DN (Could not
>> matching certificate in User's LDAP entry)
>> conn=23 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
>> conn=23 op=0 RESULT err=49 tag=97 nentries=0 etime=0.0022754084 -
>> Client certificate mapping failed
>
>> conn=73 fd=123 slot=123 connection from XXX.XXX.XXX.241 to XXX.XXX.XXX.91
>> [09/May/2018:08:18:50.038802503 -0500] conn=73 op=0 EXT
>> oid="1.3.6.1.4.1.1466.20037" name="start_tls_plugin"
>> [09/May/2018:08:18:50.038845419 -0500] conn=73 op=0 RESULT err=0
>> tag=120 nentries=0 etime=0.0000382164
>> [09/May/2018:08:18:50.046139659 -0500] conn=73 TLS1.2 256-bit AES-GCM
>> [09/May/2018:08:18:50.046531729 -0500] conn=73 op=1 BIND
>> dn="cn=Replication Manager
>> cloneAgreement1-fitch.<domain>-pki-tomcat,ou=csusers,cn=config"
>> method=128 version=3
>> [09/May/2018:08:18:50.046882326 -0500] conn=73 op=1 RESULT err=49
>> tag=97 nentries=0 etime=0.0007732885
>> [09/May/2018:08:18:50.085596219 -0500] conn=73 op=2 UNBIND
>> [09/May/2018:08:18:50.085625301 -0500] conn=73 op=2 fd=123 closed - U1

So there are two possibilities here. One, "cn=Replication Manager
cloneAgreement1-fitch.<domain>-pki-tomcat,ou=csusers,cn=config" does not
exist on the server, or two, you are using the wrong password for this
entry in the replication agreement.

> *Michael Rainey*
> Network Representative
> Naval Research Laboratory, Code 7320
> Building 1009, Room C156
> Stennis Space Center, MS 39529
>
> On 05/09/2018 03:46 PM, Mark Reynolds via FreeIPA-users wrote:
>> On 05/09/2018 04:23 PM, Michael Rainey (Contractor, Code 7320) via
>> FreeIPA-users wrote:
>>> Rob,
>>>
>>> A big thank you for showing me how to bring the service back. You are
>>> correct that it doesn't resolve the cause. I suspect I'm in a bit of
>>> certificate hades. The first sign of problems starts with
>>> pki-tomcatd failing to start. Testing of the https:<server_name>
>>> url says the connection is refused. I haven't been able to track
>>> down the cause. However, I do have other systems exhibiting the same
>>> problem.
>>>
>>>> Could not connect to LDAP server host fitch.<domain> port 636 Error
>>>> netscape.ldap.LDAPException: Authentication failed (49)
>>>
>>> From here, I'm not certain where to look. Is this an issue with
>>> certmonger, pki-tomcatd, or something else?
>>
>> You need to look at the Directory Server access log to find what BIND
>> DN is having problems:
>>
>> /var/log/dirsrv/slapd-YOUR_INSTANCE/access
>>
>> Then grep for "err=49". It should say if it's a bad password or if
>> the bind dn is missing (no such object).
>>
>>> Any suggestions?
>>>
>>> *Michael Rainey*
>>> Network Representative
>>> Naval Research Laboratory, Code 7320
>>> Building 1009, Room C156
>>> Stennis Space Center, MS 39529
>>>
>>> On 05/09/2018 02:41 PM, Rob Crittenden via FreeIPA-users wrote:
>>>> Michael Rainey (Contractor, Code 7320) via FreeIPA-users wrote:
>>>>> Greetings community,
>>>>>
>>>>> I'm having some major issues with my IPA servers and I'm
>>>>> activating the bat signal seeking some help. We recently upgraded
>>>>> this system to SL7.5 and ran the ipa-server-upgrade command.
>>>>> During the upgrade the process failed and access to the LDAP
>>>>> service is no longer possible. Running the "ipactl restart" command
>>>>> results in:
>>>>>
>>>>>> Failed to get service list from file: Unknown error when
>>>>>> retrieving list of services from file: [Errno 2] No such file or
>>>>>> directory: '/var/run/ipa/services.list'
>>>>>
>>>>> I have tried running the "ipa-replica-manage re-initialize"
>>>>> command in an attempt to resync the servers, to no avail. I have also
>>>>> been reviewing certificates and no certificates appear to be
>>>>> expired. I believe the main cause of this problem has been that the
>>>>> pki-tomcatd service would not start.
>>>>>
>>>>> I'm guessing the first step in this process is to get the LDAP
>>>>> server running again. Are there any steps that someone could
>>>>> recommend to revive LDAP? I'm able to start and stop the service
>>>>> manually, but the listening port 636 is not active.
>>>>
>>>> Shut down dirsrv then edit dse.ldif and set:
>>>>
>>>> nsslapd-port = 389
>>>> nsslapd-security = on
>>>>
>>>> That should get things running but doesn't address the cause of the
>>>> upgrade failure.
>>>>
>>>> rob
>>>>
>>>>>> ERR - slapi_ldap_bind - Error: could not send startTLS request:
>>>>>> error -1 (Can't contact LDAP server) errno 107 (Transport
>>>>>> endpoint is not connected)
>>>>>
>>>>> Your help is greatly appreciated.
>>>>>
>>>>> --
>>>>> *Michael Rainey*
>>>>> Network Representative
>>>>> Naval Research Laboratory, Code 7320
>>>>> Building 1009, Room C156
>>>>> Stennis Space Center, MS 39529

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
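To make the "grep for err=49" step concrete, here is an added example (my own, not code from the thread, FreeIPA or 389-ds) that pairs each BIND with its RESULT by conn/op in a 389-ds access log, keeps the binds that failed, and attaches the client-certificate mapping error logged on the same connection. The log lines are constructed from the excerpt above, with placeholder addresses and realm.

```python
import re

# Constructed sample lines, modelled on the 389-ds access log excerpt quoted in the thread.
SAMPLE_LOG = """\
[09/May/2018:08:18:40.002000000 -0500] conn=23 TLS1.2 failed to map client certificate to LDAP DN (Could not matching certificate in User's LDAP entry)
[09/May/2018:08:18:40.003000000 -0500] conn=23 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[09/May/2018:08:18:40.005000000 -0500] conn=23 op=0 RESULT err=49 tag=97 nentries=0 etime=0.0022754084 - Client certificate mapping failed
[09/May/2018:08:18:50.046531729 -0500] conn=73 op=1 BIND dn="cn=Replication Manager cloneAgreement1-fitch.example.test-pki-tomcat,ou=csusers,cn=config" method=128 version=3
[09/May/2018:08:18:50.046882326 -0500] conn=73 op=1 RESULT err=49 tag=97 nentries=0 etime=0.0007732885
[09/May/2018:08:18:51.000000000 -0500] conn=74 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[09/May/2018:08:18:51.001000000 -0500] conn=74 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0001000000
"""

CERTMAP_RE = re.compile(r'conn=(\d+) .*failed to map client certificate to LDAP DN \((.*)\)')
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\S+) version=\d+(?: mech=(\S+))?')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)(?: .*? - (.+))?')

def failed_binds(log_text, errors=(49, 32)):
    """Pair each BIND with its RESULT on the same (conn, op) and return the binds
    that ended in one of `errors` (49 = invalid credentials, 32 = no such object)."""
    pending, certmap_errors, failures = {}, {}, []
    for line in log_text.splitlines():
        m = CERTMAP_RE.search(line)
        if m:  # remember the TLS client-cert mapping failure for this connection
            certmap_errors[int(m.group(1))] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            conn, op = int(m.group(1)), int(m.group(2))
            pending[(conn, op)] = {"conn": conn, "op": op, "dn": m.group(3),
                                   "method": m.group(4), "mech": m.group(5)}
            continue
        m = RESULT_RE.search(line)
        if m:
            bind = pending.pop((int(m.group(1)), int(m.group(2))), None)
            err = int(m.group(3))
            if bind is None or err not in errors:
                continue
            bind.update(err=err, reason=m.group(4),
                        certmap_error=certmap_errors.get(bind["conn"]))
            if bind["mech"] == "EXTERNAL" and bind["certmap_error"]:
                bind["hint"] = "client certificate did not map to an LDAP entry"
            elif err == 32:
                bind["hint"] = "bind DN does not exist"
            else:
                bind["hint"] = "wrong password, or the bind DN is missing"
            failures.append(bind)
    return failures
```

Run it over the real file (/var/log/dirsrv/slapd-YOUR_INSTANCE/access) instead of SAMPLE_LOG to list every bind DN that failed, which is exactly what the replication-agreement check above needs.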