Hi,

On Tue, Dec 13, 2022 at 11:00 AM junhou he via FreeIPA-users <[email protected]> wrote:

> Hi,
> rpm -qa | grep pki
> krb5-pkinit-1.18.2-14.el8.x86_64
> pki-base-10.12.0-2.module+el8.6.0+788+76246f77.noarch
> pki-base-java-10.12.0-2.module+el8.6.0+788+76246f77.noarch
> pki-acme-10.12.0-2.module+el8.6.0+788+76246f77.noarch
> python3-pki-10.12.0-2.module+el8.6.0+788+76246f77.noarch
> pki-servlet-4.0-api-9.0.30-3.module+el8.5.0+697+f586bb30.noarch
> pki-tools-10.12.0-2.module+el8.6.0+788+76246f77.x86_64
> pki-servlet-engine-9.0.30-3.module+el8.5.0+697+f586bb30.noarch
>

^^ This is pre 9.0.31 so it looks like your server.xml is consistent (contains requiredSecret).

IIRC in debug mode there are additional messages in httpd's error log. You can do the following:

- create a file /etc/ipa/server.conf with the following content

    [global]
    debug=True

- restart ipa to take the config change into account:

    ipactl restart

- launch the command that will create new logs

    kinit admin
    ipa cert-show 1

- check the content of /var/log/httpd/error_log

There is also a command that makes roughly the same call to PKI (run as root):

    curl -v --cert /var/lib/ipa/ra-agent.pem --key /var/lib/ipa/ra-agent.key -d 'op=displayBySerial&serialNumber=1' -k https://`hostname`:443/ca/agent/ca/displayBySerial

If there are issues during the handshake you should be able to see error messages.

flo

> pki-ca-10.12.0-2.module+el8.6.0+788+76246f77.noarch
> pki-kra-10.12.0-2.module+el8.6.0+788+76246f77.noarch
> pki-server-10.12.0-2.module+el8.6.0+788+76246f77.noarch
> pki-symkey-10.12.0-2.module+el8.6.0+788+76246f77.x86_64
> [root@wocfreeipa ~]# rpm -qa | grep tomcat
> tomcatjss-7.7.1-1.module+el8.6.0+788+76246f77.noarch
> [root@wocfreeipa ~]#
> [root@wocfreeipa ~]#
> [root@wocfreeipa ~]# ipa --version
> VERSION: 4.9.8, API_VERSION: 2.245
>
> thanks,
> Junhou
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
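The version check made in the reply above (a pki-servlet-engine older than 9.0.31 goes with requiredSecret in server.xml), as an added example that is not part of the original message or of FreeIPA's code. It assumes that packages at 9.0.31 or later expect the attribute name secret, which comes from Tomcat's AJP connector rename rather than from this thread; the server.xml content and the secret value below are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Threshold from the reply: engines before 9.0.31 pair with requiredSecret.
RENAME_VERSION = (9, 0, 31)

# Constructed sample, not taken from a real host.
SAMPLE_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" address="localhost"
               requiredSecret="CONSTRUCTED-PLACEHOLDER"/>
  </Service>
</Server>"""

def engine_version(nvr):
    """Parse (major, minor, patch) from an rpm -qa line for pki-servlet-engine."""
    m = re.search(r"pki-servlet-engine-(\d+)\.(\d+)\.(\d+)-", nvr)
    if not m:
        raise ValueError("not a pki-servlet-engine package: %r" % nvr)
    return tuple(int(x) for x in m.groups())

def expected_attr(version):
    # Assumption: 9.0.31 and later expect "secret" (Tomcat AJP rename).
    return "requiredSecret" if version < RENAME_VERSION else "secret"

def check_ajp_connectors(server_xml, nvr):
    """Return [(port, status)] for every AJP connector; never echoes the secret."""
    want = expected_attr(engine_version(nvr))
    other = "secret" if want == "requiredSecret" else "requiredSecret"
    results = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue  # only the AJP connector carries the shared secret
        if conn.get(want):
            status = "consistent"
        elif conn.get(other):
            status = "inconsistent: has %s, expected %s" % (other, want)
        else:
            status = "no secret attribute set"
        results.append((conn.get("port"), status))
    return results

if __name__ == "__main__":
    nvr = "pki-servlet-engine-9.0.30-3.module+el8.5.0+697+f586bb30.noarch"
    for port, status in check_ajp_connectors(SAMPLE_XML, nvr):
        print("AJP connector on port %s: %s" % (port, status))
```

To run it against a real host, pass the contents of the instance's server.xml and the pki-servlet-engine line from rpm -qa.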
