On Thu, Nov 17, 2011 at 11:25, Adam Young <[email protected]> wrote:
> On 11/17/2011 10:58 AM, Dan Scott wrote:
>
> On Wed, Nov 16, 2011 at 14:01, Rob Crittenden <[email protected]> wrote:
>
> Dan Scott wrote:
>
> On Wed, Nov 16, 2011 at 10:39, Rob Crittenden<[email protected]> wrote:
>
> Dan Scott wrote:
>
> On Wed, Nov 16, 2011 at 09:23, Rob Crittenden<[email protected]>
> wrote:
>
> Dan Scott wrote:
>
> Hi,
>
> I receive the following error when I try to remove a host from IPA:
>
> djscott@pc35:~$ ipa host-del pc60
> ipa: ERROR: Certificate operation cannot be completed: Unable to
> communicate with CMS (Not Found)
>
> I'm running a Fedora 16 (freeipa-server-2.1.3-5.fc16.x86_64) server
> replicated with a Fedora 15 (freeipa-server-2.1.3-2.fc15.i686) server.
>
> I've looked at this:
>
> https://fedorahosted.org/freeipa/ticket/1889
>
> But it looks like it was fixed in 2.1.2 or 2.1.3. Any ideas for what I
> need to do?
>
> Thanks,
>
> Dan
>
> This would suggest that dogtag isn't running. Are dogtag and its LDAP
> instance up?
>
> It seems to be, there are 2 entries 'loaded active running' for the
> dirsrv@ instances. I don't see any errors in the
> /var/log/dirsrv/slapd-PKI-IPA/errors file.
>
> Tomcat is running too.
>
> Dan
>
> Hmm, ok, let's see if we can talk to the cert system at all.
>
> $ ipa cert-show 1
>
> fileserver1 is the IPA server with PKI-IPA running:
>
> [root@fileserver1 ~]# ipa cert-show 1
> ipa: ERROR: Certificate operation cannot be completed: Unable to
> communicate with CMS (Not Found)
>
> SELinux is my normal culprit when things don't work. It may be so in
> this case. My /var/log/audit/audit.log hasn't changed since 11th
> November.....
>
> Unfortunately, temporarily disabling it doesn't seem to help:
>
> [root@fileserver1 ~]# setenforce Permissive
> [root@fileserver1 ~]# ipa cert-show 1
> ipa: ERROR: Certificate operation cannot be completed: Unable to
> communicate with CMS (Not Found)
>
> What processes should be running for the certificate server? I have
> the ns-slapd process and tomcat6 running. The tomcat logs are empty.
>
> Dan
>
> It sounds like you have the right processes running.
>
> The dogtag logs are in /var/log/pki-ca. debug is rather verbose and where I
> usually start looking for issues.
>
> The /var/log/pki-ca/debug file hasn't been updated since the 11th
> November. I've attached an extract from catalina.out which contains
> some pretty severe errors.
>
> To summarise, the errors are:
> SEVERE: Error initializing socket factory
> java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> SEVERE: Failed to initialize connector [Connector[HTTP/1.1-9443]]
> java.io.IOException: Failed to access resource /WEB-INF/lib/osutil.jar
>
> I'd guess that this means I'm missing a package? I'm having trouble
> figuring out which one contains the code I'm missing. Maybe I need to
> reinstall one?
>
> Thanks,
>
> Dan
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> Is this on F16? It might be that the package is there but not being picked
> up.
>
>
> JSS and osutils are JNI packages, and you should find them in
> /usr/lib64/java/jss4.jar and osutil.jar, but they might end up in
> /usr/lib/java/jss4.jar and osutil.jar

Both of those files exist, in the lib64 directory:

[root@fileserver1 ~]# ls -l /usr/lib64/java/
total 700
-rw-r--r--. 1 root root 698429 Oct 5 22:14 jss4.jar
-rw-r--r--. 1 root root 9390 Oct 5 23:11 osutil.jar
-rw-r--r--. 1 root root 1858 Oct 7 23:06 symkey.jar

I'm not sure which of the pki* and dogtag* packages should be
installed. The dogtag packages that I have installed have older
version numbers than the pki packages.

[root@fileserver1 ~]# rpm -qa|grep pki
pki-silent-9.0.15-1.fc16.noarch
pki-symkey-9.0.15-1.fc16.x86_64
pki-java-tools-9.0.15-1.fc16.noarch
dogtag-pki-common-theme-9.0.9-1.fc15.noarch
krb5-pkinit-openssl-1.9.1-18.fc16.x86_64
pki-common-9.0.15-1.fc16.noarch
pki-native-tools-9.0.15-1.fc16.x86_64
pki-selinux-9.0.15-1.fc16.noarch
pki-util-9.0.15-1.fc16.noarch
pki-setup-9.0.15-1.fc16.noarch
pki-ca-9.0.15-1.fc16.noarch
dogtag-pki-ca-theme-9.0.9-1.fc15.noarch

And I have the following 'orphans':

[root@fileserver1 ~]# package-cleanup --orphans
dogtag-pki-ca-theme-9.0.9-1.fc15.noarch
dogtag-pki-common-theme-9.0.9-1.fc15.noarch

Do you know which versions should be installed?

Thanks,

Dan
