I had to let this sit for a few days, but now that I try again I can remove and re-add the host (using CLI). The web UI still presents an error though:

IPA Error 4302: CertificateFormatError
Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old unsupported format.

This is an error I ran into when working with renewing certs while referring to the wrong path for the certificate database (path changed with versions and I was unaware). Why this is happening in the web UI though still eludes me. The test host I removed via CLI and then added with the ipa-client-install command still does not show “Enrolled” status when I do a search for it in the UI, and the error above is displayed when this host shows up in results, or when I click on the link to the host page. Is it possible that Apache is misconfigured? I’m including my dirsrv and apache access log excerpts from when I try to load the host page. I do see some errors.

Apache:

[Wed Apr 26 14:37:15.047280 2017] [:error] [pid 7300] Bad remote server certificate: -8179
[Wed Apr 26 14:37:15.047303 2017] [:error] [pid 7300] SSL Library Error: -8179 Certificate is signed by an unknown issuer
[Wed Apr 26 14:37:15.047364 2017] [:error] [pid 7300] Re-negotiation handshake failed: Not accepted by client!?
[Wed Apr 26 14:37:15.047698 2017] [:error] [pid 7295] ipa: INFO: [xmlserver] host/[email protected]: cert_request(u'[...]', principal=u'host/[email protected]', add=True, version=u'2.51'): NetworkError
[Wed Apr 26 14:37:15.047856 2017] [:error] [pid 7300] Bad remote server certificate: -8179
[Wed Apr 26 14:37:15.047864 2017] [:error] [pid 7300] SSL Library Error: -8179 Certificate is signed by an unknown issuer
[Wed Apr 26 14:37:15.047869 2017] [:error] [pid 7300] SSL Library Error: -8179 Certificate is signed by an unknown issuer
[Wed Apr 26 14:37:15.048309 2017] [:error] [pid 7300] Bad remote server certificate: -8179
[Wed Apr 26 14:37:15.048317 2017] [:error] [pid 7300] SSL Library Error: -8179 Certificate is signed by an unknown issuer
[Wed Apr 26 14:37:15.235599 2017] [:warn] [pid 9708] NSSProtocol: Unknown protocol 'tlsv1.2' not supported
[Wed Apr 26 14:37:15.235637 2017] [:error] [pid 9708] Unknown cipher aes_128_sha_256
[Wed Apr 26 14:37:15.235641 2017] [:error] [pid 9708] Unknown cipher aes_256_sha_256
[Wed Apr 26 14:37:15.235644 2017] [:error] [pid 9708] Unknown cipher ecdhe_ecdsa_aes_128_gcm_sha_256
[Wed Apr 26 14:37:15.235648 2017] [:error] [pid 9708] Unknown cipher ecdhe_ecdsa_aes_256_gcm_sha_384
[Wed Apr 26 14:37:15.235652 2017] [:error] [pid 9708] Unknown cipher ecdhe_rsa_aes_128_gcm_sha_256
[Wed Apr 26 14:37:15.235655 2017] [:error] [pid 9708] Unknown cipher ecdhe_rsa_aes_256_gcm_sha_384
[Wed Apr 26 14:37:15.235658 2017] [:error] [pid 9708] Unknown cipher rsa_aes_128_gcm_sha_256
[Wed Apr 26 14:37:15.235662 2017] [:error] [pid 9708] Unknown cipher rsa_aes_256_gcm_sha_384

Dirsrv:

[26/Apr/2017:14:51:54.142433251 -0500] conn=17 op=5296 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
[26/Apr/2017:14:51:54.142776551 -0500] conn=17 op=5296 RESULT err=32 tag=101 nentries=0 etime=0
[26/Apr/2017:14:51:55.018498792 -0500] conn=8 op=8117 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="description"
[26/Apr/2017:14:51:55.018666292 -0500] conn=8 op=8117 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:00.146796240 -0500] conn=8 op=8119 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=INVALID)" attrs="objectClass serialno notBefore notAfter duration extension subjectName issuerName userCertificate version algorithmId signingAlgorithmId publicKeyData"
[26/Apr/2017:14:52:00.147035479 -0500] conn=8 op=8119 SORT notBefore
[26/Apr/2017:14:52:00.147051543 -0500] conn=8 op=8119 VLV 200:0:20170426145200Z 1:0 (0)
[26/Apr/2017:14:52:00.147092417 -0500] conn=8 op=8119 RESULT err=0 tag=101 nentries=0 etime=0
[26/Apr/2017:14:52:00.147826090 -0500] conn=8 op=8120 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=VALID)" attrs="objectClass serialno notBefore notAfter duration extension subjectName issuerName userCertificate version algorithmId signingAlgorithmId publicKeyData"
[26/Apr/2017:14:52:00.147982635 -0500] conn=8 op=8120 SORT notAfter
[26/Apr/2017:14:52:00.147991868 -0500] conn=8 op=8120 VLV 200:0:20170426145200Z 1:35 (0)
[26/Apr/2017:14:52:00.148105485 -0500] conn=8 op=8120 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:00.148933905 -0500] conn=8 op=8121 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=REVOKED)" attrs="objectClass revokedOn serialno revInfo notAfter notBefore duration extension subjectName issuerName userCertificate version algorithmId signingAlgorithmId publicKeyData"
[26/Apr/2017:14:52:00.149043409 -0500] conn=8 op=8121 SORT notAfter
[26/Apr/2017:14:52:00.149052772 -0500] conn=8 op=8121 VLV 200:0:20170426145200Z 1:4 (0)
[26/Apr/2017:14:52:00.149160758 -0500] conn=8 op=8121 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:29.001182676 -0500] conn=19057 op=17 UNBIND
[26/Apr/2017:14:52:29.001203771 -0500] conn=19057 op=17 fd=122 closed - U1
[26/Apr/2017:14:52:43.956006475 -0500] conn=19059 fd=122 slot=122 connection from 10.11.10.6 to 10.11.10.3
[26/Apr/2017:14:52:43.956364716 -0500] conn=19059 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms domaincontrollerfunctionality defaultnamingcontext lastusn highestcommittedusn aci"
[26/Apr/2017:14:52:43.957812723 -0500] conn=19059 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.961326411 -0500] conn=4 op=33437 SRCH base="dc=domain,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/[email protected])(krbPrincipalName:caseIgnoreIA5Match:=host/[email protected])))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[26/Apr/2017:14:52:43.961883409 -0500] conn=4 op=33437 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.961970819 -0500] conn=4 op=33438 SRCH base="cn=ipaConfig,cn=etc,dc=domain,dc=com" scope=0 filter="(objectClass=*)" attrs="ipaConfigString ipaKrbAuthzData ipaUserAuthType"
[26/Apr/2017:14:52:43.962039666 -0500] conn=4 op=33438 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.962141970 -0500] conn=4 op=33439 SRCH base="cn=DOMAIN.COM,cn=kerberos,dc=domain,dc=com" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[26/Apr/2017:14:52:43.962369262 -0500] conn=4 op=33439 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.962455322 -0500] conn=4 op=33440 SRCH base="dc=domain,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/[email protected])(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/[email protected])))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[26/Apr/2017:14:52:43.962718874 -0500] conn=4 op=33440 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.962817682 -0500] conn=4 op=33441 SRCH base="cn=Default Host Password Policy,cn=computers,cn=accounts,dc=domain,dc=com" scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration"
[26/Apr/2017:14:52:43.962896540 -0500] conn=4 op=33441 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.963503712 -0500] conn=4 op=33442 SRCH base="dc=domain,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/[email protected])(krbPrincipalName:caseIgnoreIA5Match:=host/[email protected])))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[26/Apr/2017:14:52:43.963752103 -0500] conn=4 op=33442 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.963849295 -0500] conn=4 op=33443 SRCH base="cn=DOMAIN.COM,cn=kerberos,dc=domain,dc=com" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[26/Apr/2017:14:52:43.963953657 -0500] conn=4 op=33443 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.964039852 -0500] conn=4 op=33444 SRCH base="dc=domain,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/[email protected])(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/[email protected])))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[26/Apr/2017:14:52:43.964273302 -0500] conn=4 op=33444 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.964362345 -0500] conn=4 op=33445 SRCH base="cn=Default Host Password Policy,cn=computers,cn=accounts,dc=domain,dc=com" scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration"
[26/Apr/2017:14:52:43.964435619 -0500] conn=4 op=33445 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.964567590 -0500] conn=4 op=33446 SRCH base="fqdn=clienthost.domain2.com,cn=computers,cn=accounts,dc=domain,dc=com" scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory ipaNTHomeDirectoryDrive"
[26/Apr/2017:14:52:43.964851835 -0500] conn=4 op=33446 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.964901338 -0500] conn=4 op=33447 SRCH base="cn=clienthost.domain2.com,cn=masters,cn=ipa,cn=etc,dc=domain,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[26/Apr/2017:14:52:43.964982222 -0500] conn=4 op=33447 RESULT err=32 tag=101 nentries=0 etime=0
[26/Apr/2017:14:52:43.965190437 -0500] conn=4 op=33448 MOD dn="fqdn=clienthost.domain2.com,cn=computers,cn=accounts,dc=domain,dc=com"
[26/Apr/2017:14:52:43.971416149 -0500] conn=4 op=33448 RESULT err=0 tag=103 nentries=0 etime=0 csn=5900fab3000000040000
[26/Apr/2017:14:52:43.972903894 -0500] conn=4 op=33449 SRCH base="dc=domain,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/[email protected])(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/[email protected])))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[26/Apr/2017:14:52:43.973145956 -0500] conn=4 op=33449 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.973372685 -0500] conn=4 op=33450 SRCH base="dc=domain,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/[email protected])(krbPrincipalName:caseIgnoreIA5Match:=ldap/[email protected])))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[26/Apr/2017:14:52:43.973601674 -0500] conn=4 op=33450 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.973695925 -0500] conn=4 op=33451 SRCH base="cn=DOMAIN.COM,cn=kerberos,dc=domain,dc=com" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[26/Apr/2017:14:52:43.973792556 -0500] conn=4 op=33451 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.973887813 -0500] conn=4 op=33452 SRCH base="dc=domain,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=host/[email protected]))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[26/Apr/2017:14:52:43.974122262 -0500] conn=4 op=33452 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.974232772 -0500] conn=4 op=33453 SRCH base="cn=DOMAIN.COM,cn=kerberos,dc=domain,dc=com" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[26/Apr/2017:14:52:43.974326465 -0500] conn=4 op=33453 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.974905377 -0500] conn=19059 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[26/Apr/2017:14:52:43.980786355 -0500] conn=19059 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[26/Apr/2017:14:52:43.981170143 -0500] conn=19059 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[26/Apr/2017:14:52:43.982397706 -0500] conn=19059 op=2 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[26/Apr/2017:14:52:43.982529305 -0500] conn=19059 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
[26/Apr/2017:14:52:43.983192932 -0500] conn=19059 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=clienthost.domain2.com,cn=computers,cn=accounts,dc=domain,dc=com"
[26/Apr/2017:14:52:43.983449296 -0500] conn=19059 op=4 SRCH base="cn=accounts,dc=domain,dc=com" scope=2 filter="(&(objectClass=ipaHost)(fqdn=clienthost.domain2.com))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
[26/Apr/2017:14:52:43.984109232 -0500] conn=19059 op=4 RESULT err=0 tag=101 nentries=1 etime=0 notes=P pr_idx=0 pr_cookie=-1
[26/Apr/2017:14:52:43.984622970 -0500] conn=19059 op=5 SRCH base="fqdn=clienthost.domain2.com,cn=computers,cn=accounts,dc=domain,dc=com" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
[26/Apr/2017:14:52:43.984955433 -0500] conn=19059 op=5 RESULT err=0 tag=101 nentries=1 etime=0 notes=P pr_idx=0 pr_cookie=-1
[26/Apr/2017:14:52:43.985234170 -0500] conn=19059 op=6 SRCH base="cn=sudo,dc=domain,dc=com" scope=2 filter="(&(objectClass=ipasudocmdgrp)(entryusn>=20038636))" attrs="objectClass ipaUniqueID cn member entryusn"
[26/Apr/2017:14:52:43.986861159 -0500] conn=19059 op=6 RESULT err=0 tag=101 nentries=0 etime=0 notes=P pr_idx=0 pr_cookie=-1
[26/Apr/2017:14:52:43.987119181 -0500] conn=19059 op=7 SRCH base="cn=sudo,dc=domain,dc=com" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(!(memberHost=*))(hostCategory=ALL)(memberHost=fqdn=clienthost.domain2.com,cn=computers,cn=accounts,dc=domain,dc=com))(entryusn>=20038636))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup entryusn"
[26/Apr/2017:14:52:43.987828298 -0500] conn=19059 op=7 RESULT err=0 tag=101 nentries=0 etime=0 notes=P pr_idx=0 pr_cookie=-1
[26/Apr/2017:14:56:53.754308324 -0500] conn=8 op=8122 MOD dn="cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca"
[26/Apr/2017:14:56:53.758231493 -0500] conn=8 op=8122 RESULT err=0 tag=103 nentries=0 etime=0
[26/Apr/2017:14:56:54.141384397 -0500] conn=17 op=5298 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
[26/Apr/2017:14:56:54.141558862 -0500] conn=17 op=5298 RESULT err=32 tag=101 nentries=0 etime=0

> On Apr 20, 2017, at 1:03 PM, Rob Crittenden <[email protected]> wrote:
>
> Andrew Krause wrote:
>> Sorry for the self bump but no one has any insight on this?
>>
>>
>>> On Apr 17, 2017, at 11:31 AM, Andrew Krause
>>> <[email protected]> wrote:
>>>
>>> Many hosts in our web ui show a null status for “enrolled”. When you do a
>>> search that includes any of these host objects the web UI posts errors, and
>>> if you click on one of the problem hosts the same error stops anything from
>>> loading on the host page.
>>>
>>> I’ve been trying to solve this problem on my own for quite some time and
>>> have not been successful. It’s impossible to remove the host through the
>>> web UI and using CLI commands seem to remove the entry from IPA (host is
>>> not found with ipa host-find), but it is still visible in the UI. One
>>> thing that may be common with all of these hosts is that they were enrolled
>>> with our IPA system back while we were running version 3.0 and likely have
>>> had issues for quite some time. Multiple updates have happened since then,
>>> and all of our hosts added within the last year are working fine. I
>>> suspect there’s an issue with a path somewhere for a certificate database,
>>> but I’m unable to pinpoint what is going wrong.
>
> It should not be possible to have different views in the UI and the CLI
> since they make the same backend calls. What you'd want to do, hopefully
> on a semi-quiet system, is to do a host-find on the CLI and then list
> all hosts in the UI and compare the logs in /var/log/httpd/error_log and
> look at the LDAP queries in /var/log/dirsrv/slapd-REALM/access (this is
> a buffered log so be patient).
>
> They should be doing more or less the exact same set of queries.
>
> Very doubtful that this has anything to do with certs. Anything on the
> client would be completely separate from what is on the server.
>
> One thing you may be seeing though is that in 3.0 clients a host
> certificate was obtained for it. This was dropped with 4.0, but it
> wouldn't affect any visibility on the server.
>
> rob
>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
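The comparison Rob suggests (run the host lookup once from the CLI and once from the web UI, then compare the LDAP queries each run made in the dirsrv access log) is tedious to do by eye because every operation is split across a SRCH line and a later RESULT line keyed only by conn= and op=. The following is an added example, not code from the thread or from the FreeIPA project: a small parser for the 389-ds access-log format shown above that pairs each operation with its RESULT, lists the operations that returned a non-zero LDAP result code (err=32 is noSuchObject, which is what the cn=masters lookup above returned), and reduces a run to the set of (base, scope, filter) triples so two runs can be diffed. The sample log embedded in the block is a constructed excerpt modelled on the lines in this message, with some attrs lists shortened; the log path, connection numbers and the decision to treat err=14 (saslBindInProgress) as a normal step of the GSSAPI bind rather than a failure are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Line shapes from the 389-ds access log quoted in the thread.
_HEAD = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')
_SRCH = re.compile(r'^SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>.*)" attrs=(?P<attrs>.*)$')
_RESULT = re.compile(r'^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=(?P<n>\d+)')

# LDAP result code 14 is returned between the legs of a multi-step SASL bind;
# the GSSAPI BIND lines in the thread show it before the final err=0. Treated
# here as "in progress", not as a failure (example assumption).
LDAP_SASL_BIND_IN_PROGRESS = 14


@dataclass
class LdapOp:
    conn: int
    op: int
    kind: str                      # SRCH, MOD, BIND, UNBIND, ...
    base: Optional[str] = None     # SRCH only
    scope: Optional[int] = None    # SRCH only
    filter: Optional[str] = None   # SRCH only
    err: Optional[int] = None      # filled in from the matching RESULT line
    nentries: Optional[int] = None


def parse_access_log(text: str) -> List[LdapOp]:
    """Pair every request line with its RESULT line using (conn, op) as the key."""
    ops: Dict[Tuple[int, int], LdapOp] = {}
    order: List[Tuple[int, int]] = []
    for raw in text.splitlines():
        m = _HEAD.match(raw.strip())
        if not m:
            continue  # "connection from" lines carry no op= and are skipped
        key = (int(m['conn']), int(m['op']))
        rest = m['rest']
        if rest.startswith('RESULT'):
            r = _RESULT.match(rest)
            if r and key in ops:
                ops[key].err = int(r['err'])
                ops[key].nentries = int(r['n'])
            continue
        if key in ops:
            continue  # SORT / VLV / "closed" lines belong to an op already recorded
        entry = LdapOp(conn=key[0], op=key[1], kind=rest.split(' ', 1)[0])
        s = _SRCH.match(rest)
        if s:
            entry.base, entry.scope, entry.filter = s['base'], int(s['scope']), s['filter']
        ops[key] = entry
        order.append(key)
    return [ops[k] for k in order]


def failed_ops(ops: List[LdapOp]) -> List[LdapOp]:
    """Operations whose RESULT carried a real error code (unanswered ops are not counted)."""
    return [o for o in ops if o.err not in (None, 0, LDAP_SASL_BIND_IN_PROGRESS)]


def query_signature(ops: List[LdapOp], conn: Optional[int] = None) -> Set[Tuple[str, int, str]]:
    """The (base, scope, filter) set of one run; compare a CLI run against a UI run."""
    return {(o.base, o.scope, o.filter)
            for o in ops if o.kind == 'SRCH' and (conn is None or o.conn == conn)}


def diff_query_sets(a: Set[Tuple[str, int, str]], b: Set[Tuple[str, int, str]]):
    """Queries only the first run made, and queries only the second run made."""
    return sorted(a - b), sorted(b - a)


# Constructed excerpt modelled on the thread's log lines (attrs lists shortened).
SAMPLE_LOG = """\
[26/Apr/2017:14:51:54.142433251 -0500] conn=17 op=5296 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
[26/Apr/2017:14:51:54.142776551 -0500] conn=17 op=5296 RESULT err=32 tag=101 nentries=0 etime=0
[26/Apr/2017:14:52:43.956006475 -0500] conn=19059 fd=122 slot=122 connection from 10.11.10.6 to 10.11.10.3
[26/Apr/2017:14:52:43.964567590 -0500] conn=4 op=33446 SRCH base="fqdn=clienthost.domain2.com,cn=computers,cn=accounts,dc=domain,dc=com" scope=0 filter="(objectClass=*)" attrs="objectClass cn fqdn"
[26/Apr/2017:14:52:43.964851835 -0500] conn=4 op=33446 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2017:14:52:43.964901338 -0500] conn=4 op=33447 SRCH base="cn=clienthost.domain2.com,cn=masters,cn=ipa,cn=etc,dc=domain,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[26/Apr/2017:14:52:43.964982222 -0500] conn=4 op=33447 RESULT err=32 tag=101 nentries=0 etime=0
[26/Apr/2017:14:52:43.965190437 -0500] conn=4 op=33448 MOD dn="fqdn=clienthost.domain2.com,cn=computers,cn=accounts,dc=domain,dc=com"
[26/Apr/2017:14:52:43.971416149 -0500] conn=4 op=33448 RESULT err=0 tag=103 nentries=0 etime=0 csn=5900fab3000000040000
[26/Apr/2017:14:52:43.974905377 -0500] conn=19059 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[26/Apr/2017:14:52:43.980786355 -0500] conn=19059 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[26/Apr/2017:14:52:43.983449296 -0500] conn=19059 op=4 SRCH base="cn=accounts,dc=domain,dc=com" scope=2 filter="(&(objectClass=ipaHost)(fqdn=clienthost.domain2.com))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
[26/Apr/2017:14:52:43.984109232 -0500] conn=19059 op=4 RESULT err=0 tag=101 nentries=1 etime=0 notes=P pr_idx=0 pr_cookie=-1
"""

if __name__ == '__main__':
    parsed = parse_access_log(SAMPLE_LOG)
    for o in failed_ops(parsed):
        print(f"conn={o.conn} op={o.op} {o.kind} err={o.err} base={o.base!r}")
    only_a, only_b = diff_query_sets(query_signature(parsed, conn=4),
                                     query_signature(parsed, conn=19059))
    print("only in conn=4:", only_a)
    print("only in conn=19059:", only_b)
```

In practice you would feed it two slices of /var/log/dirsrv/slapd-REALM/access, one cut around the CLI host-find and one around the UI host list, and pass the conn= number each client used to query_signature(); the two filter sets should then be nearly identical, and any SRCH that appears in one set only, or returns err=32 in one run only, is the query to look at.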
