Freeipa Troubleshooting
This page contains troubleshooting advice for FreeIPA server installation. For
troubleshooting other issues, refer to the index at Troubleshooting.
Contents
1 Server Installation
2 pki-selinux policy not loaded properly
3 Replica Installation
3.1 Migrating from RHEL 6/CentOS 6
3.2 Replica Installation fails with Invalid Credentials
4 Client Installation
4.1 Installation breaks on decoding/downloading CA certificate
4.2 Failed to update DNS records
4.3 Installation breaks on Joining realm
Server Installation
If the installation crashed while installing the PKI server (Dogtag), check its logs as
well. The most useful logs are the following:
/var/log/pki/pki-ca-spawn.$TIME_OF_INSTALLATION.log
/var/log/pki/pki-tomcat/catalina.out
/var/log/pki/pki-tomcat/ca/system
/var/log/pki/pki-tomcat/ca/debug
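A small triage helper for the logs listed above, added here as an example (it is not part of the FreeIPA wiki or the project): it picks the newest pki-ca-spawn log under the log directory and surfaces its error lines first, then points at catalina.out and ca/debug when the spawn log is clean. The error-line patterns (ERROR, SEVERE, Exception, Traceback) are an assumption about what a failed Dogtag spawn writes; adjust them to what your log actually contains.

```shell
#!/bin/sh
# Added example, not FreeIPA project code. Assumes the spawn log naming from
# the wiki (pki-ca-spawn.$TIME_OF_INSTALLATION.log) and that failures show up
# as ERROR/SEVERE/Exception/Traceback lines (an assumption).

# Print the path of the most recently modified pki-ca-spawn.*.log in $1.
latest_spawn_log() {
    # $1 = log directory (normally /var/log/pki)
    ls -1t "$1"/pki-ca-spawn.*.log 2>/dev/null | head -n 1
}

# Print error-looking lines of a log, prefixed with their line numbers.
spawn_log_errors() {
    # $1 = log file
    grep -nE 'ERROR|SEVERE|Exception|Traceback' "$1"
}

# Count the error-looking lines; prints 0 (and succeeds) when there are none.
spawn_log_error_count() {
    # $1 = log file
    grep -cE 'ERROR|SEVERE|Exception|Traceback' "$1" || true
}

# Triage: name the newest spawn log, show its errors, and say where to look
# next if it has none.
pki_install_triage() {
    # $1 = log directory (normally /var/log/pki)
    log=$(latest_spawn_log "$1")
    if [ -z "$log" ]; then
        echo "no pki-ca-spawn.*.log under $1" >&2
        return 1
    fi
    echo "== $log"
    if ! spawn_log_errors "$log"; then
        echo "(no error lines; read $1/pki-tomcat/catalina.out and $1/pki-tomcat/ca/debug next)"
    fi
}

# Usage on a real server:
#   pki_install_triage /var/log/pki
```

Run it as root right after a failed ipa-server-install; the line numbers let you jump straight to the first failure in the spawn log before reading the much noisier catalina.out.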
Replica Installation
Migrating from RHEL 6/CentOS 6
This indicates bug 1322059. The issue is that RHEL 6, when creating the replica file,
uses certificates from a file that was created during server installation and
potentially contains expired certificates, instead of fetching the certificates from
the database, where they are valid. This is fixed in FreeIPA 3.2+. To recover, update
the file with valid certificates, run ipa-replica-prepare again, and then retry the
replica installation:
1. Create a /root/dbpass file containing the 'internal' (not 'internaldb')
password from /etc/pki-ca/password.
2. Create a /root/dmpass file containing the Directory Manager (DM) password.
3. Run PKCS12Export:
# /usr/share/pki/scripts/restore-subsystem-user.py -v
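The two password files in the recovery steps hold secrets, so how they are created matters: the 'internal' entry must not be confused with 'internaldb', the files must not be world-readable, and the DM password should not be passed on a command line where `ps` can see it. The script below is an added example (not from the FreeIPA wiki or the project) that handles all three. It assumes /etc/pki-ca/password holds one `name=value` entry per line (for example `internal=...` and `internaldb=...`); verify the real file's layout before relying on that assumption.

```shell
#!/bin/sh
# Added example, not FreeIPA project code. Assumption: the PKI password file
# uses "name=value" lines; the DM password is read from stdin rather than
# taken as an argument so it never appears in the process list.

# Print the value of exactly one key from a name=value password file.
# The sed pattern is anchored at line start and followed by "=", so the key
# "internal" never matches the longer key "internaldb". Keys are expected to
# be plain words (no regex metacharacters).
pki_password_value() {
    # $1 = password file, $2 = key name
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Write one secret to a file readable only by its owner (mode 0600).
# umask is changed inside a subshell so the caller's umask is untouched, and a
# stale file is removed first so the restrictive mode applies even if the
# path already existed with looser permissions.
write_secret_file() {
    # $1 = destination path, $2 = secret
    (
        umask 077
        rm -f "$1"
        printf '%s\n' "$2" > "$1"
    )
}

# Prepare both files the recovery steps need.
prepare_recovery_files() {
    # $1 = PKI password file (normally /etc/pki-ca/password)
    # $2 = output directory (normally /root)
    # stdin = Directory Manager password, one line
    internal=$(pki_password_value "$1" internal)
    if [ -z "$internal" ]; then
        echo "no 'internal' entry found in $1" >&2
        return 1
    fi
    IFS= read -r dm || return 1
    write_secret_file "$2/dbpass" "$internal"
    write_secret_file "$2/dmpass" "$dm"
}

# Succeed only if the file's mode is exactly 0600 (find -perm with a bare
# mode, no leading "-" or "/", tests for an exact match).
is_mode_0600() {
    # $1 = file
    [ -n "$(find "$1" -perm 600 2>/dev/null)" ]
}

# Usage as root (type the DM password at the prompt, it is not echoed):
#   stty -echo; prepare_recovery_files /etc/pki-ca/password /root; stty echo
#   is_mode_0600 /root/dbpass && is_mode_0600 /root/dmpass && echo ok
```

Once the replica has been prepared, delete both files again (`shred -u /root/dbpass /root/dmpass`, or at least `rm -f`); they are only needed for the export step.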
Replica Installation fails with Invalid Credentials
This can happen when the ipa-replica-install command is called with --no-ntp and
the clocks of the master and the replica are not in sync. Once they are
synchronized (either manually or with NTP or chrony), ipa-replica-install should
succeed.
Client Installation
Installation breaks on decoding/downloading CA certificate
This may mean that the PKI CA certificate stored in LDAP was not properly imported
during the upgrade in some older versions.
Verify that the CA certificate is stored correctly:
$ ldapsearch -h your.ipa.server.fqdn -x -b "cn=CAcert,cn=ipa,cn=etc,dc=example,dc=test"
To re-import it, delete the stored entry and run the updater again:
# kinit admin
# ldapdelete -Y GSSAPI "cn=CAcert,cn=ipa,cn=etc,dc=example,dc=test"
# ipa-ldap-updater --upgrade
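Eyeballing the ldapsearch output is error-prone: the entry can exist and still be useless if the certificate attribute is missing. The script below is an added example (not from the FreeIPA wiki or the project) that decides mechanically whether cn=CAcert holds a certificate, and only runs the delete-and-upgrade repair when it does not, so a healthy entry is never removed. It assumes the certificate lives in the cACertificate;binary attribute, which ldapsearch prints base64-encoded after `::` and wraps onto continuation lines; the LDIF samples are constructed and the base64 is not a real certificate.

```shell
#!/bin/sh
# Added example, not FreeIPA project code. Assumption: the CA certificate is
# stored in cACertificate;binary and printed by ldapsearch as "attr:: base64".

# Read LDIF on stdin; succeed only if the CAcert entry exists AND carries a
# non-empty cACertificate value. A bare entry (attribute missing) and an
# empty or "No such object" result (entry missing) both fail, which is the
# broken state this section describes.
cacert_entry_ok() {
    awk '
        /^dn: cn=CAcert,cn=ipa,cn=etc,/     { found = 1 }
        /^cACertificate(;binary)?:: ./      { cert = 1 }
        END { exit (found && cert) ? 0 : 1 }
    '
}

# Run the check against a live server with an anonymous bind, exactly like
# the ldapsearch command in the wiki.
check_cacert_on_server() {
    # $1 = IPA server FQDN, $2 = base suffix such as dc=example,dc=test
    ldapsearch -h "$1" -x -b "cn=CAcert,cn=ipa,cn=etc,$2" | cacert_entry_ok
}

# The repair from the wiki, gated on the check: remove the stored entry and
# let ipa-ldap-updater import it again.
reimport_cacert_if_broken() {
    # $1 = IPA server FQDN, $2 = base suffix
    if check_cacert_on_server "$1" "$2"; then
        echo "CA certificate entry looks fine; nothing to do"
        return 0
    fi
    kinit admin || return 1
    ldapdelete -Y GSSAPI "cn=CAcert,cn=ipa,cn=etc,$2" || return 1
    ipa-ldap-updater --upgrade
}

# Constructed LDIF samples for offline testing (the base64 is not a real cert).
sample_ldif_good() {
    printf '%s\n' \
        'dn: cn=CAcert,cn=ipa,cn=etc,dc=example,dc=test' \
        'objectClass: pkiCA' \
        'objectClass: nsContainer' \
        'cn: CAcert' \
        'cACertificate;binary:: MIIDlTCCAn2gAwIBAgIBATANBgkqhkiG9w0BAQsFADA' \
        ' xMTAuMAYDVQQKDCdFWEFNUExFLlRFU1QxFjAUBgNVBAMMDUNlcnRpZmljYXRl' \
        '' \
        '# search result' \
        'search: 2' \
        'result: 0 Success'
}
sample_ldif_no_cert() {
    printf '%s\n' \
        'dn: cn=CAcert,cn=ipa,cn=etc,dc=example,dc=test' \
        'objectClass: pkiCA' \
        'objectClass: nsContainer' \
        'cn: CAcert' \
        '' \
        'search: 2' \
        'result: 0 Success'
}

# Usage on the server, as root:
#   reimport_cacert_if_broken ipa.example.test dc=example,dc=test
```

Because ldapsearch returns a non-zero status and no dn: line for a missing entry, the same check covers both "entry absent" and "entry present but empty" without special-casing the exit code.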
Failed to update DNS records
When a client cannot update its DNS record in a FreeIPA-managed DNS zone:
Make sure that the respective FreeIPA DNS zone has the Dynamic Updates option
enabled.
Make sure that the FreeIPA server running the DNS service has port 53 open for both
UDP and TCP (see the related user case).
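Both checks above can be scripted so they run the same way every time. The script below is an added example (not from the FreeIPA wiki or the project): one function reads `ipa dnszone-show` output and reports whether dynamic updates are enabled, the other resolves the zone's SOA against the IPA DNS server first over UDP and then over TCP, so a firewall that opened 53/udp but forgot 53/tcp shows up as a failure on the second leg. It assumes `ipa dnszone-show ZONE` prints a `Dynamic update: TRUE|FALSE` line (the sample output is constructed) and that `dig` is installed where the check runs.

```shell
#!/bin/sh
# Added example, not FreeIPA project code. Assumptions: ipa dnszone-show prints
# a "Dynamic update: TRUE|FALSE" line; dig is available on the checking host.

# Read `ipa dnszone-show` output on stdin; succeed only if dynamic updates
# are enabled for the zone.
zone_dynamic_update_enabled() {
    grep -qiE '^[[:space:]]*Dynamic update:[[:space:]]*TRUE[[:space:]]*$'
}

# Check a live zone. If this reports the option is off, enable it with
#   ipa dnszone-mod ZONE --dynamic-update=TRUE
check_zone_dynamic_update() {
    # $1 = zone name
    ipa dnszone-show "$1" | zone_dynamic_update_enabled
}

# Resolve the zone's SOA over UDP and then over TCP against the IPA DNS
# server. Failing only on the TCP leg is the classic symptom of a firewall
# that opened 53/udp but not 53/tcp; nsupdate falls back to TCP for messages
# that do not fit in a UDP datagram, so clients then fail to update.
dns_port53_both_transports() {
    # $1 = IPA DNS server, $2 = zone
    dig @"$1" +notcp +time=2 +tries=1 +short SOA "$2" | grep -q . \
        || { echo "UDP/53 to $1 failed" >&2; return 1; }
    dig @"$1" +tcp +time=2 +tries=1 +short SOA "$2" | grep -q . \
        || { echo "TCP/53 to $1 failed" >&2; return 1; }
}

# Constructed sample of ipa dnszone-show output for offline testing.
sample_dnszone_show() {
    # $1 = TRUE or FALSE
    printf '%s\n' \
        '  Zone name: example.test.' \
        '  Active zone: TRUE' \
        '  Authoritative nameserver: ipa.example.test.' \
        "  Dynamic update: $1" \
        '  BIND update policy: grant EXAMPLE.TEST krb5-self * A; grant EXAMPLE.TEST krb5-self * AAAA;'
}

# Usage (after kinit, on a host with the ipa client tools):
#   check_zone_dynamic_update example.test && echo "dynamic updates on"
#   dns_port53_both_transports ipa.example.test example.test && echo "53/udp and 53/tcp reachable"
```

Run the transport check from the client that fails to update, not from the server itself, since the firewall in question sits between the two.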