Product SiteDocumentation Site

6.10. Troubleshooting Host Problems

6.10.1. Certificate Not Found/Serial Number Not Found Errors

The FreeIPA information is stored in a separate LDAP directory than the certificate information, and these two LDAP databases are replicated separately. It is possible for a replication agreement to be broken for one directory and working for another, which can cause problems with managing clients.
Specifically, if the replication agreement between the two CA databases is broken, then a server may not be able to find certificate information about a valid FreeIPA client, causing certificate errors:
Certificate operation cannot be completed: EXCEPTION (Certificate serial number 0x2d not found)
For example, a FreeIPA server and replica have a function replication agreement between their FreeIPA databases, but the replication agreement between their CA databases is broken. If a host is created on the server, the host entry is replicated over to the replica — but the certificate for that host is not replicated. The replica is aware of the client, but any management operations for that client will fail because the replica doesn't have a copy of its certificate.

6.10.2. Debugging Client Connection Problems

Client connection problems are apparent immediately. This can mean that users cannot log into a machine or attempts to access user and group information fails (for example, getent passwd admin).
Authentication in FreeIPA is managed with the SSSD daemon, which is described in the Red Hat Enterprise Linux Deployment Guide. If there are problems with client authentication, then check the SSSD information.
First, check the SSSD logs in /var/log/sssd/. There is a specific log file for the DNS domain, such as sssd_example.com.log. If there is not enough information in the logs at the default logging level, then increase the log level.
To increase the log level:
  1. Open the sssd.conf file.
    vim /etc/sssd/sssd.conf
  2. In the [domain/example.com] section, set debug_level.
    debug_level = 9
  3. Restart the sssd daemon.
    service sssd restart
  4. Check the /var/log/sssd/sssd_example.com.log file for the debug messages.