This page contains troubleshooting advice for the FreeIPA administration framework and Web UI. For other issues, refer to the index at Troubleshooting.

Administration Framework#

Privilege Separation#

Starting with FreeIPA 4.5, management framework runs in separate processes and uses GSS-Proxy to obtain Kerberos credentials. Privilege Separation page describes this setup in detail, including how to debug privilege separation related issues.

ipa command returns Internal Server Error#

  • See /var/log/httpd/error_log for traceback and potentially for more related information

ipa command crashes or returns no data#

  • Try running the command with verbose output and see what exactly is being sent to the server:

    ipa -vv user-show admin

  • Try enabling debug level on server and see if there is useful information:

    • Add debug=True to [global] section of /etc/ipa/default.conf or /etc/ipa/server.conf and reload httpd service

    • Run the command again

Web UI#

Cannot authenticate to Web UI—————————

  • Make sure that the user can authenticate in CLI, e.g. with kinit $USER

  • Make sure that httpd, dirsrv and ipa_memcached services on the affected FreeIPA server are running.

  • Make sure there are no related SELinux AVCs

  • Make sure that cookies are enabled on the client browser

  • Make sure that the time on the FreeIPA server is up to date and there is no (significant) clock skew (freeipa-users thread)

  • Search for any related errors in /var/log/httpd/error_log

Browser shows ERR_CERT_COMMON_NAME_INVALID - missing Subject Alternative Name extension in certificate#

For more details see Fraser’s blog post Implications of Common Name deprecation for Dogtag and FreeIPA.

A certificate which is used for web needs to include Subject Alternative Name extension. If cert was issued without this extension then it needs to be renewed to include the extension in following way:

  • Use getcert list to find the REQUEST-ID to use; it will be the certificate in NSSDB /etc/httpd/alias with nickname Server-Cert.

  • Use getcert resubmit -i REQUEST-ID -D DNS-NAME to request a new HTTP certificate with the appropriate DNS-NAME Subject Alt Name value(s).