This page contains troubleshooting advice for the FreeIPA administration framework and Web UI. For other issues, refer to the index at Troubleshooting.
Starting with FreeIPA 4.5, management framework runs in separate processes and uses GSS-Proxy to obtain Kerberos credentials. Privilege Separation page describes this setup in detail, including how to debug privilege separation related issues.
ipa command returns Internal Server Error#
/var/log/httpd/error_logfor traceback and potentially for more related information
ipa command crashes or returns no data#
Try running the command with verbose output and see what exactly is being sent to the server:
ipa -vv user-show admin
Try enabling debug level on server and see if there is useful information:
Run the command again
Cannot authenticate to Web UI—————————
Make sure that the user can authenticate in CLI, e.g. with
Make sure that
ipa_memcachedservices on the affected FreeIPA server are running.
Make sure there are no related SELinux AVCs
Make sure that cookies are enabled on the client browser
Make sure that the time on the FreeIPA server is up to date and there is no (significant) clock skew (freeipa-users thread)
Search for any related errors in
Browser shows ERR_CERT_COMMON_NAME_INVALID - missing Subject Alternative Name extension in certificate#
For more details see Fraser’s blog post Implications of Common Name deprecation for Dogtag and FreeIPA.
A certificate which is used for web needs to include Subject Alternative Name extension. If cert was issued without this extension then it needs to be renewed to include the extension in following way:
getcert listto find the REQUEST-ID to use; it will be the certificate in NSSDB
getcert resubmit -i REQUEST-ID -D DNS-NAMEto request a new HTTP certificate with the appropriate DNS-NAME Subject Alt Name value(s).