Language and Page Formatting Options
Appendix A. Troubleshooting: General Guidelines
This appendix describes general steps for determining the root cause of a problem, for example by querying logs and service statuses.
For lists of specific problems and their solutions, see Appendix B, Troubleshooting: Solutions to Specific Problems.
What were you doing when you encountered the problem?
If you know which specific area of IdM is causing the problem, follow these links:
If this guide does not help you find and fix the problem and you proceed to file a customer case, include any notable error output that you determined using these troubleshooting procedures in the case report. See also Contacting Red Hat Technical Support.
A.1. Investigating Failures when Executing the
- Add the
-v) option to the command. This displays debug information.
- Add the
-vvoption to the command. This displays the JSON response and request.
Figure A.1, “The architecture of executing the ipa cert-show command” shows which components interact when the user uses the IdM command-line utility. Querying these components can help you investigate where the problem occurred and what caused it.
- Use the following utilities:
For details on using these utilities, see their man pages.
hostto check the DNS resolution of the IdM server or client
pingto check if the IdM server is available
iptablesto check the current firewall configuration on the IdM server
dateto check the current time
ncto try to connect to the required ports, as listed in Section 2.1.6, “Port Requirements”
- Set the
KRB5_TRACEenvironment variable to the
/dev/stdoutfile to send trace-logging output to
$ KRB5_TRACE=/dev/stdout ipa cert-findReview the Kerberos key distribution center (KDC) log:
- Review the Apache error log:
Run the command with the
- Enable debug level on the server: Open the
/etc/ipa/server.conffile, and add the
debug=Trueoption to the
- Restart the
# systemctl restart httpd.service
- Run the command that failed again.
- Review the
httpderror log on the server:
-vvvoption to display the HTTP request and response.
- Review the Apache access log:
/var/log/httpd/access_log.Review the logs for the Certificate System component:
- Use the # journalctl -u firstname.lastname@example.org command to review the
- Review the Directory Server access log:
Figure A.1. The architecture of executing the ipa cert-show command
- See Section C.2, “Identity Management Log Files and Directories” for descriptions of various Identity Management log files.