Appendix A. Troubleshooting: General Guidelines
A.1. Investigating Failures when Executing the
- Add the
-v) option to the command. This displays debug information.
- Add the
-vvoption to the command. This displays the JSON response and request.
ipa cert-showcommand” shows which components interact when the user uses the IdM command-line utility. Querying these components can help you investigate where the problem occurred and what caused it.
- Use the following utilities:
For details on using these utilities, see their man pages.
hostto check the DNS resolution of the IdM server or client
pingto check if the IdM server is available
iptablesto check the current firewall configuration on the IdM server
dateto check the current time
ncto try to connect to the required ports, as listed in Section 2.1.4, “Port Requirements”
- Set the
KRB5_TRACEenvironment variable to the
/dev/stdoutfile to send trace-logging output to
$ KRB5_TRACE=/dev/stdout ipa cert-findReview the Kerberos key distribution center (KDC) log:
- Review the Apache error log:
Run the command with the
- Enable debug level on the server: Open the
/etc/ipa/server.conffile, and add the
debug=Trueoption to the
- Restart the
# systemctl restart httpd.service
- Run the command that failed again.
- Review the
httpderror log on the server:
-vvvoption to display the HTTP request and response.
- Review the Apache access log:
/var/log/httpd/access_log.Review the logs for the Certificate System component:
- Use the
# journalctl -u firstname.lastname@example.org to review the
- Review the Directory Server access log:
Figure A.1. The architecture of executing the
ipa cert-show command
- See Section C.2, “Identity Management Log Files and Directories” for descriptions of various Identity Management log files.