Re: [Freeipa-users] FreeIPA doesnt start
On Fri, Jul 01, 2016 at 09:00:03AM +0200, Andreas Ladanyi wrote: > Hi Fraser. > >>> Hi, > >>> > >>> i upgraded from Fedora 22 to 23 and now iam working with IPA 4.2 > >>> > >>> When i want to start IPA with ipactl start i run into the situation > >>> starting pki-tomcat take a long time and ipactl aborts the starting > >>> process and shutdown services. So IPA doesnt start. > >> Sounds like > >> https://www.happyassassin.net/2016/06/21/notes-on-a-couple-of-freeipa-bugs-host-group-sudo-rules-and-failure-to-start-with-recent-pki-core-on-older-upgraded-installs/ > >> > > I concur - it is likely to be the same issue. A new release of pki > > on f23 is going to happen in the next day or so. If it is the same > > issue, that will fix it. > yes it was the same issue. I could fix it. > > Andreas > Glad to hear it, Andreas. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA doesnt start
Hi Tomasz, > On Thu, Jun 30, 2016 at 02:51:02PM +0200, Andreas Ladanyi wrote: >> Hi, >> >> i upgraded from Fedora 22 to 23 and now iam working with IPA 4.2 >> >> When i want to start IPA with ipactl start i run into the situation >> starting pki-tomcat take a long time and ipactl aborts the starting >> process and shutdown services. So IPA doesnt start. > Sounds like > https://www.happyassassin.net/2016/06/21/notes-on-a-couple-of-freeipa-bugs-host-group-sudo-rules-and-failure-to-start-with-recent-pki-core-on-older-upgraded-installs/ Thank you. You are right. The not imported certificate profiles in ldap during upgrade process is the problem. I solved this issue with the information of the above link. Andreas smime.p7s Description: S/MIME Cryptographic Signature -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA doesnt start
Hi Fraser. >>> Hi, >>> >>> i upgraded from Fedora 22 to 23 and now iam working with IPA 4.2 >>> >>> When i want to start IPA with ipactl start i run into the situation >>> starting pki-tomcat take a long time and ipactl aborts the starting >>> process and shutdown services. So IPA doesnt start. >> Sounds like >> https://www.happyassassin.net/2016/06/21/notes-on-a-couple-of-freeipa-bugs-host-group-sudo-rules-and-failure-to-start-with-recent-pki-core-on-older-upgraded-installs/ >> > I concur - it is likely to be the same issue. A new release of pki > on f23 is going to happen in the next day or so. If it is the same > issue, that will fix it. yes it was the same issue. I could fix it. Andreas smime.p7s Description: S/MIME Cryptographic Signature -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA doesnt start
On Thu, Jun 30, 2016 at 03:36:22PM +0200, Tomasz Torcz wrote: > On Thu, Jun 30, 2016 at 02:51:02PM +0200, Andreas Ladanyi wrote: > > Hi, > > > > i upgraded from Fedora 22 to 23 and now iam working with IPA 4.2 > > > > When i want to start IPA with ipactl start i run into the situation > > starting pki-tomcat take a long time and ipactl aborts the starting > > process and shutdown services. So IPA doesnt start. > > Sounds like > https://www.happyassassin.net/2016/06/21/notes-on-a-couple-of-freeipa-bugs-host-group-sudo-rules-and-failure-to-start-with-recent-pki-core-on-older-upgraded-installs/ > I concur - it is likely to be the same issue. A new release of pki on f23 is going to happen in the next day or so. If it is the same issue, that will fix it. Cheers, Fraser -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA doesnt start
> > org.apache.catalina.startup.ClassLoaderFactory validateFile > WARNING: Problem with JAR file > [/var/lib/pki/pki-tomcat/lib/tomcat-servlet-3.0-api.jar], exists: > [false], canRead: [false] > org.apache.catalina.startup.ClassLoaderFactory validateFile > roblem with JAR file > [/var/lib/pki/pki-tomcat/lib/tomcat-jsp-2.2-api.jar], exists: [false], > canRead: [false] > org.apache.catalina.startup.ClassLoaderFactory validateFile > WARNING: Problem with JAR file > [/var/lib/pki/pki-tomcat/lib/tomcat7-websocket.jar], exists: [false], > canRead: [false] > org.apache.catalina.startup.ClassLoaderFactory validateFile > Problem with JAR file > [/var/lib/pki/pki-tomcat/lib/tomcat-el-2.2-api.jar], exists: [false], > canRead: [false] rpm -qa | grep tomcat tomcatjss-7.1.3-1.fc23.noarch tomcat-servlet-3.1-api-8.0.32-5.fc23.noarch tomcat-8.0.32-5.fc23.noarch tomcat-jsp-2.3-api-8.0.32-5.fc23.noarch tomcat-el-3.0-api-8.0.32-5.fc23.noarch tomcat-lib-8.0.32-5.fc23.noarch ls -la /var/lib/pki/pki-tomcat/lib/ insgesamt 20 drwxrwx---. 2 pkiuser pkiuser 4096 28. Jun 15:59 . drwxrwx---. 8 pkiuser pkiuser 4096 22. Mai 2015 .. lrwxrwxrwx. 1 pkiuser pkiuser 41 28. Jun 15:59 annotations-api.jar -> /usr/share/tomcat/lib/annotations-api.jar lrwxrwxrwx. 1 pkiuser pkiuser 38 28. Jun 15:59 catalina-ant.jar -> /usr/share/tomcat/lib/catalina-ant.jar lrwxrwxrwx. 1 pkiuser pkiuser 37 28. Jun 15:59 catalina-ha.jar -> /usr/share/tomcat/lib/catalina-ha.jar lrwxrwxrwx. 1 pkiuser pkiuser 34 28. Jun 15:59 catalina.jar -> /usr/share/tomcat/lib/catalina.jar lrwxrwxrwx. 1 pkiuser pkiuser 46 28. Jun 15:59 catalina-storeconfig.jar -> /usr/share/tomcat/lib/catalina-storeconfig.jar lrwxrwxrwx. 1 pkiuser pkiuser 41 28. Jun 15:59 catalina-tribes.jar -> /usr/share/tomcat/lib/catalina-tribes.jar lrwxrwxrwx. 1 pkiuser pkiuser 45 28. Jun 15:59 commons-collections.jar -> /usr/share/tomcat/lib/commons-collections.jar lrwxrwxrwx. 1 pkiuser pkiuser 38 28. Jun 15:59 commons-dbcp.jar -> /usr/share/tomcat/lib/commons-dbcp.jar lrwxrwxrwx. 1 pkiuser pkiuser 38 28. Jun 15:59 commons-pool.jar -> /usr/share/tomcat/lib/commons-pool.jar lrwxrwxrwx. 1 pkiuser pkiuser 35 28. Jun 15:59 jasper-el.jar -> /usr/share/tomcat/lib/jasper-el.jar lrwxrwxrwx. 1 pkiuser pkiuser 32 28. Jun 15:59 jasper.jar -> /usr/share/tomcat/lib/jasper.jar lrwxrwxrwx. 1 pkiuser pkiuser 36 28. Jun 15:59 jasper-jdt.jar -> /usr/share/tomcat/lib/jasper-jdt.jar lrwxrwxrwx. 1 pkiuser pkiuser 36 22. Mai 2015 log4j.properties -> /etc/pki/pki-tomcat/log4j.properties lrwxrwxrwx. 1 pkiuser pkiuser 43 28. Jun 15:59 tomcat7-websocket.jar -> /usr/share/tomcat/lib/tomcat7-websocket.jar lrwxrwxrwx. 1 pkiuser pkiuser 36 28. Jun 15:59 tomcat-api.jar -> /usr/share/tomcat/lib/tomcat-api.jar lrwxrwxrwx. 1 pkiuser pkiuser 39 28. Jun 15:59 tomcat-coyote.jar -> /usr/share/tomcat/lib/tomcat-coyote.jar lrwxrwxrwx. 1 pkiuser pkiuser 37 28. Jun 15:59 tomcat-dbcp.jar -> /usr/share/tomcat/lib/tomcat-dbcp.jar lrwxrwxrwx. 1 pkiuser pkiuser 43 28. Jun 15:59 tomcat-el-2.2-api.jar -> /usr/share/tomcat/lib/tomcat-el-2.2-api.jar lrwxrwxrwx. 1 pkiuser pkiuser 43 28. Jun 15:59 tomcat-el-3.0-api.jar -> /usr/share/tomcat/lib/tomcat-el-3.0-api.jar lrwxrwxrwx. 1 pkiuser pkiuser 40 28. Jun 15:59 tomcat-i18n-es.jar -> /usr/share/tomcat/lib/tomcat-i18n-es.jar lrwxrwxrwx. 1 pkiuser pkiuser 40 28. Jun 15:59 tomcat-i18n-fr.jar -> /usr/share/tomcat/lib/tomcat-i18n-fr.jar lrwxrwxrwx. 1 pkiuser pkiuser 40 28. Jun 15:59 tomcat-i18n-ja.jar -> /usr/share/tomcat/lib/tomcat-i18n-ja.jar lrwxrwxrwx. 1 pkiuser pkiuser 37 28. Jun 15:59 tomcat-jdbc.jar -> /usr/share/tomcat/lib/tomcat-jdbc.jar lrwxrwxrwx. 1 pkiuser pkiuser 36 28. Jun 15:59 tomcat-jni.jar -> /usr/share/tomcat/lib/tomcat-jni.jar lrwxrwxrwx. 1 pkiuser pkiuser 44 28. Jun 15:59 tomcat-jsp-2.2-api.jar -> /usr/share/tomcat/lib/tomcat-jsp-2.2-api.jar lrwxrwxrwx. 1 pkiuser pkiuser 44 28. Jun 15:59 tomcat-jsp-2.3-api.jar -> /usr/share/tomcat/lib/tomcat-jsp-2.3-api.jar lrwxrwxrwx. 1 pkiuser pkiuser 37 28. Jun 15:59 tomcat-juli.jar -> /usr/share/tomcat/lib/tomcat-juli.jar lrwxrwxrwx. 1 pkiuser pkiuser 48 28. Jun 15:59 tomcat-servlet-3.0-api.jar -> /usr/share/tomcat/lib/tomcat-servlet-3.0-api.jar lrwxrwxrwx. 1 pkiuser pkiuser 48 28. Jun 15:59 tomcat-servlet-3.1-api.jar -> /usr/share/tomcat/lib/tomcat-servlet-3.1-api.jar lrwxrwxrwx. 1 pkiuser pkiuser 37 28. Jun 15:59 tomcat-util.jar -> /usr/share/tomcat/lib/tomcat-util.jar lrwxrwxrwx. 1 pkiuser pkiuser 42 28. Jun 15:59 tomcat-util-scan.jar -> /usr/share/tomcat/lib/tomcat-util-scan.jar lrwxrwxrwx. 1 pkiuser pkiuser 42 28. Jun 15:59 tomcat-websocket.jar -> /usr/share/tomcat/lib/tomcat-websocket.jar lrwxrwxrwx. 1 pkiuser pkiuser 39 28. Jun 15:59 websocket-api.jar -> /usr/share/tomcat/lib/websocket-api.jar For example: ls -la /usr/share/tomcat/lib/tomcat-jsp-2.2-api.jar -> File is not available ls -la /usr/share/tomcat/lib/tomcat-jsp-2.3-api.jar -> File is ok. >
Re: [Freeipa-users] FreeIPA doesnt start
On Thu, Jun 30, 2016 at 02:51:02PM +0200, Andreas Ladanyi wrote: > Hi, > > i upgraded from Fedora 22 to 23 and now iam working with IPA 4.2 > > When i want to start IPA with ipactl start i run into the situation > starting pki-tomcat take a long time and ipactl aborts the starting > process and shutdown services. So IPA doesnt start. Sounds like https://www.happyassassin.net/2016/06/21/notes-on-a-couple-of-freeipa-bugs-host-group-sudo-rules-and-failure-to-start-with-recent-pki-core-on-older-upgraded-installs/ -- Tomasz Torcz"Funeral in the morning, IDE hacking xmpp: zdzich...@chrome.plin the afternoon and evening." - Alan Cox -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA doesnt start
Here are some more infos. journal -xe tells me some error: INFO: Initializing ProtocolHandler ["http-bio-8443"] Error: SSL cipher "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" not recognized by tomcatjss Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" not recognized by tomcatjss Error: SSL cipher "TLS_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss Error: SSL cipher "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss Error: SSL cipher "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss Error: SSL cipher "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" unsupported by NSS Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" unsupported by NSS .. org.apache.jasper.servlet.TldScanner scanJars INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list o ... org.apache.catalina.startup.ClassLoaderFactory validateFile WARNING: Problem with JAR file [/var/lib/pki/pki-tomcat/lib/tomcat-servlet-3.0-api.jar], exists: [false], canRead: [false] org.apache.catalina.startup.ClassLoaderFactory validateFile roblem with JAR file [/var/lib/pki/pki-tomcat/lib/tomcat-jsp-2.2-api.jar], exists: [false], canRead: [false] org.apache.catalina.startup.ClassLoaderFactory validateFile WARNING: Problem with JAR file [/var/lib/pki/pki-tomcat/lib/tomcat7-websocket.jar], exists: [false], canRead: [false] org.apache.catalina.startup.ClassLoaderFactory validateFile Problem with JAR file [/var/lib/pki/pki-tomcat/lib/tomcat-el-2.2-api.jar], exists: [false], canRead: [false] org.apache.catalina.startup.Catalina stopServer SEVERE: Could not contact localhost:8005. Tomcat may not be running. org.apache.catalina.startup.Catalina stopServer SEVERE: Catalina.stop: java.net.ConnectException: Connection refused . pki-tomcatd@pki-tomcat.service: Control process exited, code=exited status=1 > Hi, > > i upgraded from Fedora 22 to 23 and now iam working with IPA 4.2 > > When i want to start IPA with ipactl start i run into the situation > starting pki-tomcat take a long time and ipactl aborts the starting > process and shutdown services. So IPA doesnt start. > > ipactl start: > > Starting Directory Service > Starting krb5kdc Service > Starting kadmin Service > Starting ipa_memcached Service > Starting httpd Service > Starting pki-tomcatd Service > > ...hangs... > > Failed to start pki-tomcatd Service > Shutting down > Aborting ipactl > > > systemctl status shows the errors: > > ipa.service > > loaded failed failedIdentity, Policy, Audit > kadmin.service > > loaded failed failedKerberos 5 Password-changing and Administration > pki-tomcatd@pki-tomcat.service > > loaded failed failedPKI Tomcat Server pki-tomcat > > > Which logfiles are important to analyse this issue of IPA ? > > > Andreas > > > > -- Karlsruher Institut für Technologie (KIT) Fakultät für Informatik ATIS – Abteilung Technische Infrastruktur Dipl.-Ing. Andreas Ladanyi - Systemadministrator - Am Fasanengarten 5, Gebäude 50.34, Raum 013 76131 Karlsruhe Telefon: +49 721 608 - 4 3663 Fax: +49 721 608 - 4 6699 E-Mail: andreas.lada...@kit.edu www.atis.informatik.kit.edu www.kit.edu KIT - Universität des Landes Baden-Württemberg und nationales Forschungszentrum in der Helmholtz-Gemeinschaft Das KIT ist seit 2010 als familiengerechte Hochschule zertifiziert. smime.p7s Description: S/MIME Cryptographic Signature -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] FreeIPA doesnt start
Hi, i upgraded from Fedora 22 to 23 and now iam working with IPA 4.2 When i want to start IPA with ipactl start i run into the situation starting pki-tomcat take a long time and ipactl aborts the starting process and shutdown services. So IPA doesnt start. ipactl start: Starting Directory Service Starting krb5kdc Service Starting kadmin Service Starting ipa_memcached Service Starting httpd Service Starting pki-tomcatd Service ...hangs... Failed to start pki-tomcatd Service Shutting down Aborting ipactl systemctl status shows the errors: ipa.service loaded failed failedIdentity, Policy, Audit kadmin.service loaded failed failedKerberos 5 Password-changing and Administration pki-tomcatd@pki-tomcat.service loaded failed failedPKI Tomcat Server pki-tomcat Which logfiles are important to analyse this issue of IPA ? Andreas smime.p7s Description: S/MIME Cryptographic Signature -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project