Hello,

the following steps work in my cloned test scenario:

cp /var/log/pki/server/upgrade/10.2.2/1/oldfiles/var/lib/pki/pki-tomcat/conf/Catalina/localhost/ca.xml /etc/pki/pki-tomcat/Catalina/localhost/ca.xml
rsync -a /var/log/pki/server/upgrade/10.2.2/1/oldfiles/var/lib/pki/pki-tomcat/webapps/ /var/lib/pki/pki-tomcat/webapps/
ipactl start
systemctl restart certmonger

certmonger will renew certificates. In my Catalina logfile, I can find
this exception:

Jul 30, 2017 8:00:32 AM org.apache.catalina.core.StandardContext resourcesStart
SCHWERWIEGEND: Error starting static Resources
java.lang.IllegalArgumentException: Document base /usr/share/pki/server/common/webapps/pki does not exist or is not a readable directory
  at org.apache.naming.resources.FileDirContext.setDocBase(FileDirContext.java:136)
  at org.apache.catalina.core.StandardContext.resourcesStart(StandardContext.java:5197)
  at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5386)
  at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
  at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
  at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
  at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
  at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
  at java.security.AccessController.doPrivileged(Native Method)
  at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
  at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
  at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
  at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
  at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
  at java.util.concurrent.FutureTask.run(FutureTask.java:266)
  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
  at java.lang.Thread.run(Thread.java:748)

So I think something went wrong with updating FreeIPA in the past; there
must be a change from webapps/ca to webapps/pki. Which steps did I miss?

Michael


On 09.08.2017 at 19:03, Rob Crittenden wrote:
> Michael Gusek wrote:
>> Hello Rob,
>>
>> I can understand why CA won't start with expired certs. Actually my
>> system date is a day before expiring (expiring date is 30 Jul 2017,
>> system date now 29 Jul 2017), but CA won't start. How to "ensure that
>> the CA comes up"?
> Ok, well the logs I responded to were from [07/Aug/2017:14:21:41].
>
> ipactl is going to restart ntpd which would revert the time.
>
> What I'd try is:
>
> - ipactl stop
> - service ntpd stop (to be sure)
> - date <past>
> - service pki-tomcatd@pki-tomcat.service start
>
> To see if the CA came up:
>
> curl http://`hostname`:8080/ca/ee/ca/getCertChain
>
> If so then service certmonger restart
>
> rob
>
>> Michael
>>
>>
>> On 08.08.2017 at 17:40, Rob Crittenden wrote:
>>> Michael Gusek via FreeIPA-users wrote:
>>>> Hi Fraser,
>>>>
>>>> at the moment, I can't provide this logfile, I've moved that back to
>>>> have only new log lines. But a new logfile is not created? In my
>>>> old logfile I have some lines after switch to basic auth, but before
>>>> setting time to past:
>>>>
>>> The CA won't start with expired certs.
>>>
>>> I'd set the time back to the past and ensure that the CA comes up. The
>>> debug log in that case should tell you what is going on. Be sure that
>>> ntpd is stopped.
>>>
>>> Restarting certmonger should be sufficient to have it try renewal as it
>>> will see on startup that the certs need to be refreshed.
>>>
>>> rob
>>
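Rob's "date <past>" step only helps if the clock is set before every tracked certificate's expiry, and Michael's "a day before" guess is exactly the value that is easy to get wrong. The script below is an added example, not code from the thread or from FreeIPA: it parses the output of `getcert list` (a constructed sample here; the `expires:` line format is certmonger's real one), reports which certificates are already expired at a given system time, and derives the rollback date and a GNU `date -u -s` command for it (the command form is my assumption; Rob only wrote `date <past>`).

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `getcert list` output (not from the thread).
# Nicknames and dates are made up; the line layout matches certmonger.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20170101000001':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca'
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2017-07-30 07:59:58 UTC
Request ID '20170101000002':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
\tsubject: CN=OCSP Subsystem,O=EXAMPLE.TEST
\texpires: 2017-08-15 12:00:00 UTC
"""

def parse_utc(text):
    """Parse 'YYYY-MM-DD HH:MM:SS' (UTC, as certmonger prints it)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def parse_expiries(listing):
    """Map certificate nickname -> expiry datetime from getcert list output."""
    expiries, nickname = {}, None
    for line in listing.splitlines():
        line = line.strip()
        m = re.match(r"certificate: .*nickname='([^']+)'", line)
        if m:
            nickname = m.group(1)          # remember until its expires: line
            continue
        m = re.match(r"expires: (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC$", line)
        if m and nickname:
            expiries[nickname] = parse_utc(m.group(1))
            nickname = None
    return expiries

def expired_at(expiries, system_time):
    """Nicknames whose certificate is already expired at system_time."""
    return sorted(n for n, exp in expiries.items() if exp <= system_time)

def rollback_date(expiries, margin=timedelta(days=1)):
    """Latest clock value that still precedes every expiry by `margin`."""
    return min(expiries.values()) - margin

def rollback_command(expiries):
    """GNU date invocation (assumed form) that sets the clock to that value."""
    return "date -u -s '%s'" % rollback_date(expiries).strftime("%Y-%m-%d %H:%M:%S")

if __name__ == "__main__":
    exp = parse_expiries(SAMPLE_GETCERT_LIST)
    print("expired now:", expired_at(exp, datetime.utcnow()))
    print("rollback with:", rollback_command(exp))
```

Stop ntpd before running the printed command, as Rob notes, or the clock is corrected again before pki-tomcatd starts.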

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org