Kristian Petersen wrote:
I'm still struggling with this one and it seems at least partially
responsible for the UI misbehaving as we discussed in another thread.
Have you had any new insights regarding this?


I'd start with looking at /var/log/pki/pki-tomcat/ca/debug. You want to find the latest start and work down from there (rather than bottom up).

rob


On Mon, Oct 9, 2017 at 3:54 PM, Kristian Petersen <nesre...@chem.byu.edu> wrote:

    The installation is a standard RedHat IdM install with DNS, SMB, and
    CA services installed.

    The output of the ldapsearch you mentioned is:
    -bash-4.2$ ldapsearch -LLL -Y GSSAPI -b cn=ipa1.chem.byu.edu,cn=masters,cn=ipa,cn=etc,dc=chem,dc=byu,dc=edu
    SASL/GSSAPI authentication started
    SASL username: nesre...@chem.byu.edu
    SASL SSF: 56
    SASL data security layer installed.
    dn: cn=ipa1.chem.byu.edu,cn=masters,cn=ipa,cn=etc,dc=chem,dc=byu,dc=edu
    ipaMaxDomainLevel: 1
    ipaReplTopoManagedSuffix: dc=chem,dc=byu,dc=edu
    ipaReplTopoManagedSuffix: o=ipaca
    objectClass: top
    objectClass: nsContainer
    objectClass: ipaConfigObject
    objectClass: ipaSupportedDomainLevelConfig
    objectClass: ipaReplTopoManagedServer
    cn: ipa1.chem.byu.edu
    ipaMinDomainLevel: 0

    dn: cn=CA,cn=ipa1.chem.byu.edu,cn=masters,cn=ipa,cn=etc,dc=chem,dc=byu,dc=edu
    objectClass: ipaConfigObject
    objectClass: nsContainer
    objectClass: top
    ipaConfigString: enabledService
    ipaConfigString: startOrder 50
    ipaConfigString: caRenewalMaster
    cn: CA

    dn: cn=KDC,cn=ipa1.chem.byu.edu,cn=masters,cn=ipa,cn=etc,dc=chem,dc=byu,dc=edu
    objectClass: ipaConfigObject
    objectClass: nsContainer
    objectClass: top
    ipaConfigString: startOrder 10
    ipaConfigString: enabledService
    ipaConfigString: kdcProxyEnabled
    ipaConfigString: pkinitEnabled
    cn: KDC

    dn: cn=KPASSWD,cn=ipa1.chem.byu.edu,cn=masters,cn=ipa,cn=etc,dc=chem,dc=byu,dc=edu
    objectClass: ipaConfigObject
    objectClass: nsContainer
    objectClass: top
    ipaConfigString: enabledService
    ipaConfigString: startOrder 20
    cn: KPASSWD

    dn: cn=MEMCACHE,cn=ipa1.chem.byu.edu,cn=masters,cn=ipa,cn=etc,dc=chem,dc=byu,dc=edu
    objectClass: ipaConfigObject
    objectClass: nsContainer
    objectClass: top
    ipaConfigString: startOrder 39
    ipaConfigString: enabledService
    cn: MEMCACHE

    dn: cn=OTPD,cn=ipa1.chem.byu.edu,cn=masters,cn=ipa,cn=etc,dc=chem,dc=byu,dc=edu
    objectClass: ipaConfigObject
    objectClass: nsContainer
    objectClass: top
    ipaConfigString: startOrder 80
    ipaConfigString: enabledService
    cn: OTPD

    dn: cn=HTTP,cn=ipa1.chem.byu.edu,cn=masters,cn=ipa,cn=etc,dc=chem,dc=byu,dc=edu
    objectClass: ipaConfigObject
    objectClass: nsContainer
    objectClass: top
    ipaConfigString: startOrder 40
    ipaConfigString: enabledService
    cn: HTTP

    dn: cn=DNS,cn=ipa1.chem.byu.edu,cn=masters,cn=ipa,cn=etc,dc=chem,dc=byu,dc=edu
    objectClass: ipaConfigObject
    objectClass: nsContainer
    objectClass: top
    ipaConfigString: startOrder 30
    ipaConfigString: enabledService
    cn: DNS

    dn: cn=ADTRUST,cn=ipa1.chem.byu.edu,cn=masters,cn=ipa,cn=etc,dc=chem,dc=byu,dc=edu
    objectClass: ipaConfigObject
    objectClass: nsContainer
    objectClass: top
    ipaConfigString: startOrder 60
    ipaConfigString: enabledService
    cn: ADTRUST

    dn: cn=EXTID,cn=ipa1.chem.byu.edu,cn=masters,cn=ipa,cn=etc,dc=chem,dc=byu,dc=edu
    objectClass: ipaConfigObject
    objectClass: nsContainer
    objectClass: top
    ipaConfigString: startOrder 70
    ipaConfigString: enabledService
    cn: EXTID

    dn: cn=DNSKeySync,cn=ipa1.chem.byu.edu,cn=masters,cn=ipa,cn=etc,dc=chem,dc=byu,dc=edu
    objectClass: ipaConfigObject
    objectClass: nsContainer
    objectClass: top
    ipaConfigString: dnssecVersion 1
    ipaConfigString: startOrder 110
    ipaConfigString: enabledService
    cn: DNSKeySync

    dn: cn=NTP,cn=ipa1.chem.byu.edu,cn=masters,cn=ipa,cn=etc,dc=chem,dc=byu,dc=edu
    objectClass: ipaConfigObject
    objectClass: nsContainer
    objectClass: top
    ipaConfigString: startOrder 45
    ipaConfigString: enabledService
    cn: NTP

    dn: cn=KEYS,cn=ipa1.chem.byu.edu,cn=masters,cn=ipa,cn=etc,dc=chem,dc=byu,dc=edu
    objectClass: ipaConfigObject
    objectClass: nsContainer
    objectClass: top
    ipaConfigString: startOrder 41
    ipaConfigString: enabledService
    cn: KEYS

    This shows up at the bottom of the ipaupgrade.log file while
    everything before this looks OK from what I can tell:

    2017-09-27T17:18:57Z DEBUG request POST http://ipa1.chem.byu.edu:8080/ca/admin/ca/getStatus
    2017-09-27T17:18:57Z DEBUG request body ''
    2017-09-27T17:18:57Z DEBUG httplib request failed:
    Traceback (most recent call last):
      File "/usr/lib/python2.7/site-packages/ipapython/dogtag.py", line
    204, in _httplib_request
        conn.request(method, uri, body=request_body, headers=headers)
      File "/usr/lib64/python2.7/httplib.py", line 1017, in request
        self._send_request(method, url, body, headers)
      File "/usr/lib64/python2.7/httplib.py", line 1051, in _send_request
        self.endheaders(body)
      File "/usr/lib64/python2.7/httplib.py", line 1013, in endheaders
        self._send_output(message_body)
      File "/usr/lib64/python2.7/httplib.py", line 864, in _send_output
        self.send(msg)
      File "/usr/lib64/python2.7/httplib.py", line 826, in send
        self.connect()
      File "/usr/lib64/python2.7/httplib.py", line 807, in connect
        self.timeout, self.source_address)
      File "/usr/lib64/python2.7/socket.py", line 571, in create_connection
        raise err
    error: [Errno 111] Connection refused
    2017-09-27T17:18:57Z DEBUG Failed to check CA status: cannot connect
    to 'http://ipa1.chem.byu.edu:8080/ca/admin/ca/getStatus': [Errno 111]
    Connection refused
    2017-09-27T17:18:57Z DEBUG Ensuring that service
    pki-tomcatd@pki-tomcat is not running while the next set of commands
    is being executed.
    2017-09-27T17:18:57Z DEBUG Starting external process
    2017-09-27T17:18:57Z DEBUG args=/bin/systemctl is-active
    pki-tomcatd@pki-tomcat.service
    2017-09-27T17:18:57Z DEBUG Process finished, return code=3
    2017-09-27T17:18:57Z DEBUG stdout=failed

    2017-09-27T17:18:57Z DEBUG stderr=
    2017-09-27T17:18:57Z DEBUG Service pki-tomcatd@pki-tomcat is not
    running, continue.
    2017-09-27T17:18:57Z DEBUG Starting external process
    2017-09-27T17:18:57Z DEBUG args=/bin/systemctl is-active
    pki-tomcatd@pki-tomcat.service
    2017-09-27T17:18:57Z DEBUG Process finished, return code=3
    2017-09-27T17:18:57Z DEBUG stdout=failed

    2017-09-27T17:18:57Z DEBUG stderr=
    2017-09-27T17:18:57Z INFO [Migrate CRL publish directory]
    2017-09-27T17:18:57Z DEBUG Loading StateFile from
    '/var/lib/ipa/sysupgrade/sysupgrade.state'
    2017-09-27T17:18:57Z INFO CRL tree already moved
    2017-09-27T17:18:57Z INFO [Verifying that CA proxy configuration is
    correct]
    2017-09-27T17:18:57Z DEBUG Loading StateFile from
    '/var/lib/ipa/sysrestore/sysrestore.state'
    2017-09-27T17:18:57Z DEBUG Proxy configuration up-to-date
    2017-09-27T17:18:57Z DEBUG Starting external process
    2017-09-27T17:18:57Z DEBUG args=/bin/systemctl start
    pki-tomcatd@pki-tomcat.service
    2017-09-27T17:18:57Z DEBUG Process finished, return code=1
    2017-09-27T17:18:57Z DEBUG stdout=
    2017-09-27T17:18:57Z DEBUG stderr=Job for
    pki-tomcatd@pki-tomcat.service failed because the control process
    exited with error code. See "systemctl status
    pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.

    2017-09-27T17:18:57Z ERROR IPA server upgrade failed: Inspect
    /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
    2017-09-27T17:18:57Z DEBUG   File
    "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172,
    in execute
        return_value = self.run()
      File
    "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
    line 46, in run
        server.upgrade()
      File
    "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
    line 1913, in upgrade
        upgrade_configuration()
      File
    "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
    line 1652, in upgrade_configuration
        ca.start('pki-tomcat')
      File
    "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
    line 401, in start
        self.service.start(instance_name, capture_output=capture_output,
    wait=wait)
      File
    "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py",
    line 211, in start
        instance_name, capture_output=capture_output, wait=wait)
      File
    "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py",
    line 294, in start
        skip_output=not capture_output)
      File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line
    511, in run
        raise CalledProcessError(p.returncode, arg_string, str(output))

    2017-09-27T17:18:57Z DEBUG The ipa-server-upgrade command failed,
    exception: CalledProcessError: Command '/bin/systemctl start
    pki-tomcatd@pki-tomcat.service' returned non-zero exit status 1
    2017-09-27T17:18:57Z ERROR Unexpected error - see
    /var/log/ipaupgrade.log for details

    Any thoughts?  Is that URL it is requesting to get the status
    something that is a valid URL that should be responding?  I tried
    with a simple wget and also get connection refused for the response.

    On Tue, Oct 3, 2017 at 8:13 AM, Rob Crittenden <rcrit...@redhat.com> wrote:

        Kristian Petersen wrote:
        > That path does not exist.

        Ok, then you need to describe your installation, particularly what
        services are enabled.

        IPA will try to start services based on this search so seeing this
        output would be useful as well:

        $ ldapsearch -LLL -Y GSSAPI -b
        cn=`hostname`,cn=masters,cn=ipa,cn=etc,dc=example,dc=com cn

        I'd also suggest you look at /var/log/ipaupgrade.log to see if the
        upgrade was successful.

        rob

        >
        > On Tue, Oct 3, 2017 at 8:03 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
        >
        >     Kristian Petersen via FreeIPA-users wrote:
        >     > When I recently updated one of my IPA servers (it reports
        >     > 4.5.0-21.el7_4.1.2 in yum), the result was that it could start back up
        >     > because pki-tomcatd kept failing.  I was able to get it running for now
        >     > by ignoring the failure of that one service, but I haven't been able
        >     > to determine the cause.  The logs are pretty quiet on this one.  They
        >     > show the failure itself, but not information that helps me fix the problem.
        >
        >     You'll need to share what information you have. I'd start by looking at
        >     /var/log/pki/pki-tomcat/ca/debug
        >
        >     rob
        >
        >
        >
        >
        > --
        > Kristian Petersen
        > System Administrator
        > Dept. of Chemistry and Biochemistry




    --
    Kristian Petersen
    System Administrator
    Dept. of Chemistry and Biochemistry




--
Kristian Petersen
System Administrator
Dept. of Chemistry and Biochemistry
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
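
The `cn=masters` ldapsearch output quoted in this thread can be reduced to the list of enabled services in start order. This is an added example, not part of the original messages or FreeIPA's own code; the host `ipa.example.com` and the sample LDIF are constructed, and reading `startOrder` as the start sequence is an assumption based on the attribute name.

```python
# Constructed sample shaped like the thread's ldapsearch output (hypothetical host).
SAMPLE_LDIF = """\
dn: cn=CA,cn=ipa.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
ipaConfigString: enabledService
ipaConfigString: startOrder 50
cn: CA

dn: cn=KDC,cn=ipa.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
ipaConfigString: startOrder 10
ipaConfigString: enabledService
cn: KDC

dn: cn=DNSKeySync,cn=ipa.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc
 =com
ipaConfigString: startOrder 110
ipaConfigString: enabledService
cn: DNSKeySync

dn: cn=HTTP,cn=ipa.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
ipaConfigString: startOrder 40
cn: HTTP
"""

def parse_ldif(text):
    # One {attribute: [values]} dict per entry; base64 ("::") values are not decoded.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # LDIF folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if line.strip():
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip(), []).append(value.strip())
        elif current:
            entries.append(current)
            current = {}
    return entries

def service_start_order(text):
    # (startOrder, cn) for each entry carrying enabledService, lowest first.
    found = []
    for entry in parse_ldif(text):
        cfg = entry.get("ipaConfigString", [])
        orders = [int(c.split()[1]) for c in cfg if c.startswith("startOrder ")]
        if "enabledService" in cfg and orders:
            found.append((orders[0], entry["cn"][0]))
    return sorted(found)
```

In the output quoted in the thread, the CA entry carries `startOrder 50`, so every enabled service with a lower value is sequenced ahead of it.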
