On 04/04/18 09:36, Florence Blanc-Renaud wrote:
On 04/03/2018 08:37 PM, lejeczek wrote:
On 29/03/18 12:43, Florence Blanc-Renaud wrote:
On 03/28/2018 12:42 PM, lejeczek via FreeIPA-users wrote:
hi guys,
I fail to troubleshoot this here:
$ ipactl start --ignore-service-failures
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting httpd Service
Starting ipa-custodia Service
Starting ntpd Service
Starting pki-tomcatd Service
Failed to start pki-tomcatd Service
Forced start, ignoring pki-tomcatd Service, continuing
normal operation
Hi,
pki-tomcatd may fail to start when the subsystemCert
cert-pki-ca did not properly get renewed. Please find
more information in this blog:
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
Flo
Starting ipa-otpd Service
Starting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
logs in /var/log/pki/pki-tomcat:
localhost.2018-03-28.log
...
Mar 28, 2018 11:35:14 AM org.apache.catalina.core.StandardHostValve invoke
SEVERE: Exception Processing /ca/admin/ca/getStatus
javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
        at com.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:500)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:748)
in catalina.2018-03-28.log:
...
Mar 28, 2018 11:41:35 AM org.apache.catalina.core.ContainerBase backgroundProcess
WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@1e572093 background process
javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
        at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
        at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
        at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
        at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
        at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
        at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
        at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
        at java.lang.Thread.run(Thread.java:748)
Would you be able to conclude anything from those errors?
What might be a problem?
many thanks, L.
_______________________________________________
FreeIPA-users mailing list --
freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to
freeipa-users-le...@lists.fedorahosted.org
I have followed those instructions from the link and it
seems that both certutil & ldap have the same certificate.
However I also see:
$ sudo journalctl -lf -o cat -u dirsrv@
...
GSSAPI client step 1
GSSAPI client step 1
GSSAPI client step 2
[03/Apr/2018:19:30:53.962565693 +0100] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error)
[03/Apr/2018:19:30:53.965606137 +0100] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error)
GSSAPI client step 1
GSSAPI client step 1
GSSAPI client step 1
..
and in /var/log/pki/pki-tomcat/ca/debug
[03/Apr/2018:19:09:45][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
[03/Apr/2018:19:09:45][localhost-startStop-1]: Candidate cert: Server-Cert cert-pki-ca
[03/Apr/2018:19:09:45][localhost-startStop-1]: Candidate cert: caSigningCert cert-pki-ca
[03/Apr/2018:19:09:45][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null
Hi,
it looks like the subsystemCert is not picked to
authenticate to the LDAP server. Can you check if the
content of /etc/pki/pki-tomcat/ca/CS.cfg is also
consistent: this file contains an entry for
ca.subsystem.cert=MII.. that should match the cert
'subsystemCert cert-pki-ca' stored in
/etc/pki/pki-tomcat/alias/ and in LDAP.
Flo
hi
all three places:
$ /etc/pki/pki-tomcat/ca/CS.cfg
$ certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'subsystemCert cert-pki-ca' -f /etc/pki/pki-tomcat/alias/pwdfile.txt -a
$ ldapsearch -D 'cn=directory manager' -W -b uid=pkidbuser,ou=people,o=ipaca userCertificate description seeAlso
show identical certificate. More from debug log:
...
[04/Apr/2018:10:20:54][localhost-startStop-1]: ============================================
[04/Apr/2018:10:20:54][localhost-startStop-1]: ===== DEBUG SUBSYSTEM INITIALIZED =======
[04/Apr/2018:10:20:54][localhost-startStop-1]: ============================================
[04/Apr/2018:10:20:54][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[04/Apr/2018:10:20:54][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[04/Apr/2018:10:20:54][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[04/Apr/2018:10:20:54][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[04/Apr/2018:10:20:54][localhost-startStop-1]: CMSEngine: done init id=debug
[04/Apr/2018:10:20:54][localhost-startStop-1]: CMSEngine: initialized debug
[04/Apr/2018:10:20:54][localhost-startStop-1]: CMSEngine: initSubsystem id=log
[04/Apr/2018:10:20:54][localhost-startStop-1]: CMSEngine: ready to init id=log
[04/Apr/2018:10:20:54][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit)
[04/Apr/2018:10:20:54][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system)
[04/Apr/2018:10:20:54][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions)
[04/Apr/2018:10:20:54][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[04/Apr/2018:10:20:54][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[04/Apr/2018:10:20:54][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[04/Apr/2018:10:20:54][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[04/Apr/2018:10:20:54][localhost-startStop-1]: CMSEngine: done init id=log
[04/Apr/2018:10:20:54][localhost-startStop-1]: CMSEngine: initialized log
[04/Apr/2018:10:20:54][localhost-startStop-1]: CMSEngine: initSubsystem id=jss
[04/Apr/2018:10:20:54][localhost-startStop-1]: CMSEngine: ready to init id=jss
[04/Apr/2018:10:20:54][localhost-startStop-1]: JssSubsystem: initializing JSS subsystem
[04/Apr/2018:10:20:54][localhost-startStop-1]: JssSubsystem: enabled: true
[04/Apr/2018:10:20:54][localhost-startStop-1]: JssSubsystem: NSS database: /var/lib/pki/pki-tomcat/alias/
[04/Apr/2018:10:20:54][localhost-startStop-1]: JssSubsystem: initializing CryptoManager
[04/Apr/2018:10:20:54][localhost-startStop-1]: JssSubsystem: initializing SSL
[04/Apr/2018:10:20:54][localhost-startStop-1]: JssSubsystem: random:
[04/Apr/2018:10:20:54][localhost-startStop-1]: JssSubsystem: - algorithm: pkcs11prng
[04/Apr/2018:10:20:54][localhost-startStop-1]: JssSubsystem: - provider: Mozilla-JSS
[04/Apr/2018:10:20:54][localhost-startStop-1]: JssSubsystem: initialization complete
[04/Apr/2018:10:20:54][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[04/Apr/2018:10:20:54][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[04/Apr/2018:10:20:54][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[04/Apr/2018:10:20:54][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[04/Apr/2018:10:20:54][localhost-startStop-1]: CMSEngine: done init id=jss
[04/Apr/2018:10:20:54][localhost-startStop-1]: CMSEngine: initialized jss
[04/Apr/2018:10:20:54][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs
[04/Apr/2018:10:20:54][localhost-startStop-1]: CMSEngine: ready to init id=dbs
[04/Apr/2018:10:20:54][localhost-startStop-1]: DBSubsystem: init() mEnableSerialMgmt=true
[04/Apr/2018:10:20:54][localhost-startStop-1]: Creating LdapBoundConnFactor(DBSubsystem)
[04/Apr/2018:10:20:54][localhost-startStop-1]: LdapBoundConnFactory: init
[04/Apr/2018:10:20:54][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
[04/Apr/2018:10:20:54][localhost-startStop-1]: LdapAuthInfo: init()
[04/Apr/2018:10:20:54][localhost-startStop-1]: LdapAuthInfo: init begins
[04/Apr/2018:10:20:54][localhost-startStop-1]: LdapAuthInfo: init ends
[04/Apr/2018:10:20:54][localhost-startStop-1]: init: before makeConnection errorIfDown is true
[04/Apr/2018:10:20:54][localhost-startStop-1]: makeConnection: errorIfDown true
[04/Apr/2018:10:20:54][localhost-startStop-1]: TCP Keep-Alive: true
[04/Apr/2018:10:20:54][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
[04/Apr/2018:10:20:54][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
[04/Apr/2018:10:20:54][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
[04/Apr/2018:10:20:54][localhost-startStop-1]: Candidate cert: Server-Cert cert-pki-ca
[04/Apr/2018:10:20:54][localhost-startStop-1]: Candidate cert: caSigningCert cert-pki-ca
[04/Apr/2018:10:20:54][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null
[04/Apr/2018:10:20:54][localhost-startStop-1]: SSL handshake happened
Could not connect to LDAP server host ...
What's the way out of this? It's two masters IPA setup.
Is there a way to stop/start only pki without doing so to
the rest of the services?
I cannot just remove PKI from the IPA, can I?
many thanks, L.
[03/Apr/2018:19:09:45][localhost-startStop-1]: SSL handshake happened
Could not connect to LDAP server host rider.private port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
        at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
        at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
        at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
        at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1176)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1082)
        at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:572)
        at com.netscape.certsrv.apps.CMS.init(CMS.java:189)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1631)
        at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
        at javax.servlet.GenericServlet.init(GenericServlet.java:158)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
        at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1257)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1182)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1072)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5368)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5660)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
        at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
..
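Editor's note, added to this thread and not written by either participant: the three-way comparison Flo asks for (CS.cfg, the NSS database, LDAP) is easy to get subtly wrong by eye, because each source wraps or folds the base64 differently. The script below is an added example that normalises each copy of 'subsystemCert cert-pki-ca' to its DER bytes and compares SHA-256 fingerprints. The paths and the certutil/ldapsearch commands are the ones quoted in the thread; the function names, the file layout it reads from, and the sample inputs in the comments are my own assumptions. It reads files only, so the live commands are shown as comments and the outputs are fed to it afterwards. One caveat a practitioner would want: the debug log shows the selection callback asking for 'subsystemCert cert-pki-ca' but offering only Server-Cert and caSigningCert as candidates, then returning null, so no client certificate is presented and the server replies with LDAP result 48 (inappropriateAuthentication). A certificate that `certutil -L` prints is not necessarily usable for client authentication; the matching private key also has to be present in the same database under the same nickname, which `certutil -K` lists, and that check is included as a comment.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): compare the 'subsystemCert cert-pki-ca'
# certificate as recorded in CS.cfg, in the NSS database and in LDAP by
# normalising each copy to DER and hashing it. Function names are my own.
set -u

# CS.cfg stores the cert on one line: ca.subsystem.cert=MII...
cert_from_cs_cfg() {
    sed -n 's/^ca\.subsystem\.cert=//p' "$1" | tr -d ' \r\n'
}

# `certutil -L ... -a` prints PEM; keep only the base64 body between the markers.
cert_from_pem() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1" \
        | sed '/^-----/d' | tr -d ' \r\n'
}

# ldapsearch prints binary attributes as 'userCertificate:: <base64>' folded
# onto continuation lines that start with a single space; unfold the first value.
cert_from_ldif() {
    awk '
        /^userCertificate:: / || /^userCertificate;binary:: / {
            sub(/^[^:]*:: */, ""); val = $0; grab = 1; next
        }
        grab && /^ / { sub(/^ /, ""); val = val $0; next }
        grab         { print val; grab = 0 }
        END          { if (grab) print val }
    ' "$1" | tr -d ' \r\n'
}

# SHA-256 over stdin, using whichever tool the host has.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
    else shasum -a 256 | cut -d' ' -f1; fi
}

# Fingerprint of the DER encoding, so base64 wrapping differences do not matter.
# Prints nothing when no certificate was extracted.
der_sha256() {
    [ -n "$1" ] || return 0
    printf '%s' "$1" | base64 -d 2>/dev/null | sha256_hex
}

# Args: CS.cfg, PEM file from certutil, LDIF file from ldapsearch.
# Prints the three fingerprints; returns 0 only if all three agree.
compare_subsystem_cert() {
    local a b c
    a=$(der_sha256 "$(cert_from_cs_cfg "$1")")
    b=$(der_sha256 "$(cert_from_pem "$2")")
    c=$(der_sha256 "$(cert_from_ldif "$3")")
    printf 'CS.cfg : %s\nNSS DB : %s\nLDAP   : %s\n' "${a:-<none>}" "${b:-<none>}" "${c:-<none>}"
    [ -n "$a" ] && [ "$a" = "$b" ] && [ "$b" = "$c" ]
}

# On the CA host, using the paths and commands quoted in the thread:
#   certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'subsystemCert cert-pki-ca' \
#       -f /etc/pki/pki-tomcat/alias/pwdfile.txt -a > /tmp/subsystem.pem
#   ldapsearch -D 'cn=directory manager' -W -b uid=pkidbuser,ou=people,o=ipaca \
#       userCertificate > /tmp/pkidbuser.ldif
#   ./check-subsystem-cert.sh /etc/pki/pki-tomcat/ca/CS.cfg /tmp/subsystem.pem /tmp/pkidbuser.ldif
# Presence of the cert does not prove the key is usable for client auth; also list keys:
#   certutil -K -d /etc/pki/pki-tomcat/alias/ -f /etc/pki/pki-tomcat/alias/pwdfile.txt
# and confirm a key is listed under the nickname 'subsystemCert cert-pki-ca'.
if [ "$#" -eq 3 ]; then
    compare_subsystem_cert "$1" "$2" "$3"
fi
```

Matching fingerprints from all three sources only rule out the CS.cfg/NSS/LDAP mismatch the thread is checking; they do not by themselves explain why the callback did not offer the subsystem cert, which is what the `certutil -K` check is for.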