Hi Flo,
I have debug enabled in both /etc/ipa/server.conf and /etc/ipa/default.conf, and /var/log/pki/pki-tomcat/ca/debug reads:
 

[08/Aug/2018:10:12:02][localhost-startStop-1]: =====  DEBUG SUBSYSTEM INITIALIZED   =======
java.lang.Exception: Certificate ocspSigningCert cert-pki-ca is invalid: Invalid certificate: (-8181) Peer's Certificate has expired.
        at com.netscape.cmscore.cert.CertUtils.verifySystemCertByNickname(CertUtils.java:844)
        at com.netscape.cmscore.cert.CertUtils.verifySystemCertByTag(CertUtils.java:936)
        at com.netscape.cmscore.cert.CertUtils.verifySystemCerts(CertUtils.java:1053)
        at com.netscape.cmscore.apps.CMSEngine.verifySystemCerts(CMSEngine.java:1803)
        at com.netscape.certsrv.apps.CMS.verifySystemCerts(CMS.java:1402)
        at com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:193)
        at com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:858)
        at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1808)
        at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1914)
        at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1355)
        at com.netscape.certsrv.apps.CMS.startup(CMS.java:200)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1617)
        at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
        at javax.servlet.GenericServlet.init(GenericServlet.java:158)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
        at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
        at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
Caused by: java.security.cert.CertificateException: Invalid certificate: (-8181) Peer's Certificate has expired.
        at org.mozilla.jss.CryptoManager.verifyCertificateNowNative(Native Method)
        at org.mozilla.jss.CryptoManager.verifyCertificate(CryptoManager.java:1554)
        at com.netscape.cmscore.cert.CertUtils.verifySystemCertByNickname(CertUtils.java:842)
        ... 44 more
Invalid class name repositorytop
        at com.netscape.cmscore.dbs.DBRegistry.createObject(DBRegistry.java:485)
        at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:167)
        at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:137)
        at com.netscape.cmscore.dbs.Repository.getSerialNumber(Repository.java:125)
        at com.netscape.cmscore.dbs.Repository.initCache(Repository.java:244)
        at com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:460)
        at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1371)
        at com.netscape.certsrv.apps.CMS.startup(CMS.java:200)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1617)
        at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
        at javax.servlet.GenericServlet.init(GenericServlet.java:158)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
        at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
        at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
############ end of debug ##############

## I worry now that I am not making progress with cert renewal. With ntp stopped and the clock set back in time, /var/log/ipa/renew.log reads:

2018-08-07T17:12:34Z    4375    MainThread      ipa     DEBUG   Initializing principal host/ca-ldap01.domain....@domain.com using keytab /etc/krb5.keytab
2018-08-07T17:12:34Z    4375    MainThread      ipa     DEBUG   using ccache /var/run/certmonger/tmp-M09nld/ccache
2018-08-07T17:12:34Z    4375    MainThread      ipa     DEBUG   Attempt 1/1: success
2018-08-07T17:12:34Z    4375    MainThread      ipa     DEBUG   Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2018-08-07T17:12:35Z    4375    MainThread      ipa     DEBUG   Could not connect to the Directory Server on ca-ldap01.domain.com: Insufficient access:  Invalid credentials


## OKAY, so I need to enable NTPD and go back in time again; now renew.log reads:

2018-08-07T17:11:34Z    6773    MainThread      ipa     DEBUG   importing all plugin modules in ipaserver.plugins...
2018-08-07T17:11:34Z    6773    MainThread      ipa     DEBUG   ipaserver.plugins.baseldap is not a valid plugin module
2018-08-07T17:11:34Z    6773    MainThread      ipa     DEBUG   ipaserver.plugins.hbac is not a valid plugin module
2018-08-07T17:11:34Z    6773    MainThread      ipa     DEBUG   ipaserver.plugins.otp is not a valid plugin module
2018-08-07T17:11:34Z    6773    MainThread      ipa     DEBUG   Starting external process
2018-08-07T17:11:34Z    6773    MainThread      ipa     DEBUG   args=klist -V
2018-08-07T17:11:34Z    6773    MainThread      ipa     DEBUG   Process finished, return code=0
2018-08-07T17:11:34Z    6773    MainThread      ipa     DEBUG   stdout=Kerberos 5 version 1.14.1
2018-08-07T17:11:34Z    6773    MainThread      ipa     DEBUG   stderr=
2018-08-07T17:11:34Z    6773    MainThread      ipa     DEBUG   importing plugin module ipaserver.plugins.rabase
2018-08-07T17:11:34Z    6773    MainThread      ipa     DEBUG   importing plugin module ipaserver.plugins.sudo
2018-08-07T17:11:34Z    6773    MainThread      ipa     DEBUG   ipaserver.plugins.sudo is not a valid plugin module
2018-08-07T17:11:34Z    6773    MainThread      ipa     DEBUG   ipaserver.plugins.virtual is not a valid plugin module
2018-08-07T17:11:34Z    6773    MainThread      ipa     DEBUG   importing plugin module ipaserver.plugins.xmlserver
2018-08-07T17:11:35Z    6773    MainThread      ipa     DEBUG   Initializing principal host/ca-ldap01.domain....@domain.com using keytab /etc/krb5.keytab
2018-08-07T17:11:35Z    6773    MainThread      ipa     DEBUG   using ccache /var/run/certmonger/tmp-5bCOl7/ccache
2018-08-07T17:11:35Z    6773    MainThread      ipa     DEBUG   Attempt 1/1: success
2018-08-07T17:11:35Z    6773    MainThread      ipa     DEBUG   Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2018-08-07T17:11:35Z    6773    MainThread      ipa.ipapython.ipaldap.SchemaCache       DEBUG   flushing ldap://ca-ldap01.domain.com:389 from SchemaCache
2018-08-07T17:11:35Z    6773    MainThread      ipa.ipapython.ipaldap.SchemaCache       DEBUG   retrieving schema for SchemaCache url=ldap://ca-ldap01.domain.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x5a69320>
2018-08-07T17:11:36Z    6773    MainThread      ipa     DEBUG   Starting external process
2018-08-07T17:11:36Z    6773    MainThread      ipa     DEBUG   args=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit -vv
2018-08-07T17:11:36Z    6773    MainThread      ipa     DEBUG   Process finished, return code=2
2018-08-07T17:11:36Z    6773    MainThread      ipa     DEBUG   stdout=
2018-08-07T17:11:36Z    6773    MainThread      ipa     DEBUG   stderr=* About to connect() to ca-ldap01.domain.com port 8080 (#0)
*   Trying 10.211.9.58...
* Connected to ca-ldap01.domain.com (10.211.9.58) port 8080 (#0)
> GET /ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=5&renewal=true&xml=true HTTP/1.1
Host: ca-ldap01.domain.com:8080
Accept: */*

< HTTP/1.1 404 Not Found
< Server: Apache-Coyote/1.1
< Content-Type: text/html;charset=utf-8
< Content-Language: en
< Content-Length: 995
< Date: Thu, 25 Oct 2018 05:42:30 GMT
<
* Connection #0 to host ca-ldap01.domain.com left intact
GET "http://ca-ldap01.domain.com:8080/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=5&renewal=true&xml=true";
code = 0
code_text = "No error"
results = "<html><head><title>Apache Tomcat/7.0.69 - Error 
report</title><style><!--H1 
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
 H2 
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
 H3 
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
 BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} 
B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P 
{font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A
 {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> 
</head><body><h1>HTTP Status 404 - /ca/ee/ca/profileSubmit</h1><HR size="1" 
noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> 
<u>/ca/ee/ca/profileSubmit</u></p><p><b>description</b> <u>The requested 
resource is not available.</u></p><HR size="1" noshade="noshade"><h3>Apache 
Tomcat/7.0.69</h3></body
 ></html>"
Entity: line 1: parser error : Opening and ending tag mismatch: HR line 1 and 
body
able.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.69</h3></body>
                                                                               ^
Entity: line 1: parser error : Opening and ending tag mismatch: HR line 1 and 
html
Entity: line 1: parser error : Premature end of data in tag body line 1
Entity: line 1: parser error : Premature end of data in tag html line 1
Entity: line 1: parser error : Opening and ending tag mismatch: HR line 1 and 
body
able.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.69</h3></body>
                                                                               ^

## And status of certmonger service reads: 


Aug 07 10:12:45 ca-ldap01.domain.com dogtag-ipa-renew-agent-submit[6998]: GET http://ca-ldap01.domain.com:8080/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=7&renewal=true&xml=true

Aug 07 10:12:45 ca-ldap01.domain.com dogtag-ipa-renew-agent-submit[6998]: 
<html><head><title>Apache Tomcat/7.0.69 - Error report</title><style><!--H1 
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
 H2 
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
 H3 
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
 BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} 
B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P 
{font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A
 {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> 
</head><body><h1>HTTP Status 404 - /ca/ee/ca/profileSubmit</h1><HR size="1" 
noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> 
<u>/ca/ee/ca/profileSubmit</u></p><p><b>description</b> <u>The requested 
resource is not available.</u></p><HR
  size="1" noshade="noshade"><h3>Apache Tomcat/7.0.69</h3></body></html>

Aug 07 10:12:45 ca-ldap01.domain.com dogtag-ipa-ca-renew-agent-submit[6884]: dogtag-ipa-renew-agent returned 2

Thanks in advance for any suggestion on next step.


_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
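The logs in the mail above show two linked symptoms: the Dogtag startup self-test rejects an expired system certificate (NSS error -8181 on ocspSigningCert cert-pki-ca), so the CA webapp never deploys, and the certmonger renewal helper then receives a 404 for /ca/ee/ca/profileSubmit from a Tomcat that is up but not serving /ca. The triage a practitioner wants at this point is to pull every rejected nickname out of the debug log and to work out the time window in which all of the CA's system certs are simultaneously valid before touching the clock. The following Python is an added example, not code from the original mail, FreeIPA or Dogtag. The debug-log excerpt is constructed from the trace quoted above, the validity table is constructed sample data (on a real server the dates come from the Validity section of `certutil -L -d /etc/pki/pki-tomcat/alias -n "<nickname>"`), and the debug-log clock is treated as UTC; all three are assumptions of the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed excerpt modelled on the /var/log/pki/pki-tomcat/ca/debug trace quoted in the mail
# (one exception line per rejected system certificate; stack frames mostly omitted).
SAMPLE_DEBUG_LOG = """\
[08/Aug/2018:10:12:02][localhost-startStop-1]: =====  DEBUG SUBSYSTEM INITIALIZED   =======
java.lang.Exception: Certificate ocspSigningCert cert-pki-ca is invalid: Invalid certificate: (-8181) Peer's Certificate has expired.
        at com.netscape.cmscore.cert.CertUtils.verifySystemCertByNickname(CertUtils.java:844)
Caused by: java.security.cert.CertificateException: Invalid certificate: (-8181) Peer's Certificate has expired.
"""

# Constructed (notBefore, notAfter) windows, UTC, for the CA's NSS-database system certs.
# Assumption: on a real server these are read from `certutil -L -d /etc/pki/pki-tomcat/alias -n "<nickname>"`.
UTC = timezone.utc
SAMPLE_VALIDITY = {
    "caSigningCert cert-pki-ca":    (datetime(2016, 7, 1, tzinfo=UTC), datetime(2036, 7, 1, tzinfo=UTC)),
    "ocspSigningCert cert-pki-ca":  (datetime(2016, 7, 1, tzinfo=UTC), datetime(2018, 6, 21, tzinfo=UTC)),
    "subsystemCert cert-pki-ca":    (datetime(2016, 7, 1, tzinfo=UTC), datetime(2018, 6, 21, tzinfo=UTC)),
    "auditSigningCert cert-pki-ca": (datetime(2016, 7, 1, tzinfo=UTC), datetime(2018, 6, 21, tzinfo=UTC)),
    "Server-Cert cert-pki-ca":      (datetime(2016, 7, 1, tzinfo=UTC), datetime(2018, 6, 21, tzinfo=UTC)),
}

# Matches "Certificate <nick> is invalid: Invalid certificate: (<NSS error>) <reason>" as the self-test logs it.
INVALID_CERT_RE = re.compile(
    r"Certificate (?P<nick>.+?) is invalid: Invalid certificate: "
    r"\((?P<code>-?\d+)\) (?P<reason>[^\n]+)"
)
# Matches the "[dd/Mon/yyyy:HH:MM:SS]" prefix Dogtag puts on debug-log lines.
DEBUG_TS_RE = re.compile(r"^\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2})\]", re.M)


def find_invalid_system_certs(log_text):
    """Every system cert the startup self-test rejected, as (nickname, NSS error code, reason)."""
    return [(m.group("nick"), int(m.group("code")), m.group("reason").rstrip("."))
            for m in INVALID_CERT_RE.finditer(log_text)]


def debug_log_time(log_text):
    """Time of the self-test run, from the first debug-log timestamp (assumed to be UTC here)."""
    m = DEBUG_TS_RE.search(log_text)
    if m is None:
        return None
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S").replace(tzinfo=UTC)


def classify_certs(validity, now):
    """Nicknames that are already expired, and nicknames not yet valid, at time `now`."""
    expired = sorted(n for n, (_, not_after) in validity.items() if not_after < now)
    not_yet = sorted(n for n, (not_before, _) in validity.items() if not_before > now)
    return expired, not_yet


def common_validity_window(validity, margin=timedelta(days=1)):
    """Interval in which every cert in the table is valid, shrunk by `margin` at both ends.
    Returns None when the windows do not overlap, i.e. no clock setting satisfies all of them."""
    start = max(not_before for not_before, _ in validity.values()) + margin
    end = min(not_after for _, not_after in validity.values()) - margin
    return (start, end) if start < end else None


def renewal_clock_advice(validity, now):
    """One-line summary: is `now` inside the common window, and if not, where must the clock be?"""
    window = common_validity_window(validity)
    if window is None:
        return "no common validity window; a clock change alone cannot make all system certs valid"
    start, end = window
    if start <= now <= end:
        return "clock is inside the common validity window; renewal can be attempted"
    return "set the clock between %s and %s (e.g. %s) before starting the CA" % (
        start.date(), end.date(), (end - timedelta(days=7)).date())


if __name__ == "__main__":
    now = debug_log_time(SAMPLE_DEBUG_LOG)
    for nick, code, reason in find_invalid_system_certs(SAMPLE_DEBUG_LOG):
        print("self-test rejected %r: NSS %d, %s" % (nick, code, reason))
    expired, not_yet = classify_certs(SAMPLE_VALIDITY, now)
    print("expired at %s: %s" % (now.isoformat(), ", ".join(expired) or "none"))
    print("not yet valid: %s" % (", ".join(not_yet) or "none"))
    print(renewal_clock_advice(SAMPLE_VALIDITY, now))
```

The margin on the common window matters: the renewal helper authenticates to the CA with the subsystem and agent certificates and the CA in turn validates them with NSS, so a clock set on the exact boundary of one cert's notAfter still fails the check. With the constructed table the advice is to set the clock between 2016-07-02 and 2018-06-20; on a live server the same logic should be fed the real Validity dates, and the `Invalid credentials` seen against the Directory Server while ntp was stopped is the other reason to keep the chosen time inside every window.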
