On 17/09/2021 16:28, Rob Crittenden via FreeIPA-users wrote:
Dirk Silkenbäumer via FreeIPA-users wrote:
According to a different thread "tomcat pre-9.0.31.0 uses 'requiredSecret'
and afterward uses 'secret'."
https://tomcat.apache.org/migration-9.html#Tomcat_9.0.x_noteable_changes

I am running my FreeIPA server on CentOS 8 Stream which uses tomcat 9.0.30. My
uninformed guess is the last FreeIPA update from 4.9.3 to 4.9.6 configured "secret" only
and not "requiredSecret" which "broke" the config for the tomcat
version used. Hope this helps.
I can confirm this behavior. After update from 4.9.3 to 4.9.6 on CentOS 8 Stream I 
had two entries in <Connector ... /> - 'requiredSecret' with the correct 
password and 'secret' with wrong password.
Thanks for pointing me to the right direction!
Hmm, not good. Any chance you have an old set of config files you can
pass me out-of-band, with the passwords obfuscated obviously, so I can
see what went wrong with the upgrade process?
I see in: /etc/pki/pki-tomcat/server.xml

    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="localhost4" name="Connector1" secret="a...some_Btdh" requiredSecret="b...some_W2yFo"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="localhost6" name="Connector2" secret="a...some_Btdh" requiredSecret="b...some_W2yFo"/>

and in my: /etc/httpd/conf.d/ipa-pki-proxy.conf
all 'secret' entries are
secret=a...some_Btdh

just to have it cleared - both 'secret' & 'requiredSecret' must be present in '/etc/pki/pki-tomcat/server.xml' ?

ps. with applied fix, though original error(s) is gone I still get:
-> $ ipa-healthcheck
Internal error testing KRA clone. KRA clone problem detected  Host: c8kubermaster2.private.lot Port: 443
[
  {
    "source": "pki.server.healthcheck.clones.connectivity_and_data",
    "check": "ClonesConnectivyAndDataCheck",
    "result": "ERROR",
    "uuid": "da1224dc-9caf-49f7-9f77-fcfa2991da78",
    "when": "20210917193316Z",
    "duration": "1.646698",
    "kw": {
      "status": "ERROR:  pki-tomcat : Internal error testing KRA clone. Host: c8kubermaster2.private.lot Port: 443"
    }

can that be related?

many thanks, L.

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
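
An added example, not part of the original thread and not FreeIPA's or Dogtag's own tooling: a check for the mismatch discussed above, comparing the AJP connector attribute that the installed Tomcat honours (using the version rule quoted in the thread) against the secret= values in the httpd proxy configuration. The sample inputs, placeholder secrets and function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input modelled on the thread; secret values are placeholders.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" address="localhost4" name="Connector1" secret="PLACEHOLDER_A" requiredSecret="PLACEHOLDER_B"/>
  <Connector port="8009" protocol="AJP/1.3" address="localhost6" name="Connector2" secret="PLACEHOLDER_A" requiredSecret="PLACEHOLDER_B"/>
</Service></Server>"""
PROXY_CONF = """<LocationMatch "^/ca/ee/ca/checkRequest">
    ProxyPassMatch ajp://localhost:8009 secret=PLACEHOLDER_A
</LocationMatch>
# ProxyPassMatch ajp://localhost:8009 secret=COMMENTED_OUT
"""

def effective_attr(tomcat_version):
    """Attribute Tomcat honours, per the rule quoted in the thread (assumption)."""
    parts = tuple(int(p) for p in re.findall(r"\d+", tomcat_version)[:3])
    return "secret" if parts >= (9, 0, 31) else "requiredSecret"

def httpd_secrets(conf_text):
    """Collect secret= values from active ProxyPass* directives."""
    found = set()
    for line in map(str.strip, conf_text.splitlines()):
        if line.startswith("ProxyPass"):  # skips comments and other directives
            found.update(re.findall(r"\bsecret=(\S+)", line))
    return found

def check(server_xml, conf_text, tomcat_version):
    """Return (component, problem) findings; an empty list means consistent.
    Findings never include the secret values themselves."""
    attr = effective_attr(tomcat_version)
    proxy = httpd_secrets(conf_text)
    findings = []
    if len(proxy) != 1:
        findings.append(("httpd", f"expected one shared secret, found {len(proxy)}"))
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "").startswith("AJP"):
            continue
        name = conn.get("name", conn.get("address", "?"))
        value = conn.get(attr)
        if value is None:
            findings.append((name, f"'{attr}' is not set"))
        elif value not in proxy:
            findings.append((name, f"'{attr}' differs from httpd secret"))
    return findings

if __name__ == "__main__":
    for version in ("9.0.30", "9.0.31"):
        print(version, check(SERVER_XML, PROXY_CONF, version) or "consistent")
```

On a real host the two strings would be read from /etc/pki/pki-tomcat/server.xml and /etc/httpd/conf.d/ipa-pki-proxy.conf, the paths named in the thread.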