lejeczek via FreeIPA-users wrote:
> 
> 
> On 17/09/2021 13:35, pp via FreeIPA-users wrote:
>> Could you check if your "requiredSecret" value matches the "secret" in
>> "/etc/pki/pki-tomcat/server.xml"?
>> I had two lines where they were different and the value has to match
>> the secret in "/etc/httpd/conf.d/ipa-pki-proxy.conf". Once they all
>> matched I restarted pki-tomcatd@pki-tomcat.service and httpd and both
>> CLI and WebGUI certificate management worked again.
>> According to a different thread "tomcat pre-9.0.31.0 uses
>> 'requiredSecret' and afterward uses 'secret'."
>> I am running my FreeIPA server on CentOS 8 Stream which uses tomcat
>> 9.0.30. My uninformed guess is the last FreeIPA update from 4.9.3 to
>> 4.9.6 configured "secret" only and not "requiredSecret" which "broke"
>> the config for the tomcat version used. Hope this helps.
> I too can confirm that this is the issue and the fix worked.
> Many thanks.

The strange thing is this upgrade code has been in IPA since 4.9.0 so
it's unclear why it decided to break now, and in the way it did.

It should only change the attribute from requiredSecret to secret if
"tomcat version" reports a version >= 9.0.31.0.

Another user told me that starting pki with the requiredSecret name it
is getting renamed to secret. I'll check with the pki team to see if
they do any of their own renaming of it.

rob
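
The consistency check described in this thread, as an added example that is not part of the original messages or of FreeIPA's own upgrade code. It assumes AJP connectors in server.xml carry the secret as a `requiredSecret` or `secret` attribute and that the proxy config carries it as `secret=` on `ProxyPass`/`ProxyPassMatch` lines; the sample inputs and secret values are constructed placeholders, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs: layout assumed, secret values are placeholders.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" address="localhost4" requiredSecret="PLACEHOLDER-A"/>
  <Connector port="8009" protocol="AJP/1.3" address="localhost6" secret="PLACEHOLDER-B"/>
  <Connector port="8443" protocol="HTTP/1.1"/>
</Service></Server>"""
PROXY_CONF = """<LocationMatch "^/ca/agent">
    ProxyPassMatch ajp://localhost:8009 secret=PLACEHOLDER-A
</LocationMatch>"""

def expected_attr(tomcat_version):
    """Attribute name per the rule quoted in the thread (cut-over at 9.0.31)."""
    parts = tuple(int(p) for p in tomcat_version.split("."))
    return "secret" if parts >= (9, 0, 31) else "requiredSecret"

def ajp_secrets(server_xml):
    """Yield (address, attribute, value) for every AJP connector secret."""
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "").startswith("AJP"):
            continue
        addr = conn.get("address", "?")
        present = [a for a in ("requiredSecret", "secret") if a in conn.attrib]
        for name in present or [None]:  # None: connector has no secret at all
            yield addr, name, conn.get(name) if name else None

def proxy_secrets(proxy_conf):
    """Distinct secret= values on ProxyPass/ProxyPassMatch ajp:// lines."""
    pat = r"^[ \t]*ProxyPass(?:Match)?[ \t]+ajp://\S+.*?\bsecret=(\S+)"
    return set(re.findall(pat, proxy_conf, re.M))

def check(server_xml, proxy_conf, tomcat_version):
    """Return a list of findings; secret values are never echoed."""
    want, proxy, problems = expected_attr(tomcat_version), proxy_secrets(proxy_conf), []
    if len(proxy) != 1:
        problems.append(f"proxy conf: {len(proxy)} distinct secrets, expected 1")
    for addr, name, value in ajp_secrets(server_xml):
        if name != want:
            problems.append(f"{addr}: attribute {name!r}, Tomcat {tomcat_version} expects {want!r}")
        if value not in proxy:
            problems.append(f"{addr}: secret differs from proxy conf")
    return problems

if __name__ == "__main__":
    for line in check(SERVER_XML, PROXY_CONF, "9.0.30"):
        print(line)
```

On a real server, pass the contents of /etc/pki/pki-tomcat/server.xml and /etc/httpd/conf.d/ipa-pki-proxy.conf (both readable by root) together with the installed Tomcat version.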