Rudi Gabler via FreeIPA-users wrote:
> Hi,
>
> I've a bunch of 5 servers for my domain. One has CA on it and on any other
> the attempt to bring it up as a secondary CA replica fails with:
>
> ipa-ca-install
>
> ...
> caSigningCert cert-pki-ca CTu,Cu,Cu
> ocspSigningCert cert-pki-ca u,u,u
> subsystemCert cert-pki-ca u,u,u
>
> Installation failed:
> <html><head><title>Apache Tomcat/7.0.76 - Error report</title>
> </head><body><h1>HTTP Status 500 - javax.ws.rs.ProcessingException: Unable to
> invoke request</h1><HR size="1" noshade="noshade"><p><b>type</b>
> Exception report</p><p><b>message</b> <u>javax.ws.rs.ProcessingException:
> Unable to invoke request</u></p><p><b>description</b> <u>The server
> encountered an internal error that prevented it from fulfilling this
> request.</u></p><p><b>exception</b> <pre>org.jboss.resteasy.
> spi.UnhandledException: javax.ws.rs.ProcessingException: Unable to invoke
> request
>
> org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
>
> org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
>
> org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
>
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
>
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
>
> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
>
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
> sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>
> together with a (journalctl)
>
> Jul 17 10:24:14 kre.example.com server[21753]: CMS Warning: FAILURE: authz
> instance DirAclAuthz initialization failed and skipped, error=Property
> internaldb.ldapconn.port missing value|
> Jul 17 10:24:14 kre.example.com server[21753]: CA is started.
> Jul 17 10:24:17 server[21753]: getSystemCertProfileID tag: subsystem
> defaultName: caInternalAuthSubsystemCert keyType: null
> Jul 17 10:24:17 kre.example.com server[21753]: FATAL: SSL alert received:
> HANDSHAKE_FAILURE
>
> The pki-tomcat is the last thing started, but throws an exception.
>
> I can provide the ipareplication-install.log. For all servers the failure is
> exactly the same (without the running master of course).
>
> Software: centos 7 with
>
> pa-common-4.6.8-5.el7.centos.14.noarch
> ipa-server-trust-ad-4.6.8-5.el7.centos.14.x86_64
> ipa-client-common-4.6.8-5.el7.centos.14.noarch
> ipa-client-4.6.8-5.el7.centos.14.x86_64
> ipa-server-dns-4.6.8-5.el7.centos.14.noarch
> ipa-server-common-4.6.8-5.el7.centos.14.noarch
> ipa-server-4.6.8-5.el7.centos.14.x86_64
>
> Maybe someone has a tip for me?
>
You'd want to look at the pki-ca-spawn log and, since things partially
started, /var/log/pki/pki-tomcat/ca/debug*.log
rob
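
One way to act on the suggestion above, as an added example that is not part of the original messages: a shell function that scans the named logs (or piped journalctl output) for the failure strings quoted in the report and prints a count and the first matching line for each. The signature labels and the sample input are constructed for illustration; the sample is the journal excerpt from the report with the mail line wrapping undone.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): summarise known failure strings in
# PKI logs, e.g. triage_pki_logs /var/log/pki/pki-tomcat/ca/debug*.log

# label|fixed string. Strings are copied from the output quoted in the report;
# the labels are made up for this example.
SIGNATURES='tls_handshake_failure|SSL alert received: HANDSHAKE_FAILURE
missing_ldap_port|internaldb.ldapconn.port missing value
rest_request_failed|javax.ws.rs.ProcessingException: Unable to invoke request'

# Reads the named files (or stdin) once and prints, per signature:
# count <TAB> label <TAB> first matching line (empty if none).
triage_pki_logs() {
    cat -- "$@" | SIGS="$SIGNATURES" awk '
        BEGIN {
            n = split(ENVIRON["SIGS"], rows, "\n")
            for (i = 1; i <= n; i++) {
                p = index(rows[i], "|")
                if (p == 0) continue
                k++
                label[k] = substr(rows[i], 1, p - 1)
                pat[k] = substr(rows[i], p + 1)
            }
        }
        {
            for (i = 1; i <= k; i++)
                if (index($0, pat[i])) {
                    count[i]++
                    if (!(i in first)) first[i] = $0
                }
        }
        END {
            for (i = 1; i <= k; i++)
                printf "%d\t%s\t%s\n", count[i], label[i], first[i]
        }'
}

# Constructed sample: the journal excerpt from the report, with the mail
# client line wrapping undone.
sample_journal() {
    cat <<'EOF'
Jul 17 10:24:14 kre.example.com server[21753]: CMS Warning: FAILURE: authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value|
Jul 17 10:24:14 kre.example.com server[21753]: CA is started.
Jul 17 10:24:17 kre.example.com server[21753]: FATAL: SSL alert received: HANDSHAKE_FAILURE
EOF
}

sample_journal | triage_pki_logs
```

The first matching line carries its timestamp, so the output shows which failure appeared first and on which host.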