Hi FreeIPA Users,

I have upgraded one of my IPA replicas from 4.9.11 to 4.10.2; however, I am
struggling to get pki-tomcatd@pki-tomcat to start, both via ipactl start and
systemctl start pki-tomcatd.

My java/tomcat versions are 

Java: 
Idm-pki-java 11.4.2-1.el9
Java-11-openjdk-headless 1:11.0.22.0.7-2.el9
Java-17-openjdk-headless 1:17.0.10.0.7-2.el9  
Javapackages-filesystem 6.0.0-4.el9
Javapackages-tools 6.0.0-4.el9
Tzdata-java 2023d-1.elp

Tomcat:
Idm-tomcatjss 8.4.0-1.el9
Tomcat 1:9.0.62-37.el9_3.1
Tomcat-el-3.0-api.noarch 1:9.0.62-37.el9_3.1
Tomcat-jsp-2.3-api 1:9.0.2-37.el9_3.1
Tomcat-lib 1:9.0.62-37.el9_3.1
Tomcat-servlet-4.0-api 1:9.0.62-37.el9_3.1

When I run journalctl -xeu pki-tomcatd@pki-tomcat I see: 
Ipa-pki-wait-running: Created connection http://<servername>:8080/ca
WARNING: Some of the specified [protocols are not supported by the SSL engine 
and have been skipped: [[TLSv1, TLSv1]]
Ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host=<servername>, 
port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by 
NewConnectionError(‘<urllib3.connection.HTTPConnection object at 0x7XXXX>: 
Failed to estable a new connection: [Errno 113] No route to host’))

I’ve attempted to follow 
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
 where I see my cert is valid until 2025. 

If I run getcert list I see: 
Number of certificates and requests being tracked: 0

In /var/log/ipaupgrade.log I see: ERROR: No kra subsystem in instance
pki-tomcat

If I run pki-server subsystem-find
Subsystem ID: ca
Instance ID: pki-tomcat
Enabled: true

If I run ipa-server-upgrade it fails with the same message. 
If I run ipactl start --ignore-service-failures it tries to run the
ipa-server-upgrade.

If I run pkidestroy -i pki-tomcat -s KRA
ERROR: PKI subsystem ‘KRA’ for instance ‘/var/lib/pki-pki-tomcat’ does not exist

Is there any way to solve this error? 

Many Thanks, 
Tania
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue