Omar Pagan via FreeIPA-users wrote:
> Hello,
>
> I came back from vacation and noticed that the pki-tomcatd was not running.
> All other services are running fine, I can kinit admin and search for users,
> I can also log into the UI and see everything. When I try to start the
> service I see the following errors:
>
> Mar 11 20:44:44 ldap01.app.uaap.maxar.com ipa-pki-wait-running[7903]: ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error: for url: http://ldap01.app.uaap.maxar.com:8080/ca/admin/ca/getStat>
> Mar 11 20:44:44 ldap01.app.uaap.maxar.com systemd[1]: [email protected]: Start-post operation timed out. Stopping.
>
> I have checked all the certs and everything is in order:
>
> $ getcert list | grep expire
> expires: 2025-01-22 14:07:35 UTC
> expires: 2025-01-22 14:06:46 UTC
> expires: 2025-01-22 14:06:45 UTC
> expires: 2025-01-22 14:06:45 UTC
> expires: 2043-02-02 14:06:44 UTC
> expires: 2025-01-22 14:06:45 UTC
> expires: 2025-02-02 14:08:10 UTC
>
> I also have checked this:
>
> $ klist -ekt /etc/dirsrv/ds.keytab
> Keytab name: FILE:/etc/dirsrv/ds.keytab
> KVNO Timestamp           Principal
> ---- ------------------- ------------------------------------------------------
>    2 02/02/2023 14:06:06 ldap/[email protected] (aes256-cts-hmac-sha1-96)
>    2 02/02/2023 14:06:06 ldap/[email protected] (aes128-cts-hmac-sha1-96)
>    2 02/02/2023 14:06:06 ldap/[email protected] (aes128-cts-hmac-sha256-128)
>    2 02/02/2023 14:06:06 ldap/[email protected] (aes256-cts-hmac-sha384-192)
>    2 02/02/2023 14:06:06 ldap/[email protected] (camellia128-cts-cmac)
>    2 02/02/2023 14:06:06 ldap/[email protected] (camellia256-cts-cmac)
>
> not sure if that's correct or not. Please help, I don't see why pki-tomcatd
> would just die on me for no reason. I haven't run any updates / upgrades on
> the system and it was working fine before I left. Thanks

The keytab is unrelated.

I'd start with: ipactl status

Confirm that it isn't running. Then try ipactl start and it will try to restart it. Maybe it was reaped by the OOM killer. The journal should tell you.

If it starts then ipa cert-find --sizelimit 10 is a pretty lightweight way to confirm that it is reachable and at least sort of working.

Otherwise PKI runs as a webapp so a 404 means it wasn't loaded by tomcat. I'd suggest checking the logs in /var/log/pki. There may be something in catalina or in ca/debug-<date>. The latter most likely.

Be wary that there be dragons. PKI often charges on after hitting an error so the last one is often a red herring.

rob
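
The two log checks suggested in the reply above (OOM-killer entries in the journal, and the first rather than the last error in the PKI debug log), as an added example that is not part of the original thread or of FreeIPA's own tooling. The function names are hypothetical, and the log line formats and sample lines are constructed assumptions.

```shell
#!/bin/sh
# Added example: helpers for reading the journal and a PKI debug log.
# Function names are hypothetical; sample lines below are constructed.

# Read journal text on stdin; print "PID NAME" for each OOM-killer victim.
# Matches the kernel's "Killed process <pid> (<name>)" message.
oom_victims() {
    sed -n 's/.*Killed process \([0-9][0-9]*\) (\([^)]*\)).*/\1 \2/p'
}

# Read a debug log on stdin; print "LINENO:TEXT" for the FIRST error-looking
# line. PKI may carry on after an error, so later ones are often consequences.
# Assumption: errors are marked SEVERE or appear as Java exception names.
first_error() {
    grep -n -E 'SEVERE|Exception' | head -n 1
}

# Read a debug log on stdin; count all error-looking lines, to show how much
# follow-on noise sits behind the first one.
error_count() {
    grep -c -E 'SEVERE|Exception'
}

# Constructed journal excerpt: one OOM kill, then the start timeout.
sample_journal() { cat <<'EOF'
Jan 01 03:12:01 host kernel: Out of memory: Killed process 4121 (java) total-vm:9000000kB, anon-rss:3000000kB
Jan 01 09:44:44 host systemd[1]: Start-post operation timed out. Stopping.
EOF
}

# Constructed debug log excerpt: the root cause is line 2, the rest is fallout.
sample_debug_log() { cat <<'EOF'
2000-01-01 09:43:10 [main] INFO: (constructed) subsystem starting
2000-01-01 09:43:12 [main] SEVERE: (constructed) root-cause failure
2000-01-01 09:43:12 [main] SEVERE: (constructed) follow-on failure
java.lang.NullPointerException
EOF
}

# Demo on the constructed samples. On a real host, feed the functions with
# e.g. `journalctl -k | oom_victims` and `first_error < <debug log file>`.
sample_journal | oom_victims
sample_debug_log | first_error
```
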
