Hi,

On Fri, Apr 12, 2024 at 10:52 PM Basile Pinsard via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hi freeipa experts.
>
> I have been using FreeIPA for the past 5 years, running in a Docker
> container with no replicas.
> Currently on VERSION: 4.9.6, API_VERSION: 2.245
>
> I have the following issue, not sure what caused this: pki-tomcat service
> is not starting, and it is no longer possible to login through the web-ui.
> Auth through ldap (some websites) and through sssd on linux servers is
> still working, kerberos tickets are generated when logging with password or
> when running kinit, so critical operations are still possible.
>
> The messages in `systemctl status pki-tomcatd@pki-tomcat.service` are
> ```
> Apr 12 13:50:33 ipa.domain.com ipa-pki-wait-running[17869]:
> ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error:  for
> url: http://ipa.domain.com:8080/ca/admin/ca/getStatus
> Apr 12 13:50:34 ipa.domain.com systemd[1]: pki-tomcatd@pki-tomcat.service:
> start-post operation timed out. Terminating.
> Apr 12 13:50:34 ipa.domain.com systemd[1]: pki-tomcatd@pki-tomcat.service:
> Control process exited, code=killed, status=15/TERM
> Apr 12 13:50:34 ipa.domain.com systemd[1]: pki-tomcatd@pki-tomcat.service:
> Failed with result 'timeout'.
> Apr 12 13:50:34 ipa.domain.com systemd[1]: Failed to start PKI Tomcat
> Server pki-tomcat.
> ```
>
> journalctl gives other errors (I filtered what seems relevant).
> ```
> Apr 12 13:49:05 ipa.domain.com server[17868]: WARNING: Problem with JAR
> file [/usr/share/pki/server/common/lib/commons-collections.jar], exists:
> [false], canRead: [false]
> Apr 12 13:49:07 ipa.domain.com java[17868]: usr/lib/api/apiutil.c Could
> not open /run/lock/opencryptoki/LCK..APIlock
>
The above error was a known issue in SELinux and should have been fixed in
RHEL 8.5 (Bug 1894132 <https://bugzilla.redhat.com/show_bug.cgi?id=1894132>
- SELinux prevents 2 programs from accessing
/run/lock/opencryptoki/LCK..APIlock).

What are your exact versions of ipa, pki and selinux-policy? On which OS is
your server running?
flo

> Apr 12 13:49:18 ipa.domain.com server[17868]: SEVERE: Context [/acme]
> startup failed due to previous errors
>
> ```
>
>
> `/var/log/pki/pki-tomcat/pki/debug.2024-04-12.log`
> contains the following errors
> ```
> 2024-04-12 15:01:12 [main] SEVERE: Exception initializing random number
> generator using provider [Mozilla-JSS]
> java.security.NoSuchProviderException: no such provider: Mozilla-JSS
>         at
> java.base/sun.security.jca.GetInstance.getService(GetInstance.java:83)
>         at
> java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
> ....
> ```
>
> `/var/log/pki/pki-tomcat/ca/debug.2024-04-12.log`
> contains the following type of errors
>
> ```
> 2024-04-12 00:17:37 [main] SEVERE: Unable to start CA engine: Property
> instanceRoot missing value
> Property instanceRoot missing value
>         at
> com.netscape.cmscore.base.PropConfigStore.getString(PropConfigStore.java:297)
>         at
> com.netscape.cmscore.apps.EngineConfig.getInstanceDir(EngineConfig.java:55)
>         at
> com.netscape.cmscore.apps.CMSEngine.loadConfig(CMSEngine.java:233)
>         at com.netscape.cmscore.apps.CMSEngine.start(CMSEngine.java:1025)
> ....
>
> 2024-04-12 17:49:21 [main] SEVERE: Exception sending context initialized
> event to listener instance of class [org.dogtagpki.server.ca.CAEngine]
> java.lang.RuntimeException: Unable to start CA engine: Property
> instanceRoot missing value
>         at
> com.netscape.cmscore.apps.CMSEngine.contextInitialized(CMSEngine.java:1672)
>         at
> org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4768)
>         at
> org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5230)
> ```
>
> `getcert list` reports all entries except the caCACert as expired.
>
> I tried pretty much everything I could find on the internet (though most
> of the threads I found were never resolved).
> Tried ipa-cert-fix.
> Tried ipa-restoring a backup in a new container, same problem occurs.
>
> My guess is that an upgrade years back broke the certificate
> auto-renewal and it went undetected, and now that everything is expired
> it's failing.
>
> If you have any ideas of what to check/try I would be very grateful as I
> am losing my sanity here.
> Also, I am a bit scared of breaking what is currently working (ldap+sssd)
> and critical to our operations, so if anything can be tested on a copy of
> the data in a container that would be great.
>
> Thanks!
> --
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
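The poster's `getcert list` shows every tracked certificate except the CA certificate as expired. The following is an added example, not code from this thread or from FreeIPA/certmonger: it parses the text that `getcert list` prints and reports each tracked certificate that is expired, stuck, not in the MONITORING state, or carrying a `ca-error`. The sample output, the error text and the reference clock are constructed to resemble the state described above; the NSS database location and nicknames follow the defaults a FreeIPA CA uses.

```python
"""Triage `getcert list` output for expired or stuck certmonger requests.

Added example, not from the thread or from FreeIPA/certmonger. Real getcert
output indents fields with tabs; the parser strips either tabs or spaces.
"""
import re
import sys
from datetime import datetime, timezone

# Constructed sample: two expired CA subsystem certs (one with certmonger
# unable to reach the CA) and a CA signing cert that is still valid.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20190405120000':
    status: CA_UNREACHABLE
    ca-error: Server at https://ipa.domain.com:8443/ca/agent/ca/profileProcess failed
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=DOMAIN.COM
    subject: CN=CA Audit,O=DOMAIN.COM
    expires: 2023-03-01 10:00:00 UTC
    track: yes
    auto-renew: yes
Request ID '20190405120001':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=DOMAIN.COM
    subject: CN=ipa.domain.com,O=DOMAIN.COM
    expires: 2023-06-15 08:30:00 UTC
    track: yes
    auto-renew: yes
Request ID '20190405120002':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=DOMAIN.COM
    subject: CN=Certificate Authority,O=DOMAIN.COM
    expires: 2039-04-05 12:00:00 UTC
    track: yes
    auto-renew: yes
"""

# Constructed reference clock: the date of the poster's journal entries.
REFERENCE_NOW = datetime(2024, 4, 12, 13, 50, tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Split getcert output into one dict of 'field: value' pairs per request."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Request ID '"):
            current = {"request_id": line.split("'")[1]}
            entries.append(current)
        elif current is not None and raw[:1] in (" ", "\t") and ":" in line:
            key, _, value = line.partition(":")  # split on the first colon only
            current[key.strip()] = value.strip()
    return entries


def nickname_of(entry):
    """NSS nickname from the 'certificate:' field, else the request ID."""
    match = re.search(r"nickname='([^']*)'", entry.get("certificate", ""))
    return match.group(1) if match else entry["request_id"]


def parse_expiry(value):
    """certmonger prints 'expires: YYYY-MM-DD HH:MM:SS UTC'; None if absent."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def triage(entries, now):
    """Map nickname -> list of problems; healthy certificates are omitted."""
    findings = {}
    for entry in entries:
        problems = []
        expires = parse_expiry(entry.get("expires"))
        if expires is not None and expires <= now:
            problems.append("expired %s" % expires.date().isoformat())
        if entry.get("status", "MONITORING") != "MONITORING":
            problems.append("status=%s" % entry["status"])
        if entry.get("stuck") == "yes":
            problems.append("stuck")
        if entry.get("ca-error"):
            problems.append("ca-error: %s" % entry["ca-error"])
        if entry.get("auto-renew") == "no":
            problems.append("auto-renew disabled")
        if problems:
            findings[nickname_of(entry)] = problems
    return findings


def triage_text(text, now):
    return triage(parse_getcert_list(text), now)


if __name__ == "__main__":
    # On a live server, as root:  getcert list | python3 triage_getcert.py
    text = SAMPLE_GETCERT_LIST if sys.stdin.isatty() else sys.stdin.read()
    for nick, problems in sorted(triage_text(text, datetime.now(timezone.utc)).items()):
        print("%-32s %s" % (nick, "; ".join(problems)))
```

The check is read-only and uses a caller-supplied clock, so the same output can be re-triaged against a past date to see when each certificate lapsed. It reports what certmonger believes about its tracked requests, which is the relevant view here: a request that has expired while still in MONITORING with `auto-renew: yes` means certmonger never attempted or never completed the renewal, which is the scenario the poster suspects.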