hi,
digging further, the tomcat service does not start because of this
error:
server[48368]: org.xml.sax.SAXParseException; systemId:
file:/var/lib/pki/pki-tomcat/conf/server.xml; lineNumber: 86; columnNumber:
861; Error at line [86] column [861]: [Cannot invoke "Object.getClass()"
because the return value of
"org.apache.catalina.connector.Connector.getProtocolHandler()" is null]
If I check the server.xml, there is no column 861 in line 86, the last char
is 860
<Connector name="Secure" port="8443"
protocol="org.dogtagpki.jss.tomcat.Http11NioProtocol" SSLEnabled="true"
sslImplementationName="org.dogtagpki.jss.tomcat.JSSImplementation"
scheme="https" secure="true" connectionTimeout="80000"
keepAliveTimeout="300000" maxHttpHeaderSize="8192" acceptCount="100"
maxThreads="150" minSpareThreads="25" enableLookups="false"
disableUploadTimeout="true" enableOCSP="false" ocspResponderURL="http://kdc.sub.domain.tld:8080/ca/ocsp"
ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
ocspCacheSize="1000" ocspMinCacheEntryDuration="7200"
ocspMaxCacheEntryDuration="14400" ocspTimeout="10"
serverCertNickFile="/var/lib/pki/pki-tomcat/conf/serverCertNick.conf"
passwordFile="/var/lib/pki/pki-tomcat/conf/password.conf"
passwordClass="org.dogtagpki.jss.tomcat.PlainPasswordFile"
certdbDir="/var/lib/pki/pki-tomcat/alias">
This line looks similar (replacing the ocsp url) to other ipa ca servers I
manage, so I do not know where this is coming from.
If I run this as root it starts but apparently not well enough, because
then the ExecStartPost command /usr/libexec/ipa/ipa-pki-wait-running fails
with a 404
# /usr/libexec/ipa/ipa-pki-wait-running
pki.client: /usr/libexec/ipa/ipa-pki-wait-running:61: The subsystem in
PKIConnection.__init__() has been deprecated (
https://github.com/dogtagpki/pki/wiki/PKI-10.8-Python-Changes).
ipa-pki-wait-running: Created connection http://kdc.sub.domain.tld:8080/ca
ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error: for
url: http://kdc.sub.domain.tld:8080/ca/admin/ca/getStatus
Any clues?
Regards,
Natxo
On Wed, May 29, 2024 at 4:06 PM Natxo Asenjo <[email protected]> wrote:
>
> On Wed, May 29, 2024 at 3:03 PM Rob Crittenden <[email protected]>
> wrote:
>
>> Since it starts directly as root perhaps check for SELinux AVCs? Maybe a
>> relabel would help (or try permissive to catch the full set).
>>
>> rob
>
> unfortunately selinux was already in permissive mode and no recent avcs:
> # ausearch -m avc -ts recent
> <no matches>
>
> The latest avc is from a few days ago regarding the ipa_custodia which we
> do not use.
>
> I did a restorecon -rv / and it corrected some labels, but no difference
> so far.
>
--
Groeten,
natxo
--
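Added diagnostic, not from the thread or from FreeIPA/Dogtag: Tomcat's Connector instantiates the class named in `protocol` by reflection, and a null `getProtocolHandler()` usually means that class could not be loaded (the column in the error is just where the element ends), so the first thing to verify is that the referenced classes are actually present in the jars Tomcat loads. The Python check below parses the Connector attributes and reports which classes are absent from the jars handed to it; the sample jar contents are constructed, with the protocol class deliberately left out.

```python
"""Diagnostic for a Tomcat Connector whose protocol handler comes back null:
confirm the classes named in server.xml exist in the jars Tomcat loads.
Assumed helper, not from IPA or Dogtag; sample jar contents are constructed."""
import io
import xml.etree.ElementTree as ET
import zipfile

# Connector attributes whose values are fully qualified Java class names.
CLASS_ATTRS = ("protocol", "sslImplementationName", "passwordClass")

def connector_classes(server_xml_text):
    """Map each Connector (by name, else port) to the class names it references."""
    root = ET.fromstring(server_xml_text)
    result = {}
    for conn in root.iter("Connector"):
        key = conn.get("name") or conn.get("port")
        result[key] = [conn.get(a) for a in CLASS_ATTRS if conn.get(a)]
    return result

def find_missing(class_names, jars):
    """Return the class names that have no .class entry in any of the open jars."""
    entries = set()
    for jar in jars:
        entries.update(jar.namelist())
    return [c for c in class_names if c.replace(".", "/") + ".class" not in entries]

def build_jar(class_names):
    """Build an in-memory jar holding empty .class entries (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for c in class_names:
            zf.writestr(c.replace(".", "/") + ".class", b"")
    buf.seek(0)
    return zipfile.ZipFile(buf)

# Constructed sample: the class-bearing attributes of the connector from the post.
SAMPLE_XML = """<Server><Service>
<Connector name="Secure" port="8443"
  protocol="org.dogtagpki.jss.tomcat.Http11NioProtocol" SSLEnabled="true"
  sslImplementationName="org.dogtagpki.jss.tomcat.JSSImplementation"
  passwordClass="org.dogtagpki.jss.tomcat.PlainPasswordFile"/>
</Service></Server>"""

def sample_report(present=("org.dogtagpki.jss.tomcat.JSSImplementation",
                           "org.dogtagpki.jss.tomcat.PlainPasswordFile")):
    """Check the sample against a jar that lacks the protocol class."""
    classes = connector_classes(SAMPLE_XML)
    return {k: find_missing(v, [build_jar(present)]) for k, v in classes.items()}
```

On a real host, pass `zipfile.ZipFile(path)` for each jar on the pki-tomcat classpath to `find_missing`; a class that lives only in a jar the service user cannot read shows the same symptom as a missing one, which is worth checking when the service starts as root but not under systemd.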
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]