What version of dogtag-jss and dogtag-tomcat-jss are you running? I wonder if there is some requirement that it be in sync with the rest of the dogtag packages.
rob

Natxo Asenjo wrote:
> hi,
>
> digging further, the tomcat service does not start because of this
> error:
>
> server[48368]: org.xml.sax.SAXParseException; systemId:
> file:/var/lib/pki/pki-tomcat/conf/server.xml; lineNumber: 86;
> columnNumber: 861; Error at line [86] column [861]: [Cannot invoke
> "Object.getClass()" because the return value of
> "org.apache.catalina.connector.Connector.getProtocolHandler()" is null]
>
> If I check the server.xml, there is no column 861 in line 86, the last
> char is 860
>
> <Connector name="Secure" port="8443"
> protocol="org.dogtagpki.jss.tomcat.Http11NioProtocol" SSLEnabled="true"
> sslImplementationName="org.dogtagpki.jss.tomcat.JSSImplementation"
> scheme="https" secure="true" connectionTimeout="80000"
> keepAliveTimeout="300000" maxHttpHeaderSize="8192" acceptCount="100"
> maxThreads="150" minSpareThreads="25" enableLookups="false"
> disableUploadTimeout="true" enableOCSP="false"
> ocspResponderURL="http://kdc.sub.domain.tld:8080/ca/ocsp"
> ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
> ocspCacheSize="1000" ocspMinCacheEntryDuration="7200"
> ocspMaxCacheEntryDuration="14400" ocspTimeout="10"
> serverCertNickFile="/var/lib/pki/pki-tomcat/conf/serverCertNick.conf"
> passwordFile="/var/lib/pki/pki-tomcat/conf/password.conf"
> passwordClass="org.dogtagpki.jss.tomcat.PlainPasswordFile"
> certdbDir="/var/lib/pki/pki-tomcat/alias">
>
> This line looks similar (replacing the ocsp url) to other ipa ca
> servers I manage, so I do not know where this is coming from.
>
> If I run this as root it starts but apparently not well enough, because
> then the ExecStartPost command /usr/libexec/ipa/ipa-pki-wait-running
> fails with a 404
>
> # /usr/libexec/ipa/ipa-pki-wait-running
>
> pki.client: /usr/libexec/ipa/ipa-pki-wait-running:61: The subsystem in
> PKIConnection.__init__() has been deprecated
> (https://github.com/dogtagpki/pki/wiki/PKI-10.8-Python-Changes).
> ipa-pki-wait-running: Created connection http://kdc.sub.domain.tld:8080/ca
> ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error:
> for url: http://kdc.sub.domain.tld:8080/ca/admin/ca/getStatus
>
> Any clues?
>
> Regards,
>
> Natxo
>
> On Wed, May 29, 2024 at 4:06 PM Natxo Asenjo <[email protected]> wrote:
>
>> On Wed, May 29, 2024 at 3:03 PM Rob Crittenden <[email protected]> wrote:
>>
>>> Since it starts directly as root perhaps check for SELinux AVCs?
>>> Maybe a relabel would help (or try permissive to catch the full set).
>>>
>>> rob
>>
>> unfortunately selinux was already in permissive mode and no recent avcs:
>> # ausearch -m avc -ts recent
>> <no matches>
>>
>> The latest avc is from a few days ago regarding the ipa_custodia
>> which we do not use.
>>
>> I did a restorecon -rv / and it corrected some labels, but no
>> difference so far.
>>
>> --
>> Greetings,
>> natxo

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
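The NullPointerException quoted in the thread is raised while Tomcat is still parsing server.xml: the Connector element names `org.dogtagpki.jss.tomcat.Http11NioProtocol` as its protocol class, and when Tomcat cannot instantiate that class the connector's protocol handler stays null, so the next step that calls `getProtocolHandler().getClass()` blows up with the SAX position of the end of the `<Connector ...>` start tag (one column past the last character, hence 861 versus 860). A quick way to tell a configuration problem from a packaging problem (the version mismatch Rob asks about) is to check whether every class named in the Connector is actually present in a jar Tomcat can load. The script below is an added diagnostic example written for this thread; it is not part of FreeIPA, Dogtag, or `ipa-pki-wait-running`. The server.xml snippet and the stub jar it builds are constructed for the demonstration, and the jar directories you pass on a real host (the instance's lib directory, for example) are an assumption to adjust to your layout.

```python
#!/usr/bin/env python3
"""Check that the classes named in Tomcat Connector elements exist in jars.

Added diagnostic example for the FreeIPA-users thread; not part of
FreeIPA, Dogtag or ipa-pki-wait-running. Sample input is constructed.
"""
import os
import sys
import tempfile
import xml.etree.ElementTree as ET
import zipfile

# Connector attributes that name a Java class Tomcat must be able to load.
CLASS_ATTRS = ("protocol", "sslImplementationName", "passwordClass")

# Constructed server.xml fragment modelled on the one quoted in the thread.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector name="Unsecure" port="8080" protocol="HTTP/1.1"/>
    <Connector name="Secure" port="8443"
        protocol="org.dogtagpki.jss.tomcat.Http11NioProtocol" SSLEnabled="true"
        sslImplementationName="org.dogtagpki.jss.tomcat.JSSImplementation"
        passwordClass="org.dogtagpki.jss.tomcat.PlainPasswordFile"/>
  </Service>
</Server>
"""


def connector_classes(server_xml_text):
    """Map each Connector (by name, else port) to its class-valued attributes."""
    root = ET.fromstring(server_xml_text)
    result = {}
    for conn in root.iter("Connector"):
        key = conn.get("name") or conn.get("port") or "?"
        result[key] = {a: conn.get(a) for a in CLASS_ATTRS if conn.get(a)}
    return result


def class_in_jars(classname, jar_paths):
    """Return the first jar containing classname's .class entry, or None."""
    entry = classname.replace(".", "/") + ".class"
    for jar in jar_paths:
        with zipfile.ZipFile(jar) as zf:
            if entry in zf.namelist():
                return jar
    return None


def missing_classes(server_xml_text, jar_paths):
    """List (connector, attribute, classname) triples no jar provides.

    Values such as "HTTP/1.1" are Tomcat's built-in protocol aliases, not
    class names, so anything containing "/" is skipped.
    """
    missing = []
    for conn, attrs in connector_classes(server_xml_text).items():
        for attr, cls in attrs.items():
            if "/" in cls:
                continue
            if class_in_jars(cls, jar_paths) is None:
                missing.append((conn, attr, cls))
    return missing


def make_demo_jar(directory, class_names):
    """Write a stub jar with empty .class entries (stand-in for the real
    tomcat-jss jar; constructed for the demo only)."""
    path = os.path.join(directory, "demo-tomcat-jss.jar")
    with zipfile.ZipFile(path, "w") as zf:
        for cls in class_names:
            zf.writestr(cls.replace(".", "/") + ".class", b"")
    return path


def run_demo():
    """Simulate a jar that ships JSSImplementation but not the protocol class."""
    with tempfile.TemporaryDirectory() as d:
        jar = make_demo_jar(d, ["org.dogtagpki.jss.tomcat.JSSImplementation",
                                "org.dogtagpki.jss.tomcat.PlainPasswordFile"])
        return missing_classes(SAMPLE_SERVER_XML, [jar])


if __name__ == "__main__":
    # Usage: check_connector_classes.py /var/lib/pki/pki-tomcat/conf/server.xml LIBDIR...
    if len(sys.argv) < 3:
        print(run_demo())
        sys.exit(0)
    with open(sys.argv[1], encoding="utf-8") as fh:
        xml_text = fh.read()
    jars = [os.path.join(d, f) for d in sys.argv[2:]
            for f in sorted(os.listdir(d)) if f.endswith(".jar")]
    for conn, attr, cls in missing_classes(xml_text, jars):
        print(f"Connector {conn}: {attr}={cls} not found in any jar")
```

Run with no arguments it reports the constructed case, in which the protocol class is the one that is absent; on a real host pass the server.xml path and the jar directories Tomcat loads from. An empty report means the classes are present and the fault lies elsewhere (classpath wiring, permissions on the jar, or a jar that is present but built against a different pki version), while a non-empty one points straight at the package set that Rob's reply asks about.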
