Hi,

On Fri, Aug 30, 2024 at 11:59 AM Duarte Petiz via FreeIPA-users <[email protected]> wrote:
> Steps to reproduce:
>
> 1- Execute a docker-compose of freeipa with a clean volume (fresh install).
> 2- Wait until it boots (after 2/3 minutes) everything is ok
>
>> [root@prod-us-freeipa /]# curl http://prod-us-freeipa.example.com:8080/ca/admin/ca/getStatus
>> {
>>   "Response" : {
>>     "State" : "1",
>>     "Type" : "CA",
>>     "Status" : "running",
>>     "Version" : "11.3.0-1"
>>   }
>
> 3- Restore data (backup data only and full tested)
>
>> ipa-restore /var/lib/ipa/backup/ipa-data-2024-08-30-10-28-58/
>> Directory Manager (existing master) password:
>> Preparing restore from /var/lib/ipa/backup/ipa-data-2024-08-30-10-28-58/ on prod-us-freeipa.example.com
>> Performing DATA restore from DATA backup
>> Temporary setting umask to 022
>> Restoring data will overwrite existing live data. Continue to restore? [no]: yes
>> Each master will individually need to be re-initialized or
>> re-created from this one. The replication agreements on
>> masters running IPA 3.1 or earlier will need to be manually
>> re-enabled. See the man page for details.
>> Disabling all replication.
>> Stopping Directory Server
>> Restoring from userRoot in EXAMPLE-COM
>> Restoring from ipaca in EXAMPLE-COM
>> Starting Directory Server
>> Restoring umask to 18
>
> The ipa-restore command was successful
>
> 4- Freeipa restart
> 5- pki no more boots
>
>> [root@prod-us-freeipa pki]# curl http://prod-us-freeipa.example.com:8080/ca/admin/ca/getStatus
>> curl: (7) Failed to connect to prod-us-freeipa.example.com port 8080: Connection refused
>
> I'm getting really frustrated with this error...
> I don't have replicas so I really need to have this fixed.
> Does anyone have any ideas?
>
> cat /var/log/pki/pki-tomcat/ca/debug.2024-08-30.log
> 2024-08-30 09:48:12 [main] INFO: Shutting down CA subsystem
> 2024-08-30 09:48:12 [main] INFO: RequestSubsystem: Request subsystem stopped
> 2024-08-30 09:48:12 [main] INFO: Destroying LogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit)
> 2024-08-30 09:48:12 [main] SEVERE: Exception sending context initialized event to listener instance of class [org.dogtagpki.server.ca.CAWebListener]
> com.netscape.certsrv.base.PKIException: Unable to start CA engine: Unable to connect to LDAP server: Authentication failed
>         at com.netscape.cmscore.apps.PKIWebListener.contextInitialized(PKIWebListener.java:44)
>         at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4768)
>         at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5230)
>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>         at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:728)
>         at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:129)
>         at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:150)
>         at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:140)
>         at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
>         at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:698)
>         at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:696)
>         at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:690)
>         at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1889)
>         at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
>         at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
>         at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
>         at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:123)
>         at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:583)
>         at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:473)
>         at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1618)
>         at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:319)
>         at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
>         at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
>         at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:366)
>         at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:948)
>         at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:835)
>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>         at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1398)
>         at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1388)
>         at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
>         at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
>         at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:145)
>         at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:921)
>         at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:263)
>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>         at org.apache.catalina.core.StandardService.startInternal(StandardService.java:437)
>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>         at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:934)
>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>         at org.apache.catalina.startup.Catalina.start(Catalina.java:772)
>         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
>         at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.base/java.lang.reflect.Method.invoke(Method.java:568)
>         at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:345)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:476)
> Caused by: Unable to connect to LDAP server: Authentication failed
>         at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeNewConnection(LdapBoundConnFactory.java:321)
>         at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:278)
>         at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:262)
>         at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:224)
>         at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:193)
>         at org.dogtagpki.server.ca.CAEngine.initDatabase(CAEngine.java:192)
>         at com.netscape.cmscore.apps.CMSEngine.start(CMSEngine.java:1160)
>         at com.netscape.cmscore.apps.PKIWebListener.contextInitialized(PKIWebListener.java:39)
>         ... 45 more
> Caused by: netscape.ldap.LDAPException: Authentication failed (49)

When the PKI server starts, it tries to establish a connection to the LDAP server and authenticates with a certificate. The error 49 means invalid credentials.

You can find troubleshooting tips in https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/

flo

>         at netscape.ldap.LDAPSaslBind.checkForSASLBindCompletion(Unknown Source)
>         at netscape.ldap.LDAPSaslBind.bind(Unknown Source)
>         at netscape.ldap.LDAPSaslBind.bind(Unknown Source)
>         at netscape.ldap.LDAPConnection.authenticate(Unknown Source)
>         at netscape.ldap.LDAPConnection.authenticate(Unknown Source)
>         at netscape.ldap.LDAPConnection.checkClientAuth(Unknown Source)
>         at netscape.ldap.LDAPConnection.connect(Unknown Source)
>         at netscape.ldap.LDAPConnection.connect(Unknown Source)
>         at netscape.ldap.LDAPConnection.connect(Unknown Source)
>         at com.netscape.cmscore.ldapconn.LdapBoundConnection.<init>(LdapBoundConnection.java:108)
>         at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeNewConnection(LdapBoundConnFactory.java:303)
>         ... 52 more
>
> 2024-08-30 09:48:12 [main] INFO: Shutting down CA subsystem
> 2024-08-30 09:48:12 [main] INFO: RequestSubsystem: Request subsystem stopped
> 2024-08-30 09:48:12 [main] INFO: Destroying LogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit)
>
> On Wed, Aug 28, 2024 at 6:51 PM Rob Crittenden via FreeIPA-users <[email protected]> wrote:
>
>> Luis Correia via FreeIPA-users wrote:
>> > I looked at those logs, and saw that we're getting a lot of these:
>> > 2024-08-28 09:05:10 [main] INFO: PKISocketFactory: Creating SSL socket for <my-freeipa-hostname>:636
>> > 2024-08-28 09:05:10 [main] SEVERE: Add listener!!! org.dogtagpki.server.PKIClientSocketListener@79ac50fe
>> > 2024-08-28 09:05:10 [main] INFO: PKISocketFactory: Creating SSL socket for <my-freeipa-hostname>:636
>> > 2024-08-28 09:05:10 [main] SEVERE: Add listener!!! org.dogtagpki.server.PKIClientSocketListener@79ac50fe
>> > 2024-08-28 09:05:10 [main] INFO: PKISocketFactory: Creating SSL socket for <my-freeipa-hostname>:636
>> > 2024-08-28 09:05:10 [main] SEVERE: Add listener!!! org.dogtagpki.server.PKIClientSocketListener@79ac50fe
>> > 2024-08-28 09:05:10 [main] INFO: PKISocketFactory: Creating SSL socket for <my-freeipa-hostname>:636
>> > 2024-08-28 09:05:10 [main] SEVERE: Add listener!!! org.dogtagpki.server.PKIClientSocketListener@79ac50fe
>> > 2024-08-28 09:05:10 [main] INFO: PKISocketFactory: Creating SSL socket for <my-freeipa-hostname>:636
>> > 2024-08-28 09:05:10 [main] SEVERE: Add listener!!! org.dogtagpki.server.PKIClientSocketListener@79ac50fe
>> > 2024-08-28 09:05:10 [main] SEVERE: Exception sending context initialized event to listener instance of class [org.dogtagpki.server.ca.CAWebListener]
>> > java.lang.StackOverflowError: java.lang.StackOverflowError
>> >         at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>> >         at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77)
>> >         at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>> >         at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500)
>> >         at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:481)
>> >         at org.mozilla.jss.ssl.SocketBase.processExceptions(SocketBase.java:448)
>> >         at org.mozilla.jss.ssl.SSLSocket.forceHandshake(Native Method)
>> >         at com.netscape.cmscore.ldapconn.PKISocketFactory.makeSSLSocket(PKISocketFactory.java:240)
>> >         at com.netscape.cmscore.ldapconn.PKISocketFactory.makeSocket(PKISocketFactory.java:256)
>> >         at netscape.ldap.LDAPConnSetupMgr.connectServer(LDAPConnSetupMgr.java:525)
>> >         at netscape.ldap.LDAPConnSetupMgr.openSerial(LDAPConnSetupMgr.java:451)
>> >         at netscape.ldap.LDAPConnSetupMgr.connect(LDAPConnSetupMgr.java:290)
>> >         at netscape.ldap.LDAPConnSetupMgr.openConnection(LDAPConnSetupMgr.java:215)
>> >         at netscape.ldap.LDAPConnThread.connect(LDAPConnThread.java:136)
>> >         at netscape.ldap.LDAPConnection.connect(LDAPConnection.java:1126)
>> >         at netscape.ldap.LDAPConnection.restoreConnection(LDAPConnection.java:1905)
>> >         at netscape.ldap.LDAPConnection.sendRequest(LDAPConnection.java:1870)
>> >         at netscape.ldap.LDAPSaslBind.saslBind(LDAPSaslBind.java:276)
>> >         at netscape.ldap.LDAPSaslBind.bind(LDAPSaslBind.java:194)
>> >         at netscape.ldap.LDAPSaslBind.bind(LDAPSaslBind.java:115)
>> >         at netscape.ldap.LDAPConnection.authenticate(LDAPConnection.java:1446)
>> >         at netscape.ldap.LDAPConnection.authenticate(LDAPConnection.java:1406)
>> >         at netscape.ldap.LDAPConnection.checkClientAuth(LDAPConnection.java:1170)
>> >         at netscape.ldap.LDAPConnection.connect(LDAPConnection.java:1128)
>> >
>> > I'm not sure what it could mean though. Do you have any idea?
>> >
>>
>> There isn't really enough information. Probably need more context above
>> this. PKI tends to continue past failures so bottom-up debugging isn't
>> always fruitful. It also has some red herring warnings so it can be
>> difficult, even for experienced admins, to tell what is going on.
>>
>> It looks like it is having troubles reaching LDAP though. I guess what
>> I'd suggest is:
>>
>> ipactl start --skip-version-check --ignore-service-failures
>>
>> That should bring the services up without trying the upgrade and without
>> failing if PKI fails to start.
>>
>> Then you can try starting PKI alone to see if that makes a difference.
>>
>> And/or check on your certificates: getcert list
>>
>> And see if any are expired or expiring.
>>
>> rob
>>
>
> --
> Kind Regards
>
> Duarte Petiz
> DevOps Team Lead | jscrambler.com
>
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
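As an added example (not code from the thread, FreeIPA or Dogtag), a small Python triage helper for the debugging step discussed above: it locates the CA context-init failure in a pki-tomcat debug log, walks the "Caused by" chain to the innermost cause (Rob's point that bottom-up reading is unreliable, since the root cause is buried below many frames), and names an LDAP result code such as flo's 49. The sample logs are constructed, abbreviated from the two traces quoted in the thread; the result-code names are the standard LDAP ones.

```python
import re

# Markers shaped after the pki-tomcat debug log lines quoted in the thread.
CONTEXT_FAIL = "Exception sending context initialized event to listener"
CAUSED_BY = re.compile(r"^Caused by: (.+)$")
TIMESTAMP = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d ")   # next log record
LDAP_CODE = re.compile(r"LDAPException: .+? \((\d+)\)")
LDAP_RESULT = {49: "invalidCredentials", 32: "noSuchObject", 81: "serverDown"}

def ca_start_failure(log_text):
    """Find the first CA context-init failure and walk its exception chain.
    Returns {'exception', 'root_cause', 'ldap_code', 'ldap_result'} or None
    when the log records no such failure."""
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        if CONTEXT_FAIL not in line:
            continue
        exc = lines[i + 1].strip() if i + 1 < len(lines) else ""
        root = None
        for nxt in lines[i + 2:]:
            if TIMESTAMP.match(nxt):   # the trace ends at the next record
                break
            m = CAUSED_BY.match(nxt.strip())
            if m:                       # keep the last one: it is innermost
                root = m.group(1)
        root = root or exc
        m = LDAP_CODE.search(root)
        code = int(m.group(1)) if m else None
        return {"exception": exc, "root_cause": root,
                "ldap_code": code, "ldap_result": LDAP_RESULT.get(code)}
    return None

# Constructed samples, abbreviated from the two traces quoted in the thread.
BIND_FAIL_LOG = """\
2024-08-30 09:48:12 [main] SEVERE: Exception sending context initialized event to listener instance of class [org.dogtagpki.server.ca.CAWebListener]
com.netscape.certsrv.base.PKIException: Unable to start CA engine: Unable to connect to LDAP server: Authentication failed
\tat com.netscape.cmscore.apps.PKIWebListener.contextInitialized(PKIWebListener.java:44)
Caused by: Unable to connect to LDAP server: Authentication failed
\tat com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeNewConnection(LdapBoundConnFactory.java:321)
Caused by: netscape.ldap.LDAPException: Authentication failed (49)
\tat netscape.ldap.LDAPSaslBind.checkForSASLBindCompletion(Unknown Source)
2024-08-30 09:48:12 [main] INFO: Shutting down CA subsystem
"""
HANDSHAKE_LOG = """\
2024-08-28 09:05:10 [main] INFO: PKISocketFactory: Creating SSL socket for <my-freeipa-hostname>:636
2024-08-28 09:05:10 [main] SEVERE: Exception sending context initialized event to listener instance of class [org.dogtagpki.server.ca.CAWebListener]
java.lang.StackOverflowError: java.lang.StackOverflowError
\tat org.mozilla.jss.ssl.SSLSocket.forceHandshake(Native Method)
"""
```

On a real box, pass the contents of the debug log from the thread (for example `/var/log/pki/pki-tomcat/ca/debug.2024-08-30.log`) to `ca_start_failure()`; a result with `ldap_code` 49 points at the CA's LDAP bind rather than at connectivity.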
