Hi,
I've been attempting to install a FreeIPA replica on a RHEL 9 server,
replicating from our existing RHEL 8 servers. Despite several efforts,
the ipa-replica-install process consistently halts at the "Configuring
certificate server (pki-tomcatd)" step:
---
[31/33]: importing IPA certificate profiles
Lookup failed: Preferred host freeipa.exemple.fr does not provide CA.
[32/33]: configuring certmonger renewal for lightweight CAs
[33/33]: deploying ACME service
Done configuring certificate server (pki-tomcatd).
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
CalledProcessError(Command ['/bin/systemctl', 'start',
'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1:
'Job for pki-tomcatd@pki-tomcat.service failed because the control
process exited with error code.\nSee "systemctl status
pki-tomcatd@pki-tomcat.service" and "journalctl -xeu
pki-tomcatd@pki-tomcat.service" for details.\n')
The ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information
---
I tried to change the values I have for nsslapd-rangelookthroughlimit and
nsslapd-lookthroughlimit on the servers in version 8, but to no avail. The
ipareplica-install.log doesn't provide clear insights; it's as if we're
speaking different languages.
---
2025-07-02T15:16:51Z DEBUG Starting external process
2025-07-02T15:16:51Z DEBUG args=['/bin/systemctl', 'start',
'pki-tomcatd@pki-tomcat.service']
2025-07-02T15:18:25Z DEBUG Process finished, return code=1
2025-07-02T15:18:25Z DEBUG stdout=
2025-07-02T15:18:25Z DEBUG stderr=Job for
pki-tomcatd@pki-tomcat.service failed because the control process
exited with error code.
See "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl
-xeu pki-tomcatd@pki-tomcat.service" for details.
2025-07-02T15:18:25Z DEBUG File
"/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 219,
in execute
return_value = self.run()
File "/usr/lib/python3.9/site-packages/ipapython/install/cli.py",
line 343, in run
return cfgr.run()
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py",
line 360, in run
return self.execute()
(...)
File "/usr/lib/python3.9/site-packages/ipapython/ipautil.py", line
612, in run
raise CalledProcessError(
2025-07-02T15:18:25Z DEBUG The ipa-replica-install command failed,
exception: CalledProcessError: CalledProcessError(Command
['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned
non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed
because the control process exited with error code.\nSee "systemctl
status pki-tomcatd@pki-tomcat.service" and "journalctl -xeu
pki-tomcatd@pki-tomcat.service" for details.\n')
2025-07-02T15:18:25Z ERROR CalledProcessError(Command
['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned
non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed
because the control process exited with error code.\nSee "systemctl
status pki-tomcatd@pki-tomcat.service" and "journalctl -xeu
pki-tomcatd@pki-tomcat.service" for details.\n')
2025-07-02T15:18:25Z ERROR The ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information
---
The pki-tomcatd@pki-tomcat.service fails to start due to a timeout, and
I'm at a loss on how to proceed.
pki-tomcatd@pki-tomcat.service: Consumed 15.536s CPU time.
juil. 02 17:18:25 freeipa.exemple.fr systemd[1]: Failed to start PKI
Tomcat Server pki-tomcat.
juil. 02 17:18:25 freeipa.exemple.fr systemd[1]:
pki-tomcatd@pki-tomcat.service: Failed with result 'exit-code'.
juil. 02 17:18:25 freeipa.exemple.fr systemd[1]:
pki-tomcatd@pki-tomcat.service: Control process exited, code=exited,
status=1/FAILURE
juil. 02 17:18:25 freeipa.exemple.fr ipa-pki-wait-running[6543]:
ipa-pki-wait-running: Reached end of wait timeout 90, giving up
juil. 02 17:18:24 freeipa.exemple.fr ipa-pki-wait-running[6543]:
ipa-pki-wait-running: Connection failed:
HTTPConnectionPool(host='freeipa.exemple.fr', port=8080): >
(...)
juil. 02 17:16:55 freeipa.exemple.fr ipa-pki-wait-running[6543]:
ipa-pki-wait-running: Connection failed:
HTTPConnectionPool(host='freeipa.exemple.fr', port=8080): Read timed
out. (read timeout=1.0)
juil. 02 17:16:54 freeipa.exemple.fr server[6542]: WARNING: Tomcat
interprets the [protocols] attribute in a manner consistent with the
latest OpenSSL development branch. Some of the specified [protocols]
are not supported by the configured S>
juil. 02 17:16:53 freeipa.exemple.fr ipa-pki-wait-running[6543]:
ipa-pki-wait-running: Connection failed:
HTTPConnectionPool(host='freeipa.exemple.fr', port=8080): Max retries
exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionErr>
juil. 02 17:16:53 freeipa.exemple.fr ipa-pki-wait-running[6543]:
ipa-pki-wait-running: Created connection http://freeipa.exemple.fr:8080/ca
juil. 02 17:16:53 freeipa.exemple.fr ipa-pki-wait-running[6543]:
pki.client: /usr/libexec/ipa/ipa-pki-wait-running:61: The subsystem in
PKIConnection.__init__() has been deprecated
(https://github.com/dogtagpki/pki/wiki/PKI-10.8-Python-Change>
juil. 02 17:16:53 freeipa.exemple.fr server[6542]: WARNING: The
Security Manager is deprecated and will be removed in a future release
juil. 02 17:16:53 freeipa.exemple.fr server[6542]: WARNING: A command
line option has enabled the Security Manager
juil. 02 17:16:53 freeipa.exemple.fr server[6542]: NOTE: Picked up
JDK_JAVA_OPTIONS: --add-opens=java.base/java.lang=ALL-UNNAMED
--add-opens=java.base/java.io=ALL-UNNAMED
--add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java>
juil. 02 17:16:53 freeipa.exemple.fr server[6542]: arguments used: start
juil. 02 17:16:53 freeipa.exemple.fr server[6542]: options used:
-Dcatalina.base=/var/lib/pki/pki-tomcat
-Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs=
-Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp
-Djava.util.logging.config.file=/va>
juil. 02 17:16:53 freeipa.exemple.fr server[6542]: flags used:
-Dcom.redhat.fips=false
juil. 02 17:16:53 freeipa.exemple.fr server[6542]: main class used:
org.apache.catalina.startup.Bootstrap
juil. 02 17:16:53 freeipa.exemple.fr server[6542]: classpath used:
/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:
juil. 02 17:16:53 freeipa.exemple.fr server[6542]: Java virtual
machine used: /usr/lib/jvm/jre-17-openjdk/bin/java
juil. 02 17:16:53 freeipa.exemple.fr pki-server[6462]: AJP connector
requiredSecret: None
juil. 02 17:16:53 freeipa.exemple.fr pki-server[6462]: AJP connector
requiredSecret: None
juil. 02 17:16:53 freeipa.exemple.fr pki-server[6495]: NOTE: Picked up
JDK_JAVA_OPTIONS: --add-opens=java.base/java.lang=ALL-UNNAMED
--add-opens=java.base/java.io=ALL-UNNAMED
--add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/>
juil. 02 17:16:51 freeipa.exemple.fr systemd[1]: Starting PKI Tomcat
Server pki-tomcat..
If anyone has suggestions on successfully setting up a replica on RHEL 9
while our other servers remain on RHEL 8, I would greatly appreciate
your guidance.
Thank you in advance for your assistance.
Best regards,
Pierre
On 30/06/2025 at 09:25, Pierre Labanowski via FreeIPA-users wrote:
Hi,
In an effort to resolve the issues encountered during the replica
installation, I experimented with increasing several LDAP resource
limit parameters to see if it would improve the situation.
Specifically, I adjusted the following settings:
- nsslapd-rangelookthroughlimit
- nsslapd-lookthroughlimit
- nsslapd-timelimit
- nsbindretrylimit
- nsconcurrentbindlimit
Thank you for your assistance.
Best regards,
*Pierre Labanowski*
On 27/06/2025 at 17:43, Rob Crittenden wrote:
There is currently no way to restart an installation.
What specifically did you change in dse.ldif?