On Tue, 2014-12-09 at 23:52 +0100, chymian wrote:
> On Tuesday, 9 December 2014, 09:49:04, Ade Lee wrote:
> > On Tue, 2014-12-09 at 13:54 +0100, chymian wrote:
> > > hey people,
> > >
> > > after a successful install of ipa 4.0.5-2 on jessie, the named services started flawlessly during setup. see attached log, Installation summary (line 3107)
> > > but after reboot, it refuses to start. (did this install a couple of times, on vanilla jessie)
> > >
> > > I can reach & work with Dogtag https://ipa.eb8.lan:8443/ca, but not the admin-services on https://ipa.eb8.lan/ca/ee/ca and https://ipa.eb8.lan/ca/agent/ca.
> > >
> > > $ systemctl status pki-tomcatd@pki-tomcat.service
> > > ● pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
> > >    Loaded: loaded (/lib/systemd/system/pki-tomcatd@.service; enabled)
> > >    Active: failed (Result: resources)
> > >
> > > Dez 08 20:40:13 ipa systemd: Starting PKI Tomcat Server pki-tomcat...
> > > Dez 08 20:40:13 ipa systemd: Failed to load environment files: No such file or directory
> > > Dez 08 20:40:13 ipa systemd: pki-tomcatd@pki-tomcat.service failed to run 'start-pre' task: No such file or directory
> > > Dez 08 20:40:13 ipa systemd: Failed to start PKI Tomcat Server pki-tomcat.
> > > Dez 08 20:40:13 ipa systemd: Unit pki-tomcatd@pki-tomcat.service entered failed state.
> > >
> > Is dogtag actually running?  ps -ef |grep java
>
> it shows:
> pkiuser 676 1 0 13:25 ? 00:00:26 /usr/lib/jvm/default-java/bin/java -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -DRESTEASY_LIB=/usr/share/java/ -Djava.endorsed.dirs=/usr/share/tomcat7/endorsed -classpath /usr/share/tomcat7/bin/bootstrap.jar:/var/lib/pki/pki-tomcat/bin/tomcat-juli.jar -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat7 -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp org.apache.catalina.startup.Bootstrap start
>
> is it meant to be that the dogtag-pki package itself is not installed, just the dogtag-pki-server-theme is, and a couple of pki packages... pki-base, pki-ca, pki-server, pki-tools?

Ok, so as far as I can see, the dogtag CA is in fact up and operational. The systemctl error messages are probably a result of the systemd unit scripts not yet being used.

We clearly see that the IPA RA and Jar signing certs are issued with no problems. I do notice a few attempts to reach the agent pages which result in failed authentication. My guess is that you are trying to access these pages using the browser and are not providing the agent cert.

As you have the dogtag-pki-server-theme package installed, you should be able to reach the UI. But ..

-- If you try to access the dogtag UI pages through port 80 and 443, then you are going through the apache instance for IPA. This instance talks to Dogtag on the back-end using AJP, and has a proxy configuration file that only permits certain URL paths to go through.

-- If you want to access the Dogtag UI pages, you need to access https://host:8443/... or http://host:8080/...

To access the agent pages, you need to import the IPA RA agent certificate into your browser (and trust the CA cert). That cert/key is in the IPA HTTP certdb. You will need to extract it from there as a p12 file and import it into your browser.

Ade

> > You could try restarting it -
> > systemctl restart pki-tomcatd@pki-tomcat.service
>
> fails with same log-msg.
>
> > The logs should be found in the journal -->
> > journalctl -u pki-tomcatd@pki-tomcat.service
>
> same as above.
>
> > Other debug logs should be found under /var/log/pki/pki-tomcat/. Please provide a tar of that directory.
>
> attached
>
> > I am curious what the unit file looks like: On Fedora, it's at /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service
>
> lrwxrwxrwx 1 pkiuser pkiuser 40 Dez 8 20:22 pki-tomcatd@pki-tomcat.service -> /lib/systemd/system/pki-tomcatd@.service
>
> root@ipa /etc/systemd/system/pki-tomcatd.target.wants
> $ cat pki-tomcatd@pki-tomcat.service
> [Unit]
> Description=PKI Tomcat Server %i
> After=pki-tomcatd.target network.target
> PartOf=pki-tomcatd.target
>
> [Service]
> Type=simple
> EnvironmentFile=/etc/tomcat/tomcat.conf
> Environment="NAME=%i"
> EnvironmentFile=-/etc/default/%i
> ExecStartPre=/usr/bin/pkidaemon start %i
> ExecStart=/usr/libexec/tomcat/server start
> ExecStop=/usr/libexec/tomcat/server stop
> SuccessExitStatus=143
> User=pkiuser
> Group=pkiuser
>
> [Install]
> WantedBy=multi-user.target
>
> > which points to an EnvironmentFile /etc/tomcat/tomcat.conf. Does that file exist?
>
> there is not even a dir. /etc/tomcat/, or rather a tomcat.conf in it.
>
> this is what was installed:
>
> ii libtomcat7-java 7.0.56-1
> ii libtomcatjss-java 7.1.1-2
> ii tomcat7-common 7.0.56-1
> ii tomcat7-user 7.0.56-1
>
> and if I would install tomcat7, it would give me an /etc/tomcat7 – not a /etc/tomcat
>
> and, here on debian, there is no such dir. /usr/libexec.
> seems that the unit file is more a centos one.
>
> but:
>
> systemctl status pki-tomcatd.service
> ● pki-tomcatd.service - LSB: Start pki-tomcatd at boot time
>    Loaded: loaded (/etc/init.d/pki-tomcatd)
>    Active: active (running) since Di 2014-12-09 13:25:12 CET; 10h ago
>    CGroup: /user.slice/user-0.slice/session-5.scope/system.slice/pki-tomcatd.service
>            └─676 /usr/lib/jvm/default-java/bin/java -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.log...
>
> Dez 09 13:25:12 ipa pki-tomcatd: .
> Dez 09 13:25:12 ipa systemd: Started LSB: Start pki-tomcatd at boot time.
>
> which is started with a /etc/init.d/pki-tomcatd script, not a systemd unit file – yet.
>
> > Ade
>
> thx,
> guenter
>
> > > a second service fails to start:
> > >
> > > $ systemctl status dirsrv-snmp.service
> > > ● dirsrv-snmp.service - 389 Directory Server SNMP Subagent.
> > >    Loaded: loaded (/lib/systemd/system/dirsrv-snmp.service; enabled)
> > >    Active: failed (Result: exit-code) since Di 2014-12-09 13:25:04 CET; 5min ago
> > >   Process: 156 ExecStart=/usr/sbin/ldap-agent /etc/dirsrv/config/ldap-agent.conf (code=exited, status=1/FAILURE)
> > >
> > > Dez 09 13:25:04 ipa systemd: Starting 389 Directory Server SNMP Subagent....
> > > Dez 09 13:25:04 ipa ldap-agent: ldap-agent: No server instances defined in config file
> > > Dez 09 13:25:04 ipa systemd: dirsrv-snmp.service: control process exited, code=exited status=1
> > > Dez 09 13:25:04 ipa systemd: Failed to start 389 Directory Server SNMP Subagent..
> > > Dez 09 13:25:04 ipa systemd: Unit dirsrv-snmp.service entered failed state.
> > >
> > > except these, I was able to subscribe a jessie-client with autodiscovery right after I did configure the ipa-server, before first reboot.
> > >
> > > any help appreciated, since I do not have much experience with IPA – yet.
> > >
> > > guenter

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
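The two journal errors in the thread ("Failed to load environment files" and "failed to run 'start-pre' task") both mean that a path named in the unit's [Service] section does not exist on the Debian host, while the `-` prefix on `EnvironmentFile=-/etc/default/%i` tells systemd to ignore that one if it is missing. The following POSIX shell script is an added example, not code from the thread or from the Dogtag/FreeIPA packages: it takes a unit's text, expands `%i`, and reports each `EnvironmentFile=` and `Exec*=` path as `ok`, `optional-missing` or `MISSING`, so the failing directive can be read off before `systemctl start` is attempted. The embedded unit text is a constructed copy of the one posted in the thread; the function names and the `pki-tomcat` instance name are the example's own choices.

```shell
#!/bin/sh
# Added example, not part of the thread or of the Dogtag/FreeIPA packages.
# Checks the file paths a systemd [Service] section depends on, the way
# systemd does at start-up: EnvironmentFile= and Exec*= paths prefixed
# with '-' are optional (a missing file is ignored); an unprefixed path
# that does not exist fails the unit with "No such file or directory",
# which is what the pki-tomcatd@pki-tomcat.service journal shows.
# Only the '-' prefix is handled; systemd's other Exec prefixes (@ : + !)
# are not, which is fine for the unit discussed here.

# Constructed copy of the posted unit file, %i left in for substitution.
UNIT_TEXT='[Unit]
Description=PKI Tomcat Server %i
After=pki-tomcatd.target network.target
PartOf=pki-tomcatd.target

[Service]
Type=simple
EnvironmentFile=/etc/tomcat/tomcat.conf
Environment="NAME=%i"
EnvironmentFile=-/etc/default/%i
ExecStartPre=/usr/bin/pkidaemon start %i
ExecStart=/usr/libexec/tomcat/server start
ExecStop=/usr/libexec/tomcat/server stop
SuccessExitStatus=143
User=pkiuser
Group=pkiuser

[Install]
WantedBy=multi-user.target'

# unit_path_status VALUE
# VALUE is the right-hand side of an EnvironmentFile= or Exec*= directive.
# Prints "ok", "optional-missing" or "MISSING".
unit_path_status() {
    value=$1
    optional=0
    case $value in
        -*) optional=1; value=${value#-} ;;
    esac
    # Exec*= values are "program arg ..."; only the program path is a file.
    path=${value%% *}
    if [ -e "$path" ]; then
        echo ok
    elif [ "$optional" -eq 1 ]; then
        echo optional-missing
    else
        echo MISSING
    fi
}

# check_unit UNIT_TEXT INSTANCE
# Expands %i to INSTANCE and prints one "DIRECTIVE VALUE STATUS" line per
# file-bearing directive, in unit-file order.
check_unit() {
    printf '%s\n' "$1" | sed "s/%i/$2/g" |
    grep -E '^(EnvironmentFile|ExecStartPre|ExecStart|ExecStartPost|ExecStop|ExecStopPost)=' |
    while IFS='=' read -r key value; do
        printf '%s %s %s\n' "$key" "$value" "$(unit_path_status "$value")"
    done
}

# required_missing_count UNIT_TEXT INSTANCE
# Number of non-optional paths that do not exist; 0 means systemd would
# get past the environment-file and start-pre stages.
required_missing_count() {
    check_unit "$1" "$2" | grep -c ' MISSING$' || true
}

# Report for the thread's instance name. On a Debian box with no
# /etc/tomcat/tomcat.conf the first line reads "EnvironmentFile ... MISSING".
check_unit "$UNIT_TEXT" pki-tomcat
echo "required paths missing: $(required_missing_count "$UNIT_TEXT" pki-tomcat)"
```

To run it against the installed unit rather than the embedded copy, pass the file's contents: `check_unit "$(cat /lib/systemd/system/pki-tomcatd@.service)" pki-tomcat`. A `MISSING` line on `EnvironmentFile` corresponds to the "Failed to load environment files" error, and one on `ExecStartPre` to the failed 'start-pre' task; an `optional-missing` line is harmless, which is why the `-/etc/default/%i` entry never appears in the journal.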