Hi Rob

There are some logs in /var/log/pki-ca/catalina.out that appear to indicate a problem:

CMS Warning: FAILURE: Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate|FAILURE: authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value|
Server is started.
SEVERE: A web application appears to have started a thread named [Timer-0] but has failed to stop it. This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/signedAudit/ca_audit.flush-3] but has failed to stop it. This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/signedAudit/ca_audit.rollover-4] but has failed to stop it. This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/system.flush-5] but has failed to stop it. This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/system.rollover-6] but has failed to stop it. This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/transactions.flush-7] but has failed to stop it. This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/transactions.rollover-8] but has failed to stop it. This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/selftests.log.flush-9] but has failed to stop it. This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/selftests.log.rollover-10] but has failed to stop it. This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [LDAPConnThread-2 ldap://dc.ourdom.com:7389] but has failed to stop it. This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [LDAPConnThread-3 ldap://dc.ourdom.com:7389] but has failed to stop it. This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [LDAPConnThread-4 ldap://dc.ourdom.com:7389] but has failed to stop it. This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [LDAPConnThread-5 ldap://dc.ourdom.com:7389] but has failed to stop it. This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [LDAPConnThread-6 ldap://dc.ourdom.com:7389] but has failed to stop it. This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [LDAPConnThread-8 ldap://dc.ourdom.com:7389] but has failed to stop it. This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
May 24, 2013 11:48:10 AM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64/server:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/../lib/amd64:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1@7e8905bd]) and a value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
May 24, 2013 12:17:01 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1@7e8905bd]) and a value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
May 24, 2013 12:17:01 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1@7e8905bd]) and a value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.

Also running "getcert list" tells me there are two expired certs:

Request ID '20130524104636':
    status: CA_UNREACHABLE
    ca-error: Server at https://dc.ourdom.com/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://dc.ourdom.com:443/ca/agent/ca/displayBySerial': [Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
    stuck: no
Request ID '20130524104828':
    status: CA_UNREACHABLE
    ca-error: Server at https://dc.ourdom.com/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://dc.ourdom.com:443/ca/agent/ca/displayBySerial': [Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
    stuck: no

I'd be grateful to know what to do.

On Mon, May 18, 2015 at 3:05 PM, Rob Crittenden <[email protected]> wrote:
> Sina Owolabi wrote:
>>
>> Yes CA is running, and it's on the same machine.
>>
>> [root@dc ~]# ipa-replica-prepare dc01.ourdom.com --ip-address 192.168.2.40
>>
>> Directory Manager (existing master) password:
>>
>> Preparing replica for dc01.ourdom.com from dc.ourdom.com
>>
>> Creating SSL certificate for the Directory Server
>>
>> Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
>>
>> [root@dc ~]# ipactl status
>>
>> Directory Service: RUNNING
>> KDC Service: RUNNING
>> KPASSWD Service: RUNNING
>> DNS Service: RUNNING
>> MEMCACHE Service: RUNNING
>> HTTP Service: RUNNING
>> CA Service: RUNNING
>>
>> [root@dc ~]#
>
> This suggests that while the process is running the CA isn't actually
> operational. You'll need to poke through the logs in /var/log/pki* to see if
> there are any errors.
>
> I'd also see if the certificates are expired by running `getcert list` as
> root.
>
> rob
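
Added example, not part of the original messages: a small Python parser for `getcert list` output that lists every tracked request not in the MONITORING state, together with the NSS error name found in its ca-error. The sample input is constructed from the two requests quoted in the thread plus one made-up healthy request; the function names are hypothetical.

```python
import re

# Constructed sample: the two requests quoted in the thread, plus one healthy
# request (made-up ID) for contrast. Real output has more fields per request.
CA_ERR = ("Server at https://dc.ourdom.com/ipa/xml failed request, will retry: 907 "
          "(RPC failed at server.  cannot connect to "
          "'https://dc.ourdom.com:443/ca/agent/ca/displayBySerial': [Errno -12269] "
          "(SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).")
SAMPLE = (
    "Number of certificates and requests being tracked: 3.\n"
    "Request ID '20130524104636':\n\tstatus: CA_UNREACHABLE\n"
    f"\tca-error: {CA_ERR}\n\tstuck: no\n"
    "Request ID '20130524104828':\n\tstatus: CA_UNREACHABLE\n"
    f"\tca-error: {CA_ERR}\n\tstuck: no\n"
    "Request ID '20990101000000':\n\tstatus: MONITORING\n\tstuck: no\n"
)

REQ_RE = re.compile(r"^Request ID '([^']+)':\s*$")
FIELD_RE = re.compile(r"^\s+([A-Za-z][\w -]*?):\s*(.*)$")   # indented "key: value"
NSS_RE = re.compile(r"\((SSL_ERROR_\w+|SEC_ERROR_\w+)\)")    # NSS error name in parens


def parse_getcert_list(text):
    """Split `getcert list` output into one dict per tracked request."""
    records, cur = [], None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            cur = {"id": m.group(1)}
            records.append(cur)
            continue
        m = FIELD_RE.match(line)
        if m and cur is not None:
            cur.setdefault(m.group(1), m.group(2))  # keep first value per key
    return records


def triage(text):
    """Return (request id, status, NSS error or None) for requests not MONITORING."""
    out = []
    for rec in parse_getcert_list(text):
        if rec.get("status") != "MONITORING":
            m = NSS_RE.search(rec.get("ca-error", ""))
            out.append((rec["id"], rec.get("status"), m.group(1) if m else None))
    return out


if __name__ == "__main__":
    for rid, status, err in triage(SAMPLE):
        print(rid, status, err or "-")
```

On a live host the same functions can be fed the captured output of `getcert list` run as root.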
