On 11/13/2015 11:14 AM, Terry John wrote:
On 11/12/2015 04:51 PM, Terry John wrote:
I got a core dump of certmonger failing user abrt but it's huge. Is there any
particular part that would be useful.
CCing Nalin and David for the core dump. More below.
On 11/12/2015 02:17 PM, Terry John wrote:
I had a working freeipa setup on a CentOS release 6.7 machine. All was well
until I did a yum update. Now I have multiple issue apparently based around the
CMS (Service Unavailable) issue.
My current version of ipa-server is 3.0.0-47 Certmonger crashes with
a segmentation fault at boot time and crashes every time I try to restart it
when ipa is running.
<snip>
# ipa cert-status
Request id: 20140417164153
ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (Service Unavailable) # service certmonger
status certmonger (pid 3030) is running...
It looks like PKI cannot be contacted. I would recommend checking
/var/log/httpd/error_log, it may have more details. I would also recommend checking
"ipa cert-show 1", it will probably fail with the same bug.
Yes ipa cert-show 1 does show the same thing # ipa cert-show 1
ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (Service Unavailable)
Next steps may include checking that dogtag service really runs, there is no
SELinux AVC. If neither of this helps, you can check PKI logs /var/log/pki...
to see what went wrong.
I'm pretty certain the dogtag service is not running
Then you have your lucky winner! :-)
Some pointers to logs are for example here:
http://www.freeipa.org/page/Troubleshooting#Server_Installation
/var/log/pki-ca/catalina.out contains the lines at boot time:
SEVERE: Error deploying web application directory ca
java.lang.UnsupportedClassVersionError:
com/netscape/cms/servlet/filter/AgentRequestFilter : Unsupported major.minor
version 51.0 (unable to load class
com.netscape.cms.servlet.filter.AgentRequestFilter) at
org.apache.catalina.loader.WebappClassLoader.findClassInternal(WebappC>
lassLoader.java:2334).... lots of traceback
/var/log/pki-ca/system is empty
/var/log/pki-ca/debug has nothing new for 2 days
CCing Fraser. This is a wild guess, but maybe you updated your java to
java-1.8.0-openjdk? PKI does not work on it on RHEL/CentOS:
https://bugzilla.redhat.com/show_bug.cgi?id=1262516
java would need to be switched with "alternate" to pre-1.8.0 version if this is
the case.
The java version was the problem.
Good! Fraser, can we improve anything in pki-core, so that wrong java version
issue like this one does not occur? IIRC, pki-core in RHEL-6.x was updated to
somehow deal with java 1.8.0 (conflict), not sure if lower versions are also
covered.
Luckily I have a java expert to hand and explained that major.minor version
51.0 corresponds to java 7
http://stackoverflow.com/questions/9170832/list-of-java-class-file-format-major-version-numbers
When I did
# ps ax | grep java I got"
1460 ? Sl 1:21 /usr/java/default/bin/java -Djavax.sql.Da.......
# /usr/java/default/bin/java -version
java version "1.6.0_31"
Java(TM) SE Runtime Environment (build 1.6.0_31-b04)
Java HotSpot(TM) 64-Bit Server VM (build 20.6-b01, mixed mode)
I have both java-1.6.0-openjdk and java-1.7.0-openjdk installed but the
/usr/java/default/bin is all from java-1.6.0-openjdk
I have renamed /usr/java/default/bin/java to javaold and done
# ln -s /usr/bin/java /usr/java/default/bin/java
# /usr/java/default/bin/java -version
java version "1.7.0_91"
OpenJDK Runtime Environment (rhel-2.6.2.2.el6_7-x86_64 u91-b00)
OpenJDK 64-Bit Server VM (build 24.91-b01, mixed mode)
This may work, but looks a bit hacky. I think the right way is to use
"alternate" program I mentioned earlier to let you choose the right version of
the java executable and/or libraries.
After a reboot FreeIPA works properly which is great but I'm wondering if there
is a better fix though since all the other executables in are from the 1.6
version. I can't find a corresponding location for 1.7 executables.
The "alternate" approach should "just work". I am glad you made the instance
working again!
Thanks very much
The Manheim group of companies within the UK comprises: Manheim Europe Limited
(registered number: 03183918), Manheim Auctions Limited (registered number:
00448761), Manheim Retail Services Limited (registered number: 02838588),
Motors.co.uk Limited (registered number: 05975777), Real Time Communications
Limited (registered number: 04277845) and Complete Automotive Solutions Limited
(registered number: 05302535). Each of these companies is registered in England
and Wales with the registered office address of Central House, Leeds Road,
Rothwell, Leeds LS26 0JE. The Manheim group of companies operates under various
brand/trading names including Manheim Inspection Services, Manheim Auctions,
Manheim Direct, Manheim De-fleet and Manheim Aftersales Solutions.
V:0CF72C13B2AC
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
