2016-12-01 17:20 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:

> Rob Verduijn wrote:
> >
> > 2016-12-01 15:41 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
> >
> > Rob Verduijn wrote:
> > > Hello,
> > >
> > > For some reason my ipa server no longer boots.
> > > It keeps trying to start pki-tomcat service.
> > >
> > > Does anybody know where I should start looking to get this fixed ?
> > >
> > > Rob Verduijn
> > >
> > > ipactl -d start gives this output:
> > > ipa: DEBUG: The CA status is: check interrupted due to error: Command
> > > ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate'
> > > 'https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus'' returned
> > > non-zero exit status 8
> > > ipa: DEBUG: Waiting for CA to start...
> > > ipa: DEBUG: Starting external process
> > > ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
> > > '--no-check-certificate'
> > > 'https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus'
> > > ipa: DEBUG: Process finished, return code=8
> > > ipa: DEBUG: stdout=
> > > ipa: DEBUG: stderr=--2016-12-01 11:06:12--
> > > https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus
> > > Resolving freeipa02.tjako.thuis (freeipa02.tjako.thuis)... 172.16.1.13
> > > Connecting to freeipa02.tjako.thuis
> > > (freeipa02.tjako.thuis)|172.16.1.13|:8443... connected.
> > > HTTP request sent, awaiting response...
> > > HTTP/1.1 500 Internal Server Error
> > > Server: Apache-Coyote/1.1
> > > Content-Type: text/html;charset=utf-8
> > > Content-Language: en
> > > Content-Length: 2134
> > > Date: Thu, 01 Dec 2016 10:06:13 GMT
> > > Connection: close
> > > 2016-12-01 11:06:13 ERROR 500: Internal Server Error.
> > >
> > > There are also some java warnings in the logs, but it's java and I can
> > > never tell if it's a serious error when java gives a warning.
> > > Dec 1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> > > org.apache.catalina.startup.SetAllPropertiesRule begin
> > > Dec 1 09:53:59 freeipa02 server: WARNING:
> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > > 'serverCertNickFile' to
> > > '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a
> > > matching property.
> > > Dec 1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> > > org.apache.catalina.startup.SetAllPropertiesRule begin
> > > Dec 1 09:53:59 freeipa02 server: WARNING:
> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > > 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not
> > > find a matching property.
> > > Dec 1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> > > org.apache.catalina.startup.SetAllPropertiesRule begin
> > > Dec 1 09:53:59 freeipa02 server: WARNING:
> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > > 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile'
> > > did not find a matching property.
> > > Dec 1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> > > org.apache.catalina.startup.SetAllPropertiesRule begin
> > > Dec 1 09:53:59 freeipa02 server: WARNING:
> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > > 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching
> > > property.
> > > Dec 1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> > > org.apache.tomcat.util.digester.SetPropertiesRule begin
> > > Dec 1 09:53:59 freeipa02 server: WARNING:
> > > [SetPropertiesRule]{Server/Service/Engine/Host} Setting property
> > > 'xmlValidation' to 'false' did not find a matching property.
> > > Dec 1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> > > org.apache.tomcat.util.digester.SetPropertiesRule begin
> > > Dec 1 09:53:59 freeipa02 server: WARNING:
> > > [SetPropertiesRule]{Server/Service/Engine/Host} Setting property
> > > 'xmlNamespaceAware' to 'false' did not find a matching property.
> > >
> > > I'm running centos7.2 x86_64 with the latest patches applied.
> > > some package versions below
> > > rpm -qa|egrep "ipa|tomcat"|sort
> > > ipa-admintools-4.2.0-15.0.1.el7.centos.19.x86_64
> > > ipa-client-4.2.0-15.0.1.el7.centos.19.x86_64
> > > ipa-python-4.2.0-15.0.1.el7.centos.19.x86_64
> > > ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
> > > ipa-server-dns-4.2.0-15.0.1.el7.centos.19.x86_64
> > > libipa_hbac-1.13.0-40.el7_2.12.x86_64
> > > python-iniparse-0.4-9.el7.noarch
> > > python-libipa_hbac-1.13.0-40.el7_2.12.x86_64
> > > sssd-ipa-1.13.0-40.el7_2.12.x86_64
> > > tomcat-7.0.54-8.el7_2.noarch
> > > tomcat-el-2.2-api-7.0.54-8.el7_2.noarch
> > > tomcat-jsp-2.2-api-7.0.54-8.el7_2.noarch
> > > tomcatjss-7.1.2-1.el7.noarch
> > > tomcat-lib-7.0.54-8.el7_2.noarch
> > > tomcat-servlet-3.0-api-7.0.54-8.el7_2.noarch
> >
> > The debug log is quite verbose. I find it helpful to note where the
> > previous log ended, starting and pulling the difference and going line
> > by line. It sometimes fails in one place which cascades to others this
> > generally makes it hard to grok.
> >
> > I'd also run `getcert list` and check to ensure that the CA subsystem
> > certificates are still valid.
> >
> > rob
> >
> >
> > Hi,
> >
> > My certs were indeed expired.
> > I did what was said in here
> > http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
> > And now they are all valid again.
> >
> > However it is still stuck at the same spot.
> > It keeps waiting for the ca to start and gets an internal error.
> >
> > In the pki-catalina logs this keeps repeating :
> > Dec 01, 2016 4:22:44 PM org.apache.catalina.core.ContainerBase
> > backgroundProcess
> > WARNING: Exception processing realm
> > com.netscape.cms.tomcat.ProxyRealm@6934e456 background process
> > java.lang.NullPointerException
> >     at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:108)
> >     at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1360)
> >     at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1530)
> >     at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1540)
> >     at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1540)
> >     at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1519)
> >     at java.lang.Thread.run(Thread.java:745)
> >
> > I keep digging through the logs, but they are rather overwhelming.
> >
> > Have you got any pointers for me ?
>
> My only recommendation is to read top-down instead of bottom up as one
> would normally do. Look for the selftest and see if it was successful.
> If it wasn't then nothing will work.
>
> rob
>
In the pki-catalina log I find a lot of warnings.
Are these real warnings or just noise from tomcat ?

Dec 01, 2016 6:18:40 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property.
Dec 01, 2016 6:18:40 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://freeipa02.tjako.thuis:9080/ca/ocsp' did not find a matching property.
Dec 01, 2016 6:18:40 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property.
Dec 01, 2016 6:18:40 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property.
Dec 01, 2016 6:18:40 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a matching property.
Dec 01, 2016 6:18:40 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
Dec 01, 2016 6:18:40 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching property.
Dec 01, 2016 6:18:40 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'strictCiphers' to 'true' did not find a matching property.
Dec 01, 2016 6:18:40 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not find a matching property.

Rob Verduijn
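
An added example, not part of the thread and not FreeIPA code, for the `getcert list` check suggested in the quoted reply: Python that parses that command's output and reports tracked certificates that are expired, close to expiry, or not in the MONITORING state. The sample output, the 28-day threshold and the function names are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in `getcert list` layout, trimmed; IDs and dates invented.
SAMPLE = """\
Request ID '20150101000001':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/var/lib/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
\texpires: 2016-11-20 10:00:00 UTC
Request ID '20150101000002':
\tstatus: CA_UNREACHABLE
\tcertificate: type=NSSDB,location='/var/lib/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
\texpires: 2016-12-10 10:00:00 UTC
Request ID '20150101000003':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
\texpires: 2018-11-20 10:00:00 UTC
"""

def parse_getcert(text):
    """Split `getcert list` output into one dict per tracking request."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and ": " in line:
            key, _, value = line.strip().partition(": ")
            requests[-1][key] = value
    return requests

def problems(text, now, warn_days=28):  # warn_days is an assumed threshold
    """Return (nickname, reason) for each request needing attention."""
    found = []
    for req in parse_getcert(text):
        nick = re.search(r"nickname='([^']*)'", req.get("certificate", ""))
        name = nick.group(1) if nick else req["id"]
        if "expires" in req:  # a request with no issued cert has no expiry
            expires = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S UTC")
            left = expires.replace(tzinfo=timezone.utc) - now
            if left <= timedelta(0):
                found.append((name, "expired"))
            elif left < timedelta(days=warn_days):
                found.append((name, "expires soon"))
        if req.get("status") != "MONITORING":
            found.append((name, "status " + req.get("status", "unknown")))
    return found

for name, reason in problems(SAMPLE, datetime(2016, 12, 1, tzinfo=timezone.utc)):
    print(f"{name}: {reason}")
```

On a real server the text would come from running `getcert list` as root and passing its output to `problems()` with the current UTC time.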
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project