[Freeipa-users] Re: pki-tomcatd service stopped

2024-06-05 Thread Natxo Asenjo via FreeIPA-users
hi,

a bit late, apologies.

I found that I do have a replica, so the pressure is off, so this is nice
:-). Still, if you are still willing to investigate why this happened, I am
too (just curious). Otherwise we can drop this issue.

I see no dogtag-jss or dogtag-tomcat-jss packages, but I guess those are
idm-jss and idm-tomcatjss.

This is the output in the host with problems (running alma 9.3):

[root@kdc1 ~]# rpm -qa | grep -i jss
idm-jss-5.4.1-2.el9.x86_64
idm-tomcatjss-8.4.0-1.el9.noarch

And on the not yet updated replica, where it still runs (also alma 9.3):
[root@kdc2 ~]# rpm -qa | grep jss
idm-jss-5.4.1-2.el9.x86_64
idm-tomcatjss-8.4.0-1.el9.noarch

I created a third replica to have even better redundancy, and this one
running alma 9.4 has this version:

idm-jss-5.5.0-1.el9.x86_64
idm-jss-tomcat-5.5.0-1.el9.x86_64

Regards,
Natxo


On Thu, May 30, 2024 at 6:13 PM Rob Crittenden wrote:

> What version of dogtag-jss and dogtag-tomcat-jss are you running? I
> wonder if there is some requirement that it be in sync with the rest of
> the dogtag packages.
>
> rob
>
> Natxo Asenjo wrote:
> > hi,
> >
> > digging further, the tomcat service does not start because of this
> > error:
> >
> > server[48368]: org.xml.sax.SAXParseException; systemId:
> > file:/var/lib/pki/pki-tomcat/conf/server.xml; lineNumber: 86;
> > columnNumber: 861; Error at line [86] column [861]: [Cannot invoke
> > "Object.getClass()" because the return value of
> > "org.apache.catalina.connector.Connector.getProtocolHandler()" is null]
> >
> > If I check the server.xml, there is no column 861 in line 86, the last
> > char is 860
> >
> >  > protocol="org.dogtagpki.jss.tomcat.Http11NioProtocol" SSLEnabled="true"
> > sslImplementationName="org.dogtagpki.jss.tomcat.JSSImplementation"
> > scheme="https" secure="true" connectionTimeout="8"
> > keepAliveTimeout="30" maxHttpHeaderSize="8192" acceptCount="100"
> > maxThreads="150" minSpareThreads="25" enableLookups="false"
> > disableUploadTimeout="true" enableOCSP="false"
> > ocspResponderURL="http://kdc.sub.domain.tld:8080/ca/ocsp"
> > ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
> > ocspCacheSize="1000" ocspMinCacheEntryDuration="7200"
> > ocspMaxCacheEntryDuration="14400" ocspTimeout="10"
> > serverCertNickFile="/var/lib/pki/pki-tomcat/conf/serverCertNick.conf"
> > passwordFile="/var/lib/pki/pki-tomcat/conf/password.conf"
> > passwordClass="org.dogtagpki.jss.tomcat.PlainPasswordFile"
> > certdbDir="/var/lib/pki/pki-tomcat/alias">
> >
> >
> > This line looks similar (replacing the ocsp url) to other ipa ca
> > servers I manage, so I do not know where this is coming from.
> >
> > If I run this as root it starts but apparently not well enough, because
> > then the ExecStartPost command /usr/libexec/ipa/ipa-pki-wait-running
> > fails with a 404
> >
> > # /usr/libexec/ipa/ipa-pki-wait-running
> >
> > pki.client: /usr/libexec/ipa/ipa-pki-wait-running:61: The subsystem in
> > PKIConnection.__init__() has been deprecated
> > (https://github.com/dogtagpki/pki/wiki/PKI-10.8-Python-Changes).
> > ipa-pki-wait-running: Created connection
> http://kdc.sub.domain.tld:8080/ca
> > ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error:
> > for url: http://kdc.sub.domain.tld:8080/ca/admin/ca/getStatus
> >
> > Any clues?
> >
> > Regards,
> >
> > Natxo
> >
> >
> >
> > On Wed, May 29, 2024 at 4:06 PM Natxo Asenjo wrote:
> >
> >
> >
> > On Wed, May 29, 2024 at 3:03 PM Rob Crittenden wrote:
> >
> > Since it starts directly as root perhaps check for SELinux AVCs?
> > Maybe a
> > relabel would help (or try permissive to catch the full set).
> >
> > rob
> >
> >
> >
> > unfortunately selinux was already in permissive mode and no recent
> avcs:
> > # ausearch -m avc -ts recent
> > 
> >
> > The latest avc is from a few days ago regarding the ipa_custodia
> > which we do not use.
> >
> > I did a restorecon -rv / and it corrected some labels, but no
> > difference so far.
> >
> >
> >
> >
> >
> > --
> > --
> > Groeten,
> > natxo
>
>

-- 
--
Groeten,
natxo
--
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


[Freeipa-users] Re: pki-tomcatd service stopped

2024-05-30 Thread Rob Crittenden via FreeIPA-users
What version of dogtag-jss and dogtag-tomcat-jss are you running? I
wonder if there is some requirement that it be in sync with the rest of
the dogtag packages.

rob

Natxo Asenjo wrote:
> hi,
> 
> digging further, the tomcat service does not start because of this
> error:
> 
> server[48368]: org.xml.sax.SAXParseException; systemId:
> file:/var/lib/pki/pki-tomcat/conf/server.xml; lineNumber: 86;
> columnNumber: 861; Error at line [86] column [861]: [Cannot invoke
> "Object.getClass()" because the return value of
> "org.apache.catalina.connector.Connector.getProtocolHandler()" is null]
> 
> If I check the server.xml, there is no column 861 in line 86, the last
> char is 860
> 
>      protocol="org.dogtagpki.jss.tomcat.Http11NioProtocol" SSLEnabled="true"
> sslImplementationName="org.dogtagpki.jss.tomcat.JSSImplementation"
> scheme="https" secure="true" connectionTimeout="8"
> keepAliveTimeout="30" maxHttpHeaderSize="8192" acceptCount="100"
> maxThreads="150" minSpareThreads="25" enableLookups="false"
> disableUploadTimeout="true" enableOCSP="false"
> ocspResponderURL="http://kdc.sub.domain.tld:8080/ca/ocsp"
> ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
> ocspCacheSize="1000" ocspMinCacheEntryDuration="7200"
> ocspMaxCacheEntryDuration="14400" ocspTimeout="10"
> serverCertNickFile="/var/lib/pki/pki-tomcat/conf/serverCertNick.conf"
> passwordFile="/var/lib/pki/pki-tomcat/conf/password.conf"
> passwordClass="org.dogtagpki.jss.tomcat.PlainPasswordFile"
> certdbDir="/var/lib/pki/pki-tomcat/alias">
> 
> 
> This line looks similar (replacing the ocsp url) to other ipa ca
> servers I manage, so I do not know where this is coming from.
> 
> If I run this as root it starts but apparently not well enough, because
> then the ExecStartPost command /usr/libexec/ipa/ipa-pki-wait-running
> fails with a 404
> 
> # /usr/libexec/ipa/ipa-pki-wait-running
> 
> pki.client: /usr/libexec/ipa/ipa-pki-wait-running:61: The subsystem in
> PKIConnection.__init__() has been deprecated
> (https://github.com/dogtagpki/pki/wiki/PKI-10.8-Python-Changes).
> ipa-pki-wait-running: Created connection http://kdc.sub.domain.tld:8080/ca
> ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error: 
> for url: http://kdc.sub.domain.tld:8080/ca/admin/ca/getStatus
> 
> Any clues?
> 
> Regards,
> 
> Natxo
> 
> 
> 
> On Wed, May 29, 2024 at 4:06 PM Natxo Asenjo wrote:
> 
> 
> 
> On Wed, May 29, 2024 at 3:03 PM Rob Crittenden wrote:
> 
> Since it starts directly as root perhaps check for SELinux AVCs?
> Maybe a
> relabel would help (or try permissive to catch the full set).
> 
> rob
> 
> 
> 
> unfortunately selinux was already in permissive mode and no recent avcs:
> # ausearch -m avc -ts recent
> 
> 
> The latest avc is from a few days ago regarding the ipa_custodia
> which we do not use.
> 
> I did a restorecon -rv / and it corrected some labels, but no
> difference so far.
> 
> 
> 
> 
> 
> -- 
> --
> Groeten,
> natxo


[Freeipa-users] Re: pki-tomcatd service stopped

2024-05-30 Thread Natxo Asenjo via FreeIPA-users
hi,

digging further, the tomcat service does not start because of this
error:

server[48368]: org.xml.sax.SAXParseException; systemId:
file:/var/lib/pki/pki-tomcat/conf/server.xml; lineNumber: 86; columnNumber:
861; Error at line [86] column [861]: [Cannot invoke "Object.getClass()"
because the return value of
"org.apache.catalina.connector.Connector.getProtocolHandler()" is null]

If I check the server.xml, there is no column 861 in line 86, the last char
is 860

http://kdc.sub.domain.tld:8080/ca/ocsp"
ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
ocspCacheSize="1000" ocspMinCacheEntryDuration="7200"
ocspMaxCacheEntryDuration="14400" ocspTimeout="10"
serverCertNickFile="/var/lib/pki/pki-tomcat/conf/serverCertNick.conf"
passwordFile="/var/lib/pki/pki-tomcat/conf/password.conf"
passwordClass="org.dogtagpki.jss.tomcat.PlainPasswordFile"
certdbDir="/var/lib/pki/pki-tomcat/alias">


This line looks similar (replacing the ocsp url) to other ipa ca servers I
manage, so I do not know where this is coming from.

If I run this as root it starts but apparently not well enough, because
then the ExecStartPost command /usr/libexec/ipa/ipa-pki-wait-running fails
with a 404

# /usr/libexec/ipa/ipa-pki-wait-running

pki.client: /usr/libexec/ipa/ipa-pki-wait-running:61: The subsystem in
PKIConnection.__init__() has been deprecated (
https://github.com/dogtagpki/pki/wiki/PKI-10.8-Python-Changes).
ipa-pki-wait-running: Created connection http://kdc.sub.domain.tld:8080/ca
ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error:  for
url: http://kdc.sub.domain.tld:8080/ca/admin/ca/getStatus

Any clues?

Regards,

Natxo



On Wed, May 29, 2024 at 4:06 PM Natxo Asenjo wrote:

>
>
> On Wed, May 29, 2024 at 3:03 PM Rob Crittenden 
> wrote:
>
>> Since it starts directly as root perhaps check for SELinux AVCs? Maybe a
>> relabel would help (or try permissive to catch the full set).
>>
>> rob
>
>
>
> unfortunately selinux was already in permissive mode and no recent avcs:
> # ausearch -m avc -ts recent
> 
>
> The latest avc is from a few days ago regarding the ipa_custodia which we
> do not use.
>
> I did a restorecon -rv / and it corrected some labels, but no difference
> so far.
>
>
>
>

-- 
--
Groeten,
natxo


[Freeipa-users] Re: pki-tomcatd service stopped

2024-05-29 Thread Natxo Asenjo via FreeIPA-users
On Wed, May 29, 2024 at 3:03 PM Rob Crittenden wrote:

> Since it starts directly as root perhaps check for SELinux AVCs? Maybe a
> relabel would help (or try permissive to catch the full set).
>
> rob



unfortunately selinux was already in permissive mode and no recent avcs:
# ausearch -m avc -ts recent


The latest avc is from a few days ago regarding the ipa_custodia which we
do not use.

I did a restorecon -rv / and it corrected some labels, but no difference so
far.


[Freeipa-users] Re: pki-tomcatd service stopped

2024-05-29 Thread Rob Crittenden via FreeIPA-users
Since it starts directly as root perhaps check for SELinux AVCs? Maybe a
relabel would help (or try permissive to catch the full set).

rob

Natxo Asenjo wrote:
> hi,
> 
> yes, there was something wrong with another file :-):
> 
> # grep -r "11.5.0" /etc/pki/ 
> /etc/pki/pki-tomcat/tomcat.conf: PKI_VERSION="11.5.0"
> 
> So I modified that to
> 
> PKI_VERSION=11.4.2
> 
> And now I have another error :-). It fails to start because of this (I
> know I should not start this from systemctl but from ipactl restart;
> when debugging, ipactl restart takes longer to run):
> 
> May 29 14:23:01 kdc.sub.domain.tld systemd[1]: Starting PKI Tomcat
> Server pki-tomcat...
> ░░ Subject: A start job for unit pki-tomcatd@pki-tomcat.service has
> begun execution
> ░░ Defined-By: systemd
> ░░ Support: https://access.redhat.com/support
> ░░
> ░░ A start job for unit pki-tomcatd@pki-tomcat.service has begun execution.
> ░░
> ░░ The job identifier is 35769.
> May 29 14:23:03 kdc.sub.domain.tld pki-server[43389]: NOTE: Picked up
> JDK_JAVA_OPTIONS:  --add-opens=j>
> May 29 14:23:03 kdc.sub.domain.tld pki-server[43371]: AJP connector
> requiredSecret: None
> May 29 14:23:03 kdc.sub.domain.tld pki-server[43371]: AJP connector
> requiredSecret: None
> May 29 14:23:03 kdc.sub.domain.tld server[43423]: Java virtual machine
> used: /usr/lib/jvm/jre-17-openj>
> May 29 14:23:03 kdc.sub.domain.tld server[43423]: classpath used:
> /usr/share/tomcat/bin/bootstrap.jar:>
> May 29 14:23:03 kdc.sub.domain.tld server[43423]: main class used:
> org.apache.catalina.startup.Bootstr>
> May 29 14:23:03 kdc.sub.domain.tld server[43423]: flags used:
> -Dcom.redhat.fips=false
> May 29 14:23:03 kdc.sub.domain.tld server[43423]: options used:
> -Dcatalina.base=/var/lib/pki/pki-tomca>
> May 29 14:23:03 kdc.sub.domain.tld server[43423]: arguments used: start
> May 29 14:23:03 kdc.sub.domain.tld server[43423]: NOTE: Picked up
> JDK_JAVA_OPTIONS:  --add-opens=java.>
> May 29 14:23:03 kdc.sub.domain.tld server[43423]: WARNING: A command
> line option has enabled the Secur>
> May 29 14:23:03 kdc.sub.domain.tld server[43423]: WARNING: The Security
> Manager is deprecated and will>
> May 29 14:23:04 kdc.sub.domain.tld ipa-pki-wait-running[43424]:
> pki.client: /usr/libexec/ipa/ipa-pki-w>
> May 29 14:23:04 kdc.sub.domain.tld ipa-pki-wait-running[43424]:
> ipa-pki-wait-running: Created connecti>
> May 29 14:23:04 kdc.sub.domain.tld ipa-pki-wait-running[43424]:
> ipa-pki-wait-running: Connection faile>
> May 29 14:23:05 kdc.sub.domain.tld server[43423]: SEVERE: Protocol
> handler instantiation failed
> May 29 14:23:05 kdc.sub.domain.tld server[43423]:
> java.lang.ClassNotFoundException: org.dogtagpki.jss.>
> May 29 14:23:05 kdc.sub.domain.tld server[43423]: at
> java.base/java.net.URLClassLoader.findCla>
> May 29 14:23:05 kdc.sub.domain.tld server[43423]: at
> java.base/java.lang.ClassLoader.loadClass>
> lines 1094-1145/1353 80%
> ░░ Defined-By: systemd
> ░░ Support: https://access.redhat.com/support
> ░░
> ░░ A start job for unit pki-tomcatd@pki-tomcat.service has begun execution.
> ░░
> ░░ The job identifier is 35665.
> May 29 14:19:36 kdc.sub.domain.tld pki-server[43128]: NOTE: Picked up
> JDK_JAVA_OPTIONS:  --add-opens=java.base/java.lang=ALL-UNNAMED
> --add-opens=java.base/java.io=ALL-UNNAMED
> --add-opens=java.base/java.util=>
> May 29 14:19:36 kdc.sub.domain.tld pki-server[43109]: AJP connector
> requiredSecret: None
> May 29 14:19:36 kdc.sub.domain.tld pki-server[43109]: AJP connector
> requiredSecret: None
> May 29 14:19:36 kdc.sub.domain.tld server[43162]: Java virtual machine
> used: /usr/lib/jvm/jre-17-openjdk/bin/java
> May 29 14:19:36 kdc.sub.domain.tld server[43162]: classpath used:
> /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:
> May 29 14:19:36 kdc.sub.domain.tld server[43162]: main class used:
> org.apache.catalina.startup.Bootstrap
> May 29 14:19:36 kdc.sub.domain.tld server[43162]: flags used:
> -Dcom.redhat.fips=false
> May 29 14:19:36 kdc.sub.domain.tld server[43162]: options used:
> -Dcatalina.base=/var/lib/pki/pki-tomcat
> -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs=
> -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp ->
> May 29 14:19:36 kdc.sub.domain.tld server[43162]: arguments used: start
> May 29 14:19:36 kdc.sub.domain.tld server[43162]: NOTE: Picked up
> JDK_JAVA_OPTIONS:  --add-opens=java.base/java.lang=ALL-UNNAMED
> --add-opens=java.base/java.io=ALL-UNNAMED
> --add-opens=java.base/java.util=ALL->
> May 29 14:19:36 kdc.sub.domain.tld server[43162]: WARNING: A command
> line option has enabled the Security Manager
> May 29 14:19:36 kdc.sub.domain.tld server[43162]: WARNING: The Security
> Manager is deprecated and will be removed in a future release
> May 29 14:19:37 kdc.sub.domain.tld ipa-pki-wait-running[43163]:
> pki.client: /usr/libexec/ipa/ipa-pki-wait-running:61: The subsystem in
> 

[Freeipa-users] Re: pki-tomcatd service stopped

2024-05-29 Thread Natxo Asenjo via FreeIPA-users
hi,

yes, there was something wrong with another file :-):

# grep -r "11.5.0" /etc/pki/
/etc/pki/pki-tomcat/tomcat.conf: PKI_VERSION="11.5.0"

So I modified that to

PKI_VERSION=11.4.2

And now I have another error :-). It fails to start because of this (I know
I should not start this from systemctl but from ipactl restart; when
debugging, ipactl restart takes longer to run):

May 29 14:23:01 kdc.sub.domain.tld systemd[1]: Starting PKI Tomcat Server
pki-tomcat...
░░ Subject: A start job for unit pki-tomcatd@pki-tomcat.service has begun
execution
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ A start job for unit pki-tomcatd@pki-tomcat.service has begun execution.
░░
░░ The job identifier is 35769.
May 29 14:23:03 kdc.sub.domain.tld pki-server[43389]: NOTE: Picked up
JDK_JAVA_OPTIONS:  --add-opens=j>
May 29 14:23:03 kdc.sub.domain.tld pki-server[43371]: AJP connector
requiredSecret: None
May 29 14:23:03 kdc.sub.domain.tld pki-server[43371]: AJP connector
requiredSecret: None
May 29 14:23:03 kdc.sub.domain.tld server[43423]: Java virtual machine
used: /usr/lib/jvm/jre-17-openj>
May 29 14:23:03 kdc.sub.domain.tld server[43423]: classpath used:
/usr/share/tomcat/bin/bootstrap.jar:>
May 29 14:23:03 kdc.sub.domain.tld server[43423]: main class used:
org.apache.catalina.startup.Bootstr>
May 29 14:23:03 kdc.sub.domain.tld server[43423]: flags used:
-Dcom.redhat.fips=false
May 29 14:23:03 kdc.sub.domain.tld server[43423]: options used:
-Dcatalina.base=/var/lib/pki/pki-tomca>
May 29 14:23:03 kdc.sub.domain.tld server[43423]: arguments used: start
May 29 14:23:03 kdc.sub.domain.tld server[43423]: NOTE: Picked up
JDK_JAVA_OPTIONS:  --add-opens=java.>
May 29 14:23:03 kdc.sub.domain.tld server[43423]: WARNING: A command line
option has enabled the Secur>
May 29 14:23:03 kdc.sub.domain.tld server[43423]: WARNING: The Security
Manager is deprecated and will>
May 29 14:23:04 kdc.sub.domain.tld ipa-pki-wait-running[43424]: pki.client:
/usr/libexec/ipa/ipa-pki-w>
May 29 14:23:04 kdc.sub.domain.tld ipa-pki-wait-running[43424]:
ipa-pki-wait-running: Created connecti>
May 29 14:23:04 kdc.sub.domain.tld ipa-pki-wait-running[43424]:
ipa-pki-wait-running: Connection faile>
May 29 14:23:05 kdc.sub.domain.tld server[43423]: SEVERE: Protocol handler
instantiation failed
May 29 14:23:05 kdc.sub.domain.tld server[43423]:
java.lang.ClassNotFoundException: org.dogtagpki.jss.>
May 29 14:23:05 kdc.sub.domain.tld server[43423]: at
java.base/java.net.URLClassLoader.findCla>
May 29 14:23:05 kdc.sub.domain.tld server[43423]: at
java.base/java.lang.ClassLoader.loadClass>
lines 1094-1145/1353 80%
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ A start job for unit pki-tomcatd@pki-tomcat.service has begun execution.
░░
░░ The job identifier is 35665.
May 29 14:19:36 kdc.sub.domain.tld pki-server[43128]: NOTE: Picked up
JDK_JAVA_OPTIONS:  --add-opens=java.base/java.lang=ALL-UNNAMED
--add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=>
May 29 14:19:36 kdc.sub.domain.tld pki-server[43109]: AJP connector
requiredSecret: None
May 29 14:19:36 kdc.sub.domain.tld pki-server[43109]: AJP connector
requiredSecret: None
May 29 14:19:36 kdc.sub.domain.tld server[43162]: Java virtual machine
used: /usr/lib/jvm/jre-17-openjdk/bin/java
May 29 14:19:36 kdc.sub.domain.tld server[43162]: classpath used:
/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:
May 29 14:19:36 kdc.sub.domain.tld server[43162]: main class used:
org.apache.catalina.startup.Bootstrap
May 29 14:19:36 kdc.sub.domain.tld server[43162]: flags used:
-Dcom.redhat.fips=false
May 29 14:19:36 kdc.sub.domain.tld server[43162]: options used:
-Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat
-Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp ->
May 29 14:19:36 kdc.sub.domain.tld server[43162]: arguments used: start
May 29 14:19:36 kdc.sub.domain.tld server[43162]: NOTE: Picked up
JDK_JAVA_OPTIONS:  --add-opens=java.base/java.lang=ALL-UNNAMED
--add-opens=java.base/java.io=ALL-UNNAMED
--add-opens=java.base/java.util=ALL->
May 29 14:19:36 kdc.sub.domain.tld server[43162]: WARNING: A command line
option has enabled the Security Manager
May 29 14:19:36 kdc.sub.domain.tld server[43162]: WARNING: The Security
Manager is deprecated and will be removed in a future release
May 29 14:19:37 kdc.sub.domain.tld ipa-pki-wait-running[43163]: pki.client:
/usr/libexec/ipa/ipa-pki-wait-running:61: The subsystem in
PKIConnection.__init__() has been deprecated (https://github.com/dogtagp>
May 29 14:19:37 kdc.sub.domain.tld ipa-pki-wait-running[43163]:
ipa-pki-wait-running: Created connection http://kdc.sub.domain.tld:8080/ca
May 29 14:19:37 kdc.sub.domain.tld ipa-pki-wait-running[43163]:
ipa-pki-wait-running: Connection failed:
HTTPConnectionPool(host='kdc.sub.domain.tld', port=8080): Max retries
exceeded with url: /ca/admin/ca>
May 29 14:19:37 kdc.sub.domain.tld 

[Freeipa-users] Re: pki-tomcatd service stopped

2024-05-29 Thread Alexander Bokovoy via FreeIPA-users

On Wed, 29 May 2024, Natxo Asenjo wrote:

hi,

indeed, sorry.

# cat /etc/pki/pki.version
Configuration-Version: 11.5.0

# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting smb Service
Restarting winbind Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
1 service(s) are not running

May 29 12:12:34 kdc.sub.domain.tld systemd[1]: Starting PKI Tomcat Server
pki-tomcat...
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: ERROR: Unable to
parse version number: "11.5.0"
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: Traceback (most
recent call last):
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]:   File
"/usr/lib/python3.9/site-packages/pki/server/pkiserver.py", line 41, in
<module>
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]:
cli.execute(sys.argv)
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]:   File
"/usr/lib/python3.9/site-packages/pki/server/cli/__init__.py", line 145, in
execute
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]:
super().execute(args)
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]:   File
"/usr/lib/python3.9/site-packages/pki/cli/__init__.py", line 217, in execute
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]:
module.execute(module_args)
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]:   File
"/usr/lib/python3.9/site-packages/pki/server/cli/upgrade.py", line 144, in
execute
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: self.upgrade(
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]:   File
"/usr/lib/python3.9/site-packages/pki/server/cli/upgrade.py", line 178, in
upgrade
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: upgrader.upgrade()
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]:   File
"/usr/lib/python3.9/site-packages/pki/upgrade.py", line 481, in upgrade
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: versions =
self.versions()
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]:   File
"/usr/lib/python3.9/site-packages/pki/upgrade.py", line 238, in versions
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: current_version =
self.get_current_version()
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]:   File
"/usr/lib/python3.9/site-packages/pki/upgrade.py", line 341, in
get_current_version
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: current_version =
self.get_tracker().get_version()
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]:   File
"/usr/lib/python3.9/site-packages/pki/upgrade.py", line 141, in get_version
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: return
pki.util.Version(version)
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]:   File
"/usr/lib/python3.9/site-packages/pki/util.py", line 613, in __init__
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: raise
Exception('Unable to parse version number: %s' % obj)
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: Exception: Unable to
parse version number: "11.5.0"


The only way to get this string in double quotes is if it was in double
quotes in the original file:

-

>>> import re
>>> obj = "11.5.0"
>>> m = re.match(r'^(\d+)\.(\d+)\.(\d+)', obj)
>>> m.group(2)
'5'
>>> raise Exception('Unable to parse version number: %s' % obj)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
Exception: Unable to parse version number: 11.5.0

>>> obj = '"11.5.0"'
>>> m = re.match(r'^(\d+)\.(\d+)\.(\d+)', obj)
>>> m.group(2)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
AttributeError: 'NoneType' object has no attribute 'group'
>>> raise Exception('Unable to parse version number: %s' % obj)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
Exception: Unable to parse version number: "11.5.0"
-

So I still think there is something wrong with the file it reads...



If I revert it to 11.4.2, it looks as though it is not reading this file
to get this information.

# cat /etc/pki/pki.version
Configuration-Version: 11.4.2

# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting smb Service
Restarting winbind Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

# ipactl status
Directory Service: RUNNING
krb5kdc Service: 
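The regex experiment in the reply above shows why a double-quoted version string trips Dogtag's upgrade check. As an added example (not code from this thread, from FreeIPA or from Dogtag PKI), the script below reproduces that behaviour on constructed file contents: it applies a regex of the same shape Alexander pasted to the raw value, without stripping quotes, and then scans a pki.version-style header file and a shell-style tomcat.conf fragment (the two files named in the thread) to report whether each value parses and whether quoting is what breaks it. The file formats are assumed from what the thread shows (`Configuration-Version: 11.5.0` and `PKI_VERSION="11.5.0"`); the sample texts are constructed, not copied from a real host.

```python
"""Added example: reproduce Dogtag's version-parse failure on quoted values.

Assumptions (not verified against the Dogtag source beyond what the thread
shows): pki.util.Version matches r'^(\\d+)\\.(\\d+)\\.(\\d+)' against the raw
string, so a value that still carries its shell-style double quotes does not
match and the upgrade step raises "Unable to parse version number".
"""
import re
from typing import NamedTuple, Optional

# Same regex shape as in the interactive session quoted in the thread.
VERSION_RE = re.compile(r'^(\d+)\.(\d+)\.(\d+)')


class VersionCheck(NamedTuple):
    source: str               # which file / key the value came from
    raw: str                  # value exactly as found in the file
    parsed: Optional[tuple]   # (major, minor, patch) or None if no match
    quoted: bool              # True when only the surrounding quotes break it


def parse_version(raw: str) -> Optional[tuple]:
    """Strict match on the raw string, no quote stripping, like pki.util.Version."""
    m = VERSION_RE.match(raw)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def check_value(source: str, raw: str) -> VersionCheck:
    """Classify a value: parseable, broken only by quotes, or unparseable."""
    parsed = parse_version(raw)
    stripped = raw.strip().strip('"\'')
    quoted = parsed is None and parse_version(stripped) is not None
    return VersionCheck(source, raw, parsed, quoted)


def read_pki_version(text: str) -> Optional[str]:
    """Return the 'Configuration-Version:' value from pki.version-style text."""
    for line in text.splitlines():
        key, sep, value = line.partition(':')
        if sep and key.strip() == 'Configuration-Version':
            return value.strip()
    return None


def read_tomcat_conf(text: str, key: str = 'PKI_VERSION') -> Optional[str]:
    """Return the raw right-hand side of KEY=... from shell-style text, quotes kept."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('#') or '=' not in line:
            continue
        k, _, v = line.partition('=')
        if k.strip() == key:
            return v.strip()
    return None


def scan(pki_version_text: str, tomcat_conf_text: str) -> list:
    """Check both version sources the thread mentions and return one result each."""
    results = []
    v = read_pki_version(pki_version_text)
    if v is not None:
        results.append(check_value('/etc/pki/pki.version', v))
    v = read_tomcat_conf(tomcat_conf_text)
    if v is not None:
        results.append(check_value('/etc/pki/pki-tomcat/tomcat.conf:PKI_VERSION', v))
    return results


# Constructed sample inputs modelled on the thread, not copied from a real host.
SAMPLE_PKI_VERSION = "Configuration-Version: 11.4.2\n"
SAMPLE_TOMCAT_CONF = (
    "# constructed tomcat.conf fragment\n"
    'PKI_VERSION="11.5.0"\n'
)

if __name__ == '__main__':
    for r in scan(SAMPLE_PKI_VERSION, SAMPLE_TOMCAT_CONF):
        if r.parsed:
            status = 'ok %s' % '.'.join(map(str, r.parsed))
        elif r.quoted:
            status = 'quoted value, strip the quotes'
        else:
            status = 'unparseable'
        print('%s: %r -> %s' % (r.source, r.raw, status))
```

Run against the constructed samples it reports pki.version as fine and flags the tomcat.conf value as parseable only once the quotes are removed, which matches the outcome of the thread (editing the quoted `PKI_VERSION` line cleared this particular error).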

[Freeipa-users] Re: pki-tomcatd service stopped

2024-05-29 Thread Natxo Asenjo via FreeIPA-users
hi,

indeed, sorry.

# cat /etc/pki/pki.version
Configuration-Version: 11.5.0

# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting smb Service
Restarting winbind Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
1 service(s) are not running

May 29 12:12:34 kdc.sub.domain.tld systemd[1]: Starting PKI Tomcat Server
pki-tomcat...
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: ERROR: Unable to
parse version number: "11.5.0"
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: Traceback (most
recent call last):
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]:   File
"/usr/lib/python3.9/site-packages/pki/server/pkiserver.py", line 41, in
<module>
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]:
cli.execute(sys.argv)
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]:   File
"/usr/lib/python3.9/site-packages/pki/server/cli/__init__.py", line 145, in
execute
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]:
super().execute(args)
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]:   File
"/usr/lib/python3.9/site-packages/pki/cli/__init__.py", line 217, in execute
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]:
module.execute(module_args)
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]:   File
"/usr/lib/python3.9/site-packages/pki/server/cli/upgrade.py", line 144, in
execute
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: self.upgrade(
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]:   File
"/usr/lib/python3.9/site-packages/pki/server/cli/upgrade.py", line 178, in
upgrade
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: upgrader.upgrade()
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]:   File
"/usr/lib/python3.9/site-packages/pki/upgrade.py", line 481, in upgrade
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: versions =
self.versions()
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]:   File
"/usr/lib/python3.9/site-packages/pki/upgrade.py", line 238, in versions
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: current_version =
self.get_current_version()
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]:   File
"/usr/lib/python3.9/site-packages/pki/upgrade.py", line 341, in
get_current_version
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: current_version =
self.get_tracker().get_version()
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]:   File
"/usr/lib/python3.9/site-packages/pki/upgrade.py", line 141, in get_version
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: return
pki.util.Version(version)
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]:   File
"/usr/lib/python3.9/site-packages/pki/util.py", line 613, in __init__
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: raise
Exception('Unable to parse version number: %s' % obj)
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: Exception: Unable to
parse version number: "11.5.0"

If I revert it to 11.4.2, it looks as though it is not reading this file
to get this information.

# cat /etc/pki/pki.version
Configuration-Version: 11.4.2

# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting smb Service
Restarting winbind Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
1 service(s) are not running

May 29 12:17:08 kdc.sub.domain.tld systemd[1]: Starting PKI Tomcat Server
pki-tomcat...
May 29 12:17:08 kdc.sub.domain.tld pki-server[37297]: ERROR: Unable to
parse version number: "11.5.0"

Strange.


On Tue, May 28, 2024 at 7:35 PM Rob Crittenden wrote:

> Natxo Asenjo via FreeIPA-users wrote:
> > hi,
> >
> > no, it's without quotes but the rolled-back version:
> >
> > Configuration-Version: 11.4.2
> >
> > I tried modifying it to 11.5.0 and ipactl restart, but it does not help
> > (reset it to the proper value 11.4.2 now)
>
> Did the error change when you switched to 11.4.2? You didn't include a
> new traceback.
>
> rob
>
> >
> >
> >
> > On Fri, May 24, 2024 at 5:14 PM 

[Freeipa-users] Re: pki-tomcatd service stopped

2024-05-28 Thread Rob Crittenden via FreeIPA-users
Natxo Asenjo via FreeIPA-users wrote:
> hi,
> 
> no, it's without quotes but the rolled-back version:
> 
> Configuration-Version: 11.4.2
> 
> I tried modifying it to 11.5.0 and ipactl restart, but it does not help
> (reset it to the proper value 11.4.2 now)

Did the error change when you switched to 11.4.2? You didn't include a
new traceback.

rob

> 
> 
> 
> On Fri, May 24, 2024 at 5:14 PM Alexander Bokovoy wrote:
> 
> On Fri, 24 May 2024, Natxo Asenjo via FreeIPA-users wrote:
> >hi,
> >
> >after a botched update
> (https://access.redhat.com/solutions/7065748) and
> >rolling back the changes, this service will not start:
> >
> ># ipactl status
> >Directory Service: RUNNING
> >krb5kdc Service: RUNNING
> >kadmin Service: RUNNING
> >named Service: RUNNING
> >httpd Service: RUNNING
> >ipa-custodia Service: RUNNING
> >pki-tomcatd Service: STOPPED
> >smb Service: RUNNING
> >winbind Service: RUNNING
> >ipa-otpd Service: RUNNING
> >ipa-dnskeysyncd Service: RUNNING
> >1 service(s) are not running
> >
> >in journalctl I found these stdout/stderr messages:
> >
> >
> >May 24 11:40:35 kdc1.sub.domain.tld named[27437]: zone
> sub.domain.tld/IN:
> >sending notifies (serial 1716543629)
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: ERROR: Unable to
> >parse version number: "11.5.0"
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: Traceback (most
> >recent call last):
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:   File
> >"/usr/lib/python3.9/site-packages/pki/server/pkiserver.py", line 41, in
> >
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:
> >cli.execute(sys.argv)
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:   File
> >"/usr/lib/python3.9/site-packages/pki/server/cli/__init__.py", line
> 145, in
> >execute
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:
> >super().execute(args)
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:   File
> >"/usr/lib/python3.9/site-packages/pki/cli/__init__.py", line 217,
> in execute
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:
> >module.execute(module_args)
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:   File
> >"/usr/lib/python3.9/site-packages/pki/server/cli/upgrade.py", line
> 144, in
> >execute
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: self.upgrade(
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:   File
> >"/usr/lib/python3.9/site-packages/pki/server/cli/upgrade.py", line
> 178, in
> >upgrade
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:
> >upgrader.upgrade()
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:   File
> >"/usr/lib/python3.9/site-packages/pki/upgrade.py", line 481, in upgrade
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:     versions =
> >self.versions()
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:   File
> >"/usr/lib/python3.9/site-packages/pki/upgrade.py", line 238, in
> versions
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: current_version
> >= self.get_current_version()
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:   File
> >"/usr/lib/python3.9/site-packages/pki/upgrade.py", line 341, in
> >get_current_version
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: current_version
> >= self.get_tracker().get_version()
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:   File
> >"/usr/lib/python3.9/site-packages/pki/upgrade.py", line 141, in
> get_version
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:     return
> >pki.util.Version(version)
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:   File
> >"/usr/lib/python3.9/site-packages/pki/util.py", line 613, in __init__
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:     raise
> >Exception('Unable to parse version number: %s' % obj)
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: Exception:
> Unable to
> >parse version number: "11.5.0"
> 
> What do you have in /etc/pki/pki.version file? Is it literally
> 
> # cat /etc/pki/pki.version
> Configuration-Version: "11.5.0"
> 
> ? If so, then remove quotes around 11.5.0, they are not expected.
> 
> >May 24 11:40:35 kdc1.sub.domain.tld systemd[1]:
> >pki-tomcatd@pki-tomcat.service: Control process exited, code=exited,
> >status=1/FAILURE
> >May 24 11:40:35 kdc1.sub.domain.tld systemd[1]:
> >pki-tomcatd@pki-tomcat.service: Failed with result 'exit-code'.
> >May 24 11:40:35 kdc1.sub.domain.tld systemd[1]: Failed to start PKI
> Tomcat
> >Server pki-tomcat.
> >
> >So it seems something is broken on 

[Freeipa-users] Re: pki-tomcatd service stopped

2024-05-27 Thread Natxo Asenjo via FreeIPA-users
hi,

no, it's without quotes but the rolled-back version:

Configuration-Version: 11.4.2

I tried modifying it to 11.5.0 and ipactl restart, but it does not help
(reset it to the proper value 11.4.2 now)



On Fri, May 24, 2024 at 5:14 PM Alexander Bokovoy 
wrote:

> On Fri, 24 May 2024, Natxo Asenjo via FreeIPA-users wrote:
> >hi,
> >
> >after a botched update (https://access.redhat.com/solutions/7065748) and
> >rolling back the changes, this service will not start:
> >
> ># ipactl status
> >Directory Service: RUNNING
> >krb5kdc Service: RUNNING
> >kadmin Service: RUNNING
> >named Service: RUNNING
> >httpd Service: RUNNING
> >ipa-custodia Service: RUNNING
> >pki-tomcatd Service: STOPPED
> >smb Service: RUNNING
> >winbind Service: RUNNING
> >ipa-otpd Service: RUNNING
> >ipa-dnskeysyncd Service: RUNNING
> >1 service(s) are not running
> >
> >in journalctl I found these stdout/stderr messages:
> >
> >
> >May 24 11:40:35 kdc1.sub.domain.tld named[27437]: zone sub.domain.tld/IN:
> >sending notifies (serial 1716543629)
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: ERROR: Unable to
> >parse version number: "11.5.0"
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: Traceback (most
> >recent call last):
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:   File
> >"/usr/lib/python3.9/site-packages/pki/server/pkiserver.py", line 41, in
> >
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:
> >cli.execute(sys.argv)
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:   File
> >"/usr/lib/python3.9/site-packages/pki/server/cli/__init__.py", line 145,
> in
> >execute
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:
> >super().execute(args)
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:   File
> >"/usr/lib/python3.9/site-packages/pki/cli/__init__.py", line 217, in
> execute
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:
> >module.execute(module_args)
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:   File
> >"/usr/lib/python3.9/site-packages/pki/server/cli/upgrade.py", line 144, in
> >execute
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: self.upgrade(
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:   File
> >"/usr/lib/python3.9/site-packages/pki/server/cli/upgrade.py", line 178, in
> >upgrade
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:
> >upgrader.upgrade()
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:   File
> >"/usr/lib/python3.9/site-packages/pki/upgrade.py", line 481, in upgrade
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: versions =
> >self.versions()
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:   File
> >"/usr/lib/python3.9/site-packages/pki/upgrade.py", line 238, in versions
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: current_version
> >= self.get_current_version()
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:   File
> >"/usr/lib/python3.9/site-packages/pki/upgrade.py", line 341, in
> >get_current_version
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: current_version
> >= self.get_tracker().get_version()
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:   File
> >"/usr/lib/python3.9/site-packages/pki/upgrade.py", line 141, in
> get_version
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: return
> >pki.util.Version(version)
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:   File
> >"/usr/lib/python3.9/site-packages/pki/util.py", line 613, in __init__
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: raise
> >Exception('Unable to parse version number: %s' % obj)
> >May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: Exception: Unable
> to
> >parse version number: "11.5.0"
>
> What do you have in /etc/pki/pki.version file? Is it literally
>
> # cat /etc/pki/pki.version
> Configuration-Version: "11.5.0"
>
> ? If so, then remove quotes around 11.5.0, they are not expected.
>
> >May 24 11:40:35 kdc1.sub.domain.tld systemd[1]:
> >pki-tomcatd@pki-tomcat.service: Control process exited, code=exited,
> >status=1/FAILURE
> >May 24 11:40:35 kdc1.sub.domain.tld systemd[1]:
> >pki-tomcatd@pki-tomcat.service: Failed with result 'exit-code'.
> >May 24 11:40:35 kdc1.sub.domain.tld systemd[1]: Failed to start PKI Tomcat
> >Server pki-tomcat.
> >
> >So it seems something is broken in this upgrade script. This is in
> >almalinux 9.3
> >ipa-server-4.10.2-5.el9_3.alma.1.x86_64
> >
> >I cannot upgrade because I get bitten by the named ldap thing, even though
> >the versions are newer.
> >
> >I will create a replica on a rhel host but first I need to get the CA up
> >and running obviously :-).
> >
> >Any ideas?
> >
> >Thanks!
> >
> >--
> >regards,
> >
> >natxo
> >
> >--
> >--
> >Groeten,
> >natxo
>
>
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
>

-- 
--
Groeten,
natxo
--

[Freeipa-users] Re: pki-tomcatd service stopped

2024-05-24 Thread Alexander Bokovoy via FreeIPA-users

On Fri, 24 May 2024, Natxo Asenjo via FreeIPA-users wrote:

hi,

after a botched update (https://access.redhat.com/solutions/7065748) and
rolling back the changes, this service will not start:

# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
1 service(s) are not running

in journalctl I found these stdout/stderr messages:


May 24 11:40:35 kdc1.sub.domain.tld named[27437]: zone sub.domain.tld/IN:
sending notifies (serial 1716543629)
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: ERROR: Unable to
parse version number: "11.5.0"
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: Traceback (most
recent call last):
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:   File
"/usr/lib/python3.9/site-packages/pki/server/pkiserver.py", line 41, in

May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:
cli.execute(sys.argv)
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:   File
"/usr/lib/python3.9/site-packages/pki/server/cli/__init__.py", line 145, in
execute
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:
super().execute(args)
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:   File
"/usr/lib/python3.9/site-packages/pki/cli/__init__.py", line 217, in execute
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:
module.execute(module_args)
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:   File
"/usr/lib/python3.9/site-packages/pki/server/cli/upgrade.py", line 144, in
execute
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: self.upgrade(
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:   File
"/usr/lib/python3.9/site-packages/pki/server/cli/upgrade.py", line 178, in
upgrade
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:
upgrader.upgrade()
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:   File
"/usr/lib/python3.9/site-packages/pki/upgrade.py", line 481, in upgrade
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: versions =
self.versions()
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:   File
"/usr/lib/python3.9/site-packages/pki/upgrade.py", line 238, in versions
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: current_version
= self.get_current_version()
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:   File
"/usr/lib/python3.9/site-packages/pki/upgrade.py", line 341, in
get_current_version
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: current_version
= self.get_tracker().get_version()
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:   File
"/usr/lib/python3.9/site-packages/pki/upgrade.py", line 141, in get_version
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: return
pki.util.Version(version)
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]:   File
"/usr/lib/python3.9/site-packages/pki/util.py", line 613, in __init__
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: raise
Exception('Unable to parse version number: %s' % obj)
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: Exception: Unable to
parse version number: "11.5.0"


What do you have in /etc/pki/pki.version file? Is it literally

# cat /etc/pki/pki.version
Configuration-Version: "11.5.0"

? If so, then remove quotes around 11.5.0, they are not expected.


May 24 11:40:35 kdc1.sub.domain.tld systemd[1]:
pki-tomcatd@pki-tomcat.service: Control process exited, code=exited,
status=1/FAILURE
May 24 11:40:35 kdc1.sub.domain.tld systemd[1]:
pki-tomcatd@pki-tomcat.service: Failed with result 'exit-code'.
May 24 11:40:35 kdc1.sub.domain.tld systemd[1]: Failed to start PKI Tomcat
Server pki-tomcat.

So it seems something is broken in this upgrade script. This is in
almalinux 9.3
ipa-server-4.10.2-5.el9_3.alma.1.x86_64

I cannot upgrade because I get bitten by the named ldap thing, even though
the versions are newer.

I will create a replica on a rhel host but first I need to get the CA up
and running obviously :-).

Any ideas?

Thanks!

--
regards,

natxo

--
--
Groeten,
natxo





--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
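A check for the tracker value discussed in this thread, added here as an example and not code from the thread or from Dogtag PKI itself: it parses a version tracker file such as /etc/pki/pki.version and reports whether the Configuration-Version would be rejected, including the quoted-value case. Since the traceback comes from `pki-server upgrade`, the key name and delimiter are parameters so the script can be pointed at whichever tracker file the instance actually reads; the expected major.minor.patch format and the regex are assumptions, not the rule inside pki.util.Version.

```python
"""Added diagnostic, not code from the thread or from Dogtag PKI itself.

It parses a version tracker file such as /etc/pki/pki.version and reports
why pki-server would reject the Configuration-Version, e.g. a value that
is wrapped in quotes ("11.5.0") instead of plain 11.5.0.
"""
import re
from typing import Dict, Optional, Tuple

# Assumption: a plain <major>.<minor>.<patch> value is expected, as in the
# rolled-back 11.4.2 that parsed fine. The exact rule inside
# pki.util.Version is not shown in the thread, so this regex is our own.
VERSION_RE = re.compile(r'^(\d+)\.(\d+)\.(\d+)$')


def parse_tracker(text: str, delimiter: str = ':') -> Dict[str, str]:
    """Split 'key<delimiter> value' lines into a dict, skipping blanks and
    comments. delimiter is a parameter because the traceback comes from
    'pki-server upgrade', whose tracker file may use a different layout."""
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        key, sep, value = line.partition(delimiter)
        if not sep:
            raise ValueError('malformed tracker line: %r' % raw)
        fields[key.strip()] = value.strip()
    return fields


def parse_version(value: str) -> Tuple[int, int, int]:
    """Accept only digits and dots; quotes or stray characters are rejected,
    which is the failure mode the journal showed."""
    match = VERSION_RE.match(value)
    if match is None:
        raise ValueError('Unable to parse version number: %s' % value)
    major, minor, patch = (int(g) for g in match.groups())
    return major, minor, patch


def diagnose(text: str, key: str = 'Configuration-Version',
             delimiter: str = ':') -> Tuple[Optional[Tuple[int, int, int]], str]:
    """Return (parsed version or None, verdict) for one tracker file."""
    fields = parse_tracker(text, delimiter)
    value = fields.get(key)
    if value is None:
        return None, '%s key missing' % key
    try:
        return parse_version(value), 'ok'
    except ValueError as exc:
        stripped = value.strip('"\'')
        if stripped != value and VERSION_RE.match(stripped):
            return None, ('%s; the value is wrapped in quotes, '
                          'remove them (expected %s)' % (exc, stripped))
        return None, str(exc)


# Constructed samples modelled on the two values quoted in the thread.
GOOD_FILE = 'Configuration-Version: 11.4.2\n'
QUOTED_FILE = 'Configuration-Version: "11.5.0"\n'

if __name__ == '__main__':
    for sample in (GOOD_FILE, QUOTED_FILE):
        print(diagnose(sample))
```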


[Freeipa-users] Re: pki-tomcatd service stopped

2023-07-07 Thread Rob Crittenden via FreeIPA-users
Polavarapu Manideep Sai wrote:
> Hi Rob,
> 
> Other servers are fine, not expired
> 
> Please let me know if more details required on this
> 
> [root@dir01 ~]# getcert list | grep -i expire
> expires: 2023-11-10 12:17:39 UTC
> expires: 2023-11-10 12:18:15 UTC
> expires: 2024-01-23 09:06:01 UTC
> expires: 2024-01-23 09:06:31 UTC
> expires: 2024-01-23 09:06:11 UTC
> expires: 2024-01-23 09:06:21 UTC
> expires: 2038-04-12 14:15:30 UTC
> expires: 2023-10-19 12:17:37 UTC
> expires: 2023-11-10 12:18:05 UTC

What about the other certificates on the broken CA machine? Does
anything work at all? In particular, replication.

If replication is working then you can re-set your renewal master. This
will make available most of the missing CA certificates. The tomcat
Server-Cert will still be a problem. You can try ipa-cert-fix to correct
that once the others are updated.

Or you can just drop this replica and re-create it since the rest of the
topology is in good shape. That would be a lot less work.

Note that IPA 4.5.0 is no longer supported. You need to start looking to
upgrade to something far newer. That is going to require a number of
step upgrades so it will take some time.

rob

> 
> 
> Regards
> Sai
> 
> 
> -Original Message-
> From: Rob Crittenden 
> Sent: 07 July 2023 22:44
> To: FreeIPA users list ; Florence 
> Blanc-Renaud 
> Cc: Polavarapu Manideep Sai 
> Subject: Re: [Freeipa-users] Re: pki-tomcatd service stopped
> 
> 
> CAUTION. This email originated from outside the organization. Please exercise 
> caution before clicking on links or attachments in case of suspicion or 
> unknown senders.
> 
> 
> 
> 
> Polavarapu Manideep Sai via FreeIPA-users wrote:
>> Hi Florence
>>
>>
>>
>> I have multiple IPA servers. Actually the master server should be the CA
>> renewal master, but when I checked just now it is not; the CA renewal
>> master is showing as the replica server, the same replica server where I
>> am facing this pki-tomcatd service failure issue
>>
>>
>>
>> Not sure how it got changed
>>
>>
>>
>> [root@sai ~]# ipa config-show | grep 'CA renewal master'
>>
>>   IPA CA renewal master: dires01.ipa.domain.com
>>
>>
>>
>> My CA renewal master should be : aaa01.ipa.domain.com
>>
>>
>>
>> Please let us know for more details
> 
> What is the condition of certificates on the other servers? Are they also 
> expired? Using `getcert list` is an easier way to get the expiration times 
> for all tracked certs.
> 
> rob
> 
>>
>>
>>
>>
>>
>> Regards
>>
>> Sai
>>
>>
>>
>>
>>
>> *From:*Florence Blanc-Renaud 
>> *Sent:* 07 July 2023 17:22
>> *To:* FreeIPA users list 
>> *Cc:* Polavarapu Manideep Sai 
>> *Subject:* Re: [Freeipa-users] pki-tomcatd service stopped
>>
>>
>>
>>
>>
>>
>>
>>
>> Hi,
>>
>>
>>
>> we need more details in order to help you. Do you have a single IPA
>> server or multiple servers? Which one is the CA renewal master?
>>
>> flo
>>
>>
>>
>> On Fri, Jul 7, 2023 at 10:02 AM Polavarapu Manideep Sai via
>> FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>>
>> Hi Team,
>>
>>
>>
>> As we checked, the pki-tomcatd service was stopped; it is not possible to
>> set the clock back as the other certificates will not be valid
>>
>>
>>
>> PFB details, please let us know if more details required on this
>>
>>
>>
>> As you can see, we get "Unable to communicate with CMS (404)" when
>> performing ipa cert-show for the serial number; the ipa version is VERSION: 4.5.0
>>
>>
>>
>> Please guide us to proceed further
>>
>>
>>
>>
>>
>> [root@sai ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n
>> "Server-Cert cert-pki-ca" |grep -i after
>>
>> Not After : Mon Jan 10 06:35:46 2022
>>
>> [root@sai ~]#
>>
>> [root@sai ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n
>> "Server-Cert cert-pki-ca" |grep -i before
>>
>> Not Before: Tue Jan 21 06:35:46 2020
>>
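The expiry lines pasted in this thread, the `expires:` lines from `getcert list` and the `Not After :` line from `certutil -L`, can be triaged mechanically; the helper below is an added example, not code from the thread or from FreeIPA. It assumes certutil's zone-less local time can be treated as UTC, and the sample lines and reference date are constructed from the values quoted above.

```python
"""Added triage helper, not code from the thread or from FreeIPA.

It parses the two kinds of expiry lines pasted in this thread, 'expires:'
from `getcert list` and 'Not After :' from `certutil -L`, and classifies
each certificate as expired, expiring soon, or ok relative to a chosen
reference time.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

GETCERT_RE = re.compile(r'expires:\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC')
CERTUTIL_RE = re.compile(r'Not After\s*:\s*(.+?)\s*$')


def parse_expiry(line: str) -> Optional[datetime]:
    """Return the expiry as an aware UTC datetime, or None for other lines.
    getcert prints UTC explicitly; certutil prints local time without a
    zone, so treating it as UTC is an assumption (at worst a few hours off,
    which does not change an 'expired' verdict on a 2022 date)."""
    m = GETCERT_RE.search(line)
    if m:
        return datetime.strptime(m.group(1), '%Y-%m-%d %H:%M:%S').replace(
            tzinfo=timezone.utc)
    m = CERTUTIL_RE.search(line)
    if m:
        return datetime.strptime(m.group(1), '%a %b %d %H:%M:%S %Y').replace(
            tzinfo=timezone.utc)
    return None


def triage(lines: List[str], now: datetime,
           warn_days: int = 30) -> List[Tuple[str, str, int]]:
    """Classify every expiry line; returns (expiry ISO, state, days left)."""
    results = []
    for line in lines:
        expiry = parse_expiry(line)
        if expiry is None:
            continue
        remaining = expiry - now
        if remaining <= timedelta(0):
            state = 'expired'
        elif remaining <= timedelta(days=warn_days):
            state = 'expiring'
        else:
            state = 'ok'
        results.append((expiry.isoformat(), state, remaining.days))
    return results


# Constructed sample lines copied from the outputs quoted in the thread.
SAMPLE_LINES = [
    'Not After : Mon Jan 10 06:35:46 2022',   # certutil on the broken CA
    'Not Before: Tue Jan 21 06:35:46 2020',   # not an expiry line, skipped
    'expires: 2023-10-19 12:17:37 UTC',       # getcert list on a healthy server
    'expires: 2023-11-10 12:17:39 UTC',
    'expires: 2038-04-12 14:15:30 UTC',
]
# Reference time: the day the thread was posted (constructed).
NOW = datetime(2023, 7, 7, 12, 0, 0, tzinfo=timezone.utc)


def run_sample() -> List[Tuple[str, str, int]]:
    """Triage the sample with a 120-day warning window."""
    return triage(SAMPLE_LINES, NOW, warn_days=120)


if __name__ == '__main__':
    for expiry, state, days in run_sample():
        print('%-25s %-9s %5d days' % (expiry, state, days))
```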

[Freeipa-users] Re: pki-tomcatd service stopped

2023-07-07 Thread Polavarapu Manideep Sai via FreeIPA-users
Hi Rob,

Other servers are fine, not expired

Please let me know if more details required on this

[root@dir01 ~]# getcert list | grep -i expire
expires: 2023-11-10 12:17:39 UTC
expires: 2023-11-10 12:18:15 UTC
expires: 2024-01-23 09:06:01 UTC
expires: 2024-01-23 09:06:31 UTC
expires: 2024-01-23 09:06:11 UTC
expires: 2024-01-23 09:06:21 UTC
expires: 2038-04-12 14:15:30 UTC
expires: 2023-10-19 12:17:37 UTC
expires: 2023-11-10 12:18:05 UTC


Regards
Sai


-Original Message-
From: Rob Crittenden 
Sent: 07 July 2023 22:44
To: FreeIPA users list ; Florence 
Blanc-Renaud 
Cc: Polavarapu Manideep Sai 
Subject: Re: [Freeipa-users] Re: pki-tomcatd service stopped






Polavarapu Manideep Sai via FreeIPA-users wrote:
> Hi Florence
>
>
>
> I have multiple IPA servers. Actually the master server should be the CA
> renewal master, but when I checked just now it is not; the CA renewal
> master is showing as the replica server, the same replica server where I
> am facing this pki-tomcatd service failure issue
>
>
>
> Not sure how it got changed
>
>
>
> [root@sai ~]# ipa config-show | grep 'CA renewal master'
>
>   IPA CA renewal master: dires01.ipa.domain.com
>
>
>
> My CA renewal master should be : aaa01.ipa.domain.com
>
>
>
> Please let us know for more details

What is the condition of certificates on the other servers? Are they also 
expired? Using `getcert list` is an easier way to get the expiration times for 
all tracked certs.

rob

>
>
>
>
>
> Regards
>
> Sai
>
>
>
>
>
> *From:*Florence Blanc-Renaud 
> *Sent:* 07 July 2023 17:22
> *To:* FreeIPA users list 
> *Cc:* Polavarapu Manideep Sai 
> *Subject:* Re: [Freeipa-users] pki-tomcatd service stopped
>
>
>
>
>
>
>
>
> Hi,
>
>
>
> we need more details in order to help you. Do you have a single IPA
> server or multiple servers? Which one is the CA renewal master?
>
> flo
>
>
>
> On Fri, Jul 7, 2023 at 10:02 AM Polavarapu Manideep Sai via
> FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>
> Hi Team,
>
>
>
> As we checked, the pki-tomcatd service was stopped; it is not possible to
> set the clock back as the other certificates will not be valid
>
>
>
> PFB details, please let us know if more details required on this
>
>
>
> As you can see, we get "Unable to communicate with CMS (404)" when
> performing ipa cert-show for the serial number; the ipa version is VERSION: 4.5.0
>
>
>
> Please guide us to proceed further
>
>
>
>
>
> [root@sai ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n
> "Server-Cert cert-pki-ca" |grep -i after
>
> Not After : Mon Jan 10 06:35:46 2022
>
> [root@sai ~]#
>
> [root@sai ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n
> "Server-Cert cert-pki-ca" |grep -i before
>
> Not Before: Tue Jan 21 06:35:46 2020
>
> [root@sai ~]#
>
> [root@sai ~]#
>
> [root@sai ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n
> "Server-Cert cert-pki-ca" |grep -i serial
>
> Serial Number: 80 (0x50)
>
> [root@sai ~]#
>
> [root@sai ~]#
>
> [root@sai ~]# ipa cert-show 80
>
> ipa: ERROR: Certificate operation cannot be completed: Unable to
> communicate with CMS (404)
>
> [root@sai ~]#
>
> [root@sai ~]#
>
> [root@sai ~]# # Not possible to reset clock back , because other
> certificates were not valid
>
> [root@sai ~]#
>
> [root@sai ~]#
>
> [root@sai ~]#
>
> [root@sai ~]# ipa --version
>
> VERSION: 4.5.0, API_VERSION: 2.228
>
> [root@sai ~]#
>
> [root@sai ~]#
>
>
>
> Regards
>
> Sai
>
>
>
>
> --
> --
>
>
> DISCLAIMER: The information in this message is confidential and may
> be legally privileged. It is intended solely for the addressee.
> Access to this message by anyone else is unauthorized. If you are
> not the intended recipient, any disclosure, copying, or distribution
> of the message, or any action or omission taken by you in reliance
> on it, is pro

[Freeipa-users] Re: pki-tomcatd service stopped

2023-07-07 Thread Rob Crittenden via FreeIPA-users
Polavarapu Manideep Sai via FreeIPA-users wrote:
> Hi Florence
> 
>  
> 
> I have multiple IPA servers. Actually the master server should be the CA
> renewal master, but when I checked just now it is not; the CA renewal master
> is showing as the replica server, the same replica server where I am facing
> this pki-tomcatd service failure issue
> 
>  
> 
> Not sure how it got changed
> 
>  
> 
> [root@sai ~]# ipa config-show | grep 'CA renewal master'
> 
>   IPA CA renewal master: dires01.ipa.domain.com
> 
>  
> 
> My CA renewal master should be : aaa01.ipa.domain.com
> 
>  
> 
> Please let us know for more details

What is the condition of certificates on the other servers? Are they
also expired? Using `getcert list` is an easier way to get the
expiration times for all tracked certs.

rob

> 
>  
> 
>  
> 
> Regards
> 
> Sai
> 
>  
> 
>  
> 
> *From:*Florence Blanc-Renaud 
> *Sent:* 07 July 2023 17:22
> *To:* FreeIPA users list 
> *Cc:* Polavarapu Manideep Sai 
> *Subject:* Re: [Freeipa-users] pki-tomcatd service stopped
> 
>  
> 
>   
> 
> 
>   
> 
> Hi,
> 
>  
> 
> we need more details in order to help you. Do you have a single IPA
> server or multiple servers? Which one is the CA renewal master?
> 
> flo
> 
>  
> 
> On Fri, Jul 7, 2023 at 10:02 AM Polavarapu Manideep Sai via
> FreeIPA-users wrote:
> 
> Hi Team,
> 
>  
> 
> As we checked, the pki-tomcatd service was stopped; it is not possible to
> set the clock back as the other certificates will not be valid
> 
>  
> 
> PFB details, please let us know if more details required on this
> 
>  
> 
> As you can see, we get "Unable to communicate with CMS (404)" when
> performing ipa cert-show for the serial number; the ipa version is VERSION: 4.5.0
> 
>  
> 
> Please guide us to proceed further
> 
>  
> 
>  
> 
> [root@sai ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n
> "Server-Cert cert-pki-ca" |grep -i after
> 
>     Not After : Mon Jan 10 06:35:46 2022
> 
> [root@sai ~]#
> 
> [root@sai ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n
> "Server-Cert cert-pki-ca" |grep -i before
> 
>     Not Before: Tue Jan 21 06:35:46 2020
> 
> [root@sai ~]#
> 
> [root@sai ~]#
> 
> [root@sai ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n
> "Server-Cert cert-pki-ca" |grep -i serial
> 
>     Serial Number: 80 (0x50)
> 
> [root@sai ~]#
> 
> [root@sai ~]#
> 
> [root@sai ~]# ipa cert-show 80
> 
> ipa: ERROR: Certificate operation cannot be completed: Unable to
> communicate with CMS (404)
> 
> [root@sai ~]#
> 
> [root@sai ~]#
> 
> [root@sai ~]# # Not possible to reset clock back , because other
> certificates were not valid
> 
> [root@sai ~]#
> 
> [root@sai ~]#
> 
> [root@sai ~]#
> 
> [root@sai ~]# ipa --version
> 
> VERSION: 4.5.0, API_VERSION: 2.228
> 
> [root@sai ~]#
> 
> [root@sai ~]#
> 
>  
> 
> Regards
> 
> Sai
> 
>  
> 
> 
> 
> 
> 
> 
> 
> 
> 

[Freeipa-users] Re: pki-tomcatd service stopped

2023-07-07 Thread Polavarapu Manideep Sai via FreeIPA-users
Hi Florence

I have multiple IPA servers. Actually the master server should be the CA renewal
master, but when I checked just now it is not; the CA renewal master is showing
as the replica server, the same replica server where I am facing this pki-tomcatd
service failure issue

Not sure how it got changed

[root@sai ~]# ipa config-show | grep 'CA renewal master'
  IPA CA renewal master: dires01.ipa.domain.com

My CA renewal master should be : aaa01.ipa.domain.com

Please let us know for more details


Regards
Sai


From: Florence Blanc-Renaud 
Sent: 07 July 2023 17:22
To: FreeIPA users list 
Cc: Polavarapu Manideep Sai 
Subject: Re: [Freeipa-users] pki-tomcatd service stopped





Hi,

we need more details in order to help you. Do you have a single IPA server or 
multiple servers? Which one is the CA renewal master?
flo

On Fri, Jul 7, 2023 at 10:02 AM Polavarapu Manideep Sai via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:
Hi Team,

As we checked, the pki-tomcatd service was stopped; it is not possible to set the
clock back as the other certificates will not be valid

PFB details, please let us know if more details required on this

As you can see, we get "Unable to communicate with CMS (404)" when performing ipa
cert-show for the serial number; the ipa version is VERSION: 4.5.0

Please guide us to proceed further


[root@sai ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n "Server-Cert 
cert-pki-ca" |grep -i after
Not After : Mon Jan 10 06:35:46 2022
[root@sai ~]#
[root@sai ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n "Server-Cert 
cert-pki-ca" |grep -i before
Not Before: Tue Jan 21 06:35:46 2020
[root@sai ~]#
[root@sai ~]#
[root@sai ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n "Server-Cert 
cert-pki-ca" |grep -i serial
Serial Number: 80 (0x50)
[root@sai ~]#
[root@sai ~]#
[root@sai ~]# ipa cert-show 80
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate 
with CMS (404)
[root@sai ~]#
[root@sai ~]#
[root@sai ~]# # Not possible to reset clock back , because other certificates 
were not valid
[root@sai ~]#
[root@sai ~]#
[root@sai ~]#
[root@sai ~]# ipa --version
VERSION: 4.5.0, API_VERSION: 2.228
[root@sai ~]#
[root@sai ~]#

Regards
Sai







[Freeipa-users] Re: pki-tomcatd service stopped

2023-07-07 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,

We need more details in order to help you. Do you have a single IPA server
or multiple servers? Which one is the CA renewal master?
flo

On Fri, Jul 7, 2023 at 10:02 AM Polavarapu Manideep Sai via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hi Team,
>
> As we checked, the pki-tomcatd service was stopped; it is not possible to set
> the clock back as other certificates will not be valid.
>
> PFB details, please let us know if more details are required on this.
>
> As you can see, we get "Unable to communicate with CMS (404)" when performing
> ipa cert-show for the serial no.; the ipa version is VERSION: 4.5.0
>
> Please guide us to proceed further.
>
> [root@sai ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca" |grep -i after
> Not After : Mon Jan 10 06:35:46 2022
> [root@sai ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca" |grep -i before
> Not Before: Tue Jan 21 06:35:46 2020
> [root@sai ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca" |grep -i serial
> Serial Number: 80 (0x50)
> [root@sai ~]# ipa cert-show 80
> ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404)
> [root@sai ~]# # Not possible to reset clock back , because other certificates were not valid
> [root@sai ~]# ipa --version
> VERSION: 4.5.0, API_VERSION: 2.228
>
> Regards
>
> Sai
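
The post above shows a CA server certificate ("Server-Cert cert-pki-ca") whose Not After date has passed, which is why pki-tomcatd no longer starts and `ipa cert-show` gets a 404 from CMS. As an added example that is not part of the thread, the following Python parses the same Not Before / Not After lines the post greps out of `certutil -L` and classifies the certificate, so an approaching expiry can be flagged well before the CA stops answering. It assumes certutil's timestamps are UTC (certutil prints them without a zone) and that nss-tools is installed for the live check; the sample output is constructed from the post's values.

```python
from datetime import datetime, timedelta, timezone
import re
import subprocess

# Constructed sample of the lines certutil -L prints; dates and serial mirror the post.
SAMPLE_CERTUTIL_OUTPUT = """\
Certificate:
    Data:
        Serial Number: 80 (0x50)
        Validity:
            Not Before: Tue Jan 21 06:35:46 2020
            Not After : Mon Jan 10 06:35:46 2022
"""

# certutil prints e.g. "Mon Jan 10 06:35:46 2022" with no zone; assumed UTC here.
_DATE_FMT = "%a %b %d %H:%M:%S %Y"

def _as_utc(value):
    """Accept a datetime or an ISO-8601 string and return an aware UTC datetime."""
    if isinstance(value, str):
        value = datetime.fromisoformat(value)
    return value if value.tzinfo else value.replace(tzinfo=timezone.utc)

def parse_validity(certutil_text):
    """Return (serial, not_before, not_after) from certutil -L output."""
    serial = re.search(r"Serial Number:\s*(\d+)", certutil_text)
    before = re.search(r"Not Before:\s*(.+)", certutil_text)
    after = re.search(r"Not After\s*:\s*(.+)", certutil_text)  # note the space before ':'
    if not (serial and before and after):
        raise ValueError("certutil output lacks serial/validity lines")
    nb = _as_utc(datetime.strptime(before.group(1).strip(), _DATE_FMT))
    na = _as_utc(datetime.strptime(after.group(1).strip(), _DATE_FMT))
    return int(serial.group(1)), nb, na

def classify(certutil_text, now, warn_days=30):
    """'not-yet-valid', 'expired', 'expiring' (within warn_days) or 'ok' at time `now`."""
    now = _as_utc(now)
    _, nb, na = parse_validity(certutil_text)
    if now < nb:
        return "not-yet-valid"
    if now >= na:
        return "expired"
    return "expiring" if na - now <= timedelta(days=warn_days) else "ok"

def check_nss_cert(nssdb="/etc/pki/pki-tomcat/alias", nick="Server-Cert cert-pki-ca"):
    """Run certutil (nss-tools) against a live NSS database and classify the cert."""
    out = subprocess.run(["certutil", "-L", "-d", nssdb, "-n", nick],
                         check=True, capture_output=True, text=True).stdout
    return classify(out, datetime.now(timezone.utc))
```

Run `check_nss_cert()` from a cron job or monitoring check on each CA replica and alert on anything other than "ok"; the 404 in the post is what you see once the answer has already become "expired".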