Hi FreeIPA,

I am currently using FreeIPA version 4.9.10 with 6 ipareplicas. I went to upgrade the server to 4.9.11 but the ipa-server-upgrade failed where it attempted to start pki-tomcat. In the /var/log/pki/pki-tomcat/ca/debug.log I see:
    Unable to connect to LDAP server: Unable to create socket: java.net.ConnectException: Connection refused (Connection refused) … at netscape.ldap.LDAPConnection(Unknown Source)
    Unable to start CA engine: Unable to connect to LDAP server: Unable to create socket: java.net.ConnectException: Connection refused (Connection refused) …

I've been through the guide https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/ where I can confirm the /etc/pki/pki-tomcat/ca/CS.cfg is using:

    internaldb.ldapauth.authtype=SslClientAuth
    internaldb.ldapauth.bindDN=cn=Directory Manager
    internaldb.ldapauth.bindPWPrompt=internaldb
    internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
    internaldb.ldapconn.host=<servername>
    internaldb.ldapconn.port=636
    internaldb.ldapconn.secureConn=true

certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' shows the cert with the correct serial number and the cert does not expire until next year.

If I read the private key, I have checked the Nickname is correct and does work on another ipareplica but not the one I'm troubleshooting:

    grep internal /var/lib/pki/pki-tomcat/conf/password.conf | cut -d= -f2 > /tmp/pwdfile.txt
    certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'subsystemCert cert-pki-ca'
    certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
    certutil: problem listing keys: SEC_ERROR_INVALID_ARGS: security library: invalid arguments.

The LDAP server configuration looks to be using the correct certificate. I rolled back the server to my last known working server, and find that commands such as ipa cert-find work fine, all my replicas have the same cert, but the command certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'subsystemCert cert-pki-ca' fails on 4 out of 6 ipareplicas. 2 replicas see the correct result. Could anyone help point me to how I might resolve this issue?
Many Thanks,
Tania

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
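A replica-side health check for the settings the post walks through, as an added example that is not from the post or the FreeIPA project: it parses the internaldb.* keys from CS.cfg, flags anything that would weaken the CA's LDAP connection (non-TLS port, no client-cert auth, wrong nickname), and classifies certutil -K output so the same script can be run on all six replicas and the results compared. The file paths and nickname are the ones in the post; the function names and the sample config are mine.

```python
"""Check a replica's pki-tomcat CA LDAP settings and subsystem private key.
Added example, not from the post: paths are the post's, function names mine."""
import os, re, subprocess, tempfile
CS_CFG = "/etc/pki/pki-tomcat/ca/CS.cfg"
NSSDB = "/etc/pki/pki-tomcat/alias"
PWFILE = "/var/lib/pki/pki-tomcat/conf/password.conf"
NICK = "subsystemCert cert-pki-ca"
SAMPLE_CFG = """\
internaldb.ldapauth.authtype=SslClientAuth
internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
internaldb.ldapconn.port=636
internaldb.ldapconn.secureConn=true
"""  # constructed sample with the values the post shows as correct

def parse_internaldb(cfg_text: str) -> dict:
    """Return the internaldb.* key/value pairs from CS.cfg text."""
    pairs = (l.split("=", 1) for l in cfg_text.splitlines()
             if l.startswith("internaldb.") and "=" in l)
    return {k.strip(): v.strip() for k, v in pairs}

def check_internaldb(db: dict, nick: str = NICK) -> list:
    """Findings where CS.cfg deviates from TLS + client-cert auth on port 636."""
    expected = {"internaldb.ldapconn.secureConn": "true",
                "internaldb.ldapconn.port": "636",
                "internaldb.ldapauth.authtype": "SslClientAuth",
                "internaldb.ldapauth.clientCertNickname": nick}
    return [f"{k}={db.get(k)!r}, expected {v!r}"
            for k, v in expected.items() if db.get(k) != v]

def classify_certutil_k(output: str) -> str:
    """'ok' if a key is listed, 'key-unreadable' on the post's error, else 'no-key'."""
    if "SEC_ERROR_INVALID_ARGS" in output:
        return "key-unreadable"
    if re.search(r"^<\s*\d+>\s+(rsa|ec)\b", output, re.M):
        return "ok"
    return "no-key"

def run_checks(nick: str = NICK) -> dict:
    """Run as root on one replica; compare the returned dict across all replicas."""
    with open(CS_CFG) as f:
        findings = check_internaldb(parse_internaldb(f.read()), nick)
    with open(PWFILE) as f:  # the 'internal' password the post extracts with grep/cut
        pw = next(l.split("=", 1)[1].strip() for l in f if l.startswith("internal="))
    with tempfile.NamedTemporaryFile("w", delete=False) as tmp:  # created mode 0600
        tmp.write(pw)
    try:
        res = subprocess.run(["certutil", "-K", "-d", NSSDB, "-f", tmp.name, "-n", nick],
                             capture_output=True, text=True)
    finally:
        os.unlink(tmp.name)
    return {"findings": findings, "key": classify_certutil_k(res.stdout + res.stderr)}
```

run_checks() needs root to read password.conf and shells out to certutil; only the parsing and classification functions run offline.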