[Freeipa-users] Re: Failed to start pki-tomcatd Service - javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
On 04/04/2018 04:16 PM, lejeczek via FreeIPA-users wrote:
> On 04/04/18 12:43, Florence Blanc-Renaud wrote:
>> You need to check which server is your renewal master (ipa config-show | grep 'IPA CA renewal master'), then make sure that the certs were properly renewed on this master (check consistency between /etc/pki/pki-tomcat/alias, the certs in cn=certificates,cn=ipa,cn=etc,$BASEDN, and the content in /etc/pki/pki-tomcat/ca/CS.cfg).
>
> I have only one cert, a
> ipaCertSubject: CN=Certificate Authority,O=PRIVATE.CCNR.CEB.PRIVATE.CAM.AC.UK
> which seems to correspond with:
> $ certutil -L -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'caSigningCert cert-pki-ca'

The renewed certificates (if any) can be found in LDAP below cn=ca_renewal,cn=ipa,cn=etc,$BASEDN. If your replication got broken at one point, you need to check on different masters.

> which is also in /etc/pki/pki-tomcat/ca/CS.cfg, and that is: ca.signing.cert
> which is different from ca.subsystem.cert
> But I'd imagine that's expected(?)
>
> New CA master renewing server still fails:
> ...
> [04/Apr/2018:15:14:44][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
> [04/Apr/2018:15:14:44][localhost-startStop-1]: Candidate cert: Server-Cert cert-pki-ca
> [04/Apr/2018:15:14:44][localhost-startStop-1]: Candidate cert: caSigningCert cert-pki-ca
> [04/Apr/2018:15:14:44][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null
> [04/Apr/2018:15:14:44][localhost-startStop-1]: SSL handshake happened
> Could not connect to LDAP server host whale port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
> ...
>
> It seems that these certs are as they should be. How can I troubleshoot it further? Can logs verbosity be upped?

You can add verbosity by creating this file:
$ cat /etc/ipa/server.conf
[global]
debug=True

then restart ipa stack. This will add information in httpd's logs.

HTH,
Flo

> Many thanks, L.
___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
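The debug excerpt quoted in the message above can be triaged mechanically. This Python sketch is an added example, not code from the thread or from the PKI project: it groups the certificate-selection records and reports which nicknames were offered, what was returned, and the LDAP error that followed. The sample log is reconstructed from the quoted excerpt, the function names are illustrative, and `expected_nick` is an assumption to adjust for your deployment.

```python
import re

# Constructed sample: the debug excerpt quoted in the thread, one record per line.
SAMPLE_DEBUG_LOG = """\
[04/Apr/2018:15:14:44][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
[04/Apr/2018:15:14:44][localhost-startStop-1]: Candidate cert: Server-Cert cert-pki-ca
[04/Apr/2018:15:14:44][localhost-startStop-1]: Candidate cert: caSigningCert cert-pki-ca
[04/Apr/2018:15:14:44][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null
[04/Apr/2018:15:14:44][localhost-startStop-1]: SSL handshake happened
Could not connect to LDAP server host whale port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
"""

PREFIX = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]:\s*")
# The log spells the callback "Certificat" on the Entering line and
# "Certificate" on the returning line, so the final "e" is optional.
ENTER = re.compile(r"SSLClientCertificate?SelectionCB: Entering!")
RETURNING = re.compile(r"SSLClientCertificate?SelectionCB: returning:\s*(?P<nick>.+?)\s*$")
CANDIDATE = re.compile(r"Candidate cert:\s*(?P<nick>.+?)\s*$")
LDAP_FAIL = re.compile(
    r"Could not connect to LDAP server host (?P<host>\S+) port (?P<port>\d+)"
    r" Error (?P<err>.+?)\s*$"
)


def analyse_debug_log(text, expected_nick="subsystemCert cert-pki-ca"):
    """Return one dict per client-certificate selection found in the log.

    expected_nick is an assumption: the nickname the CA is expected to
    present to the directory server.
    """
    attempts = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        prefix = PREFIX.match(line)
        msg = line[prefix.end():] if prefix else line
        if ENTER.search(msg):
            current = {
                "ts": prefix.group("ts") if prefix else None,
                "candidates": [],
                "selected": None,
                "expected_offered": False,
                "ldap_host": None,
                "ldap_error": None,
            }
            attempts.append(current)
            continue
        if current is None:
            continue  # no selection seen yet, nothing to attach this line to
        cand = CANDIDATE.search(msg)
        if cand:
            nick = cand.group("nick")
            current["candidates"].append(nick)
            if nick.lower() == expected_nick.lower():
                current["expected_offered"] = True
            continue
        ret = RETURNING.search(msg)
        if ret:
            nick = ret.group("nick")
            current["selected"] = None if nick == "null" else nick
            continue
        fail = LDAP_FAIL.search(msg)
        if fail:
            # The failure record carries no timestamp prefix; attach it to
            # the most recent selection.
            current["ldap_host"] = fail.group("host")
            current["ldap_error"] = fail.group("err")
    return attempts


def summarise(attempt, expected_nick="subsystemCert cert-pki-ca"):
    """Turn one attempt into a short triage line."""
    if attempt["selected"] is not None and attempt["ldap_error"] is None:
        return "ok: presented %r" % attempt["selected"]
    parts = []
    if attempt["selected"] is None:
        parts.append("no client certificate selected")
    if not attempt["expected_offered"]:
        parts.append("%r not among candidates %s"
                     % (expected_nick, attempt["candidates"]))
    if attempt["ldap_error"]:
        parts.append("LDAP bind to %s failed: %s"
                     % (attempt["ldap_host"], attempt["ldap_error"]))
    return "; ".join(parts)


if __name__ == "__main__":
    for a in analyse_debug_log(SAMPLE_DEBUG_LOG):
        print(a["ts"], summarise(a))
```
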
[Freeipa-users] Re: Failed to start pki-tomcatd Service - javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
On 04/04/2018 03:21 PM, lejeczek via FreeIPA-users wrote:
> On 04/04/18 12:43, Florence Blanc-Renaud wrote:
>> Hi,
>>
>> CA_WORKING means that certmonger's helper is trying to download the certificate from LDAP, but does not find new certs.
>> In topologies with multiple servers, only one server is the renewal master. When one of auditSigningCert cert-pki-ca, ocspSigningCert cert-pki-ca, subsystemCert cert-pki-ca or caSigningCert cert-pki-ca expires, the renewal master is the one that actually handles the renewal, and the other masters simply download the new certs from LDAP.
>>
>> You need to check which server is your renewal master (ipa config-show | grep 'IPA CA renewal master'), then make sure that the certs were properly renewed on this master (check consistency between /etc/pki/pki-tomcat/alias, the certs in cn=certificates,cn=ipa,cn=etc,$BASEDN, and the content in /etc/pki/pki-tomcat/ca/CS.cfg).
>>
>> Then check that replication is working between the renewal master and the other masters. If the replication is broken, the certs will not be copied on the other masters and the download will not detect new certificates.
>>
>> HTH,
>
> I also see differences here in case it matters (and then what to do about it):
>
> on rider:
> Replica Update Vectors:
>     rider.private:389: 71
>     whale.private:389: 91
> Certificate Server Replica Update Vectors:
>     rider.private:389: 1075
>     whale.private:389: 1170
>
> on whale:
> Replica Update Vectors:
>     whale.private:389: 91
>     rider.private:389: 71
> Certificate Server Replica Update Vectors:
>     whale.private:389: 1170
>
> Also on whale host I see:
> ..
> [04/Apr/2018:14:19:28.872403514 +0100] - WARN - NSMMReplicationPlugin - repl5_inc_run - agmt="cn=cloneAgreement1-whale.private-pki-tomcat" (rider:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
>
> even though on rider I did:
> $ ipa-replica-manage re-initialize --from

The replication handles 2 different suffixes, one for IdM data (below dc=domain,dc=com), and one for CA data (below o=ipaca). In your case, the replication of CA data is broken and the right command to fix that is ipa-csreplica-manage re-initialize instead of ipa-replica-manage re-initialize.

Flo
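The per-suffix comparison in the exchange above can be scripted. This Python sketch is an added example, not part of the thread or of FreeIPA: it parses the two listings in the layout pasted in the message (sample text reconstructed from it), reports which server is missing from which host's view of each suffix, and maps the suffix to the tool family named in the reply. Function names are illustrative, and a missing entry is a hint to investigate, not proof of a broken agreement.

```python
import re

# Constructed sample: the per-host listings pasted in the thread.
LISTINGS = {
    "rider": """\
Replica Update Vectors:
    rider.private:389: 71
    whale.private:389: 91
Certificate Server Replica Update Vectors:
    rider.private:389: 1075
    whale.private:389: 1170
""",
    "whale": """\
Replica Update Vectors:
    whale.private:389: 91
    rider.private:389: 71
Certificate Server Replica Update Vectors:
    whale.private:389: 1170
""",
}

# Section headers as they appear in the listing, mapped to the suffix each
# one describes (IdM data versus CA data, per the reply in the thread).
SECTIONS = {
    "Replica Update Vectors:": "domain",
    "Certificate Server Replica Update Vectors:": "ca",
}
# Tool family per suffix, as named in the reply.
TOOL = {"domain": "ipa-replica-manage", "ca": "ipa-csreplica-manage"}

ENTRY = re.compile(r"^\s*(?P<host>[\w.-]+):(?P<port>\d+):\s*(?P<rid>\d+)\s*$")


def parse_ruv_listing(text):
    """Return {suffix: {hostname: replica_id}} for one host's listing."""
    view = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in SECTIONS:
            current = SECTIONS[stripped]
            view.setdefault(current, {})
            continue
        entry = ENTRY.match(line)
        if entry and current is not None:
            view[current][entry.group("host")] = int(entry.group("rid"))
    return view


def find_gaps(listings):
    """listings maps observer host -> listing text.

    Returns (suffix, observer, missing_host) for every server that some
    host knows about on a suffix but the observer does not list.
    """
    views = {host: parse_ruv_listing(text) for host, text in listings.items()}
    gaps = []
    for suffix in ("domain", "ca"):
        known = set()
        for view in views.values():
            known |= set(view.get(suffix, {}))
        for observer in sorted(views):
            seen = set(views[observer].get(suffix, {}))
            for missing in sorted(known - seen):
                gaps.append((suffix, observer, missing))
    return gaps


def advise(listings):
    """One human-readable line per gap, naming the tool for that suffix."""
    return [
        "%s suffix: %s lists no entry for %s; the matching tool is %s"
        % (suffix, observer, missing, TOOL[suffix])
        for suffix, observer, missing in find_gaps(listings)
    ]


if __name__ == "__main__":
    for line in advise(LISTINGS):
        print(line)
```
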
[Freeipa-users] Re: Failed to start pki-tomcatd Service - javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
On 04/04/2018 02:49 PM, lejeczek via FreeIPA-users wrote:
> On 04/04/18 12:43, Florence Blanc-Renaud wrote:
>> On 04/04/2018 12:37 PM, lejeczek via FreeIPA-users wrote:
>>> On 04/04/18 09:36, Florence Blanc-Renaud wrote:
>>>> On 04/03/2018 08:37 PM, lejeczek wrote:
>>>>> On 29/03/18 12:43, Florence Blanc-Renaud wrote:
>>>>>> On 03/28/2018 12:42 PM, lejeczek via FreeIPA-users wrote:
>>>>>>> hi guys,
>>>>>>> I fail to troubleshoot this here:
>>>>>>>
>>>>>>> $ ipactl start --ignore-service-failures
>>>>>>> Starting Directory Service
>>>>>>> Starting krb5kdc Service
>>>>>>> Starting kadmin Service
>>>>>>> Starting named Service
>>>>>>> Starting httpd Service
>>>>>>> Starting ipa-custodia Service
>>>>>>> Starting ntpd Service
>>>>>>> Starting pki-tomcatd Service
>>>>>>> Failed to start pki-tomcatd Service
>>>>>>> Forced start, ignoring pki-tomcatd Service, continuing normal operation
>>>>>>
>>>>>> Hi,
>>>>>> pki-tomcatd may fail to start when the subsystemCert cert-pki-ca did not properly get renewed. Please find more information in this blog:
>>>>>> https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
>>>>>> Flo
>>>>>>
>>>>>>> Starting ipa-otpd Service
>>>>>>> Starting ipa-dnskeysyncd Service
>>>>>>> ipa: INFO: The ipactl command was successful
>>>>>>>
>>>>>>> logs in /var/log/pki/pki-tomcat:
>>>>>>> localhost.2018-03-28.log
>>>>>>> ...
>>>>>>> Mar 28, 2018 11:35:14 AM org.apache.catalina.core.StandardHostValve invoke
>>>>>>> SEVERE: Exception Processing /ca/admin/ca/getStatus
>>>>>>> javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
>>>>>>>     at com.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145)
>>>>>>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:500)
>>>>>>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
>>>>>>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>>>>>>>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
>>>>>>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>>>>>>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
>>>>>>>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)
>>>>>>>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
>>>>>>>     at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
>>>>>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>>>>>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>>>>>>>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>>>>     at java.lang.Thread.run(Thread.java:748)
>>>>>>>
>>>>>>> in catalina.2018-03-28.log:
>>>>>>> ...
>>>>>>> Mar 28, 2018 11:41:35 AM org.apache.catalina.core.ContainerBase backgroundProcess
>>>>>>> WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@1e572093 background process
>>>>>>> javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
>>>>>>>     at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
>>>>>>>     at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
>>>>>>>     at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
>>>>>>>     at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
>>>>>>>     at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
>>>>>>>     at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
>>>>>>>     at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
>>>>>>>     at java.lang.Thread.run(Thread.java:748)
>>>>>>>
>>>>>>> Would you be able to conclude anything from those errors? What might be a problem?
>>>>>>> many thanks, L.
>>>>>
>>>>> I have followed those instructions from the link and it seems that both certutil & ldap have the same certificate.
>>>>> However I also see:
>>>>>
>>>>> $ sudo journalctl -lf -o cat -u dirsrv@
>>>>> ...
>>>>> GSSAPI client step 1
>>>>> GSSAPI client step 1
>>>>> GSSAPI client step 2
>>>>> [03/Apr/2018:19:30:53.962565693 +0100] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error)
>>>>> [03/Apr/2018:19:30:53.965606137 +0100] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error)
>>>>> GSSAPI client step 1
>>>>> GSSAPI client step 1
>>>>> GSSAPI client step 1
>>>>> ..
>>>>>
>>>>> and in /var/log/pki/pki-tomcat/ca/debug
>>>>> [03/Apr/2018:19:09:45][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
>>>>> [03/Apr/2018:19:09:45][localhost-startStop-1]: Candidate cert: Server-Cert cert-pki-ca
>>>>> [03/Apr/2018:19:09:45][localhost-startStop-
[Freeipa-users] Re: Failed to start pki-tomcatd Service - javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
On 04/04/18 12:43, Florence Blanc-Renaud wrote:
> You need to check which server is your renewal master (ipa config-show | grep 'IPA CA renewal master'), then make sure that the certs were properly renewed on this master (check consistency between /etc/pki/pki-tomcat/alias, the certs in cn=certificates,cn=ipa,cn=etc,$BASEDN, and the content in /etc/pki/pki-tomcat/ca/CS.cfg).

I have only one cert, a
ipaCertSubject: CN=Certificate Authority,O=PRIVATE.CCNR.CEB.PRIVATE.CAM.AC.UK
which seems to correspond with:
$ certutil -L -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'caSigningCert cert-pki-ca'
which is also in /etc/pki/pki-tomcat/ca/CS.cfg, and that is: ca.signing.cert
which is different from ca.subsystem.cert
But I'd imagine that's expected(?)

New CA master renewing server still fails:
...
[04/Apr/2018:15:14:44][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
[04/Apr/2018:15:14:44][localhost-startStop-1]: Candidate cert: Server-Cert cert-pki-ca
[04/Apr/2018:15:14:44][localhost-startStop-1]: Candidate cert: caSigningCert cert-pki-ca
[04/Apr/2018:15:14:44][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null
[04/Apr/2018:15:14:44][localhost-startStop-1]: SSL handshake happened
Could not connect to LDAP server host whale port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
...

It seems that these certs are as they should be. How can I troubleshoot it further? Can logs verbosity be upped?

Many thanks, L.
[Freeipa-users] Re: Failed to start pki-tomcatd Service - javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
On 04/04/18 12:43, Florence Blanc-Renaud wrote:
> Hi,
>
> CA_WORKING means that certmonger's helper is trying to download the certificate from LDAP, but does not find new certs.
> In topologies with multiple servers, only one server is the renewal master. When one of auditSigningCert cert-pki-ca, ocspSigningCert cert-pki-ca, subsystemCert cert-pki-ca or caSigningCert cert-pki-ca expires, the renewal master is the one that actually handles the renewal, and the other masters simply download the new certs from LDAP.
>
> You need to check which server is your renewal master (ipa config-show | grep 'IPA CA renewal master'), then make sure that the certs were properly renewed on this master (check consistency between /etc/pki/pki-tomcat/alias, the certs in cn=certificates,cn=ipa,cn=etc,$BASEDN, and the content in /etc/pki/pki-tomcat/ca/CS.cfg).
>
> Then check that replication is working between the renewal master and the other masters. If the replication is broken, the certs will not be copied on the other masters and the download will not detect new certificates.
>
> HTH,

I also see differences here in case it matters (and then what to do about it):

on rider:
Replica Update Vectors:
    rider.private:389: 71
    whale.private:389: 91
Certificate Server Replica Update Vectors:
    rider.private:389: 1075
    whale.private:389: 1170

on whale:
Replica Update Vectors:
    whale.private:389: 91
    rider.private:389: 71
Certificate Server Replica Update Vectors:
    whale.private:389: 1170

Also on whale host I see:
..
[04/Apr/2018:14:19:28.872403514 +0100] - WARN - NSMMReplicationPlugin - repl5_inc_run - agmt="cn=cloneAgreement1-whale.private-pki-tomcat" (rider:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.

even though on rider I did:
$ ipa-replica-manage re-initialize --from
[Freeipa-users] Re: Failed to start pki-tomcatd Service - javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
On 04/04/18 12:43, Florence Blanc-Renaud wrote:
> On 04/04/2018 12:37 PM, lejeczek via FreeIPA-users wrote:
>> On 04/04/18 09:36, Florence Blanc-Renaud wrote:
>>> On 04/03/2018 08:37 PM, lejeczek wrote:
>>>> On 29/03/18 12:43, Florence Blanc-Renaud wrote:
>>>>> On 03/28/2018 12:42 PM, lejeczek via FreeIPA-users wrote:
>>>>>> hi guys,
>>>>>> I fail to troubleshoot this here:
>>>>>>
>>>>>> $ ipactl start --ignore-service-failures
>>>>>> Starting Directory Service
>>>>>> Starting krb5kdc Service
>>>>>> Starting kadmin Service
>>>>>> Starting named Service
>>>>>> Starting httpd Service
>>>>>> Starting ipa-custodia Service
>>>>>> Starting ntpd Service
>>>>>> Starting pki-tomcatd Service
>>>>>> Failed to start pki-tomcatd Service
>>>>>> Forced start, ignoring pki-tomcatd Service, continuing normal operation
>>>>>
>>>>> Hi,
>>>>> pki-tomcatd may fail to start when the subsystemCert cert-pki-ca did not properly get renewed. Please find more information in this blog:
>>>>> https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
>>>>> Flo
>>>>>
>>>>>> Starting ipa-otpd Service
>>>>>> Starting ipa-dnskeysyncd Service
>>>>>> ipa: INFO: The ipactl command was successful
>>>>>>
>>>>>> logs in /var/log/pki/pki-tomcat:
>>>>>> localhost.2018-03-28.log
>>>>>> ...
>>>>>> Mar 28, 2018 11:35:14 AM org.apache.catalina.core.StandardHostValve invoke
>>>>>> SEVERE: Exception Processing /ca/admin/ca/getStatus
>>>>>> javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
>>>>>>     at com.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145)
>>>>>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:500)
>>>>>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
>>>>>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>>>>>>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
>>>>>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>>>>>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
>>>>>>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)
>>>>>>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
>>>>>>     at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
>>>>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>>>>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>>>>>>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>>>     at java.lang.Thread.run(Thread.java:748)
>>>>>>
>>>>>> in catalina.2018-03-28.log:
>>>>>> ...
>>>>>> Mar 28, 2018 11:41:35 AM org.apache.catalina.core.ContainerBase backgroundProcess
>>>>>> WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@1e572093 background process
>>>>>> javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
>>>>>>     at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
>>>>>>     at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
>>>>>>     at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
>>>>>>     at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
>>>>>>     at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
>>>>>>     at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
>>>>>>     at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
>>>>>>     at java.lang.Thread.run(Thread.java:748)
>>>>>>
>>>>>> Would you be able to conclude anything from those errors? What might be a problem?
>>>>>> many thanks, L.
>>>>
>>>> I have followed those instructions from the link and it seems that both certutil & ldap have the same certificate.
>>>> However I also see:
>>>>
>>>> $ sudo journalctl -lf -o cat -u dirsrv@
>>>> ...
>>>> GSSAPI client step 1
>>>> GSSAPI client step 1
>>>> GSSAPI client step 2
>>>> [03/Apr/2018:19:30:53.962565693 +0100] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error)
>>>> [03/Apr/2018:19:30:53.965606137 +0100] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error)
>>>> GSSAPI client step 1
>>>> GSSAPI client step 1
>>>> GSSAPI client step 1
>>>> ..
>>>>
>>>> and in /var/log/pki/pki-tomcat/ca/debug
>>>> [03/Apr/2018:19:09:45][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
>>>> [03/Apr/2018:19:09:45][localhost-startStop-1]: Candidate cert: Server-Cert cert-pki-ca
>>>> [03/Apr/2018:19:09:45][localhost-startStop-1]: Candidate cert: caSigningCert cert-pki-ca
>>>> [03/Apr
[Freeipa-users] Re: Failed to start pki-tomcatd Service - javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
On 04/04/2018 12:37 PM, lejeczek via FreeIPA-users wrote:
> On 04/04/18 09:36, Florence Blanc-Renaud wrote:
>> On 04/03/2018 08:37 PM, lejeczek wrote:
>>> On 29/03/18 12:43, Florence Blanc-Renaud wrote:
>>>> On 03/28/2018 12:42 PM, lejeczek via FreeIPA-users wrote:
>>>>> hi guys,
>>>>> I fail to troubleshoot this here:
>>>>>
>>>>> $ ipactl start --ignore-service-failures
>>>>> Starting Directory Service
>>>>> Starting krb5kdc Service
>>>>> Starting kadmin Service
>>>>> Starting named Service
>>>>> Starting httpd Service
>>>>> Starting ipa-custodia Service
>>>>> Starting ntpd Service
>>>>> Starting pki-tomcatd Service
>>>>> Failed to start pki-tomcatd Service
>>>>> Forced start, ignoring pki-tomcatd Service, continuing normal operation
>>>>
>>>> Hi,
>>>> pki-tomcatd may fail to start when the subsystemCert cert-pki-ca did not properly get renewed. Please find more information in this blog:
>>>> https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
>>>> Flo
>>>>
>>>>> Starting ipa-otpd Service
>>>>> Starting ipa-dnskeysyncd Service
>>>>> ipa: INFO: The ipactl command was successful
>>>>>
>>>>> logs in /var/log/pki/pki-tomcat:
>>>>> localhost.2018-03-28.log
>>>>> ...
>>>>> Mar 28, 2018 11:35:14 AM org.apache.catalina.core.StandardHostValve invoke
>>>>> SEVERE: Exception Processing /ca/admin/ca/getStatus
>>>>> javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
>>>>>     at com.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145)
>>>>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:500)
>>>>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
>>>>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>>>>>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
>>>>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>>>>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
>>>>>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)
>>>>>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
>>>>>     at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
>>>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>>>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>>>>>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>>     at java.lang.Thread.run(Thread.java:748)
>>>>>
>>>>> in catalina.2018-03-28.log:
>>>>> ...
>>>>> Mar 28, 2018 11:41:35 AM org.apache.catalina.core.ContainerBase backgroundProcess
>>>>> WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@1e572093 background process
>>>>> javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
>>>>>     at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
>>>>>     at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
>>>>>     at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
>>>>>     at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
>>>>>     at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
>>>>>     at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
>>>>>     at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
>>>>>     at java.lang.Thread.run(Thread.java:748)
>>>>>
>>>>> Would you be able to conclude anything from those errors? What might be a problem?
>>>>> many thanks, L.
>>>
>>> I have followed those instructions from the link and it seems that both certutil & ldap have the same certificate.
>>> However I also see:
>>>
>>> $ sudo journalctl -lf -o cat -u dirsrv@
>>> ...
>>> GSSAPI client step 1
>>> GSSAPI client step 1
>>> GSSAPI client step 2
>>> [03/Apr/2018:19:30:53.962565693 +0100] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error)
>>> [03/Apr/2018:19:30:53.965606137 +0100] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error)
>>> GSSAPI client step 1
>>> GSSAPI client step 1
>>> GSSAPI client step 1
>>> ..
>>>
>>> and in /var/log/pki/pki-tomcat/ca/debug
>>> [03/Apr/2018:19:09:45][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
>>> [03/Apr/2018:19:09:45][localhost-startStop-1]: Candidate cert: Server-Cert cert-pki-ca
>>> [03/Apr/2018:19:09:45][localhost-startStop-1]: Candidate cert: caSigningCert cert-pki-ca
>>> [03/Apr/2018:19:09:45][localhost-startStop-1]: SSLClientCertifi
[Freeipa-users] Re: Failed to start pki-tomcatd Service - javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
On 04/04/18 09:36, Florence Blanc-Renaud wrote:
> On 04/03/2018 08:37 PM, lejeczek wrote:
>> On 29/03/18 12:43, Florence Blanc-Renaud wrote:
>>> On 03/28/2018 12:42 PM, lejeczek via FreeIPA-users wrote:
>>>> hi guys,
>>>> I fail to troubleshoot this here:
>>>>
>>>> $ ipactl start --ignore-service-failures
>>>> Starting Directory Service
>>>> Starting krb5kdc Service
>>>> Starting kadmin Service
>>>> Starting named Service
>>>> Starting httpd Service
>>>> Starting ipa-custodia Service
>>>> Starting ntpd Service
>>>> Starting pki-tomcatd Service
>>>> Failed to start pki-tomcatd Service
>>>> Forced start, ignoring pki-tomcatd Service, continuing normal operation
>>>
>>> Hi,
>>> pki-tomcatd may fail to start when the subsystemCert cert-pki-ca did not properly get renewed. Please find more information in this blog:
>>> https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
>>> Flo
>>>
>>>> Starting ipa-otpd Service
>>>> Starting ipa-dnskeysyncd Service
>>>> ipa: INFO: The ipactl command was successful
>>>>
>>>> logs in /var/log/pki/pki-tomcat:
>>>> localhost.2018-03-28.log
>>>> ...
>>>> Mar 28, 2018 11:35:14 AM org.apache.catalina.core.StandardHostValve invoke
>>>> SEVERE: Exception Processing /ca/admin/ca/getStatus
>>>> javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
>>>>     at com.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145)
>>>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:500)
>>>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
>>>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>>>>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
>>>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>>>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
>>>>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)
>>>>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
>>>>     at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
>>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>>>>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>     at java.lang.Thread.run(Thread.java:748)
>>>>
>>>> in catalina.2018-03-28.log:
>>>> ...
>>>> Mar 28, 2018 11:41:35 AM org.apache.catalina.core.ContainerBase backgroundProcess
>>>> WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@1e572093 background process
>>>> javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
>>>>     at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
>>>>     at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
>>>>     at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
>>>>     at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
>>>>     at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
>>>>     at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
>>>>     at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
>>>>     at java.lang.Thread.run(Thread.java:748)
>>>>
>>>> Would you be able to conclude anything from those errors? What might be a problem?
>>>> many thanks, L.
>>
>> I have followed those instructions from the link and it seems that both certutil & ldap have the same certificate.
>> However I also see:
>>
>> $ sudo journalctl -lf -o cat -u dirsrv@
>> ...
>> GSSAPI client step 1
>> GSSAPI client step 1
>> GSSAPI client step 2
>> [03/Apr/2018:19:30:53.962565693 +0100] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error)
>> [03/Apr/2018:19:30:53.965606137 +0100] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error)
>> GSSAPI client step 1
>> GSSAPI client step 1
>> GSSAPI client step 1
>> ..
>>
>> and in /var/log/pki/pki-tomcat/ca/debug
>> [03/Apr/2018:19:09:45][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
>> [03/Apr/2018:19:09:45][localhost-startStop-1]: Candidate cert: Server-Cert cert-pki-ca
>> [03/Apr/2018:19:09:45][localhost-startStop-1]: Candidate cert: caSigningCert cert-pki-ca
>> [03/Apr/2018:19:09:45][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null
>
> Hi, it looks like
[Freeipa-users] Re: Failed to start pki-tomcatd Service - javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
On 04/03/2018 08:37 PM, lejeczek wrote:
On 29/03/18 12:43, Florence Blanc-Renaud wrote:
On 03/28/2018 12:42 PM, lejeczek via FreeIPA-users wrote:

hi guys, I fail to troubleshoot this here:

$ ipactl start --ignore-service-failures
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting httpd Service
Starting ipa-custodia Service
Starting ntpd Service
Starting pki-tomcatd Service
Failed to start pki-tomcatd Service
Forced start, ignoring pki-tomcatd Service, continuing normal operation

Hi, pki-tomcatd may fail to start when the subsystemCert cert-pki-ca did not properly get renewed. Please find more information in this blog: https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/

Flo

Starting ipa-otpd Service
Starting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

logs in /var/log/pki/pki-tomcat:

localhost.2018-03-28.log
...
Mar 28, 2018 11:35:14 AM org.apache.catalina.core.StandardHostValve invoke
SEVERE: Exception Processing /ca/admin/ca/getStatus
javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
    at com.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:500)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)

in catalina.2018-03-28.log:
...
Mar 28, 2018 11:41:35 AM org.apache.catalina.core.ContainerBase backgroundProcess
WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@1e572093 background process
javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
    at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
    at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
    at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
    at java.lang.Thread.run(Thread.java:748)

Would you be able to conclude anything from those errors? What might be a problem?

many thanks, L.

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

I have followed those instructions from the link and it seems that both certutil & ldap have the same certificate. However I also see:

$ sudo journalctl -lf -o cat -u dirsrv@ ...
GSSAPI client step 1
GSSAPI client step 1
GSSAPI client step 2
[03/Apr/2018:19:30:53.962565693 +0100] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error)
[03/Apr/2018:19:30:53.965606137 +0100] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error)
GSSAPI client step 1
GSSAPI client step 1
GSSAPI client step 1

.. and in /var/log/pki/pki-tomcat/ca/debug
[03/Apr/2018:19:09:45][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
[03/Apr/2018:19:09:45][localhost-startStop-1]: Candidate cert: Server-Cert cert-pki-ca
[03/Apr/2018:19:09:45][localhost-startStop-1]: Candidate cert: caSigningCert cert-pki-ca
[03/Apr/2018:19:09:45][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null

Hi, it looks like the subsystemCert is not picked to authenticate to the LD
[Freeipa-users] Re: Failed to start pki-tomcatd Service - javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
On 29/03/18 12:43, Florence Blanc-Renaud wrote:
On 03/28/2018 12:42 PM, lejeczek via FreeIPA-users wrote:

hi guys, I fail to troubleshoot this here:

$ ipactl start --ignore-service-failures
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting httpd Service
Starting ipa-custodia Service
Starting ntpd Service
Starting pki-tomcatd Service
Failed to start pki-tomcatd Service
Forced start, ignoring pki-tomcatd Service, continuing normal operation

Hi, pki-tomcatd may fail to start when the subsystemCert cert-pki-ca did not properly get renewed. Please find more information in this blog: https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/

Flo

Starting ipa-otpd Service
Starting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

logs in /var/log/pki/pki-tomcat:

localhost.2018-03-28.log
...
Mar 28, 2018 11:35:14 AM org.apache.catalina.core.StandardHostValve invoke
SEVERE: Exception Processing /ca/admin/ca/getStatus
javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
    at com.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:500)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)

in catalina.2018-03-28.log:
...
Mar 28, 2018 11:41:35 AM org.apache.catalina.core.ContainerBase backgroundProcess
WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@1e572093 background process
javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
    at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
    at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
    at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
    at java.lang.Thread.run(Thread.java:748)

Would you be able to conclude anything from those errors? What might be a problem?

many thanks, L.

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

I have followed those instructions from the link and it seems that both certutil & ldap have the same certificate. However I also see:

$ sudo journalctl -lf -o cat -u dirsrv@ ...
GSSAPI client step 1
GSSAPI client step 1
GSSAPI client step 2
[03/Apr/2018:19:30:53.962565693 +0100] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error)
[03/Apr/2018:19:30:53.965606137 +0100] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error)
GSSAPI client step 1
GSSAPI client step 1
GSSAPI client step 1

.. and in /var/log/pki/pki-tomcat/ca/debug
[03/Apr/2018:19:09:45][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
[03/Apr/2018:19:09:45][localhost-startStop-1]: Candidate cert: Server-Cert cert-pki-ca
[03/Apr/2018:19:09:45][localhost-startStop-1]: Candidate cert: caSigningCert cert-pki-ca
[03/Apr/2018:19:09:45][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null
[03/Apr/2018:19:09:45][localhost-startStop-1]: SSL handshake happened
Could not connect to LDAP server host rider.pri
[Freeipa-users] Re: Failed to start pki-tomcatd Service - javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
On 03/28/2018 12:42 PM, lejeczek via FreeIPA-users wrote:

hi guys, I fail to troubleshoot this here:

$ ipactl start --ignore-service-failures
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting httpd Service
Starting ipa-custodia Service
Starting ntpd Service
Starting pki-tomcatd Service
Failed to start pki-tomcatd Service
Forced start, ignoring pki-tomcatd Service, continuing normal operation

Hi, pki-tomcatd may fail to start when the subsystemCert cert-pki-ca did not properly get renewed. Please find more information in this blog: https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/

Flo

Starting ipa-otpd Service
Starting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

logs in /var/log/pki/pki-tomcat:

localhost.2018-03-28.log
...
Mar 28, 2018 11:35:14 AM org.apache.catalina.core.StandardHostValve invoke
SEVERE: Exception Processing /ca/admin/ca/getStatus
javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
    at com.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:500)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)

in catalina.2018-03-28.log:
...
Mar 28, 2018 11:41:35 AM org.apache.catalina.core.ContainerBase backgroundProcess
WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@1e572093 background process
javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
    at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
    at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
    at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
    at java.lang.Thread.run(Thread.java:748)

Would you be able to conclude anything from those errors? What might be a problem?

many thanks, L.

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
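
The CA debug excerpt quoted in this thread is what the diagnosis rests on: the client-certificate selection lists its candidates and then returns null. The scanner below is an added example, not code from any message in the thread or from the FreeIPA or Dogtag projects; it extracts those selection blocks from a pki-tomcat CA debug log, and the function name and the returned field names are made up for illustration.

```python
import re

# Sample input: the debug lines quoted in this thread, re-broken one per line.
SAMPLE_DEBUG_LOG = """\
[03/Apr/2018:19:09:45][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
[03/Apr/2018:19:09:45][localhost-startStop-1]: Candidate cert: Server-Cert cert-pki-ca
[03/Apr/2018:19:09:45][localhost-startStop-1]: Candidate cert: caSigningCert cert-pki-ca
[03/Apr/2018:19:09:45][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null
[03/Apr/2018:19:09:45][localhost-startStop-1]: SSL handshake happened
"""

EXPECTED_NICKNAME = "subsystemCert cert-pki-ca"  # nickname named in the thread

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]:\s*(?P<msg>.*)$")
# The log spells the callback two ways ("Certificat" / "Certificate").
ENTER_RE = re.compile(r"SSLClientCertificate?SelectionCB: Entering")
RETURN_RE = re.compile(r"SSLClientCertificate?SelectionCB: returning: (?P<nick>.+)")
CAND_RE = re.compile(r"Candidate cert: (?P<nick>.+)")


def find_selection_failures(log_text, expected=EXPECTED_NICKNAME):
    """Return one finding per client-cert selection that did not pick `expected`."""
    findings, open_blocks = [], {}   # open_blocks: thread name -> block in progress
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                  # stack-trace or continuation line
        thread, msg = m["thread"], m["msg"]
        if ENTER_RE.search(msg):
            open_blocks[thread] = {"ts": m["ts"], "candidates": []}
        elif thread in open_blocks and (c := CAND_RE.search(msg)):
            open_blocks[thread]["candidates"].append(c["nick"].strip())
        elif thread in open_blocks and (r := RETURN_RE.search(msg)):
            block = open_blocks.pop(thread)
            selected = r["nick"].strip()
            if selected != expected:
                findings.append({
                    "timestamp": block["ts"],
                    "selected": None if selected == "null" else selected,
                    "candidates": block["candidates"],
                    "expected_offered": expected in block["candidates"],
                })
    return findings


if __name__ == "__main__":
    for finding in find_selection_failures(SAMPLE_DEBUG_LOG):
        print(finding)
```

On the excerpt from the thread this reports one selection at 03/Apr/2018:19:09:45 with no certificate chosen and `subsystemCert cert-pki-ca` absent from the candidates, which is the point at which the NSS database, LDAP entry and CS.cfg comparison Florence describes applies.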