[Freeipa-users] Re: ipa-restore breaks pki-tomcatd (?)

2018-04-10 Thread Florence Blanc-Renaud via FreeIPA-users

On 04/10/2018 04:30 PM, Hillar Aarelaid wrote:



On 10. apr 2018, at 15:05, Florence Blanc-Renaud wrote:

I would start by checking if all the certificates are up-to-date, especially 
subsystemCert cert-pki-ca.


Sorry, I did not touch any certificates.


Hi,

(re-adding the mailing in copy)
the certificates may have expired between the time you did the backup 
and reinstalled.


What is the output of ipactl status? If only pki-tomcatd fails to start, 
then the logs from /var/log/pki/pki-tomcat/ca may provide more information.


Flo


It was a simple ipa-backup -> ipa-restore as described in 
https://www.freeipa.org/page/Backup_and_Restore#Server_Loss_Cases
I had a _single_ server and (by the scenario 'Catastrophic hardware failure') I lost 
it, so I started with a new server from scratch...
I followed 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/restore
as it says: "Important It is recommended that you uninstall a server before 
performing a full-server restore on it."
I tried
a) ipa-server-install, then uninstall, then ipa-restore
b) no ipa-server-install, straight to ipa-restore

and always ended up with tomcat not starting.
It seems that most was restored, as I can do kinit with previously existing 
users and I can find them with ldapsearch,
but the command line "ipa whatever-command" fails, so ;( ;( ;(

Hillar

#ref 
https://github.com/hillar/detektiven/blob/master/vagans/createFedoraIPA.bash#L71




___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: ipa-restore breaks pki-tomcatd (?)

2018-04-10 Thread Florence Blanc-Renaud via FreeIPA-users

On 04/10/2018 11:35 AM, Hillar Aarelaid via FreeIPA-users wrote:

Hi

not exactly the same, but feels similar here ;(

_single_ freeipa server
(Linux ipa.idm.domain.tld 4.15.14-300.fc27.x86_64 IPA VERSION: 4.6.3, 
API_VERSION: 2.229)

1) full backup made with ipa-backup
2) server loss
3) new server build from scratch
4) ipa-restore
5) ..Failed to start pki-tomcatd Service


---

ipa: DEBUG: response body b'Apache Tomcat/8.0.50 - Error report
HTTP Status 500 - Subsystem unavailable
type Exception report
message Subsystem unavailable
description The server encountered an internal error that prevented it from fulfilling this request.
exception javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
	com.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:138)
	org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
	com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:81)
	org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
	org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
	org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
	org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)
	org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
	org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
	org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
	java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	java.lang.Thread.run(Thread.java:748)
note The full stack trace of the root cause is available in the Apache Tomcat/8.0.50 logs.
Apache Tomcat/8.0.50'
ipa: DEBUG: The CA status is: check interrupted due to error: Retrieving CA 
status failed with status 500
ipa: DEBUG: Waiting for CA to start...
Failed to start pki-tomcatd Service


Hi,

you can find troubleshooting information in this blog:
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/

I would start by checking if all the certificates are up-to-date, 
especially subsystemCert cert-pki-ca.


HTH,
Flo



[Freeipa-users] Re: ipa-restore breaks pki-tomcatd (?)

2018-04-10 Thread Hillar Aarelaid via FreeIPA-users
Hi

not exactly the same, but feels similar here ;(

_single_ freeipa server 
(Linux ipa.idm.domain.tld 4.15.14-300.fc27.x86_64 IPA VERSION: 4.6.3, 
API_VERSION: 2.229)

1) full backup made with ipa-backup 
2) server loss
3) new server build from scratch
4) ipa-restore 
5) ..Failed to start pki-tomcatd Service


---

ipa: DEBUG: response body b'Apache Tomcat/8.0.50 - Error report
HTTP Status 500 - Subsystem unavailable
type Exception report
message Subsystem unavailable
description The server encountered an internal error that prevented it from fulfilling this request.
exception javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
	com.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:138)
	org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
	com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:81)
	org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
	org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
	org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
	org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)
	org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
	org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
	org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
	java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	java.lang.Thread.run(Thread.java:748)
note The full stack trace of the root cause is available in the Apache Tomcat/8.0.50 logs.
Apache Tomcat/8.0.50'
ipa: DEBUG: The CA status is: check interrupted due to error: Retrieving CA 
status failed with status 500
ipa: DEBUG: Waiting for CA to start...
Failed to start pki-tomcatd Service


[Freeipa-users] Re: ipa-restore breaks pki-tomcatd (?)

2018-04-04 Thread lejeczek via FreeIPA-users



On 04/04/18 12:00, lejeczek via FreeIPA-users wrote:

hi

here I have something very easily reproducible I think.

I have two IPA masters; the first one stood alone for a while 
and then I added the second server.
Then I ipa-restored the first master to a data backup from 
a day or two before second master was added and now:

...
Starting pki-tomcatd Service
Failed to start pki-tomcatd Service

in /var/log/pki/pki-tomcat/ca/debug:
...
[04/Apr/2018:11:56:27][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
[04/Apr/2018:11:56:27][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
[04/Apr/2018:11:56:27][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
[04/Apr/2018:11:56:27][localhost-startStop-1]: Candidate cert: subsystemCert cert-pki-ca
[04/Apr/2018:11:56:27][localhost-startStop-1]: SSLClientCertificateSelectionCB: desired cert found in list: subsystemCert cert-pki-ca
[04/Apr/2018:11:56:27][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: subsystemCert cert-pki-ca
[04/Apr/2018:11:56:27][localhost-startStop-1]: SSL handshake happened
Could not connect to LDAP server host swir.private port 636 Error netscape.ldap.LDAPException: Authentication failed (49)
    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
    at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1176)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1082)
    at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:572)
    at com.netscape.certsrv.apps.CMS.init(CMS.java:189)
    at com.netscape.certsrv.apps.CMS.start(CMS.java:1631)
    at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
    at javax.servlet.GenericServlet.init(GenericServlet.java:158)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)

...

Is this normal/expected?
Many thanks, L.


Nope, ipa-restore most likely does not do any such thing, as I 
thought. It was rather my bad/broken backup data.

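The two checks that come up in this thread can be scripted: Flo's advice to confirm that "subsystemCert cert-pki-ca" is still valid, and the "Authentication failed (49)" in lejeczek's debug log, which is pki-tomcatd failing to bind to 389-ds with that same certificate (the log shows it being selected as the client auth cert right before the LDAP error). A known cause of that bind failure is the certificate in the CA's NSS database no longer matching the copy stored on the CA's LDAP bind entry, uid=pkidbuser,ou=people,o=ipaca. The script below is an added example, not code from the thread, from FreeIPA or from Dogtag. The NSS database path, nickname and pkidbuser DN are FreeIPA defaults; the Directory Manager bind is an assumption (use whatever bind your site allows), and the certutil/ldapsearch samples embedded at the bottom are constructed placeholders, not real certificates.

```shell
#!/usr/bin/env bash
# Added example (not from the thread, FreeIPA or Dogtag): two checks for a
# pki-tomcatd that refuses to start after ipa-restore.
#   1. Has "subsystemCert cert-pki-ca" in the CA's NSS DB expired?
#   2. Does that certificate still match the userCertificate on the CA's
#      LDAP bind entry? A mismatch surfaces as LDAP error 49 in
#      /var/log/pki/pki-tomcat/ca/debug.
NSSDB="${NSSDB:-/etc/pki/pki-tomcat/alias}"          # FreeIPA default
NICK="${NICK:-subsystemCert cert-pki-ca}"            # FreeIPA default
PKIDBUSER_DN="uid=pkidbuser,ou=people,o=ipaca"       # FreeIPA default

# days_until_expiry <output of: certutil -L -d $NSSDB -n "$NICK"> [now_epoch]
# Prints whole days until "Not After" (floored, so -1 means "expired today").
# Returns 2 when the listing has no parseable Not After line.
days_until_expiry() {
    local not_after epoch now secs
    not_after=$(printf '%s\n' "$1" | sed -n 's/^ *Not After *: *//p' | head -n1)
    [ -n "$not_after" ] || return 2
    # certutil prints "Tue Jul 24 12:00:00 2018"; reorder to "24 Jul 2018 12:00:00",
    # which GNU date parses unambiguously (and cannot "round forward" on weekday)
    not_after=$(printf '%s\n' "$not_after" | awk '{print $3" "$2" "$5" "$4}')
    epoch=$(TZ=UTC date -d "$not_after" +%s 2>/dev/null) || return 2
    now=${2:-$(date +%s)}
    secs=$(( epoch - now ))
    if [ "$secs" -ge 0 ]; then
        echo $(( secs / 86400 ))
    else
        echo $(( 0 - ( (0 - secs + 86399) / 86400 ) ))
    fi
}

# pem_body <PEM text>: base64 payload without header, footer or whitespace
pem_body() {
    printf '%s\n' "$1" | grep -v -- '-----' | tr -d ' \t\r\n'
}

# ldif_usercert <ldapsearch -LLL output>: the userCertificate value, with
# LDIF continuation lines (leading space) unfolded
ldif_usercert() {
    printf '%s\n' "$1" | awk '
        /^userCertificate(;binary)?:: / { sub(/^userCertificate(;binary)?:: */, ""); val = $0; infold = 1; next }
        infold && /^ /                  { sub(/^ /, ""); val = val $0; next }
        infold                          { infold = 0 }
        END                             { print val }'
}

# certs_match <PEM from NSS DB> <LDIF from ldapsearch>: 0 if the same DER, 1 otherwise
certs_match() {
    [ -n "$(pem_body "$1")" ] && [ "$(pem_body "$1")" = "$(ldif_usercert "$2")" ]
}

# Live run on the IPA server as root; only entered with --live so the helpers
# above can be exercised without touching the real NSS DB or directory.
run_live_checks() {
    local listing pem ldif days
    listing=$(certutil -L -d "$NSSDB" -n "$NICK")
    days=$(days_until_expiry "$listing") || { echo "cannot parse expiry for $NICK"; return 2; }
    if [ "$days" -lt 0 ]; then
        echo "EXPIRED: $NICK expired $(( 0 - days )) days ago; renew it before starting pki-tomcatd"
    else
        echo "ok: $NICK valid for $days more days"
    fi
    pem=$(certutil -L -d "$NSSDB" -n "$NICK" -a)
    # Assumption: Directory Manager bind (-W prompts for the password)
    ldif=$(ldapsearch -LLL -x -D "cn=Directory Manager" -W -b "$PKIDBUSER_DN" userCertificate)
    if certs_match "$pem" "$ldif"; then
        echo "ok: NSS DB copy of $NICK matches $PKIDBUSER_DN"
    else
        echo "MISMATCH: $NICK in $NSSDB differs from userCertificate on $PKIDBUSER_DN"
    fi
}

# Constructed samples (not real certificates) so the helpers can be tried offline.
SAMPLE_LISTING_VALID='Certificate:
    Data:
        Validity:
            Not Before: Tue Apr 10 12:00:00 2018
            Not After : Tue Jul 24 12:00:00 2018
        Subject: "CN=CA Subsystem,O=IDM.DOMAIN.TLD"'
SAMPLE_LISTING_EXPIRED='        Validity:
            Not Before: Sun Apr 01 12:00:00 2017
            Not After : Sun Apr 01 12:00:00 2018'
SAMPLE_PEM='-----BEGIN CERTIFICATE-----
MIICconstructedPLACEHOLDERnotAREALcertificateBODYabcdefghijklmnopqrstuv
wxyz0123456789+/==
-----END CERTIFICATE-----'
SAMPLE_LDIF='dn: uid=pkidbuser,ou=people,o=ipaca
userCertificate;binary:: MIICconstructedPLACEHOLDERnotAREALcertificateBODYabcdefghij
 klmnopqrstuvwxyz0123456789+/=='
SAMPLE_LDIF_STALE='dn: uid=pkidbuser,ou=people,o=ipaca
userCertificate;binary:: MIICotherPLACEHOLDERfromBEFOREtheRESTOREabcdef0123456789+/=='

if [ "${1:-}" = "--live" ]; then
    run_live_checks
fi
```

Run it as root on the restored server with `--live`. An expired subsystem certificate explains the 500 "Subsystem unavailable" by itself; a mismatch between the NSS DB and the pkidbuser entry is what produces the LDAP error 49 during CA startup, and it is the case ipa-restore can create when the backup and the directory contents are from different points in time. Either way, compare what you see with Flo's blog post linked earlier in the thread before changing anything.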