[Freeipa-users] Re: ipa-restore breaks pki-tomcatd (?)
On 04/10/2018 04:30 PM, Hillar Aarelaid wrote:
> On 10. apr 2018, at 15:05, Florence Blanc-Renaud wrote:
>> I would start by checking if all the certificates are up-to-date, especially subsystemCert cert-pki-ca.
>
> sorry, i did not touch any certificates.

Hi,

(re-adding the mailing list in copy)

the certificates may have expired between the time you did the backup and reinstalled. What is the output of ipactl status? If only pki-tomcatd fails to start, then the logs from /var/log/pki/pki-tomcat/ca may provide more information.

Flo

> it was simple ipa-backup->ipa-restore as described in https://www.freeipa.org/page/Backup_and_Restore#Server_Loss_Cases
> i had _single_ server and (by scenario 'Catastrophic hardware failure') i lost it, so i started with a new server from scratch...
> i followed https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/restore as it says:
> "Important: It is recommended that you uninstall a server before performing a full-server restore on it."
> i tried
> a) ipa-server-install and then uninstall and then ipa-restore
> b) no ipa-server-install, straight to ipa-restore
> and always ended up with tomcat not starting
> it seems that most was restored, as i can do kinit with previously existing users and i can find them with ldapsearch, but the command line "ipa whatever-command" fails, so ;( ;( ;(
>
> Hillar
>
> #ref https://github.com/hillar/detektiven/blob/master/vagans/createFedoraIPA.bash#L71

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
[Freeipa-users] Re: ipa-restore breaks pki-tomcatd (?)
On 04/10/2018 11:35 AM, Hillar Aarelaid via FreeIPA-users wrote:
> not exactly same, but feels similar here ;(
> _single_ freeipa server (Linux ipa.idm.domain.tld 4.15.14-300.fc27.x86_64, IPA VERSION: 4.6.3, API_VERSION: 2.229)
> 1) full backup made with ipa-backup
> 2) server loss
> 3) new server built from scratch
> 4) ipa-restore
> 5) ..Failed to start pki-tomcatd Service

Hi,

you can find troubleshooting information in this blog:
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/

I would start by checking if all the certificates are up-to-date, especially subsystemCert cert-pki-ca.

HTH,
Flo
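An added example, not code from the thread or from FreeIPA itself, of the certificate check Flo suggests: it lists every nickname in the PKI CA's NSS database and flags the ones whose "Not After" date has passed. It assumes certutil from nss-tools and the NSS database path /etc/pki/pki-tomcat/alias (neither is named in the thread); the date parsing is also exercised on constructed certutil output so the script runs without an IPA server.

```shell
#!/bin/sh
# Added example (not from the thread): report expired certificates in the
# pki-tomcat NSS database, the check Flo's reply suggests doing first.
# Assumes certutil from nss-tools on the IPA server; the parser below is
# also exercised on constructed certutil output so it runs anywhere.

NSSDB="/etc/pki/pki-tomcat/alias"   # assumed PKI CA NSS database path
# Turn certutil's "Not After : Sun Apr 05 10:00:00 2020" line into the
# sortable key "2020-04-05 10:00:00"; prints nothing if the line is absent.
not_after_key() {
    printf '%s\n' "$1" | awk '
        BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
                for (i in m) mon[m[i]] = sprintf("%02d", i) }
        /^ *Not After *:/ { sub(/^ *Not After *: */, "")
                            printf "%s-%s-%s %s\n", $5, mon[$2], $3, $4; exit }'
}

# Exit 0 if the certificate text is still valid at time "$2" (same key
# format), 1 if it has expired, 2 if no validity period could be parsed.
cert_status() {
    key=$(not_after_key "$1")
    [ -n "$key" ] || return 2
    awk -v na="$key" -v now="$2" 'BEGIN { exit !(na > now) }' && return 0
    return 1
}

# Live check: walk every nickname in the NSS DB and print its status.
check_nssdb() {
    db=$1; now=$(date -u '+%Y-%m-%d %H:%M:%S')
    certutil -L -d "$db" | awk 'NR > 2 && NF { sub(/ +[A-Za-z,]*$/, ""); print }' |
    while IFS= read -r nick; do
        cert_status "$(certutil -L -d "$db" -n "$nick")" "$now" && rc=0 || rc=$?
        case $rc in 0) s=OK ;; 1) s=EXPIRED ;; *) s=UNKNOWN ;; esac
        printf '%-8s %s\n' "$s" "$nick"
    done
}

# Constructed certutil -L -n snippets (not real certificates from the thread).
SAMPLE_VALID='        Validity:
            Not Before: Thu Apr 05 10:00:00 2018
            Not After : Sun Apr 05 10:00:00 2020'
SAMPLE_EXPIRED='        Validity:
            Not Before: Fri Apr 01 09:00:00 2016
            Not After : Sat Apr 07 09:00:00 2018'
NOW_2018='2018-04-10 12:00:00'   # roughly when the thread was posted

if command -v certutil >/dev/null 2>&1 && [ -d "$NSSDB" ]; then
    check_nssdb "$NSSDB"       # real check on an IPA server
fi
```

An EXPIRED line for subsystemCert cert-pki-ca is consistent with the restore symptoms in this thread; ipactl status and /var/log/pki/pki-tomcat/ca then confirm whether only pki-tomcatd is affected.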
[Freeipa-users] Re: ipa-restore breaks pki-tomcatd (?)
Hi

not exactly same, but feels similar here ;(

_single_ freeipa server (Linux ipa.idm.domain.tld 4.15.14-300.fc27.x86_64, IPA VERSION: 4.6.3, API_VERSION: 2.229)

1) full backup made with ipa-backup
2) server loss
3) new server built from scratch
4) ipa-restore
5) ..Failed to start pki-tomcatd Service

---
ipa: DEBUG: response body b'Apache Tomcat/8.0.50 - Error report
HTTP Status 500 - Subsystem unavailable
type Exception report
message Subsystem unavailable
description The server encountered an internal error that prevented it from fulfilling this request.
exception
javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
	com.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:138)
	org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
	com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:81)
	org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
	org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
	org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
	org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)
	org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
	org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
	org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
	java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	java.lang.Thread.run(Thread.java:748)
note The full stack trace of the root cause is available in the Apache Tomcat/8.0.50 logs.
Apache Tomcat/8.0.50'
ipa: DEBUG: The CA status is: check interrupted due to error: Retrieving CA status failed with status 500
ipa: DEBUG: Waiting for CA to start...
Failed to start pki-tomcatd Service
[Freeipa-users] Re: ipa-restore breaks pki-tomcatd (?)
On 04/04/18 12:00, lejeczek via FreeIPA-users wrote:
> hi
>
> here I have something very easily reproducible I think.
> I have two IPA masters; the first one stood alone for a while and then I added the second server. Then I ipa-restored the first master to a data backup from a day or two before the second master was added, and now:
> ...
> Starting pki-tomcatd Service
> Failed to start pki-tomcatd Service
>
> in /var/log/pki/pki-tomcat/ca/debug:
> ...
> [04/Apr/2018:11:56:27][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
> [04/Apr/2018:11:56:27][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
> [04/Apr/2018:11:56:27][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
> [04/Apr/2018:11:56:27][localhost-startStop-1]: Candidate cert: subsystemCert cert-pki-ca
> [04/Apr/2018:11:56:27][localhost-startStop-1]: SSLClientCertificateSelectionCB: desired cert found in list: subsystemCert cert-pki-ca
> [04/Apr/2018:11:56:27][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: subsystemCert cert-pki-ca
> [04/Apr/2018:11:56:27][localhost-startStop-1]: SSL handshake happened
> Could not connect to LDAP server host swir.private port 636 Error netscape.ldap.LDAPException: Authentication failed (49)
>         at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
>         at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
>         at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
>         at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)
>         at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1176)
>         at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1082)
>         at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:572)
>         at com.netscape.certsrv.apps.CMS.init(CMS.java:189)
>         at com.netscape.certsrv.apps.CMS.start(CMS.java:1631)
>         at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
>         at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
>         at java.security.AccessController.doPrivileged(Native Method)
> ...
>
> Is this normal/expected?
>
> Many thanks,
> L.

nope, ipa-restore most likely does not do any such thing as I thought. It was rather my bad/broken backup data.