hi
here I have something very easily reproducible I think.
I have two IPA masters; the first one stood alone for a while and then I added the second server. Then I ipa-restored the first master to a data backup from a day or two before the second master was added, and now:
...
Starting pki-tomcatd Service
Failed to start pki-tomcatd Service
in /var/log/pki/pki-tomcat/ca/debug:
...
[04/Apr/2018:11:56:27][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
[04/Apr/2018:11:56:27][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
[04/Apr/2018:11:56:27][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
[04/Apr/2018:11:56:27][localhost-startStop-1]: Candidate cert: subsystemCert cert-pki-ca
[04/Apr/2018:11:56:27][localhost-startStop-1]: SSLClientCertificateSelectionCB: desired cert found in list: subsystemCert cert-pki-ca
[04/Apr/2018:11:56:27][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: subsystemCert cert-pki-ca
[04/Apr/2018:11:56:27][localhost-startStop-1]: SSL handshake happened
Could not connect to LDAP server host swir.private port 636 Error netscape.ldap.LDAPException: Authentication failed (49)
    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
    at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1176)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1082)
    at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:572)
    at com.netscape.certsrv.apps.CMS.init(CMS.java:189)
    at com.netscape.certsrv.apps.CMS.start(CMS.java:1631)
    at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
    at javax.servlet.GenericServlet.init(GenericServlet.java:158)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
...
Is this normal/expected? Many thanks, L.
On 04/04/18 12:00, lejeczek via FreeIPA-users wrote:
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Nope, ipa-restore most likely does not do any such thing as I thought. It was rather my bad/broken backup data.
Hi
not exactly same, but feels similar here ;(
_single_ freeipa server (Linux ipa.idm.domain.tld 4.15.14-300.fc27.x86_64 IPA VERSION: 4.6.3, API_VERSION: 2.229)
1) full backup made with ipa-backup
2) server loss
3) new server build from scratch
4) ipa-restore
5) ..Failed to start pki-tomcatd Service
-----------
ipa: DEBUG: response body (Apache Tomcat/8.0.50 error report):
HTTP Status 500 - Subsystem unavailable
type: Exception report
message: Subsystem unavailable
description: The server encountered an internal error that prevented it from fulfilling this request.
exception: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
    com.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:138)
    org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
    com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:81)
    org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
    org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
    org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)
    org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
    org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
    org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    java.lang.Thread.run(Thread.java:748)
note: The full stack trace of the root cause is available in the Apache Tomcat/8.0.50 logs.
ipa: DEBUG: The CA status is: check interrupted due to error: Retrieving CA status failed with status 500
ipa: DEBUG: Waiting for CA to start...
Failed to start pki-tomcatd Service
On 04/10/2018 11:35 AM, Hillar Aarelaid via FreeIPA-users wrote:
Hi,
you can find troubleshooting information in this blog: https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcat...
I would start by checking if all the certificates are up-to-date, especially subsystemCert cert-pki-ca.
HTH, Flo
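Following Flo's pointer, here is an added triage script (mine, not code from this thread, from FreeIPA or from Dogtag) that does the two checks a practitioner would run first on a restored master: it pulls the client-cert nickname, the handshake result and the LDAP bind failure out of debug log lines like the ones quoted in the first post, and it parses `certutil -L` output for the CA's NSS database to report whether each certificate is inside its validity window. The NSS database path, the nickname list and the `certutil` output format are assumptions matching a default FreeIPA/Dogtag install; the embedded log and certutil samples are constructed.

```python
"""Triage a pki-tomcatd start failure after ipa-restore (added example).

1. Extract the client-cert nickname and the LDAP bind error from
   /var/log/pki/pki-tomcat/ca/debug.
2. Check the validity window of every CA certificate in the pki-tomcat
   NSS database by parsing `certutil -L -d <db> -n <nickname>`.
"""
import re
import subprocess
from datetime import datetime

# Assumptions: default pki-tomcat NSS database and the standard CA nicknames.
NSS_DB = "/etc/pki/pki-tomcat/alias"
CA_NICKNAMES = [
    "subsystemCert cert-pki-ca",
    "auditSigningCert cert-pki-ca",
    "ocspSigningCert cert-pki-ca",
    "caSigningCert cert-pki-ca",
    "Server-Cert cert-pki-ca",
]

# Constructed sample in the format of the debug log quoted in the thread.
SAMPLE_DEBUG_LOG = """\
[04/Apr/2018:11:56:27][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
[04/Apr/2018:11:56:27][localhost-startStop-1]: SSL handshake happened
Could not connect to LDAP server host swir.private port 636 Error netscape.ldap.LDAPException: Authentication failed (49)
"""

# Constructed sample of `certutil -L` output (only the fields parsed below).
SAMPLE_CERTUTIL = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4 (0x4)
        Validity:
            Not Before: Fri Mar 09 10:20:15 2018
            Not After : Thu Feb 27 10:20:15 2020
"""

_NICK_RE = re.compile(r"Setting desired cert nickname to: (.+)$", re.M)
_LDAP_RE = re.compile(r"Could not connect to LDAP server host (\S+) port (\d+).*?\((\d+)\)")
_SERIAL_RE = re.compile(r"Serial Number:\s*(\d+)")
_NOT_BEFORE_RE = re.compile(r"Not Before:\s*(.+)$", re.M)
_NOT_AFTER_RE = re.compile(r"Not After\s*:\s*(.+)$", re.M)
_DATE_FMT = "%a %b %d %H:%M:%S %Y"  # certutil's human-readable date format


def triage_debug_log(text):
    """Which cert did the CA present, did TLS accept it, and how did the bind end?
    Error 49 after 'SSL handshake happened' means the directory accepted the TLS
    client certificate but refused to map it to a bind identity."""
    nick = _NICK_RE.search(text)
    ldap = _LDAP_RE.search(text)
    return {
        "nickname": nick.group(1).strip() if nick else None,
        "handshake_ok": "SSL handshake happened" in text,
        "ldap_host": ldap.group(1) if ldap else None,
        "ldap_port": int(ldap.group(2)) if ldap else None,
        "ldap_error": int(ldap.group(3)) if ldap else None,
    }


def parse_cert(certutil_output):
    """Pull serial and validity window out of `certutil -L` pretty-print output."""
    serial = _SERIAL_RE.search(certutil_output)
    nb = _NOT_BEFORE_RE.search(certutil_output)
    na = _NOT_AFTER_RE.search(certutil_output)
    if not (serial and nb and na):
        raise ValueError("unrecognised certutil output")
    return {
        "serial": int(serial.group(1)),
        "not_before": datetime.strptime(nb.group(1).strip(), _DATE_FMT),
        "not_after": datetime.strptime(na.group(1).strip(), _DATE_FMT),
    }


def cert_status(cert, now):
    """'valid', 'expired' or 'not-yet-valid' relative to `now` (naive datetime)."""
    if now < cert["not_before"]:
        return "not-yet-valid"
    if now > cert["not_after"]:
        return "expired"
    return "valid"


def certutil_list(nickname, db=NSS_DB):
    """Run certutil for one nickname; raises if NSS tools or the DB are missing."""
    out = subprocess.run(["certutil", "-L", "-d", db, "-n", nickname],
                         check=True, capture_output=True, text=True)
    return out.stdout


def check_ca_certs(now, nicknames=CA_NICKNAMES, lister=certutil_list):
    """Map nickname -> status for every CA cert. `lister` is injectable so the
    parsing can be exercised against canned output without a live NSS DB."""
    report = {}
    for nick in nicknames:
        try:
            report[nick] = cert_status(parse_cert(lister(nick)), now)
        except (subprocess.CalledProcessError, FileNotFoundError, ValueError) as exc:
            report[nick] = "error: %s" % exc
    return report


if __name__ == "__main__":
    print(triage_debug_log(SAMPLE_DEBUG_LOG))
    print(check_ca_certs(datetime.now()))
```

Run it as root on the restored CA host; the `lister` hook lets you feed it saved `certutil` output from a healthy server for comparison. An expired or not-yet-valid subsystem cert explains error 49 on its own. A subsystem cert that is valid but still fails to bind after a successful handshake points at a mismatch between the certificate in the NSS database and the copy the directory uses to map that client certificate to the CA's bind user, which is exactly the kind of discrepancy a backup taken before a renewal leaves behind; the serial number parsed above is what to compare in that case.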