While watching my certificates to renew (hopefully not failing again) and crawling through my logs, I found some Warnings on all of my master and replicas.
Do I have to worry about something? The "ocspSigningCert cert-pki-ca" is one of the certificates expiring in 9 days.
journalctl -u pki-tomcatd@pki-tomcat
on idm1 (Replication Master)
Nov 20 17:13:19 idm1.example.com.example.com[9668]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property.
Nov 20 17:13:19 idm1.example.com[9668]: Nov 20, 2019 5:13:19 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Nov 20 17:13:19 idm1.example.com[9668]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://idm1.example.com:9080/ca/ocsp' did not find a matching property.
Nov 20 17:13:19 idm1.example.com server[9668]: Nov 20, 2019 5:13:19 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Nov 20 17:13:19 idm1.example.com server[9668]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property.
Nov 20 17:13:19 idm1.example.com server[9668]: Nov 20, 2019 5:13:19 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Nov 20 17:13:19 idm1.example.com server[9668]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property.
Nov 20 17:13:19 idm1.example.com server[9668]: Nov 20, 2019 5:13:19 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Nov 20 17:13:19 idm1.example.com server[9668]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a matching property.
Nov 20 17:13:19 idm1.example.com server[9668]: Nov 20, 2019 5:13:19 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Nov 20 17:13:19 idm1.example.com server[9668]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
Nov 20 17:13:19 idm1.example.com server[9668]: Nov 20, 2019 5:13:19 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Nov 20 17:13:19 idm1.example.com server[9668]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching property.
Nov 20 17:13:19 idm1.example.com server[9668]: Nov 20, 2019 5:13:19 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Nov 20 17:13:19 idm1.example.com server[9668]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'strictCiphers' to 'true' did not find a matching property.
Nov 20 17:13:19 idm1.example.com server[9668]: Nov 20, 2019 5:13:19 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Nov 20 17:13:19 idm1.example.com server[9668]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not find a matching property.
Nov 20 17:13:19 idm1.example.com server[9668]: Nov 20, 2019 5:13:19 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Nov 20 17:13:19 idm1.example.com server[9668]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_C
Nov 20 17:13:19 idm1.example.com server[9668]: Nov 20, 2019 5:13:19 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Nov 20 17:13:19 idm1.example.com server[9668]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-
Nov 20 17:13:19 idm1.example.com server[9668]: Nov 20, 2019 5:13:19 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Nov 20 17:13:19 idm1.example.com server[9668]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES
Nov 20 17:13:19 idm1.example.com server[9668]: Nov 20, 2019 5:13:19 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Nov 20 17:13:19 idm1.example.com server[9668]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property.
Nov 20 17:13:19 idm1.example.com server[9668]: Nov 20, 2019 5:13:19 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Nov 20 17:13:19 idm1.example.com server[9668]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching property.
Nov 20 17:13:19 idm1.example.com server[9668]: Nov 20, 2019 5:13:19 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Nov 20 17:13:19 idm1.example.com server[9668]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH
Nov 20 17:13:19 idm1.example.com server[9668]: Nov 20, 2019 5:13:19 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Nov 20 17:13:19 idm1.example.com server[9668]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property.
Nov 20 17:13:19 idm1.example.com server[9668]: Nov 20, 2019 5:13:19 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Nov 20 17:13:19 idm1.example.com server[9668]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property.
Nov 20 17:13:19 idm1.example.com server[9668]: Nov 20, 2019 5:13:19 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Nov 20 17:13:19 idm1.example.com server[9668]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property.
Nov 20 17:13:19 idm1.example.com server[9668]: Nov 20, 2019 5:13:19 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Nov 20 17:13:19 idm1.example.com server[9668]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property.
Nov 20 17:13:19 idm1.example.com server[9668]: Nov 20, 2019 5:13:19 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
Nov 20 17:13:19 idm1.example.com server[9668]: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property.
Nov 20 17:13:19 idm1.example.com server[9668]: Nov 20, 2019 5:13:19 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
Nov 20 17:13:19 idm1.example.com server[9668]: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property.
Nov 20 17:13:19 idm1.example.com server[9668]: Nov 20, 2019 5:13:19 PM com.netscape.cms.tomcat.PKIListener lifecycleEvent
Nov 20 17:13:19 idm1.example.com server[9668]: INFO: PKIListener: org.apache.catalina.core.StandardServer [before_init]
Nov 20 17:13:19 idm1.example.com server[9668]: Nov 20, 2019 5:13:19 PM org.apache.coyote.AbstractProtocol init
Nov 20 17:13:19 idm1.example.com server[9668]: INFO: Initializing ProtocolHandler ["http-bio-8080"]
Nov 20 17:13:19 idm1.example.com server[9668]: Nov 20, 2019 5:13:19 PM org.apache.coyote.AbstractProtocol init
Nov 20 17:13:19 idm1.example.com server[9668]: INFO: Initializing ProtocolHandler ["http-bio-8443"]
Nov 20 17:13:20 idm1.example.com server[9668]: Error: SSL cipher "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" not recognized by tomcatjss
Nov 20 17:13:20 idm1.example.com server[9668]: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" not recognized by tomcatjss
and the other masters (e.g. idm2)
Nov 20 17:13:15 idm2.example.com server[10334]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property.
Nov 20 17:13:15 idm2.example.com server[10334]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://idm2.example.com:8080/ca/ocsp' did not find a matching property.
Nov 20 17:13:15 idm2.example.com server[10334]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property.
Nov 20 17:13:15 idm2.example.com server[10334]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property.
Nov 20 17:13:15 idm2.example.com server[10334]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a matching property.
Nov 20 17:13:15 idm2.example.com server[10334]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
Nov 20 17:13:15 idm2.example.com server[10334]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching property.
Nov 20 17:13:15 idm2.example.com server[10334]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'strictCiphers' to 'true' did not find a matching property.
Nov 20 17:13:15 idm2.example.com server[10334]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not find a matching property.
Nov 20 17:13:15 idm2.example.com server[10334]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_
Nov 20 17:13:15 idm2.example.com server[10334]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,
Nov 20 17:13:15 idm2.example.com server[10334]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DE
Nov 20 17:13:15 idm2.example.com server[10334]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property.
Nov 20 17:13:15 idm2.example.com server[10334]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching property.
Nov 20 17:13:15 idm2.example.com server[10334]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WIT
Nov 20 17:13:15 idm2.example.com server[10334]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property.
Nov 20 17:13:15 idm2.example.com server[10334]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property.
Nov 20 17:13:15 idm2.example.com server[10334]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property.
Nov 20 17:13:15 idm2.example.com server[10334]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property.
Nov 20 17:13:15 idm2.example.com server[10334]: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property.
Nov 20 17:13:15 idm2.example.com server[10334]: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property.
Christof Schulze via FreeIPA-users wrote:
While watching my certificates to renew (hopefully not failing again) and crawling through my logs, I found some Warnings on all of my master and replicas.
Do I have to worry about something? The "ocspSigningCert cert-pki-ca" is one of the certificates expiring in 9 days.
The dogtag team tells me they are harmless. They no longer show in versions higher than 10.5.
rob
freeipa-users@lists.fedorahosted.org
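A triage filter for journal output like the one quoted in this thread, as an added example that is not part of the original messages: it groups the "did not find a matching property" warnings by host and element path, and returns every other non-INFO entry separately so it is not lost among them. The sample lines are constructed in the shape of the quoted output, and the function and variable names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the journal lines quoted in the thread.
# The third line is cut off mid-value, as the long cipher entries are there.
SAMPLE = """\
Nov 20 17:13:19 idm1.example.com server[9668]: Nov 20, 2019 5:13:19 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Nov 20 17:13:19 idm1.example.com server[9668]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property.
Nov 20 17:13:19 idm1.example.com server[9668]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5
Nov 20 17:13:19 idm1.example.com server[9668]: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property.
Nov 20 17:13:19 idm1.example.com server[9668]: INFO: Initializing ProtocolHandler ["http-bio-8443"]
Nov 20 17:13:20 idm1.example.com server[9668]: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" not recognized by tomcatjss
Nov 20 17:13:15 idm2.example.com server[10334]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property.
"""

# syslog-style prefix: timestamp, host, optional process name, [pid]
JOURNAL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+?)(?: \S+)?\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# java.util.logging header line ("Nov 20, 2019 5:13:19 PM <class> <method>")
JUL_HEADER = re.compile(
    r"^[A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M \S+ \S+$"
)
# Matched on the prefix only, so entries truncated mid-value still classify.
UNMATCHED = re.compile(
    r"^WARNING: \[Set(?:All)?PropertiesRule\]\{(?P<element>[^}]+)\} "
    r"Setting property '(?P<prop>[^']+)' to '"
)


def triage(text):
    """Return (unmatched, review).

    unmatched: {host: {element_path: [property, ...]}} for the
               'did not find a matching property' warnings.
    review:    [(host, message)] for every other non-INFO entry.
    """
    unmatched = defaultdict(lambda: defaultdict(list))
    review = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = JOURNAL.match(line)
        if not m:
            review.append(("?", line))  # unparseable lines are never dropped
            continue
        host, msg = m.group("host"), m.group("msg")
        if JUL_HEADER.match(msg) or msg.startswith("INFO: "):
            continue
        w = UNMATCHED.match(msg)
        if w:
            unmatched[host][w.group("element")].append(w.group("prop"))
        else:
            review.append((host, msg))
    return {h: dict(e) for h, e in unmatched.items()}, review


if __name__ == "__main__":
    grouped, rest = triage(SAMPLE)
    for host, elements in grouped.items():
        for element, props in elements.items():
            print(f"{host} {element}: {len(props)} unmatched: {', '.join(props)}")
    for host, msg in rest:
        print(f"REVIEW {host}: {msg}")
```
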