Hi,

On Sat, Sep 3, 2022 at 11:17 AM Sascha Kolanos via FreeIPA-users <[email protected]> wrote:

> Hello all,
>
> since one or two days I can't access the WebUI on my IPA Master (4.9.10).
> With the Replica it works without problems.
>
> In the /var/log/messages I have the following message
> Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in
> /etc/pki/pki-tomcat/ca/profiles/ca/caTPSCert.cfg:82:
> policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1wit>
> Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in
> /etc/pki/pki-tomcat/ca/profiles/ca/AdminCert.cfg:83:
> policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1with>
> Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in
> /etc/pki/pki-tomcat/ca/profiles/ca/caJarSigningCert.cfg:83:
> policyset.caJarSigningSet.6.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRS>
> Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in
> /etc/pki/pki-tomcat/ca/profiles/ca/caAgentFileSigning.cfg:83:
> policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRS>
> Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in
> /etc/pki/pki-tomcat/ca/profiles/ca/caOtherCert.cfg:82:
> policyset.otherCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1wi>
> Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in
> /etc/pki/pki-tomcat/ca/profiles/ca/caUUIDdeviceCert.cfg:96:
> policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SH>
> Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in
> /etc/pki/pki-tomcat/ca/profiles/ca/caUserCert.cfg:98:
> policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1with>
> Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in
> /etc/pki/pki-tomcat/ca/profiles/ca/caRACert.cfg:82:
> policyset.raCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,>
> Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in
> /etc/pki/pki-tomcat/ca/profiles/ca/caRARouterCert.cfg:82:
> policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SH>
> Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in
> /etc/pki/pki-tomcat/ca/profiles/ca/caUserSMIMEcapCert.cfg:98:
> policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,>
> Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in
> /etc/pki/pki-tomcat/ca/profiles/ca/caRAagentCert.cfg:92:
> policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1w>
> Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in
> /etc/pki/pki-tomcat/ca/profiles/ca/caRAserverCert.cfg:82:
> policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SH>
> Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in
> /etc/pki/pki-tomcat/ca/profiles/ca/caRouterCert.cfg:82:
> policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1>
> Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in
> /etc/pki/pki-tomcat/ca/profiles/ca/caCrossSignedCACert.cfg:79:
> policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,S>
> Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in
> /etc/pki/pki-tomcat/ca/profiles/ca/caDirBasedDualCert.cfg:92:
> policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384wi>
> Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in
> /etc/pki/pki-tomcat/ca/profiles/ca/caDirBasedDualCert.cfg:164:
> policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512with>
> Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in
> /etc/pki/pki-tomcat/ca/profiles/ca/caDirBasedDualCert.cfg:168:
> policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA>
> Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in
> /etc/pki/pki-tomcat/ca/profiles/ca/caDirPinUserCert.cfg:96:
> policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SH>
> Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in
> /etc/pki/pki-tomcat/ca/profiles/ca/caDirUserCert.cfg:96:
> policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1w>
> Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in
> /etc/pki/pki-tomcat/ca/profiles/ca/caServerKeygen_DirUserCert.cfg:101:
> policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA51>
> Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in
> /etc/pki/pki-tomcat/ca/profiles/ca/caDualCert.cfg:92:
> policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SH>
> Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in
> /etc/pki/pki-tomcat/ca/profiles/ca/caDualCert.cfg:164:
> policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1>
> Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in
> /etc/pki/pki-tomcat/ca/profiles/ca/caDualCert.cfg:168:
> policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1wit>
> Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in
> /etc/pki/pki-tomcat/ca/profiles/ca/caServerKeygen_UserCert.cfg:101:
> policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512wi>
> Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in
> /etc/pki/pki-tomcat/ca/profiles/ca/caDualRAuserCert.cfg:91:
> policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SH>
> Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in
> /etc/pki/pki-tomcat/ca/profiles/ca/caSigningUserCert.cfg:82:
> policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRS>
> Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in
> /etc/pki/pki-tomcat/ca/profiles/ca/caECDualCert.cfg:164:
> policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SH>
> Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in
> /etc/pki/pki-tomcat/ca/profiles/ca/caInternalAuthOCSPCert.cfg:68:
> policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512with>
> Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in
> /etc/pki/pki-tomcat/ca/profiles/ca/caEncUserCert.cfg:92:
> policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA>
> Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in
> /etc/pki/pki-tomcat/ca/profiles/ca/caIPAserviceCert.cfg:82:
> policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,>
> Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in
> /etc/pki/pki-tomcat/ca/profiles/ca/caInstallCACert.cfg:83:
> policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1w>
> Sep 3 10:44:49 fedora server[2507]: Java virtual machine used:
> /usr/lib/jvm/jre-17-openjdk/bin/java
> Sep 3 10:44:49 fedora server[2507]: classpath used:
> /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:
> Sep 3 10:44:49 fedora server[2507]: main class used:
> org.apache.catalina.startup.Bootstrap
> Sep 3 10:44:49 fedora server[2507]: flags used: -Dcom.redhat.fips=false
> Sep 3 10:44:49 fedora server[2507]: options used:
> -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat
> -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp
> -Djava.util.logging.config.file=/var/lib/pk>
> Sep 3 10:44:49 fedora server[2507]: arguments used: start
> Sep 3 10:44:49 fedora server[2507]: NOTE: Picked up JDK_JAVA_OPTIONS:
> --add-opens=java.base/java.lang=ALL-UNNAMED
> --add-opens=java.base/java.io=ALL-UNNAMED
> --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/
> java.util.co>
> Sep 3 10:44:49 fedora server[2507]: WARNING: A command line option has
> enabled the Security Manager
> Sep 3 10:44:49 fedora server[2507]: WARNING: The Security Manager is
> deprecated and will be removed in a future release
> Sep 3 10:44:50 fedora ipa-pki-wait-running[2508]: pki.client:
> /usr/libexec/ipa/ipa-pki-wait-running:61: The subsystem in
> PKIConnection.__init__() has been deprecated (
> https://www.dogtagpki.org/wiki/PKI_10.8_Python_Changes).
> Sep 3 10:44:50 fedora ipa-pki-wait-running[2508]: ipa-pki-wait-running:
> Created connection http://ipa.kolanos.net:8080/ca
> Sep 3 10:44:50 fedora ipa-pki-wait-running[2508]: ipa-pki-wait-running:
> Connection failed: HTTPConnectionPool(host='ipa.kolanos.net', port=8080):
> Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by
> NewConnectionError('<url>
> Sep 3 10:44:51 fedora ipa-pki-wait-running[2508]: ipa-pki-wait-running:
> Connection failed: HTTPConnectionPool(host='ipa.kolanos.net', port=8080):
> Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by
> NewConnectionError('<url>
> Sep 3 10:44:52 fedora certmonger[2542]: 2022-09-03 10:44:52 [2542]
> Certificate "KOLANOS.NET IPA CA" valid for 589414559s.
> Sep 3 10:44:52 fedora pcscd[833]: 03957038
> auth.c:137:IsClientAuthorized() Process 2507 (user: 17) is NOT authorized
> for action: access_pcsc
> Sep 3 10:44:52 fedora pcscd[833]: 00000451
> winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
> Sep 3 10:44:52 fedora pcscd[833]: 00048514
> auth.c:137:IsClientAuthorized() Process 2507 (user: 17) is NOT authorized
> for action: access_pcsc
> Sep 3 10:44:52 fedora pcscd[833]: 00000400
> winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
> Sep 3 10:44:52 fedora ipa-pki-wait-running[2508]: ipa-pki-wait-running:
> Connection failed: HTTPConnectionPool(host='ipa.kolanos.net', port=8080):
> Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by
> NewConnectionError('<url>
> Sep 3 10:44:52 fedora pcscd[833]: 00035722
> auth.c:137:IsClientAuthorized() Process 2507 (user: 17) is NOT authorized
> for action: access_pcsc
> Sep 3 10:44:52 fedora pcscd[833]: 00000293
> winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
> Sep 3 10:44:52 fedora pcscd[833]: 00039624
> auth.c:137:IsClientAuthorized() Process 2507 (user: 17) is NOT authorized
> for action: access_pcsc
> Sep 3 10:44:52 fedora pcscd[833]: 00000335
> winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
> Sep 3 10:44:53 fedora ipa-pki-wait-running[2508]: ipa-pki-wait-running:
> Connection failed: HTTPConnectionPool(host='ipa.kolanos.net', port=8080):
> Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by
> NewConnectionError('<url>
> Sep 3 10:44:54 fedora server[2507]: WARNING: Some of the specified
> [protocols] are not supported by the SSL engine and have been skipped:
> [[TLSv1, TLSv1.1]]
> Sep 3 10:44:55 fedora ipa-pki-wait-running[2508]: ipa-pki-wait-running:
> Connection failed: HTTPConnectionPool(host='ipa.kolanos.net', port=8080):
> Read timed out. (read timeout=1.0)
>
>

This looks like pki fails to start. What is the output of "ipactl status" on the master?
If the services are down, you can restart them with "ipactl start --ignore-service-failures" and troubleshoot the failing services.

HTH,
flo

> Does anyone have a tip for me how I can proceed here?
>
> Thanks a lot
> vapaa
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
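The quoted log mixes dozens of repeated warnings with a handful of lines from `ipa-pki-wait-running`, the helper that polls the CA status URL. The sketch below is an added example, not part of the original thread or of FreeIPA: it counts lines per program and classifies each failed probe. The function names are hypothetical and the sample lines are abbreviated from the log quoted above.

```python
import re
from collections import Counter

# Sample lines abbreviated from the log quoted in the thread ("..." marks text cut here).
SAMPLE = """\
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caTPSCert.cfg:82: ...
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/AdminCert.cfg:83: ...
Sep 3 10:44:50 fedora ipa-pki-wait-running[2508]: ipa-pki-wait-running: Created connection http://ipa.kolanos.net:8080/ca
Sep 3 10:44:50 fedora ipa-pki-wait-running[2508]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa.kolanos.net', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<url>
Sep 3 10:44:52 fedora pcscd[833]: 00000451 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Sep 3 10:44:53 fedora ipa-pki-wait-running[2508]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa.kolanos.net', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<url>
Sep 3 10:44:55 fedora ipa-pki-wait-running[2508]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa.kolanos.net', port=8080): Read timed out. (read timeout=1.0)
"""

# "Mon D HH:MM:SS host program[pid]: message"
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) ([^\[\s]+)\[(\d+)\]: (.*)$")

def parse(text):
    """Yield (timestamp, program, message) for each syslog-style line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield m.group(1), m.group(3), m.group(5)

def per_program(text):
    """Count lines per program so repeated warnings collapse to one number."""
    return Counter(prog for _, prog, _ in parse(text))

def ca_probe_failures(text):
    """Classify each failed ipa-pki-wait-running probe of the CA status URL."""
    out = []
    for ts, prog, msg in parse(text):
        if prog != "ipa-pki-wait-running" or "Connection failed" not in msg:
            continue
        if "NewConnectionError" in msg:
            kind = "no-tcp-connection"   # no TCP connection to the port could be made
        elif "Read timed out" in msg:
            kind = "connected-no-reply"  # port accepted, no HTTP answer within the timeout
        else:
            kind = "other"
        out.append((ts, kind))
    return out

if __name__ == "__main__":
    print(dict(per_program(SAMPLE)))
    for ts, kind in ca_probe_failures(SAMPLE):
        print(ts, kind)
```

On the sample, the probes move from `no-tcp-connection` to `connected-no-reply` at 10:44:55: port 8080 began accepting connections, but no status reply arrived within the 1.0 s read timeout.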
