> I'm asking you to compare because it's unexpected to see a subject
> CN=localhost for the IPA CA. Someone has probably messed up with some
> commands and replaced the original IPA CA with a wrong one in the
> /etc/pki/pki-tomcat/alias database. If that's the case, we can put the
> right CA back with certutil commands but we need to be sure what to put
> there.
So, I believe that I successfully managed to replace the cert in the database
with /etc/pki/ca.crt; however, still nothing is working. It appears that
although "ipactl status" (and systemctl status) shows pki-tomcatd as running,
there are no services listening. I.e. there is nothing listening on *any* 80xx
port—I gather pki-tomcatd is supposed to be something on 8009?
catalina.out has this:
WARNING: [SetPropertiesRule]{Server/Service/Engine/Host/Valve} Setting property 'resolveHosts' to 'false' did not find a matching property.
WARNING: The JSSE TLS 1.3 implementation does not support authentication after the initial handshake and is therefore incompatible with optional client authentication
SEVERE: Catalina.start
org.apache.catalina.LifecycleException: Failed to initialize component [StandardServer[8005]]
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:113)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:662)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Caused by: java.lang.RuntimeException: java.lang.SecurityException: Unable to initialize security library
    at com.netscape.cms.tomcat.PKIListener.lifecycleEvent(PKIListener.java:64)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:94)
    at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:395)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:108)
    ... 8 more
Caused by: java.lang.SecurityException: Unable to initialize security library
    at org.mozilla.jss.CryptoManager.initializeAllNative2(Native Method)
    at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:956)
    at org.apache.tomcat.util.net.jss.TomcatJSS.init(TomcatJSS.java:322)
    at com.netscape.cms.tomcat.PKIListener.lifecycleEvent(PKIListener.java:62)
    ... 11 more
SEVERE: The required Server component failed to start so Tomcat is unable to start.
org.apache.catalina.LifecycleException: Failed to stop component [StandardServer[8005]]
    at org.apache.catalina.util.LifecycleBase.stop(LifecycleBase.java:238)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:142)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:688)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:353)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:497)
Caused by: org.apache.catalina.LifecycleException: An invalid Lifecycle transition was attempted ([before_stop]) for component [StandardService[Catalina]] in state [INITIALIZED]
    at org.apache.catalina.util.LifecycleBase.invalidTransition(LifecycleBase.java:402)
    at org.apache.catalina.util.LifecycleBase.stop(LifecycleBase.java:213)
    at org.apache.catalina.core.StandardServer.stopInternal(StandardServer.java:814)
    at org.apache.catalina.util.LifecycleBase.stop(LifecycleBase.java:226)
    ... 8 more
and debug complains about two missing jar files:
[localhost-startStop-1] WARNING: Failed to scan [file:/usr/share/java/oscache.jar] from classloader hierarchy
[localhost-startStop-1] WARNING: Failed to scan [file:/usr/share/java/stax-api.jar] from classloader hierarchy
I suspect that it's never been running properly—because of the problems I
had before, I treated this server with kid gloves and never updated it. I
suspect that this is the reason I was never able to get a replica of it running
either.
Any suggestions on how to deal with this? Is there any way to get my data out of
it and into a different server without using replication? Like I said, I would
love nothing more than to get it off of this broken broken distro.