Hi,

On Mon, Jun 26, 2023 at 4:36 PM Tania Hagan via FreeIPA-users <[email protected]> wrote:

> Hi FreeIPA,
>
> I am currently using FreeIPA version 4.9.10 with 6 ipareplicas. I went
> to upgrade the server to 4.9.11 but the ipa-server-upgrade failed where it
> attempted to start pki-tomcat. In the /var/log/pki/pki-tomcat/ca/debug.log
> I see:
>
> Unable to connect to LDAP server: Unable to create socket:
> java.net.ConnectException: Connection refused (Connection refused)
> …
> At netscape.ldap.LDAPConnection(Uknown Source)
>
> Unable to start CA engine: Unable to connect to LDAP server: Unable to
> create socket: java.net.ConnectionExection: Connection refused (Connection
> refused)
> ….
>
> I've been through the guide
> https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
> where I can confirm the /etc/pki/pki-tomcat/ca/CS.cfg is using:
> internaldb.ldapauth.authtype=SslClientAuth
> internaldb.ldapauth.bindDN=cn=Directory Manager
> internaldb.ldapauth.bindPWPrompt=internaldb
> internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
> internaldb.ldapconn.host=<servername>
> internaldb.ldapconn.port=636
> internaldb.ldapconn.secureConn=true
>
> certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca'
> shows the cert with the correct Serial number and the cert does not expire
> until next year.
>
> If I read the private key, I have checked the Nickname is correct and does
> work on another ipareplica but not the one I'm troubleshooting.
> grep internal /var/lib/pki/pki-tomcat/conf/password.conf | cut -d= -f2 > /tmp/pwdfile.txt
> certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'subsystemCert cert-pki-ca'
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> certutil: problem listing keys: SEC_ERROR_INVALID_ARGS: security library: invalid arguments.
>

Sometimes the key alias starts with a prefix. Can you check the output of

# certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt

If the key is displayed in the output then there is no issue with it. The ldap server configuration looks to be using the correct certificate.

> I rolled back the server to my last known working server, and find that
> commands such as ipa cert-find work fine, all my replicas have the same
> cert, but the command certutil -K -d /etc/pki/pki-tomcat/alias -f
> /tmp/pwdfile.txt -n 'subsystemCert cert-pki-ca' fails on 4 out of 6
> ipareplicas. 2 replicas see the correct result.
>
> Could anyone help point me to how I might resolve this issue?
>

You may also be hitting https://pagure.io/freeipa/issue/9381. Please check if you have the drop-in file /etc/systemd/system/[email protected]/ipa.conf or otherwise manually create it and re-try the upgrade.

flo

> Many Thanks,
> Tania
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
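The three checks the reply walks through (which nickname CS.cfg tells pki-tomcat to present, whether `certutil -K` lists a private key under that alias even when a token prefix sits in front of it, and whether the systemd drop-in exists) can be scripted so that a replica's state is compared against saved output instead of eyeballed. The script below is an added example written for this thread; it is not code from the thread, from FreeIPA or from Dogtag. It works on files you pass in (a copy of CS.cfg, the saved `certutil -K` listing, and the drop-in path quoted in the reply), and the sample CS.cfg, key listings, host name `ipa.example.test`, key ids and temporary drop-in it builds for the demonstration are constructed, as are the function names.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): offline checks
# for the pki-tomcat -> LDAP client-auth setup discussed above.
#   - read the nickname/port/secureConn that CS.cfg points pki-tomcat at
#   - look for that nickname in saved `certutil -K` output, tolerating a
#     token prefix such as "NSS Certificate DB:" in front of the alias
#   - confirm the systemd drop-in file from the reply exists (path is an argument)
# All sample data created by setup_samples is constructed for the demo.

# Print the value of a key=value setting from a CS.cfg-style file.
# Splitting on the first '=' only keeps values that themselves contain '='
# (bindDN=cn=Directory Manager) intact.
cs_cfg_get() {
    # $1 = path to CS.cfg, $2 = setting name
    awk -F= -v k="$2" '$1 == k { print substr($0, length(k) + 2); exit }' "$1"
}

# Succeed if a saved `certutil -K` listing ($1) has a key line whose alias
# ends with nickname $2. Matching the end of the line, preceded by a space
# or ':', is what tolerates a "token:" prefix on the alias.
key_listed() {
    grep -qE "^<[[:space:]]*[0-9]+>.*[[:space:]:]$2\$" "$1"
}

# Run all three checks; print findings and return 0 only if every check passes.
diagnose() {
    # $1 = CS.cfg, $2 = saved certutil -K output, $3 = drop-in file path
    nick=$(cs_cfg_get "$1" internaldb.ldapauth.clientCertNickname)
    port=$(cs_cfg_get "$1" internaldb.ldapconn.port)
    secure=$(cs_cfg_get "$1" internaldb.ldapconn.secureConn)
    rc=0
    if [ "$port" = 636 ] && [ "$secure" != true ]; then
        echo "CS.cfg: port 636 but internaldb.ldapconn.secureConn=$secure"
        rc=1
    fi
    if key_listed "$2" "$nick"; then
        echo "NSS DB: private key for '$nick' is listed"
    else
        echo "NSS DB: no private key for '$nick' (missing key or nickname mismatch)"
        rc=1
    fi
    if [ -f "$3" ]; then
        echo "systemd drop-in present: $3"
    else
        echo "systemd drop-in missing: $3"
        rc=1
    fi
    return $rc
}

# Constructed sample inputs: a CS.cfg fragment with the settings from the
# thread, one certutil -K listing that shows the key behind a token prefix,
# one that lacks it, and an empty drop-in file under a temporary directory.
setup_samples() {
    SAMPLE_DIR=$(mktemp -d)
    cat > "$SAMPLE_DIR/CS.cfg" <<'EOF'
internaldb.ldapauth.authtype=SslClientAuth
internaldb.ldapauth.bindDN=cn=Directory Manager
internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
internaldb.ldapconn.host=ipa.example.test
internaldb.ldapconn.port=636
internaldb.ldapconn.secureConn=true
EOF
    cat > "$SAMPLE_DIR/keys-ok.txt" <<'EOF'
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      0123456789abcdef0123456789abcdef01234567   NSS Certificate DB:subsystemCert cert-pki-ca
< 1> rsa      89abcdef0123456789abcdef0123456789abcdef   Server-Cert cert-pki-ca
EOF
    cat > "$SAMPLE_DIR/keys-missing.txt" <<'EOF'
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      89abcdef0123456789abcdef0123456789abcdef   Server-Cert cert-pki-ca
EOF
    mkdir -p "$SAMPLE_DIR/dropin.d"
    : > "$SAMPLE_DIR/dropin.d/ipa.conf"
}

# Demonstration on the constructed samples: run as `sh check-pki-ldap.sh --demo`
if [ "${1:-}" = "--demo" ]; then
    setup_samples
    echo "== replica with the key =="
    diagnose "$SAMPLE_DIR/CS.cfg" "$SAMPLE_DIR/keys-ok.txt" "$SAMPLE_DIR/dropin.d/ipa.conf"
    echo "== replica without the key =="
    diagnose "$SAMPLE_DIR/CS.cfg" "$SAMPLE_DIR/keys-missing.txt" "$SAMPLE_DIR/dropin.d/ipa.conf" || true
    rm -rf "$SAMPLE_DIR"
fi
```

On a real replica, save `certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt` to a file first and call `diagnose /etc/pki/pki-tomcat/ca/CS.cfg <that file> <drop-in path>`; a replica where only the `-n` form of the command fails but the full listing shows the alias with a prefix is the case the reply describes, and the nickname-mismatch message is what distinguishes it from a key that is genuinely absent.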
