Hi,

On Fri, Apr 12, 2024 at 10:52 PM Basile Pinsard via FreeIPA-users <[email protected]> wrote:
> Hi freeipa experts.
>
> I have been using freeipa for the past 5 years running in a docker
> container, no replicas.
> currently on VERSION: 4.9.6, API_VERSION: 2.245
>
> I have the following issue, not sure what caused this: pki-tomcat service
> is not starting, and it is no longer possible to login through the web-ui.
> Auth through ldap (some websites) and through sssd on linux servers is
> still working, kerberos tickets are generated when logging with password or
> when running kinit, so critical operations are still possible.
>
> The messages in `systemctl status [email protected]` are
> ```
> Apr 12 13:50:33 ipa.domain.com ipa-pki-wait-running[17869]: ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error: for url: http://ipa.domain.com:8080/ca/admin/ca/getStatus
> Apr 12 13:50:34 ipa.domain.com systemd[1]: [email protected]: start-post operation timed out. Terminating.
> Apr 12 13:50:34 ipa.domain.com systemd[1]: [email protected]: Control process exited, code=killed, status=15/TERM
> Apr 12 13:50:34 ipa.domain.com systemd[1]: [email protected]: Failed with result 'timeout'.
> Apr 12 13:50:34 ipa.domain.com systemd[1]: Failed to start PKI Tomcat Server pki-tomcat.
> ```
>
> journalctl gives other errors (filtered what seems relevant).
> ```
> Apr 12 13:49:05 ipa.domain.com server[17868]: WARNING: Problem with JAR file [/usr/share/pki/server/common/lib/commons-collections.jar], exists: [false], canRead: [false]
> Apr 12 13:49:07 ipa.domain.com java[17868]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
> ```

The above error was a known issue in selinux, should have been fixed in RHEL 8.5 (Bug 1894132 <https://bugzilla.redhat.com/show_bug.cgi?id=1894132> - SELinux prevents 2 programs from accessing /run/lock/opencryptoki/LCK..APIlock). What are your exact versions of ipa, pki and selinux-policy? On which OS is your server running?

flo

> ```
> Apr 12 13:49:18 ipa.domain.com server[17868]: SEVERE: Context [/acme] startup failed due to previous errors
> ```
>
> `/var/log/pki/pki-tomcat/pki/debug.2024-04-12.log`
> contains the following errors
> ```
> 2024-04-12 15:01:12 [main] SEVERE: Exception initializing random number generator using provider [Mozilla-JSS]
> java.security.NoSuchProviderException: no such provider: Mozilla-JSS
>         at java.base/sun.security.jca.GetInstance.getService(GetInstance.java:83)
>         at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
> ....
> ```
>
> `/var/log/pki/pki-tomcat/ca/debug.2024-04-12.log`
> contains the following type of errors
> ```
> 2024-04-12 00:17:37 [main] SEVERE: Unable to start CA engine: Property instanceRoot missing value
> Property instanceRoot missing value
>         at com.netscape.cmscore.base.PropConfigStore.getString(PropConfigStore.java:297)
>         at com.netscape.cmscore.apps.EngineConfig.getInstanceDir(EngineConfig.java:55)
>         at com.netscape.cmscore.apps.CMSEngine.loadConfig(CMSEngine.java:233)
>         at com.netscape.cmscore.apps.CMSEngine.start(CMSEngine.java:1025)
> ....
>
> 2024-04-12 17:49:21 [main] SEVERE: Exception sending context initialized event to listener instance of class [org.dogtagpki.server.ca.CAEngine]
> java.lang.RuntimeException: Unable to start CA engine: Property instanceRoot missing value
>         at com.netscape.cmscore.apps.CMSEngine.contextInitialized(CMSEngine.java:1672)
>         at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4768)
>         at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5230)
> ```
>
> `getcert list` reports all entries except the caCACert as expired.
>
> I tried pretty much everything I could find on the internet (though most
> of the threads I found were never resolved).
> Tried ipa-cert-fix.
> Tried ipa-restoring a backup in a new container, same problem occurs.
>
> My guess is that an upgrade years back did break the certificate
> auto-renewal and went undetected, and now everything is expired it's
> failing.
>
> If you have any ideas of what to check/try I would be very grateful as I
> am losing my sanity here.
> Also, I am a bit scared of breaking what is currently working (ldap+sssd)
> and critical to our operations, so if anything can be tested on a copy of
> the data in a container that would be great.
>
> Thanks!
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
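The poster's guess is that auto-renewal broke years earlier and nobody noticed until everything had expired. A periodic check that parses `getcert list` output and flags expired, soon-to-expire, or non-MONITORING tracking requests would surface that long before pki-tomcat stops starting. This is an added example, not code from the thread or from FreeIPA/certmonger; the `getcert list` sample it parses is constructed, with the field layout following certmonger's real output.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `getcert list` output (not from the thread); the
# real command prints one such record per tracked certificate.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20190101000000':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2039-01-01 00:00:00 UTC
Request ID '20190101000001':
\tstatus: CA_UNREACHABLE
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2021-03-01 00:00:00 UTC
Request ID '20190101000002':
\tstatus: MONITORING
\tcertificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
\texpires: 2024-04-30 00:00:00 UTC
"""

def parse_getcert(text):
    # One dict per "Request ID" block; every indented "key: value" line becomes a field.
    entries, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return entries

def check_certs(text, now, warn_days=30):
    # Return (request id, cert name, reason) for every tracked cert that needs attention.
    findings = []
    for e in parse_getcert(text):
        loc = e.get("certificate", "")
        m = re.search(r"nickname='([^']+)'", loc) or re.search(r"location='([^']+)'", loc)
        name = m.group(1) if m else e["id"]
        expires = datetime.strptime(e["expires"].replace(" UTC", ""),
                                    "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        if expires <= now:
            findings.append((e["id"], name, "expired"))
        elif expires - now <= timedelta(days=warn_days):
            findings.append((e["id"], name, "expires within %d days" % warn_days))
        # Any status other than MONITORING means certmonger could not complete a renewal.
        if e.get("status") != "MONITORING":
            findings.append((e["id"], name, "renewal stuck (%s)" % e.get("status")))
    return findings
```

On a real server, call `check_certs` on the captured output of `getcert list` with `now=datetime.now(timezone.utc)`; an empty result is the healthy state, and anything else should page someone before the CA's own certificates lapse.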
