Re: [Freeipa-users] Failed to start pki-tomcatd Service

[Lukas Slebodnik]

On (10/07/15 17:28), Alexandre Ellert wrote:
>
>> Le 30 juin 2015 à 10:16, Alexandre Ellert <aell...@numeezy.com> a écrit :
>> 
>> 
>>> Could you please provide the content of logfile:
>>> `/var/log/pki/pki-tomcat/ca/debug', around the time the error
>>> occurs?
>>> 
>>> Thanks,
>>> Fraser
>> 
>> When the pki-tomcatd service is trying to start, I see this message in 
>> /var/log/pki/pki-tomcat/ca/debug
>> 
>> [30/Jun/2015:10:02:13][localhost-startStop-1]: 
>> ============================================
>> [30/Jun/2015:10:02:13][localhost-startStop-1]: =====  DEBUG SUBSYSTEM 
>> INITIALIZED   =======
>> [30/Jun/2015:10:02:13][localhost-startStop-1]: 
>> ============================================
>> [30/Jun/2015:10:02:13][localhost-startStop-1]: CMSEngine: done init id=debug
>> [30/Jun/2015:10:02:13][localhost-startStop-1]: CMSEngine: initialized debug
>> [30/Jun/2015:10:02:13][localhost-startStop-1]: CMSEngine: initSubsystem 
>> id=log
>> [30/Jun/2015:10:02:13][localhost-startStop-1]: CMSEngine: ready to init 
>> id=log
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: done init id=log
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: initialized log
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: initSubsystem 
>> id=jss
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: ready to init 
>> id=jss
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: done init id=jss
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: initialized jss
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: initSubsystem 
>> id=dbs
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine: ready to init 
>> id=dbs
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: DBSubsystem: init()  
>> mEnableSerialMgmt=true
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: LdapBoundConnFactory: init 
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: 
>> LdapBoundConnFactory:doCloning true
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: LdapAuthInfo: init()
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: LdapAuthInfo: init begins
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: LdapAuthInfo: init ends
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: init: before makeConnection 
>> errorIfDown is true
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: makeConnection: errorIfDown 
>> true
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: LdapJssSSLSocket set client 
>> auth cert nicknamesubsystemCert cert-pki-ca
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMS:Caught EBaseException
>> Internal Database Error encountered: Could not connect to LDAP server host 
>> ipa.mydomain.org <http://ipa.mydomain.org/> port 636 Error 
>> netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
>>      at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:658)
>>      at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:934)
>>      at 
>> com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:865)
>>      at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:362)
>>      at com.netscape.certsrv.apps.CMS.init(CMS.java:189)
>>      at com.netscape.certsrv.apps.CMS.start(CMS.java:1585)
>>      at 
>> com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:96)
>>      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>      at 
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>      at 
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>      at java.lang.reflect.Method.invoke(Method.java:606)
>>      at 
>> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
>>      at 
>> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
>>      at java.security.AccessController.doPrivileged(Native Method)
>>      at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
>>      at 
>> org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
>>      at 
>> org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
>>      at 
>> org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
>>      at 
>> org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
>>      at 
>> org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
>>      at 
>> org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
>>      at 
>> org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
>>      at 
>> org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
>>      at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
>>      at 
>> org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
>>      at 
>> org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>>      at 
>> org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>>      at 
>> org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>>      at java.security.AccessController.doPrivileged(Native Method)
>>      at 
>> org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
>>      at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
>>      at 
>> org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
>>      at 
>> org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
>>      at 
>> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
>>      at java.util.concurrent.FutureTask.run(FutureTask.java:262)
>>      at 
>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>      at 
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>      at java.lang.Thread.run(Thread.java:745)
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: CMSEngine.shutdown()
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: LogFile:In log shutdown
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: SignedAuditEventFactory: 
>> create() 
>> message=[AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID=$System$][Outcome=Success] 
>> audit function shutdown
>> 
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: LogFile:In log shutdown
>> [30/Jun/2015:10:02:14][localhost-startStop-1]: SignedAuditEventFactory: 
>> create() 
>> message=[AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID=$System$][Outcome=Success] 
>> audit function shutdown
>> 
>> [30/Jun/2015:10:02:15][ajp-bio-127.0.0.1-8009-exec-1]: according to ccMode, 
>> authorization for servlet: caGetStatus is LDAP based, not XML {1}, use 
>> default authz mgr: {2}.
>> 
>> I checked that ns-slapd was running on port 636
>> # netstat -antp|grep 636
>> tcp6       0      0 :::636                  :::*                    LISTEN   
>>    22855/ns-slapd
>> 
>> After a quick search, I found this bug 
>> https://fedorahosted.org/freeipa/ticket/4666 
>> <https://fedorahosted.org/freeipa/ticket/4666> is quite similar.
>> Many workarounds are suggested there but I’m confused about which could be 
>> efficient for me.
>> 
>Up plz.
>
I had a similar issue on fedora 21 or fedora 22.
The workarounds from freeipa ticket #4666 did not help for me either.
I found out that there was some problem with upgrading dogtag configuration.

You can try up ru upgrade manually. It might help you.
[root@vm-114 ~]# rpm -q --scripts pki-server
postinstall scriptlet (using /bin/sh):
## NOTE:  At this time, NO attempt has been made to update ANY PKI subsystem
##        from EITHER 'sysVinit' OR previous 'systemd' processes to the new
##        PKI deployment process

    echo "Upgrading server at `/bin/date`." >>
    /var/log/pki/pki-server-upgrade-10.2.4.log 2>&1
    /sbin/pki-server-upgrade --silent >>
    /var/log/pki/pki-server-upgrade-10.2.4.log 2>&1
    echo >> /var/log/pki/pki-server-upgrade-10.2.4.log 2>&1

    systemctl daemon-reload


In my case, it didn't help. So I updated freeipa to the latest version.
then I install similar new freeipa on another machine. So I had functional
dogtag. Then I tried to fix broken dogtag configuration using functional
configuration from 2nd freeipa. I would definitely recommend to backup data
from old freeipa before any manual updates.

Maybe Fraser would have a better advice.

LS

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project