From flo at redhat.com Mon Feb 8 12:53:29 2021
From: Florence Blanc-Renaud
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: IPA certs expired, pki-tomcatd fails to start
Date: Mon, 08 Feb 2021 13:53:07 +0100
Message-ID: <1a01c8c7-1a97-0fc0-db36-07c08a37bb63@redhat.com>
In-Reply-To: 20210208105936.31782.85508@mailman01.iad2.fedoraproject.org
On 2/8/21 11:59 AM, Manuel Gugliucci via FreeIPA-users wrote:
> Hello,
>
> I'm running a FreeIPA server over a Cloudera cluster; on 2020-12-31 all the certs expired and did not renew by themselves.
>
> After I set the system date before the expiration date, I tried ipa-cacert-renew, but it returns an error saying that the CA cert is not managed by certmonger, so I did a getcert resubmit for every cert.
Hi,
the command "ipa-cacert-manage renew" is used to renew the CA certificate (in case IPA was installed with an embedded CA), not the other certs.
Before giving any advice, I would like to know more about the deployment. Is there a single IPA server or are there multiple IPA servers? Is the CA role deployed on multiple servers? Which version is installed?
# kinit admin; ipa server-role-find
# rpm -qa *ipa-server
Which certificates are valid or expired?
# getcert list
Thanks,
flo
>
> Almost all went to the "Monitoring" state, except for one that says "NEED_CSR_GEN_PIN".
>
> If I try to do 'ipactl start', it first starts to upgrade IPA and fails because of the pki-tomcat service:
>
> ```
> 2019-12-31T19:12:01Z DEBUG response body 'Apache Tomcat/7.0.76 - Error report HTTP Status 500 - Subsystem unavailable
> type Exception report
> message Subsystem unavailable
> description The server encountered an internal error that prevented it from fulfilling this request.
> exception
> javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
>     com.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145)
>     org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492)
>     org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>     org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
>     org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
>     org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)
>     org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
>     org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
>     java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>     java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>     org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>     java.lang.Thread.run(Thread.java:748)
> note The full stack trace of the root cause is available in the Apache Tomcat/7.0.76 logs.
> Apache Tomcat/7.0.76
> '
> 2019-12-31T19:12:01Z DEBUG The CA status is: check interrupted due to error: Retrieving CA status failed with status 500
> 2019-12-31T19:12:01Z DEBUG Waiting for CA to start...
> ```
> I also looked for the previous threads listed on this forum, but none of them provided a solution.
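The `getcert list` check suggested in the reply above, turned into a small triage script (an added example, not code from the thread, from FreeIPA or from certmonger): it parses certmonger's `Request ID` blocks and reports every tracked certificate that is expired at an explicitly supplied reference time or sits in a state other than MONITORING, such as the NEED_CSR_GEN_PIN the original poster saw. The sample output, request IDs and nicknames are constructed, and the reference time is passed in rather than read from the wall clock because in this scenario the system date had been rolled back.

```python
# Added triage helper for `getcert list` output (not from the thread); sample output is constructed.
import re
from datetime import datetime, timezone
SAMPLE_GETCERT_LIST = """\
Request ID '20190101000001':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2020-12-31 10:00:00 UTC
Request ID '20190101000002':
\tstatus: NEED_CSR_GEN_PIN
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2020-12-31 10:00:00 UTC
Request ID '20190101000003':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
\texpires: 2022-06-01 10:00:00 UTC
"""

def parse_getcert_list(text):
    """Return one dict per 'Request ID' block: id, status, nickname, expires."""
    entries, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {"id": m.group(1)}
            entries.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = [s.strip() for s in line.partition(":")]
            if key == "status":
                cur["status"] = val
            elif key == "certificate":  # nickname identifies the cert in its NSS DB
                nick = re.search(r"nickname='([^']*)'", val)
                cur["nickname"] = nick.group(1) if nick else None
            elif key == "expires":
                cur["expires"] = datetime.strptime(val, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
    return entries

def triage(text, now):
    """Flag requests expired at `now` (explicit, since a rolled-back clock hides expiry) or not MONITORING."""
    problems = []
    for e in parse_getcert_list(text):
        reasons = []
        if e.get("status") != "MONITORING":
            reasons.append("status=%s" % e.get("status", "unknown"))
        if "expires" in e and e["expires"] <= now:
            reasons.append("expired %s" % e["expires"].date())
        if reasons:
            problems.append((e["id"], e.get("nickname"), reasons))
    return problems
```

On a real server, feed `triage` the output of `getcert list` and the true current UTC time; a healthy deployment returns an empty list.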