Manuel Gujo via FreeIPA-users wrote:
Hi Rob,
so in "/etc/dirsrv/slapd-ITEC-LAB/dse.ldif", nsslapd-port was '0' and nsslapd-security was off, I fixed it and now it's listening on port 389 and 636:
# netstat -tulpn | grep LISTEN | grep ns-slapd
tcp6 0 0 :::636 :::* LISTEN 30606/ns-slapd
tcp6 0 0 :::389 :::* LISTEN 30606/ns-slapd
Then I tried to restart all the ipactl services one by one. pki-tomcatd keeps failing and /var/log/pki/pki-tomcat/ca/debug does not log anymore (last log is the one I sent you above, 31 Dec 2019).
I resubmitted all the expired certs and restarted certmonger but certs keep being unreachable.
If the CA isn't running then there is no point in resubmitting the certmonger requests. It is guaranteed to fail with UNREACHABLE.
Check the journalctl output and the other logs, like catalina, in /var/log/pki/pki-tomcat for more information on why it failed to start.
From certmonger logs:
nov 17 18:11:47 ipa1.itec.lab dogtag-ipa-ca-renew-agent-submit[30764]: Forwarding request to dogtag-ipa-renew-agent
nov 17 18:11:47 ipa1.itec.lab dogtag-ipa-renew-agent-submit[31183]: GET http://ipa1.itec.lab:8080/ca/ee/ca/profileSubmit?profileId=caServerCert&...
nov 17 18:11:47 ipa1.itec.lab dogtag-ipa-renew-agent-submit[31183]: (null)
nov 17 18:11:47 ipa1.itec.lab dogtag-ipa-ca-renew-agent-submit[30764]: dogtag-ipa-renew-agent returned 3
nov 17 18:11:47 ipa1.itec.lab certmonger[30685]: 2020-11-17 18:11:47 [30685] Error 7 connecting to http://ipa1.itec.lab:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
In certmonger's log I also saw these:
nov 17 18:11:01 ipa1.itec.lab dogtag-ipa-ca-renew-agent-submit[30741]: Traceback (most recent call last):
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 533, in <module>
    sys.exit(main())
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 495, in main
    api.finalize()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 740, in finalize
    self.__do_if_not_done('load_plugins')
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 431, in __do_if_not_done
    getattr(self, name)()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 620, in load_plugins
    self.add_package(package)
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 647, in add_package
    module = importlib.import_module(name)
  File "/usr/lib64/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/server.py", line 32, in <module>
    from ipaserver.install import bindinstance, dnskeysyncinstance
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", line 17, in <module>
    from ipaserver import p11helper as _ipap11helper
  File "/usr/lib/python2.7/site-packages/ipaserver/p11helper.py", line 342, in <module>
    _libp11_kit = _ffi.dlopen(ctypes.util.find_library('p11-kit'))
  File "/usr/lib64/python2.7/ctypes/util.py", line 244, in find_library
    return _findSoname_ldconfig(name) or _get_soname(_findLib_gcc(name))
  File "/usr/lib64/python2.7/ctypes/util.py", line 233, in _findSoname_ldconfig
    f = os.popen('/sbin/ldconfig -p 2>/dev/null')
OSError: [Errno 12] Cannot allocate memory
Is this host memory-constrained? How much RAM does it have?
rob