Manuel Gujo via FreeIPA-users wrote:
Hi Rob,
so in "/etc/dirsrv/slapd-ITEC-LAB/dse.ldif", nsslapd-port was '0' and
nsslapd-security was off, I fixed it and now it's listening on port 389 and 636:
# netstat -tulpn | grep LISTEN | grep ns-slapd
tcp6 0 0 :::636 :::* LISTEN
30606/ns-slapd
tcp6 0 0 :::389 :::* LISTEN
30606/ns-slapd
Then I tried to restart all the ipactl services one by one. pki-tomcatd keeps failing and
/var/log/pki/pki-tomcat/ca/debug does not log anymore (last log is the one i sent you
above, 31 Dec 2019)
I resubmitted all the expired certs and restarting cermonger but certs keep being
unreachable.
If the CA isn't running then there is no point in resubmitting the
certmonger requests. It is guaranteed to fail with UNREACHABLE.
Check the journalctl output and the other logs, like catalina, in
/var/log/pki/pki-tomcat for more information on why it failed to start.
from certmonger logs:
nov 17 18:11:47 ipa1.itec.lab dogtag-ipa-ca-renew-agent-submit[30764]: Forwarding request
to dogtag-ipa-renew-agent
nov 17 18:11:47 ipa1.itec.lab dogtag-ipa-renew-agent-submit[31183]: GET
http://ipa1.itec.lab:8080/ca/ee/ca/profileSubmit?profileId=caServerCert&a...
nov 17 18:11:47 ipa1.itec.lab dogtag-ipa-renew-agent-submit[31183]: (null)
nov 17 18:11:47 ipa1.itec.lab dogtag-ipa-ca-renew-agent-submit[30764]:
dogtag-ipa-renew-agent returned 3
nov 17 18:11:47 ipa1.itec.lab certmonger[30685]: 2020-11-17 18:11:47 [30685] Error 7
connecting to
http://ipa1.itec.lab:8080/ca/ee/ca/profileSubmit: Couldn't connect to
server.
in certmonger's log I also saw these:
nov 17 18:11:01 ipa1.itec.lab dogtag-ipa-ca-renew-agent-submit[30741]: Traceback (most
recent call last):
File
"/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 533, in
<module>
sys.exit(main())
File
"/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 495, in main
api.finalize()
File
"/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 740, in finalize
self.__do_if_not_done('load_plugins')
File
"/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 431, in
__do_if_not_done
getattr(self,
name)()
File
"/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 620, in
load_plugins
self.add_package(package)
File
"/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 647, in add_package
module =
importlib.import_module(name)
File
"/usr/lib64/python2.7/importlib/__init__.py", line 37, in import_module
__import__(name)
File
"/usr/lib/python2.7/site-packages/ipaserver/plugins/server.py", line 32, in
<module>
from
ipaserver.install import bindinstance, dnskeysyncinstance
File
"/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", line
17, in <module>
from ipaserver
import p11helper as _ipap11helper
File
"/usr/lib/python2.7/site-packages/ipaserver/p11helper.py", line 342, in
<module>
_libp11_kit =
_ffi.dlopen(ctypes.util.find_library('p11-kit'))
File
"/usr/lib64/python2.7/ctypes/util.py", line 244, in find_library
return
_findSoname_ldconfig(name) or _get_soname(_findLib_gcc(name))
File
"/usr/lib64/python2.7/ctypes/util.py", line 233, in _findSoname_ldconfig
f =
os.popen('/sbin/ldconfig -p 2>/dev/null')
OSError: [Errno
12] Cannot allocate memory
Is this host memory-constrained? How much RAM does it have?
rob