Manuel Gujo via FreeIPA-users wrote:
I moved the date to before the expiration and restarted the services one by one as you listed (systemctl restart dirsrv@my-domain, systemctl restart krb5kdc etc.)
then:
[root@ipa1 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: STOPPED (if I do systemctl status named it says running)
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: STOPPED
ipa-dnskeysyncd Service: STOPPED
ipa: INFO: The ipactl command was successful
pki-tomcatd failed to start:
# systemctl restart pki-tomcatd@ITEC-LAB
Job for pki-tomcatd@ITEC-LAB.service failed because the control process exited with error code. See "systemctl status pki-tomcatd@ITEC-LAB.service" and "journalctl -xe" for details.
# journalctl -xe
nov 17 18:22:31 ipa1.itec.lab systemd[1]: Unit pki-tomcatd@ITEC-LAB.service entered failed state.
nov 17 18:22:31 ipa1.itec.lab audispd[24456]: node=ipa1.itec.lab type=SERVICE_START msg=audit(1605637351.916:7091): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=pki-tomc
nov 17 18:22:31 ipa1.itec.lab systemd[1]: pki-tomcatd@ITEC-LAB.service failed.
nov 17 18:22:31 ipa1.itec.lab polkitd[30556]: Unregistered Authentication Agent for unix-process:17970:71502359 (system bus name :1.1719, object path /org/freedesktop/PolicyKit1
Look in /var/log/pki/pki-tomcat/ca/debug. Find where it tries to start the service and go down from there. Looking at the end of the log is almost always fruitless.
rob