hi,
after a botched update (https://access.redhat.com/solutions/7065748) and rolling back the changes, this service will not start:
# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
1 service(s) are not running

in journalctl I found these stdout/stderr messages:

May 24 11:40:35 kdc1.sub.domain.tld named[27437]: zone sub.domain.tld/IN: sending notifies (serial 1716543629)
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: ERROR: Unable to parse version number: "11.5.0"
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: Traceback (most recent call last):
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: File "/usr/lib/python3.9/site-packages/pki/server/pkiserver.py", line 41, in <module>
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: cli.execute(sys.argv)
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: File "/usr/lib/python3.9/site-packages/pki/server/cli/__init__.py", line 145, in execute
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: super().execute(args)
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: File "/usr/lib/python3.9/site-packages/pki/cli/__init__.py", line 217, in execute
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: module.execute(module_args)
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: File "/usr/lib/python3.9/site-packages/pki/server/cli/upgrade.py", line 144, in execute
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: self.upgrade(
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: File "/usr/lib/python3.9/site-packages/pki/server/cli/upgrade.py", line 178, in upgrade
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: upgrader.upgrade()
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: File "/usr/lib/python3.9/site-packages/pki/upgrade.py", line 481, in upgrade
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: versions = self.versions()
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: File "/usr/lib/python3.9/site-packages/pki/upgrade.py", line 238, in versions
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: current_version = self.get_current_version()
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: File "/usr/lib/python3.9/site-packages/pki/upgrade.py", line 341, in get_current_version
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: current_version = self.get_tracker().get_version()
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: File "/usr/lib/python3.9/site-packages/pki/upgrade.py", line 141, in get_version
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: return pki.util.Version(version)
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: File "/usr/lib/python3.9/site-packages/pki/util.py", line 613, in __init__
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: raise Exception('Unable to parse version number: %s' % obj)
May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: Exception: Unable to parse version number: "11.5.0"
May 24 11:40:35 kdc1.sub.domain.tld systemd[1]: pki-tomcatd@pki-tomcat.service: Control process exited, code=exited, status=1/FAILURE
May 24 11:40:35 kdc1.sub.domain.tld systemd[1]: pki-tomcatd@pki-tomcat.service: Failed with result 'exit-code'.
May 24 11:40:35 kdc1.sub.domain.tld systemd[1]: Failed to start PKI Tomcat Server pki-tomcat.
So it seems something is broken on this upgrade script. This is in almalinux 9.3 ipa-server-4.10.2-5.el9_3.alma.1.x86_64
I cannot upgrade because I get bitten by the named ldap thing, even though the versions are newer.
I will create a replica to a rhel host but first I need to get the CA up and running obviously :-).
Any ideas?
Thanks!
-- regards,
natxo
On Fri, 24 May 2024, Natxo Asenjo via FreeIPA-users wrote:
> May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: raise Exception('Unable to parse version number: %s' % obj)
> May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: Exception: Unable to parse version number: "11.5.0"
What do you have in /etc/pki/pki.version file? Is it literally
# cat /etc/pki/pki.version
Configuration-Version: "11.5.0"
? If so, then remove quotes around 11.5.0, they are not expected.
hi,
no, it's without quotes but the rolledback version:
Configuration-Version: 11.4.2
I tried modifying it to 11.5.0 and ipactl restart, but it does not help (reset it to the proper value 11.4.2 now)
On Fri, May 24, 2024 at 5:14 PM Alexander Bokovoy abokovoy@redhat.com wrote:
> What do you have in /etc/pki/pki.version file? Is it literally
>
> # cat /etc/pki/pki.version
> Configuration-Version: "11.5.0"
>
> ? If so, then remove quotes around 11.5.0, they are not expected.
Natxo Asenjo via FreeIPA-users wrote:
> hi,
> no, it's without quotes but the rolledback version:
> Configuration-Version: 11.4.2
> I tried modifying it to 11.5.0 and ipactl restart, but it does not help (reset it to the proper value 11.4.2 now)
Did the error change when you switched to 11.4.2? You didn't include a new traceback.
rob
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
hi,
indeed, sorry.
# cat /etc/pki/pki.version
│ Configuration-Version: 11.5.0

# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting smb Service
Restarting winbind Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
1 service(s) are not running

May 29 12:12:34 kdc.sub.domain.tld systemd[1]: Starting PKI Tomcat Server pki-tomcat...
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: ERROR: Unable to parse version number: "11.5.0"
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: Traceback (most recent call last):
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: File "/usr/lib/python3.9/site-packages/pki/server/pkiserver.py", line 41, in <module>
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: cli.execute(sys.argv)
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: File "/usr/lib/python3.9/site-packages/pki/server/cli/__init__.py", line 145, in execute
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: super().execute(args)
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: File "/usr/lib/python3.9/site-packages/pki/cli/__init__.py", line 217, in execute
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: module.execute(module_args)
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: File "/usr/lib/python3.9/site-packages/pki/server/cli/upgrade.py", line 144, in execute
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: self.upgrade(
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: File "/usr/lib/python3.9/site-packages/pki/server/cli/upgrade.py", line 178, in upgrade
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: upgrader.upgrade()
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: File "/usr/lib/python3.9/site-packages/pki/upgrade.py", line 481, in upgrade
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: versions = self.versions()
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: File "/usr/lib/python3.9/site-packages/pki/upgrade.py", line 238, in versions
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: current_version = self.get_current_version()
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: File "/usr/lib/python3.9/site-packages/pki/upgrade.py", line 341, in get_current_version
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: current_version = self.get_tracker().get_version()
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: File "/usr/lib/python3.9/site-packages/pki/upgrade.py", line 141, in get_version
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: return pki.util.Version(version)
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: File "/usr/lib/python3.9/site-packages/pki/util.py", line 613, in __init__
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: raise Exception('Unable to parse version number: %s' % obj)
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: Exception: Unable to parse version number: "11.5.0"
If I revert it to 11.4.2, so it looks as though it is not reading this file for getting this information.
# cat /etc/pki/pki.version
Configuration-Version: 11.4.2

# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting smb Service
Restarting winbind Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
1 service(s) are not running

May 29 12:17:08 kdc.sub.domain.tld systemd[1]: Starting PKI Tomcat Server pki-tomcat...
May 29 12:17:08 kdc.sub.domain.tld pki-server[37297]: ERROR: Unable to parse version number: "11.5.0"
Strange.
On Tue, May 28, 2024 at 7:35 PM Rob Crittenden rcritten@redhat.com wrote:
> Did the error change when you switched to 11.4.2? You didn't include a new traceback.
>
> rob
On Wed, 29 May 2024, Natxo Asenjo wrote:
> May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: raise Exception('Unable to parse version number: %s' % obj)
> May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: Exception: Unable to parse version number: "11.5.0"
The only way to get this string in double quotes is if it was in double quotes in the original file:
-----------------------------------------------------------------
>>> import re
>>> obj = "11.5.0"
>>> m = re.match(r'^(\d+).(\d+).(\d+)', obj)
>>> m.group(2)
'5'
>>> raise Exception('Unable to parse version number: %s' % obj)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
Exception: Unable to parse version number: 11.5.0
>>> obj = '"11.5.0"'
>>> m = re.match(r'^(\d+).(\d+).(\d+)', obj)
>>> m.group(2)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
AttributeError: 'NoneType' object has no attribute 'group'
>>> raise Exception('Unable to parse version number: %s' % obj)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
Exception: Unable to parse version number: "11.5.0"
-----------------------------------------------------------------
So I still think there is something wrong with the file it reads...
If I revert it to 11.4.2, so it looks as though it is not reading this file for getting this information.
# cat /etc/pki/pki.version
Configuration-Version: 11.4.2
# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting smb Service
Restarting winbind Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
1 service(s) are not running
May 29 12:17:08 kdc.sub.domain.tld systemd[1]: Starting PKI Tomcat Server pki-tomcat...
May 29 12:17:08 kdc.sub.domain.tld pki-server[37297]: ERROR: Unable to parse version number: "11.5.0"
Strange.
On Tue, May 28, 2024 at 7:35 PM Rob Crittenden rcritten@redhat.com wrote:
Natxo Asenjo via FreeIPA-users wrote:
hi,
no, it's without quotes but the rolledback version:
Configuration-Version: 11.4.2
I tried modifying it to 11.5.0 and ipactl restart, but it does not help (reset it to the proper value 11.4.2 now)
Did the error change when you switched to 11.4.2? You didn't include a new traceback.
rob
On Fri, May 24, 2024 at 5:14 PM Alexander Bokovoy <abokovoy@redhat.com> wrote:
On Fri, 24 May 2024, Natxo Asenjo via FreeIPA-users wrote:
>hi,
>
>after a botched update (https://access.redhat.com/solutions/7065748) and
>rolling back the changes, this service will not start:
>
># ipactl status
>Directory Service: RUNNING
>krb5kdc Service: RUNNING
>kadmin Service: RUNNING
>named Service: RUNNING
>httpd Service: RUNNING
>ipa-custodia Service: RUNNING
>pki-tomcatd Service: STOPPED
>smb Service: RUNNING
>winbind Service: RUNNING
>ipa-otpd Service: RUNNING
>ipa-dnskeysyncd Service: RUNNING
>1 service(s) are not running
>
>in journalctl I found this stdout/stderr messages:
>
>
>May 24 11:40:35 kdc1.sub.domain.tld named[27437]: zone sub.domain.tld/IN: sending notifies (serial 1716543629)
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: ERROR: Unable to parse version number: "11.5.0"
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: Traceback (most recent call last):
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: File "/usr/lib/python3.9/site-packages/pki/server/pkiserver.py", line 41, in <module>
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: cli.execute(sys.argv)
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: File "/usr/lib/python3.9/site-packages/pki/server/cli/__init__.py", line 145, in execute
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: super().execute(args)
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: File "/usr/lib/python3.9/site-packages/pki/cli/__init__.py", line 217, in execute
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: module.execute(module_args)
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: File "/usr/lib/python3.9/site-packages/pki/server/cli/upgrade.py", line 144, in execute
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: self.upgrade(
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: File "/usr/lib/python3.9/site-packages/pki/server/cli/upgrade.py", line 178, in upgrade
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: upgrader.upgrade()
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: File "/usr/lib/python3.9/site-packages/pki/upgrade.py", line 481, in upgrade
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: versions = self.versions()
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: File "/usr/lib/python3.9/site-packages/pki/upgrade.py", line 238, in versions
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: current_version = self.get_current_version()
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: File "/usr/lib/python3.9/site-packages/pki/upgrade.py", line 341, in get_current_version
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: current_version = self.get_tracker().get_version()
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: File "/usr/lib/python3.9/site-packages/pki/upgrade.py", line 141, in get_version
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: return pki.util.Version(version)
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: File "/usr/lib/python3.9/site-packages/pki/util.py", line 613, in __init__
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: raise Exception('Unable to parse version number: %s' % obj)
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: Exception: Unable to parse version number: "11.5.0"

What do you have in /etc/pki/pki.version file? Is it literally

# cat /etc/pki/pki.version
Configuration-Version: "11.5.0"

? If so, then remove quotes around 11.5.0, they are not expected.

>May 24 11:40:35 kdc1.sub.domain.tld systemd[1]: pki-tomcatd@pki-tomcat.service: Control process exited, code=exited, status=1/FAILURE
>May 24 11:40:35 kdc1.sub.domain.tld systemd[1]: pki-tomcatd@pki-tomcat.service: Failed with result 'exit-code'.
>May 24 11:40:35 kdc1.sub.domain.tld systemd[1]: Failed to start PKI Tomcat Server pki-tomcat.
>
>So it seems something is broken on this upgrade script. This is in
>almalinux 9.3
>ipa-server-4.10.2-5.el9_3.alma.1.x86_64
>
>I cannot upgrade because I get bitten by the named ldap thing, even though
>the versions are newer.
>
>I will create a replicat to a rhel host but first I need to get the CA up
>and running obviously :-).
>
>Any ideas?
>
>Thanks!
>
>--
>regards,
>
>natxo
>
>--
>--
>Groeten,
>natxo

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
Groeten, natxo
--
Groeten, natxo
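Added example (not part of the thread, and not Dogtag PKI or FreeIPA code): the interpreter check from the reply above, applied to every version line under a directory so that the file holding a value the pattern rejects is named directly. The key names are the two that appear in this thread; the function names, the directory layout and the file contents are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Pattern as typed in the interpreter session in the reply above.
VERSION_RE = re.compile(r'^(\d+).(\d+).(\d+)')

# Key names that appear in this thread: "Configuration-Version:" in
# pki.version and "PKI_VERSION=" in tomcat.conf.
KEY_RE = re.compile(
    r'^\s*(Configuration-Version|PKI_VERSION)\s*[:=]\s*(.*?)\s*$')


def classify(raw, expected=None):
    """Classify a value exactly as it appears after the separator."""
    m = VERSION_RE.match(raw)
    if m is None:
        # Rejected as written; see whether surrounding quotes are the cause.
        if VERSION_RE.match(raw.strip('"\'')):
            return 'quoted'
        return 'unparseable'
    if expected is not None and '.'.join(m.groups()) != expected:
        return 'mismatch'
    return 'ok'


def scan_versions(root, expected=None):
    """Return one finding per version line in any file below root."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob('*')):
        if not path.is_file():
            continue
        try:
            lines = path.read_text(errors='replace').splitlines()
        except OSError:
            continue  # unreadable file: nothing to report
        for lineno, line in enumerate(lines, 1):
            m = KEY_RE.match(line)
            if m:
                key, raw = m.groups()
                findings.append({
                    'file': path.relative_to(root).as_posix(),
                    'line': lineno,
                    'key': key,
                    'raw': raw,
                    'status': classify(raw, expected),
                })
    return findings


def demo():
    """Scan a constructed tree (sample data, not taken from a real host)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / 'pki-tomcat').mkdir()
        (root / 'other-instance').mkdir()
        (root / 'pki.version').write_text('Configuration-Version: 11.4.2\n')
        (root / 'pki-tomcat' / 'tomcat.conf').write_text(
            '# constructed sample\nPKI_VERSION="11.5.0"\n')
        (root / 'other-instance' / 'tomcat.conf').write_text(
            'PKI_VERSION=11.5.0\n')
        return scan_versions(root, expected='11.4.2')


if __name__ == '__main__':
    for f in demo():
        print('{status:12} {file}:{line} {key} -> {raw}'.format(**f))
```

On a real host the call would be `scan_versions('/etc/pki', expected=...)` with the version of the installed packages as the expected value.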
hi,
yes, there was something wrong with another file :-):
# grep -r "11.5.0" /etc/pki/
/etc/pki/pki-tomcat/tomcat.conf: PKI_VERSION="11.5.0"
So I modified that to
PKI_VERSION=11.4.2
And now I have another error :-), it fails to start because of this (I know I should not start this from systemctl, but from ipactl restart, debugging, it takes longer to run ipactl restart):
May 29 14:23:01 kdc.sub.domain.tld systemd[1]: Starting PKI Tomcat Server pki-tomcat...
░░ Subject: A start job for unit pki-tomcatd@pki-tomcat.service has begun execution
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ A start job for unit pki-tomcatd@pki-tomcat.service has begun execution.
░░
░░ The job identifier is 35769.
May 29 14:23:03 kdc.sub.domain.tld pki-server[43389]: NOTE: Picked up JDK_JAVA_OPTIONS: --add-opens=j>
May 29 14:23:03 kdc.sub.domain.tld pki-server[43371]: AJP connector requiredSecret: None
May 29 14:23:03 kdc.sub.domain.tld pki-server[43371]: AJP connector requiredSecret: None
May 29 14:23:03 kdc.sub.domain.tld server[43423]: Java virtual machine used: /usr/lib/jvm/jre-17-openj>
May 29 14:23:03 kdc.sub.domain.tld server[43423]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:>
May 29 14:23:03 kdc.sub.domain.tld server[43423]: main class used: org.apache.catalina.startup.Bootstr>
May 29 14:23:03 kdc.sub.domain.tld server[43423]: flags used: -Dcom.redhat.fips=false
May 29 14:23:03 kdc.sub.domain.tld server[43423]: options used: -Dcatalina.base=/var/lib/pki/pki-tomca>
May 29 14:23:03 kdc.sub.domain.tld server[43423]: arguments used: start
May 29 14:23:03 kdc.sub.domain.tld server[43423]: NOTE: Picked up JDK_JAVA_OPTIONS: --add-opens=java.>
May 29 14:23:03 kdc.sub.domain.tld server[43423]: WARNING: A command line option has enabled the Secur>
May 29 14:23:03 kdc.sub.domain.tld server[43423]: WARNING: The Security Manager is deprecated and will>
May 29 14:23:04 kdc.sub.domain.tld ipa-pki-wait-running[43424]: pki.client: /usr/libexec/ipa/ipa-pki-w>
May 29 14:23:04 kdc.sub.domain.tld ipa-pki-wait-running[43424]: ipa-pki-wait-running: Created connecti>
May 29 14:23:04 kdc.sub.domain.tld ipa-pki-wait-running[43424]: ipa-pki-wait-running: Connection faile>
May 29 14:23:05 kdc.sub.domain.tld server[43423]: SEVERE: Protocol handler instantiation failed
May 29 14:23:05 kdc.sub.domain.tld server[43423]: java.lang.ClassNotFoundException: org.dogtagpki.jss.>
May 29 14:23:05 kdc.sub.domain.tld server[43423]: at java.base/java.net.URLClassLoader.findCla>
May 29 14:23:05 kdc.sub.domain.tld server[43423]: at java.base/java.lang.ClassLoader.loadClass>
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ A start job for unit pki-tomcatd@pki-tomcat.service has begun execution.
░░
░░ The job identifier is 35665.
May 29 14:19:36 kdc.sub.domain.tld pki-server[43128]: NOTE: Picked up JDK_JAVA_OPTIONS: --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=>
May 29 14:19:36 kdc.sub.domain.tld pki-server[43109]: AJP connector requiredSecret: None
May 29 14:19:36 kdc.sub.domain.tld pki-server[43109]: AJP connector requiredSecret: None
May 29 14:19:36 kdc.sub.domain.tld server[43162]: Java virtual machine used: /usr/lib/jvm/jre-17-openjdk/bin/java
May 29 14:19:36 kdc.sub.domain.tld server[43162]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:
May 29 14:19:36 kdc.sub.domain.tld server[43162]: main class used: org.apache.catalina.startup.Bootstrap
May 29 14:19:36 kdc.sub.domain.tld server[43162]: flags used: -Dcom.redhat.fips=false
May 29 14:19:36 kdc.sub.domain.tld server[43162]: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp ->
May 29 14:19:36 kdc.sub.domain.tld server[43162]: arguments used: start
May 29 14:19:36 kdc.sub.domain.tld server[43162]: NOTE: Picked up JDK_JAVA_OPTIONS: --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL->
May 29 14:19:36 kdc.sub.domain.tld server[43162]: WARNING: A command line option has enabled the Security Manager
May 29 14:19:36 kdc.sub.domain.tld server[43162]: WARNING: The Security Manager is deprecated and will be removed in a future release
May 29 14:19:37 kdc.sub.domain.tld ipa-pki-wait-running[43163]: pki.client: /usr/libexec/ipa/ipa-pki-wait-running:61: The subsystem in PKIConnection.__init__() has been deprecated (https://github.com/dogtagp>
May 29 14:19:37 kdc.sub.domain.tld ipa-pki-wait-running[43163]: ipa-pki-wait-running: Created connection http://kdc.sub.domain.tld:8080/ca
May 29 14:19:37 kdc.sub.domain.tld ipa-pki-wait-running[43163]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='kdc.sub.domain.tld', port=8080): Max retries exceeded with url: /ca/admin/ca>
May 29 14:19:37 kdc.sub.domain.tld server[43162]: SEVERE: Protocol handler instantiation failed
May 29 14:19:37 kdc.sub.domain.tld server[43162]: java.lang.ClassNotFoundException: org.dogtagpki.jss.tomcat.Http11NioProtocol
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at java.base/java.net.URLClassLoader.findClass(URLClassLoader.java:445)
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:592)
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:525)
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at java.base/java.lang.Class.forName0(Native Method)
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at java.base/java.lang.Class.forName(Class.java:375)
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at org.apache.coyote.ProtocolHandler.create(ProtocolHandler.java:254)
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at org.apache.catalina.connector.Connector.<init>(Connector.java:88)
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at org.apache.catalina.startup.ConnectorCreateRule.begin(ConnectorCreateRule.java:65)
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1293)
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at java.xml/com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.startElement(AbstractSAXParser.java:518)
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanStartElement(XMLDocumentFragmentScannerImpl.java:1407)
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:272>
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:605)
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:542)
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at java.xml/com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:889)
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at java.xml/com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:825)
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at java.xml/com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at java.xml/com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1224)
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at java.xml/com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:637)
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1551)
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at org.apache.catalina.startup.Catalina.parseServerXml(Catalina.java:617)
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at org.apache.catalina.startup.Catalina.load(Catalina.java:709)
lish a new connection: [Errno 111] Connection refused'))
May 29 14:24:22 kdc1 ipa-pki-wait-running[43424]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='kdc.sub.domain.tld', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f6ddd7fcee0>: Failed to establish a new connection: [Errno 111] Connection refused'))
May 29 14:24:23 kdc1 ipa-pki-wait-running[43424]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='kdc.sub.domain.tld', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f6ddd80dbe0>: Failed to establish a new connection: [Errno 111] Connection refused'))
May 29 14:24:24 kdc1 ipa-pki-wait-running[43424]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='kdc.sub.domain.tld', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f6ddd80d640>: Failed to establish a new connection: [Errno 111] Connection refused'))
May 29 14:24:25 kdc1 ipa-pki-wait-running[43424]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='kdc.sub.domain.tld', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f6ddd80da00>: Failed to establish a new connection: [Errno 111] Connection refused'))
May 29 14:24:26 kdc1 ipa-pki-wait-running[43424]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='kdc.sub.domain.tld', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f6ddd80d310>: Failed to establish a new connection: [Errno 111] Connection refused'))
May 29 14:24:27 kdc1 ipa-pki-wait-running[43424]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='kdc.sub.domain.tld', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f6ddd7a9310>: Failed to establish a new connection: [Errno 111] Connection refused'))
May 29 14:24:28 kdc1 ipa-pki-wait-running[43424]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='kdc.sub.domain.tld', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f6ddd80d880>: Failed to establish a new connection: [Errno 111] Connection refused'))
May 29 14:24:29 kdc1 ipa-pki-wait-running[43424]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='kdc.sub.domain.tld', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f6ddd80dee0>: Failed to establish a new connection: [Errno 111] Connection refused'))
May 29 14:24:30 kdc1 ipa-pki-wait-running[43424]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='kdc.sub.domain.tld', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f6ddd80d640>: Failed to establish a new connection: [Errno 111] Connection refused'))
May 29 14:24:31 kdc1 ipa-pki-wait-running[43424]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='kdc.sub.domain.tld', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f6ddd80d1c0>: Failed to establish a new connection: [Errno 111] Connection refused'))
May 29 14:24:32 kdc1 ipa-pki-wait-running[43424]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='kdc.sub.domain.tld', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f6ddd7fcee0>: Failed to establish a new connection: [Errno 111] Connection refused'))
May 29 14:24:33 kdc1 systemd[1]: pki-tomcatd@pki-tomcat.service: start-post operation timed out. Terminating.
May 29 14:24:33 kdc1 systemd[1]: pki-tomcatd@pki-tomcat.service: Control process exited, code=killed, status=15/TERM
May 29 14:24:33 kdc1 systemd[1]: pki-tomcatd@pki-tomcat.service: Failed with result 'exit-code'.
May 29 14:24:33 kdc1 systemd[1]: Failed to start PKI Tomcat Server pki-tomcat.
May 29 14:24:33 kdc1 systemd[1]: pki-tomcatd@pki-tomcat.service: Consumed 3.677s CPU time.
What is interesting is that if I run the commands on the unit file, as root, it does start:
[root@kdc ~]# systemctl cat pki-tomcatd@pki-tomcat
# /usr/lib/systemd/system/pki-tomcatd@.service
[Unit]
Description=PKI Tomcat Server %i
PartOf=pki-tomcatd.target

[Service]
Type=simple
EnvironmentFile=/usr/share/pki/etc/tomcat.conf
EnvironmentFile=/etc/tomcat/tomcat.conf
Environment="NAME=%i"
EnvironmentFile=-/etc/sysconfig/%i
EnvironmentFile=/usr/share/pki/etc/pki.conf
EnvironmentFile=/etc/pki/pki.conf

ExecStartPre=/usr/sbin/pki-server upgrade %i
ExecStartPre=/usr/sbin/pki-server migrate %i
ExecStartPre=/usr/bin/pkidaemon start %i
ExecStart=/usr/libexec/tomcat/server start
ExecStop=/usr/libexec/tomcat/server stop

SuccessExitStatus=143
User=pkiuser
Group=pkiuser

[Install]
WantedBy=pki-tomcatd.target

# /etc/systemd/system/pki-tomcatd@pki-tomcat.service.d/ipa.conf
[Service]
Environment=LC_ALL=C.UTF-8
ExecStartPost=/usr/libexec/ipa/ipa-pki-wait-running
[root@kdc ~]# su - pkiuser
This account is currently not available.
[root@kdc ~]# source /usr/share/pki/etc/tomcat.conf
[root@kdc ~]# source /etc/tomcat/tomcat.conf
[root@kdc ~]# NAME=pki-tomcat
[root@kdc ~]# source /etc/sysconfig/pki-tomcat
[root@kdc ~]# source /usr/share/pki/etc/pki.conf
[root@kdc ~]# source /etc/pki/pki.conf
[root@kdc ~]# /usr/sbin/pki-server upgrade pki-tomcat
[root@kdc ~]# /usr/sbin/pki-server migrate pki-tomcat
NOTE: Picked up JDK_JAVA_OPTIONS: --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
AJP connector requiredSecret: None
AJP connector requiredSecret: None
[root@kdc ~]# /usr/bin/pkidaemon start pki-tomcat
[root@kdc ~]# /usr/libexec/tomcat/server start
Java virtual machine used: /usr/lib/jvm/jre/bin/java
classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:
main class used: org.apache.catalina.startup.Bootstrap
flags used: -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory
options used: -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
arguments used: start
NOTE: Picked up JDK_JAVA_OPTIONS: --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
29-May-2024 14:36:36.689 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version name: Apache Tomcat/9.0.62
29-May-2024 14:36:36.697 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built: Dec 30 1969 17:35:50 UTC
29-May-2024 14:36:36.698 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version number: 9.0.62.0
29-May-2024 14:36:36.699 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name: Linux
29-May-2024 14:36:36.699 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version: 5.14.0-427.16.1.el9_4.x86_64
29-May-2024 14:36:36.699 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture: amd64
29-May-2024 14:36:36.699 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home: /usr/lib/jvm/java-11-openjdk-11.0.22.0.7-2.el9.x86_64
29-May-2024 14:36:36.700 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version: 11.0.22+7-LTS
29-May-2024 14:36:36.700 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor: Red Hat, Inc.
29-May-2024 14:36:36.700 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE: /usr/share/tomcat
29-May-2024 14:36:36.701 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME: /usr/share/tomcat
29-May-2024 14:36:36.727 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.lang=ALL-UNNAMED
29-May-2024 14:36:36.728 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.io=ALL-UNNAMED
29-May-2024 14:36:36.728 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.util=ALL-UNNAMED
29-May-2024 14:36:36.728 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.util.concurrent=ALL-UNNAMED
29-May-2024 14:36:36.728 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
29-May-2024 14:36:36.729 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory
29-May-2024 14:36:36.730 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/usr/share/tomcat
29-May-2024 14:36:36.730 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/usr/share/tomcat
29-May-2024 14:36:36.733 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.endorsed.dirs=
29-May-2024 14:36:36.733 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/var/cache/tomcat/temp
29-May-2024 14:36:36.733 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties
29-May-2024 14:36:36.733 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
29-May-2024 14:36:36.735 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The Apache Tomcat Native library which allows using OpenSSL was not found on the java.library.path: [/usr/java/packages/lib:/usr/lib64:/lib64:/lib:/usr/lib]
29-May-2024 14:36:37.550 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8080"]
29-May-2024 14:36:37.613 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [1379] milliseconds
29-May-2024 14:36:37.739 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
29-May-2024 14:36:37.740 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet engine: [Apache Tomcat/9.0.62]
29-May-2024 14:36:37.756 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
29-May-2024 14:36:37.823 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [209] milliseconds
I will try rebooting later, although I do not think this will fix the problem.
On Wed, May 29, 2024 at 12:41 PM Alexander Bokovoy abokovoy@redhat.com wrote:
On Срд, 29 мая 2024, Natxo Asenjo wrote:
hi,
indeed, sorry.
# cat /etc/pki/pki.version │ Configuration-Version: 11.5.0
# ipactl restart Restarting Directory Service Restarting krb5kdc Service Restarting kadmin Service Restarting named Service Restarting httpd Service Restarting ipa-custodia Service Restarting pki-tomcatd Service Restarting smb Service Restarting winbind Service Restarting ipa-otpd Service Restarting ipa-dnskeysyncd Service ipa: INFO: The ipactl command was successful
]# ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING named Service: RUNNING httpd Service: RUNNING ipa-custodia Service: RUNNING pki-tomcatd Service: STOPPED smb Service: RUNNING winbind Service: RUNNING ipa-otpd Service: RUNNING ipa-dnskeysyncd Service: RUNNING 1 service(s) are not running
May 29 12:12:34 kdc.sub.domain.tld systemd[1]: Starting PKI Tomcat Server pki-tomcat... May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: ERROR: Unable to parse version number: "11.5.0" May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: Traceback (most recent call last): May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: File "/usr/lib/python3.9/site-packages/pki/server/pkiserver.py", line 41, in
<module> May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: cli.execute(sys.argv) May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: File "/usr/lib/python3.9/site-packages/pki/server/cli/__init__.py", line 145,
in
execute May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: super().execute(args) May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: File "/usr/lib/python3.9/site-packages/pki/cli/__init__.py", line 217, in
execute
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: module.execute(module_args) May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: File "/usr/lib/python3.9/site-packages/pki/server/cli/upgrade.py", line 144, in execute May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: self.upgrade( May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: File "/usr/lib/python3.9/site-packages/pki/server/cli/upgrade.py", line 178, in upgrade May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]:
upgrader.upgrade()
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: File "/usr/lib/python3.9/site-packages/pki/upgrade.py", line 481, in upgrade May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: versions = self.versions() May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: File "/usr/lib/python3.9/site-packages/pki/upgrade.py", line 238, in versions May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: current_version
=
self.get_current_version() May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: File "/usr/lib/python3.9/site-packages/pki/upgrade.py", line 341, in get_current_version May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: current_version
=
self.get_tracker().get_version() May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: File "/usr/lib/python3.9/site-packages/pki/upgrade.py", line 141, in
get_version
May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: return pki.util.Version(version) May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: File "/usr/lib/python3.9/site-packages/pki/util.py", line 613, in __init__ May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: raise Exception('Unable to parse version number: %s' % obj) May 29 12:12:35 kdc.sub.domain.tld pki-server[36733]: Exception: Unable to parse version number: "11.5.0"
The only way to get this string in double quotes is if it was in double quotes in the original file:
obj = "11.5.0" m = re.match(r'^(\d+).(\d+).(\d+)', obj) m.group(2)
'5'
raise Exception('Unable to parse version number: %s' % obj)
Traceback (most recent call last): File "<stdin>", line 1, in <module> Exception: Unable to parse version number: 11.5.0
obj = '"11.5.0"' m = re.match(r'^(\d+).(\d+).(\d+)', obj) m.group(2)
Traceback (most recent call last): File "<stdin>", line 1, in <module> AttributeError: 'NoneType' object has no attribute 'group'
raise Exception('Unable to parse version number: %s' % obj)
Traceback (most recent call last): File "<stdin>", line 1, in <module> Exception: Unable to parse version number: "11.5.0"
So I still think there is something wrong with the file it reads...
If I revert it to 11.4.2, so it looks as though it is not reading this
file
for getting this information.
# cat /etc/pki/pki.version Configuration-Version: 11.4.2
# ipactl restart Restarting Directory Service Restarting krb5kdc Service Restarting kadmin Service Restarting named Service Restarting httpd Service Restarting ipa-custodia Service Restarting pki-tomcatd Service Restarting smb Service Restarting winbind Service Restarting ipa-otpd Service Restarting ipa-dnskeysyncd Service ipa: INFO: The ipactl command was successful
# ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING named Service: RUNNING httpd Service: RUNNING ipa-custodia Service: RUNNING pki-tomcatd Service: STOPPED smb Service: RUNNING winbind Service: RUNNING ipa-otpd Service: RUNNING ipa-dnskeysyncd Service: RUNNING 1 service(s) are not running
May 29 12:17:08 kdc.sub.domain.tld systemd[1]: Starting PKI Tomcat Server pki-tomcat... May 29 12:17:08 kdc.sub.domain.tld pki-server[37297]: ERROR: Unable to parse version number: "11.5.0"
Strange.
On Tue, May 28, 2024 at 7:35 PM Rob Crittenden rcritten@redhat.com
wrote:
Natxo Asenjo via FreeIPA-users wrote:
hi,
no, it's without quotes but the rolledback version:
Configuration-Version: 11.4.2
I tried modifying it to 11.5.0 and ipactl restart, but it does not help (reset it to the proper value 11.4.2 now)
Did the error change when you switched to 11.4.2? You didn't include a new traceback.
rob
On Fri, May 24, 2024 at 5:14 PM Alexander Bokovoy <abokovoy@redhat.com> wrote:
On Fri, 24 May 2024, Natxo Asenjo via FreeIPA-users wrote:
>hi,
>
>after a botched update (https://access.redhat.com/solutions/7065748) and
>rolling back the changes, this service will not start:
>
># ipactl status
>Directory Service: RUNNING
>krb5kdc Service: RUNNING
>kadmin Service: RUNNING
>named Service: RUNNING
>httpd Service: RUNNING
>ipa-custodia Service: RUNNING
>pki-tomcatd Service: STOPPED
>smb Service: RUNNING
>winbind Service: RUNNING
>ipa-otpd Service: RUNNING
>ipa-dnskeysyncd Service: RUNNING
>1 service(s) are not running
>
>in journalctl I found this stdout/stderr messages:
>
>May 24 11:40:35 kdc1.sub.domain.tld named[27437]: zone sub.domain.tld/IN: sending notifies (serial 1716543629)
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: ERROR: Unable to parse version number: "11.5.0"
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: Traceback (most recent call last):
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: File "/usr/lib/python3.9/site-packages/pki/server/pkiserver.py", line 41, in <module>
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: cli.execute(sys.argv)
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: File "/usr/lib/python3.9/site-packages/pki/server/cli/__init__.py", line 145, in execute
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: super().execute(args)
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: File "/usr/lib/python3.9/site-packages/pki/cli/__init__.py", line 217, in execute
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: module.execute(module_args)
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: File "/usr/lib/python3.9/site-packages/pki/server/cli/upgrade.py", line 144, in execute
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: self.upgrade(
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: File "/usr/lib/python3.9/site-packages/pki/server/cli/upgrade.py", line 178, in upgrade
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: upgrader.upgrade()
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: File "/usr/lib/python3.9/site-packages/pki/upgrade.py", line 481, in upgrade
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: versions = self.versions()
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: File "/usr/lib/python3.9/site-packages/pki/upgrade.py", line 238, in versions
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: current_version = self.get_current_version()
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: File "/usr/lib/python3.9/site-packages/pki/upgrade.py", line 341, in get_current_version
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: current_version = self.get_tracker().get_version()
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: File "/usr/lib/python3.9/site-packages/pki/upgrade.py", line 141, in get_version
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: return pki.util.Version(version)
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: File "/usr/lib/python3.9/site-packages/pki/util.py", line 613, in __init__
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: raise Exception('Unable to parse version number: %s' % obj)
>May 24 11:40:35 kdc1.sub.domain.tld pki-server[27758]: Exception: Unable to parse version number: "11.5.0"

What do you have in /etc/pki/pki.version file? Is it literally

# cat /etc/pki/pki.version
Configuration-Version: "11.5.0"

? If so, then remove quotes around 11.5.0, they are not expected.

>May 24 11:40:35 kdc1.sub.domain.tld systemd[1]: pki-tomcatd@pki-tomcat.service: Control process exited, code=exited, status=1/FAILURE
>May 24 11:40:35 kdc1.sub.domain.tld systemd[1]: pki-tomcatd@pki-tomcat.service: Failed with result 'exit-code'.
>May 24 11:40:35 kdc1.sub.domain.tld systemd[1]: Failed to start PKI Tomcat Server pki-tomcat.
>
>So it seems something is broken on this upgrade script. This is in
>almalinux 9.3
>ipa-server-4.10.2-5.el9_3.alma.1.x86_64
>
>I cannot upgrade because I get bitten by the named ldap thing, even though
>the versions are newer.
>
>I will create a replica to a rhel host but first I need to get the CA up
>and running obviously :-).
>
>Any ideas?
>
>Thanks!
>
>--
>regards,
>
>natxo
>
>--
>--
>Groeten,
>natxo

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
Groeten, natxo
--
Groeten, natxo
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
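The quoted-value failure shown in the interpreter session above, as an added example that is not part of the thread or of the pki code base: it scans configuration text for version settings and reports which values the regular expression from that session rejects, and whether removing surrounding quotes would make them parse. The file contents are constructed from values quoted in this thread (the PKI_VERSION line is the one reported from /etc/pki/pki-tomcat/tomcat.conf later on), constructed/unfixable.conf is a made-up path, and reading values literally, without shell unquoting, is an assumption about how the reader behaves.

```python
import re
import sys

# Pattern taken from the interpreter session in this thread. That the real
# pki.util.Version uses exactly this expression is an assumption.
VERSION_RE = re.compile(r'^(\d+)\.(\d+)\.(\d+)')

# "Key: value" (pki.version style) or "KEY=value" (environment-file style).
SETTING_RE = re.compile(r'^\s*([A-Za-z_][\w-]*)\s*[:=]\s*(.*?)\s*$')

# Constructed inputs. The first two values are quoted in the thread; the third
# file and its path are made up to show a value that unquoting cannot repair.
SAMPLE_FILES = {
    "/etc/pki/pki.version": "Configuration-Version: 11.4.2\n",
    "/etc/pki/pki-tomcat/tomcat.conf": '# constructed sample\nPKI_VERSION="11.5.0"\n',
    "constructed/unfixable.conf": "PKI_VERSION=eleven\n",
}


def parse_version(raw):
    """Return (major, minor, patch), or None if the value does not parse."""
    m = VERSION_RE.match(raw)
    return tuple(int(part) for part in m.groups()) if m else None


def strip_quotes(raw):
    """Remove one pair of matching surrounding quotes, as a shell would."""
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        return raw[1:-1]
    return raw


def version_settings(text):
    """Yield (line number, key, literal value) for each setting named *version*."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = SETTING_RE.match(line)
        if m and "version" in m.group(1).lower():
            yield lineno, m.group(1), m.group(2)


def audit(files):
    """Check every version setting in {path: text}; return one dict per setting."""
    findings = []
    for path, text in files.items():
        for lineno, key, raw in version_settings(text):
            parsed = parse_version(raw)
            unquoted = strip_quotes(raw)
            fixable = parsed is None and parse_version(unquoted) is not None
            findings.append({
                "path": path, "line": lineno, "key": key, "raw": raw,
                "parsed": parsed,
                "suggestion": unquoted if fixable else None,
            })
    return findings


def unparsable(findings):
    """Keep only the settings whose literal value the pattern rejects."""
    return [f for f in findings if f["parsed"] is None]


if __name__ == "__main__":
    # With file arguments, audit those files; otherwise use the samples.
    files = SAMPLE_FILES
    if sys.argv[1:]:
        files = {}
        for p in sys.argv[1:]:
            with open(p, encoding="utf-8", errors="replace") as fh:
                files[p] = fh.read()
    for f in audit(files):
        status = "ok" if f["parsed"] is not None else "UNPARSABLE"
        hint = ""
        if f["suggestion"] is not None:
            hint = "  (parses as %s without quotes)" % f["suggestion"]
        print("%s:%d: %s = %s  %s%s"
              % (f["path"], f["line"], f["key"], f["raw"], status, hint))
```

Run without arguments it checks the constructed samples; given file paths it checks those files instead.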
Since it starts directly as root perhaps check for SELinux AVCs? Maybe a relabel would help (or try permissive to catch the full set).
rob
Natxo Asenjo wrote:
hi,
yes, there was something wrong with another file :-):
# grep -r "11.5.0" /etc/pki/
/etc/pki/pki-tomcat/tomcat.conf: PKI_VERSION="11.5.0"
So I modified that to
PKI_VERSION=11.4.2
And now I have another error :-), it fails to start because of this (I know I should not start this from systemctl, but from ipactl restart, debugging, it takes longer to run ipactl restart):
May 29 14:23:01 kdc.sub.domain.tld systemd[1]: Starting PKI Tomcat Server pki-tomcat...
░░ Subject: A start job for unit pki-tomcatd@pki-tomcat.service has begun execution
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ A start job for unit pki-tomcatd@pki-tomcat.service has begun execution.
░░
░░ The job identifier is 35769.
May 29 14:23:03 kdc.sub.domain.tld pki-server[43389]: NOTE: Picked up JDK_JAVA_OPTIONS: --add-opens=j>
May 29 14:23:03 kdc.sub.domain.tld pki-server[43371]: AJP connector requiredSecret: None
May 29 14:23:03 kdc.sub.domain.tld pki-server[43371]: AJP connector requiredSecret: None
May 29 14:23:03 kdc.sub.domain.tld server[43423]: Java virtual machine used: /usr/lib/jvm/jre-17-openj>
May 29 14:23:03 kdc.sub.domain.tld server[43423]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:>
May 29 14:23:03 kdc.sub.domain.tld server[43423]: main class used: org.apache.catalina.startup.Bootstr>
May 29 14:23:03 kdc.sub.domain.tld server[43423]: flags used: -Dcom.redhat.fips=false
May 29 14:23:03 kdc.sub.domain.tld server[43423]: options used: -Dcatalina.base=/var/lib/pki/pki-tomca>
May 29 14:23:03 kdc.sub.domain.tld server[43423]: arguments used: start
May 29 14:23:03 kdc.sub.domain.tld server[43423]: NOTE: Picked up JDK_JAVA_OPTIONS: --add-opens=java.>
May 29 14:23:03 kdc.sub.domain.tld server[43423]: WARNING: A command line option has enabled the Secur>
May 29 14:23:03 kdc.sub.domain.tld server[43423]: WARNING: The Security Manager is deprecated and will>
May 29 14:23:04 kdc.sub.domain.tld ipa-pki-wait-running[43424]: pki.client: /usr/libexec/ipa/ipa-pki-w>
May 29 14:23:04 kdc.sub.domain.tld ipa-pki-wait-running[43424]: ipa-pki-wait-running: Created connecti>
May 29 14:23:04 kdc.sub.domain.tld ipa-pki-wait-running[43424]: ipa-pki-wait-running: Connection faile>
May 29 14:23:05 kdc.sub.domain.tld server[43423]: SEVERE: Protocol handler instantiation failed
May 29 14:23:05 kdc.sub.domain.tld server[43423]: java.lang.ClassNotFoundException: org.dogtagpki.jss.>
May 29 14:23:05 kdc.sub.domain.tld server[43423]: at java.base/java.net.URLClassLoader.findCla>
May 29 14:23:05 kdc.sub.domain.tld server[43423]: at java.base/java.lang.ClassLoader.loadClass>
lines 1094-1145/1353 80%
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ A start job for unit pki-tomcatd@pki-tomcat.service has begun execution.
░░
░░ The job identifier is 35665.
May 29 14:19:36 kdc.sub.domain.tld pki-server[43128]: NOTE: Picked up JDK_JAVA_OPTIONS: --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=>
May 29 14:19:36 kdc.sub.domain.tld pki-server[43109]: AJP connector requiredSecret: None
May 29 14:19:36 kdc.sub.domain.tld pki-server[43109]: AJP connector requiredSecret: None
May 29 14:19:36 kdc.sub.domain.tld server[43162]: Java virtual machine used: /usr/lib/jvm/jre-17-openjdk/bin/java
May 29 14:19:36 kdc.sub.domain.tld server[43162]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:
May 29 14:19:36 kdc.sub.domain.tld server[43162]: main class used: org.apache.catalina.startup.Bootstrap
May 29 14:19:36 kdc.sub.domain.tld server[43162]: flags used: -Dcom.redhat.fips=false
May 29 14:19:36 kdc.sub.domain.tld server[43162]: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp ->
May 29 14:19:36 kdc.sub.domain.tld server[43162]: arguments used: start
May 29 14:19:36 kdc.sub.domain.tld server[43162]: NOTE: Picked up JDK_JAVA_OPTIONS: --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL->
May 29 14:19:36 kdc.sub.domain.tld server[43162]: WARNING: A command line option has enabled the Security Manager
May 29 14:19:36 kdc.sub.domain.tld server[43162]: WARNING: The Security Manager is deprecated and will be removed in a future release
May 29 14:19:37 kdc.sub.domain.tld ipa-pki-wait-running[43163]: pki.client: /usr/libexec/ipa/ipa-pki-wait-running:61: The subsystem in PKIConnection.__init__() has been deprecated (https://github.com/dogtagp>
May 29 14:19:37 kdc.sub.domain.tld ipa-pki-wait-running[43163]: ipa-pki-wait-running: Created connection http://kdc.sub.domain.tld:8080/ca
May 29 14:19:37 kdc.sub.domain.tld ipa-pki-wait-running[43163]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='kdc.sub.domain.tld', port=8080): Max retries exceeded with url: /ca/admin/ca>
May 29 14:19:37 kdc.sub.domain.tld server[43162]: SEVERE: Protocol handler instantiation failed
May 29 14:19:37 kdc.sub.domain.tld server[43162]: java.lang.ClassNotFoundException: org.dogtagpki.jss.tomcat.Http11NioProtocol
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at java.base/java.net.URLClassLoader.findClass(URLClassLoader.java:445)
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:592)
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:525)
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at java.base/java.lang.Class.forName0(Native Method)
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at java.base/java.lang.Class.forName(Class.java:375)
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at org.apache.coyote.ProtocolHandler.create(ProtocolHandler.java:254)
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at org.apache.catalina.connector.Connector.<init>(Connector.java:88)
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at org.apache.catalina.startup.ConnectorCreateRule.begin(ConnectorCreateRule.java:65)
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1293)
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at java.xml/com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.startElement(AbstractSAXParser.java:518)
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanStartElement(XMLDocumentFragmentScannerImpl.java:1407)
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:272>
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:605)
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:542)
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at java.xml/com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:889)
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at java.xml/com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:825)
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at java.xml/com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at java.xml/com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1224)
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at java.xml/com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:637)
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1551)
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at org.apache.catalina.startup.Catalina.parseServerXml(Catalina.java:617)
May 29 14:19:37 kdc.sub.domain.tld server[43162]: at org.apache.catalina.startup.Catalina.load(Catalina.java:709)
lish a new connection: [Errno 111] Connection refused'))
May 29 14:24:22 kdc1 ipa-pki-wait-running[43424]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='kdc.sub.domain.tld', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f6ddd7fcee0>: Failed to establish a new connection: [Errno 111] Connection refused'))
May 29 14:24:23 kdc1 ipa-pki-wait-running[43424]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='kdc.sub.domain.tld', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f6ddd80dbe0>: Failed to establish a new connection: [Errno 111] Connection refused'))
May 29 14:24:24 kdc1 ipa-pki-wait-running[43424]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='kdc.sub.domain.tld', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f6ddd80d640>: Failed to establish a new connection: [Errno 111] Connection refused'))
May 29 14:24:25 kdc1 ipa-pki-wait-running[43424]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='kdc.sub.domain.tld', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f6ddd80da00>: Failed to establish a new connection: [Errno 111] Connection refused'))
May 29 14:24:26 kdc1 ipa-pki-wait-running[43424]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='kdc.sub.domain.tld', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f6ddd80d310>: Failed to establish a new connection: [Errno 111] Connection refused'))
May 29 14:24:27 kdc1 ipa-pki-wait-running[43424]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='kdc.sub.domain.tld', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f6ddd7a9310>: Failed to establish a new connection: [Errno 111] Connection refused'))
May 29 14:24:28 kdc1 ipa-pki-wait-running[43424]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='kdc.sub.domain.tld', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f6ddd80d880>: Failed to establish a new connection: [Errno 111] Connection refused'))
May 29 14:24:29 kdc1 ipa-pki-wait-running[43424]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='kdc.sub.domain.tld', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f6ddd80dee0>: Failed to establish a new connection: [Errno 111] Connection refused'))
May 29 14:24:30 kdc1 ipa-pki-wait-running[43424]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='kdc.sub.domain.tld', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f6ddd80d640>: Failed to establish a new connection: [Errno 111] Connection refused'))
May 29 14:24:31 kdc1 ipa-pki-wait-running[43424]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='kdc.sub.domain.tld', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f6ddd80d1c0>: Failed to establish a new connection: [Errno 111] Connection refused'))
May 29 14:24:32 kdc1 ipa-pki-wait-running[43424]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='kdc.sub.domain.tld', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f6ddd7fcee0>: Failed to establish a new connection: [Errno 111] Connection refused'))
May 29 14:24:33 kdc1 systemd[1]: pki-tomcatd@pki-tomcat.service: start-post operation timed out. Terminating.
May 29 14:24:33 kdc1 systemd[1]: pki-tomcatd@pki-tomcat.service: Control process exited, code=killed, status=15/TERM
May 29 14:24:33 kdc1 systemd[1]: pki-tomcatd@pki-tomcat.service: Failed with result 'exit-code'.
May 29 14:24:33 kdc1 systemd[1]: Failed to start PKI Tomcat Server pki-tomcat.
May 29 14:24:33 kdc1 systemd[1]: pki-tomcatd@pki-tomcat.service: Consumed 3.677s CPU time.
What is interesting is that if I run the commands on the unit file, as root, it does start:
[root@kdc ~]# systemctl cat pki-tomcatd@pki-tomcat
# /usr/lib/systemd/system/pki-tomcatd@.service
[Unit]
Description=PKI Tomcat Server %i
PartOf=pki-tomcatd.target

[Service]
Type=simple
EnvironmentFile=/usr/share/pki/etc/tomcat.conf
EnvironmentFile=/etc/tomcat/tomcat.conf
Environment="NAME=%i"
EnvironmentFile=-/etc/sysconfig/%i
EnvironmentFile=/usr/share/pki/etc/pki.conf
EnvironmentFile=/etc/pki/pki.conf

ExecStartPre=/usr/sbin/pki-server upgrade %i
ExecStartPre=/usr/sbin/pki-server migrate %i
ExecStartPre=/usr/bin/pkidaemon start %i
ExecStart=/usr/libexec/tomcat/server start
ExecStop=/usr/libexec/tomcat/server stop

SuccessExitStatus=143
User=pkiuser
Group=pkiuser

[Install]
WantedBy=pki-tomcatd.target
# /etc/systemd/system/pki-tomcatd@pki-tomcat.service.d/ipa.conf
[Service]
Environment=LC_ALL=C.UTF-8
ExecStartPost=/usr/libexec/ipa/ipa-pki-wait-running
[root@kdc ~]# su - pkiuser
This account is currently not available.
[root@kdc ~]# source /usr/share/pki/etc/tomcat.conf
[root@kdc ~]# source /etc/tomcat/tomcat.conf
[root@kdc ~]# NAME=pki-tomcat
[root@kdc ~]# source /etc/sysconfig/pki-tomcat
[root@kdc ~]# source /usr/share/pki/etc/pki.conf
[root@kdc ~]# source /etc/pki/pki.conf
[root@kdc ~]# /usr/sbin/pki-server upgrade pki-tomcat
[root@kdc ~]# /usr/sbin/pki-server migrate pki-tomcat
NOTE: Picked up JDK_JAVA_OPTIONS: --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
AJP connector requiredSecret: None
AJP connector requiredSecret: None
[root@kdc ~]# /usr/bin/pkidaemon start pki-tomcat
[root@kdc ~]# /usr/libexec/tomcat/server start
Java virtual machine used: /usr/lib/jvm/jre/bin/java
classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:
main class used: org.apache.catalina.startup.Bootstrap
flags used: -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory
options used: -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
arguments used: start
NOTE: Picked up JDK_JAVA_OPTIONS: --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
29-May-2024 14:36:36.689 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version name: Apache Tomcat/9.0.62
29-May-2024 14:36:36.697 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built: Dec 30 1969 17:35:50 UTC
29-May-2024 14:36:36.698 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version number: 9.0.62.0
29-May-2024 14:36:36.699 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name: Linux
29-May-2024 14:36:36.699 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version: 5.14.0-427.16.1.el9_4.x86_64
29-May-2024 14:36:36.699 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture: amd64
29-May-2024 14:36:36.699 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home: /usr/lib/jvm/java-11-openjdk-11.0.22.0.7-2.el9.x86_64
29-May-2024 14:36:36.700 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version: 11.0.22+7-LTS
29-May-2024 14:36:36.700 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor: Red Hat, Inc.
29-May-2024 14:36:36.700 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE: /usr/share/tomcat
29-May-2024 14:36:36.701 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME: /usr/share/tomcat
29-May-2024 14:36:36.727 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.lang=ALL-UNNAMED
29-May-2024 14:36:36.728 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.io=ALL-UNNAMED
29-May-2024 14:36:36.728 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.util=ALL-UNNAMED
29-May-2024 14:36:36.728 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.util.concurrent=ALL-UNNAMED
29-May-2024 14:36:36.728 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
29-May-2024 14:36:36.729 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory
29-May-2024 14:36:36.730 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/usr/share/tomcat
29-May-2024 14:36:36.730 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/usr/share/tomcat
29-May-2024 14:36:36.733 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.endorsed.dirs=
29-May-2024 14:36:36.733 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/var/cache/tomcat/temp
29-May-2024 14:36:36.733 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties
29-May-2024 14:36:36.733 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
29-May-2024 14:36:36.735 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The Apache Tomcat Native library which allows using OpenSSL was not found on the java.library.path: [/usr/java/packages/lib:/usr/lib64:/lib64:/lib:/usr/lib]
29-May-2024 14:36:37.550 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8080"]
29-May-2024 14:36:37.613 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [1379] milliseconds
29-May-2024 14:36:37.739 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
29-May-2024 14:36:37.740 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet engine: [Apache Tomcat/9.0.62]
29-May-2024 14:36:37.756 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
29-May-2024 14:36:37.823 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [209] milliseconds
I will try rebooting later, although I do not think this will fix the problem.
On Wed, May 29, 2024 at 12:41 PM Alexander Bokovoy <abokovoy@redhat.com> wrote:
Principal Software Engineer >> > Security / Identity Management Engineering >> > Red Hat Limited, Finland >> > >> > >> > >> > -- >> > -- >> > Groeten, >> > natxo >> > >> > -- >> > _______________________________________________ >> > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> >> > To unsubscribe send an email to >> freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> >> > Fedora Code of Conduct: >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >> > List Archives: >> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org >> > Do not reply to spam, report it: >> https://pagure.io/fedora-infrastructure/new_issue >> > >> >> > >-- >-- >Groeten, >natxo -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland
--
Groeten, natxo
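The interactive session quoted earlier in this thread shows the version regex rejecting a value wrapped in quotes while /etc/pki/pki.version itself looks clean. As an added example (not code from the thread or from the pki project), this helper applies that same regex to every version-like line under a directory and says why a value fails; the key pattern, the `Example-Version` key, the sample text and the function names are assumptions.

```python
import os
import re

# Regex copied from the interactive session in the thread; everything else is illustrative.
VERSION_RE = re.compile(r'^(\d+)\.(\d+)\.(\d+)')
# Assumed shape of a version line: a key ending in "version", then ':' or '=', then the value.
KEY_RE = re.compile(r'^\s*([A-Za-z_-]*version)\s*[:=]\s*(.*)$', re.IGNORECASE)


def why_unparseable(value):
    """Explain why VERSION_RE rejects value; return None if it parses."""
    if VERSION_RE.match(value):
        return None  # re.match anchors only the start, so trailing junk is accepted
    if not value:
        return 'empty value'
    if value[0] in '"\'':
        return 'leading quote'
    if not value[0].isdigit():
        return 'leading character %r' % value[0]
    return 'not three dot-separated numbers at the start'


def scan_text(text):
    """Yield (line_number, raw_value, reason) for each version-like line that fails."""
    for number, line in enumerate(text.splitlines(), 1):
        found = KEY_RE.match(line)
        if found:
            reason = why_unparseable(found.group(2))
            if reason:
                yield number, found.group(2), reason


def scan_tree(root):
    """Walk root and map each file to its failing version lines (unreadable files are skipped)."""
    report = {}
    for folder, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            try:
                with open(path, encoding='utf-8', errors='replace') as handle:
                    hits = list(scan_text(handle.read()))
            except OSError:
                continue
            if hits:
                report[path] = hits
    return report


# Constructed sample: a clean line as shown in the thread, plus a quoted value
# under a made-up key that reproduces the journal error.
SAMPLE = 'Configuration-Version: 11.4.2\nExample-Version: "11.5.0"\n'
```

Because the pattern is anchored only at the start, a value such as `11.5.0"` still parses; only leading characters (or a missing component) trigger the exception seen in the journal.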
On Wed, May 29, 2024 at 3:03 PM Rob Crittenden rcritten@redhat.com wrote:
Since it starts directly as root perhaps check for SELinux AVCs? Maybe a relabel would help (or try permissive to catch the full set).
rob
unfortunately selinux was already in permissive mode and no recent avcs:
# ausearch -m avc -ts recent
<no matches>
The latest avc is from a few days ago regarding the ipa_custodia which we do not use.
I did a restorecon -rv / and it corrected some labels, but no difference so far.
hi,
digging further, the tomcat service does not start because of this error:
server[48368]: org.xml.sax.SAXParseException; systemId: file:/var/lib/pki/pki-tomcat/conf/server.xml; lineNumber: 86; columnNumber: 861; Error at line [86] column [861]: [Cannot invoke "Object.getClass()" because the return value of "org.apache.catalina.connector.Connector.getProtocolHandler()" is null]
If I check the server.xml, there is no column 861 in line 86, the last char is 860
<Connector name="Secure" port="8443" protocol="org.dogtagpki.jss.tomcat.Http11NioProtocol" SSLEnabled="true" sslImplementationName="org.dogtagpki.jss.tomcat.JSSImplementation" scheme="https" secure="true" connectionTimeout="80000" keepAliveTimeout="300000" maxHttpHeaderSize="8192" acceptCount="100" maxThreads="150" minSpareThreads="25" enableLookups="false" disableUploadTimeout="true" enableOCSP="false" ocspResponderURL="http://kdc.sub.domain.tld:8080/ca/ocsp" ocspResponderCertNickname="ocspSigningCert cert-pki-ca" ocspCacheSize="1000" ocspMinCacheEntryDuration="7200" ocspMaxCacheEntryDuration="14400" ocspTimeout="10" serverCertNickFile="/var/lib/pki/pki-tomcat/conf/serverCertNick.conf" passwordFile="/var/lib/pki/pki-tomcat/conf/password.conf" passwordClass="org.dogtagpki.jss.tomcat.PlainPasswordFile" certdbDir="/var/lib/pki/pki-tomcat/alias">
This line looks similar (replacing the ocsp url) to other ipa ca servers I manage, so I do not know where this is coming from.
If I run this as root it starts but apparently not well enough, because then the ExecStartPost command /usr/libexec/ipa/ipa-pki-wait-running fails with a 404
# /usr/libexec/ipa/ipa-pki-wait-running
pki.client: /usr/libexec/ipa/ipa-pki-wait-running:61: The subsystem in PKIConnection.__init__() has been deprecated (https://github.com/dogtagpki/pki/wiki/PKI-10.8-Python-Changes).
ipa-pki-wait-running: Created connection http://kdc.sub.domain.tld:8080/ca
ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error: for url: http://kdc.sub.domain.tld:8080/ca/admin/ca/getStatus
Any clues?
Regards,
Natxo
What version of dogtag-jss and dogtag-tomcat-jss are you running? I wonder if there is some requirement that it be in sync with the rest of the dogtag packages.
rob
hi,
a bit late, apologies.
I found that I do have a replica, so the pressure is off, so this is nice :-). Still, if you are still willing to investigate why this happened, I am too (just curious). Otherwise we can drop this issue.
I see no dogtag-jss or dogtag-tomcat-jss packages, but I guess those are idm-jss and idm-tomcatjss
This is the output in the host with problems (running alma 9.3):
[root@kdc1 ~]# rpm -qa | grep -i jss
idm-jss-5.4.1-2.el9.x86_64
idm-tomcatjss-8.4.0-1.el9.noarch
And on the not yet updated replica, where it still runs (also alma 9.3):
[root@kdc2 ~]# rpm -qa | grep jss
idm-jss-5.4.1-2.el9.x86_64
idm-tomcatjss-8.4.0-1.el9.noarch
I created a third replica to have even better redundancy, and this one running alma 9.4 has this version:
idm-jss-5.5.0-1.el9.x86_64
idm-jss-tomcat-5.5.0-1.el9.x86_64
Regards, Natxo
freeipa-users@lists.fedorahosted.org