Hi,
Some certificates on our freeipa-cluster (3 servers) have not been renewed till now, 2 hours before expiring. Can this be a problem?
Some of the certificates, the ones expiring, show "ca-error: Invalid cookie: ''" in the "getcert list" output, which makes me nervous.
We also have the problem that certmonger cannot reach the CA (CA_UNREACHABLE) after restarting a freeipa-server. But when we restart the certmonger.server after everything is up again, everything looks good.
Maybe you can give me some advice on what to check and which other logs you would need.
Thanks
Christof Schulze
On Mon, Jan 29, 2018 at 03:55:07PM +0100, Christof Schulze via FreeIPA-users wrote:
Hi,
Some certificates on our freeipa-cluster (3 servers) have not been renewed till now, 2 hours before expiring. Can this be a problem?
Some of the certificates, the ones expiring, show "ca-error: Invalid cookie: ''" in the "getcert list" output, which makes me nervous.
We also have the problem that certmonger cannot reach the CA (CA_UNREACHABLE) after restarting a freeipa-server. But when we restart the certmonger.server after everything is up again, everything looks good.
Maybe you can give me some advice on what to check and which other logs you would need.
Thanks
Christof Schulze
Hi Christof,
Yes, it is a problem. They should have been renewed before now. The errors in `getcert list` output show that there has been a problem.
First, check that all certificates are valid and that all certificates have been synced across all masters using `ipa-certupdate` on each master. You should also check that the userCertificate attribute in entry:
uid=ipara,ou=people,o=ipaca
matches the actual IPA RA certificate in /var/lib/ipa/ra-agent.pem
Also check that your topology has the correct renewal master configuration: ldapsearch cn=masters,cn=ipa,cn=etc,dc=ipa,dc=local with filter (&(cn=CA)(ipaConfigString=caRenewalMaster)). It should return exactly one entry and it must be a valid, active master.
HTH, Fraser
-- Christof Schulze
Institute of Materials Simulation (WW8) Department of Materials Science Friedrich-Alexander-University Erlangen-Nürnberg Dr.-Mack-Str. 77, 90762 Fürth, Germany
Tel: 0911/65078-65069 Email: christof.schulze@ww.uni-erlangen.de
Number of certificates and requests being tracked: 9.
Request ID '20170927064701':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    CA: SelfSign
    issuer: CN=idm1.XXXkd.fau.de,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,L=FUERTH
    subject: CN=idm1.XXXkd.fau.de,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,L=FUERTH
    expires: 2018-09-27 06:47:01 UTC
    principal name: krbtgt/XXXKD.FAU.DE@XXXKD.FAU.DE
    certificate template/profile: KDCs_PKINIT_Certs
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
    track: yes
    auto-renew: yes
Request ID '20171206120336':
    status: MONITORING
    ca-error: Invalid cookie: ''
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    subject: CN=CA Audit,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    expires: 2018-01-29 12:00:45 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20171206120337':
    status: MONITORING
    ca-error: Invalid cookie: ''
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    subject: CN=OCSP Subsystem,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    expires: 2018-01-29 12:00:44 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    eku: id-kp-OCSPSigning
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20171206120338':
    status: MONITORING
    ca-error: Invalid cookie: ''
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    subject: CN=CA Subsystem,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    expires: 2018-01-29 12:00:44 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20171206120339':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    subject: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    expires: 2036-02-09 12:00:40 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20171206120340':
    status: MONITORING
    ca-error: Invalid cookie: ''
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    subject: CN=IPA RA,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    expires: 2018-01-29 12:01:11 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20171206120341':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    subject: CN=idm1.XXXkd.fau.de,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    expires: 2018-07-29 13:05:20 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20171206120345':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-XXXKD-FAU-DE',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-XXXKD-FAU-DE/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-XXXKD-FAU-DE',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    subject: CN=idm1.XXXkd.fau.de,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    expires: 2018-08-09 13:01:15 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv XXXKD-FAU-DE
    track: yes
    auto-renew: yes
Request ID '20171206120351':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    subject: CN=idm1.XXXkd.fau.de,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    expires: 2018-08-09 13:01:17 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
Hi,
Now the roof is on fire. All certificates have been synced on all masters for a long time.
The certificates in /etc/pki/pki-tomcat/alias that were not renewing have now expired: "subsystemCert cert-pki-ca", "ocspSigningCert cert-pki-ca", "/var/lib/ipa/ra-agent.pem".
The "auditSigningCert cert-pki-ca" certificate is the only one which has been renewed. (Old Serial Number: 5 (0x5), New Serial Number: 536739845 (0x1ffe0005) valid till 2020)
The userCertificate in (uid=ipara,ou=people,o=ipaca) and the IPA RA certificate in /var/lib/ipa/ra-agent.pem are matching and expired.
pki-tomcat can no longer access the ldap.
slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
Is there some way this situation can be solved?
Thanks
Christof Schulze
Request ID '20171206120336':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    subject: CN=CA Audit,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    expires: 2020-01-19 13:22:53 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20171206120337':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    subject: CN=OCSP Subsystem,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    expires: 2018-01-29 12:00:44 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    eku: id-kp-OCSPSigning
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20171206120338':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    subject: CN=CA Subsystem,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    expires: 2018-01-29 12:00:44 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20171206120340':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    subject: CN=IPA RA,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    expires: 2018-01-29 12:01:11 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
On 01/30/2018 02:02 PM, Christof Schulze via FreeIPA-users wrote:
Hi,
Now the roof is on fire. All certificates have been synced on all masters for a long time.
The certificates in /etc/pki/pki-tomcat/alias that were not renewing have now expired: "subsystemCert cert-pki-ca", "ocspSigningCert cert-pki-ca", "/var/lib/ipa/ra-agent.pem".
The "auditSigningCert cert-pki-ca" certificate is the only one which has been renewed. (Old Serial Number: 5 (0x5), New Serial Number: 536739845 (0x1ffe0005) valid till 2020)
The userCertificate in (uid=ipara,ou=people,o=ipaca) and the IPA RA certificate in /var/lib/ipa/ra-agent.pem are matching and expired.
pki-tomcat can no longer access the ldap.
slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
Is there some way this situation can be solved?
Hi,
You first need to identify who is your renewal master and start repairing this machine. You can use ipa config-show or a direct ldapsearch as described here (https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Iden...) to find the renewal master.
On the renewal master, check if the certificates have been properly renewed. If it is not the case, you will need to chase the failure by checking SELinux AVCs or errors in the journal produced by certmonger. The renewal master really needs to be repaired first, as it is the source containing some certs that will later be downloaded by the other masters.
Flo
Hi,
Here may be the problem: all are masters, and idm1, which I am working on, is the CA renewal master (checked LDAP and config-show).
IPA masters: idm1.ww8kd.fau.de, idm2.ww8kd.fau.de, idm3.ww8kd.fau.de
IPA CA servers: idm1.ww8kd.fau.de, idm2.ww8kd.fau.de, idm3.ww8kd.fau.de
IPA NTP servers: idm1.ww8kd.fau.de, idm2.ww8kd.fau.de, idm3.ww8kd.fau.de
IPA CA renewal master: idm1.ww8kd.fau.de
But when checking the different points on the site linked by you, I can see that all of them have:
ca.crl.MasterCRL.enableCRLUpdates=false
ca.crl.MasterCRL.enableCRLCache=false
And all of them have the RewriteRule in the /etc/httpd/conf.d/ipa-pki-proxy.conf.
I remember years ago the original idm1 got roasted by some electrical surge. And I think it got cloned by one of the others (documentation would be king).
So all of them are clones and we don't have a CRL generation master.
The renewed "auditSigningCert cert-pki-ca" on the master didn't get replicated to the others.
Can I just promote idm1 to become CRL generation master by setting
ca.crl.MasterCRL.enableCRLUpdates=true
ca.crl.MasterCRL.enableCRLCache=true
And how to get new certificates?
And thanks for your patience.
Christof Schulze via FreeIPA-users wrote:
Hi,
Here may be the problem: all are masters, and idm1, which I am working on, is the CA renewal master (checked LDAP and config-show).
IPA masters: idm1.ww8kd.fau.de, idm2.ww8kd.fau.de, idm3.ww8kd.fau.de
IPA CA servers: idm1.ww8kd.fau.de, idm2.ww8kd.fau.de, idm3.ww8kd.fau.de
IPA NTP servers: idm1.ww8kd.fau.de, idm2.ww8kd.fau.de, idm3.ww8kd.fau.de
IPA CA renewal master: idm1.ww8kd.fau.de
But when checking the different points on the site linked by you, I can see that all of them have:
ca.crl.MasterCRL.enableCRLUpdates=false
ca.crl.MasterCRL.enableCRLCache=false
And all of them have the RewriteRule in the /etc/httpd/conf.d/ipa-pki-proxy.conf.
I remember years ago the original idm1 got roasted by some electrical surge. And I think it got cloned by one of the others (documentation would be king).
So all of them are clones and we don't have a CRL generation master.
The renewed "auditSigningCert cert-pki-ca" on the master didn't get replicated to the others.
Can I just promote idm1 to become CRL generation master by setting
ca.crl.MasterCRL.enableCRLUpdates=true
ca.crl.MasterCRL.enableCRLCache=true
Yes but that won't affect renewal.
And how to get new certificates?
As Flo suggested, check syslog for certmonger messages. Look for AVCs.
Look at the output of getcert list to see what the status and errors are.
rob
And thanks for your patience.
On 30.01.2018 14:26, Florence Blanc-Renaud wrote:
On 01/30/2018 02:02 PM, Christof Schulze via FreeIPA-users wrote:
Hi,
Now the roof is on fire, all certificates are synced on all masters since a long time ago.
The not renewing certificates in /etc/pki/pki-tomcat/alias have now expired "subsystemCert cert-pki-ca" , "ocspSigningCert cert-pki-ca" , "/var/lib/ipa/ra-agent.pem"
The "auditSigningCert cert-pki-ca" certificate is the only one which has been renewed. (Old Serial Number: 5 (0x5), New Serial Number: 536739845 (0x1ffe0005) valid till 2020)
The userCertificate in (uid=ipara,ou=people,o=ipaca) and the IPA RA certificate in /var/lib/ipa/ra-agent.pem are matching and expired.
pki-tomcat can no longer access the ldap.
slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
Is there some way this situation can be solved?
Hi,
you need first to identify who is your renewal master and start repairing this machine. You can use ipa config-show or a direct ldapsearch as described here (https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Iden...) to find the renewal master.
On the renewal master, check if the certificates have been properly renewed. If it is not the case, you will need to chase the failure by checking SE linux AVCs or errors in the journal produced by certmonger. The renewal master really needs to be repaired first, as it is the source containing some certs that will later be downloaded by the other masters.
Flo
Thanks
Christof Schulze
Request ID '20171206120336':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    subject: CN=CA Audit,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    expires: 2020-01-19 13:22:53 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20171206120337':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    subject: CN=OCSP Subsystem,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    expires: 2018-01-29 12:00:44 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    eku: id-kp-OCSPSigning
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20171206120338':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    subject: CN=CA Subsystem,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    expires: 2018-01-29 12:00:44 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20171206120340':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    subject: CN=IPA RA,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    expires: 2018-01-29 12:01:11 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
On 30.01.2018 00:40, Fraser Tweedale via FreeIPA-users wrote:
On Mon, Jan 29, 2018 at 03:55:07PM +0100, Christof Schulze via FreeIPA-users wrote:
Hi,
some certificates on our freeipa-cluster (3 servers) are have been not renewed till now, 2 hours before expiring. Can this be a problem?
Some of the certificates, the ones expiring show "ca-error: Invalid cookie: '' in the "getcert list" output, what makes me nervous.
We also have the problem when certmonger can not reach the CA CA_UNREACHABLE after restarting a freeipa-server. But when we restart the certmonger.server after everything being up again everything looks good.
Maybe you can give me some advice what to check and which logs you else would need.
Thanks
Christof Schulze
Hi Christof,
Yes, it is a problem. They should have been renewed before now. The errors in `getcert list' output show that there has been a problem.
First, check that all certificates are valid, all certificates have been synced across all masters using `ipa-certupdate` on each master. You should also check that the userCertificate attribute in entry:
uid=ipara,ou=people,o=ipaca
matches the actual IPA RA certificate in /var/lib/ipa/ra-agent.pem
Also check that your topology has correct renewal master configuration. ldapsearch cn=masters,cn=ipa,cn=etc,dc=ipa,dc=local with filter (&(cn=CA)(ipaConfigString=caRenewalMaster)). It should return exactly one entry and it must be a valid, active master.
HTH, Fraser
Hi,
Checked AVCs first. Selinux is always a burden on our Fedora Clients.
Certmonger is still trying.
Does it make sense to make some time travel for certificate renewal with the Renewal master, even if the renewal didn't work when the certificates were still valid?
On 30.01.2018 16:42, Rob Crittenden via FreeIPA-users wrote:
Christof Schulze via FreeIPA-users wrote:
Hi,
Here may be the problem, all are masters, the idm1 I am working on is the CA renewal master (checked ldap and config-show).
IPA masters: idm1.ww8kd.fau.de, idm2.ww8kd.fau.de, idm3.ww8kd.fau.de
IPA CA servers: idm1.ww8kd.fau.de, idm2.ww8kd.fau.de, idm3.ww8kd.fau.de
IPA NTP servers: idm1.ww8kd.fau.de, idm2.ww8kd.fau.de, idm3.ww8kd.fau.de
IPA CA renewal master: idm1.ww8kd.fau.de
But when checking the different points on the site linked by you, I can see: All of them have
ca.crl.MasterCRL.enableCRLUpdates=false
ca.crl.MasterCRL.enableCRLCache=false
And all of them have the RewriteRule in the /etc/httpd/conf.d/ipa-pki-proxy.conf.
I remember years ago the original idm1 got roasted by some electrical surge. And I think it got cloned by one of the others (documentation would be king).
So all of them are clones and we don't have a CRL generation master.
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
On Tue, Jan 30, 2018 at 05:29:46PM +0100, Christof Schulze via FreeIPA-users wrote:
Hi,
Checked AVCs first. Selinux is always a burden on our Fedora Clients.
Certmonger is still trying.
Does it make sense to make some time travel for certificate renewal with the Renewal master, even if the renewal didn't work when the certificates were still valid?
Time travel will be necessary.
Wind the clock back on the renewal master to a time when all certs are valid, and then investigate why renewal was failing.
Please check that the userCertificate attributes of the following entries are in sync with their corresponding certificates:
- uid=ipara,ou=people,o=ipaca must match /var/lib/ipa/ra-agent.pem
- uid=pkidbuser,ou=people,o=ipaca must match /etc/pki/pki-tomcat/alias : 'subsystemCert cert-pki-ca'
Cheers, Fraser
-- Christof Schulze
Institute of Materials Simulation (WW8) Department of Materials Science Friedrich-Alexander-University Erlangen-Nürnberg Dr.-Mack-Str. 77, 90762 Fürth, Germany
Tel: 0911/65078-65069 Email: christof.schulze@ww.uni-erlangen.de
journalctl -u certmonger.service
Jan 29 20:43:46 idm1.ww8kd.fau.de certmonger[13223]: Certificate in file "/var/lib/ipa/ra-agent.pem" is no longer valid.
Jan 29 20:43:49 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13225]: Forwarding request to dogtag-ipa-renew-agent
Jan 29 20:43:49 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13225]: dogtag-ipa-renew-agent returned 2
.... repeating till...
Jan 29 20:45:10 idm1.ww8kd.fau.de certmonger[13328]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
Jan 29 20:45:13 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13330]: Forwarding request to dogtag-ipa-renew-agent
.... repeating till...
Jan 29 20:53:36 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13943]: dogtag-ipa-renew-agent returned 2
Jan 29 20:53:47 idm1.ww8kd.fau.de certmonger[13954]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
Jan 29 20:53:49 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13956]: Forwarding request to dogtag-ipa-renew-agent
Jan 29 20:53:49 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13956]: dogtag-ipa-renew-agent returned 2
.... repeating till...
Jan 29 20:55:57 idm1.ww8kd.fau.de certmonger[14110]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
Jan 29 20:55:59 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[14112]: Forwarding request to dogtag-ipa-renew-agent
Jan 29 20:55:59 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[14112]: dogtag-ipa-renew-agent returned 2
.... repeating
Then suddenly:
Jan 30 16:09:31 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[27370]: Traceback (most recent call last):
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 540, in <module>
    sys.exit(main())
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 514, in main
    kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
  File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 43, in kinit_keytab
    cred = gssapi.Credentials(name=name, store=store, usage='initiate')
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 64, in __new__
    store=store)
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 148, in acquire
    usage)
  File "ext_cred_store.pyx", line 182, in gssapi.raw.ext_cred_store.acquire_cred_from (gssapi/raw/ext_cred_store.c:1732)
GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639068): Cannot contact any KDC for realm 'WW8KD.FAU.DE'
Jan 30 16:09:31 idm1.ww8kd.fau.de certmonger[15905]: 2018-01-30 16:09:31 [15905] Internal error
Jan 30 16:09:50 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[27500]: Traceback (most recent call last):
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 540, in <module>
    sys.exit(main())
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 514, in main
    kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
  File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 43, in kinit_keytab
    cred = gssapi.Credentials(name=name, store=store, usage='initiate')
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 64, in __new__
    store=store)
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 148, in acquire
    usage)
  File "ext_cred_store.pyx", line 182, in gssapi.raw.ext_cred_store.acquire_cred_from (gssapi/raw/ext_cred_store.c:1732)
GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639068): Cannot contact any KDC for realm 'WW8KD.FAU.DE'
Jan 30 16:09:50 idm1.ww8kd.fau.de certmonger[15905]: 2018-01-30 16:09:50 [15905] Internal error
Jan 30 16:09:51 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[27509]: Traceback (most recent call last):
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 540, in <module>
    sys.exit(main())
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 514, in main
    kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
  File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 43, in kinit_keytab
    cred = gssapi.Credentials(name=name, store=store, usage='initiate')
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 64, in __new__
    store=store)
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 148, in acquire
    usage)
  File "ext_cred_store.pyx", line 182, in gssapi.raw.ext_cred_store.acquire_cred_from (gssapi/raw/ext_cred_store.c:1732)
GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639068): Cannot contact any KDC for realm 'WW8KD.FAU.DE'
Jan 30 16:09:51 idm1.ww8kd.fau.de certmonger[15905]: 2018-01-30 16:09:51 [15905] Internal error
Jan 30 16:15:03 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[28056]: Forwarding request to dogtag-ipa-renew-agent
Jan 30 16:15:03 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[28056]: dogtag-ipa-renew-agent returned 2
.... repeating till end...
Jan 30 17:10:18 idm1 certmonger: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
Jan 30 17:10:20 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 30 17:10:20 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 30 17:10:24 idm1 server: Jan 30, 2018 5:10:24 PM org.apache.catalina.core.ContainerBase backgroundProcess
Jan 30 17:10:24 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process
Jan 30 17:10:24 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Jan 30 17:10:24 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
Jan 30 17:10:24 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
Jan 30 17:10:24 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
Jan 30 17:10:24 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
Jan 30 17:10:24 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:24 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:24 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
Jan 30 17:10:24 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 30 17:10:26 idm1 certmonger: Certificate in file "/var/lib/ipa/ra-agent.pem" is no longer valid.
Jan 30 17:10:28 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 30 17:10:28 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 30 17:10:34 idm1 server: Jan 30, 2018 5:10:34 PM org.apache.catalina.core.ContainerBase backgroundProcess
Jan 30 17:10:34 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process
Jan 30 17:10:34 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Jan 30 17:10:34 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
Jan 30 17:10:34 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
Jan 30 17:10:34 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
Jan 30 17:10:34 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
Jan 30 17:10:34 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:34 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:34 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
Jan 30 17:10:34 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 30 17:10:44 idm1 server: Jan 30, 2018 5:10:44 PM org.apache.catalina.core.ContainerBase backgroundProcess
Jan 30 17:10:44 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process
Jan 30 17:10:44 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Jan 30 17:10:44 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
Jan 30 17:10:44 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
Jan 30 17:10:44 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
Jan 30 17:10:44 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
Jan 30 17:10:44 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:44 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:44 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
Jan 30 17:10:44 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 30 17:10:44 idm1 certmonger: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
Jan 30 17:10:46 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 30 17:10:46 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 30 17:10:50 idm1 certmonger: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
Jan 30 17:10:53 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 30 17:10:53 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 30 17:10:54 idm1 server: Jan 30, 2018 5:10:54 PM org.apache.catalina.core.ContainerBase backgroundProcess
Jan 30 17:10:54 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process
Jan 30 17:10:54 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Jan 30 17:10:54 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
Jan 30 17:10:54 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
Jan 30 17:10:54 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
Jan 30 17:10:54 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
Jan 30 17:10:54 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:54 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:54 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
Jan 30 17:10:54 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 30 17:10:58 idm1 certmonger: Certificate in file "/var/lib/ipa/ra-agent.pem" is no longer valid.
Jan 30 17:11:01 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 30 17:11:01 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Hi,
did time roll back. Does look like the pki-tomcatd is not running, and can not be restarted.
Checked the userCertificates, they look identical to me.
The Certificate requests for the three expiring certificates are now in SUBMITTING-state. Can't see any other Errors than:
Jan 26 20:23:59 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[16805]: dogtag-ipa-renew-agent returned 2
Jan 26 20:30:36 idm1.XXXkd.fau.de systemd[1]: Stopping Certificate monitoring and PKI enrollment...
Jan 26 20:30:36 idm1.XXXkd.fau.de systemd[1]: Starting Certificate monitoring and PKI enrollment...
Is there some way to start certmonger and maybe the pki-tomcatd in debugging mode?
On 31.01.2018 00:27, Fraser Tweedale via FreeIPA-users wrote:
On Tue, Jan 30, 2018 at 05:29:46PM +0100, Christof Schulze via FreeIPA-users wrote:
Hi,
Checked AVCs first. SELinux is always a burden on our Fedora Clients.
Certmonger is still trying.
Does it make sense to make some time travel for certificate renewal with the Renewal master, even if the renewal didn't work when the certificates were still valid?
Time travel will be necessary.
Wind the clock back on the renewal master to a time when all certs are valid, and then investigate why renewal was failing.
Please check that the userCertificate attributes of the following entries are in sync with their corresponding certificates:
- uid=ipara,ou=people,o=ipaca must match /var/lib/ipa/ra-agent.pem
- uid=pkidbuser,ou=people,o=ipaca must match /etc/pki/pki-tomcat/alias : 'subsystemCert cert-pki-ca'
Cheers, Fraser
On 30.01.2018 16:42, Rob Crittenden via FreeIPA-users wrote:
Christof Schulze via FreeIPA-users wrote:
Hi,
Here may be the problem, all are masters, the idm1 I am working on is the CA renewal master (checked ldap and config-show).
IPA masters: idm1.ww8kd.fau.de, idm2.ww8kd.fau.de, idm3.ww8kd.fau.de
IPA CA servers: idm1.ww8kd.fau.de, idm2.ww8kd.fau.de, idm3.ww8kd.fau.de
IPA NTP servers: idm1.ww8kd.fau.de, idm2.ww8kd.fau.de, idm3.ww8kd.fau.de
IPA CA renewal master: idm1.ww8kd.fau.de
But when checking the different points on the site linked by you, I can see: All of them have
ca.crl.MasterCRL.enableCRLUpdates=false
ca.crl.MasterCRL.enableCRLCache=false
And all of them have the RewriteRule in the /etc/httpd/conf.d/ipa-pki-proxy.conf.
I remember years ago the original idm1 got roasted by some electrical surge. And I think it got cloned by one of the others (documentation would be king).
So all of them are clones and we don't have a CRL generation master.
The renewed "auditSigningCert cert-pki-ca" on the master didn't get replicated to the others.
Can I just promote idm1 to become CRL generation master by setting
ca.crl.MasterCRL.enableCRLUpdates=true
ca.crl.MasterCRL.enableCRLCache=true
Yes but that won't affect renewal.
And how to get new certificates?
As Flo suggested, check syslog for certmonger messages. Look for AVCs.
Look at the output of getcert list to see what the status and errors are.
rob
And Thanks for your patience.
On 30.01.2018 14:26, Florence Blanc-Renaud wrote:
On 01/30/2018 02:02 PM, Christof Schulze via FreeIPA-users wrote:
Hi,
Now the roof is on fire, all certificates are synced on all masters since a long time ago.
The not renewing certificates in /etc/pki/pki-tomcat/alias have now expired "subsystemCert cert-pki-ca" , "ocspSigningCert cert-pki-ca" , "/var/lib/ipa/ra-agent.pem"
The "auditSigningCert cert-pki-ca" certificate is the only one which has been renewed. (Old Serial Number: 5 (0x5), New Serial Number: 536739845 (0x1ffe0005) valid till 2020)
The userCertificate in (uid=ipara,ou=people,o=ipaca) and the IPA RA certificate in /var/lib/ipa/ra-agent.pem are matching and expired.
pki-tomcat can no longer access the ldap.
slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
Is there some way this situation can be solved?
Hi,
you need first to identify who is your renewal master and start repairing this machine. You can use ipa config-show or a direct ldapsearch as described here (https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Iden...) to find the renewal master.
On the renewal master, check if the certificates have been properly renewed. If it is not the case, you will need to chase the failure by checking SELinux AVCs or errors in the journal produced by certmonger. The renewal master really needs to be repaired first, as it is the source containing some certs that will later be downloaded by the other masters.
Flo
Thanks
Christof Schulze
Request ID '20171206120336':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    subject: CN=CA Audit,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    expires: 2020-01-19 13:22:53 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20171206120337':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    subject: CN=OCSP Subsystem,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    expires: 2018-01-29 12:00:44 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    eku: id-kp-OCSPSigning
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20171206120338':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    subject: CN=CA Subsystem,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    expires: 2018-01-29 12:00:44 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20171206120340':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    subject: CN=IPA RA,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    expires: 2018-01-29 12:01:11 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
On 30.01.2018 00:40, Fraser Tweedale via FreeIPA-users wrote:
> On Mon, Jan 29, 2018 at 03:55:07PM +0100, Christof Schulze via
> FreeIPA-users wrote:
>> Hi,
>>
>> some certificates on our freeipa-cluster (3 servers) are have been not
>> renewed till now, 2 hours before expiring. Can this be a problem?
>>
>> Some of the certificates, the ones expiring show "ca-error:
>> Invalid cookie:
>> '' in the "getcert list" output, what makes me nervous.
>>
>> We also have the problem when certmonger can not reach the CA
>> CA_UNREACHABLE
>> after restarting a freeipa-server. But when we restart the
>> certmonger.server
>> after everything being up again everything looks good.
>>
>> Maybe you can give me some advice what to check and which logs you
>> else
>> would need.
>>
>>
>> Thanks
>>
>> Christof Schulze
>>
> Hi Christof,
>
> Yes, it is a problem. They should have been renewed before now.
> The errors in `getcert list' output show that there has been a
> problem.
>
> First, check that all certificates are valid, all certificates have
> been synced across all masters using `ipa-certupdate` on each
> master. You should also check that the userCertificate attribute in
> entry:
>
> uid=ipara,ou=people,o=ipaca
>
> matches the actual IPA RA certificate in /var/lib/ipa/ra-agent.pem
>
> Also check that your topology has correct renewal master
> configuration. ldapsearch cn=masters,cn=ipa,cn=etc,dc=ipa,dc=local
> with filter (&(cn=CA)(ipaConfigString=caRenewalMaster)). It should
> return exactly one entry and it must be a valid, active master.
>
> HTH,
> Fraser
journalctl -u certmonger.service
Jan 29 20:43:46 idm1.ww8kd.fau.de certmonger[13223]: Certificate in file "/var/lib/ipa/ra-agent.pem" is no longer valid.
Jan 29 20:43:49 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13225]: Forwarding request to dogtag-ipa-renew-agent
Jan 29 20:43:49 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13225]: dogtag-ipa-renew-agent returned 2
.... repeating till...
Jan 29 20:45:10 idm1.ww8kd.fau.de certmonger[13328]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
Jan 29 20:45:13 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13330]: Forwarding request to dogtag-ipa-renew-agent
.... repeating till...
Jan 29 20:53:36 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13943]: dogtag-ipa-renew-agent returned 2
Jan 29 20:53:47 idm1.ww8kd.fau.de certmonger[13954]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
Jan 29 20:53:49 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13956]: Forwarding request to dogtag-ipa-renew-agent
Jan 29 20:53:49 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13956]: dogtag-ipa-renew-agent returned 2
.... repeating till...
Jan 29 20:55:57 idm1.ww8kd.fau.de certmonger[14110]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
Jan 29 20:55:59 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[14112]: Forwarding request to dogtag-ipa-renew-agent
Jan 29 20:55:59 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[14112]: dogtag-ipa-renew-agent returned 2
.... repeating
Then suddenly:
Jan 30 16:09:31 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[27370]: Traceback (most recent call last):
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 540, in <module>
    sys.exit(main())
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 514, in main
    kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
  File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 43, in kinit_keytab
    cred = gssapi.Credentials(name=name, store=store, usage='initiate')
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 64, in __new__
    store=store)
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 148, in acquire
    usage)
  File "ext_cred_store.pyx", line 182, in gssapi.raw.ext_cred_store.acquire_cred_from (gssapi/raw/ext_cred_store.c:1732)
GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639068): Cannot contact any KDC for realm 'WW8KD.FAU.DE'
Jan 30 16:09:31 idm1.ww8kd.fau.de certmonger[15905]: 2018-01-30 16:09:31 [15905] Internal error
Jan 30 16:09:50 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[27500]: Traceback (most recent call last):
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 540, in <module>
    sys.exit(main())
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 514, in main
    kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
  File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 43, in kinit_keytab
    cred = gssapi.Credentials(name=name, store=store, usage='initiate')
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 64, in __new__
    store=store)
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 148, in acquire
    usage)
  File "ext_cred_store.pyx", line 182, in gssapi.raw.ext_cred_store.acquire_cred_from (gssapi/raw/ext_cred_store.c:1732)
GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639068): Cannot contact any KDC for realm 'WW8KD.FAU.DE'
Jan 30 16:09:50 idm1.ww8kd.fau.de certmonger[15905]: 2018-01-30 16:09:50 [15905] Internal error
Jan 30 16:09:51 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[27509]: Traceback (most recent call last):
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 540, in <module>
    sys.exit(main())
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 514, in main
    kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
  File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 43, in kinit_keytab
    cred = gssapi.Credentials(name=name, store=store, usage='initiate')
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 64, in __new__
    store=store)
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 148, in acquire
    usage)
  File "ext_cred_store.pyx", line 182, in gssapi.raw.ext_cred_store.acquire_cred_from (gssapi/raw/ext_cred_store.c:1732)
GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639068): Cannot contact any KDC for realm 'WW8KD.FAU.DE'
Jan 30 16:09:51 idm1.ww8kd.fau.de certmonger[15905]: 2018-01-30 16:09:51 [15905] Internal error
Jan 30 16:15:03 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[28056]: Forwarding request to dogtag-ipa-renew-agent
Jan 30 16:15:03 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[28056]: dogtag-ipa-renew-agent returned 2
.... repeating till end...
Jan 30 17:10:18 idm1 certmonger: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
Jan 30 17:10:20 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 30 17:10:20 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 30 17:10:24 idm1 server: Jan 30, 2018 5:10:24 PM org.apache.catalina.core.ContainerBase backgroundProcess
Jan 30 17:10:24 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process
Jan 30 17:10:24 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Jan 30 17:10:24 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
Jan 30 17:10:24 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
Jan 30 17:10:24 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
Jan 30 17:10:24 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
Jan 30 17:10:24 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:24 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:24 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
Jan 30 17:10:24 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 30 17:10:26 idm1 certmonger: Certificate in file "/var/lib/ipa/ra-agent.pem" is no longer valid.
On Wed, Jan 31, 2018 at 04:58:30PM +0100, Christof Schulze via FreeIPA-users wrote:
> Hi,
> did time roll back. Does look like the pki-tomcatd is not running, and can not be restarted.
> Checked the userCertificates, they look identical to me.
> The Certificate requests for the three expiring certificates are now in SUBMITTING-state. Can't see any other Errors than:
> Jan 26 20:23:59 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[16805]: dogtag-ipa-renew-agent returned 2
> Jan 26 20:30:36 idm1.XXXkd.fau.de systemd[1]: Stopping Certificate monitoring and PKI enrollment...
> Jan 26 20:30:36 idm1.XXXkd.fau.de systemd[1]: Starting Certificate monitoring and PKI enrollment...
> Is there some way to start certmonger and maybe the pki-tomcatd in debugging mode?
What is in /var/log/pki/pki-tomcat/ca/debug? If it is not starting properly, there should be some output in there related to that.
Thanks, Fraser
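The advice repeated through this thread ("Look at the output of getcert list to see what the status and errors are") can be run as a routine check, so that a failing renewal is noticed well before the expiry date. The following Python is an added example, not part of the thread and not FreeIPA or certmonger code: it parses `getcert list` text and reports requests that are not in MONITORING, carry a `ca-error`, or are close to or past expiry. The sample input is constructed from the output posted above; the function names and the `warn_days` threshold are assumptions of the example.

```python
"""Triage `getcert list` output: report tracked certificates needing attention."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, abridged from the `getcert list` output quoted in this
# thread. The ca-error text and the SUBMITTING state are the ones the posts
# mention; which request carries them here is an assumption of the example.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20171206120336':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    expires: 2020-01-19 13:22:53 UTC
Request ID '20171206120337':
    status: MONITORING
    ca-error: Invalid cookie: ''
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    expires: 2018-01-29 12:00:44 UTC
Request ID '20171206120340':
    status: SUBMITTING
    stuck: no
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    expires: 2018-01-29 12:01:11 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':\s*$")
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?):\s*(.*)$")


def utc(*parts):
    """Build a timezone-aware UTC datetime, e.g. utc(2018, 1, 29, 10, 0)."""
    return datetime(*parts, tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Split the listing into one dict of fields per tracking request."""
    requests, current = [], None
    for line in text.splitlines():
        head = REQUEST_RE.match(line)
        if head:
            current = {"id": head.group(1)}
            requests.append(current)
            continue
        field = FIELD_RE.match(line)
        if field and current is not None:
            # The first colon ends the key, so the value of
            # "ca-error: Invalid cookie: ''" is kept whole.
            current.setdefault(field.group(1), field.group(2).strip())
    return requests


def label(req):
    """Prefer the NSS nickname, then the file location, then the request ID."""
    cert = req.get("certificate", "")
    found = re.search(r"nickname='([^']+)'", cert) or re.search(r"location='([^']+)'", cert)
    return found.group(1) if found else req["id"]


def findings(requests, now, warn_days=28):
    """Return [(label, [problem, ...])] for every request that needs a look."""
    report = []
    for req in requests:
        problems = []
        if req.get("status") != "MONITORING":
            problems.append("status " + req.get("status", "unknown"))
        if req.get("stuck") == "yes":
            problems.append("stuck")
        if "ca-error" in req:
            problems.append("ca-error: " + req["ca-error"])
        expires = req.get("expires")
        if expires:
            when = datetime.strptime(expires, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
            if when <= now:
                problems.append("expired " + expires)
            elif when - now <= timedelta(days=warn_days):
                problems.append(f"expires {expires} (within {warn_days} days)")
        if problems:
            report.append((label(req), problems))
    return report


if __name__ == "__main__":
    # Two hours before expiry, the moment described in the first post.
    for name, problems in findings(parse_getcert_list(SAMPLE), utc(2018, 1, 29, 10, 0)):
        print(name + ": " + "; ".join(problems))
```

On a server, the text would come from running `getcert list` as root instead of `SAMPLE`.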
On 31.01.2018 00:27, Fraser Tweedale via FreeIPA-users wrote:
On Tue, Jan 30, 2018 at 05:29:46PM +0100, Christof Schulze via FreeIPA-users wrote:
Hi,
Checked AVCs first. Selinux is always a burden on our Fedora Clients.
Certmonger is still trying.
Does it make sense to make some timetravel for certificate renewal with the Renewal master, even if the renewal didn't work when the certificates where still valid?
Time travel will be necessary.
Wind the clock back on the renewal master to a time when all certs are valid, and then investigate why renewal was failing.
Please check that the userCertificate attributes of the following entries are in sync with their corresponding certificates:
- uid=ipara,ou=people,o=ipaca must match /var/lib/ipa/ra-agent.pem - uid=pkidbuser,ou=people,o=ipaca must match /etc/pki/pki-tomcat/alias : 'subsystemCert cert-pki-ca'
Cheers, Fraser
On 30.01.2018 16:42, Rob Crittenden via FreeIPA-users wrote:
Christof Schulze via FreeIPA-users wrote:
Hi,
Here may be the problem, all are masters, the idm1 I am working on is the CA renewal master (checked ldap and config-show).
IPA masters: idm1.ww8kd.fau.de, idm2.ww8kd.fau.de, idm3.ww8kd.fau.de IPA CA servers: idm1.ww8kd.fau.de, idm2.ww8kd.fau.de, idm3.ww8kd.fau.de IPA NTP servers: idm1.ww8kd.fau.de, idm2.ww8kd.fau.de, idm3.ww8kd.fau.de IPA CA renewal master: idm1.ww8kd.fau.de
But when checking the different points on the side linked by you. I can see: All off them have ca.crl.MasterCRL.enableCRLUpdates=false ca.crl.MasterCRL.enableCRLCache=false
And all of them have the RewriteRule in the /etc/httpd/conf.d/ipa-pki-proxy.conf.
I remember years ago the original idm1 got roasted by some electrical surge. And I think it got cloned by one of the others (documentation would be king).
So all of them are clones and we don't have a CRL generation master.
The renewed "auditSigningCert cert-pki-ca" on the master didn't get replicated to the others.
Can I just promote idm1 to become CRL generation master by setting ca.crl.MasterCRL.enableCRLUpdates=true ca.crl.MasterCRL.enableCRLCache=true
Yes but that won't affect renewal.
And how to get new certificates?
As Flo suggested, check syslog for certmonger messages. Look for AVCs.
Look at the output of getcert list to see what the status and errors are.
rob
And Thanks for your patience.
On 30.01.2018 14:26, Florence Blanc-Renaud wrote:
On 01/30/2018 02:02 PM, Christof Schulze via FreeIPA-users wrote: > Hi, > > Now the roof is on fire, all certificates are synced on all masters > since a long time ago. > > The not renewing certificates in /etc/pki/pki-tomcat/alias have now > expired > "subsystemCert cert-pki-ca" , "ocspSigningCert cert-pki-ca" , > "/var/lib/ipa/ra-agent.pem" > > The "auditSigningCert cert-pki-ca" certificate is the only one which > has been renewed. (Old Serial Number: 5 (0x5), New Serial Number: > 536739845 (0x1ffe0005) valid till 2020) > > The userCertificate in (uid=ipara,ou=people,o=ipaca) and the IPA RA > certificate in /var/lib/ipa/ra-agent.pem are matching and expired. > > > pki-tomcat can no longer access the ldap. > > slapi_ldap_bind - Error: could not send startTLS request: error > -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not > connected) > > > Is there some way this situation can be solved? Hi,
you need first to identify who is your renewal master and start repairing this machine. You can use ipa config-show or a direct ldapsearch as described here (https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Iden...) to find the renewal master.
On the renewal master, check if the certificates have been properly renewed. If it is not the case, you will need to chase the failure by checking SE linux AVCs or errors in the journal produced by certmonger. The renewal master really needs to be repaired first, as it is the source containing some certs that will later be downloaded by the other masters.
Flo
> > Thanks
> > Christof Schulze
> >
>
> Request ID '20171206120336':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
>     subject: CN=CA Audit,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
>     expires: 2020-01-19 13:22:53 UTC
>     key usage: digitalSignature,nonRepudiation
>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20171206120337':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
>     subject: CN=OCSP Subsystem,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
>     expires: 2018-01-29 12:00:44 UTC
>     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>     eku: id-kp-OCSPSigning
>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20171206120338':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
>     subject: CN=CA Subsystem,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
>     expires: 2018-01-29 12:00:44 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20171206120340':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
>     certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
>     subject: CN=IPA RA,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
>     expires: 2018-01-29 12:01:11 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>     post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>     track: yes
>     auto-renew: yes
>
>
> On 30.01.2018 00:40, Fraser Tweedale via FreeIPA-users wrote:
> > On Mon, Jan 29, 2018 at 03:55:07PM +0100, Christof Schulze via FreeIPA-users wrote:
> > > Hi,
> > >
> > > some certificates on our freeipa-cluster (3 servers) are have been not renewed till now, 2 hours before expiring. Can this be a problem?
> > >
> > > Some of the certificates, the ones expiring show "ca-error: Invalid cookie: '' in the "getcert list" output, what makes me nervous.
> > >
> > > We also have the problem when certmonger can not reach the CA CA_UNREACHABLE after restarting a freeipa-server. But when we restart the certmonger.server after everything being up again everything looks good.
> > >
> > > Maybe you can give me some advice what to check and which logs you else would need.
> > >
> > >
> > > Thanks
> > >
> > > Christof Schulze
> > >
> > Hi Christof,
> >
> > Yes, it is a problem. They should have been renewed before now. The errors in `getcert list' output show that there has been a problem.
> >
> > First, check that all certificates are valid, all certificates have been synced across all masters using `ipa-certupdate` on each master. You should also check that the userCertificate attribute in entry:
> >
> > uid=ipara,ou=people,o=ipaca
> >
> > matches the actual IPA RA certificate in /var/lib/ipa/ra-agent.pem
> >
> > Also check that your topology has correct renewal master configuration. ldapsearch cn=masters,cn=ipa,cn=etc,dc=ipa,dc=local with filter (&(cn=CA)(ipaConfigString=caRenewalMaster)). It should return exactly one entry and it must be a valid, active master.
> >
> > HTH,
> > Fraser
>
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
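The `getcert list` output quoted in the message above can be triaged mechanically. The following Python is an added example, not part of the thread and not FreeIPA or certmonger code: it flags tracking requests that are not in MONITORING, carry a `ca-error`, or are at or near expiry. The sample text is constructed, and the names `parse_getcert_list`, `triage` and the `warn_days` threshold are assumptions of this example.

```python
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of the `getcert list` output quoted in this
# thread. Request IDs are made up and most fields are omitted.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20990101000001':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    expires: 2020-01-19 13:22:53 UTC
    auto-renew: yes
Request ID '20990101000002':
    status: MONITORING
    ca-error: Invalid cookie: ''
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    expires: 2018-01-29 12:00:44 UTC
    auto-renew: yes
Request ID '20990101000003':
    status: SUBMITTING
    stuck: no
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    expires: 2018-01-29 12:01:11 UTC
    auto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")


def parse_getcert_list(text):
    """Split raw (not mail-wrapped) `getcert list` output into one dict per request."""
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        match = REQUEST_RE.match(line)
        if match:
            current = {"id": match.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            # Split on the first colon only: values such as the ca-error text
            # contain colons of their own.
            key, _, value = line.partition(":")
            current.setdefault(key.strip(), value.strip())
    return requests


def cert_label(req):
    """Prefer the NSS nickname, fall back to the file location."""
    cert = req.get("certificate", "")
    match = re.search(r"nickname='([^']*)'", cert) or re.search(r"location='([^']*)'", cert)
    return match.group(1) if match else "(unknown)"


def parse_expiry(value):
    try:
        return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return None


def triage(text, now, warn_days=28):
    """Return the requests that need attention; warn_days is an assumed threshold."""
    findings = []
    for req in parse_getcert_list(text):
        reasons = []
        status = req.get("status", "(missing)")
        if status != "MONITORING":
            reasons.append("status=" + status)
        if req.get("stuck") == "yes":
            reasons.append("stuck")
        if "ca-error" in req:
            reasons.append("ca-error=" + req["ca-error"])
        if req.get("auto-renew") == "no":
            reasons.append("auto-renew disabled")
        expires = parse_expiry(req.get("expires"))
        if expires is None:
            reasons.append("no parsable expiry")
        elif expires <= now:
            reasons.append("expired")
        elif expires - now <= timedelta(days=warn_days):
            reasons.append("expires within %d days" % warn_days)
        if reasons:
            findings.append({"id": req["id"], "cert": cert_label(req), "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Pipe real output in (`getcert list | python3 this_file.py`) or run bare for the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for item in triage(text, datetime.now(timezone.utc)):
        print(item["id"], item["cert"], "; ".join(item["reasons"]))
```

A request that reports MONITORING while its certificate is at or past expiry is still flagged, because the expiry check is independent of the status field.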
journalctl -u certmonger.service
Jan 29 20:43:46 idm1.ww8kd.fau.de certmonger[13223]: Certificate in file "/var/lib/ipa/ra-agent.pem" is no longer valid.
Jan 29 20:43:49 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13225]: Forwarding request to dogtag-ipa-renew-agent
Jan 29 20:43:49 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13225]: dogtag-ipa-renew-agent returned 2
.... repeating till...
Jan 29 20:45:10 idm1.ww8kd.fau.de certmonger[13328]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
Jan 29 20:45:13 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13330]: Forwarding request to dogtag-ipa-renew-agent
.... repeating till...
Jan 29 20:53:36 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13943]: dogtag-ipa-renew-agent returned 2
Jan 29 20:53:47 idm1.ww8kd.fau.de certmonger[13954]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
Jan 29 20:53:49 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13956]: Forwarding request to dogtag-ipa-renew-agent
Jan 29 20:53:49 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13956]: dogtag-ipa-renew-agent returned 2
.... repeating till...
Jan 29 20:55:57 idm1.ww8kd.fau.de certmonger[14110]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
Jan 29 20:55:59 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[14112]: Forwarding request to dogtag-ipa-renew-agent
Jan 29 20:55:59 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[14112]: dogtag-ipa-renew-agent returned 2
.... repeating
Then suddenly:
Jan 30 16:09:31 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[27370]: Traceback (most recent call last):
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 540, in <module>
    sys.exit(main())
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 514, in main
    kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
  File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 43, in kinit_keytab
    cred = gssapi.Credentials(name=name, store=store, usage='initiate')
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 64, in __new__
    store=store)
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 148, in acquire
    usage)
  File "ext_cred_store.pyx", line 182, in gssapi.raw.ext_cred_store.acquire_cred_from (gssapi/raw/ext_cred_store.c:1732)
GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639068): Cannot contact any KDC for realm 'WW8KD.FAU.DE'
Jan 30 16:09:31 idm1.ww8kd.fau.de certmonger[15905]: 2018-01-30 16:09:31 [15905] Internal error
Jan 30 16:09:50 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[27500]: Traceback (most recent call last):
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 540, in <module>
    sys.exit(main())
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 514, in main
    kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
  File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 43, in kinit_keytab
    cred = gssapi.Credentials(name=name, store=store, usage='initiate')
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 64, in __new__
    store=store)
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 148, in acquire
    usage)
  File "ext_cred_store.pyx", line 182, in gssapi.raw.ext_cred_store.acquire_cred_from (gssapi/raw/ext_cred_store.c:1732)
GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639068): Cannot contact any KDC for realm 'WW8KD.FAU.DE'
Jan 30 16:09:50 idm1.ww8kd.fau.de certmonger[15905]: 2018-01-30 16:09:50 [15905] Internal error
Jan 30 16:09:51 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[27509]: Traceback (most recent call last):
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 540, in <module>
    sys.exit(main())
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 514, in main
    kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
  File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 43, in kinit_keytab
    cred = gssapi.Credentials(name=name, store=store, usage='initiate')
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 64, in __new__
    store=store)
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 148, in acquire
    usage)
  File "ext_cred_store.pyx", line 182, in gssapi.raw.ext_cred_store.acquire_cred_from (gssapi/raw/ext_cred_store.c:1732)
GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639068): Cannot contact any KDC for realm 'WW8KD.FAU.DE'
Jan 30 16:09:51 idm1.ww8kd.fau.de certmonger[15905]: 2018-01-30 16:09:51 [15905] Internal error
Jan 30 16:15:03 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[28056]: Forwarding request to dogtag-ipa-renew-agent
Jan 30 16:15:03 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[28056]: dogtag-ipa-renew-agent returned 2
.... repeating till end...
Jan 30 17:10:18 idm1 certmonger: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
Jan 30 17:10:20 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 30 17:10:20 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 30 17:10:24 idm1 server: Jan 30, 2018 5:10:24 PM org.apache.catalina.core.ContainerBase backgroundProcess
Jan 30 17:10:24 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process
Jan 30 17:10:24 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Jan 30 17:10:24 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
Jan 30 17:10:24 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
Jan 30 17:10:24 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
Jan 30 17:10:24 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
Jan 30 17:10:24 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:24 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:24 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
Jan 30 17:10:24 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 30 17:10:26 idm1 certmonger: Certificate in file "/var/lib/ipa/ra-agent.pem" is no longer valid.
Jan 30 17:10:28 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 30 17:10:28 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 30 17:10:34 idm1 server: Jan 30, 2018 5:10:34 PM org.apache.catalina.core.ContainerBase backgroundProcess
Jan 30 17:10:34 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process
Jan 30 17:10:34 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Jan 30 17:10:34 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
Jan 30 17:10:34 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
Jan 30 17:10:34 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
Jan 30 17:10:34 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
Jan 30 17:10:34 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:34 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:34 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
Jan 30 17:10:34 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 30 17:10:44 idm1 server: Jan 30, 2018 5:10:44 PM org.apache.catalina.core.ContainerBase backgroundProcess
Jan 30 17:10:44 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process
Jan 30 17:10:44 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Jan 30 17:10:44 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
Jan 30 17:10:44 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
Jan 30 17:10:44 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
Jan 30 17:10:44 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
Jan 30 17:10:44 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:44 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:44 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
Jan 30 17:10:44 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 30 17:10:44 idm1 certmonger: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
Jan 30 17:10:46 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 30 17:10:46 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 30 17:10:50 idm1 certmonger: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
Jan 30 17:10:53 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 30 17:10:53 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 30 17:10:54 idm1 server: Jan 30, 2018 5:10:54 PM org.apache.catalina.core.ContainerBase backgroundProcess
Jan 30 17:10:54 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process
Jan 30 17:10:54 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Jan 30 17:10:54 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
Jan 30 17:10:54 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
Jan 30 17:10:54 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
Jan 30 17:10:54 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
Jan 30 17:10:54 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:54 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:54 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
Jan 30 17:10:54 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 30 17:10:58 idm1 certmonger: Certificate in file "/var/lib/ipa/ra-agent.pem" is no longer valid.
Jan 30 17:11:01 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 30 17:11:01 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
-- Christof Schulze
Institute of Materials Simulation (WW8) Department of Materials Science Friedrich-Alexander-University Erlangen-Nürnberg Dr.-Mack-Str. 77, 90762 Fürth, Germany
Tel: 0911/65078-65069 Email: christof.schulze@ww.uni-erlangen.de
journalctl -u certmonger.service
Jan 26 20:03:58 idm1.XXXkd.fau.de ipa-submit[15799]: GSSAPI client step 1
Jan 26 20:03:58 idm1.XXXkd.fau.de ipa-submit[15799]: GSSAPI client step 1
Jan 26 20:03:58 idm1.XXXkd.fau.de ipa-submit[15799]: GSSAPI client step 1
Jan 26 20:03:58 idm1.XXXkd.fau.de ipa-submit[15799]: GSSAPI client step 1
Jan 26 20:03:58 idm1.XXXkd.fau.de ipa-submit[15799]: GSSAPI client step 2
Jan 26 20:03:59 idm1.XXXkd.fau.de certmonger[15838]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20180129120044.
Jan 26 20:04:32 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[15860]: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:04:32 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[15860]: dogtag-ipa-renew-agent returned 2
Jan 26 20:04:42 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[15853]: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:04:42 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[15853]: dogtag-ipa-renew-agent returned 2
Jan 26 20:04:52 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[15851]: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:04:52 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[15851]: dogtag-ipa-renew-agent returned 2
Jan 26 20:06:08 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[16044]: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:06:08 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[16044]: dogtag-ipa-renew-agent returned 2
Jan 26 20:16:36 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[16726]: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:16:37 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[16726]: dogtag-ipa-renew-agent returned 2
Jan 26 20:17:37 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[16746]: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:17:37 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[16746]: dogtag-ipa-renew-agent returned 2
Jan 26 20:23:59 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[16805]: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:23:59 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[16805]: dogtag-ipa-renew-agent returned 2
Request ID '20171206120337':
    status: SUBMITTING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=christof.schulze@fau.de,L=FUERTH
    subject: CN=OCSP Subsystem,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=christof.schulze@fau.de,L=FUERTH
    expires: 2018-01-29 12:00:44 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    eku: id-kp-OCSPSigning
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20171206120338':
    status: SUBMITTING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=christof.schulze@fau.de,L=FUERTH
    subject: CN=CA Subsystem,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=christof.schulze@fau.de,L=FUERTH
    expires: 2018-01-29 12:00:44 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20171206120340':
    status: SUBMITTING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=christof.schulze@fau.de,L=FUERTH
    subject: CN=IPA RA,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=christof.schulze@fau.de,L=FUERTH
    expires: 2018-01-29 12:01:11 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
ldapsearch -x -h localhost -b uid=pkidbuser,ou=people,o=ipaca
# extended LDIF
#
# LDAPv3
# base <uid=pkidbuser,ou=people,o=ipaca> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# pkidbuser, people, ipaca
dn: uid=pkidbuser,ou=people,o=ipaca
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
uid: pkidbuser
sn: pkidbuser
cn: pkidbuser
mail:
usertype: agentType
userstate: 1
description: 2;4;CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Institute of Mater
 ials Simulation (XXX) - FAU,C=DE,E=christof.schulze@fau.de,L=FUERTH;CN=CA Sub
 system,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E
 =christof.schulze@fau.de,L=FUERTH
userCertificate:: MIIEcz .................
seeAlso: CN=CA Subsystem,O=XXXKD.FAU.DE,OU=Some Institute (
 XXX) - FAU,C=DE,E=christof.schulze@fau.de,L=FUERTH

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
Jan 26 20:00:00 idm1 systemd: Time has been changed Jan 26 20:00:05 idm1 server: Jan 26, 2018 8:00:05 PM org.apache.catalina.core.ContainerBase backgroundProcess Jan 26 20:00:05 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process Jan 26 20:00:05 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable Jan 26 20:00:05 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137) Jan 26 20:00:05 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356) Jan 26 20:00:05 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958) Jan 26 20:00:05 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542) Jan 26 20:00:05 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552) Jan 26 20:00:05 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552) Jan 26 20:00:05 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520) Jan 26 20:00:05 idm1 server: at java.lang.Thread.run(Thread.java:748) Jan 26 20:00:10 idm1 ns-slapd: [26/Jan/2018:20:00:10.040578826 +0100] - WARN - csngen_new_csn - Too much time skew (-416592 secs). Current seqnum=4 Jan 26 20:00:10 idm1 ns-slapd: [26/Jan/2018:20:00:10.061165225 +0100] - WARN - csngen_new_csn - Too much time skew (-416593 secs). Current seqnum=5 Jan 26 20:00:10 idm1 ns-slapd: [26/Jan/2018:20:00:10.087176808 +0100] - WARN - csngen_new_csn - Too much time skew (-416594 secs). Current seqnum=6 Jan 26 20:00:10 idm1 ns-slapd: [26/Jan/2018:20:00:10.093683659 +0100] - WARN - csngen_new_csn - Too much time skew (-416595 secs). 
Current seqnum=7 Jan 26 20:00:15 idm1 server: Jan 26, 2018 8:00:15 PM org.apache.catalina.core.ContainerBase backgroundProcess Jan 26 20:00:15 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process Jan 26 20:00:15 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable Jan 26 20:00:15 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137) Jan 26 20:00:15 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356) Jan 26 20:00:15 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958) Jan 26 20:00:15 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542) Jan 26 20:00:15 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552) Jan 26 20:00:15 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552) Jan 26 20:00:15 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520) Jan 26 20:00:15 idm1 server: at java.lang.Thread.run(Thread.java:748) Jan 26 20:00:25 idm1 server: Jan 26, 2018 8:00:25 PM org.apache.catalina.core.ContainerBase backgroundProcess Jan 26 20:00:25 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process Jan 26 20:00:25 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable Jan 26 20:00:25 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137) Jan 26 20:00:25 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356) Jan 26 20:00:25 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958) Jan 26 20:00:25 idm1 
server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542) Jan 26 20:00:25 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552) Jan 26 20:00:25 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552) Jan 26 20:00:25 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520) Jan 26 20:00:25 idm1 server: at java.lang.Thread.run(Thread.java:748) Jan 26 20:00:26 idm1 systemd: Starting PKI Tomcat Server tomcatd... Jan 26 20:00:26 idm1 pkidaemon: tomcatd is an invalid 'tomcat' instance Jan 26 20:00:26 idm1 systemd: pki-tomcatd@tomcatd.service: control process exited, code=exited status=5 Jan 26 20:00:26 idm1 systemd: Failed to start PKI Tomcat Server tomcatd. Jan 26 20:00:26 idm1 systemd: Unit pki-tomcatd@tomcatd.service entered failed state. Jan 26 20:00:26 idm1 systemd: pki-tomcatd@tomcatd.service failed. Jan 26 20:00:30 idm1 ns-slapd: [26/Jan/2018:20:00:30.030350069 +0100] - WARN - csngen_new_csn - Too much time skew (-416576 secs). Current seqnum=8 Jan 26 20:00:30 idm1 ns-slapd: [26/Jan/2018:20:00:30.036532171 +0100] - WARN - csngen_new_csn - Too much time skew (-416577 secs). Current seqnum=9 Jan 26 20:00:30 idm1 ns-slapd: [26/Jan/2018:20:00:30.054084481 +0100] - WARN - csngen_new_csn - Too much time skew (-416578 secs). Current seqnum=a Jan 26 20:00:30 idm1 ns-slapd: [26/Jan/2018:20:00:30.072843629 +0100] - WARN - csngen_new_csn - Too much time skew (-416579 secs). 
Current seqnum=b Jan 26 20:00:35 idm1 server: Jan 26, 2018 8:00:35 PM org.apache.catalina.core.ContainerBase backgroundProcess Jan 26 20:00:35 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process Jan 26 20:00:35 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable Jan 26 20:00:35 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137) Jan 26 20:00:35 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356) Jan 26 20:00:35 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958) Jan 26 20:00:35 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542) Jan 26 20:00:35 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552) Jan 26 20:00:35 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552) Jan 26 20:00:35 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520) Jan 26 20:00:35 idm1 server: at java.lang.Thread.run(Thread.java:748) Jan 26 20:00:45 idm1 server: Jan 26, 2018 8:00:45 PM org.apache.catalina.core.ContainerBase backgroundProcess Jan 26 20:00:45 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process Jan 26 20:00:45 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable Jan 26 20:00:45 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137) Jan 26 20:00:45 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356) Jan 26 20:00:45 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958) Jan 26 20:00:45 idm1 
server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542) Jan 26 20:00:45 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552) Jan 26 20:00:45 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552) Jan 26 20:00:45 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520) Jan 26 20:00:45 idm1 server: at java.lang.Thread.run(Thread.java:748) Jan 26 20:00:48 idm1 ns-slapd: [26/Jan/2018:20:00:48.030570760 +0100] - WARN - csngen_new_csn - Too much time skew (-416562 secs). Current seqnum=4 Jan 26 20:00:48 idm1 ns-slapd: [26/Jan/2018:20:00:48.035772779 +0100] - WARN - csngen_new_csn - Too much time skew (-416563 secs). Current seqnum=5 Jan 26 20:00:48 idm1 ns-slapd: [26/Jan/2018:20:00:48.053399054 +0100] - WARN - csngen_new_csn - Too much time skew (-416564 secs). Current seqnum=6 Jan 26 20:00:48 idm1 ns-slapd: [26/Jan/2018:20:00:48.058488375 +0100] - WARN - csngen_new_csn - Too much time skew (-416565 secs). Current seqnum=7 Jan 26 20:00:54 idm1 systemd: Stopped target PKI Tomcat Server. Jan 26 20:00:54 idm1 systemd: Stopping PKI Tomcat Server. Jan 26 20:00:54 idm1 systemd: Stopping PKI Tomcat Server pki-tomcat... Jan 26 20:00:54 idm1 systemd: Stopping 389 Directory Server XXXKD-FAU-DE.... 
Jan 26 20:00:54 idm1 ns-slapd: [26/Jan/2018:20:00:54.631434461 +0100] - INFO - op_thread_cleanup - slapd shutting down - signaling operation threads - op stack size 19 max work q size 6 max work q stack size 6 Jan 26 20:00:54 idm1 ns-slapd: [26/Jan/2018:20:00:54.662944402 +0100] - INFO - slapd_daemon - slapd shutting down - waiting for 14 threads to terminate Jan 26 20:00:54 idm1 ns-slapd: [26/Jan/2018:20:00:54.693612476 +0100] - INFO - slapd_daemon - slapd shutting down - closing down internal subsystems and plugins Jan 26 20:00:55 idm1 server: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java Jan 26 20:00:55 idm1 server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar Jan 26 20:00:55 idm1 server: main class used: org.apache.catalina.startup.Bootstrap Jan 26 20:00:55 idm1 server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni Jan 26 20:00:55 idm1 server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager Jan 26 20:00:55 idm1 server: arguments used: stop Jan 26 20:00:55 idm1 ns-slapd: [26/Jan/2018:20:00:55.269159082 +0100] - INFO - dblayer_pre_close - Waiting for 4 database threads to stop Jan 26 20:00:55 idm1 server: Jan 26, 2018 8:00:55 PM org.apache.catalina.core.ContainerBase backgroundProcess Jan 26 20:00:55 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process Jan 26 20:00:55 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable Jan 26 20:00:55 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137) Jan 26 20:00:55 idm1 server: at 
org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356) Jan 26 20:00:55 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958) Jan 26 20:00:55 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542) Jan 26 20:00:55 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552) Jan 26 20:00:55 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552) Jan 26 20:00:55 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520) Jan 26 20:00:55 idm1 server: at java.lang.Thread.run(Thread.java:748) Jan 26 20:00:56 idm1 ns-slapd: [26/Jan/2018:20:00:56.047222363 +0100] - INFO - dblayer_pre_close - All database threads now stopped Jan 26 20:00:56 idm1 ns-slapd: [26/Jan/2018:20:00:56.136143475 +0100] - INFO - ldbm_back_instance_set_destructor - Set of instances destroyed Jan 26 20:00:56 idm1 ns-slapd: [26/Jan/2018:20:00:56.250499625 +0100] - INFO - connection_post_shutdown_cleanup - slapd shutting down - freed 6 work q stack objects - freed 19 op stack objects Jan 26 20:00:56 idm1 ns-slapd: [26/Jan/2018:20:00:56.466290546 +0100] - INFO - main - slapd stopped. Jan 26 20:00:57 idm1 systemd: Starting 389 Directory Server XXXKD-FAU-DE.... Jan 26 20:00:57 idm1 server: Jan 26, 2018 8:00:57 PM org.apache.catalina.startup.ClassLoaderFactory validateFile Jan 26 20:00:57 idm1 server: WARNING: Problem with JAR file [/usr/share/pki/server/common/lib/symkey.jar], exists: [false], canRead: [false] Jan 26 20:00:59 idm1 server: Jan 26, 2018 8:00:59 PM org.apache.catalina.core.StandardServer await Jan 26 20:00:59 idm1 server: INFO: A valid shutdown command was received via the shutdown port. Stopping the Server instance. 
Jan 26 20:00:59 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_stop]
Jan 26 20:00:59 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[stop]
Jan 26 20:00:59 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[configure_stop]
Jan 26 20:00:59 idm1 server: Jan 26, 2018 8:00:59 PM org.apache.coyote.AbstractProtocol pause
Jan 26 20:00:59 idm1 server: INFO: Pausing ProtocolHandler ["http-bio-8080"]
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.166056006 +0100] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.192768272 +0100] - INFO - Security Initialization - SSL info: Enabling default cipher set.
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.194054627 +0100] - INFO - Security Initialization - SSL info: Configured NSS Ciphers
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.195443005 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.196488030 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.197471823 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.198476669 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.199408370 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.200335494 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.201269623 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.202187620 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.203076746 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:01:00 idm1 systemd: Stopped PKI Tomcat Server pki-tomcat.
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.212403223 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.213802057 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.214320583 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.215664034 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.216287901 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.216973776 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.217398701 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.217909449 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.218369168 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.218796504 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.219235985 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.220009250 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.220862707 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.221671302 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.222376985 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.223115430 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.223989576 +0100] - INFO - Security Initialization - SSL info: #011TLS_AES_128_GCM_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.224808605 +0100] - INFO - Security Initialization - SSL info: #011TLS_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.225509347 +0100] - INFO - Security Initialization - SSL info: #011TLS_AES_256_GCM_SHA384: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.251261397 +0100] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.2
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.252601147 +0100] - INFO - main - 389-Directory/1.3.6.1 B2018.025.1550 starting up
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.267546859 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.271447152 +0100] - WARN - default_mr_indexer_create - Plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.275981745 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.283140403 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.289336025 +0100] - NOTICE - ldbm_back_start - found 1532164k physical memory
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.290187342 +0100] - NOTICE - ldbm_back_start - found 588692k available
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.291044337 +0100] - NOTICE - ldbm_back_start - cache autosizing: db cache: 61286k
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.291982935 +0100] - NOTICE - ldbm_back_start - cache autosizing: userRoot entry cache (3 total): 65536k
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.294255028 +0100] - NOTICE - ldbm_back_start - cache autosizing: ipaca entry cache (3 total): 65536k
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.296509006 +0100] - NOTICE - ldbm_back_start - cache autosizing: changelog entry cache (3 total): 65536k
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.298844301 +0100] - NOTICE - ldbm_back_start - total cache size: 282989821 B;
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.208240370 +0100] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.256911972 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.258221666 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=keys,cn=sec,cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.259183606 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.260299224 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.261345202 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.262389108 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.263438748 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.264619539 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.265661588 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.266617305 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.267503563 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.268386977 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.269339542 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.270164213 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.271060127 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.271880025 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.272730680 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.273618472 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.274598861 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.275455547 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.276441760 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.283273623 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.284297934 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 systemd: Started Session 84 of user root.
Jan 26 20:01:01 idm1 systemd: Starting Session 84 of user root.
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.396213753 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.399323317 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat".
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.399986425 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat".
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.400970832 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat".
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.636616613 +0100] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.639886286 +0100] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/idm1.XXXkd.fau.de@XXXKD.FAU.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.644711700 +0100] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.645973404 +0100] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.659963996 +0100] - INFO - slapd_daemon - Listening on /var/run/slapd-XXXKD-FAU-DE.socket for LDAPI requests
Jan 26 20:01:01 idm1 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: /tmp/krb5cc_993))
Jan 26 20:01:01 idm1 systemd: Started 389 Directory Server XXXKD-FAU-DE..
Jan 26 20:01:01 idm1 systemd: Stopping Kerberos 5 KDC...
Jan 26 20:01:01 idm1 systemd: Starting Kerberos 5 KDC...
Jan 26 20:01:02 idm1 systemd: PID file /var/run/krb5kdc.pid not readable (yet?) after start.
Jan 26 20:01:02 idm1 systemd: Started Kerberos 5 KDC.
Jan 26 20:01:02 idm1 systemd: Stopping Kerberos 5 Password-changing and Administration...
Jan 26 20:01:02 idm1 systemd: kadmin.service: main process exited, code=exited, status=2/INVALIDARGUMENT
Jan 26 20:01:02 idm1 systemd: Unit kadmin.service entered failed state.
Jan 26 20:01:02 idm1 systemd: kadmin.service failed.
Jan 26 20:01:02 idm1 systemd: Starting Kerberos 5 Password-changing and Administration...
Jan 26 20:01:02 idm1 systemd: Started Kerberos 5 Password-changing and Administration.
Jan 26 20:01:02 idm1 systemd: Stopping The Apache HTTP Server...
Jan 26 20:01:04 idm1 kernel: httpd[27874]: segfault at 8 ip 00007ff9ffbd2a90 sp 00007ff9dbc05d70 error 4 in libpython2.7.so.1.0[7ff9ffad3000+17d000]
Jan 26 20:01:04 idm1 ns-slapd: [26/Jan/2018:20:01:04.672339153 +0100] - WARN - csngen_new_csn - Too much time skew (-416549 secs). Current seqnum=8
Jan 26 20:01:05 idm1 ns-slapd: [26/Jan/2018:20:01:05.044521936 +0100] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToidm2.XXXkd.fau.de" (idm2:389) - Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
Jan 26 20:01:05 idm1 systemd: Starting The Apache HTTP Server...
Jan 26 20:01:05 idm1 ipa-httpd-kdcproxy: ipa : INFO KDC proxy enabled
Jan 26 20:01:06 idm1 systemd: Started The Apache HTTP Server.
Jan 26 20:01:07 idm1 systemd: Stopping IPA Custodia Service...
Jan 26 20:01:07 idm1 systemd: Starting IPA Custodia Service...
Jan 26 20:01:07 idm1 ns-slapd: [26/Jan/2018:20:01:07.739422386 +0100] - ERR - schema-compat-plugin - Finished plugin initialization.
Jan 26 20:01:08 idm1 ipa-custodia: 2018-01-26 20:01:08 - server - Serving on Unix socket /run/httpd/ipa-custodia.sock
Jan 26 20:01:08 idm1 systemd: Started IPA Custodia Service.
Jan 26 20:01:08 idm1 systemd: Starting Network Time Service...
Jan 26 20:01:08 idm1 ntpd[15428]: ntpd 4.2.6p5@1.2349-o Wed Apr 12 21:24:06 UTC 2017 (1)
Jan 26 20:01:08 idm1 ntpd[15429]: proto: precision = 0.087 usec
Jan 26 20:01:08 idm1 ntpd[15429]: 0.0.0.0 c01d 0d kern kernel time sync enabled
Jan 26 20:01:08 idm1 systemd: Started Network Time Service.
Jan 26 20:01:08 idm1 ntpd[15429]: getaddrinfo: "2001:638:a000:b201::/64" invalid host address, ignored
Jan 26 20:01:08 idm1 systemd: Starting PKI Tomcat Server pki-tomcat...
Jan 26 20:01:08 idm1 ntpd[15429]: restrict: error in address '2001:638:a000:b201::/64' on line 21. Ignoring...
Jan 26 20:01:08 idm1 ntpd[15429]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
Jan 26 20:01:08 idm1 ntpd[15429]: Listen and drop on 1 v6wildcard :: UDP 123
Jan 26 20:01:08 idm1 ntpd[15429]: Listen normally on 2 lo 127.0.0.1 UDP 123
Jan 26 20:01:08 idm1 ntpd[15429]: Listen normally on 3 eth0 10.188.220.100 UDP 123
Jan 26 20:01:08 idm1 ntpd[15429]: Listen normally on 4 lo ::1 UDP 123
Jan 26 20:01:08 idm1 ntpd[15429]: Listen normally on 5 eth0 fe80::5054:ff:fe4e:b270 UDP 123
Jan 26 20:01:08 idm1 ntpd[15429]: Listen normally on 6 eth0 2001:638:a000:b201::220:100 UDP 123
Jan 26 20:01:08 idm1 ntpd[15429]: Listening on routing socket on fd #23 for interface updates
Jan 26 20:01:08 idm1 ntpd[15429]: 0.0.0.0 c016 06 restart
Jan 26 20:01:08 idm1 ntpd[15429]: 0.0.0.0 c012 02 freq_set ntpd -11.506 PPM
Jan 26 20:01:09 idm1 pkidaemon: -----------------------
Jan 26 20:01:09 idm1 pkidaemon: Banner is not installed
Jan 26 20:01:09 idm1 pkidaemon: -----------------------
Jan 26 20:01:09 idm1 pkidaemon: ----------------------
Jan 26 20:01:09 idm1 pkidaemon: Enabled all subsystems
Jan 26 20:01:09 idm1 pkidaemon: ----------------------
Jan 26 20:01:10 idm1 systemd: Started PKI Tomcat Server pki-tomcat.
Jan 26 20:01:10 idm1 systemd: Reached target PKI Tomcat Server.
Jan 26 20:01:10 idm1 systemd: Starting PKI Tomcat Server.
Jan 26 20:01:10 idm1 server: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
Jan 26 20:01:10 idm1 server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
Jan 26 20:01:10 idm1 server: main class used: org.apache.catalina.startup.Bootstrap
Jan 26 20:01:10 idm1 server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni
Jan 26 20:01:10 idm1 server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy
Jan 26 20:01:10 idm1 server: arguments used: start
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
Jan 26 20:01:11 idm1 server: WARNING: Problem with JAR file [/usr/share/pki/server/common/lib/symkey.jar], exists: [false], canRead: [false]
Jan 26 20:01:11 idm1 ns-slapd: [26/Jan/2018:20:01:11.084620256 +0100] - WARN - csngen_new_csn - Too much time skew (-416544 secs). Current seqnum=9
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://idm1.XXXkd.fau.de:9080/ca/ocsp' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'strictCiphers' to 'true' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property.
Jan 26 20:01:11 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_init]
Jan 26 20:01:12 idm1 server: Jan 26, 2018 8:01:12 PM org.apache.coyote.AbstractProtocol init
Jan 26 20:01:12 idm1 server: INFO: Initializing ProtocolHandler ["http-bio-8080"]
Jan 26 20:01:12 idm1 server: Jan 26, 2018 8:01:12 PM org.apache.coyote.AbstractProtocol init
Jan 26 20:01:12 idm1 server: INFO: Initializing ProtocolHandler ["http-bio-8443"]
Jan 26 20:01:12 idm1 server: Error: SSL cipher "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" not recognized by tomcatjss
Jan 26 20:01:12 idm1 server: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" not recognized by tomcatjss
Jan 26 20:01:12 idm1 server: Jan 26, 2018 8:01:12 PM org.apache.coyote.AbstractProtocol init
Jan 26 20:01:12 idm1 server: INFO: Initializing ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Jan 26 20:01:12 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[after_init]
Jan 26 20:01:12 idm1 server: Jan 26, 2018 8:01:12 PM org.apache.catalina.startup.Catalina load
Jan 26 20:01:12 idm1 server: INFO: Initialization processed in 1363 ms
Jan 26 20:01:12 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_start]
Jan 26 20:01:12 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[configure_start]
Jan 26 20:01:12 idm1 ns-slapd: [26/Jan/2018:20:01:12.623763048 +0100] - WARN - csngen_new_csn - Too much time skew (-416544 secs). Current seqnum=a
Jan 26 20:01:12 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[start]
Jan 26 20:01:12 idm1 server: Jan 26, 2018 8:01:12 PM org.apache.catalina.core.StandardService startInternal
Jan 26 20:01:12 idm1 server: INFO: Starting service Catalina
Jan 26 20:01:12 idm1 server: Jan 26, 2018 8:01:12 PM org.apache.catalina.core.StandardEngine startInternal
Jan 26 20:01:12 idm1 server: INFO: Starting Servlet Engine: Apache Tomcat/7.0.76
Jan 26 20:01:12 idm1 server: Jan 26, 2018 8:01:12 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:01:12 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml
Jan 26 20:01:12 idm1 ns-slapd: [26/Jan/2018:20:01:12.731562409 +0100] - WARN - csngen_new_csn - Too much time skew (-416544 secs). Current seqnum=b
Jan 26 20:01:12 idm1 server: SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
Jan 26 20:01:12 idm1 server: SSLAuthenticatorWithFallback: Setting container
Jan 26 20:01:13 idm1 ntpd[15429]: 0.0.0.0 c515 05 clock_sync
Jan 26 20:01:15 idm1 server: Jan 26, 2018 8:01:15 PM org.apache.catalina.startup.TldConfig execute
Jan 26 20:01:15 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jan 26 20:01:15 idm1 server: SSLAuthenticatorWithFallback: Initializing authenticators
Jan 26 20:01:15 idm1 server: SSLAuthenticatorWithFallback: Starting authenticators
Jan 26 20:01:15 idm1 server: CMSEngine.initializePasswordStore() begins
Jan 26 20:01:15 idm1 server: CMSEngine.initializePasswordStore(): tag=internaldb
Jan 26 20:01:15 idm1 server: CMSEngine.initializePasswordStore(): tag=replicationdb
Jan 26 20:01:18 idm1 server: SelfTestSubsystem: Disabling "ca" subsystem due to selftest failure.
Jan 26 20:01:18 idm1 server: -----------------------
Jan 26 20:01:18 idm1 server: Disabled "ca" subsystem
Jan 26 20:01:18 idm1 server: -----------------------
Jan 26 20:01:18 idm1 server: Subsystem ID: ca
Jan 26 20:01:18 idm1 server: Instance ID: pki-tomcat
Jan 26 20:01:18 idm1 server: Enabled: False
Jan 26 20:01:18 idm1 server: Invalid class name repositorytop
Jan 26 20:01:19 idm1 server: Invalid class name repositorytop
Jan 26 20:01:19 idm1 server: at com.netscape.cmscore.dbs.DBRegistry.createObject(DBRegistry.java:485)
Jan 26 20:01:19 idm1 server: at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:167)
Jan 26 20:01:19 idm1 server: at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:137)
Jan 26 20:01:19 idm1 server: at com.netscape.cmscore.dbs.Repository.getSerialNumber(Repository.java:125)
Jan 26 20:01:19 idm1 server: at com.netscape.cmscore.dbs.Repository.initCache(Repository.java:244)
Jan 26 20:01:19 idm1 server: at com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:460)
Jan 26 20:01:19 idm1 server: at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1378)
Jan 26 20:01:19 idm1 server: at com.netscape.certsrv.apps.CMS.startup(CMS.java:202)
Jan 26 20:01:19 idm1 server: at com.netscape.certsrv.apps.CMS.start(CMS.java:1632)
Jan 26 20:01:19 idm1 server: at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
Jan 26 20:01:19 idm1 server: at javax.servlet.GenericServlet.init(GenericServlet.java:158)
Jan 26 20:01:19 idm1 server: at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Jan 26 20:01:19 idm1 server: at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
Jan 26 20:01:19 idm1 server: at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Jan 26 20:01:19 idm1 server: at java.lang.reflect.Method.invoke(Method.java:498)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
Jan 26 20:01:19 idm1 server: at java.security.AccessController.doPrivileged(Native Method)
Jan 26 20:01:19 idm1 server: at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1257)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1182)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1072)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5368)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5660)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
Jan 26 20:01:19 idm1 server: at java.security.AccessController.doPrivileged(Native Method)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
Jan 26 20:01:19 idm1 server: at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
Jan 26 20:01:19 idm1 server: at java.util.concurrent.FutureTask.run(FutureTask.java:266)
Jan 26 20:01:19 idm1 server: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
Jan 26 20:01:19 idm1 server: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
Jan 26 20:01:19 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 26 20:01:19 idm1 server: Jan 26, 2018 8:01:19 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:01:19 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 6,698 ms
Jan 26 20:01:19 idm1 server: Jan 26, 2018 8:01:19 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:01:19 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml
Jan 26 20:01:20 idm1 server: Jan 26, 2018 8:01:20 PM org.apache.catalina.startup.TldConfig execute
Jan 26 20:01:20 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jan 26 20:01:20 idm1 server: Jan 26, 2018 8:01:20 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:01:20 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml has finished in 857 ms
Jan 26 20:01:20 idm1 server: Jan 26, 2018 8:01:20 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:01:20 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml
Jan 26 20:01:21 idm1 server: Jan 26, 2018 8:01:21 PM org.apache.catalina.startup.TldConfig execute
Jan 26 20:01:21 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jan 26 20:01:21 idm1 server: Jan 26, 2018 8:01:21 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:01:21 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml has finished in 1,161 ms
Jan 26 20:01:21 idm1 server: Jan 26, 2018 8:01:21 PM org.apache.coyote.AbstractProtocol start
Jan 26 20:01:21 idm1 server: INFO: Starting ProtocolHandler ["http-bio-8080"]
Jan 26 20:01:21 idm1 server: Jan 26, 2018 8:01:21 PM org.apache.coyote.AbstractProtocol start
Jan 26 20:01:21 idm1 server: INFO: Starting ProtocolHandler ["http-bio-8443"]
Jan 26 20:01:21 idm1 server: Jan 26, 2018 8:01:21 PM org.apache.coyote.AbstractProtocol start
Jan 26 20:01:21 idm1 server: INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Jan 26 20:01:21 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[after_start]
Jan 26 20:01:21 idm1 ntpd[15429]: 0.0.0.0 0613 03 spike_detect +416608.985992 s
Jan 26 20:01:21 idm1 server: PKIListener: Subsystem CA is disabled.
Jan 26 20:01:21 idm1 server: PKIListener: Check /var/log/pki/pki-tomcat/ca/selftests.log for possible errors.
Jan 26 20:01:21 idm1 server: PKIListener: To enable the subsystem:
Jan 26 20:01:21 idm1 server: PKIListener: pki-server subsystem-enable -i pki-tomcat ca
Jan 26 20:01:21 idm1 server: Jan 26, 2018 8:01:21 PM org.apache.catalina.startup.Catalina start
Jan 26 20:01:21 idm1 server: INFO: Server startup in 8856 ms
Jan 26 20:01:23 idm1 ns-slapd: [26/Jan/2018:20:01:23.234040056 +0100] - WARN - csngen_new_csn - Too much time skew (-416535 secs). Current seqnum=c
Jan 26 20:01:31 idm1 ns-slapd: [26/Jan/2018:20:01:31.761653163 +0100] - WARN - csngen_new_csn - Too much time skew (-416527 secs). Current seqnum=d
Jan 26 20:01:31 idm1 ns-slapd: [26/Jan/2018:20:01:31.782442210 +0100] - WARN - csngen_new_csn - Too much time skew (-416528 secs). Current seqnum=e
Jan 26 20:01:31 idm1 server: Jan 26, 2018 8:01:31 PM org.apache.catalina.startup.HostConfig undeploy
Jan 26 20:01:31 idm1 server: INFO: Undeploying context [/ca]
Jan 26 20:01:31 idm1 server: SSLAuthenticatorWithFallback: Stopping authenticators
Jan 26 20:01:31 idm1 server: Jan 26, 2018 8:01:31 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:01:31 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-0 ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:01:31 idm1 server: Jan 26, 2018 8:01:31 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:01:31 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-2 ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:01:31 idm1 server: Jan 26, 2018 8:01:31 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:01:31 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [authorityMonitor] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:01:31 idm1 server: Jan 26, 2018 8:01:31 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:01:31 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-3 ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:01:31 idm1 server: Jan 26, 2018 8:01:31 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:01:31 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [profileChangeMonitor] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:01:31 idm1 server: SSLAuthenticatorWithFallback: Setting container
Jan 26 20:01:32 idm1 ns-slapd: [26/Jan/2018:20:01:32.298667463 +0100] - WARN - csngen_new_csn - Too much time skew (-416529 secs). Current seqnum=f
Jan 26 20:01:32 idm1 ns-slapd: [26/Jan/2018:20:01:32.678832654 +0100] - WARN - csngen_new_csn - Too much time skew (-416530 secs). Current seqnum=10
Jan 26 20:01:33 idm1 ns-slapd: [26/Jan/2018:20:01:33.028623160 +0100] - WARN - csngen_new_csn - Too much time skew (-416530 secs). Current seqnum=11
Jan 26 20:01:33 idm1 ns-slapd: [26/Jan/2018:20:01:33.048763804 +0100] - WARN - csngen_new_csn - Too much time skew (-416531 secs). Current seqnum=12
Jan 26 20:01:47 idm1 ns-slapd: [26/Jan/2018:20:01:47.701332510 +0100] - WARN - csngen_new_csn - Too much time skew (-416517 secs). Current seqnum=13
Jan 26 20:02:04 idm1 ns-slapd: [26/Jan/2018:20:02:04.380427048 +0100] - WARN - csngen_new_csn - Too much time skew (-416502 secs). Current seqnum=14
Jan 26 20:02:04 idm1 ns-slapd: [26/Jan/2018:20:02:04.405310477 +0100] - WARN - csngen_new_csn - Too much time skew (-416503 secs). Current seqnum=15
Jan 26 20:02:34 idm1 ns-slapd: [26/Jan/2018:20:02:34.796622396 +0100] - WARN - csngen_new_csn - Too much time skew (-416473 secs). Current seqnum=16
Jan 26 20:02:37 idm1 ns-slapd: [26/Jan/2018:20:02:37.454779669 +0100] - WARN - csngen_new_csn - Too much time skew (-416472 secs). Current seqnum=17
Jan 26 20:02:37 idm1 ns-slapd: [26/Jan/2018:20:02:37.476249201 +0100] - WARN - csngen_new_csn - Too much time skew (-416473 secs). Current seqnum=18
Jan 26 20:02:37 idm1 ns-slapd: [26/Jan/2018:20:02:37.517017269 +0100] - WARN - csngen_new_csn - Too much time skew (-416474 secs). Current seqnum=19
Jan 26 20:02:37 idm1 ns-slapd: [26/Jan/2018:20:02:37.539991754 +0100] - WARN - csngen_new_csn - Too much time skew (-416475 secs). Current seqnum=1a
Jan 26 20:02:48 idm1 systemd: Stopping Network Time Service...
Jan 26 20:02:48 idm1 ntpd[15429]: ntpd exiting on signal 15
Jan 26 20:02:48 idm1 systemd: Stopped Network Time Service.
Jan 26 20:03:01 idm1 ns-slapd: [26/Jan/2018:20:03:01.034768459 +0100] - WARN - csngen_new_csn - Too much time skew (-416452 secs). Current seqnum=1b
Jan 26 20:03:01 idm1 ns-slapd: [26/Jan/2018:20:03:01.055043214 +0100] - WARN - csngen_new_csn - Too much time skew (-416453 secs). Current seqnum=1c
Jan 26 20:03:03 idm1 ns-slapd: [26/Jan/2018:20:03:03.375580834 +0100] - WARN - csngen_new_csn - Too much time skew (-416452 secs). Current seqnum=1d
Jan 26 20:03:03 idm1 ns-slapd: [26/Jan/2018:20:03:03.399395635 +0100] - WARN - csngen_new_csn - Too much time skew (-416453 secs). Current seqnum=1e
Jan 26 20:03:10 idm1 ns-slapd: [26/Jan/2018:20:03:10.279455298 +0100] - WARN - csngen_new_csn - Too much time skew (-416447 secs). Current seqnum=1f
Jan 26 20:03:10 idm1 ns-slapd: [26/Jan/2018:20:03:10.320874031 +0100] - WARN - csngen_new_csn - Too much time skew (-416448 secs). Current seqnum=20
Jan 26 20:03:45 idm1 systemd: Stopping Certificate monitoring and PKI enrollment...
Jan 26 20:03:45 idm1 systemd: Stopped Certificate monitoring and PKI enrollment.
Jan 26 20:03:56 idm1 systemd: Starting Certificate monitoring and PKI enrollment...
Jan 26 20:03:57 idm1 systemd: Started Certificate monitoring and PKI enrollment.
Jan 26 20:03:58 idm1 ns-slapd: [26/Jan/2018:20:03:58.111287110 +0100] - WARN - csngen_new_csn - Too much time skew (-416401 secs). Current seqnum=21
Jan 26 20:03:58 idm1 ns-slapd: [26/Jan/2018:20:03:58.390628999 +0100] - WARN - csngen_new_csn - Too much time skew (-416402 secs). Current seqnum=22
Jan 26 20:03:59 idm1 certmonger: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20180129120044.
Jan 26 20:03:59 idm1 certmonger: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20180129120044.
Jan 26 20:03:59 idm1 certmonger: Certificate in file "/var/lib/ipa/ra-agent.pem" will not be valid after 20180129120111.
Jan 26 20:04:01 idm1 ns-slapd: [26/Jan/2018:20:04:01.082324882 +0100] - WARN - csngen_new_csn - Too much time skew (-416400 secs). Current seqnum=23
Jan 26 20:04:06 idm1 ns-slapd: [26/Jan/2018:20:04:06.245845741 +0100] - WARN - csngen_new_csn - Too much time skew (-416396 secs). Current seqnum=24
Jan 26 20:04:17 idm1 ns-slapd: [26/Jan/2018:20:04:17.377907663 +0100] - WARN - csngen_new_csn - Too much time skew (-416385 secs). Current seqnum=25
Jan 26 20:04:32 idm1 ns-slapd: [26/Jan/2018:20:04:32.296003137 +0100] - WARN - csngen_new_csn - Too much time skew (-416372 secs). Current seqnum=26
Jan 26 20:04:32 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:04:32 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 26 20:04:42 idm1 ns-slapd: [26/Jan/2018:20:04:42.139493501 +0100] - WARN - csngen_new_csn - Too much time skew (-416363 secs). Current seqnum=27
Jan 26 20:04:42 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:04:42 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 26 20:04:52 idm1 ns-slapd: [26/Jan/2018:20:04:52.130303926 +0100] - WARN - csngen_new_csn - Too much time skew (-416354 secs). Current seqnum=28
Jan 26 20:04:52 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:04:52 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 26 20:05:15 idm1 systemd: Reloading.
Jan 26 20:05:16 idm1 systemd: [/usr/lib/systemd/system/ip6tables.service:3] Failed to add dependency on syslog.target,iptables.service, ignoring: Invalid argument
Jan 26 20:06:08 idm1 ns-slapd: [26/Jan/2018:20:06:08.075349646 +0100] - WARN - csngen_new_csn - Too much time skew (-416279 secs). Current seqnum=29
Jan 26 20:06:08 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:06:08 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 26 20:06:10 idm1 systemd: Stopping Kerberos 5 KDC...
Jan 26 20:06:10 idm1 systemd: Stopped Kerberos 5 KDC.
Jan 26 20:06:10 idm1 systemd: Stopping Kerberos 5 Password-changing and Administration...
Jan 26 20:06:10 idm1 systemd: kadmin.service: main process exited, code=exited, status=2/INVALIDARGUMENT
Jan 26 20:06:10 idm1 systemd: Stopped Kerberos 5 Password-changing and Administration.
Jan 26 20:06:10 idm1 systemd: Unit kadmin.service entered failed state.
Jan 26 20:06:10 idm1 systemd: kadmin.service failed.
Jan 26 20:06:10 idm1 systemd: Stopping The Apache HTTP Server...
Jan 26 20:06:43 idm1 systemd: Stopped The Apache HTTP Server.
Jan 26 20:06:44 idm1 systemd: Stopping IPA Custodia Service...
Jan 26 20:06:44 idm1 systemd: Stopped IPA Custodia Service.
Jan 26 20:06:44 idm1 systemd: Stopped target PKI Tomcat Server.
Jan 26 20:06:44 idm1 systemd: Stopping PKI Tomcat Server.
Jan 26 20:06:44 idm1 systemd: Stopping PKI Tomcat Server pki-tomcat...
Jan 26 20:06:44 idm1 systemd: Stopping Samba SMB Daemon...
Jan 26 20:06:44 idm1 smbd[28030]: [2018/01/26 20:06:44.275355, 0] ../source3/rpc_server/lsasd.c:139(lsasd_sig_term_handler)
Jan 26 20:06:44 idm1 smbd[28030]: termination signal
Jan 26 20:06:44 idm1 systemd: Stopped Samba SMB Daemon.
Jan 26 20:06:44 idm1 systemd: Stopping Samba Winbind Daemon...
Jan 26 20:06:44 idm1 winbindd[28044]: [2018/01/26 20:06:44.476018, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
Jan 26 20:06:44 idm1 winbindd[28044]: Got sig[15] terminate (is_parent=1)
Jan 26 20:06:44 idm1 server: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
Jan 26 20:06:44 idm1 server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
Jan 26 20:06:44 idm1 server: main class used: org.apache.catalina.startup.Bootstrap
Jan 26 20:06:44 idm1 server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni
Jan 26 20:06:44 idm1 server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
Jan 26 20:06:44 idm1 server: arguments used: stop
Jan 26 20:06:44 idm1 winbindd[28045]: [2018/01/26 20:06:44.508730, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
Jan 26 20:06:44 idm1 systemd: Stopped Samba Winbind Daemon.
Jan 26 20:06:44 idm1 winbindd[28045]: Got sig[15] terminate (is_parent=0)
Jan 26 20:06:44 idm1 systemd: Closed ipa-otpd socket.
Jan 26 20:06:44 idm1 systemd: Stopping ipa-otpd socket.
Jan 26 20:06:44 idm1 systemd: Stopping 389 Directory Server XXXKD-FAU-DE....
Jan 26 20:06:44 idm1 ns-slapd: [26/Jan/2018:20:06:44.721155688 +0100] - INFO - op_thread_cleanup - slapd shutting down - signaling operation threads - op stack size 5 max work q size 2 max work q stack size 2
Jan 26 20:06:44 idm1 ns-slapd: [26/Jan/2018:20:06:44.735943820 +0100] - INFO - slapd_daemon - slapd shutting down - waiting for 18 threads to terminate
Jan 26 20:06:44 idm1 ns-slapd: [26/Jan/2018:20:06:44.825965094 +0100] - INFO - slapd_daemon - slapd shutting down - closing down internal subsystems and plugins
Jan 26 20:06:45 idm1 ns-slapd: [26/Jan/2018:20:06:45.381054379 +0100] - INFO - dblayer_pre_close - Waiting for 4 database threads to stop
Jan 26 20:06:45 idm1 ns-slapd: [26/Jan/2018:20:06:45.927329520 +0100] - INFO - dblayer_pre_close - All database threads now stopped
Jan 26 20:06:46 idm1 ns-slapd: [26/Jan/2018:20:06:46.117991206 +0100] - INFO - ldbm_back_instance_set_destructor - Set of instances destroyed
Jan 26 20:06:46 idm1 ns-slapd: [26/Jan/2018:20:06:46.172299744 +0100] - INFO - connection_post_shutdown_cleanup - slapd shutting down - freed 2 work q stack objects - freed 7 op stack objects
Jan 26 20:06:46 idm1 server: Jan 26, 2018 8:06:46 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
Jan 26 20:06:46 idm1 server: WARNING: Problem with JAR file [/usr/share/pki/server/common/lib/symkey.jar], exists: [false], canRead: [false]
Jan 26 20:06:46 idm1 ns-slapd: [26/Jan/2018:20:06:46.752180768 +0100] - INFO - main - slapd stopped.
Jan 26 20:06:47 idm1 systemd: Stopped 389 Directory Server XXXKD-FAU-DE..
Jan 26 20:06:47 idm1 server: Jan 26, 2018 8:06:47 PM org.apache.catalina.core.StandardServer await
Jan 26 20:06:47 idm1 server: INFO: A valid shutdown command was received via the shutdown port. Stopping the Server instance.
Jan 26 20:06:47 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_stop]
Jan 26 20:06:47 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[stop]
Jan 26 20:06:47 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[configure_stop]
Jan 26 20:06:47 idm1 server: Jan 26, 2018 8:06:47 PM org.apache.coyote.AbstractProtocol pause
Jan 26 20:06:47 idm1 server: INFO: Pausing ProtocolHandler ["http-bio-8080"]
Jan 26 20:06:47 idm1 server: Jan 26, 2018 8:06:47 PM org.apache.coyote.AbstractProtocol pause
Jan 26 20:06:47 idm1 server: INFO: Pausing ProtocolHandler ["http-bio-8443"]
Jan 26 20:06:48 idm1 server: Jan 26, 2018 8:06:48 PM org.apache.coyote.AbstractProtocol pause
Jan 26 20:06:48 idm1 server: INFO: Pausing ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Jan 26 20:06:48 idm1 systemd: Stopped PKI Tomcat Server pki-tomcat.
Jan 26 20:07:15 idm1 systemd: Starting 389 Directory Server XXXKD-FAU-DE....
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.478325959 +0100] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.480593865 +0100] - INFO - Security Initialization - SSL info: Enabling default cipher set.
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.481219973 +0100] - INFO - Security Initialization - SSL info: Configured NSS Ciphers
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.481824600 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.482318301 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.482871806 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.483404678 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.483877775 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.484356724 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.485086617 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.485626013 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.486222706 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.486720917 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.487170422 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.487651590 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.488120831 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.488616154 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.489101124 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.489614588 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.490132278 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.490638790 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.491050535 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.491551374 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.491963122 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.492404036 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.492844912 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.493331259 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.493865506 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.494373239 +0100] - INFO - Security Initialization - SSL info: #011TLS_AES_128_GCM_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.494856356 +0100] - INFO - Security Initialization - SSL info: #011TLS_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.495379801 +0100] - INFO - Security Initialization - SSL info: #011TLS_AES_256_GCM_SHA384: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.504713771 +0100] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.2
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.505720965 +0100] - INFO - main - 389-Directory/1.3.6.1 B2018.025.1550 starting up
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.519359109 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.522754168 +0100] - WARN - default_mr_indexer_create - Plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.527038258 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.533380854 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.539571019 +0100] - NOTICE - ldbm_back_start - found 1532164k physical memory
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.540267898 +0100] - NOTICE - ldbm_back_start - found 1210532k available
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.540903052 +0100] - NOTICE - ldbm_back_start - cache autosizing: db cache: 61286k
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.541531113 +0100] - NOTICE - ldbm_back_start - cache autosizing: userRoot entry cache (3 total): 65536k
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.543313364 +0100] - NOTICE - ldbm_back_start - cache autosizing: ipaca entry cache (3 total): 65536k
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.544960676 +0100] - NOTICE - ldbm_back_start - cache autosizing: changelog entry cache (3 total): 65536k
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.546649579 +0100] - NOTICE - ldbm_back_start - total cache size: 282989821 B;
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.188126082 +0100] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.254545220 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.255636672 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=keys,cn=sec,cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.256464414 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.257250650 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.258164746 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.258863403 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.259511799 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.260127161 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.260803146 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.261498596 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.262204544 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.262929674 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.263636127 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.264272729 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.265176992 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.265924764 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.266565141 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.267196538 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.267799261 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.268432799 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.269320406 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.277180952 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.277931491 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.394597339 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.397664334 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat".
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.398357312 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat".
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.398994945 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat".
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.437779220 +0100] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/idm1.XXXkd.fau.de@XXXKD.FAU.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.450559118 +0100] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
Jan 26 20:07:17 idm1 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: /tmp/krb5cc_993))
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.457942893 +0100] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.459144092 +0100] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.460493541 +0100] - INFO - slapd_daemon - Listening on /var/run/slapd-XXXKD-FAU-DE.socket for LDAPI requests
Jan 26 20:07:17 idm1 systemd: Started 389 Directory Server XXXKD-FAU-DE..
Jan 26 20:07:17 idm1 systemd: Starting Kerberos 5 KDC...
Jan 26 20:07:18 idm1 systemd: PID file /var/run/krb5kdc.pid not readable (yet?) after start.
Jan 26 20:07:18 idm1 systemd: Started Kerberos 5 KDC.
Jan 26 20:07:18 idm1 systemd: Starting Kerberos 5 Password-changing and Administration...
Jan 26 20:07:18 idm1 systemd: Started Kerberos 5 Password-changing and Administration.
Jan 26 20:07:18 idm1 systemd: Starting The Apache HTTP Server...
Jan 26 20:07:18 idm1 ipa-httpd-kdcproxy: ipa : INFO KDC proxy enabled
Jan 26 20:07:19 idm1 systemd: Started The Apache HTTP Server.
Jan 26 20:07:19 idm1 systemd: Starting IPA Custodia Service...
Jan 26 20:07:20 idm1 ipa-custodia: 2018-01-26 20:07:20 - server - Serving on Unix socket /run/httpd/ipa-custodia.sock
Jan 26 20:07:20 idm1 systemd: Started IPA Custodia Service.
Jan 26 20:07:20 idm1 ns-slapd: [26/Jan/2018:20:07:20.562156820 +0100] - WARN - csngen_new_csn - Too much time skew (-416207 secs). Current seqnum=2a
Jan 26 20:07:20 idm1 systemd: Starting Network Time Service...
Jan 26 20:07:20 idm1 ns-slapd: [26/Jan/2018:20:07:20.753895497 +0100] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToidm2.XXXkd.fau.de" (idm2:389) - Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
Jan 26 20:07:20 idm1 ntpd[16369]: ntpd 4.2.6p5@1.2349-o Wed Apr 12 21:24:06 UTC 2017 (1)
Jan 26 20:07:20 idm1 systemd: Started Network Time Service.
Jan 26 20:07:20 idm1 ntpd[16370]: proto: precision = 0.087 usec
Jan 26 20:07:20 idm1 ntpd[16370]: 0.0.0.0 c01d 0d kern kernel time sync enabled
Jan 26 20:07:20 idm1 ntpd[16370]: getaddrinfo: "2001:638:a000:b201::/64" invalid host address, ignored
Jan 26 20:07:20 idm1 ntpd[16370]: restrict: error in address '2001:638:a000:b201::/64' on line 21. Ignoring...
Jan 26 20:07:20 idm1 ntpd[16370]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
Jan 26 20:07:20 idm1 systemd: Starting PKI Tomcat Server pki-tomcat...
Jan 26 20:07:20 idm1 ntpd[16370]: Listen and drop on 1 v6wildcard :: UDP 123
Jan 26 20:07:20 idm1 ntpd[16370]: Listen normally on 2 lo 127.0.0.1 UDP 123
Jan 26 20:07:20 idm1 ntpd[16370]: Listen normally on 3 eth0 10.188.220.100 UDP 123
Jan 26 20:07:20 idm1 ntpd[16370]: Listen normally on 4 lo ::1 UDP 123
Jan 26 20:07:20 idm1 ntpd[16370]: Listen normally on 5 eth0 fe80::5054:ff:fe4e:b270 UDP 123
Jan 26 20:07:20 idm1 ntpd[16370]: Listen normally on 6 eth0 2001:638:a000:b201::220:100 UDP 123
Jan 26 20:07:20 idm1 ntpd[16370]: Listening on routing socket on fd #23 for interface updates
Jan 26 20:07:20 idm1 ntpd[16370]: 0.0.0.0 c016 06 restart
Jan 26 20:07:20 idm1 ntpd[16370]: 0.0.0.0 c012 02 freq_set ntpd -11.506 PPM
Jan 26 20:07:23 idm1 ns-slapd: [26/Jan/2018:20:07:23.040493392 +0100] - ERR - schema-compat-plugin - Finished plugin initialization.
Jan 26 20:07:23 idm1 pkidaemon: -----------------------
Jan 26 20:07:23 idm1 pkidaemon: Banner is not installed
Jan 26 20:07:23 idm1 pkidaemon: -----------------------
Jan 26 20:07:23 idm1 pkidaemon: ----------------------
Jan 26 20:07:23 idm1 pkidaemon: Enabled all subsystems
Jan 26 20:07:23 idm1 pkidaemon: ----------------------
Jan 26 20:07:23 idm1 systemd: Started PKI Tomcat Server pki-tomcat.
Jan 26 20:07:23 idm1 systemd: Reached target PKI Tomcat Server.
Jan 26 20:07:23 idm1 systemd: Starting PKI Tomcat Server.
Jan 26 20:07:23 idm1 server: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
Jan 26 20:07:23 idm1 server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
Jan 26 20:07:23 idm1 server: main class used: org.apache.catalina.startup.Bootstrap
Jan 26 20:07:23 idm1 server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni
Jan 26 20:07:23 idm1 server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy
Jan 26 20:07:23 idm1 server: arguments used: start
Jan 26 20:07:23 idm1 server: Jan 26, 2018 8:07:23 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
Jan 26 20:07:23 idm1 server: WARNING: Problem with JAR file [/usr/share/pki/server/common/lib/symkey.jar], exists: [false], canRead: [false]
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://idm1.XXXkd.fau.de:9080/ca/ocsp' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'strictCiphers' to 'true' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property.
Jan 26 20:07:24 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_init]
Jan 26 20:07:25 idm1 server: Jan 26, 2018 8:07:25 PM org.apache.coyote.AbstractProtocol init
Jan 26 20:07:25 idm1 server: INFO: Initializing ProtocolHandler ["http-bio-8080"]
Jan 26 20:07:25 idm1 server: Jan 26, 2018 8:07:25 PM org.apache.coyote.AbstractProtocol init
Jan 26 20:07:25 idm1 server: INFO: Initializing ProtocolHandler ["http-bio-8443"]
Jan 26 20:07:25 idm1 server: Error: SSL cipher "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" not recognized by tomcatjss
Jan 26 20:07:25 idm1 server: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" not recognized by tomcatjss
Jan 26 20:07:25 idm1 server: Jan 26, 2018 8:07:25 PM org.apache.coyote.AbstractProtocol init
Jan 26 20:07:25 idm1 server: INFO: Initializing ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Jan 26 20:07:25 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[after_init]
Jan 26 20:07:25 idm1 server: Jan 26, 2018 8:07:25 PM org.apache.catalina.startup.Catalina load
Jan 26 20:07:25 idm1 server: INFO: Initialization processed in 1535 ms
Jan 26 20:07:25 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_start]
Jan 26 20:07:25 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[configure_start]
Jan 26 20:07:25 idm1 ntpd[16370]: 0.0.0.0 c515 05 clock_sync
Jan 26 20:07:25 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[start]
Jan 26 20:07:25 idm1 server: Jan 26, 2018 8:07:25 PM org.apache.catalina.core.StandardService startInternal
Jan 26 20:07:25 idm1 server: INFO: Starting service Catalina
Jan 26 20:07:25 idm1 server: Jan 26, 2018 8:07:25 PM org.apache.catalina.core.StandardEngine startInternal
Jan 26 20:07:25 idm1 server: INFO: Starting Servlet Engine: Apache Tomcat/7.0.76
Jan 26 20:07:25 idm1 server: Jan 26, 2018 8:07:25 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:07:25 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml
Jan 26 20:07:25 idm1 server: SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
Jan 26 20:07:25 idm1 server: SSLAuthenticatorWithFallback: Setting container
Jan 26 20:07:26 idm1 ns-slapd: [26/Jan/2018:20:07:26.811402672 +0100] - WARN - csngen_new_csn - Too much time skew (-416202 secs). Current seqnum=2b
Jan 26 20:07:27 idm1 server: Jan 26, 2018 8:07:27 PM org.apache.catalina.startup.TldConfig execute
Jan 26 20:07:27 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jan 26 20:07:27 idm1 server: SSLAuthenticatorWithFallback: Initializing authenticators
Jan 26 20:07:27 idm1 server: SSLAuthenticatorWithFallback: Starting authenticators
Jan 26 20:07:28 idm1 server: CMSEngine.initializePasswordStore() begins
Jan 26 20:07:28 idm1 server: CMSEngine.initializePasswordStore(): tag=internaldb
Jan 26 20:07:28 idm1 server: CMSEngine.initializePasswordStore(): tag=replicationdb
Jan 26 20:07:30 idm1 server: SelfTestSubsystem: Disabling "ca" subsystem due to selftest failure.
Jan 26 20:07:31 idm1 server: -----------------------
Jan 26 20:07:31 idm1 server: Disabled "ca" subsystem
Jan 26 20:07:31 idm1 server: -----------------------
Jan 26 20:07:31 idm1 server: Subsystem ID: ca
Jan 26 20:07:31 idm1 server: Instance ID: pki-tomcat
Jan 26 20:07:31 idm1 server: Enabled: False
Jan 26 20:07:31 idm1 server: Invalid class name repositorytop
Jan 26 20:07:31 idm1 server: Invalid class name repositorytop
Jan 26 20:07:31 idm1 server: at com.netscape.cmscore.dbs.DBRegistry.createObject(DBRegistry.java:485)
Jan 26 20:07:31 idm1 server: at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:167)
Jan 26 20:07:31 idm1 server: at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:137)
Jan 26 20:07:31 idm1 server: at com.netscape.cmscore.dbs.Repository.getSerialNumber(Repository.java:125)
Jan 26 20:07:31 idm1 server: at com.netscape.cmscore.dbs.Repository.initCache(Repository.java:244)
Jan 26 20:07:31 idm1 server: at com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:460)
Jan 26 20:07:31 idm1 server: at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1378)
Jan 26 20:07:31 idm1 server: at com.netscape.certsrv.apps.CMS.startup(CMS.java:202)
Jan 26 20:07:31 idm1 server: at com.netscape.certsrv.apps.CMS.start(CMS.java:1632)
Jan 26 20:07:31 idm1 server: at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
Jan 26 20:07:31 idm1 server: at javax.servlet.GenericServlet.init(GenericServlet.java:158)
Jan 26 20:07:31 idm1 server: at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Jan 26 20:07:31 idm1 server: at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
Jan 26 20:07:31 idm1 server: at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Jan 26 20:07:31 idm1 server: at java.lang.reflect.Method.invoke(Method.java:498)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
Jan 26 20:07:31 idm1 server: at java.security.AccessController.doPrivileged(Native Method)
Jan 26 20:07:31 idm1 server: at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1257)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1182)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1072)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5368)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5660)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
Jan 26 20:07:31 idm1 server: at java.security.AccessController.doPrivileged(Native Method)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
Jan 26 20:07:31 idm1 server: at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
Jan 26 20:07:31 idm1 server: at java.util.concurrent.FutureTask.run(FutureTask.java:266)
Jan 26 20:07:31 idm1 server: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
Jan 26 20:07:31 idm1 server: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
Jan 26 20:07:31 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 26 20:07:31 idm1 server: Jan 26, 2018 8:07:31 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:07:31 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 5,520 ms
Jan 26 20:07:31 idm1 server: Jan 26, 2018 8:07:31 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:07:31 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml
Jan 26 20:07:32 idm1 server: Jan 26, 2018 8:07:32 PM org.apache.catalina.startup.TldConfig execute
Jan 26 20:07:32 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jan 26 20:07:32 idm1 server: Jan 26, 2018 8:07:32 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:07:32 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml has finished in 790 ms
Jan 26 20:07:32 idm1 server: Jan 26, 2018 8:07:32 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:07:32 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml
Jan 26 20:07:33 idm1 server: Jan 26, 2018 8:07:33 PM org.apache.catalina.startup.TldConfig execute
Jan 26 20:07:33 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jan 26 20:07:33 idm1 server: Jan 26, 2018 8:07:33 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:07:33 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml has finished in 1,064 ms
Jan 26 20:07:33 idm1 server: Jan 26, 2018 8:07:33 PM org.apache.coyote.AbstractProtocol start
Jan 26 20:07:33 idm1 server: INFO: Starting ProtocolHandler ["http-bio-8080"]
Jan 26 20:07:33 idm1 server: Jan 26, 2018 8:07:33 PM org.apache.coyote.AbstractProtocol start
Jan 26 20:07:33 idm1 server: INFO: Starting ProtocolHandler ["http-bio-8443"]
Jan 26 20:07:33 idm1 server: Jan 26, 2018 8:07:33 PM org.apache.coyote.AbstractProtocol start
Jan 26 20:07:33 idm1 server: INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Jan 26 20:07:33 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[after_start]
Jan 26 20:07:33 idm1 server: PKIListener: Subsystem CA is disabled.
Jan 26 20:07:33 idm1 server: PKIListener: Check /var/log/pki/pki-tomcat/ca/selftests.log for possible errors.
Jan 26 20:07:33 idm1 server: PKIListener: To enable the subsystem:
Jan 26 20:07:33 idm1 server: PKIListener: pki-server subsystem-enable -i pki-tomcat ca
Jan 26 20:07:33 idm1 server: Jan 26, 2018 8:07:33 PM org.apache.catalina.startup.Catalina start
Jan 26 20:07:33 idm1 server: INFO: Server startup in 7515 ms
Jan 26 20:07:39 idm1 ns-slapd: [26/Jan/2018:20:07:39.035843722 +0100] - WARN - csngen_new_csn - Too much time skew (-416191 secs). Current seqnum=2c
Jan 26 20:07:43 idm1 server: Jan 26, 2018 8:07:43 PM org.apache.catalina.startup.HostConfig undeploy
Jan 26 20:07:43 idm1 server: INFO: Undeploying context [/ca]
Jan 26 20:07:43 idm1 server: SSLAuthenticatorWithFallback: Stopping authenticators
Jan 26 20:07:43 idm1 server: Jan 26, 2018 8:07:43 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:07:43 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-0 ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:07:43 idm1 server: Jan 26, 2018 8:07:43 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:07:43 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-2 ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:07:43 idm1 server: Jan 26, 2018 8:07:43 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:07:43 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [authorityMonitor] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:07:43 idm1 server: Jan 26, 2018 8:07:43 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:07:43 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-3 ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:07:43 idm1 server: Jan 26, 2018 8:07:43 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:07:43 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [profileChangeMonitor] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:07:43 idm1 server: SSLAuthenticatorWithFallback: Setting container
Jan 26 20:07:47 idm1 ns-slapd: [26/Jan/2018:20:07:47.844329850 +0100] - WARN - csngen_new_csn - Too much time skew (-416183 secs). Current seqnum=2d
Jan 26 20:08:09 idm1 ns-slapd: [26/Jan/2018:20:08:09.059172306 +0100] - WARN - csngen_new_csn - Too much time skew (-416174 secs). Current seqnum=1
Jan 26 20:08:27 idm1 ntpd[16370]: ntpd exiting on signal 15
Jan 26 20:08:27 idm1 systemd: Stopping Network Time Service...
Jan 26 20:08:27 idm1 systemd: Stopped Network Time Service.
Jan 26 20:08:49 idm1 ns-slapd: [26/Jan/2018:20:08:49.052101605 +0100] - WARN - csngen_new_csn - Too much time skew (-416135 secs). Current seqnum=1
Jan 26 20:08:49 idm1 ns-slapd: [26/Jan/2018:20:08:49.075642776 +0100] - WARN - csngen_new_csn - Too much time skew (-416136 secs). Current seqnum=1
Jan 26 20:08:51 idm1 ns-slapd: [26/Jan/2018:20:08:51.298345097 +0100] - WARN - csngen_new_csn - Too much time skew (-416135 secs). Current seqnum=1
Jan 26 20:09:25 idm1 ns-slapd: [26/Jan/2018:20:09:25.093696262 +0100] - WARN - csngen_new_csn - Too much time skew (-416102 secs). Current seqnum=1
Jan 26 20:09:25 idm1 ns-slapd: [26/Jan/2018:20:09:25.115607333 +0100] - WARN - csngen_new_csn - Too much time skew (-416103 secs). Current seqnum=1
Jan 26 20:10:27 idm1 ns-slapd: [26/Jan/2018:20:10:27.371866302 +0100] - WARN - csngen_new_csn - Too much time skew (-416042 secs). Current seqnum=1
Jan 26 20:11:11 idm1 ns-slapd: [26/Jan/2018:20:11:11.185235999 +0100] - WARN - csngen_new_csn - Too much time skew (-415999 secs). Current seqnum=1
Jan 26 20:12:24 idm1 systemd: Starting Samba SMB Daemon...
Jan 26 20:12:24 idm1 smbd[16684]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket not yet valid)
Jan 26 20:12:24 idm1 ns-slapd: [26/Jan/2018:20:12:24.338023606 +0100] - WARN - csngen_new_csn - Too much time skew (-415927 secs). Current seqnum=1
Jan 26 20:12:24 idm1 ns-slapd: [26/Jan/2018:20:12:24.492918154 +0100] - WARN - csngen_new_csn - Too much time skew (-415928 secs). Current seqnum=1
Jan 26 20:12:24 idm1 smbd[16684]: [2018/01/26 20:12:24.644663, 0] ../lib/util/become_daemon.c:124(daemon_ready)
Jan 26 20:12:24 idm1 systemd: Started Samba SMB Daemon.
Jan 26 20:12:24 idm1 smbd[16684]: STATUS=daemon 'smbd' finished starting up and ready to serve connections
Jan 26 20:12:24 idm1 systemd: Starting Samba Winbind Daemon...
Jan 26 20:12:24 idm1 winbindd[16702]: [2018/01/26 20:12:24.744499, 0] ../source3/winbindd/winbindd_cache.c:3171(initialize_winbindd_cache)
Jan 26 20:12:24 idm1 systemd: winbind.service: Supervising process 16702 which is not our child. We'll most likely not notice when it exits.
Jan 26 20:12:24 idm1 winbindd[16702]: initialize_winbindd_cache: clearing cache and re-creating with version number 2
Jan 26 20:12:24 idm1 winbindd[16702]: [2018/01/26 20:12:24.788607, 0] ../lib/util/become_daemon.c:124(daemon_ready)
Jan 26 20:12:24 idm1 systemd: Started Samba Winbind Daemon.
Jan 26 20:12:24 idm1 winbindd[16702]: STATUS=daemon 'winbindd' finished starting up and ready to serve connections
Jan 26 20:12:24 idm1 systemd: Listening on ipa-otpd socket.
Jan 26 20:12:24 idm1 systemd: Starting ipa-otpd socket.
Jan 26 20:12:24 idm1 ns-slapd: [26/Jan/2018:20:12:24.835355417 +0100] - WARN - csngen_new_csn - Too much time skew (-415928 secs). Current seqnum=1
Jan 26 20:16:36 idm1 ns-slapd: [26/Jan/2018:20:16:36.642664215 +0100] - WARN - csngen_new_csn - Too much time skew (-415688 secs). Current seqnum=1
Jan 26 20:16:36 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:16:37 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 26 20:17:24 idm1 ns-slapd: [26/Jan/2018:20:17:24.820564227 +0100] - WARN - csngen_new_csn - Too much time skew (-415641 secs). Current seqnum=1
Jan 26 20:17:37 idm1 ns-slapd: [26/Jan/2018:20:17:37.625304230 +0100] - WARN - csngen_new_csn - Too much time skew (-415629 secs). Current seqnum=1
Jan 26 20:17:37 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:17:37 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 26 20:18:01 idm1 logrotate: ALERT exited abnormally with [1]
Jan 26 20:18:38 idm1 ns-slapd: [26/Jan/2018:20:18:38.792663979 +0100] - WARN - csngen_new_csn - Too much time skew (-415569 secs). Current seqnum=1
Jan 26 20:22:24 idm1 ns-slapd: [26/Jan/2018:20:22:24.817110632 +0100] - WARN - csngen_new_csn - Too much time skew (-415344 secs). Current seqnum=1
Jan 26 20:23:59 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:23:59 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 26 20:24:45 idm1 stop_pkicad: Stopping pki_tomcatd
Jan 26 20:24:45 idm1 systemd: Stopping PKI Tomcat Server pki-tomcat...
Jan 26 20:24:45 idm1 server: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
Jan 26 20:24:45 idm1 server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
Jan 26 20:24:45 idm1 server: main class used: org.apache.catalina.startup.Bootstrap
Jan 26 20:24:45 idm1 server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni
Jan 26 20:24:45 idm1 server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
Jan 26 20:24:45 idm1 server: arguments used: stop
Jan 26 20:24:45 idm1 server: Jan 26, 2018 8:24:45 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
Jan 26 20:24:45 idm1 server: WARNING: Problem with JAR file [/usr/share/pki/server/common/lib/symkey.jar], exists: [false], canRead: [false]
Jan 26 20:24:46 idm1 server: Jan 26, 2018 8:24:46 PM org.apache.catalina.core.StandardServer await
Jan 26 20:24:46 idm1 server: INFO: A valid shutdown command was received via the shutdown port. Stopping the Server instance.
Jan 26 20:24:46 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_stop]
Jan 26 20:24:46 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[stop]
Jan 26 20:24:46 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[configure_stop]
Jan 26 20:24:46 idm1 server: Jan 26, 2018 8:24:46 PM org.apache.coyote.AbstractProtocol pause
Jan 26 20:24:46 idm1 server: INFO: Pausing ProtocolHandler ["http-bio-8080"]
Jan 26 20:24:46 idm1 systemd: Stopped PKI Tomcat Server pki-tomcat.
Jan 26 20:24:46 idm1 stop_pkicad: Stopped pki_tomcatd
Jan 26 20:27:24 idm1 ns-slapd: [26/Jan/2018:20:27:24.817184276 +0100] - WARN - csngen_new_csn - Too much time skew (-415053 secs). Current seqnum=1
Jan 26 20:28:39 idm1 ns-slapd: [26/Jan/2018:20:28:39.388139879 +0100] - WARN - csngen_new_csn - Too much time skew (-414980 secs). Current seqnum=1
Jan 26 20:28:45 idm1 systemd: Reloading.
Jan 26 20:28:45 idm1 systemd: [/usr/lib/systemd/system/ip6tables.service:3] Failed to add dependency on syslog.target,iptables.service, ignoring: Invalid argument
Jan 26 20:28:45 idm1 yum[17021]: Installed: pki-server-10.4.1-17.el7_4.noarch
Jan 26 20:30:09 idm1 yum[17100]: Installed: pki-symkey-10.4.1-17.el7_4.x86_64
Jan 26 20:30:10 idm1 ns-slapd: [26/Jan/2018:20:30:10.056412100 +0100] - WARN - csngen_new_csn - Too much time skew (-414902 secs). Current seqnum=1
Jan 26 20:30:10 idm1 ns-slapd: [26/Jan/2018:20:30:10.112492509 +0100] - WARN - csngen_new_csn - Too much time skew (-414903 secs). Current seqnum=1
Jan 26 20:30:36 idm1 systemd: Stopping Certificate monitoring and PKI enrollment...
Jan 26 20:30:36 idm1 systemd: Starting Certificate monitoring and PKI enrollment...
Jan 26 20:30:36 idm1 systemd: Started Certificate monitoring and PKI enrollment.
Jan 26 20:30:51 idm1 ns-slapd: [26/Jan/2018:20:30:51.459575928 +0100] - WARN - csngen_new_csn - Too much time skew (-414862 secs). Current seqnum=1
Jan 26 20:30:53 idm1 ns-slapd: [26/Jan/2018:20:30:53.004542140 +0100] - WARN - csngen_new_csn - Too much time skew (-414862 secs). Current seqnum=1
Jan 26 20:32:53 idm1 ns-slapd: [26/Jan/2018:20:32:53.104794576 +0100] - WARN - csngen_new_csn - Too much time skew (-414747 secs). Current seqnum=1
Jan 26 20:33:38 idm1 ns-slapd: [26/Jan/2018:20:33:38.708156346 +0100] - WARN - csngen_new_csn - Too much time skew (-414702 secs). Current seqnum=1
Jan 26 20:35:26 idm1 systemd: Starting PKI Tomcat Server tomcatd...
Jan 26 20:35:27 idm1 pkidaemon: tomcatd is an invalid 'tomcat' instance
Jan 26 20:35:27 idm1 systemd: pki-tomcatd@tomcatd.service: control process exited, code=exited status=5
Jan 26 20:35:27 idm1 systemd: Failed to start PKI Tomcat Server tomcatd.
Jan 26 20:35:27 idm1 systemd: Unit pki-tomcatd@tomcatd.service entered failed state.
Jan 26 20:35:27 idm1 systemd: pki-tomcatd@tomcatd.service failed.
Jan 26 20:38:15 idm1 systemd: Stopping Certificate monitoring and PKI enrollment...
Jan 26 20:38:15 idm1 systemd: Starting Certificate monitoring and PKI enrollment...
Jan 26 20:38:16 idm1 systemd: Started Certificate monitoring and PKI enrollment.
Jan 26 20:38:50 idm1 systemd: Stopped target PKI Tomcat Server.
Jan 26 20:38:50 idm1 systemd: Stopping PKI Tomcat Server.
Jan 26 20:38:50 idm1 systemd: Stopping 389 Directory Server XXXKD-FAU-DE....
Jan 26 20:38:50 idm1 ns-slapd: [26/Jan/2018:20:38:50.930128624 +0100] - INFO - op_thread_cleanup - slapd shutting down - signaling operation threads - op stack size 7 max work q size 3 max work q stack size 3
Jan 26 20:38:50 idm1 ns-slapd: [26/Jan/2018:20:38:50.938738333 +0100] - INFO - slapd_daemon - slapd shutting down - closing down internal subsystems and plugins
Jan 26 20:38:51 idm1 ns-slapd: [26/Jan/2018:20:38:51.491982395 +0100] - INFO - dblayer_pre_close - Waiting for 4 database threads to stop
Jan 26 20:38:52 idm1 ns-slapd: [26/Jan/2018:20:38:52.643000430 +0100] - INFO - dblayer_pre_close - All database threads now stopped
Jan 26 20:38:52 idm1 ns-slapd: [26/Jan/2018:20:38:52.843193691 +0100] - INFO - ldbm_back_instance_set_destructor - Set of instances destroyed
Jan 26 20:38:52 idm1 ns-slapd: [26/Jan/2018:20:38:52.845431711 +0100] - INFO - connection_post_shutdown_cleanup - slapd shutting down - freed 3 work q stack objects - freed 7 op stack objects
Jan 26 20:38:52 idm1 ns-slapd: [26/Jan/2018:20:38:52.949112608 +0100] - INFO - main - slapd stopped.
Jan 26 20:38:53 idm1 systemd: Starting 389 Directory Server XXXKD-FAU-DE....
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.798684376 +0100] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.802136681 +0100] - INFO - Security Initialization - SSL info: Enabling default cipher set.
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.803482731 +0100] - INFO - Security Initialization - SSL info: Configured NSS Ciphers Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.804571447 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.805584219 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.806587975 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.807433596 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.808344028 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.809263480 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.810258405 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.811278159 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.812279895 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.813211722 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.814155963 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled Jan 26 20:38:54 idm1 
ns-slapd: [26/Jan/2018:20:38:54.815027810 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.815884935 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.816664023 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.817588461 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.820002292 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.820921200 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.821848282 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.822790429 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.823796031 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_GCM_SHA384: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.824792858 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_CBC_SHA: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.825834646 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_CBC_SHA256: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.826645719 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_GCM_SHA256: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.827439967 +0100] - INFO 
- Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_CBC_SHA: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.828388576 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_CBC_SHA256: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.829379262 +0100] - INFO - Security Initialization - SSL info: #011TLS_AES_128_GCM_SHA256: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.830270347 +0100] - INFO - Security Initialization - SSL info: #011TLS_CHACHA20_POLY1305_SHA256: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.831112791 +0100] - INFO - Security Initialization - SSL info: #011TLS_AES_256_GCM_SHA384: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.842425631 +0100] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.2 Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.844467130 +0100] - INFO - main - 389-Directory/1.3.6.1 B2018.025.1550 starting up Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.862148344 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000 Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.866723860 +0100] - WARN - default_mr_indexer_create - Plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.872029440 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000 Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.880396494 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000 Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.887683843 +0100] - NOTICE - ldbm_back_start - found 1532164k physical memory Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.889387846 +0100] - NOTICE - ldbm_back_start - found 957616k available Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.890401127 +0100] - NOTICE - ldbm_back_start - cache autosizing: db 
cache: 61286k Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.891282794 +0100] - NOTICE - ldbm_back_start - cache autosizing: userRoot entry cache (3 total): 65536k Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.893673995 +0100] - NOTICE - ldbm_back_start - cache autosizing: ipaca entry cache (3 total): 65536k Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.896279383 +0100] - NOTICE - ldbm_back_start - cache autosizing: changelog entry cache (3 total): 65536k Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.899099347 +0100] - NOTICE - ldbm_back_start - total cache size: 282989821 B; Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.288606109 +0100] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup! Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.356204866 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.357475508 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=keys,cn=sec,cn=dns,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.358533489 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.359655614 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.360824909 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.361929056 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.362916495 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 
20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.363933986 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.364863852 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.365773801 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.366715005 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.367657233 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.368620393 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.369654121 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.370568017 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.371627613 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.372549625 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.373548074 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.374515489 +0100] - ERR - NSACLPlugin - acl_parse - The 
ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.375468905 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.376417537 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.384105365 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.385229794 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.489142376 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.492165481 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat". Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.493230810 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat". Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.494325526 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat". Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.533752266 +0100] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds! 
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.538206222 +0100] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/idm1.XXXkd.fau.de@XXXKD.FAU.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.542196033 +0100] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.550911263 +0100] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
Jan 26 20:38:55 idm1 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: /tmp/krb5cc_993))
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.552234132 +0100] - INFO - slapd_daemon - Listening on /var/run/slapd-XXXKD-FAU-DE.socket for LDAPI requests
Jan 26 20:38:55 idm1 systemd: Started 389 Directory Server XXXKD-FAU-DE..
Jan 26 20:38:55 idm1 systemd: Stopping Kerberos 5 KDC...
Jan 26 20:38:55 idm1 systemd: Starting Kerberos 5 KDC...
Jan 26 20:38:55 idm1 systemd: PID file /var/run/krb5kdc.pid not readable (yet?) after start.
Jan 26 20:38:55 idm1 systemd: Started Kerberos 5 KDC.
Jan 26 20:38:55 idm1 systemd: Stopping Kerberos 5 Password-changing and Administration...
Jan 26 20:38:55 idm1 systemd: kadmin.service: main process exited, code=exited, status=2/INVALIDARGUMENT
Jan 26 20:38:55 idm1 systemd: Unit kadmin.service entered failed state.
Jan 26 20:38:55 idm1 systemd: kadmin.service failed.
Jan 26 20:38:55 idm1 systemd: Starting Kerberos 5 Password-changing and Administration...
Jan 26 20:38:56 idm1 systemd: Started Kerberos 5 Password-changing and Administration.
Jan 26 20:38:56 idm1 systemd: Stopping The Apache HTTP Server...
Jan 26 20:38:58 idm1 ns-slapd: [26/Jan/2018:20:38:58.564805340 +0100] - WARN - csngen_new_csn - Too much time skew (-414396 secs). Current seqnum=1
Jan 26 20:38:58 idm1 ns-slapd: [26/Jan/2018:20:38:58.641081747 +0100] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToidm2.XXXkd.fau.de" (idm2:389) - Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
Jan 26 20:39:00 idm1 systemd: Starting The Apache HTTP Server...
Jan 26 20:39:00 idm1 ipa-httpd-kdcproxy: ipa : INFO KDC proxy enabled
Jan 26 20:39:00 idm1 ns-slapd: [26/Jan/2018:20:39:00.943662244 +0100] - ERR - schema-compat-plugin - Finished plugin initialization.
Jan 26 20:39:01 idm1 systemd: Started The Apache HTTP Server.
Jan 26 20:39:01 idm1 systemd: Stopping IPA Custodia Service...
Jan 26 20:39:01 idm1 systemd: Starting IPA Custodia Service...
Jan 26 20:39:02 idm1 systemd: Started IPA Custodia Service.
Jan 26 20:39:02 idm1 ipa-custodia: 2018-01-26 20:39:02 - server - Serving on Unix socket /run/httpd/ipa-custodia.sock
Jan 26 20:39:02 idm1 systemd: Starting Network Time Service...
Jan 26 20:39:02 idm1 ntpd[17985]: ntpd 4.2.6p5@1.2349-o Wed Apr 12 21:24:06 UTC 2017 (1)
Jan 26 20:39:02 idm1 systemd: Started Network Time Service.
Jan 26 20:39:02 idm1 ntpd[17986]: proto: precision = 0.097 usec
Jan 26 20:39:02 idm1 ntpd[17986]: 0.0.0.0 c01d 0d kern kernel time sync enabled
Jan 26 20:39:02 idm1 systemd: Starting PKI Tomcat Server pki-tomcat...
Jan 26 20:39:03 idm1 ntpd[17986]: getaddrinfo: "2001:638:a000:b201::/64" invalid host address, ignored
Jan 26 20:39:03 idm1 ntpd[17986]: restrict: error in address '2001:638:a000:b201::/64' on line 21. Ignoring...
Jan 26 20:39:03 idm1 ntpd[17986]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
Jan 26 20:39:03 idm1 ntpd[17986]: Listen and drop on 1 v6wildcard :: UDP 123
Jan 26 20:39:03 idm1 ntpd[17986]: Listen normally on 2 lo 127.0.0.1 UDP 123
Jan 26 20:39:03 idm1 ntpd[17986]: Listen normally on 3 eth0 10.188.220.100 UDP 123
Jan 26 20:39:03 idm1 ntpd[17986]: Listen normally on 4 lo ::1 UDP 123
Jan 26 20:39:03 idm1 ntpd[17986]: Listen normally on 5 eth0 fe80::5054:ff:fe4e:b270 UDP 123
Jan 26 20:39:03 idm1 ntpd[17986]: Listen normally on 6 eth0 2001:638:a000:b201::220:100 UDP 123
Jan 26 20:39:03 idm1 ntpd[17986]: Listening on routing socket on fd #23 for interface updates
Jan 26 20:39:03 idm1 ntpd[17986]: 0.0.0.0 c016 06 restart
Jan 26 20:39:03 idm1 ntpd[17986]: 0.0.0.0 c012 02 freq_set ntpd -11.506 PPM
Jan 26 20:39:04 idm1 ns-slapd: [26/Jan/2018:20:39:04.677894447 +0100] - WARN - csngen_new_csn - Too much time skew (-414391 secs). Current seqnum=1
Jan 26 20:39:05 idm1 pkidaemon: -----------------------
Jan 26 20:39:05 idm1 pkidaemon: Banner is not installed
Jan 26 20:39:05 idm1 pkidaemon: -----------------------
Jan 26 20:39:05 idm1 pkidaemon: ----------------------
Jan 26 20:39:05 idm1 pkidaemon: Enabled all subsystems
Jan 26 20:39:05 idm1 pkidaemon: ----------------------
Jan 26 20:39:05 idm1 systemd: Started PKI Tomcat Server pki-tomcat.
Jan 26 20:39:05 idm1 systemd: Reached target PKI Tomcat Server.
Jan 26 20:39:05 idm1 systemd: Starting PKI Tomcat Server.
Jan 26 20:39:05 idm1 server: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java Jan 26 20:39:05 idm1 server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar Jan 26 20:39:05 idm1 server: main class used: org.apache.catalina.startup.Bootstrap Jan 26 20:39:05 idm1 server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni Jan 26 20:39:05 idm1 server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy Jan 26 20:39:05 idm1 server: arguments used: start Jan 26 20:39:07 idm1 ntpd[17986]: 0.0.0.0 c515 05 clock_sync Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property. Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://idm1.XXXkd.fau.de:9080/ca/ocsp' did not find a matching property. Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property. 
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property. Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a matching property. Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a matching property. Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching property. Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'strictCiphers' to 'true' did not find a matching property. Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not find a matching property. 
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching property. Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did not find a matching property. 
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA' did not find a matching property. Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property. Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching property. 
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256' did not find a matching property. Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property. 
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property. Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property. Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property. Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.tomcat.util.digester.SetPropertiesRule begin Jan 26 20:39:07 idm1 server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property. Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.tomcat.util.digester.SetPropertiesRule begin Jan 26 20:39:07 idm1 server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property. 
Jan 26 20:39:07 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_init]
Jan 26 20:39:08 idm1 server: Jan 26, 2018 8:39:08 PM org.apache.coyote.AbstractProtocol init
Jan 26 20:39:08 idm1 server: INFO: Initializing ProtocolHandler ["http-bio-8080"]
Jan 26 20:39:08 idm1 server: Jan 26, 2018 8:39:08 PM org.apache.coyote.AbstractProtocol init
Jan 26 20:39:08 idm1 server: INFO: Initializing ProtocolHandler ["http-bio-8443"]
Jan 26 20:39:08 idm1 server: Error: SSL cipher "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" not recognized by tomcatjss
Jan 26 20:39:08 idm1 server: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" not recognized by tomcatjss
Jan 26 20:39:08 idm1 server: Jan 26, 2018 8:39:08 PM org.apache.coyote.AbstractProtocol init
Jan 26 20:39:08 idm1 server: INFO: Initializing ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Jan 26 20:39:08 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[after_init]
Jan 26 20:39:08 idm1 server: Jan 26, 2018 8:39:08 PM org.apache.catalina.startup.Catalina load
Jan 26 20:39:08 idm1 server: INFO: Initialization processed in 1254 ms
Jan 26 20:39:08 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_start]
Jan 26 20:39:08 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[configure_start]
Jan 26 20:39:08 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[start]
Jan 26 20:39:08 idm1 server: Jan 26, 2018 8:39:08 PM org.apache.catalina.core.StandardService startInternal
Jan 26 20:39:08 idm1 server: INFO: Starting service Catalina
Jan 26 20:39:08 idm1 server: Jan 26, 2018 8:39:08 PM org.apache.catalina.core.StandardEngine startInternal
Jan 26 20:39:08 idm1 server: INFO: Starting Servlet Engine: Apache Tomcat/7.0.76
Jan 26 20:39:08 idm1 server: Jan 26, 2018 8:39:08 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:39:08 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml
Jan 26 20:39:08 idm1 server: SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
Jan 26 20:39:08 idm1 server: SSLAuthenticatorWithFallback: Setting container
Jan 26 20:39:10 idm1 server: Jan 26, 2018 8:39:10 PM org.apache.catalina.startup.TldConfig execute
Jan 26 20:39:10 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jan 26 20:39:10 idm1 server: SSLAuthenticatorWithFallback: Initializing authenticators
Jan 26 20:39:10 idm1 server: SSLAuthenticatorWithFallback: Starting authenticators
Jan 26 20:39:10 idm1 server: CMSEngine.initializePasswordStore() begins
Jan 26 20:39:10 idm1 server: CMSEngine.initializePasswordStore(): tag=internaldb
Jan 26 20:39:10 idm1 server: CMSEngine.initializePasswordStore(): tag=replicationdb
Jan 26 20:39:13 idm1 server: SelfTestSubsystem: Disabling "ca" subsystem due to selftest failure.
Jan 26 20:39:13 idm1 server: ----------------------- Jan 26 20:39:13 idm1 server: Disabled "ca" subsystem Jan 26 20:39:13 idm1 server: ----------------------- Jan 26 20:39:13 idm1 server: Subsystem ID: ca Jan 26 20:39:13 idm1 server: Instance ID: pki-tomcat Jan 26 20:39:13 idm1 server: Enabled: False Jan 26 20:39:13 idm1 server: Invalid class name repositorytop Jan 26 20:39:14 idm1 server: Invalid class name repositorytop Jan 26 20:39:14 idm1 server: at com.netscape.cmscore.dbs.DBRegistry.createObject(DBRegistry.java:485) Jan 26 20:39:14 idm1 server: at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:167) Jan 26 20:39:14 idm1 server: at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:137) Jan 26 20:39:14 idm1 server: at com.netscape.cmscore.dbs.Repository.getSerialNumber(Repository.java:125) Jan 26 20:39:14 idm1 server: at com.netscape.cmscore.dbs.Repository.initCache(Repository.java:244) Jan 26 20:39:14 idm1 server: at com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:460) Jan 26 20:39:14 idm1 server: at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1378) Jan 26 20:39:14 idm1 server: at com.netscape.certsrv.apps.CMS.startup(CMS.java:202) Jan 26 20:39:14 idm1 server: at com.netscape.certsrv.apps.CMS.start(CMS.java:1632) Jan 26 20:39:14 idm1 server: at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117) Jan 26 20:39:14 idm1 server: at javax.servlet.GenericServlet.init(GenericServlet.java:158) Jan 26 20:39:14 idm1 server: at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) Jan 26 20:39:14 idm1 server: at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) Jan 26 20:39:14 idm1 server: at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) Jan 26 20:39:14 idm1 server: at java.lang.reflect.Method.invoke(Method.java:498) Jan 26 20:39:14 idm1 server: at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288) Jan 26 
20:39:14 idm1 server: at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285) Jan 26 20:39:14 idm1 server: at java.security.AccessController.doPrivileged(Native Method) Jan 26 20:39:14 idm1 server: at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) Jan 26 20:39:14 idm1 server: at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320) Jan 26 20:39:14 idm1 server: at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175) Jan 26 20:39:14 idm1 server: at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124) Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1257) Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1182) Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1072) Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5368) Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5660) Jan 26 20:39:14 idm1 server: at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145) Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899) Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133) Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156) Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145) Jan 26 20:39:14 idm1 server: at java.security.AccessController.doPrivileged(Native Method) Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873) Jan 26 20:39:14 idm1 server: at 
org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652) Jan 26 20:39:14 idm1 server: at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679) Jan 26 20:39:14 idm1 server: at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966) Jan 26 20:39:14 idm1 server: at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) Jan 26 20:39:14 idm1 server: at java.util.concurrent.FutureTask.run(FutureTask.java:266) Jan 26 20:39:14 idm1 server: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) Jan 26 20:39:14 idm1 server: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) Jan 26 20:39:14 idm1 server: at java.lang.Thread.run(Thread.java:748) Jan 26 20:39:14 idm1 server: Jan 26, 2018 8:39:14 PM org.apache.catalina.startup.HostConfig deployDescriptor Jan 26 20:39:14 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 5,603 ms Jan 26 20:39:14 idm1 server: Jan 26, 2018 8:39:14 PM org.apache.catalina.startup.HostConfig deployDescriptor Jan 26 20:39:14 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml Jan 26 20:39:14 idm1 server: Jan 26, 2018 8:39:14 PM org.apache.catalina.startup.TldConfig execute Jan 26 20:39:14 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time. 
Jan 26 20:39:14 idm1 server: Jan 26, 2018 8:39:14 PM org.apache.catalina.startup.HostConfig deployDescriptor Jan 26 20:39:14 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml has finished in 724 ms Jan 26 20:39:14 idm1 server: Jan 26, 2018 8:39:14 PM org.apache.catalina.startup.HostConfig deployDescriptor Jan 26 20:39:14 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml Jan 26 20:39:15 idm1 server: Jan 26, 2018 8:39:15 PM org.apache.catalina.startup.TldConfig execute Jan 26 20:39:15 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time. Jan 26 20:39:15 idm1 server: Jan 26, 2018 8:39:15 PM org.apache.catalina.startup.HostConfig deployDescriptor Jan 26 20:39:15 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml has finished in 1,041 ms Jan 26 20:39:15 idm1 server: Jan 26, 2018 8:39:15 PM org.apache.coyote.AbstractProtocol start Jan 26 20:39:15 idm1 server: INFO: Starting ProtocolHandler ["http-bio-8080"] Jan 26 20:39:15 idm1 server: Jan 26, 2018 8:39:15 PM org.apache.coyote.AbstractProtocol start Jan 26 20:39:15 idm1 server: INFO: Starting ProtocolHandler ["http-bio-8443"] Jan 26 20:39:15 idm1 server: Jan 26, 2018 8:39:15 PM org.apache.coyote.AbstractProtocol start Jan 26 20:39:15 idm1 server: INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"] Jan 26 20:39:15 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[after_start] Jan 26 20:39:15 idm1 server: PKIListener: Subsystem CA is disabled. Jan 26 20:39:15 idm1 server: PKIListener: Check /var/log/pki/pki-tomcat/ca/selftests.log for possible errors. 
Jan 26 20:39:15 idm1 server: PKIListener: To enable the subsystem: Jan 26 20:39:15 idm1 server: PKIListener: pki-server subsystem-enable -i pki-tomcat ca Jan 26 20:39:15 idm1 server: Jan 26, 2018 8:39:15 PM org.apache.catalina.startup.Catalina start Jan 26 20:39:15 idm1 server: INFO: Server startup in 7480 ms Jan 26 20:39:17 idm1 ns-slapd: [26/Jan/2018:20:39:17.236299024 +0100] - WARN - csngen_new_csn - Too much time skew (-414380 secs). Current seqnum=1 Jan 26 20:39:22 idm1 ns-slapd: [26/Jan/2018:20:39:22.056843883 +0100] - WARN - csngen_new_csn - Too much time skew (-414376 secs). Current seqnum=1 Jan 26 20:39:22 idm1 ns-slapd: [26/Jan/2018:20:39:22.084016470 +0100] - WARN - csngen_new_csn - Too much time skew (-414377 secs). Current seqnum=1 Jan 26 20:39:26 idm1 ns-slapd: [26/Jan/2018:20:39:26.282879120 +0100] - WARN - csngen_new_csn - Too much time skew (-414374 secs). Current seqnum=1 Jan 26 20:39:26 idm1 ns-slapd: [26/Jan/2018:20:39:26.321619015 +0100] - WARN - csngen_new_csn - Too much time skew (-414375 secs). Current seqnum=1 Jan 26 20:39:26 idm1 server: Jan 26, 2018 8:39:26 PM org.apache.catalina.startup.HostConfig undeploy Jan 26 20:39:26 idm1 server: INFO: Undeploying context [/ca] Jan 26 20:39:26 idm1 server: SSLAuthenticatorWithFallback: Stopping authenticators Jan 26 20:39:26 idm1 server: Jan 26, 2018 8:39:26 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads Jan 26 20:39:26 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-0 ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak. Jan 26 20:39:26 idm1 server: Jan 26, 2018 8:39:26 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads Jan 26 20:39:26 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-2 ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak. 
Jan 26 20:39:26 idm1 server: Jan 26, 2018 8:39:26 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads Jan 26 20:39:26 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [authorityMonitor] but has failed to stop it. This is very likely to create a memory leak. Jan 26 20:39:26 idm1 server: Jan 26, 2018 8:39:26 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads Jan 26 20:39:26 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-3 ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak. Jan 26 20:39:26 idm1 server: Jan 26, 2018 8:39:26 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads Jan 26 20:39:26 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [profileChangeMonitor] but has failed to stop it. This is very likely to create a memory leak. Jan 26 20:39:26 idm1 server: SSLAuthenticatorWithFallback: Setting container J
Jan 26 20:42:16 idm1 systemd: Closed ipa-otpd socket. Jan 26 20:42:16 idm1 systemd: Stopping ipa-otpd socket. Jan 26 20:42:16 idm1 systemd: Stopping Samba Winbind Daemon... Jan 26 20:42:16 idm1 winbindd[16702]: [2018/01/26 20:42:16.696807, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler) Jan 26 20:42:16 idm1 winbindd[16702]: Got sig[15] terminate (is_parent=1) Jan 26 20:42:16 idm1 winbindd[16703]: [2018/01/26 20:42:16.841466, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler) Jan 26 20:42:16 idm1 winbindd[16703]: Got sig[15] terminate (is_parent=0) Jan 26 20:42:16 idm1 systemd: Stopped Samba Winbind Daemon. Jan 26 20:42:16 idm1 systemd: Stopping Samba SMB Daemon... Jan 26 20:42:16 idm1 smbd[16688]: [2018/01/26 20:42:16.916550, 0] ../source3/rpc_server/lsasd.c:139(lsasd_sig_term_handler) Jan 26 20:42:16 idm1 smbd[16688]: termination signal Jan 26 20:42:16 idm1 systemd: Stopped Samba SMB Daemon. Jan 26 20:42:17 idm1 systemd: Stopping IPA Custodia Service... Jan 26 20:42:17 idm1 systemd: Stopped IPA Custodia Service. Jan 26 20:42:17 idm1 systemd: Stopping The Apache HTTP Server... Jan 26 20:42:18 idm1 systemd: Stopped The Apache HTTP Server. Jan 26 20:42:18 idm1 systemd: Stopping Kerberos 5 Password-changing and Administration... Jan 26 20:42:18 idm1 systemd: kadmin.service: main process exited, code=exited, status=2/INVALIDARGUMENT Jan 26 20:42:18 idm1 systemd: Stopped Kerberos 5 Password-changing and Administration. Jan 26 20:42:18 idm1 systemd: Unit kadmin.service entered failed state. Jan 26 20:42:18 idm1 systemd: kadmin.service failed. Jan 26 20:42:18 idm1 systemd: Stopping Kerberos 5 KDC... Jan 26 20:42:18 idm1 systemd: Stopped Kerberos 5 KDC. Jan 26 20:42:18 idm1 systemd: Stopping 389 Directory Server XXXKD-FAU-DE.... 
Jan 26 20:42:18 idm1 ns-slapd: [26/Jan/2018:20:42:18.368608160 +0100] - INFO - op_thread_cleanup - slapd shutting down - signaling operation threads - op stack size 6 max work q size 2 max work q stack size 2 Jan 26 20:42:18 idm1 ns-slapd: [26/Jan/2018:20:42:18.372309172 +0100] - INFO - slapd_daemon - slapd shutting down - waiting for 15 threads to terminate Jan 26 20:42:18 idm1 ns-slapd: [26/Jan/2018:20:42:18.374142668 +0100] - INFO - slapd_daemon - slapd shutting down - closing down internal subsystems and plugins Jan 26 20:42:18 idm1 ns-slapd: [26/Jan/2018:20:42:18.726004813 +0100] - INFO - dblayer_pre_close - Waiting for 4 database threads to stop Jan 26 20:42:19 idm1 ns-slapd: [26/Jan/2018:20:42:19.258064040 +0100] - INFO - dblayer_pre_close - All database threads now stopped Jan 26 20:42:19 idm1 ns-slapd: [26/Jan/2018:20:42:19.286571363 +0100] - INFO - ldbm_back_instance_set_destructor - Set of instances destroyed Jan 26 20:42:19 idm1 ns-slapd: [26/Jan/2018:20:42:19.288632006 +0100] - INFO - connection_post_shutdown_cleanup - slapd shutting down - freed 2 work q stack objects - freed 7 op stack objects Jan 26 20:42:19 idm1 ns-slapd: [26/Jan/2018:20:42:19.803231467 +0100] - INFO - main - slapd stopped. Jan 26 20:42:19 idm1 systemd: Stopped 389 Directory Server XXXKD-FAU-DE.. 
Jan 26 20:42:30 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_stop] Jan 26 20:42:30 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[stop] Jan 26 20:42:30 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[configure_stop] Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.coyote.AbstractProtocol pause Jan 26 20:42:30 idm1 server: INFO: Pausing ProtocolHandler ["http-bio-8080"] Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.coyote.AbstractProtocol pause Jan 26 20:42:30 idm1 server: INFO: Pausing ProtocolHandler ["http-bio-8443"] Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.coyote.AbstractProtocol pause Jan 26 20:42:30 idm1 server: INFO: Pausing ProtocolHandler ["ajp-bio-127.0.0.1-8009"] Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.catalina.core.StandardService stopInternal Jan 26 20:42:30 idm1 server: INFO: Stopping service Catalina Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.coyote.AbstractProtocol stop Jan 26 20:42:30 idm1 server: INFO: Stopping ProtocolHandler ["http-bio-8080"] Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.coyote.AbstractProtocol stop Jan 26 20:42:30 idm1 server: INFO: Stopping ProtocolHandler ["http-bio-8443"] Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.coyote.AbstractProtocol stop Jan 26 20:42:30 idm1 server: INFO: Stopping ProtocolHandler ["ajp-bio-127.0.0.1-8009"] Jan 26 20:42:30 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[after_stop] Jan 26 20:42:30 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_destroy] Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.coyote.AbstractProtocol destroy Jan 26 20:42:30 idm1 server: INFO: Destroying ProtocolHandler ["http-bio-8080"] Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.coyote.AbstractProtocol destroy Jan 26 20:42:30 idm1 server: INFO: 
Destroying ProtocolHandler ["http-bio-8443"] Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.coyote.AbstractProtocol destroy Jan 26 20:42:30 idm1 server: INFO: Destroying ProtocolHandler ["ajp-bio-127.0.0.1-8009"] Jan 26 20:42:30 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[after_destroy] Jan 26 20:42:30 idm1 server: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java Jan 26 20:42:30 idm1 server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar Jan 26 20:42:30 idm1 server: main class used: org.apache.catalina.startup.Bootstrap Jan 26 20:42:30 idm1 server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni Jan 26 20:42:30 idm1 server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager Jan 26 20:42:30 idm1 server: arguments used: stop Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.catalina.startup.Catalina stopServer Jan 26 20:42:30 idm1 server: SEVERE: Could not contact localhost:8005. Tomcat may not be running. 
Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.catalina.startup.Catalina stopServer Jan 26 20:42:30 idm1 server: SEVERE: Catalina.stop: Jan 26 20:42:30 idm1 server: java.net.ConnectException: Connection refused (Connection refused) Jan 26 20:42:30 idm1 server: at java.net.PlainSocketImpl.socketConnect(Native Method) Jan 26 20:42:30 idm1 server: at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) Jan 26 20:42:30 idm1 server: at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) Jan 26 20:42:30 idm1 server: at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) Jan 26 20:42:30 idm1 server: at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) Jan 26 20:42:30 idm1 server: at java.net.Socket.connect(Socket.java:589) Jan 26 20:42:30 idm1 server: at java.net.Socket.connect(Socket.java:538) Jan 26 20:42:30 idm1 server: at java.net.Socket.<init>(Socket.java:434) Jan 26 20:42:30 idm1 server: at java.net.Socket.<init>(Socket.java:211) Jan 26 20:42:30 idm1 server: at org.apache.catalina.startup.Catalina.stopServer(Catalina.java:498) Jan 26 20:42:30 idm1 server: at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) Jan 26 20:42:30 idm1 server: at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) Jan 26 20:42:30 idm1 server: at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) Jan 26 20:42:30 idm1 server: at java.lang.reflect.Method.invoke(Method.java:498) Jan 26 20:42:30 idm1 server: at org.apache.catalina.startup.Bootstrap.stopServer(Bootstrap.java:343) Jan 26 20:42:30 idm1 server: at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:430) Jan 26 20:42:30 idm1 systemd: pki-tomcatd@pki-tomcat.service: control process exited, code=exited status=1 Jan 26 20:42:30 idm1 systemd: Unit pki-tomcatd@pki-tomcat.service entered failed state. 
Jan 26 20:42:30 idm1 systemd: pki-tomcatd@pki-tomcat.service failed. Jan 26 20:43:06 idm1 systemd: Starting 389 Directory Server XXXKD-FAU-DE.... Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.135519647 +0100] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password. Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.137896015 +0100] - INFO - Security Initialization - SSL info: Enabling default cipher set. Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.138653476 +0100] - INFO - Security Initialization - SSL info: Configured NSS Ciphers Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.139362471 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.139997617 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.140969886 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.141763790 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.142425874 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.143128669 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.143876111 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.144506089 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled Jan 26 
20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.145128275 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.145681866 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.146327021 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.146946087 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.147538973 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.148175269 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.148809308 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.149468022 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.150081883 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.150700313 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.151358604 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.151978602 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_GCM_SHA384: enabled Jan 26 20:43:07 idm1 ns-slapd: 
[26/Jan/2018:20:43:07.152607727 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_CBC_SHA: enabled Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.153363369 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_CBC_SHA256: enabled Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.153985935 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_GCM_SHA256: enabled Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.154615624 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_CBC_SHA: enabled Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.155162346 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_CBC_SHA256: enabled Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.155751837 +0100] - INFO - Security Initialization - SSL info: #011TLS_AES_128_GCM_SHA256: enabled Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.156407344 +0100] - INFO - Security Initialization - SSL info: #011TLS_CHACHA20_POLY1305_SHA256: enabled Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.157006854 +0100] - INFO - Security Initialization - SSL info: #011TLS_AES_256_GCM_SHA384: enabled Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.166751450 +0100] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.2 Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.167990669 +0100] - INFO - main - 389-Directory/1.3.6.1 B2018.025.1550 starting up Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.182152260 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000 Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.186165063 +0100] - WARN - default_mr_indexer_create - Plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.190789757 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000 
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.197372415 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000 Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.203502167 +0100] - NOTICE - ldbm_back_start - found 1532164k physical memory Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.204358115 +0100] - NOTICE - ldbm_back_start - found 945032k available Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.205099201 +0100] - NOTICE - ldbm_back_start - cache autosizing: db cache: 61286k Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.205772172 +0100] - NOTICE - ldbm_back_start - cache autosizing: userRoot entry cache (3 total): 65536k Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.207976581 +0100] - NOTICE - ldbm_back_start - cache autosizing: ipaca entry cache (3 total): 65536k Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.209935120 +0100] - NOTICE - ldbm_back_start - cache autosizing: changelog entry cache (3 total): 65536k Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.211955092 +0100] - NOTICE - ldbm_back_start - total cache size: 282989821 B; Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.268450630 +0100] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup! 
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.282669243 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.283853676 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=keys,cn=sec,cn=dns,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.284750958 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.285646359 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.286462970 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.287349607 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.288118043 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.289095649 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.289876366 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.290752671 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.291856781 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.292684559 +0100] - ERR - NSACLPlugin - acl_parse - The ACL 
target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.293502496 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.294411988 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.295131467 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.295944190 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.296675050 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.297436245 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.298242490 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.299012600 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.299921149 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.307173136 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.308050707 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert 
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.414161967 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.417370681 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat". Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.418164001 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat". Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.419003673 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat". Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.451898960 +0100] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds! Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.454077292 +0100] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/idm1.XXXkd.fau.de@XXXKD.FAU.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.459158890 +0100] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests Jan 26 20:43:07 idm1 systemd: Started 389 Directory Server XXXKD-FAU-DE.. Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.461550924 +0100] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.462589374 +0100] - INFO - slapd_daemon - Listening on /var/run/slapd-XXXKD-FAU-DE.socket for LDAPI requests Jan 26 20:43:07 idm1 ns-slapd: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (No Kerberos credentials available (default cache: /tmp/krb5cc_993)) Jan 26 20:43:07 idm1 systemd: Starting Kerberos 5 KDC... Jan 26 20:43:07 idm1 systemd: Started Kerberos 5 KDC. Jan 26 20:43:07 idm1 systemd: Starting Kerberos 5 Password-changing and Administration... Jan 26 20:43:07 idm1 systemd: Started Kerberos 5 Password-changing and Administration. Jan 26 20:43:08 idm1 systemd: Starting The Apache HTTP Server... Jan 26 20:43:08 idm1 ipa-httpd-kdcproxy: ipa : INFO KDC proxy enabled Jan 26 20:43:08 idm1 systemd: Started The Apache HTTP Server. Jan 26 20:43:09 idm1 systemd: Starting IPA Custodia Service... Jan 26 20:43:09 idm1 ipa-custodia: 2018-01-26 20:43:09 - server - Serving on Unix socket /run/httpd/ipa-custodia.sock Jan 26 20:43:09 idm1 systemd: Started IPA Custodia Service. Jan 26 20:43:09 idm1 systemd: Starting Network Time Service... Jan 26 20:43:09 idm1 ntpd[18606]: ntpd 4.2.6p5@1.2349-o Wed Apr 12 21:24:06 UTC 2017 (1) Jan 26 20:43:09 idm1 ntpd[18607]: proto: precision = 0.092 usec Jan 26 20:43:09 idm1 ntpd[18607]: 0.0.0.0 c01d 0d kern kernel time sync enabled Jan 26 20:43:09 idm1 systemd: Started Network Time Service. Jan 26 20:43:09 idm1 ntpd[18607]: getaddrinfo: "2001:638:a000:b201::/64" invalid host address, ignored Jan 26 20:43:09 idm1 ntpd[18607]: restrict: error in address '2001:638:a000:b201::/64' on line 21. Ignoring... 
Jan 26 20:43:09 idm1 ntpd[18607]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123 Jan 26 20:43:09 idm1 ntpd[18607]: Listen and drop on 1 v6wildcard :: UDP 123 Jan 26 20:43:09 idm1 ntpd[18607]: Listen normally on 2 lo 127.0.0.1 UDP 123 Jan 26 20:43:09 idm1 ntpd[18607]: Listen normally on 3 eth0 10.188.220.100 UDP 123 Jan 26 20:43:09 idm1 ntpd[18607]: Listen normally on 4 lo ::1 UDP 123 Jan 26 20:43:09 idm1 ntpd[18607]: Listen normally on 5 eth0 fe80::5054:ff:fe4e:b270 UDP 123 Jan 26 20:43:09 idm1 ntpd[18607]: Listen normally on 6 eth0 2001:638:a000:b201::220:100 UDP 123 Jan 26 20:43:10 idm1 ntpd[18607]: Listening on routing socket on fd #23 for interface updates Jan 26 20:43:10 idm1 ntpd[18607]: 0.0.0.0 c016 06 restart Jan 26 20:43:10 idm1 ntpd[18607]: 0.0.0.0 c012 02 freq_set ntpd -11.506 PPM Jan 26 20:43:10 idm1 systemd: Starting PKI Tomcat Server pki-tomcat... Jan 26 20:43:10 idm1 ns-slapd: [26/Jan/2018:20:43:10.654518701 +0100] - WARN - csngen_new_csn - Too much time skew (-414240 secs). Current seqnum=1 Jan 26 20:43:10 idm1 ns-slapd: [26/Jan/2018:20:43:10.903986761 +0100] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToidm2.XXXkd.fau.de" (idm2:389) - Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) () Jan 26 20:43:11 idm1 ns-slapd: [26/Jan/2018:20:43:11.090525190 +0100] - WARN - csngen_new_csn - Too much time skew (-414241 secs). Current seqnum=1 Jan 26 20:43:11 idm1 ns-slapd: [26/Jan/2018:20:43:11.418472466 +0100] - WARN - csngen_new_csn - Too much time skew (-414242 secs). Current seqnum=1 Jan 26 20:43:11 idm1 ns-slapd: [26/Jan/2018:20:43:11.690552308 +0100] - WARN - csngen_new_csn - Too much time skew (-414242 secs). Current seqnum=1 Jan 26 20:43:11 idm1 ns-slapd: [26/Jan/2018:20:43:11.913216706 +0100] - WARN - csngen_new_csn - Too much time skew (-414243 secs). 
Current seqnum=1 Jan 26 20:43:12 idm1 pkidaemon: ----------------------- Jan 26 20:43:12 idm1 pkidaemon: Banner is not installed Jan 26 20:43:12 idm1 pkidaemon: ----------------------- Jan 26 20:43:12 idm1 pkidaemon: ---------------------- Jan 26 20:43:12 idm1 pkidaemon: Enabled all subsystems Jan 26 20:43:12 idm1 pkidaemon: ---------------------- Jan 26 20:43:12 idm1 systemd: Started PKI Tomcat Server pki-tomcat. Jan 26 20:43:12 idm1 server: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java Jan 26 20:43:12 idm1 server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar Jan 26 20:43:12 idm1 server: main class used: org.apache.catalina.startup.Bootstrap Jan 26 20:43:12 idm1 server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni Jan 26 20:43:12 idm1 server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy Jan 26 20:43:12 idm1 server: arguments used: start Jan 26 20:43:12 idm1 ns-slapd: [26/Jan/2018:20:43:12.856244489 +0100] - ERR - schema-compat-plugin - Finished plugin initialization. Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property. 
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://idm1.XXXkd.fau.de:9080/ca/ocsp' did not find a matching property. Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property. Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property. Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a matching property. Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a matching property. Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching property. Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'strictCiphers' to 'true' did not find a matching property. 
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not find a matching property. Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching property. Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did not find a matching property. 
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA' did not find a matching property. Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property. Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching property. 
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256' did not find a matching property. Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property. 
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property. Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property. Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property. Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.tomcat.util.digester.SetPropertiesRule begin Jan 26 20:43:13 idm1 server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property. Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.tomcat.util.digester.SetPropertiesRule begin Jan 26 20:43:13 idm1 server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property. 
Jan 26 20:43:13 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_init] Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.coyote.AbstractProtocol init Jan 26 20:43:13 idm1 server: INFO: Initializing ProtocolHandler ["http-bio-8080"] Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.coyote.AbstractProtocol init Jan 26 20:43:13 idm1 server: INFO: Initializing ProtocolHandler ["http-bio-8443"] Jan 26 20:43:13 idm1 server: Error: SSL cipher "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" not recognized by tomcatjss Jan 26 20:43:13 idm1 server: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" not recognized by tomcatjss Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.coyote.AbstractProtocol init Jan 26 20:43:13 idm1 server: INFO: Initializing ProtocolHandler ["ajp-bio-127.0.0.1-8009"] Jan 26 20:43:13 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[after_init] Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.Catalina load Jan 26 20:43:13 idm1 server: INFO: Initialization processed in 887 ms Jan 26 20:43:13 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_start] Jan 26 20:43:13 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[configure_start] Jan 26 20:43:13 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[start] Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.core.StandardService startInternal Jan 26 20:43:13 idm1 server: INFO: Starting service Catalina Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.core.StandardEngine startInternal Jan 26 20:43:13 idm1 server: INFO: Starting Servlet Engine: Apache Tomcat/7.0.76 Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.HostConfig deployDescriptor Jan 26 20:43:13 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml Jan 26 20:43:13 
idm1 server: SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback Jan 26 20:43:13 idm1 server: SSLAuthenticatorWithFallback: Setting container Jan 26 20:43:14 idm1 ntpd[18607]: 0.0.0.0 c515 05 clock_sync Jan 26 20:43:15 idm1 server: Jan 26, 2018 8:43:15 PM org.apache.catalina.startup.TldConfig execute Jan 26 20:43:15 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time. Jan 26 20:43:15 idm1 server: SSLAuthenticatorWithFallback: Initializing authenticators Jan 26 20:43:15 idm1 server: SSLAuthenticatorWithFallback: Starting authenticators Jan 26 20:43:15 idm1 server: CMSEngine.initializePasswordStore() begins Jan 26 20:43:15 idm1 server: CMSEngine.initializePasswordStore(): tag=internaldb Jan 26 20:43:15 idm1 server: CMSEngine.initializePasswordStore(): tag=replicationdb Jan 26 20:43:16 idm1 ns-slapd: [26/Jan/2018:20:43:16.928242338 +0100] - WARN - csngen_new_csn - Too much time skew (-414239 secs). Current seqnum=1 Jan 26 20:43:17 idm1 ns-slapd: [26/Jan/2018:20:43:17.631952903 +0100] - WARN - csngen_new_csn - Too much time skew (-414239 secs). Current seqnum=1 Jan 26 20:43:17 idm1 ns-slapd: [26/Jan/2018:20:43:17.654048776 +0100] - WARN - csngen_new_csn - Too much time skew (-414240 secs). Current seqnum=1 Jan 26 20:43:18 idm1 server: SelfTestSubsystem: Disabling "ca" subsystem due to selftest failure. 
Jan 26 20:43:18 idm1 server: ----------------------- Jan 26 20:43:18 idm1 server: Disabled "ca" subsystem Jan 26 20:43:18 idm1 server: ----------------------- Jan 26 20:43:18 idm1 server: Subsystem ID: ca Jan 26 20:43:18 idm1 server: Instance ID: pki-tomcat Jan 26 20:43:18 idm1 server: Enabled: False Jan 26 20:43:18 idm1 server: Invalid class name repositorytop Jan 26 20:43:19 idm1 server: Invalid class name repositorytop Jan 26 20:43:19 idm1 server: at com.netscape.cmscore.dbs.DBRegistry.createObject(DBRegistry.java:485) Jan 26 20:43:19 idm1 server: at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:167) Jan 26 20:43:19 idm1 server: at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:137) Jan 26 20:43:19 idm1 server: at com.netscape.cmscore.dbs.Repository.getSerialNumber(Repository.java:125) Jan 26 20:43:19 idm1 server: at com.netscape.cmscore.dbs.Repository.initCache(Repository.java:244) Jan 26 20:43:19 idm1 server: at com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:460) Jan 26 20:43:19 idm1 server: at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1378) Jan 26 20:43:19 idm1 server: at com.netscape.certsrv.apps.CMS.startup(CMS.java:202) Jan 26 20:43:19 idm1 server: at com.netscape.certsrv.apps.CMS.start(CMS.java:1632) Jan 26 20:43:19 idm1 server: at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117) Jan 26 20:43:19 idm1 server: at javax.servlet.GenericServlet.init(GenericServlet.java:158) Jan 26 20:43:19 idm1 server: at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) Jan 26 20:43:19 idm1 server: at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) Jan 26 20:43:19 idm1 server: at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) Jan 26 20:43:19 idm1 server: at java.lang.reflect.Method.invoke(Method.java:498) Jan 26 20:43:19 idm1 server: at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288) Jan 26 
20:43:19 idm1 server: at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285) Jan 26 20:43:19 idm1 server: at java.security.AccessController.doPrivileged(Native Method) Jan 26 20:43:19 idm1 server: at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) Jan 26 20:43:19 idm1 server: at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320) Jan 26 20:43:19 idm1 server: at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175) Jan 26 20:43:19 idm1 server: at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124) Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1257) Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1182) Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1072) Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5368) Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5660) Jan 26 20:43:19 idm1 server: at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145) Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899) Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133) Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156) Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145) Jan 26 20:43:19 idm1 server: at java.security.AccessController.doPrivileged(Native Method) Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873) Jan 26 20:43:19 idm1 server: at 
org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652) Jan 26 20:43:19 idm1 server: at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679) Jan 26 20:43:19 idm1 server: at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966) Jan 26 20:43:19 idm1 server: at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) Jan 26 20:43:19 idm1 server: at java.util.concurrent.FutureTask.run(FutureTask.java:266) Jan 26 20:43:19 idm1 server: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) Jan 26 20:43:19 idm1 server: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) Jan 26 20:43:19 idm1 server: at java.lang.Thread.run(Thread.java:748) Jan 26 20:43:19 idm1 server: Jan 26, 2018 8:43:19 PM org.apache.catalina.startup.HostConfig deployDescriptor Jan 26 20:43:19 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 5,274 ms Jan 26 20:43:19 idm1 server: Jan 26, 2018 8:43:19 PM org.apache.catalina.startup.HostConfig deployDescriptor Jan 26 20:43:19 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml Jan 26 20:43:19 idm1 server: Jan 26, 2018 8:43:19 PM org.apache.catalina.startup.TldConfig execute Jan 26 20:43:19 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time. 
Jan 26 20:43:19 idm1 server: Jan 26, 2018 8:43:19 PM org.apache.catalina.startup.HostConfig deployDescriptor Jan 26 20:43:19 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml has finished in 738 ms Jan 26 20:43:19 idm1 server: Jan 26, 2018 8:43:19 PM org.apache.catalina.startup.HostConfig deployDescriptor Jan 26 20:43:19 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml Jan 26 20:43:20 idm1 server: Jan 26, 2018 8:43:20 PM org.apache.catalina.startup.TldConfig execute Jan 26 20:43:20 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time. Jan 26 20:43:20 idm1 server: Jan 26, 2018 8:43:20 PM org.apache.catalina.startup.HostConfig deployDescriptor Jan 26 20:43:20 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml has finished in 1,088 ms Jan 26 20:43:20 idm1 server: Jan 26, 2018 8:43:20 PM org.apache.coyote.AbstractProtocol start Jan 26 20:43:20 idm1 server: INFO: Starting ProtocolHandler ["http-bio-8080"] Jan 26 20:43:20 idm1 server: Jan 26, 2018 8:43:20 PM org.apache.coyote.AbstractProtocol start Jan 26 20:43:20 idm1 server: INFO: Starting ProtocolHandler ["http-bio-8443"] Jan 26 20:43:20 idm1 server: Jan 26, 2018 8:43:20 PM org.apache.coyote.AbstractProtocol start Jan 26 20:43:20 idm1 server: INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"] Jan 26 20:43:20 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[after_start] Jan 26 20:43:20 idm1 server: PKIListener: Subsystem CA is disabled. Jan 26 20:43:20 idm1 server: PKIListener: Check /var/log/pki/pki-tomcat/ca/selftests.log for possible errors. 
Jan 26 20:43:20 idm1 server: PKIListener: To enable the subsystem: Jan 26 20:43:20 idm1 server: PKIListener: pki-server subsystem-enable -i pki-tomcat ca Jan 26 20:43:20 idm1 server: Jan 26, 2018 8:43:20 PM org.apache.catalina.startup.Catalina start Jan 26 20:43:20 idm1 server: INFO: Server startup in 7197 ms Jan 26 20:43:21 idm1 ns-slapd: [26/Jan/2018:20:43:21.078383741 +0100] - WARN - csngen_new_csn - Too much time skew (-414238 secs). Current seqnum=1 Jan 26 20:43:21 idm1 ns-slapd: [26/Jan/2018:20:43:21.369142943 +0100] - WARN - csngen_new_csn - Too much time skew (-414239 secs). Current seqnum=1 Jan 26 20:43:29 idm1 ns-slapd: [26/Jan/2018:20:43:29.176587570 +0100] - WARN - csngen_new_csn - Too much time skew (-414232 secs). Current seqnum=1 Jan 26 20:43:31 idm1 server: Jan 26, 2018 8:43:31 PM org.apache.catalina.startup.HostConfig undeploy Jan 26 20:43:31 idm1 server: INFO: Undeploying context [/ca] Jan 26 20:43:31 idm1 server: SSLAuthenticatorWithFallback: Stopping authenticators Jan 26 20:43:31 idm1 server: Jan 26, 2018 8:43:31 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads Jan 26 20:43:31 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-0 ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak. Jan 26 20:43:31 idm1 server: Jan 26, 2018 8:43:31 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads Jan 26 20:43:31 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-2 ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak. Jan 26 20:43:31 idm1 server: Jan 26, 2018 8:43:31 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads Jan 26 20:43:31 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [authorityMonitor] but has failed to stop it. 
This is very likely to create a memory leak. Jan 26 20:43:31 idm1 server: Jan 26, 2018 8:43:31 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads Jan 26 20:43:31 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-3 ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak. Jan 26 20:43:31 idm1 server: Jan 26, 2018 8:43:31 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads Jan 26 20:43:31 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [profileChangeMonitor] but has failed to stop it. This is very likely to create a memory leak. Jan 26 20:43:31 idm1 server: SSLAuthenticatorWithFallback: Setting container Jan 26 20:43:38 idm1 ns-slapd: [26/Jan/2018:20:43:38.212105934 +0100] - WARN - csngen_new_csn - Too much time skew (-414224 secs). Current seqnum=1 Jan 26 20:43:38 idm1 ns-slapd: [26/Jan/2018:20:43:38.221564490 +0100] - WARN - csngen_new_csn - Too much time skew (-414225 secs). Current seqnum=1 Jan 26 20:43:50 idm1 ns-slapd: [26/Jan/2018:20:43:50.895768971 +0100] - WARN - csngen_new_csn - Too much time skew (-414213 secs). Current seqnum=1 Jan 26 20:43:50 idm1 ns-slapd: [26/Jan/2018:20:43:50.928585085 +0100] - WARN - csngen_new_csn - Too much time skew (-414214 secs). Current seqnum=1 Jan 26 20:43:50 idm1 ns-slapd: [26/Jan/2018:20:43:50.973568568 +0100] - WARN - csngen_new_csn - Too much time skew (-414215 secs). Current seqnum=1 Jan 26 20:43:50 idm1 ns-slapd: [26/Jan/2018:20:43:50.996767806 +0100] - WARN - csngen_new_csn - Too much time skew (-414216 secs). Current seqnum=1 Jan 26 20:43:53 idm1 ns-slapd: [26/Jan/2018:20:43:53.245471011 +0100] - WARN - csngen_new_csn - Too much time skew (-414215 secs). Current seqnum=1 Jan 26 20:44:09 idm1 ns-slapd: [26/Jan/2018:20:44:09.057455395 +0100] - WARN - csngen_new_csn - Too much time skew (-414200 secs). 
Current seqnum=1 Jan 26 20:44:09 idm1 ns-slapd: [26/Jan/2018:20:44:09.080883041 +0100] - WARN - csngen_new_csn - Too much time skew (-414201 secs). Current seqnum=1 Jan 26 20:44:22 idm1 ns-slapd: [26/Jan/2018:20:44:22.056086120 +0100] - WARN - csngen_new_csn - Too much time skew (-414189 secs). Current seqnum=1 Jan 26 20:44:22 idm1 ns-slapd: [26/Jan/2018:20:44:22.083244850 +0100] - WARN - csngen_new_csn - Too much time skew (-414190 secs). Current seqnum=1 Jan 26 20:44:22 idm1 ns-slapd: [26/Jan/2018:20:44:22.090879226 +0100] - WARN - csngen_new_csn - Too much time skew (-414191 secs). Current seqnum=1
Hi,
It looks like the "auditSigningCert cert-pki-ca" is invalid.
26/Jan/2018:20:43:16][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling verifyCertificate(auditSigningCert cert-pki-ca, true, ObjectSigner)
[26/Jan/2018:20:43:16][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() failed: java.lang.Exception: Certificate auditSigningCert cert-pki-ca is invalid: Invalid certificate: (-8181) Peer's Certificate has expired.
[26/Jan/2018:20:43:16][localhost-startStop-1]: CertUtils: verifySystemCertsByTag() failed: java.lang.Exception: Certificate auditSigningCert cert-pki-ca is invalid: Invalid certificate: (-8181) Peer's Certificate has expired.
The "auditSigningCert cert-pki-ca" got recently renewed:
Request ID '20171206120336':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    subject: CN=CA Audit,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
    expires: 2020-01-19 13:22:53 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
All the expired certificates, this one too, expired on '2018-01-29 12:00:xx'. But it got renewed 1 hour after it expired.
Request ID '20171206120336':
    status: MONITORING
    ca-error: Invalid cookie: ''
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=WW8KD.FAU.DE,OU=Institute of Materials Simulation (WW8) - FAU,C=DE,E=christof.schulze@fau.de,L=FUERTH
    subject: CN=CA Audit,O=WW8KD.FAU.DE,OU=Institute of Materials Simulation (WW8) - FAU,C=DE,E=christof.schulze@fau.de,L=FUERTH
    expires: 2018-01-29 12:00:45 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
So when going back the new 'auditSigningCert cert-pki-ca' is not.
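A triage check for the kind of `getcert list` output quoted in this thread, as an added example that is not part of the original messages or of certmonger: it parses the listing and reports, for a given clock value, which tracked requests show a ca-error, a status other than MONITORING, or a passed or near expiry. The sample listing, the EXAMPLE request IDs, the two reference times and the 28-day warning window are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of the listings quoted in this thread.
# The EXAMPLE-* request IDs and the second and third entries are made up.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20171206120336':
    status: MONITORING
    ca-error: Invalid cookie: ''
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    expires: 2018-01-29 12:00:45 UTC
    track: yes
    auto-renew: yes
Request ID 'EXAMPLE-2':
    status: SUBMITTING
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    expires: 2018-01-29 12:00:50 UTC
    track: yes
    auto-renew: yes
Request ID 'EXAMPLE-3':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    expires: 2020-01-19 13:22:53 UTC
    track: yes
    auto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']*)':$")
NICKNAME_RE = re.compile(r"nickname='([^']*)'")


def parse_getcert_list(text):
    """Split a listing into one dict per request, keyed by field name."""
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        match = REQUEST_RE.match(line)
        if match:
            current = {"request_id": match.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            # Split on the first colon only: values such as the ca-error
            # text or the storage description contain colons themselves.
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return requests


def nickname(req):
    """Certificate nickname if the storage line has one, else the request ID."""
    match = NICKNAME_RE.search(req.get("certificate", ""))
    return match.group(1) if match else req["request_id"]


def parse_expiry(req):
    """Return the 'expires' field as an aware UTC datetime, or None."""
    try:
        stamp = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S UTC")
    except (KeyError, ValueError):
        return None
    return stamp.replace(tzinfo=timezone.utc)


def triage(requests, now, warn_within=timedelta(days=28)):
    """Return {nickname: [findings]} for requests needing attention at `now`."""
    report = {}
    for req in requests:
        findings = []
        if req.get("status") != "MONITORING":
            findings.append("status " + req.get("status", "unknown"))
        if "ca-error" in req:
            findings.append("ca-error: " + req["ca-error"])
        if req.get("stuck") == "yes":
            findings.append("stuck")
        if req.get("auto-renew") != "yes":
            findings.append("auto-renew off")
        expires = parse_expiry(req)
        if expires is None:
            findings.append("no expiry shown")
        elif expires <= now:
            findings.append("expired")
        elif expires - now <= warn_within:
            hours = int((expires - now).total_seconds() // 3600)
            findings.append("expires in %dh" % hours)
        if findings:
            report[nickname(req)] = findings
    return report


# Constructed reference clocks: one hour after the expiry quoted in the
# thread, and the rolled-back time seen in the syslog (20:43 +0100).
AFTER_EXPIRY = datetime(2018, 1, 29, 13, 0, tzinfo=timezone.utc)
ROLLED_BACK = datetime(2018, 1, 26, 19, 43, tzinfo=timezone.utc)

if __name__ == "__main__":
    parsed = parse_getcert_list(SAMPLE)
    for label, clock in (("after expiry", AFTER_EXPIRY), ("rolled back", ROLLED_BACK)):
        print(label, clock.isoformat())
        for name, findings in triage(parsed, clock).items():
            print("  %s: %s" % (name, "; ".join(findings)))
```

At the rolled-back clock the "expired" findings become expiry warnings, while the ca-error and SUBMITTING findings stay, so the clock change alone does not clear the renewal failure. The listing shows only the expiry, so this check does not see a certificate's start of validity.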
On 01.02.2018 at 01:48, Fraser Tweedale via FreeIPA-users wrote:
On Wed, Jan 31, 2018 at 04:58:30PM +0100, Christof Schulze via FreeIPA-users wrote:
Hi,
did time roll back. Does look like the pki-tomcatd is not running, and cannot be restarted.
Checked the userCertificates, they look identical to me.
The certificate requests for the three expiring certificates are now in SUBMITTING state. Can't see any other errors than:
Jan 26 20:23:59 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[16805]: dogtag-ipa-renew-agent returned 2
Jan 26 20:30:36 idm1.XXXkd.fau.de systemd[1]: Stopping Certificate monitoring and PKI enrollment...
Jan 26 20:30:36 idm1.XXXkd.fau.de systemd[1]: Starting Certificate monitoring and PKI enrollment...
Is there some way to start certmonger and maybe the pki-tomcatd in debugging mode?
What is in /var/log/pki/pki-tomcat/ca/debug? If it is not starting properly, there should be some output in there related to that.
Thanks, Fraser
On 31.01.2018 00:27, Fraser Tweedale via FreeIPA-users wrote:
On Tue, Jan 30, 2018 at 05:29:46PM +0100, Christof Schulze via FreeIPA-users wrote:
Hi,
Checked AVCs first. Selinux is always a burden on our Fedora Clients.
Certmonger is still trying.
Does it make sense to do some time travel for certificate renewal with the renewal master, even if the renewal didn't work when the certificates were still valid?
Time travel will be necessary.
Wind the clock back on the renewal master to a time when all certs are valid, and then investigate why renewal was failing.
Please check that the userCertificate attributes of the following entries are in sync with their corresponding certificates:
- uid=ipara,ou=people,o=ipaca must match /var/lib/ipa/ra-agent.pem
- uid=pkidbuser,ou=people,o=ipaca must match /etc/pki/pki-tomcat/alias : 'subsystemCert cert-pki-ca'
Cheers, Fraser
On 30.01.2018 16:42, Rob Crittenden via FreeIPA-users wrote:
Christof Schulze via FreeIPA-users wrote:
Hi,
Here may be the problem, all are masters, the idm1 I am working on is the CA renewal master (checked ldap and config-show).
IPA masters: idm1.ww8kd.fau.de, idm2.ww8kd.fau.de, idm3.ww8kd.fau.de
IPA CA servers: idm1.ww8kd.fau.de, idm2.ww8kd.fau.de, idm3.ww8kd.fau.de
IPA NTP servers: idm1.ww8kd.fau.de, idm2.ww8kd.fau.de, idm3.ww8kd.fau.de
IPA CA renewal master: idm1.ww8kd.fau.de
But when checking the different points on the site linked by you, I can see: all of them have
ca.crl.MasterCRL.enableCRLUpdates=false
ca.crl.MasterCRL.enableCRLCache=false
And all of them have the RewriteRule in the /etc/httpd/conf.d/ipa-pki-proxy.conf.
I remember years ago the original idm1 got roasted by some electrical surge. And I think it got cloned by one of the others (documentation would be king).
So all of them are clones and we don't have a CRL generation master.
The renewed "auditSigningCert cert-pki-ca" on the master didn't get replicated to the others.
Can I just promote idm1 to become CRL generation master by setting
ca.crl.MasterCRL.enableCRLUpdates=true
ca.crl.MasterCRL.enableCRLCache=true
Yes but that won't affect renewal.
And how to get new certificates?
As Flo suggested, check syslog for certmonger messages. Look for AVCs.
Look at the output of getcert list to see what the status and errors are.
rob
And Thanks for your patience.
On 30.01.2018 14:26, Florence Blanc-Renaud wrote:
> On 01/30/2018 02:02 PM, Christof Schulze via FreeIPA-users wrote:
>> Hi,
>>
>> Now the roof is on fire, all certificates are synced on all masters
>> since a long time ago.
>>
>> The not renewing certificates in /etc/pki/pki-tomcat/alias have now
>> expired
>> "subsystemCert cert-pki-ca" , "ocspSigningCert cert-pki-ca" ,
>> "/var/lib/ipa/ra-agent.pem"
>>
>> The "auditSigningCert cert-pki-ca" certificate is the only one which
>> has been renewed. (Old Serial Number: 5 (0x5), New Serial Number:
>> 536739845 (0x1ffe0005) valid till 2020)
>>
>> The userCertificate in (uid=ipara,ou=people,o=ipaca) and the IPA RA
>> certificate in /var/lib/ipa/ra-agent.pem are matching and expired.
>>
>>
>> pki-tomcat can no longer access the ldap.
>>
>> slapi_ldap_bind - Error: could not send startTLS request: error
>> -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not
>> connected)
>>
>>
>> Is there some way this situation can be solved?
> Hi,
>
> you need first to identify who is your renewal master and start
> repairing this machine. You can use ipa config-show or a direct
> ldapsearch as described here
> (https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Iden...)
> to find the renewal master.
>
> On the renewal master, check if the certificates have been properly
> renewed. If it is not the case, you will need to chase the failure by
> checking SE linux AVCs or errors in the journal produced by certmonger.
> The renewal master really needs to be repaired first, as it is the
> source containing some certs that will later be downloaded by the
> other masters.
>
> Flo
>
>> Thanks
>>
>> Christof Schulze
>>
>>
>>
>> Request ID '20171206120336':
>> status: MONITORING
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>> cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>> cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some
>> Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
>> subject: CN=CA Audit,O=XXXKD.FAU.DE,OU=Some Institute (XXX) -
>> FAU,C=DE,E=guy@example.com,L=FUERTH
>> expires: 2020-01-19 13:22:53 UTC
>> key usage: digitalSignature,nonRepudiation
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>> "auditSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20171206120337':
>> status: MONITORING
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
>> cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
>> cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some
>> Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
>> subject: CN=OCSP Subsystem,O=XXXKD.FAU.DE,OU=Some Institute
>> (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
>> expires: 2018-01-29 12:00:44 UTC
>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>> eku: id-kp-OCSPSigning
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>> "ocspSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20171206120338':
>> status: MONITORING
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
>> cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
>> cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some
>> Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
>> subject: CN=CA Subsystem,O=XXXKD.FAU.DE,OU=Some Institute (XXX)
>> - FAU,C=DE,E=guy@example.com,L=FUERTH
>> expires: 2018-01-29 12:00:44 UTC
>> key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>> "subsystemCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20171206120340':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
>> certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some
>> Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
>> subject: CN=IPA RA,O=XXXKD.FAU.DE,OU=Some Institute (XXX) -
>> FAU,C=DE,E=guy@example.com,L=FUERTH
>> expires: 2018-01-29 12:01:11 UTC
>> key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>> track: yes
>> auto-renew: yes
>>
>>
>> On 30.01.2018 00:40, Fraser Tweedale via FreeIPA-users wrote:
>>> On Mon, Jan 29, 2018 at 03:55:07PM +0100, Christof Schulze via
>>> FreeIPA-users wrote:
>>>> Hi,
>>>>
>>>> some certificates on our freeipa-cluster (3 servers) are have been not
>>>> renewed till now, 2 hours before expiring. Can this be a problem?
>>>>
>>>> Some of the certificates, the ones expiring show "ca-error:
>>>> Invalid cookie:
>>>> '' in the "getcert list" output, what makes me nervous.
>>>>
>>>> We also have the problem when certmonger can not reach the CA
>>>> CA_UNREACHABLE
>>>> after restarting a freeipa-server. But when we restart the
>>>> certmonger.server
>>>> after everything being up again everything looks good.
>>>>
>>>> Maybe you can give me some advice what to check and which logs you
>>>> else
>>>> would need.
>>>>
>>>>
>>>> Thanks
>>>>
>>>> Christof Schulze
>>>>
>>> Hi Christof,
>>>
>>> Yes, it is a problem. They should have been renewed before now.
>>> The errors in `getcert list' output show that there has been a
>>> problem.
>>>
>>> First, check that all certificates are valid, all certificates have
>>> been synced across all masters using `ipa-certupdate` on each
>>> master. You should also check that the userCertificate attribute in
>>> entry:
>>>
>>> uid=ipara,ou=people,o=ipaca
>>>
>>> matches the actual IPA RA certificate in /var/lib/ipa/ra-agent.pem
>>>
>>> Also check that your topology has correct renewal master
>>> configuration. ldapsearch cn=masters,cn=ipa,cn=etc,dc=ipa,dc=local
>>> with filter (&(cn=CA)(ipaConfigString=caRenewalMaster)). It should
>>> return exactly one entry and it must be a valid, active master.
>>>
>>> HTH,
>>> Fraser
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
journalctl -u certmonger.service
Jan 29 20:43:46 idm1.ww8kd.fau.de certmonger[13223]: Certificate in file "/var/lib/ipa/ra-agent.pem" is no longer valid.
Jan 29 20:43:49 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13225]: Forwarding request to dogtag-ipa-renew-agent
Jan 29 20:43:49 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13225]: dogtag-ipa-renew-agent returned 2
.... repeating till...
Jan 29 20:45:10 idm1.ww8kd.fau.de certmonger[13328]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
Jan 29 20:45:13 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13330]: Forwarding request to dogtag-ipa-renew-agent
.... repeating till...
Jan 29 20:53:36 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13943]: dogtag-ipa-renew-agent returned 2
Jan 29 20:53:47 idm1.ww8kd.fau.de certmonger[13954]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
Jan 29 20:53:49 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13956]: Forwarding request to dogtag-ipa-renew-agent
Jan 29 20:53:49 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13956]: dogtag-ipa-renew-agent returned 2
.... repeating till...
Jan 29 20:55:57 idm1.ww8kd.fau.de certmonger[14110]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
Jan 29 20:55:59 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[14112]: Forwarding request to dogtag-ipa-renew-agent
Jan 29 20:55:59 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[14112]: dogtag-ipa-renew-agent returned 2
.... repeating
Then suddenly:
Jan 30 16:09:31 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[27370]: Traceback (most recent call last):
    File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 540, in <module>
      sys.exit(main())
    File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 514, in main
      kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
    File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 43, in kinit_keytab
      cred = gssapi.Credentials(name=name, store=store, usage='initiate')
    File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 64, in __new__
      store=store)
    File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 148, in acquire
      usage)
    File "ext_cred_store.pyx", line 182, in gssapi.raw.ext_cred_store.acquire_cred_from (gssapi/raw/ext_cred_store.c:1732)
  GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639068): Cannot contact any KDC for realm 'WW8KD.FAU.DE'
Jan 30 16:09:31 idm1.ww8kd.fau.de certmonger[15905]: 2018-01-30 16:09:31 [15905] Internal error
Jan 30 16:09:50 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[27500]: Traceback (most recent call last):
    File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 540, in <module>
      sys.exit(main())
    File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 514, in main
      kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
    File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 43, in kinit_keytab
      cred = gssapi.Credentials(name=name, store=store, usage='initiate')
    File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 64, in __new__
      store=store)
    File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 148, in acquire
      usage)
    File "ext_cred_store.pyx", line 182, in gssapi.raw.ext_cred_store.acquire_cred_from (gssapi/raw/ext_cred_store.c:1732)
  GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639068): Cannot contact any KDC for realm 'WW8KD.FAU.DE'
Jan 30 16:09:50 idm1.ww8kd.fau.de certmonger[15905]: 2018-01-30 16:09:50 [15905] Internal error
Jan 30 16:09:51 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[27509]: Traceback (most recent call last):
    File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 540, in <module>
      sys.exit(main())
    File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 514, in main
      kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
    File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 43, in kinit_keytab
      cred = gssapi.Credentials(name=name, store=store, usage='initiate')
    File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 64, in __new__
      store=store)
    File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 148, in acquire
      usage)
    File "ext_cred_store.pyx", line 182, in gssapi.raw.ext_cred_store.acquire_cred_from (gssapi/raw/ext_cred_store.c:1732)
  GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639068): Cannot contact any KDC for realm 'WW8KD.FAU.DE'
Jan 30 16:09:51 idm1.ww8kd.fau.de certmonger[15905]: 2018-01-30 16:09:51 [15905] Internal error
Jan 30 16:15:03 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[28056]: Forwarding request to dogtag-ipa-renew-agent
Jan 30 16:15:03 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[28056]: dogtag-ipa-renew-agent returned 2
.... repeating till end...
Jan 30 17:10:18 idm1 certmonger: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
Jan 30 17:10:20 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 30 17:10:20 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 30 17:10:24 idm1 server: Jan 30, 2018 5:10:24 PM org.apache.catalina.core.ContainerBase backgroundProcess
Jan 30 17:10:24 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process
Jan 30 17:10:24 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Jan 30 17:10:24 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
Jan 30 17:10:24 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
Jan 30 17:10:24 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
Jan 30 17:10:24 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
Jan 30 17:10:24 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:24 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:24 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
Jan 30 17:10:24 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 30 17:10:26 idm1 certmonger: Certificate in file "/var/lib/ipa/ra-agent.pem" is no longer valid.
Jan 30 17:10:28 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 30 17:10:28 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 30 17:10:34 idm1 server: Jan 30, 2018 5:10:34 PM org.apache.catalina.core.ContainerBase backgroundProcess
Jan 30 17:10:34 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process
Jan 30 17:10:34 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Jan 30 17:10:34 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
Jan 30 17:10:34 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
Jan 30 17:10:34 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
Jan 30 17:10:34 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
Jan 30 17:10:34 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:34 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:34 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
Jan 30 17:10:34 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 30 17:10:44 idm1 server: Jan 30, 2018 5:10:44 PM org.apache.catalina.core.ContainerBase backgroundProcess
Jan 30 17:10:44 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process
Jan 30 17:10:44 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Jan 30 17:10:44 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
Jan 30 17:10:44 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
Jan 30 17:10:44 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
Jan 30 17:10:44 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
Jan 30 17:10:44 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:44 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:44 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
Jan 30 17:10:44 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 30 17:10:44 idm1 certmonger: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
Jan 30 17:10:46 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 30 17:10:46 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 30 17:10:50 idm1 certmonger: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
Jan 30 17:10:53 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 30 17:10:53 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 30 17:10:54 idm1 server: Jan 30, 2018 5:10:54 PM org.apache.catalina.core.ContainerBase backgroundProcess
Jan 30 17:10:54 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process
Jan 30 17:10:54 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Jan 30 17:10:54 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
Jan 30 17:10:54 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
Jan 30 17:10:54 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
Jan 30 17:10:54 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
Jan 30 17:10:54 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:54 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:54 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
Jan 30 17:10:54 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 30 17:10:58 idm1 certmonger: Certificate in file "/var/lib/ipa/ra-agent.pem" is no longer valid.
Jan 30 17:11:01 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 30 17:11:01 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
-- Christof Schulze
Institute of Materials Simulation (WW8)
Department of Materials Science
Friedrich-Alexander-University Erlangen-Nürnberg
Dr.-Mack-Str. 77, 90762 Fürth, Germany
Tel: 0911/65078-65069
Email: christof.schulze@ww.uni-erlangen.de

journalctl -u certmonger.service
Jan 26 20:03:58 idm1.XXXkd.fau.de ipa-submit[15799]: GSSAPI client step 1
Jan 26 20:03:58 idm1.XXXkd.fau.de ipa-submit[15799]: GSSAPI client step 1
Jan 26 20:03:58 idm1.XXXkd.fau.de ipa-submit[15799]: GSSAPI client step 1
Jan 26 20:03:58 idm1.XXXkd.fau.de ipa-submit[15799]: GSSAPI client step 1
Jan 26 20:03:58 idm1.XXXkd.fau.de ipa-submit[15799]: GSSAPI client step 2
Jan 26 20:03:59 idm1.XXXkd.fau.de certmonger[15838]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20180129120044.
Jan 26 20:04:32 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[15860]: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:04:32 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[15860]: dogtag-ipa-renew-agent returned 2
Jan 26 20:04:42 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[15853]: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:04:42 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[15853]: dogtag-ipa-renew-agent returned 2
Jan 26 20:04:52 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[15851]: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:04:52 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[15851]: dogtag-ipa-renew-agent returned 2
Jan 26 20:06:08 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[16044]: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:06:08 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[16044]: dogtag-ipa-renew-agent returned 2
Jan 26 20:16:36 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[16726]: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:16:37 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[16726]: dogtag-ipa-renew-agent returned 2
Jan 26 20:17:37 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[16746]: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:17:37 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[16746]: dogtag-ipa-renew-agent returned 2
Jan 26 20:23:59 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[16805]: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:23:59 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[16805]: dogtag-ipa-renew-agent returned 2

Request ID '20171206120337':
    status: SUBMITTING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=christof.schulze@fau.de,L=FUERTH
    subject: CN=OCSP Subsystem,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=christof.schulze@fau.de,L=FUERTH
    expires: 2018-01-29 12:00:44 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    eku: id-kp-OCSPSigning
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20171206120338':
    status: SUBMITTING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=christof.schulze@fau.de,L=FUERTH
    subject: CN=CA Subsystem,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=christof.schulze@fau.de,L=FUERTH
    expires: 2018-01-29 12:00:44 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20171206120340':
    status: SUBMITTING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=christof.schulze@fau.de,L=FUERTH
    subject: CN=IPA RA,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=christof.schulze@fau.de,L=FUERTH
    expires: 2018-01-29 12:01:11 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes

ldapsearch -x -h localhost -b uid=pkidbuser,ou=people,o=ipaca
# extended LDIF
#
# LDAPv3
# base <uid=pkidbuser,ou=people,o=ipaca> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# pkidbuser, people, ipaca
dn: uid=pkidbuser,ou=people,o=ipaca
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
uid: pkidbuser
sn: pkidbuser
cn: pkidbuser
mail:
usertype: agentType
userstate: 1
description: 2;4;CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Institute of Mater
 ials Simulation (XXX) - FAU,C=DE,E=christof.schulze@fau.de,L=FUERTH;CN=CA Sub
 system,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E
 =christof.schulze@fau.de,L=FUERTH
userCertificate:: MIIEcz .................
seeAlso: CN=CA Subsystem,O=XXXKD.FAU.DE,OU=Some Institute (
 XXX) - FAU,C=DE,E=christof.schulze@fau.de,L=FUERTH

# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1

Jan 26 20:00:00 idm1 systemd: Time has been changed
Jan 26 20:00:05 idm1 server: Jan 26, 2018 8:00:05 PM org.apache.catalina.core.ContainerBase backgroundProcess
Jan 26 20:00:05 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process
Jan 26 20:00:05 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Jan 26 20:00:05 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
Jan 26 20:00:05 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
Jan 26 20:00:05 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
Jan 26 20:00:05 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
Jan 26 20:00:05 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 26 20:00:05 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 26 20:00:05 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
Jan 26 20:00:05 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 26 20:00:10 idm1 ns-slapd: [26/Jan/2018:20:00:10.040578826 +0100] - WARN - csngen_new_csn - Too much time skew (-416592 secs). Current seqnum=4
Jan 26 20:00:10 idm1 ns-slapd: [26/Jan/2018:20:00:10.061165225 +0100] - WARN - csngen_new_csn - Too much time skew (-416593 secs). Current seqnum=5
Jan 26 20:00:10 idm1 ns-slapd: [26/Jan/2018:20:00:10.087176808 +0100] - WARN - csngen_new_csn - Too much time skew (-416594 secs). Current seqnum=6
Jan 26 20:00:10 idm1 ns-slapd: [26/Jan/2018:20:00:10.093683659 +0100] - WARN - csngen_new_csn - Too much time skew (-416595 secs). Current seqnum=7
Jan 26 20:00:15 idm1 server: Jan 26, 2018 8:00:15 PM org.apache.catalina.core.ContainerBase backgroundProcess
Jan 26 20:00:15 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process
Jan 26 20:00:15 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Jan 26 20:00:15 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
Jan 26 20:00:15 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
Jan 26 20:00:15 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
Jan 26 20:00:15 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
Jan 26 20:00:15 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 26 20:00:15 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 26 20:00:15 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
Jan 26 20:00:15 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 26 20:00:25 idm1 server: Jan 26, 2018 8:00:25 PM org.apache.catalina.core.ContainerBase backgroundProcess
Jan 26 20:00:25 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process
Jan 26 20:00:25 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Jan 26 20:00:25 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
Jan 26 20:00:25 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
Jan 26 20:00:25 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
Jan 26 20:00:25 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
Jan 26 20:00:25 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 26 20:00:25 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 26 20:00:25 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
Jan 26 20:00:25 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 26 20:00:26 idm1 systemd: Starting PKI Tomcat Server tomcatd...
Jan 26 20:00:26 idm1 pkidaemon: tomcatd is an invalid 'tomcat' instance
Jan 26 20:00:26 idm1 systemd: pki-tomcatd@tomcatd.service: control process exited, code=exited status=5
Jan 26 20:00:26 idm1 systemd: Failed to start PKI Tomcat Server tomcatd.
Jan 26 20:00:26 idm1 systemd: Unit pki-tomcatd@tomcatd.service entered failed state.
Jan 26 20:00:26 idm1 systemd: pki-tomcatd@tomcatd.service failed.
Jan 26 20:00:30 idm1 ns-slapd: [26/Jan/2018:20:00:30.030350069 +0100] - WARN - csngen_new_csn - Too much time skew (-416576 secs). Current seqnum=8
Jan 26 20:00:30 idm1 ns-slapd: [26/Jan/2018:20:00:30.036532171 +0100] - WARN - csngen_new_csn - Too much time skew (-416577 secs). Current seqnum=9
Jan 26 20:00:30 idm1 ns-slapd: [26/Jan/2018:20:00:30.054084481 +0100] - WARN - csngen_new_csn - Too much time skew (-416578 secs). Current seqnum=a
Jan 26 20:00:30 idm1 ns-slapd: [26/Jan/2018:20:00:30.072843629 +0100] - WARN - csngen_new_csn - Too much time skew (-416579 secs). Current seqnum=b
Jan 26 20:00:35 idm1 server: Jan 26, 2018 8:00:35 PM org.apache.catalina.core.ContainerBase backgroundProcess
Jan 26 20:00:35 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process
Jan 26 20:00:35 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Jan 26 20:00:35 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
Jan 26 20:00:35 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
Jan 26 20:00:35 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
Jan 26 20:00:35 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
Jan 26 20:00:35 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 26 20:00:35 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 26 20:00:35 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
Jan 26 20:00:35 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 26 20:00:45 idm1 server: Jan 26, 2018 8:00:45 PM org.apache.catalina.core.ContainerBase backgroundProcess
Jan 26 20:00:45 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process
Jan 26 20:00:45 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Jan 26 20:00:45 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
Jan 26 20:00:45 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
Jan 26 20:00:45 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
Jan 26 20:00:45 idm1
server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542) Jan 26 20:00:45 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552) Jan 26 20:00:45 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552) Jan 26 20:00:45 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520) Jan 26 20:00:45 idm1 server: at java.lang.Thread.run(Thread.java:748) Jan 26 20:00:48 idm1 ns-slapd: [26/Jan/2018:20:00:48.030570760 +0100] - WARN - csngen_new_csn - Too much time skew (-416562 secs). Current seqnum=4 Jan 26 20:00:48 idm1 ns-slapd: [26/Jan/2018:20:00:48.035772779 +0100] - WARN - csngen_new_csn - Too much time skew (-416563 secs). Current seqnum=5 Jan 26 20:00:48 idm1 ns-slapd: [26/Jan/2018:20:00:48.053399054 +0100] - WARN - csngen_new_csn - Too much time skew (-416564 secs). Current seqnum=6 Jan 26 20:00:48 idm1 ns-slapd: [26/Jan/2018:20:00:48.058488375 +0100] - WARN - csngen_new_csn - Too much time skew (-416565 secs). Current seqnum=7 Jan 26 20:00:54 idm1 systemd: Stopped target PKI Tomcat Server. Jan 26 20:00:54 idm1 systemd: Stopping PKI Tomcat Server. Jan 26 20:00:54 idm1 systemd: Stopping PKI Tomcat Server pki-tomcat... Jan 26 20:00:54 idm1 systemd: Stopping 389 Directory Server XXXKD-FAU-DE.... 
Jan 26 20:00:54 idm1 ns-slapd: [26/Jan/2018:20:00:54.631434461 +0100] - INFO - op_thread_cleanup - slapd shutting down - signaling operation threads - op stack size 19 max work q size 6 max work q stack size 6
Jan 26 20:00:54 idm1 ns-slapd: [26/Jan/2018:20:00:54.662944402 +0100] - INFO - slapd_daemon - slapd shutting down - waiting for 14 threads to terminate
Jan 26 20:00:54 idm1 ns-slapd: [26/Jan/2018:20:00:54.693612476 +0100] - INFO - slapd_daemon - slapd shutting down - closing down internal subsystems and plugins
Jan 26 20:00:55 idm1 server: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
Jan 26 20:00:55 idm1 server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
Jan 26 20:00:55 idm1 server: main class used: org.apache.catalina.startup.Bootstrap
Jan 26 20:00:55 idm1 server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni
Jan 26 20:00:55 idm1 server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
Jan 26 20:00:55 idm1 server: arguments used: stop
Jan 26 20:00:55 idm1 ns-slapd: [26/Jan/2018:20:00:55.269159082 +0100] - INFO - dblayer_pre_close - Waiting for 4 database threads to stop
Jan 26 20:00:55 idm1 server: Jan 26, 2018 8:00:55 PM org.apache.catalina.core.ContainerBase backgroundProcess
Jan 26 20:00:55 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process
Jan 26 20:00:55 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Jan 26 20:00:55 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
Jan 26 20:00:55 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
Jan 26 20:00:55 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
Jan 26 20:00:55 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
Jan 26 20:00:55 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 26 20:00:55 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 26 20:00:55 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
Jan 26 20:00:55 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 26 20:00:56 idm1 ns-slapd: [26/Jan/2018:20:00:56.047222363 +0100] - INFO - dblayer_pre_close - All database threads now stopped
Jan 26 20:00:56 idm1 ns-slapd: [26/Jan/2018:20:00:56.136143475 +0100] - INFO - ldbm_back_instance_set_destructor - Set of instances destroyed
Jan 26 20:00:56 idm1 ns-slapd: [26/Jan/2018:20:00:56.250499625 +0100] - INFO - connection_post_shutdown_cleanup - slapd shutting down - freed 6 work q stack objects - freed 19 op stack objects
Jan 26 20:00:56 idm1 ns-slapd: [26/Jan/2018:20:00:56.466290546 +0100] - INFO - main - slapd stopped.
Jan 26 20:00:57 idm1 systemd: Starting 389 Directory Server XXXKD-FAU-DE....
Jan 26 20:00:57 idm1 server: Jan 26, 2018 8:00:57 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
Jan 26 20:00:57 idm1 server: WARNING: Problem with JAR file [/usr/share/pki/server/common/lib/symkey.jar], exists: [false], canRead: [false]
Jan 26 20:00:59 idm1 server: Jan 26, 2018 8:00:59 PM org.apache.catalina.core.StandardServer await
Jan 26 20:00:59 idm1 server: INFO: A valid shutdown command was received via the shutdown port. Stopping the Server instance.
Jan 26 20:00:59 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_stop]
Jan 26 20:00:59 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[stop]
Jan 26 20:00:59 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[configure_stop]
Jan 26 20:00:59 idm1 server: Jan 26, 2018 8:00:59 PM org.apache.coyote.AbstractProtocol pause
Jan 26 20:00:59 idm1 server: INFO: Pausing ProtocolHandler ["http-bio-8080"]
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.166056006 +0100] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.192768272 +0100] - INFO - Security Initialization - SSL info: Enabling default cipher set.
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.194054627 +0100] - INFO - Security Initialization - SSL info: Configured NSS Ciphers
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.195443005 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.196488030 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.197471823 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.198476669 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.199408370 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.200335494 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.201269623 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.202187620 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.203076746 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:01:00 idm1 systemd: Stopped PKI Tomcat Server pki-tomcat.
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.212403223 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.213802057 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.214320583 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.215664034 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.216287901 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.216973776 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.217398701 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.217909449 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.218369168 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.218796504 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.219235985 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.220009250 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.220862707 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.221671302 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.222376985 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.223115430 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.223989576 +0100] - INFO - Security Initialization - SSL info: #011TLS_AES_128_GCM_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.224808605 +0100] - INFO - Security Initialization - SSL info: #011TLS_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.225509347 +0100] - INFO - Security Initialization - SSL info: #011TLS_AES_256_GCM_SHA384: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.251261397 +0100] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.2
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.252601147 +0100] - INFO - main - 389-Directory/1.3.6.1 B2018.025.1550 starting up
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.267546859 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.271447152 +0100] - WARN - default_mr_indexer_create - Plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.275981745 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.283140403 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.289336025 +0100] - NOTICE - ldbm_back_start - found 1532164k physical memory
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.290187342 +0100] - NOTICE - ldbm_back_start - found 588692k available
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.291044337 +0100] - NOTICE - ldbm_back_start - cache autosizing: db cache: 61286k
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.291982935 +0100] - NOTICE - ldbm_back_start - cache autosizing: userRoot entry cache (3 total): 65536k
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.294255028 +0100] - NOTICE - ldbm_back_start - cache autosizing: ipaca entry cache (3 total): 65536k
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.296509006 +0100] - NOTICE - ldbm_back_start - cache autosizing: changelog entry cache (3 total): 65536k
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.298844301 +0100] - NOTICE - ldbm_back_start - total cache size: 282989821 B;
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.208240370 +0100] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.256911972 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.258221666 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=keys,cn=sec,cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.259183606 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.260299224 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.261345202 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.262389108 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.263438748 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.264619539 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.265661588 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.266617305 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.267503563 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.268386977 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.269339542 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.270164213 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.271060127 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.271880025 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.272730680 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.273618472 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.274598861 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.275455547 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.276441760 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.283273623 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.284297934 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 systemd: Started Session 84 of user root.
Jan 26 20:01:01 idm1 systemd: Starting Session 84 of user root.
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.396213753 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.399323317 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat".
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.399986425 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat".
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.400970832 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat".
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.636616613 +0100] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.639886286 +0100] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/idm1.XXXkd.fau.de@XXXKD.FAU.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.644711700 +0100] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.645973404 +0100] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.659963996 +0100] - INFO - slapd_daemon - Listening on /var/run/slapd-XXXKD-FAU-DE.socket for LDAPI requests
Jan 26 20:01:01 idm1 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: /tmp/krb5cc_993))
Jan 26 20:01:01 idm1 systemd: Started 389 Directory Server XXXKD-FAU-DE..
Jan 26 20:01:01 idm1 systemd: Stopping Kerberos 5 KDC...
Jan 26 20:01:01 idm1 systemd: Starting Kerberos 5 KDC...
Jan 26 20:01:02 idm1 systemd: PID file /var/run/krb5kdc.pid not readable (yet?) after start.
Jan 26 20:01:02 idm1 systemd: Started Kerberos 5 KDC.
Jan 26 20:01:02 idm1 systemd: Stopping Kerberos 5 Password-changing and Administration...
Jan 26 20:01:02 idm1 systemd: kadmin.service: main process exited, code=exited, status=2/INVALIDARGUMENT
Jan 26 20:01:02 idm1 systemd: Unit kadmin.service entered failed state.
Jan 26 20:01:02 idm1 systemd: kadmin.service failed.
Jan 26 20:01:02 idm1 systemd: Starting Kerberos 5 Password-changing and Administration...
Jan 26 20:01:02 idm1 systemd: Started Kerberos 5 Password-changing and Administration.
Jan 26 20:01:02 idm1 systemd: Stopping The Apache HTTP Server...
Jan 26 20:01:04 idm1 kernel: httpd[27874]: segfault at 8 ip 00007ff9ffbd2a90 sp 00007ff9dbc05d70 error 4 in libpython2.7.so.1.0[7ff9ffad3000+17d000]
Jan 26 20:01:04 idm1 ns-slapd: [26/Jan/2018:20:01:04.672339153 +0100] - WARN - csngen_new_csn - Too much time skew (-416549 secs). Current seqnum=8
Jan 26 20:01:05 idm1 ns-slapd: [26/Jan/2018:20:01:05.044521936 +0100] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToidm2.XXXkd.fau.de" (idm2:389) - Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
Jan 26 20:01:05 idm1 systemd: Starting The Apache HTTP Server...
Jan 26 20:01:05 idm1 ipa-httpd-kdcproxy: ipa : INFO KDC proxy enabled
Jan 26 20:01:06 idm1 systemd: Started The Apache HTTP Server.
Jan 26 20:01:07 idm1 systemd: Stopping IPA Custodia Service...
Jan 26 20:01:07 idm1 systemd: Starting IPA Custodia Service...
Jan 26 20:01:07 idm1 ns-slapd: [26/Jan/2018:20:01:07.739422386 +0100] - ERR - schema-compat-plugin - Finished plugin initialization.
Jan 26 20:01:08 idm1 ipa-custodia: 2018-01-26 20:01:08 - server - Serving on Unix socket /run/httpd/ipa-custodia.sock
Jan 26 20:01:08 idm1 systemd: Started IPA Custodia Service.
Jan 26 20:01:08 idm1 systemd: Starting Network Time Service...
Jan 26 20:01:08 idm1 ntpd[15428]: ntpd 4.2.6p5@1.2349-o Wed Apr 12 21:24:06 UTC 2017 (1)
Jan 26 20:01:08 idm1 ntpd[15429]: proto: precision = 0.087 usec
Jan 26 20:01:08 idm1 ntpd[15429]: 0.0.0.0 c01d 0d kern kernel time sync enabled
Jan 26 20:01:08 idm1 systemd: Started Network Time Service.
Jan 26 20:01:08 idm1 ntpd[15429]: getaddrinfo: "2001:638:a000:b201::/64" invalid host address, ignored
Jan 26 20:01:08 idm1 systemd: Starting PKI Tomcat Server pki-tomcat...
Jan 26 20:01:08 idm1 ntpd[15429]: restrict: error in address '2001:638:a000:b201::/64' on line 21. Ignoring...
Jan 26 20:01:08 idm1 ntpd[15429]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
Jan 26 20:01:08 idm1 ntpd[15429]: Listen and drop on 1 v6wildcard :: UDP 123
Jan 26 20:01:08 idm1 ntpd[15429]: Listen normally on 2 lo 127.0.0.1 UDP 123
Jan 26 20:01:08 idm1 ntpd[15429]: Listen normally on 3 eth0 10.188.220.100 UDP 123
Jan 26 20:01:08 idm1 ntpd[15429]: Listen normally on 4 lo ::1 UDP 123
Jan 26 20:01:08 idm1 ntpd[15429]: Listen normally on 5 eth0 fe80::5054:ff:fe4e:b270 UDP 123
Jan 26 20:01:08 idm1 ntpd[15429]: Listen normally on 6 eth0 2001:638:a000:b201::220:100 UDP 123
Jan 26 20:01:08 idm1 ntpd[15429]: Listening on routing socket on fd #23 for interface updates
Jan 26 20:01:08 idm1 ntpd[15429]: 0.0.0.0 c016 06 restart
Jan 26 20:01:08 idm1 ntpd[15429]: 0.0.0.0 c012 02 freq_set ntpd -11.506 PPM
Jan 26 20:01:09 idm1 pkidaemon: -----------------------
Jan 26 20:01:09 idm1 pkidaemon: Banner is not installed
Jan 26 20:01:09 idm1 pkidaemon: -----------------------
Jan 26 20:01:09 idm1 pkidaemon: ----------------------
Jan 26 20:01:09 idm1 pkidaemon: Enabled all subsystems
Jan 26 20:01:09 idm1 pkidaemon: ----------------------
Jan 26 20:01:10 idm1 systemd: Started PKI Tomcat Server pki-tomcat.
Jan 26 20:01:10 idm1 systemd: Reached target PKI Tomcat Server.
Jan 26 20:01:10 idm1 systemd: Starting PKI Tomcat Server.
Jan 26 20:01:10 idm1 server: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
Jan 26 20:01:10 idm1 server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
Jan 26 20:01:10 idm1 server: main class used: org.apache.catalina.startup.Bootstrap
Jan 26 20:01:10 idm1 server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni
Jan 26 20:01:10 idm1 server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy
Jan 26 20:01:10 idm1 server: arguments used: start
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
Jan 26 20:01:11 idm1 server: WARNING: Problem with JAR file [/usr/share/pki/server/common/lib/symkey.jar], exists: [false], canRead: [false]
Jan 26 20:01:11 idm1 ns-slapd: [26/Jan/2018:20:01:11.084620256 +0100] - WARN - csngen_new_csn - Too much time skew (-416544 secs). Current seqnum=9
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://idm1.XXXkd.fau.de:9080/ca/ocsp' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'strictCiphers' to 'true' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256' did not find a matching property. Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property. 
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property. Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property. Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property. Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.tomcat.util.digester.SetPropertiesRule begin Jan 26 20:01:11 idm1 server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property. Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.tomcat.util.digester.SetPropertiesRule begin Jan 26 20:01:11 idm1 server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property. 
Jan 26 20:01:11 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_init]
Jan 26 20:01:12 idm1 server: Jan 26, 2018 8:01:12 PM org.apache.coyote.AbstractProtocol init
Jan 26 20:01:12 idm1 server: INFO: Initializing ProtocolHandler ["http-bio-8080"]
Jan 26 20:01:12 idm1 server: Jan 26, 2018 8:01:12 PM org.apache.coyote.AbstractProtocol init
Jan 26 20:01:12 idm1 server: INFO: Initializing ProtocolHandler ["http-bio-8443"]
Jan 26 20:01:12 idm1 server: Error: SSL cipher "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" not recognized by tomcatjss
Jan 26 20:01:12 idm1 server: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" not recognized by tomcatjss
Jan 26 20:01:12 idm1 server: Jan 26, 2018 8:01:12 PM org.apache.coyote.AbstractProtocol init
Jan 26 20:01:12 idm1 server: INFO: Initializing ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Jan 26 20:01:12 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[after_init]
Jan 26 20:01:12 idm1 server: Jan 26, 2018 8:01:12 PM org.apache.catalina.startup.Catalina load
Jan 26 20:01:12 idm1 server: INFO: Initialization processed in 1363 ms
Jan 26 20:01:12 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_start]
Jan 26 20:01:12 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[configure_start]
Jan 26 20:01:12 idm1 ns-slapd: [26/Jan/2018:20:01:12.623763048 +0100] - WARN - csngen_new_csn - Too much time skew (-416544 secs). Current seqnum=a
Jan 26 20:01:12 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[start]
Jan 26 20:01:12 idm1 server: Jan 26, 2018 8:01:12 PM org.apache.catalina.core.StandardService startInternal
Jan 26 20:01:12 idm1 server: INFO: Starting service Catalina
Jan 26 20:01:12 idm1 server: Jan 26, 2018 8:01:12 PM org.apache.catalina.core.StandardEngine startInternal
Jan 26 20:01:12 idm1 server: INFO: Starting Servlet Engine: Apache Tomcat/7.0.76
Jan 26 20:01:12 idm1 server: Jan 26, 2018 8:01:12 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:01:12 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml
Jan 26 20:01:12 idm1 ns-slapd: [26/Jan/2018:20:01:12.731562409 +0100] - WARN - csngen_new_csn - Too much time skew (-416544 secs). Current seqnum=b
Jan 26 20:01:12 idm1 server: SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
Jan 26 20:01:12 idm1 server: SSLAuthenticatorWithFallback: Setting container
Jan 26 20:01:13 idm1 ntpd[15429]: 0.0.0.0 c515 05 clock_sync
Jan 26 20:01:15 idm1 server: Jan 26, 2018 8:01:15 PM org.apache.catalina.startup.TldConfig execute
Jan 26 20:01:15 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jan 26 20:01:15 idm1 server: SSLAuthenticatorWithFallback: Initializing authenticators
Jan 26 20:01:15 idm1 server: SSLAuthenticatorWithFallback: Starting authenticators
Jan 26 20:01:15 idm1 server: CMSEngine.initializePasswordStore() begins
Jan 26 20:01:15 idm1 server: CMSEngine.initializePasswordStore(): tag=internaldb
Jan 26 20:01:15 idm1 server: CMSEngine.initializePasswordStore(): tag=replicationdb
Jan 26 20:01:18 idm1 server: SelfTestSubsystem: Disabling "ca" subsystem due to selftest failure.
Jan 26 20:01:18 idm1 server: -----------------------
Jan 26 20:01:18 idm1 server: Disabled "ca" subsystem
Jan 26 20:01:18 idm1 server: -----------------------
Jan 26 20:01:18 idm1 server: Subsystem ID: ca
Jan 26 20:01:18 idm1 server: Instance ID: pki-tomcat
Jan 26 20:01:18 idm1 server: Enabled: False
Jan 26 20:01:18 idm1 server: Invalid class name repositorytop
Jan 26 20:01:19 idm1 server: Invalid class name repositorytop
Jan 26 20:01:19 idm1 server: at com.netscape.cmscore.dbs.DBRegistry.createObject(DBRegistry.java:485)
Jan 26 20:01:19 idm1 server: at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:167)
Jan 26 20:01:19 idm1 server: at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:137)
Jan 26 20:01:19 idm1 server: at com.netscape.cmscore.dbs.Repository.getSerialNumber(Repository.java:125)
Jan 26 20:01:19 idm1 server: at com.netscape.cmscore.dbs.Repository.initCache(Repository.java:244)
Jan 26 20:01:19 idm1 server: at com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:460)
Jan 26 20:01:19 idm1 server: at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1378)
Jan 26 20:01:19 idm1 server: at com.netscape.certsrv.apps.CMS.startup(CMS.java:202)
Jan 26 20:01:19 idm1 server: at com.netscape.certsrv.apps.CMS.start(CMS.java:1632)
Jan 26 20:01:19 idm1 server: at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
Jan 26 20:01:19 idm1 server: at javax.servlet.GenericServlet.init(GenericServlet.java:158)
Jan 26 20:01:19 idm1 server: at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Jan 26 20:01:19 idm1 server: at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
Jan 26 20:01:19 idm1 server: at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Jan 26 20:01:19 idm1 server: at java.lang.reflect.Method.invoke(Method.java:498)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
Jan 26 20:01:19 idm1 server: at java.security.AccessController.doPrivileged(Native Method)
Jan 26 20:01:19 idm1 server: at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1257)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1182)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1072)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5368)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5660)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
Jan 26 20:01:19 idm1 server: at java.security.AccessController.doPrivileged(Native Method)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
Jan 26 20:01:19 idm1 server: at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
Jan 26 20:01:19 idm1 server: at java.util.concurrent.FutureTask.run(FutureTask.java:266)
Jan 26 20:01:19 idm1 server: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
Jan 26 20:01:19 idm1 server: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
Jan 26 20:01:19 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 26 20:01:19 idm1 server: Jan 26, 2018 8:01:19 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:01:19 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 6,698 ms
Jan 26 20:01:19 idm1 server: Jan 26, 2018 8:01:19 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:01:19 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml
Jan 26 20:01:20 idm1 server: Jan 26, 2018 8:01:20 PM org.apache.catalina.startup.TldConfig execute
Jan 26 20:01:20 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jan 26 20:01:20 idm1 server: Jan 26, 2018 8:01:20 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:01:20 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml has finished in 857 ms
Jan 26 20:01:20 idm1 server: Jan 26, 2018 8:01:20 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:01:20 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml
Jan 26 20:01:21 idm1 server: Jan 26, 2018 8:01:21 PM org.apache.catalina.startup.TldConfig execute
Jan 26 20:01:21 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jan 26 20:01:21 idm1 server: Jan 26, 2018 8:01:21 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:01:21 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml has finished in 1,161 ms
Jan 26 20:01:21 idm1 server: Jan 26, 2018 8:01:21 PM org.apache.coyote.AbstractProtocol start
Jan 26 20:01:21 idm1 server: INFO: Starting ProtocolHandler ["http-bio-8080"]
Jan 26 20:01:21 idm1 server: Jan 26, 2018 8:01:21 PM org.apache.coyote.AbstractProtocol start
Jan 26 20:01:21 idm1 server: INFO: Starting ProtocolHandler ["http-bio-8443"]
Jan 26 20:01:21 idm1 server: Jan 26, 2018 8:01:21 PM org.apache.coyote.AbstractProtocol start
Jan 26 20:01:21 idm1 server: INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Jan 26 20:01:21 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[after_start]
Jan 26 20:01:21 idm1 ntpd[15429]: 0.0.0.0 0613 03 spike_detect +416608.985992 s
Jan 26 20:01:21 idm1 server: PKIListener: Subsystem CA is disabled.
Jan 26 20:01:21 idm1 server: PKIListener: Check /var/log/pki/pki-tomcat/ca/selftests.log for possible errors.
Jan 26 20:01:21 idm1 server: PKIListener: To enable the subsystem:
Jan 26 20:01:21 idm1 server: PKIListener: pki-server subsystem-enable -i pki-tomcat ca
Jan 26 20:01:21 idm1 server: Jan 26, 2018 8:01:21 PM org.apache.catalina.startup.Catalina start
Jan 26 20:01:21 idm1 server: INFO: Server startup in 8856 ms
Jan 26 20:01:23 idm1 ns-slapd: [26/Jan/2018:20:01:23.234040056 +0100] - WARN - csngen_new_csn - Too much time skew (-416535 secs). Current seqnum=c
Jan 26 20:01:31 idm1 ns-slapd: [26/Jan/2018:20:01:31.761653163 +0100] - WARN - csngen_new_csn - Too much time skew (-416527 secs). Current seqnum=d
Jan 26 20:01:31 idm1 ns-slapd: [26/Jan/2018:20:01:31.782442210 +0100] - WARN - csngen_new_csn - Too much time skew (-416528 secs). Current seqnum=e
Jan 26 20:01:31 idm1 server: Jan 26, 2018 8:01:31 PM org.apache.catalina.startup.HostConfig undeploy
Jan 26 20:01:31 idm1 server: INFO: Undeploying context [/ca]
Jan 26 20:01:31 idm1 server: SSLAuthenticatorWithFallback: Stopping authenticators
Jan 26 20:01:31 idm1 server: Jan 26, 2018 8:01:31 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:01:31 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-0ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:01:31 idm1 server: Jan 26, 2018 8:01:31 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:01:31 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-2ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:01:31 idm1 server: Jan 26, 2018 8:01:31 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:01:31 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [authorityMonitor] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:01:31 idm1 server: Jan 26, 2018 8:01:31 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:01:31 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-3ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:01:31 idm1 server: Jan 26, 2018 8:01:31 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:01:31 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [profileChangeMonitor] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:01:31 idm1 server: SSLAuthenticatorWithFallback: Setting container
Jan 26 20:01:32 idm1 ns-slapd: [26/Jan/2018:20:01:32.298667463 +0100] - WARN - csngen_new_csn - Too much time skew (-416529 secs). Current seqnum=f
Jan 26 20:01:32 idm1 ns-slapd: [26/Jan/2018:20:01:32.678832654 +0100] - WARN - csngen_new_csn - Too much time skew (-416530 secs). Current seqnum=10
Jan 26 20:01:33 idm1 ns-slapd: [26/Jan/2018:20:01:33.028623160 +0100] - WARN - csngen_new_csn - Too much time skew (-416530 secs). Current seqnum=11
Jan 26 20:01:33 idm1 ns-slapd: [26/Jan/2018:20:01:33.048763804 +0100] - WARN - csngen_new_csn - Too much time skew (-416531 secs). Current seqnum=12
Jan 26 20:01:47 idm1 ns-slapd: [26/Jan/2018:20:01:47.701332510 +0100] - WARN - csngen_new_csn - Too much time skew (-416517 secs). Current seqnum=13
Jan 26 20:02:04 idm1 ns-slapd: [26/Jan/2018:20:02:04.380427048 +0100] - WARN - csngen_new_csn - Too much time skew (-416502 secs). Current seqnum=14
Jan 26 20:02:04 idm1 ns-slapd: [26/Jan/2018:20:02:04.405310477 +0100] - WARN - csngen_new_csn - Too much time skew (-416503 secs). Current seqnum=15
Jan 26 20:02:34 idm1 ns-slapd: [26/Jan/2018:20:02:34.796622396 +0100] - WARN - csngen_new_csn - Too much time skew (-416473 secs). Current seqnum=16
Jan 26 20:02:37 idm1 ns-slapd: [26/Jan/2018:20:02:37.454779669 +0100] - WARN - csngen_new_csn - Too much time skew (-416472 secs). Current seqnum=17
Jan 26 20:02:37 idm1 ns-slapd: [26/Jan/2018:20:02:37.476249201 +0100] - WARN - csngen_new_csn - Too much time skew (-416473 secs). Current seqnum=18
Jan 26 20:02:37 idm1 ns-slapd: [26/Jan/2018:20:02:37.517017269 +0100] - WARN - csngen_new_csn - Too much time skew (-416474 secs). Current seqnum=19
Jan 26 20:02:37 idm1 ns-slapd: [26/Jan/2018:20:02:37.539991754 +0100] - WARN - csngen_new_csn - Too much time skew (-416475 secs). Current seqnum=1a
Jan 26 20:02:48 idm1 systemd: Stopping Network Time Service...
Jan 26 20:02:48 idm1 ntpd[15429]: ntpd exiting on signal 15
Jan 26 20:02:48 idm1 systemd: Stopped Network Time Service.
Jan 26 20:03:01 idm1 ns-slapd: [26/Jan/2018:20:03:01.034768459 +0100] - WARN - csngen_new_csn - Too much time skew (-416452 secs). Current seqnum=1b
Jan 26 20:03:01 idm1 ns-slapd: [26/Jan/2018:20:03:01.055043214 +0100] - WARN - csngen_new_csn - Too much time skew (-416453 secs). Current seqnum=1c
Jan 26 20:03:03 idm1 ns-slapd: [26/Jan/2018:20:03:03.375580834 +0100] - WARN - csngen_new_csn - Too much time skew (-416452 secs). Current seqnum=1d
Jan 26 20:03:03 idm1 ns-slapd: [26/Jan/2018:20:03:03.399395635 +0100] - WARN - csngen_new_csn - Too much time skew (-416453 secs). Current seqnum=1e
Jan 26 20:03:10 idm1 ns-slapd: [26/Jan/2018:20:03:10.279455298 +0100] - WARN - csngen_new_csn - Too much time skew (-416447 secs). Current seqnum=1f
Jan 26 20:03:10 idm1 ns-slapd: [26/Jan/2018:20:03:10.320874031 +0100] - WARN - csngen_new_csn - Too much time skew (-416448 secs). Current seqnum=20
Jan 26 20:03:45 idm1 systemd: Stopping Certificate monitoring and PKI enrollment...
Jan 26 20:03:45 idm1 systemd: Stopped Certificate monitoring and PKI enrollment.
Jan 26 20:03:56 idm1 systemd: Starting Certificate monitoring and PKI enrollment...
Jan 26 20:03:57 idm1 systemd: Started Certificate monitoring and PKI enrollment.
Jan 26 20:03:58 idm1 ns-slapd: [26/Jan/2018:20:03:58.111287110 +0100] - WARN - csngen_new_csn - Too much time skew (-416401 secs). Current seqnum=21
Jan 26 20:03:58 idm1 ns-slapd: [26/Jan/2018:20:03:58.390628999 +0100] - WARN - csngen_new_csn - Too much time skew (-416402 secs). Current seqnum=22
Jan 26 20:03:59 idm1 certmonger: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20180129120044.
Jan 26 20:03:59 idm1 certmonger: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20180129120044.
Jan 26 20:03:59 idm1 certmonger: Certificate in file "/var/lib/ipa/ra-agent.pem" will not be valid after 20180129120111.
Jan 26 20:04:01 idm1 ns-slapd: [26/Jan/2018:20:04:01.082324882 +0100] - WARN - csngen_new_csn - Too much time skew (-416400 secs). Current seqnum=23
Jan 26 20:04:06 idm1 ns-slapd: [26/Jan/2018:20:04:06.245845741 +0100] - WARN - csngen_new_csn - Too much time skew (-416396 secs). Current seqnum=24
Jan 26 20:04:17 idm1 ns-slapd: [26/Jan/2018:20:04:17.377907663 +0100] - WARN - csngen_new_csn - Too much time skew (-416385 secs). Current seqnum=25
Jan 26 20:04:32 idm1 ns-slapd: [26/Jan/2018:20:04:32.296003137 +0100] - WARN - csngen_new_csn - Too much time skew (-416372 secs). Current seqnum=26
Jan 26 20:04:32 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:04:32 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 26 20:04:42 idm1 ns-slapd: [26/Jan/2018:20:04:42.139493501 +0100] - WARN - csngen_new_csn - Too much time skew (-416363 secs). Current seqnum=27
Jan 26 20:04:42 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:04:42 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 26 20:04:52 idm1 ns-slapd: [26/Jan/2018:20:04:52.130303926 +0100] - WARN - csngen_new_csn - Too much time skew (-416354 secs). Current seqnum=28
Jan 26 20:04:52 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:04:52 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 26 20:05:15 idm1 systemd: Reloading.
Jan 26 20:05:16 idm1 systemd: [/usr/lib/systemd/system/ip6tables.service:3] Failed to add dependency on syslog.target,iptables.service, ignoring: Invalid argument
Jan 26 20:06:08 idm1 ns-slapd: [26/Jan/2018:20:06:08.075349646 +0100] - WARN - csngen_new_csn - Too much time skew (-416279 secs). Current seqnum=29
Jan 26 20:06:08 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:06:08 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 26 20:06:10 idm1 systemd: Stopping Kerberos 5 KDC...
Jan 26 20:06:10 idm1 systemd: Stopped Kerberos 5 KDC.
Jan 26 20:06:10 idm1 systemd: Stopping Kerberos 5 Password-changing and Administration...
Jan 26 20:06:10 idm1 systemd: kadmin.service: main process exited, code=exited, status=2/INVALIDARGUMENT
Jan 26 20:06:10 idm1 systemd: Stopped Kerberos 5 Password-changing and Administration.
Jan 26 20:06:10 idm1 systemd: Unit kadmin.service entered failed state.
Jan 26 20:06:10 idm1 systemd: kadmin.service failed.
Jan 26 20:06:10 idm1 systemd: Stopping The Apache HTTP Server...
Jan 26 20:06:43 idm1 systemd: Stopped The Apache HTTP Server.
Jan 26 20:06:44 idm1 systemd: Stopping IPA Custodia Service...
Jan 26 20:06:44 idm1 systemd: Stopped IPA Custodia Service.
Jan 26 20:06:44 idm1 systemd: Stopped target PKI Tomcat Server.
Jan 26 20:06:44 idm1 systemd: Stopping PKI Tomcat Server.
Jan 26 20:06:44 idm1 systemd: Stopping PKI Tomcat Server pki-tomcat...
Jan 26 20:06:44 idm1 systemd: Stopping Samba SMB Daemon...
Jan 26 20:06:44 idm1 smbd[28030]: [2018/01/26 20:06:44.275355, 0] ../source3/rpc_server/lsasd.c:139(lsasd_sig_term_handler)
Jan 26 20:06:44 idm1 smbd[28030]: termination signal
Jan 26 20:06:44 idm1 systemd: Stopped Samba SMB Daemon.
Jan 26 20:06:44 idm1 systemd: Stopping Samba Winbind Daemon...
Jan 26 20:06:44 idm1 winbindd[28044]: [2018/01/26 20:06:44.476018, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
Jan 26 20:06:44 idm1 winbindd[28044]: Got sig[15] terminate (is_parent=1)
Jan 26 20:06:44 idm1 server: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
Jan 26 20:06:44 idm1 server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
Jan 26 20:06:44 idm1 server: main class used: org.apache.catalina.startup.Bootstrap
Jan 26 20:06:44 idm1 server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni
Jan 26 20:06:44 idm1 server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
Jan 26 20:06:44 idm1 server: arguments used: stop
Jan 26 20:06:44 idm1 winbindd[28045]: [2018/01/26 20:06:44.508730, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
Jan 26 20:06:44 idm1 systemd: Stopped Samba Winbind Daemon.
Jan 26 20:06:44 idm1 winbindd[28045]: Got sig[15] terminate (is_parent=0)
Jan 26 20:06:44 idm1 systemd: Closed ipa-otpd socket.
Jan 26 20:06:44 idm1 systemd: Stopping ipa-otpd socket.
Jan 26 20:06:44 idm1 systemd: Stopping 389 Directory Server XXXKD-FAU-DE....
Jan 26 20:06:44 idm1 ns-slapd: [26/Jan/2018:20:06:44.721155688 +0100] - INFO - op_thread_cleanup - slapd shutting down - signaling operation threads - op stack size 5 max work q size 2 max work q stack size 2
Jan 26 20:06:44 idm1 ns-slapd: [26/Jan/2018:20:06:44.735943820 +0100] - INFO - slapd_daemon - slapd shutting down - waiting for 18 threads to terminate
Jan 26 20:06:44 idm1 ns-slapd: [26/Jan/2018:20:06:44.825965094 +0100] - INFO - slapd_daemon - slapd shutting down - closing down internal subsystems and plugins
Jan 26 20:06:45 idm1 ns-slapd: [26/Jan/2018:20:06:45.381054379 +0100] - INFO - dblayer_pre_close - Waiting for 4 database threads to stop
Jan 26 20:06:45 idm1 ns-slapd: [26/Jan/2018:20:06:45.927329520 +0100] - INFO - dblayer_pre_close - All database threads now stopped
Jan 26 20:06:46 idm1 ns-slapd: [26/Jan/2018:20:06:46.117991206 +0100] - INFO - ldbm_back_instance_set_destructor - Set of instances destroyed
Jan 26 20:06:46 idm1 ns-slapd: [26/Jan/2018:20:06:46.172299744 +0100] - INFO - connection_post_shutdown_cleanup - slapd shutting down - freed 2 work q stack objects - freed 7 op stack objects
Jan 26 20:06:46 idm1 server: Jan 26, 2018 8:06:46 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
Jan 26 20:06:46 idm1 server: WARNING: Problem with JAR file [/usr/share/pki/server/common/lib/symkey.jar], exists: [false], canRead: [false]
Jan 26 20:06:46 idm1 ns-slapd: [26/Jan/2018:20:06:46.752180768 +0100] - INFO - main - slapd stopped.
Jan 26 20:06:47 idm1 systemd: Stopped 389 Directory Server XXXKD-FAU-DE..
Jan 26 20:06:47 idm1 server: Jan 26, 2018 8:06:47 PM org.apache.catalina.core.StandardServer await
Jan 26 20:06:47 idm1 server: INFO: A valid shutdown command was received via the shutdown port. Stopping the Server instance.
Jan 26 20:06:47 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_stop]
Jan 26 20:06:47 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[stop]
Jan 26 20:06:47 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[configure_stop]
Jan 26 20:06:47 idm1 server: Jan 26, 2018 8:06:47 PM org.apache.coyote.AbstractProtocol pause
Jan 26 20:06:47 idm1 server: INFO: Pausing ProtocolHandler ["http-bio-8080"]
Jan 26 20:06:47 idm1 server: Jan 26, 2018 8:06:47 PM org.apache.coyote.AbstractProtocol pause
Jan 26 20:06:47 idm1 server: INFO: Pausing ProtocolHandler ["http-bio-8443"]
Jan 26 20:06:48 idm1 server: Jan 26, 2018 8:06:48 PM org.apache.coyote.AbstractProtocol pause
Jan 26 20:06:48 idm1 server: INFO: Pausing ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Jan 26 20:06:48 idm1 systemd: Stopped PKI Tomcat Server pki-tomcat.
Jan 26 20:07:15 idm1 systemd: Starting 389 Directory Server XXXKD-FAU-DE....
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.478325959 +0100] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.480593865 +0100] - INFO - Security Initialization - SSL info: Enabling default cipher set.
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.481219973 +0100] - INFO - Security Initialization - SSL info: Configured NSS Ciphers
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.481824600 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.482318301 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.482871806 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.483404678 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.483877775 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.484356724 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.485086617 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.485626013 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.486222706 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.486720917 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.487170422 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.487651590 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.488120831 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.488616154 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.489101124 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.489614588 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.490132278 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.490638790 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.491050535 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.491551374 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.491963122 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.492404036 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.492844912 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.493331259 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.493865506 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.494373239 +0100] - INFO - Security Initialization - SSL info: #011TLS_AES_128_GCM_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.494856356 +0100] - INFO - Security Initialization - SSL info: #011TLS_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.495379801 +0100] - INFO - Security Initialization - SSL info: #011TLS_AES_256_GCM_SHA384: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.504713771 +0100] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.2
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.505720965 +0100] - INFO - main - 389-Directory/1.3.6.1 B2018.025.1550 starting up
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.519359109 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.522754168 +0100] - WARN - default_mr_indexer_create - Plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.527038258 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.533380854 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.539571019 +0100] - NOTICE - ldbm_back_start - found 1532164k physical memory
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.540267898 +0100] - NOTICE - ldbm_back_start - found 1210532k available
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.540903052 +0100] - NOTICE - ldbm_back_start - cache autosizing: db
cache: 61286k Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.541531113 +0100] - NOTICE - ldbm_back_start - cache autosizing: userRoot entry cache (3 total): 65536k Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.543313364 +0100] - NOTICE - ldbm_back_start - cache autosizing: ipaca entry cache (3 total): 65536k Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.544960676 +0100] - NOTICE - ldbm_back_start - cache autosizing: changelog entry cache (3 total): 65536k Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.546649579 +0100] - NOTICE - ldbm_back_start - total cache size: 282989821 B; Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.188126082 +0100] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup! Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.254545220 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.255636672 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=keys,cn=sec,cn=dns,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.256464414 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.257250650 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.258164746 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.258863403 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.259511799 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 
20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.260127161 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.260803146 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.261498596 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.262204544 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.262929674 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.263636127 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.264272729 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.265176992 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.265924764 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.266565141 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.267196538 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.267799261 +0100] - ERR - NSACLPlugin - acl_parse - The 
ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.268432799 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.269320406 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.277180952 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.277931491 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=XXXkd,dc=fau,dc=de does not exist Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.394597339 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.397664334 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat". Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.398357312 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat". Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.398994945 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat". 
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.437779220 +0100] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/idm1.XXXkd.fau.de@XXXKD.FAU.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.450559118 +0100] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
Jan 26 20:07:17 idm1 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: /tmp/krb5cc_993))
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.457942893 +0100] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.459144092 +0100] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.460493541 +0100] - INFO - slapd_daemon - Listening on /var/run/slapd-XXXKD-FAU-DE.socket for LDAPI requests
Jan 26 20:07:17 idm1 systemd: Started 389 Directory Server XXXKD-FAU-DE..
Jan 26 20:07:17 idm1 systemd: Starting Kerberos 5 KDC...
Jan 26 20:07:18 idm1 systemd: PID file /var/run/krb5kdc.pid not readable (yet?) after start.
Jan 26 20:07:18 idm1 systemd: Started Kerberos 5 KDC.
Jan 26 20:07:18 idm1 systemd: Starting Kerberos 5 Password-changing and Administration...
Jan 26 20:07:18 idm1 systemd: Started Kerberos 5 Password-changing and Administration.
Jan 26 20:07:18 idm1 systemd: Starting The Apache HTTP Server...
Jan 26 20:07:18 idm1 ipa-httpd-kdcproxy: ipa : INFO KDC proxy enabled
Jan 26 20:07:19 idm1 systemd: Started The Apache HTTP Server.
Jan 26 20:07:19 idm1 systemd: Starting IPA Custodia Service...
Jan 26 20:07:20 idm1 ipa-custodia: 2018-01-26 20:07:20 - server - Serving on Unix socket /run/httpd/ipa-custodia.sock
Jan 26 20:07:20 idm1 systemd: Started IPA Custodia Service.
Jan 26 20:07:20 idm1 ns-slapd: [26/Jan/2018:20:07:20.562156820 +0100] - WARN - csngen_new_csn - Too much time skew (-416207 secs). Current seqnum=2a
Jan 26 20:07:20 idm1 systemd: Starting Network Time Service...
Jan 26 20:07:20 idm1 ns-slapd: [26/Jan/2018:20:07:20.753895497 +0100] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToidm2.XXXkd.fau.de" (idm2:389) - Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
Jan 26 20:07:20 idm1 ntpd[16369]: ntpd4.2.6p5@1.2349-o Wed Apr 12 21:24:06 UTC 2017 (1)
Jan 26 20:07:20 idm1 systemd: Started Network Time Service.
Jan 26 20:07:20 idm1 ntpd[16370]: proto: precision = 0.087 usec
Jan 26 20:07:20 idm1 ntpd[16370]: 0.0.0.0 c01d 0d kern kernel time sync enabled
Jan 26 20:07:20 idm1 ntpd[16370]: getaddrinfo: "2001:638:a000:b201::/64" invalid host address, ignored
Jan 26 20:07:20 idm1 ntpd[16370]: restrict: error in address '2001:638:a000:b201::/64' on line 21. Ignoring...
Jan 26 20:07:20 idm1 ntpd[16370]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
Jan 26 20:07:20 idm1 systemd: Starting PKI Tomcat Server pki-tomcat...
Jan 26 20:07:20 idm1 ntpd[16370]: Listen and drop on 1 v6wildcard :: UDP 123
Jan 26 20:07:20 idm1 ntpd[16370]: Listen normally on 2 lo 127.0.0.1 UDP 123
Jan 26 20:07:20 idm1 ntpd[16370]: Listen normally on 3 eth0 10.188.220.100 UDP 123
Jan 26 20:07:20 idm1 ntpd[16370]: Listen normally on 4 lo ::1 UDP 123
Jan 26 20:07:20 idm1 ntpd[16370]: Listen normally on 5 eth0 fe80::5054:ff:fe4e:b270 UDP 123
Jan 26 20:07:20 idm1 ntpd[16370]: Listen normally on 6 eth0 2001:638:a000:b201::220:100 UDP 123
Jan 26 20:07:20 idm1 ntpd[16370]: Listening on routing socket on fd #23 for interface updates
Jan 26 20:07:20 idm1 ntpd[16370]: 0.0.0.0 c016 06 restart
Jan 26 20:07:20 idm1 ntpd[16370]: 0.0.0.0 c012 02 freq_set ntpd -11.506 PPM
Jan 26 20:07:23 idm1 ns-slapd: [26/Jan/2018:20:07:23.040493392 +0100] - ERR - schema-compat-plugin - Finished plugin initialization.
Jan 26 20:07:23 idm1 pkidaemon: -----------------------
Jan 26 20:07:23 idm1 pkidaemon: Banner is not installed
Jan 26 20:07:23 idm1 pkidaemon: -----------------------
Jan 26 20:07:23 idm1 pkidaemon: ----------------------
Jan 26 20:07:23 idm1 pkidaemon: Enabled all subsystems
Jan 26 20:07:23 idm1 pkidaemon: ----------------------
Jan 26 20:07:23 idm1 systemd: Started PKI Tomcat Server pki-tomcat.
Jan 26 20:07:23 idm1 systemd: Reached target PKI Tomcat Server.
Jan 26 20:07:23 idm1 systemd: Starting PKI Tomcat Server.
Jan 26 20:07:23 idm1 server: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
Jan 26 20:07:23 idm1 server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
Jan 26 20:07:23 idm1 server: main class used: org.apache.catalina.startup.Bootstrap
Jan 26 20:07:23 idm1 server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni
Jan 26 20:07:23 idm1 server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy
Jan 26 20:07:23 idm1 server: arguments used: start
Jan 26 20:07:23 idm1 server: Jan 26, 2018 8:07:23 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
Jan 26 20:07:23 idm1 server: WARNING: Problem with JAR file [/usr/share/pki/server/common/lib/symkey.jar], exists: [false], canRead: [false]
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://idm1.XXXkd.fau.de:9080/ca/ocsp' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'strictCiphers' to 'true' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property.
Jan 26 20:07:24 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_init]
Jan 26 20:07:25 idm1 server: Jan 26, 2018 8:07:25 PM org.apache.coyote.AbstractProtocol init
Jan 26 20:07:25 idm1 server: INFO: Initializing ProtocolHandler ["http-bio-8080"]
Jan 26 20:07:25 idm1 server: Jan 26, 2018 8:07:25 PM org.apache.coyote.AbstractProtocol init
Jan 26 20:07:25 idm1 server: INFO: Initializing ProtocolHandler ["http-bio-8443"]
Jan 26 20:07:25 idm1 server: Error: SSL cipher "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" not recognized by tomcatjss
Jan 26 20:07:25 idm1 server: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" not recognized by tomcatjss
Jan 26 20:07:25 idm1 server: Jan 26, 2018 8:07:25 PM org.apache.coyote.AbstractProtocol init
Jan 26 20:07:25 idm1 server: INFO: Initializing ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Jan 26 20:07:25 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[after_init]
Jan 26 20:07:25 idm1 server: Jan 26, 2018 8:07:25 PM org.apache.catalina.startup.Catalina load
Jan 26 20:07:25 idm1 server: INFO: Initialization processed in 1535 ms
Jan 26 20:07:25 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_start]
Jan 26 20:07:25 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[configure_start]
Jan 26 20:07:25 idm1 ntpd[16370]: 0.0.0.0 c515 05 clock_sync
Jan 26 20:07:25 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[start]
Jan 26 20:07:25 idm1 server: Jan 26, 2018 8:07:25 PM org.apache.catalina.core.StandardService startInternal
Jan 26 20:07:25 idm1 server: INFO: Starting service Catalina
Jan 26 20:07:25 idm1 server: Jan 26, 2018 8:07:25 PM org.apache.catalina.core.StandardEngine startInternal
Jan 26 20:07:25 idm1 server: INFO: Starting Servlet Engine: Apache Tomcat/7.0.76
Jan 26 20:07:25 idm1 server: Jan 26, 2018 8:07:25 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:07:25 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml
Jan 26 20:07:25 idm1 server: SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
Jan 26 20:07:25 idm1 server: SSLAuthenticatorWithFallback: Setting container
Jan 26 20:07:26 idm1 ns-slapd: [26/Jan/2018:20:07:26.811402672 +0100] - WARN - csngen_new_csn - Too much time skew (-416202 secs). Current seqnum=2b
Jan 26 20:07:27 idm1 server: Jan 26, 2018 8:07:27 PM org.apache.catalina.startup.TldConfig execute
Jan 26 20:07:27 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jan 26 20:07:27 idm1 server: SSLAuthenticatorWithFallback: Initializing authenticators
Jan 26 20:07:27 idm1 server: SSLAuthenticatorWithFallback: Starting authenticators
Jan 26 20:07:28 idm1 server: CMSEngine.initializePasswordStore() begins
Jan 26 20:07:28 idm1 server: CMSEngine.initializePasswordStore(): tag=internaldb
Jan 26 20:07:28 idm1 server: CMSEngine.initializePasswordStore(): tag=replicationdb
Jan 26 20:07:30 idm1 server: SelfTestSubsystem: Disabling "ca" subsystem due to selftest failure.
Jan 26 20:07:31 idm1 server: -----------------------
Jan 26 20:07:31 idm1 server: Disabled "ca" subsystem
Jan 26 20:07:31 idm1 server: -----------------------
Jan 26 20:07:31 idm1 server: Subsystem ID: ca
Jan 26 20:07:31 idm1 server: Instance ID: pki-tomcat
Jan 26 20:07:31 idm1 server: Enabled: False
Jan 26 20:07:31 idm1 server: Invalid class name repositorytop
Jan 26 20:07:31 idm1 server: Invalid class name repositorytop
Jan 26 20:07:31 idm1 server: at com.netscape.cmscore.dbs.DBRegistry.createObject(DBRegistry.java:485)
Jan 26 20:07:31 idm1 server: at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:167)
Jan 26 20:07:31 idm1 server: at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:137)
Jan 26 20:07:31 idm1 server: at com.netscape.cmscore.dbs.Repository.getSerialNumber(Repository.java:125)
Jan 26 20:07:31 idm1 server: at com.netscape.cmscore.dbs.Repository.initCache(Repository.java:244)
Jan 26 20:07:31 idm1 server: at com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:460)
Jan 26 20:07:31 idm1 server: at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1378)
Jan 26 20:07:31 idm1 server: at com.netscape.certsrv.apps.CMS.startup(CMS.java:202)
Jan 26 20:07:31 idm1 server: at com.netscape.certsrv.apps.CMS.start(CMS.java:1632)
Jan 26 20:07:31 idm1 server: at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
Jan 26 20:07:31 idm1 server: at javax.servlet.GenericServlet.init(GenericServlet.java:158)
Jan 26 20:07:31 idm1 server: at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Jan 26 20:07:31 idm1 server: at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
Jan 26 20:07:31 idm1 server: at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Jan 26 20:07:31 idm1 server: at java.lang.reflect.Method.invoke(Method.java:498)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
Jan 26 20:07:31 idm1 server: at java.security.AccessController.doPrivileged(Native Method)
Jan 26 20:07:31 idm1 server: at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1257)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1182)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1072)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5368)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5660)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
Jan 26 20:07:31 idm1 server: at java.security.AccessController.doPrivileged(Native Method)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
Jan 26 20:07:31 idm1 server: at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
Jan 26 20:07:31 idm1 server: at java.util.concurrent.FutureTask.run(FutureTask.java:266)
Jan 26 20:07:31 idm1 server: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
Jan 26 20:07:31 idm1 server: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
Jan 26 20:07:31 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 26 20:07:31 idm1 server: Jan 26, 2018 8:07:31 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:07:31 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 5,520 ms
Jan 26 20:07:31 idm1 server: Jan 26, 2018 8:07:31 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:07:31 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml
Jan 26 20:07:32 idm1 server: Jan 26, 2018 8:07:32 PM org.apache.catalina.startup.TldConfig execute
Jan 26 20:07:32 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jan 26 20:07:32 idm1 server: Jan 26, 2018 8:07:32 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:07:32 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml has finished in 790 ms
Jan 26 20:07:32 idm1 server: Jan 26, 2018 8:07:32 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:07:32 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml
Jan 26 20:07:33 idm1 server: Jan 26, 2018 8:07:33 PM org.apache.catalina.startup.TldConfig execute
Jan 26 20:07:33 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jan 26 20:07:33 idm1 server: Jan 26, 2018 8:07:33 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:07:33 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml has finished in 1,064 ms
Jan 26 20:07:33 idm1 server: Jan 26, 2018 8:07:33 PM org.apache.coyote.AbstractProtocol start
Jan 26 20:07:33 idm1 server: INFO: Starting ProtocolHandler ["http-bio-8080"]
Jan 26 20:07:33 idm1 server: Jan 26, 2018 8:07:33 PM org.apache.coyote.AbstractProtocol start
Jan 26 20:07:33 idm1 server: INFO: Starting ProtocolHandler ["http-bio-8443"]
Jan 26 20:07:33 idm1 server: Jan 26, 2018 8:07:33 PM org.apache.coyote.AbstractProtocol start
Jan 26 20:07:33 idm1 server: INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Jan 26 20:07:33 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[after_start]
Jan 26 20:07:33 idm1 server: PKIListener: Subsystem CA is disabled.
Jan 26 20:07:33 idm1 server: PKIListener: Check /var/log/pki/pki-tomcat/ca/selftests.log for possible errors.
Jan 26 20:07:33 idm1 server: PKIListener: To enable the subsystem:
Jan 26 20:07:33 idm1 server: PKIListener: pki-server subsystem-enable -i pki-tomcat ca
Jan 26 20:07:33 idm1 server: Jan 26, 2018 8:07:33 PM org.apache.catalina.startup.Catalina start
Jan 26 20:07:33 idm1 server: INFO: Server startup in 7515 ms
Jan 26 20:07:39 idm1 ns-slapd: [26/Jan/2018:20:07:39.035843722 +0100] - WARN - csngen_new_csn - Too much time skew (-416191 secs). Current seqnum=2c
Jan 26 20:07:43 idm1 server: Jan 26, 2018 8:07:43 PM org.apache.catalina.startup.HostConfig undeploy
Jan 26 20:07:43 idm1 server: INFO: Undeploying context [/ca]
Jan 26 20:07:43 idm1 server: SSLAuthenticatorWithFallback: Stopping authenticators
Jan 26 20:07:43 idm1 server: Jan 26, 2018 8:07:43 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:07:43 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-0ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:07:43 idm1 server: Jan 26, 2018 8:07:43 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:07:43 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-2ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:07:43 idm1 server: Jan 26, 2018 8:07:43 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:07:43 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [authorityMonitor] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:07:43 idm1 server: Jan 26, 2018 8:07:43 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:07:43 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-3ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:07:43 idm1 server: Jan 26, 2018 8:07:43 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:07:43 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [profileChangeMonitor] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:07:43 idm1 server: SSLAuthenticatorWithFallback: Setting container
Jan 26 20:07:47 idm1 ns-slapd: [26/Jan/2018:20:07:47.844329850 +0100] - WARN - csngen_new_csn - Too much time skew (-416183 secs). Current seqnum=2d
Jan 26 20:08:09 idm1 ns-slapd: [26/Jan/2018:20:08:09.059172306 +0100] - WARN - csngen_new_csn - Too much time skew (-416174 secs). Current seqnum=1
Jan 26 20:08:27 idm1 ntpd[16370]: ntpd exiting on signal 15
Jan 26 20:08:27 idm1 systemd: Stopping Network Time Service...
Jan 26 20:08:27 idm1 systemd: Stopped Network Time Service.
Jan 26 20:08:49 idm1 ns-slapd: [26/Jan/2018:20:08:49.052101605 +0100] - WARN - csngen_new_csn - Too much time skew (-416135 secs). Current seqnum=1
Jan 26 20:08:49 idm1 ns-slapd: [26/Jan/2018:20:08:49.075642776 +0100] - WARN - csngen_new_csn - Too much time skew (-416136 secs). Current seqnum=1
Jan 26 20:08:51 idm1 ns-slapd: [26/Jan/2018:20:08:51.298345097 +0100] - WARN - csngen_new_csn - Too much time skew (-416135 secs). Current seqnum=1
Jan 26 20:09:25 idm1 ns-slapd: [26/Jan/2018:20:09:25.093696262 +0100] - WARN - csngen_new_csn - Too much time skew (-416102 secs). Current seqnum=1
Jan 26 20:09:25 idm1 ns-slapd: [26/Jan/2018:20:09:25.115607333 +0100] - WARN - csngen_new_csn - Too much time skew (-416103 secs). Current seqnum=1
Jan 26 20:10:27 idm1 ns-slapd: [26/Jan/2018:20:10:27.371866302 +0100] - WARN - csngen_new_csn - Too much time skew (-416042 secs). Current seqnum=1
Jan 26 20:11:11 idm1 ns-slapd: [26/Jan/2018:20:11:11.185235999 +0100] - WARN - csngen_new_csn - Too much time skew (-415999 secs). Current seqnum=1
Jan 26 20:12:24 idm1 systemd: Starting Samba SMB Daemon...
Jan 26 20:12:24 idm1 smbd[16684]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket not yet valid)
Jan 26 20:12:24 idm1 ns-slapd: [26/Jan/2018:20:12:24.338023606 +0100] - WARN - csngen_new_csn - Too much time skew (-415927 secs). Current seqnum=1
Jan 26 20:12:24 idm1 ns-slapd: [26/Jan/2018:20:12:24.492918154 +0100] - WARN - csngen_new_csn - Too much time skew (-415928 secs). Current seqnum=1
Jan 26 20:12:24 idm1 smbd[16684]: [2018/01/26 20:12:24.644663, 0] ../lib/util/become_daemon.c:124(daemon_ready)
Jan 26 20:12:24 idm1 systemd: Started Samba SMB Daemon.
Jan 26 20:12:24 idm1 smbd[16684]: STATUS=daemon 'smbd' finished starting up and ready to serve connections
Jan 26 20:12:24 idm1 systemd: Starting Samba Winbind Daemon...
Jan 26 20:12:24 idm1 winbindd[16702]: [2018/01/26 20:12:24.744499, 0] ../source3/winbindd/winbindd_cache.c:3171(initialize_winbindd_cache)
Jan 26 20:12:24 idm1 systemd: winbind.service: Supervising process 16702 which is not our child. We'll most likely not notice when it exits.
Jan 26 20:12:24 idm1 winbindd[16702]: initialize_winbindd_cache: clearing cache and re-creating with version number 2
Jan 26 20:12:24 idm1 winbindd[16702]: [2018/01/26 20:12:24.788607, 0] ../lib/util/become_daemon.c:124(daemon_ready)
Jan 26 20:12:24 idm1 systemd: Started Samba Winbind Daemon.
Jan 26 20:12:24 idm1 winbindd[16702]: STATUS=daemon 'winbindd' finished starting up and ready to serve connections
Jan 26 20:12:24 idm1 systemd: Listening on ipa-otpd socket.
Jan 26 20:12:24 idm1 systemd: Starting ipa-otpd socket.
Jan 26 20:12:24 idm1 ns-slapd: [26/Jan/2018:20:12:24.835355417 +0100] - WARN - csngen_new_csn - Too much time skew (-415928 secs). Current seqnum=1
Jan 26 20:16:36 idm1 ns-slapd: [26/Jan/2018:20:16:36.642664215 +0100] - WARN - csngen_new_csn - Too much time skew (-415688 secs). Current seqnum=1
Jan 26 20:16:36 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:16:37 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 26 20:17:24 idm1 ns-slapd: [26/Jan/2018:20:17:24.820564227 +0100] - WARN - csngen_new_csn - Too much time skew (-415641 secs). Current seqnum=1
Jan 26 20:17:37 idm1 ns-slapd: [26/Jan/2018:20:17:37.625304230 +0100] - WARN - csngen_new_csn - Too much time skew (-415629 secs). Current seqnum=1
Jan 26 20:17:37 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:17:37 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 26 20:18:01 idm1 logrotate: ALERT exited abnormally with [1]
Jan 26 20:18:38 idm1 ns-slapd: [26/Jan/2018:20:18:38.792663979 +0100] - WARN - csngen_new_csn - Too much time skew (-415569 secs). Current seqnum=1
Jan 26 20:22:24 idm1 ns-slapd: [26/Jan/2018:20:22:24.817110632 +0100] - WARN - csngen_new_csn - Too much time skew (-415344 secs). Current seqnum=1
Jan 26 20:23:59 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:23:59 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 26 20:24:45 idm1 stop_pkicad: Stopping pki_tomcatd
Jan 26 20:24:45 idm1 systemd: Stopping PKI Tomcat Server pki-tomcat...
Jan 26 20:24:45 idm1 server: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
Jan 26 20:24:45 idm1 server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
Jan 26 20:24:45 idm1 server: main class used: org.apache.catalina.startup.Bootstrap
Jan 26 20:24:45 idm1 server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni
Jan 26 20:24:45 idm1 server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
Jan 26 20:24:45 idm1 server: arguments used: stop
Jan 26 20:24:45 idm1 server: Jan 26, 2018 8:24:45 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
Jan 26 20:24:45 idm1 server: WARNING: Problem with JAR file [/usr/share/pki/server/common/lib/symkey.jar], exists: [false], canRead: [false]
Jan 26 20:24:46 idm1 server: Jan 26, 2018 8:24:46 PM org.apache.catalina.core.StandardServer await
Jan 26 20:24:46 idm1 server: INFO: A valid shutdown command was received via the shutdown port. Stopping the Server instance.
Jan 26 20:24:46 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_stop]
Jan 26 20:24:46 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[stop]
Jan 26 20:24:46 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[configure_stop]
Jan 26 20:24:46 idm1 server: Jan 26, 2018 8:24:46 PM org.apache.coyote.AbstractProtocol pause
Jan 26 20:24:46 idm1 server: INFO: Pausing ProtocolHandler ["http-bio-8080"]
Jan 26 20:24:46 idm1 systemd: Stopped PKI Tomcat Server pki-tomcat.
Jan 26 20:24:46 idm1 stop_pkicad: Stopped pki_tomcatd
Jan 26 20:27:24 idm1 ns-slapd: [26/Jan/2018:20:27:24.817184276 +0100] - WARN - csngen_new_csn - Too much time skew (-415053 secs). Current seqnum=1
Jan 26 20:28:39 idm1 ns-slapd: [26/Jan/2018:20:28:39.388139879 +0100] - WARN - csngen_new_csn - Too much time skew (-414980 secs). Current seqnum=1
Jan 26 20:28:45 idm1 systemd: Reloading.
Jan 26 20:28:45 idm1 systemd: [/usr/lib/systemd/system/ip6tables.service:3] Failed to add dependency on syslog.target,iptables.service, ignoring: Invalid argument
Jan 26 20:28:45 idm1 yum[17021]: Installed: pki-server-10.4.1-17.el7_4.noarch
Jan 26 20:30:09 idm1 yum[17100]: Installed: pki-symkey-10.4.1-17.el7_4.x86_64
Jan 26 20:30:10 idm1 ns-slapd: [26/Jan/2018:20:30:10.056412100 +0100] - WARN - csngen_new_csn - Too much time skew (-414902 secs). Current seqnum=1
Jan 26 20:30:10 idm1 ns-slapd: [26/Jan/2018:20:30:10.112492509 +0100] - WARN - csngen_new_csn - Too much time skew (-414903 secs). Current seqnum=1
Jan 26 20:30:36 idm1 systemd: Stopping Certificate monitoring and PKI enrollment...
Jan 26 20:30:36 idm1 systemd: Starting Certificate monitoring and PKI enrollment...
Jan 26 20:30:36 idm1 systemd: Started Certificate monitoring and PKI enrollment.
Jan 26 20:30:51 idm1 ns-slapd: [26/Jan/2018:20:30:51.459575928 +0100] - WARN - csngen_new_csn - Too much time skew (-414862 secs). Current seqnum=1
Jan 26 20:30:53 idm1 ns-slapd: [26/Jan/2018:20:30:53.004542140 +0100] - WARN - csngen_new_csn - Too much time skew (-414862 secs). Current seqnum=1
Jan 26 20:32:53 idm1 ns-slapd: [26/Jan/2018:20:32:53.104794576 +0100] - WARN - csngen_new_csn - Too much time skew (-414747 secs). Current seqnum=1
Jan 26 20:33:38 idm1 ns-slapd: [26/Jan/2018:20:33:38.708156346 +0100] - WARN - csngen_new_csn - Too much time skew (-414702 secs). Current seqnum=1
Jan 26 20:35:26 idm1 systemd: Starting PKI Tomcat Server tomcatd...
Jan 26 20:35:27 idm1 pkidaemon: tomcatd is an invalid 'tomcat' instance
Jan 26 20:35:27 idm1 systemd: pki-tomcatd@tomcatd.service: control process exited, code=exited status=5
Jan 26 20:35:27 idm1 systemd: Failed to start PKI Tomcat Server tomcatd.
Jan 26 20:35:27 idm1 systemd: Unit pki-tomcatd@tomcatd.service entered failed state.
Jan 26 20:35:27 idm1 systemd: pki-tomcatd@tomcatd.service failed.
Jan 26 20:38:15 idm1 systemd: Stopping Certificate monitoring and PKI enrollment...
Jan 26 20:38:15 idm1 systemd: Starting Certificate monitoring and PKI enrollment...
Jan 26 20:38:16 idm1 systemd: Started Certificate monitoring and PKI enrollment.
Jan 26 20:38:50 idm1 systemd: Stopped target PKI Tomcat Server.
Jan 26 20:38:50 idm1 systemd: Stopping PKI Tomcat Server.
Jan 26 20:38:50 idm1 systemd: Stopping 389 Directory Server XXXKD-FAU-DE....
Jan 26 20:38:50 idm1 ns-slapd: [26/Jan/2018:20:38:50.930128624 +0100] - INFO - op_thread_cleanup - slapd shutting down - signaling operation threads - op stack size 7 max work q size 3 max work q stack size 3
Jan 26 20:38:50 idm1 ns-slapd: [26/Jan/2018:20:38:50.938738333 +0100] - INFO - slapd_daemon - slapd shutting down - closing down internal subsystems and plugins
Jan 26 20:38:51 idm1 ns-slapd: [26/Jan/2018:20:38:51.491982395 +0100] - INFO - dblayer_pre_close - Waiting for 4 database threads to stop
Jan 26 20:38:52 idm1 ns-slapd: [26/Jan/2018:20:38:52.643000430 +0100] - INFO - dblayer_pre_close - All database threads now stopped
Jan 26 20:38:52 idm1 ns-slapd: [26/Jan/2018:20:38:52.843193691 +0100] - INFO - ldbm_back_instance_set_destructor - Set of instances destroyed
Jan 26 20:38:52 idm1 ns-slapd: [26/Jan/2018:20:38:52.845431711 +0100] - INFO - connection_post_shutdown_cleanup - slapd shutting down - freed 3 work q stack objects - freed 7 op stack objects
Jan 26 20:38:52 idm1 ns-slapd: [26/Jan/2018:20:38:52.949112608 +0100] - INFO - main - slapd stopped.
Jan 26 20:38:53 idm1 systemd: Starting 389 Directory Server XXXKD-FAU-DE....
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.798684376 +0100] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.802136681 +0100] - INFO - Security Initialization - SSL info: Enabling default cipher set.
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.803482731 +0100] - INFO - Security Initialization - SSL info: Configured NSS Ciphers
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.804571447 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.805584219 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.806587975 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.807433596 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.808344028 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.809263480 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.810258405 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.811278159 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.812279895 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.813211722 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.814155963 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.815027810 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.815884935 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.816664023 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.817588461 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.820002292 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.820921200 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.821848282 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.822790429 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.823796031 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.824792858 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.825834646 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.826645719 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.827439967 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.828388576 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.829379262 +0100] - INFO - Security Initialization - SSL info: #011TLS_AES_128_GCM_SHA256: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.830270347 +0100] - INFO - Security Initialization - SSL info: #011TLS_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.831112791 +0100] - INFO - Security Initialization - SSL info: #011TLS_AES_256_GCM_SHA384: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.842425631 +0100] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.2
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.844467130 +0100] - INFO - main - 389-Directory/1.3.6.1 B2018.025.1550 starting up
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.862148344 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.866723860 +0100] - WARN - default_mr_indexer_create - Plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.872029440 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.880396494 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.887683843 +0100] - NOTICE - ldbm_back_start - found 1532164k physical memory
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.889387846 +0100] - NOTICE - ldbm_back_start - found 957616k available
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.890401127 +0100] - NOTICE - ldbm_back_start - cache autosizing: db cache: 61286k
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.891282794 +0100] - NOTICE - ldbm_back_start - cache autosizing: userRoot entry cache (3 total): 65536k
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.893673995 +0100] - NOTICE - ldbm_back_start - cache autosizing: ipaca entry cache (3 total): 65536k
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.896279383 +0100] - NOTICE - ldbm_back_start - cache autosizing: changelog entry cache (3 total): 65536k
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.899099347 +0100] - NOTICE - ldbm_back_start - total cache size: 282989821 B;
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.288606109 +0100] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.356204866 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.357475508 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=keys,cn=sec,cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.358533489 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.359655614 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.360824909 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.361929056 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.362916495 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.363933986 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.364863852 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.365773801 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.366715005 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.367657233 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.368620393 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.369654121 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.370568017 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.371627613 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.372549625 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.373548074 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.374515489 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.375468905 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.376417537 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.384105365 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.385229794 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.489142376 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.492165481 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat".
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.493230810 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat".
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.494325526 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat".
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.533752266 +0100] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.538206222 +0100] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/idm1.XXXkd.fau.de@XXXKD.FAU.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.542196033 +0100] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.550911263 +0100] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
Jan 26 20:38:55 idm1 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: /tmp/krb5cc_993))
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.552234132 +0100] - INFO - slapd_daemon - Listening on /var/run/slapd-XXXKD-FAU-DE.socket for LDAPI requests
Jan 26 20:38:55 idm1 systemd: Started 389 Directory Server XXXKD-FAU-DE..
Jan 26 20:38:55 idm1 systemd: Stopping Kerberos 5 KDC...
Jan 26 20:38:55 idm1 systemd: Starting Kerberos 5 KDC...
Jan 26 20:38:55 idm1 systemd: PID file /var/run/krb5kdc.pid not readable (yet?) after start.
Jan 26 20:38:55 idm1 systemd: Started Kerberos 5 KDC.
Jan 26 20:38:55 idm1 systemd: Stopping Kerberos 5 Password-changing and Administration...
Jan 26 20:38:55 idm1 systemd: kadmin.service: main process exited, code=exited, status=2/INVALIDARGUMENT
Jan 26 20:38:55 idm1 systemd: Unit kadmin.service entered failed state.
Jan 26 20:38:55 idm1 systemd: kadmin.service failed.
Jan 26 20:38:55 idm1 systemd: Starting Kerberos 5 Password-changing and Administration...
Jan 26 20:38:56 idm1 systemd: Started Kerberos 5 Password-changing and Administration.
Jan 26 20:38:56 idm1 systemd: Stopping The Apache HTTP Server...
Jan 26 20:38:58 idm1 ns-slapd: [26/Jan/2018:20:38:58.564805340 +0100] - WARN - csngen_new_csn - Too much time skew (-414396 secs). Current seqnum=1
Jan 26 20:38:58 idm1 ns-slapd: [26/Jan/2018:20:38:58.641081747 +0100] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToidm2.XXXkd.fau.de" (idm2:389) - Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
Jan 26 20:39:00 idm1 systemd: Starting The Apache HTTP Server...
Jan 26 20:39:00 idm1 ipa-httpd-kdcproxy: ipa : INFO KDC proxy enabled
Jan 26 20:39:00 idm1 ns-slapd: [26/Jan/2018:20:39:00.943662244 +0100] - ERR - schema-compat-plugin - Finished plugin initialization.
Jan 26 20:39:01 idm1 systemd: Started The Apache HTTP Server.
Jan 26 20:39:01 idm1 systemd: Stopping IPA Custodia Service...
Jan 26 20:39:01 idm1 systemd: Starting IPA Custodia Service...
Jan 26 20:39:02 idm1 systemd: Started IPA Custodia Service.
Jan 26 20:39:02 idm1 ipa-custodia: 2018-01-26 20:39:02 - server - Serving on Unix socket /run/httpd/ipa-custodia.sock
Jan 26 20:39:02 idm1 systemd: Starting Network Time Service...
Jan 26 20:39:02 idm1 ntpd[17985]: ntpd 4.2.6p5@1.2349-o Wed Apr 12 21:24:06 UTC 2017 (1)
Jan 26 20:39:02 idm1 systemd: Started Network Time Service.
Jan 26 20:39:02 idm1 ntpd[17986]: proto: precision = 0.097 usec
Jan 26 20:39:02 idm1 ntpd[17986]: 0.0.0.0 c01d 0d kern kernel time sync enabled
Jan 26 20:39:02 idm1 systemd: Starting PKI Tomcat Server pki-tomcat...
Jan 26 20:39:03 idm1 ntpd[17986]: getaddrinfo: "2001:638:a000:b201::/64" invalid host address, ignored
Jan 26 20:39:03 idm1 ntpd[17986]: restrict: error in address '2001:638:a000:b201::/64' on line 21. Ignoring...
Jan 26 20:39:03 idm1 ntpd[17986]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
Jan 26 20:39:03 idm1 ntpd[17986]: Listen and drop on 1 v6wildcard :: UDP 123
Jan 26 20:39:03 idm1 ntpd[17986]: Listen normally on 2 lo 127.0.0.1 UDP 123
Jan 26 20:39:03 idm1 ntpd[17986]: Listen normally on 3 eth0 10.188.220.100 UDP 123
Jan 26 20:39:03 idm1 ntpd[17986]: Listen normally on 4 lo ::1 UDP 123
Jan 26 20:39:03 idm1 ntpd[17986]: Listen normally on 5 eth0 fe80::5054:ff:fe4e:b270 UDP 123
Jan 26 20:39:03 idm1 ntpd[17986]: Listen normally on 6 eth0 2001:638:a000:b201::220:100 UDP 123
Jan 26 20:39:03 idm1 ntpd[17986]: Listening on routing socket on fd #23 for interface updates
Jan 26 20:39:03 idm1 ntpd[17986]: 0.0.0.0 c016 06 restart
Jan 26 20:39:03 idm1 ntpd[17986]: 0.0.0.0 c012 02 freq_set ntpd -11.506 PPM
Jan 26 20:39:04 idm1 ns-slapd: [26/Jan/2018:20:39:04.677894447 +0100] - WARN - csngen_new_csn - Too much time skew (-414391 secs). Current seqnum=1
Jan 26 20:39:05 idm1 pkidaemon: -----------------------
Jan 26 20:39:05 idm1 pkidaemon: Banner is not installed
Jan 26 20:39:05 idm1 pkidaemon: -----------------------
Jan 26 20:39:05 idm1 pkidaemon: ----------------------
Jan 26 20:39:05 idm1 pkidaemon: Enabled all subsystems
Jan 26 20:39:05 idm1 pkidaemon: ----------------------
Jan 26 20:39:05 idm1 systemd: Started PKI Tomcat Server pki-tomcat.
Jan 26 20:39:05 idm1 systemd: Reached target PKI Tomcat Server.
Jan 26 20:39:05 idm1 systemd: Starting PKI Tomcat Server.
Jan 26 20:39:05 idm1 server: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
Jan 26 20:39:05 idm1 server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
Jan 26 20:39:05 idm1 server: main class used: org.apache.catalina.startup.Bootstrap
Jan 26 20:39:05 idm1 server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni
Jan 26 20:39:05 idm1 server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy
Jan 26 20:39:05 idm1 server: arguments used: start
Jan 26 20:39:07 idm1 ntpd[17986]: 0.0.0.0 c515 05 clock_sync
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://idm1.XXXkd.fau.de:9080/ca/ocsp' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'strictCiphers' to 'true' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property.
Jan 26 20:39:07 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_init]
Jan 26 20:39:08 idm1 server: Jan 26, 2018 8:39:08 PM org.apache.coyote.AbstractProtocol init
Jan 26 20:39:08 idm1 server: INFO: Initializing ProtocolHandler ["http-bio-8080"]
Jan 26 20:39:08 idm1 server: Jan 26, 2018 8:39:08 PM org.apache.coyote.AbstractProtocol init
Jan 26 20:39:08 idm1 server: INFO: Initializing ProtocolHandler ["http-bio-8443"]
Jan 26 20:39:08 idm1 server: Error: SSL cipher "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" not recognized by tomcatjss
Jan 26 20:39:08 idm1 server: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" not recognized by tomcatjss
Jan 26 20:39:08 idm1 server: Jan 26, 2018 8:39:08 PM org.apache.coyote.AbstractProtocol init
Jan 26 20:39:08 idm1 server: INFO: Initializing ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Jan 26 20:39:08 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[after_init]
Jan 26 20:39:08 idm1 server: Jan 26, 2018 8:39:08 PM org.apache.catalina.startup.Catalina load
Jan 26 20:39:08 idm1 server: INFO: Initialization processed in 1254 ms
Jan 26 20:39:08 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_start]
Jan 26 20:39:08 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[configure_start]
Jan 26 20:39:08 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[start]
Jan 26 20:39:08 idm1 server: Jan 26, 2018 8:39:08 PM org.apache.catalina.core.StandardService startInternal
Jan 26 20:39:08 idm1 server: INFO: Starting service Catalina
Jan 26 20:39:08 idm1 server: Jan 26, 2018 8:39:08 PM org.apache.catalina.core.StandardEngine startInternal
Jan 26 20:39:08 idm1 server: INFO: Starting Servlet Engine: Apache Tomcat/7.0.76
Jan 26 20:39:08 idm1 server: Jan 26, 2018 8:39:08 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:39:08 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml
Jan 26 20:39:08 idm1 server: SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
Jan 26 20:39:08 idm1 server: SSLAuthenticatorWithFallback: Setting container
Jan 26 20:39:10 idm1 server: Jan 26, 2018 8:39:10 PM org.apache.catalina.startup.TldConfig execute
Jan 26 20:39:10 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jan 26 20:39:10 idm1 server: SSLAuthenticatorWithFallback: Initializing authenticators
Jan 26 20:39:10 idm1 server: SSLAuthenticatorWithFallback: Starting authenticators
Jan 26 20:39:10 idm1 server: CMSEngine.initializePasswordStore() begins
Jan 26 20:39:10 idm1 server: CMSEngine.initializePasswordStore(): tag=internaldb
Jan 26 20:39:10 idm1 server: CMSEngine.initializePasswordStore(): tag=replicationdb
Jan 26 20:39:13 idm1 server: SelfTestSubsystem: Disabling "ca" subsystem due to selftest failure.
Jan 26 20:39:13 idm1 server: -----------------------
Jan 26 20:39:13 idm1 server: Disabled "ca" subsystem
Jan 26 20:39:13 idm1 server: -----------------------
Jan 26 20:39:13 idm1 server: Subsystem ID: ca
Jan 26 20:39:13 idm1 server: Instance ID: pki-tomcat
Jan 26 20:39:13 idm1 server: Enabled: False
Jan 26 20:39:13 idm1 server: Invalid class name repositorytop
Jan 26 20:39:14 idm1 server: Invalid class name repositorytop
Jan 26 20:39:14 idm1 server: at com.netscape.cmscore.dbs.DBRegistry.createObject(DBRegistry.java:485)
Jan 26 20:39:14 idm1 server: at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:167)
Jan 26 20:39:14 idm1 server: at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:137)
Jan 26 20:39:14 idm1 server: at com.netscape.cmscore.dbs.Repository.getSerialNumber(Repository.java:125)
Jan 26 20:39:14 idm1 server: at com.netscape.cmscore.dbs.Repository.initCache(Repository.java:244)
Jan 26 20:39:14 idm1 server: at com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:460)
Jan 26 20:39:14 idm1 server: at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1378)
Jan 26 20:39:14 idm1 server: at com.netscape.certsrv.apps.CMS.startup(CMS.java:202)
Jan 26 20:39:14 idm1 server: at com.netscape.certsrv.apps.CMS.start(CMS.java:1632)
Jan 26 20:39:14 idm1 server: at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
Jan 26 20:39:14 idm1 server: at javax.servlet.GenericServlet.init(GenericServlet.java:158)
Jan 26 20:39:14 idm1 server: at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Jan 26 20:39:14 idm1 server: at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
Jan 26 20:39:14 idm1 server: at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Jan 26 20:39:14 idm1 server: at java.lang.reflect.Method.invoke(Method.java:498)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
Jan 26 20:39:14 idm1 server: at java.security.AccessController.doPrivileged(Native Method)
Jan 26 20:39:14 idm1 server: at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1257)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1182)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1072)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5368)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5660)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
Jan 26 20:39:14 idm1 server: at java.security.AccessController.doPrivileged(Native Method)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
Jan 26 20:39:14 idm1 server: at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
Jan 26 20:39:14 idm1 server: at java.util.concurrent.FutureTask.run(FutureTask.java:266)
Jan 26 20:39:14 idm1 server: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
Jan 26 20:39:14 idm1 server: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
Jan 26 20:39:14 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 26 20:39:14 idm1 server: Jan 26, 2018 8:39:14 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:39:14 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 5,603 ms
Jan 26 20:39:14 idm1 server: Jan 26, 2018 8:39:14 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:39:14 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml
Jan 26 20:39:14 idm1 server: Jan 26, 2018 8:39:14 PM org.apache.catalina.startup.TldConfig execute
Jan 26 20:39:14 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jan 26 20:39:14 idm1 server: Jan 26, 2018 8:39:14 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:39:14 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml has finished in 724 ms
Jan 26 20:39:14 idm1 server: Jan 26, 2018 8:39:14 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:39:14 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml
Jan 26 20:39:15 idm1 server: Jan 26, 2018 8:39:15 PM org.apache.catalina.startup.TldConfig execute
Jan 26 20:39:15 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jan 26 20:39:15 idm1 server: Jan 26, 2018 8:39:15 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:39:15 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml has finished in 1,041 ms
Jan 26 20:39:15 idm1 server: Jan 26, 2018 8:39:15 PM org.apache.coyote.AbstractProtocol start
Jan 26 20:39:15 idm1 server: INFO: Starting ProtocolHandler ["http-bio-8080"]
Jan 26 20:39:15 idm1 server: Jan 26, 2018 8:39:15 PM org.apache.coyote.AbstractProtocol start
Jan 26 20:39:15 idm1 server: INFO: Starting ProtocolHandler ["http-bio-8443"]
Jan 26 20:39:15 idm1 server: Jan 26, 2018 8:39:15 PM org.apache.coyote.AbstractProtocol start
Jan 26 20:39:15 idm1 server: INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Jan 26 20:39:15 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[after_start]
Jan 26 20:39:15 idm1 server: PKIListener: Subsystem CA is disabled.
Jan 26 20:39:15 idm1 server: PKIListener: Check /var/log/pki/pki-tomcat/ca/selftests.log for possible errors.
Jan 26 20:39:15 idm1 server: PKIListener: To enable the subsystem:
Jan 26 20:39:15 idm1 server: PKIListener: pki-server subsystem-enable -i pki-tomcat ca
Jan 26 20:39:15 idm1 server: Jan 26, 2018 8:39:15 PM org.apache.catalina.startup.Catalina start
Jan 26 20:39:15 idm1 server: INFO: Server startup in 7480 ms
Jan 26 20:39:17 idm1 ns-slapd: [26/Jan/2018:20:39:17.236299024 +0100] - WARN - csngen_new_csn - Too much time skew (-414380 secs). Current seqnum=1
Jan 26 20:39:22 idm1 ns-slapd: [26/Jan/2018:20:39:22.056843883 +0100] - WARN - csngen_new_csn - Too much time skew (-414376 secs). Current seqnum=1
Jan 26 20:39:22 idm1 ns-slapd: [26/Jan/2018:20:39:22.084016470 +0100] - WARN - csngen_new_csn - Too much time skew (-414377 secs). Current seqnum=1
Jan 26 20:39:26 idm1 ns-slapd: [26/Jan/2018:20:39:26.282879120 +0100] - WARN - csngen_new_csn - Too much time skew (-414374 secs). Current seqnum=1
Jan 26 20:39:26 idm1 ns-slapd: [26/Jan/2018:20:39:26.321619015 +0100] - WARN - csngen_new_csn - Too much time skew (-414375 secs). Current seqnum=1
Jan 26 20:39:26 idm1 server: Jan 26, 2018 8:39:26 PM org.apache.catalina.startup.HostConfig undeploy
Jan 26 20:39:26 idm1 server: INFO: Undeploying context [/ca]
Jan 26 20:39:26 idm1 server: SSLAuthenticatorWithFallback: Stopping authenticators
Jan 26 20:39:26 idm1 server: Jan 26, 2018 8:39:26 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:39:26 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-0ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:39:26 idm1 server: Jan 26, 2018 8:39:26 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:39:26 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-2ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:39:26 idm1 server: Jan 26, 2018 8:39:26 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:39:26 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [authorityMonitor] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:39:26 idm1 server: Jan 26, 2018 8:39:26 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:39:26 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-3ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:39:26 idm1 server: Jan 26, 2018 8:39:26 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:39:26 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [profileChangeMonitor] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:39:26 idm1 server: SSLAuthenticatorWithFallback: Setting container
J
Jan 26 20:42:16 idm1 systemd: Closed ipa-otpd socket.
Jan 26 20:42:16 idm1 systemd: Stopping ipa-otpd socket.
Jan 26 20:42:16 idm1 systemd: Stopping Samba Winbind Daemon...
Jan 26 20:42:16 idm1 winbindd[16702]: [2018/01/26 20:42:16.696807, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
Jan 26 20:42:16 idm1 winbindd[16702]: Got sig[15] terminate (is_parent=1)
Jan 26 20:42:16 idm1 winbindd[16703]: [2018/01/26 20:42:16.841466, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
Jan 26 20:42:16 idm1 winbindd[16703]: Got sig[15] terminate (is_parent=0)
Jan 26 20:42:16 idm1 systemd: Stopped Samba Winbind Daemon.
Jan 26 20:42:16 idm1 systemd: Stopping Samba SMB Daemon...
Jan 26 20:42:16 idm1 smbd[16688]: [2018/01/26 20:42:16.916550, 0] ../source3/rpc_server/lsasd.c:139(lsasd_sig_term_handler)
Jan 26 20:42:16 idm1 smbd[16688]: termination signal
Jan 26 20:42:16 idm1 systemd: Stopped Samba SMB Daemon.
Jan 26 20:42:17 idm1 systemd: Stopping IPA Custodia Service...
Jan 26 20:42:17 idm1 systemd: Stopped IPA Custodia Service.
Jan 26 20:42:17 idm1 systemd: Stopping The Apache HTTP Server...
Jan 26 20:42:18 idm1 systemd: Stopped The Apache HTTP Server.
Jan 26 20:42:18 idm1 systemd: Stopping Kerberos 5 Password-changing and Administration...
Jan 26 20:42:18 idm1 systemd: kadmin.service: main process exited, code=exited, status=2/INVALIDARGUMENT
Jan 26 20:42:18 idm1 systemd: Stopped Kerberos 5 Password-changing and Administration.
Jan 26 20:42:18 idm1 systemd: Unit kadmin.service entered failed state.
Jan 26 20:42:18 idm1 systemd: kadmin.service failed.
Jan 26 20:42:18 idm1 systemd: Stopping Kerberos 5 KDC...
Jan 26 20:42:18 idm1 systemd: Stopped Kerberos 5 KDC.
Jan 26 20:42:18 idm1 systemd: Stopping 389 Directory Server XXXKD-FAU-DE....
Jan 26 20:42:18 idm1 ns-slapd: [26/Jan/2018:20:42:18.368608160 +0100] - INFO - op_thread_cleanup - slapd shutting down - signaling operation threads - op stack size 6 max work q size 2 max work q stack size 2
Jan 26 20:42:18 idm1 ns-slapd: [26/Jan/2018:20:42:18.372309172 +0100] - INFO - slapd_daemon - slapd shutting down - waiting for 15 threads to terminate
Jan 26 20:42:18 idm1 ns-slapd: [26/Jan/2018:20:42:18.374142668 +0100] - INFO - slapd_daemon - slapd shutting down - closing down internal subsystems and plugins
Jan 26 20:42:18 idm1 ns-slapd: [26/Jan/2018:20:42:18.726004813 +0100] - INFO - dblayer_pre_close - Waiting for 4 database threads to stop
Jan 26 20:42:19 idm1 ns-slapd: [26/Jan/2018:20:42:19.258064040 +0100] - INFO - dblayer_pre_close - All database threads now stopped
Jan 26 20:42:19 idm1 ns-slapd: [26/Jan/2018:20:42:19.286571363 +0100] - INFO - ldbm_back_instance_set_destructor - Set of instances destroyed
Jan 26 20:42:19 idm1 ns-slapd: [26/Jan/2018:20:42:19.288632006 +0100] - INFO - connection_post_shutdown_cleanup - slapd shutting down - freed 2 work q stack objects - freed 7 op stack objects
Jan 26 20:42:19 idm1 ns-slapd: [26/Jan/2018:20:42:19.803231467 +0100] - INFO - main - slapd stopped.
Jan 26 20:42:19 idm1 systemd: Stopped 389 Directory Server XXXKD-FAU-DE..
Jan 26 20:42:30 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_stop]
Jan 26 20:42:30 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[stop]
Jan 26 20:42:30 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[configure_stop]
Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.coyote.AbstractProtocol pause
Jan 26 20:42:30 idm1 server: INFO: Pausing ProtocolHandler ["http-bio-8080"]
Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.coyote.AbstractProtocol pause
Jan 26 20:42:30 idm1 server: INFO: Pausing ProtocolHandler ["http-bio-8443"]
Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.coyote.AbstractProtocol pause
Jan 26 20:42:30 idm1 server: INFO: Pausing ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.catalina.core.StandardService stopInternal
Jan 26 20:42:30 idm1 server: INFO: Stopping service Catalina
Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.coyote.AbstractProtocol stop
Jan 26 20:42:30 idm1 server: INFO: Stopping ProtocolHandler ["http-bio-8080"]
Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.coyote.AbstractProtocol stop
Jan 26 20:42:30 idm1 server: INFO: Stopping ProtocolHandler ["http-bio-8443"]
Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.coyote.AbstractProtocol stop
Jan 26 20:42:30 idm1 server: INFO: Stopping ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Jan 26 20:42:30 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[after_stop]
Jan 26 20:42:30 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_destroy]
Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.coyote.AbstractProtocol destroy
Jan 26 20:42:30 idm1 server: INFO: Destroying ProtocolHandler ["http-bio-8080"]
Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.coyote.AbstractProtocol destroy
Jan 26 20:42:30 idm1 server: INFO: Destroying ProtocolHandler ["http-bio-8443"]
Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.coyote.AbstractProtocol destroy
Jan 26 20:42:30 idm1 server: INFO: Destroying ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Jan 26 20:42:30 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[after_destroy]
Jan 26 20:42:30 idm1 server: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
Jan 26 20:42:30 idm1 server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
Jan 26 20:42:30 idm1 server: main class used: org.apache.catalina.startup.Bootstrap
Jan 26 20:42:30 idm1 server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni
Jan 26 20:42:30 idm1 server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
Jan 26 20:42:30 idm1 server: arguments used: stop
Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.catalina.startup.Catalina stopServer
Jan 26 20:42:30 idm1 server: SEVERE: Could not contact localhost:8005. Tomcat may not be running.
Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.catalina.startup.Catalina stopServer
Jan 26 20:42:30 idm1 server: SEVERE: Catalina.stop:
Jan 26 20:42:30 idm1 server: java.net.ConnectException: Connection refused (Connection refused)
Jan 26 20:42:30 idm1 server: at java.net.PlainSocketImpl.socketConnect(Native Method)
Jan 26 20:42:30 idm1 server: at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
Jan 26 20:42:30 idm1 server: at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
Jan 26 20:42:30 idm1 server: at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
Jan 26 20:42:30 idm1 server: at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
Jan 26 20:42:30 idm1 server: at java.net.Socket.connect(Socket.java:589)
Jan 26 20:42:30 idm1 server: at java.net.Socket.connect(Socket.java:538)
Jan 26 20:42:30 idm1 server: at java.net.Socket.<init>(Socket.java:434)
Jan 26 20:42:30 idm1 server: at java.net.Socket.<init>(Socket.java:211)
Jan 26 20:42:30 idm1 server: at org.apache.catalina.startup.Catalina.stopServer(Catalina.java:498)
Jan 26 20:42:30 idm1 server: at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Jan 26 20:42:30 idm1 server: at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
Jan 26 20:42:30 idm1 server: at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Jan 26 20:42:30 idm1 server: at java.lang.reflect.Method.invoke(Method.java:498)
Jan 26 20:42:30 idm1 server: at org.apache.catalina.startup.Bootstrap.stopServer(Bootstrap.java:343)
Jan 26 20:42:30 idm1 server: at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:430)
Jan 26 20:42:30 idm1 systemd: pki-tomcatd@pki-tomcat.service: control process exited, code=exited status=1
Jan 26 20:42:30 idm1 systemd: Unit pki-tomcatd@pki-tomcat.service entered failed state.
Jan 26 20:42:30 idm1 systemd: pki-tomcatd@pki-tomcat.service failed.
Jan 26 20:43:06 idm1 systemd: Starting 389 Directory Server XXXKD-FAU-DE....
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.135519647 +0100] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.137896015 +0100] - INFO - Security Initialization - SSL info: Enabling default cipher set.
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.138653476 +0100] - INFO - Security Initialization - SSL info: Configured NSS Ciphers
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.139362471 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.139997617 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.140969886 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.141763790 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.142425874 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.143128669 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.143876111 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.144506089 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.145128275 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.145681866 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.146327021 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.146946087 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.147538973 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.148175269 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.148809308 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.149468022 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.150081883 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.150700313 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.151358604 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.151978602 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.152607727 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.153363369 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.153985935 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.154615624 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.155162346 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.155751837 +0100] - INFO - Security Initialization - SSL info: #011TLS_AES_128_GCM_SHA256: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.156407344 +0100] - INFO - Security Initialization - SSL info: #011TLS_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.157006854 +0100] - INFO - Security Initialization - SSL info: #011TLS_AES_256_GCM_SHA384: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.166751450 +0100] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.2
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.167990669 +0100] - INFO - main - 389-Directory/1.3.6.1 B2018.025.1550 starting up
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.182152260 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.186165063 +0100] - WARN - default_mr_indexer_create - Plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.190789757 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.197372415 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.203502167 +0100] - NOTICE - ldbm_back_start - found 1532164k physical memory
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.204358115 +0100] - NOTICE - ldbm_back_start - found 945032k available
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.205099201 +0100] - NOTICE - ldbm_back_start - cache autosizing: db cache: 61286k
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.205772172 +0100] - NOTICE - ldbm_back_start - cache autosizing: userRoot entry cache (3 total): 65536k
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.207976581 +0100] - NOTICE - ldbm_back_start - cache autosizing: ipaca entry cache (3 total): 65536k
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.209935120 +0100] - NOTICE - ldbm_back_start - cache autosizing: changelog entry cache (3 total): 65536k
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.211955092 +0100] - NOTICE - ldbm_back_start - total cache size: 282989821 B;
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.268450630 +0100] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.282669243 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.283853676 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=keys,cn=sec,cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.284750958 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.285646359 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.286462970 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.287349607 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.288118043 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.289095649 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.289876366 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.290752671 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.291856781 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.292684559 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.293502496 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.294411988 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.295131467 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.295944190 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.296675050 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.297436245 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.298242490 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.299012600 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.299921149 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.307173136 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.308050707 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.414161967 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.417370681 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat".
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.418164001 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat".
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.419003673 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat".
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.451898960 +0100] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.454077292 +0100] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/idm1.XXXkd.fau.de@XXXKD.FAU.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.459158890 +0100] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
Jan 26 20:43:07 idm1 systemd: Started 389 Directory Server XXXKD-FAU-DE..
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.461550924 +0100] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.462589374 +0100] - INFO - slapd_daemon - Listening on /var/run/slapd-XXXKD-FAU-DE.socket for LDAPI requests
Jan 26 20:43:07 idm1 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: /tmp/krb5cc_993))
Jan 26 20:43:07 idm1 systemd: Starting Kerberos 5 KDC...
Jan 26 20:43:07 idm1 systemd: Started Kerberos 5 KDC.
Jan 26 20:43:07 idm1 systemd: Starting Kerberos 5 Password-changing and Administration...
Jan 26 20:43:07 idm1 systemd: Started Kerberos 5 Password-changing and Administration.
Jan 26 20:43:08 idm1 systemd: Starting The Apache HTTP Server...
Jan 26 20:43:08 idm1 ipa-httpd-kdcproxy: ipa : INFO KDC proxy enabled
Jan 26 20:43:08 idm1 systemd: Started The Apache HTTP Server.
Jan 26 20:43:09 idm1 systemd: Starting IPA Custodia Service...
Jan 26 20:43:09 idm1 ipa-custodia: 2018-01-26 20:43:09 - server - Serving on Unix socket /run/httpd/ipa-custodia.sock
Jan 26 20:43:09 idm1 systemd: Started IPA Custodia Service.
Jan 26 20:43:09 idm1 systemd: Starting Network Time Service...
Jan 26 20:43:09 idm1 ntpd[18606]: ntpd4.2.6p5@1.2349-o Wed Apr 12 21:24:06 UTC 2017 (1)
Jan 26 20:43:09 idm1 ntpd[18607]: proto: precision = 0.092 usec
Jan 26 20:43:09 idm1 ntpd[18607]: 0.0.0.0 c01d 0d kern kernel time sync enabled
Jan 26 20:43:09 idm1 systemd: Started Network Time Service.
Jan 26 20:43:09 idm1 ntpd[18607]: getaddrinfo: "2001:638:a000:b201::/64" invalid host address, ignored
Jan 26 20:43:09 idm1 ntpd[18607]: restrict: error in address '2001:638:a000:b201::/64' on line 21. Ignoring...
Jan 26 20:43:09 idm1 ntpd[18607]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
Jan 26 20:43:09 idm1 ntpd[18607]: Listen and drop on 1 v6wildcard :: UDP 123
Jan 26 20:43:09 idm1 ntpd[18607]: Listen normally on 2 lo 127.0.0.1 UDP 123
Jan 26 20:43:09 idm1 ntpd[18607]: Listen normally on 3 eth0 10.188.220.100 UDP 123
Jan 26 20:43:09 idm1 ntpd[18607]: Listen normally on 4 lo ::1 UDP 123
Jan 26 20:43:09 idm1 ntpd[18607]: Listen normally on 5 eth0 fe80::5054:ff:fe4e:b270 UDP 123
Jan 26 20:43:09 idm1 ntpd[18607]: Listen normally on 6 eth0 2001:638:a000:b201::220:100 UDP 123
Jan 26 20:43:10 idm1 ntpd[18607]: Listening on routing socket on fd #23 for interface updates
Jan 26 20:43:10 idm1 ntpd[18607]: 0.0.0.0 c016 06 restart
Jan 26 20:43:10 idm1 ntpd[18607]: 0.0.0.0 c012 02 freq_set ntpd -11.506 PPM
Jan 26 20:43:10 idm1 systemd: Starting PKI Tomcat Server pki-tomcat...
Jan 26 20:43:10 idm1 ns-slapd: [26/Jan/2018:20:43:10.654518701 +0100] - WARN - csngen_new_csn - Too much time skew (-414240 secs). Current seqnum=1
Jan 26 20:43:10 idm1 ns-slapd: [26/Jan/2018:20:43:10.903986761 +0100] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToidm2.XXXkd.fau.de" (idm2:389) - Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
Jan 26 20:43:11 idm1 ns-slapd: [26/Jan/2018:20:43:11.090525190 +0100] - WARN - csngen_new_csn - Too much time skew (-414241 secs). Current seqnum=1
Jan 26 20:43:11 idm1 ns-slapd: [26/Jan/2018:20:43:11.418472466 +0100] - WARN - csngen_new_csn - Too much time skew (-414242 secs). Current seqnum=1
Jan 26 20:43:11 idm1 ns-slapd: [26/Jan/2018:20:43:11.690552308 +0100] - WARN - csngen_new_csn - Too much time skew (-414242 secs). Current seqnum=1
Jan 26 20:43:11 idm1 ns-slapd: [26/Jan/2018:20:43:11.913216706 +0100] - WARN - csngen_new_csn - Too much time skew (-414243 secs). Current seqnum=1
Jan 26 20:43:12 idm1 pkidaemon: -----------------------
Jan 26 20:43:12 idm1 pkidaemon: Banner is not installed
Jan 26 20:43:12 idm1 pkidaemon: -----------------------
Jan 26 20:43:12 idm1 pkidaemon: ----------------------
Jan 26 20:43:12 idm1 pkidaemon: Enabled all subsystems
Jan 26 20:43:12 idm1 pkidaemon: ----------------------
Jan 26 20:43:12 idm1 systemd: Started PKI Tomcat Server pki-tomcat.
Jan 26 20:43:12 idm1 server: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
Jan 26 20:43:12 idm1 server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
Jan 26 20:43:12 idm1 server: main class used: org.apache.catalina.startup.Bootstrap
Jan 26 20:43:12 idm1 server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni
Jan 26 20:43:12 idm1 server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy
Jan 26 20:43:12 idm1 server: arguments used: start
Jan 26 20:43:12 idm1 ns-slapd: [26/Jan/2018:20:43:12.856244489 +0100] - ERR - schema-compat-plugin - Finished plugin initialization.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://idm1.XXXkd.fau.de:9080/ca/ocsp' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'strictCiphers' to 'true' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property.
Jan 26 20:43:13 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_init]
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.coyote.AbstractProtocol init
Jan 26 20:43:13 idm1 server: INFO: Initializing ProtocolHandler ["http-bio-8080"]
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.coyote.AbstractProtocol init
Jan 26 20:43:13 idm1 server: INFO: Initializing ProtocolHandler ["http-bio-8443"]
Jan 26 20:43:13 idm1 server: Error: SSL cipher "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" not recognized by tomcatjss
Jan 26 20:43:13 idm1 server: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" not recognized by tomcatjss
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.coyote.AbstractProtocol init
Jan 26 20:43:13 idm1 server: INFO: Initializing ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Jan 26 20:43:13 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[after_init]
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.Catalina load
Jan 26 20:43:13 idm1 server: INFO: Initialization processed in 887 ms
Jan 26 20:43:13 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_start]
Jan 26 20:43:13 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[configure_start]
Jan 26 20:43:13 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[start]
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.core.StandardService startInternal
Jan 26 20:43:13 idm1 server: INFO: Starting service Catalina
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.core.StandardEngine startInternal
Jan 26 20:43:13 idm1 server: INFO: Starting Servlet Engine: Apache Tomcat/7.0.76
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:43:13 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml
Jan 26 20:43:13 idm1 server: SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
Jan 26 20:43:13 idm1 server: SSLAuthenticatorWithFallback: Setting container
Jan 26 20:43:14 idm1 ntpd[18607]: 0.0.0.0 c515 05 clock_sync
Jan 26 20:43:15 idm1 server: Jan 26, 2018 8:43:15 PM org.apache.catalina.startup.TldConfig execute
Jan 26 20:43:15 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jan 26 20:43:15 idm1 server: SSLAuthenticatorWithFallback: Initializing authenticators
Jan 26 20:43:15 idm1 server: SSLAuthenticatorWithFallback: Starting authenticators
Jan 26 20:43:15 idm1 server: CMSEngine.initializePasswordStore() begins
Jan 26 20:43:15 idm1 server: CMSEngine.initializePasswordStore(): tag=internaldb
Jan 26 20:43:15 idm1 server: CMSEngine.initializePasswordStore(): tag=replicationdb
Jan 26 20:43:16 idm1 ns-slapd: [26/Jan/2018:20:43:16.928242338 +0100] - WARN - csngen_new_csn - Too much time skew (-414239 secs). Current seqnum=1
Jan 26 20:43:17 idm1 ns-slapd: [26/Jan/2018:20:43:17.631952903 +0100] - WARN - csngen_new_csn - Too much time skew (-414239 secs). Current seqnum=1
Jan 26 20:43:17 idm1 ns-slapd: [26/Jan/2018:20:43:17.654048776 +0100] - WARN - csngen_new_csn - Too much time skew (-414240 secs). Current seqnum=1
Jan 26 20:43:18 idm1 server: SelfTestSubsystem: Disabling "ca" subsystem due to selftest failure.
Jan 26 20:43:18 idm1 server: -----------------------
Jan 26 20:43:18 idm1 server: Disabled "ca" subsystem
Jan 26 20:43:18 idm1 server: -----------------------
Jan 26 20:43:18 idm1 server: Subsystem ID: ca
Jan 26 20:43:18 idm1 server: Instance ID: pki-tomcat
Jan 26 20:43:18 idm1 server: Enabled: False
Jan 26 20:43:18 idm1 server: Invalid class name repositorytop
Jan 26 20:43:19 idm1 server: Invalid class name repositorytop
Jan 26 20:43:19 idm1 server: at com.netscape.cmscore.dbs.DBRegistry.createObject(DBRegistry.java:485)
Jan 26 20:43:19 idm1 server: at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:167)
Jan 26 20:43:19 idm1 server: at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:137)
Jan 26 20:43:19 idm1 server: at com.netscape.cmscore.dbs.Repository.getSerialNumber(Repository.java:125)
Jan 26 20:43:19 idm1 server: at com.netscape.cmscore.dbs.Repository.initCache(Repository.java:244)
Jan 26 20:43:19 idm1 server: at com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:460)
Jan 26 20:43:19 idm1 server: at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1378)
Jan 26 20:43:19 idm1 server: at com.netscape.certsrv.apps.CMS.startup(CMS.java:202)
Jan 26 20:43:19 idm1 server: at com.netscape.certsrv.apps.CMS.start(CMS.java:1632)
Jan 26 20:43:19 idm1 server: at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
Jan 26 20:43:19 idm1 server: at javax.servlet.GenericServlet.init(GenericServlet.java:158)
Jan 26 20:43:19 idm1 server: at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Jan 26 20:43:19 idm1 server: at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
Jan 26 20:43:19 idm1 server: at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Jan 26 20:43:19 idm1 server: at java.lang.reflect.Method.invoke(Method.java:498)
Jan 26 20:43:19 idm1 server: at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
Jan 26 20:43:19 idm1 server: at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
Jan 26 20:43:19 idm1 server: at java.security.AccessController.doPrivileged(Native Method)
Jan 26 20:43:19 idm1 server: at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
Jan 26 20:43:19 idm1 server: at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
Jan 26 20:43:19 idm1 server: at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
Jan 26 20:43:19 idm1 server: at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1257)
Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1182)
Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1072)
Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5368)
Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5660)
Jan 26 20:43:19 idm1 server: at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
Jan 26 20:43:19 idm1 server: at java.security.AccessController.doPrivileged(Native Method)
Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
Jan 26 20:43:19 idm1 server: at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
Jan 26 20:43:19 idm1 server: at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
Jan 26 20:43:19 idm1 server: at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
Jan 26 20:43:19 idm1 server: at java.util.concurrent.FutureTask.run(FutureTask.java:266)
Jan 26 20:43:19 idm1 server: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
Jan 26 20:43:19 idm1 server: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
Jan 26 20:43:19 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 26 20:43:19 idm1 server: Jan 26, 2018 8:43:19 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:43:19 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 5,274 ms
Jan 26 20:43:19 idm1 server: Jan 26, 2018 8:43:19 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:43:19 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml
Jan 26 20:43:19 idm1 server: Jan 26, 2018 8:43:19 PM org.apache.catalina.startup.TldConfig execute
Jan 26 20:43:19 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jan 26 20:43:19 idm1 server: Jan 26, 2018 8:43:19 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:43:19 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml has finished in 738 ms
Jan 26 20:43:19 idm1 server: Jan 26, 2018 8:43:19 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:43:19 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml
Jan 26 20:43:20 idm1 server: Jan 26, 2018 8:43:20 PM org.apache.catalina.startup.TldConfig execute
Jan 26 20:43:20 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jan 26 20:43:20 idm1 server: Jan 26, 2018 8:43:20 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:43:20 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml has finished in 1,088 ms
Jan 26 20:43:20 idm1 server: Jan 26, 2018 8:43:20 PM org.apache.coyote.AbstractProtocol start
Jan 26 20:43:20 idm1 server: INFO: Starting ProtocolHandler ["http-bio-8080"]
Jan 26 20:43:20 idm1 server: Jan 26, 2018 8:43:20 PM org.apache.coyote.AbstractProtocol start
Jan 26 20:43:20 idm1 server: INFO: Starting ProtocolHandler ["http-bio-8443"]
Jan 26 20:43:20 idm1 server: Jan 26, 2018 8:43:20 PM org.apache.coyote.AbstractProtocol start
Jan 26 20:43:20 idm1 server: INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Jan 26 20:43:20 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[after_start]
Jan 26 20:43:20 idm1 server: PKIListener: Subsystem CA is disabled.
Jan 26 20:43:20 idm1 server: PKIListener: Check /var/log/pki/pki-tomcat/ca/selftests.log for possible errors.
Jan 26 20:43:20 idm1 server: PKIListener: To enable the subsystem: Jan 26 20:43:20 idm1 server: PKIListener: pki-server subsystem-enable -i pki-tomcat ca Jan 26 20:43:20 idm1 server: Jan 26, 2018 8:43:20 PM org.apache.catalina.startup.Catalina start Jan 26 20:43:20 idm1 server: INFO: Server startup in 7197 ms Jan 26 20:43:21 idm1 ns-slapd: [26/Jan/2018:20:43:21.078383741 +0100] - WARN - csngen_new_csn - Too much time skew (-414238 secs). Current seqnum=1 Jan 26 20:43:21 idm1 ns-slapd: [26/Jan/2018:20:43:21.369142943 +0100] - WARN - csngen_new_csn - Too much time skew (-414239 secs). Current seqnum=1 Jan 26 20:43:29 idm1 ns-slapd: [26/Jan/2018:20:43:29.176587570 +0100] - WARN - csngen_new_csn - Too much time skew (-414232 secs). Current seqnum=1 Jan 26 20:43:31 idm1 server: Jan 26, 2018 8:43:31 PM org.apache.catalina.startup.HostConfig undeploy Jan 26 20:43:31 idm1 server: INFO: Undeploying context [/ca] Jan 26 20:43:31 idm1 server: SSLAuthenticatorWithFallback: Stopping authenticators Jan 26 20:43:31 idm1 server: Jan 26, 2018 8:43:31 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads Jan 26 20:43:31 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-0ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak. Jan 26 20:43:31 idm1 server: Jan 26, 2018 8:43:31 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads Jan 26 20:43:31 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-2ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak. Jan 26 20:43:31 idm1 server: Jan 26, 2018 8:43:31 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads Jan 26 20:43:31 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [authorityMonitor] but has failed to stop it. 
This is very likely to create a memory leak. Jan 26 20:43:31 idm1 server: Jan 26, 2018 8:43:31 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads Jan 26 20:43:31 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-3ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak. Jan 26 20:43:31 idm1 server: Jan 26, 2018 8:43:31 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads Jan 26 20:43:31 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [profileChangeMonitor] but has failed to stop it. This is very likely to create a memory leak. Jan 26 20:43:31 idm1 server: SSLAuthenticatorWithFallback: Setting container Jan 26 20:43:38 idm1 ns-slapd: [26/Jan/2018:20:43:38.212105934 +0100] - WARN - csngen_new_csn - Too much time skew (-414224 secs). Current seqnum=1 Jan 26 20:43:38 idm1 ns-slapd: [26/Jan/2018:20:43:38.221564490 +0100] - WARN - csngen_new_csn - Too much time skew (-414225 secs). Current seqnum=1 Jan 26 20:43:50 idm1 ns-slapd: [26/Jan/2018:20:43:50.895768971 +0100] - WARN - csngen_new_csn - Too much time skew (-414213 secs). Current seqnum=1 Jan 26 20:43:50 idm1 ns-slapd: [26/Jan/2018:20:43:50.928585085 +0100] - WARN - csngen_new_csn - Too much time skew (-414214 secs). Current seqnum=1 Jan 26 20:43:50 idm1 ns-slapd: [26/Jan/2018:20:43:50.973568568 +0100] - WARN - csngen_new_csn - Too much time skew (-414215 secs). Current seqnum=1 Jan 26 20:43:50 idm1 ns-slapd: [26/Jan/2018:20:43:50.996767806 +0100] - WARN - csngen_new_csn - Too much time skew (-414216 secs). Current seqnum=1 Jan 26 20:43:53 idm1 ns-slapd: [26/Jan/2018:20:43:53.245471011 +0100] - WARN - csngen_new_csn - Too much time skew (-414215 secs). Current seqnum=1 Jan 26 20:44:09 idm1 ns-slapd: [26/Jan/2018:20:44:09.057455395 +0100] - WARN - csngen_new_csn - Too much time skew (-414200 secs). 
Current seqnum=1 Jan 26 20:44:09 idm1 ns-slapd: [26/Jan/2018:20:44:09.080883041 +0100] - WARN - csngen_new_csn - Too much time skew (-414201 secs). Current seqnum=1 Jan 26 20:44:22 idm1 ns-slapd: [26/Jan/2018:20:44:22.056086120 +0100] - WARN - csngen_new_csn - Too much time skew (-414189 secs). Current seqnum=1 Jan 26 20:44:22 idm1 ns-slapd: [26/Jan/2018:20:44:22.083244850 +0100] - WARN - csngen_new_csn - Too much time skew (-414190 secs). Current seqnum=1 Jan 26 20:44:22 idm1 ns-slapd: [26/Jan/2018:20:44:22.090879226 +0100] - WARN - csngen_new_csn - Too much time skew (-414191 secs). Current seqnum=1 _______________________________________________ FreeIPA-users mailing list --freeipa-users@lists.fedorahosted.org To unsubscribe send an email tofreeipa-users-leave@lists.fedorahosted.org
pki-tomcatd does not start because the 'auditSigningCert cert-pki-ca' is always invalid (expired or not valid now)
Old one
Not Before: Feb 9 12:01:11 2016 GMT
Not After : Jan 29 12:01:11 2018 GMT
New one
Not Before: Jan 29 13:22:53 2018 GMT
Not After : Jan 19 13:22:53 2020 GMT
Can I just restore this certificate from an old backup and try to resubmit it long before it is expiring?
Or do I have to do an ipa-restore from the old backup?
This certificate is also already replicated to the replicas.
On 01.02.2018 01:48, Fraser Tweedale via FreeIPA-users wrote:
On Wed, Jan 31, 2018 at 04:58:30PM +0100, Christof Schulze via FreeIPA-users wrote:
Hi,
did time roll back. Does look like the pki-tomcatd is not running, and can not be restarted.
Checked the userCertificates, they look identical to me.
The Certificate requests for the three expiring certificates are now in SUBMITTING-state. Can't see any other Errors than:
Jan 26 20:23:59 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[16805]: dogtag-ipa-renew-agent returned 2
Jan 26 20:30:36 idm1.XXXkd.fau.de systemd[1]: Stopping Certificate monitoring and PKI enrollment...
Jan 26 20:30:36 idm1.XXXkd.fau.de systemd[1]: Starting Certificate monitoring and PKI enrollment...
Is there some way to start certmonger and maybe the pki-tomcatd in debugging mode?
What is in /var/log/pki/pki-tomcat/ca/debug? If it is not starting properly, there should be some output in there related to that.
Thanks, Fraser
On 31.01.2018 00:27, Fraser Tweedale via FreeIPA-users wrote:
On Tue, Jan 30, 2018 at 05:29:46PM +0100, Christof Schulze via FreeIPA-users wrote:
Hi,
Checked AVCs first. SELinux is always a burden on our Fedora Clients.
Certmonger is still trying.
Does it make sense to make some time travel for certificate renewal with the Renewal master, even if the renewal didn't work when the certificates were still valid?
Time travel will be necessary.
Wind the clock back on the renewal master to a time when all certs are valid, and then investigate why renewal was failing.
Please check that the userCertificate attributes of the following entries are in sync with their corresponding certificates:
- uid=ipara,ou=people,o=ipaca must match /var/lib/ipa/ra-agent.pem
- uid=pkidbuser,ou=people,o=ipaca must match /etc/pki/pki-tomcat/alias : 'subsystemCert cert-pki-ca'
Cheers, Fraser
On 30.01.2018 16:42, Rob Crittenden via FreeIPA-users wrote:
Christof Schulze via FreeIPA-users wrote:
Hi,
Here may be the problem, all are masters, the idm1 I am working on is the CA renewal master (checked ldap and config-show).
IPA masters: idm1.ww8kd.fau.de, idm2.ww8kd.fau.de, idm3.ww8kd.fau.de
IPA CA servers: idm1.ww8kd.fau.de, idm2.ww8kd.fau.de, idm3.ww8kd.fau.de
IPA NTP servers: idm1.ww8kd.fau.de, idm2.ww8kd.fau.de, idm3.ww8kd.fau.de
IPA CA renewal master: idm1.ww8kd.fau.de
But when checking the different points on the site linked by you, I can see: All of them have
ca.crl.MasterCRL.enableCRLUpdates=false
ca.crl.MasterCRL.enableCRLCache=false
And all of them have the RewriteRule in the /etc/httpd/conf.d/ipa-pki-proxy.conf.
I remember years ago the original idm1 got roasted by some electrical surge. And I think it got cloned by one of the others (documentation would be king).
So all of them are clones and we don't have a CRL generation master.
The renewed "auditSigningCert cert-pki-ca" on the master didn't get replicated to the others.
Can I just promote idm1 to become CRL generation master by setting
ca.crl.MasterCRL.enableCRLUpdates=true
ca.crl.MasterCRL.enableCRLCache=true
Yes but that won't affect renewal.
And how to get new certificates?
As Flo suggested, check syslog for certmonger messages. Look for AVCs.
Look at the output of getcert list to see what the status and errors are.
rob
And Thanks for your patience.
On 30.01.2018 14:26, Florence Blanc-Renaud wrote:
> On 01/30/2018 02:02 PM, Christof Schulze via FreeIPA-users wrote:
>> Hi,
>>
>> Now the roof is on fire, all certificates are synced on all masters
>> since a long time ago.
>>
>> The not renewing certificates in /etc/pki/pki-tomcat/alias have now
>> expired
>> "subsystemCert cert-pki-ca" , "ocspSigningCert cert-pki-ca" ,
>> "/var/lib/ipa/ra-agent.pem"
>>
>> The "auditSigningCert cert-pki-ca" certificate is the only one which
>> has been renewed. (Old Serial Number: 5 (0x5), New Serial Number:
>> 536739845 (0x1ffe0005) valid till 2020)
>>
>> The userCertificate in (uid=ipara,ou=people,o=ipaca) and the IPA RA
>> certificate in /var/lib/ipa/ra-agent.pem are matching and expired.
>>
>>
>> pki-tomcat can no longer access the ldap.
>>
>> slapi_ldap_bind - Error: could not send startTLS request: error
>> -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not
>> connected)
>>
>>
>> Is there some way this situation can be solved?
> Hi,
>
> you need first to identify who is your renewal master and start
> repairing this machine. You can use ipa config-show or a direct
> ldapsearch as described here
> (https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Iden...)
> to find the renewal master.
>
> On the renewal master, check if the certificates have been properly
> renewed. If it is not the case, you will need to chase the failure by
> checking SE linux AVCs or errors in the journal produced by certmonger.
> The renewal master really needs to be repaired first, as it is the
> source containing some certs that will later be downloaded by the
> other masters.
>
> Flo
>
>>
>> Thanks
>>
>> Christof Schulze
>>
>>
>>
>> Request ID '20171206120336':
>> status: MONITORING
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>> cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>> cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some
>> Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
>> subject: CN=CA Audit,O=XXXKD.FAU.DE,OU=Some Institute (XXX) -
>> FAU,C=DE,E=guy@example.com,L=FUERTH
>> expires: 2020-01-19 13:22:53 UTC
>> key usage: digitalSignature,nonRepudiation
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>> "auditSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20171206120337':
>> status: MONITORING
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
>> cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
>> cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some
>> Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
>> subject: CN=OCSP Subsystem,O=XXXKD.FAU.DE,OU=Some Institute
>> (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
>> expires: 2018-01-29 12:00:44 UTC
>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>> eku: id-kp-OCSPSigning
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>> "ocspSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20171206120338':
>> status: MONITORING
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
>> cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
>> cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some
>> Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
>> subject: CN=CA Subsystem,O=XXXKD.FAU.DE,OU=Some Institute (XXX)
>> - FAU,C=DE,E=guy@example.com,L=FUERTH
>> expires: 2018-01-29 12:00:44 UTC
>> key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>> "subsystemCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20171206120340':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
>> certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some
>> Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
>> subject: CN=IPA RA,O=XXXKD.FAU.DE,OU=Some Institute (XXX) -
>> FAU,C=DE,E=guy@example.com,L=FUERTH
>> expires: 2018-01-29 12:01:11 UTC
>> key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>> track: yes
>> auto-renew: yes
>>
>>
>> On 30.01.2018 00:40, Fraser Tweedale via FreeIPA-users wrote:
>>> On Mon, Jan 29, 2018 at 03:55:07PM +0100, Christof Schulze via
>>> FreeIPA-users wrote:
>>>> Hi,
>>>>
>>>> some certificates on our freeipa-cluster (3 servers) are have been not
>>>> renewed till now, 2 hours before expiring. Can this be a problem?
>>>>
>>>> Some of the certificates, the ones expiring show "ca-error:
>>>> Invalid cookie:
>>>> '' in the "getcert list" output, what makes me nervous.
>>>>
>>>> We also have the problem when certmonger can not reach the CA
>>>> CA_UNREACHABLE
>>>> after restarting a freeipa-server. But when we restart the
>>>> certmonger.server
>>>> after everything being up again everything looks good.
>>>>
>>>> Maybe you can give me some advice what to check and which logs you
>>>> else
>>>> would need.
>>>>
>>>>
>>>> Thanks
>>>>
>>>> Christof Schulze
>>>>
>>> Hi Christof,
>>>
>>> Yes, it is a problem. They should have been renewed before now.
>>> The errors in `getcert list' output show that there has been a
>>> problem.
>>>
>>> First, check that all certificates are valid, all certificates have
>>> been synced across all masters using `ipa-certupdate` on each
>>> master. You should also check that the userCertificate attribute in
>>> entry:
>>>
>>> uid=ipara,ou=people,o=ipaca
>>>
>>> matches the actual IPA RA certificate in /var/lib/ipa/ra-agent.pem
>>>
>>> Also check that your topology has correct renewal master
>>> configuration. ldapsearch cn=masters,cn=ipa,cn=etc,dc=ipa,dc=local
>>> with filter (&(cn=CA)(ipaConfigString=caRenewalMaster)). It should
>>> return exactly one entry and it must be a valid, active master.
>>>
>>> HTH,
>>> Fraser
>>
>
journalctl -u certmonger.service
Jan 29 20:43:46 idm1.ww8kd.fau.de certmonger[13223]: Certificate in file "/var/lib/ipa/ra-agent.pem" is no longer valid.
Jan 29 20:43:49 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13225]: Forwarding request to dogtag-ipa-renew-agent
Jan 29 20:43:49 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13225]: dogtag-ipa-renew-agent returned 2
.... repeating till...
Jan 29 20:45:10 idm1.ww8kd.fau.de certmonger[13328]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
Jan 29 20:45:13 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13330]: Forwarding request to dogtag-ipa-renew-agent
.... repeating till...
Jan 29 20:53:36 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13943]: dogtag-ipa-renew-agent returned 2
Jan 29 20:53:47 idm1.ww8kd.fau.de certmonger[13954]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
Jan 29 20:53:49 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13956]: Forwarding request to dogtag-ipa-renew-agent
Jan 29 20:53:49 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13956]: dogtag-ipa-renew-agent returned 2
.... repeating till...
Jan 29 20:55:57 idm1.ww8kd.fau.de certmonger[14110]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
Jan 29 20:55:59 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[14112]: Forwarding request to dogtag-ipa-renew-agent
Jan 29 20:55:59 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[14112]: dogtag-ipa-renew-agent returned 2
.... repeating
Then suddenly:
Jan 30 16:09:31 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[27370]: Traceback (most recent call last):
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 540, in <module>
    sys.exit(main())
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 514, in main
    kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
  File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 43, in kinit_keytab
    cred = gssapi.Credentials(name=name, store=store, usage='initiate')
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 64, in __new__
    store=store)
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 148, in acquire
    usage)
  File "ext_cred_store.pyx", line 182, in gssapi.raw.ext_cred_store.acquire_cred_from (gssapi/raw/ext_cred_store.c:1732)
GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639068): Cannot contact any KDC for realm 'WW8KD.FAU.DE'
Jan 30 16:09:31 idm1.ww8kd.fau.de certmonger[15905]: 2018-01-30 16:09:31 [15905] Internal error
Jan 30 16:09:50 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[27500]: Traceback (most recent call last):
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 540, in <module>
    sys.exit(main())
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 514, in main
    kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
  File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 43, in kinit_keytab
    cred = gssapi.Credentials(name=name, store=store, usage='initiate')
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 64, in __new__
    store=store)
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 148, in acquire
    usage)
  File "ext_cred_store.pyx", line 182, in gssapi.raw.ext_cred_store.acquire_cred_from (gssapi/raw/ext_cred_store.c:1732)
GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639068): Cannot contact any KDC for realm 'WW8KD.FAU.DE'
Jan 30 16:09:50 idm1.ww8kd.fau.de certmonger[15905]: 2018-01-30 16:09:50 [15905] Internal error
Jan 30 16:09:51 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[27509]: Traceback (most recent call last):
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 540, in <module>
    sys.exit(main())
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 514, in main
    kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
  File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 43, in kinit_keytab
    cred = gssapi.Credentials(name=name, store=store, usage='initiate')
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 64, in __new__
    store=store)
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 148, in acquire
    usage)
  File "ext_cred_store.pyx", line 182, in gssapi.raw.ext_cred_store.acquire_cred_from (gssapi/raw/ext_cred_store.c:1732)
GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639068): Cannot contact any KDC for realm 'WW8KD.FAU.DE'
Jan 30 16:09:51 idm1.ww8kd.fau.de certmonger[15905]: 2018-01-30 16:09:51 [15905] Internal error
Jan 30 16:15:03 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[28056]: Forwarding request to dogtag-ipa-renew-agent
Jan 30 16:15:03 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[28056]: dogtag-ipa-renew-agent returned 2
.... repeating till end...
an 30 17:10:18 idm1 certmonger: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid. Jan 30 17:10:20 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent Jan 30 17:10:20 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2 Jan 30 17:10:24 idm1 server: Jan 30, 2018 5:10:24 PM org.apache.catalina.core.ContainerBase backgroundProcess Jan 30 17:10:24 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process Jan 30 17:10:24 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable Jan 30 17:10:24 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137) Jan 30 17:10:24 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356) Jan 30 17:10:24 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958) Jan 30 17:10:24 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542) Jan 30 17:10:24 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552) Jan 30 17:10:24 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552) Jan 30 17:10:24 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520) Jan 30 17:10:24 idm1 server: at java.lang.Thread.run(Thread.java:748) Jan 30 17:10:26 idm1 certmonger: Certificate in file "/var/lib/ipa/ra-agent.pem" is no longer valid. 
Jan 30 17:10:28 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent Jan 30 17:10:28 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2 Jan 30 17:10:34 idm1 server: Jan 30, 2018 5:10:34 PM org.apache.catalina.core.ContainerBase backgroundProcess Jan 30 17:10:34 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process Jan 30 17:10:34 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable Jan 30 17:10:34 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137) Jan 30 17:10:34 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356) Jan 30 17:10:34 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958) Jan 30 17:10:34 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542) Jan 30 17:10:34 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552) Jan 30 17:10:34 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552) Jan 30 17:10:34 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520) Jan 30 17:10:34 idm1 server: at java.lang.Thread.run(Thread.java:748) Jan 30 17:10:44 idm1 server: Jan 30, 2018 5:10:44 PM org.apache.catalina.core.ContainerBase backgroundProcess Jan 30 17:10:44 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process Jan 30 17:10:44 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable Jan 30 17:10:44 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137) Jan 30 17:10:44 idm1 server: at 
org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356) Jan 30 17:10:44 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958) Jan 30 17:10:44 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542) Jan 30 17:10:44 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552) Jan 30 17:10:44 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552) Jan 30 17:10:44 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520) Jan 30 17:10:44 idm1 server: at java.lang.Thread.run(Thread.java:748) Jan 30 17:10:44 idm1 certmonger: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid. Jan 30 17:10:46 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent Jan 30 17:10:46 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2 Jan 30 17:10:50 idm1 certmonger: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid. 
Jan 30 17:10:53 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent Jan 30 17:10:53 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2 Jan 30 17:10:54 idm1 server: Jan 30, 2018 5:10:54 PM org.apache.catalina.core.ContainerBase backgroundProcess Jan 30 17:10:54 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process Jan 30 17:10:54 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable Jan 30 17:10:54 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137) Jan 30 17:10:54 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356) Jan 30 17:10:54 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958) Jan 30 17:10:54 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542) Jan 30 17:10:54 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552) Jan 30 17:10:54 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552) Jan 30 17:10:54 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520) Jan 30 17:10:54 idm1 server: at java.lang.Thread.run(Thread.java:748) Jan 30 17:10:58 idm1 certmonger: Certificate in file "/var/lib/ipa/ra-agent.pem" is no longer valid. Jan 30 17:11:01 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent Jan 30 17:11:01 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
-- Christof Schulze
Institute of Materials Simulation (WW8) Department of Materials Science Friedrich-Alexander-University Erlangen-Nürnberg Dr.-Mack-Str. 77, 90762 Fürth, Germany
Tel: 0911/65078-65069 Email: christof.schulze@ww.uni-erlangen.de
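Added example, not part of the original thread: winding the clock back only helps if there is a moment at which every tracked certificate is valid, and the renewed auditSigningCert quoted above starts after the other three expire. This Python sketch intersects the validity windows; the Not Before used for the three unrenewed certificates (ASSUMED_START) is constructed, since the thread only shows their expiry, and all function names are illustrative.

```python
"""Check whether one clock setting makes every tracked certificate valid."""
from datetime import datetime, timezone

MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


def parse_x509_time(text):
    """Parse the 'Feb 9 12:01:11 2016 GMT' form quoted in the thread."""
    month, day, clock, year, zone = text.split()
    if zone != "GMT":
        raise ValueError("expected a GMT timestamp, got %r" % text)
    hour, minute, second = (int(part) for part in clock.split(":"))
    return datetime(int(year), MONTHS[month], int(day),
                    hour, minute, second, tzinfo=timezone.utc)


# Constructed value: the thread never shows Not Before for these three certs.
ASSUMED_START = "Feb 9 12:01:11 2016 GMT"

# Both auditSigningCert validity periods are quoted in the thread.
OLD_AUDIT = ("Feb 9 12:01:11 2016 GMT", "Jan 29 12:01:11 2018 GMT")
NEW_AUDIT = ("Jan 29 13:22:53 2018 GMT", "Jan 19 13:22:53 2020 GMT")

# Expiry times taken from the "expires:" lines of the getcert list output.
UNRENEWED = {
    "ocspSigningCert cert-pki-ca": (ASSUMED_START, "Jan 29 12:00:44 2018 GMT"),
    "subsystemCert cert-pki-ca": (ASSUMED_START, "Jan 29 12:00:44 2018 GMT"),
    "/var/lib/ipa/ra-agent.pem": (ASSUMED_START, "Jan 29 12:01:11 2018 GMT"),
}


def tracked(audit):
    """Return the full set of tracked certs with the given audit cert."""
    certs = dict(UNRENEWED)
    certs["auditSigningCert cert-pki-ca"] = audit
    return certs


def spans(certs):
    """Convert the textual (notBefore, notAfter) pairs to datetimes."""
    return {name: (parse_x509_time(nb), parse_x509_time(na))
            for name, (nb, na) in certs.items()}


def common_window(certs):
    """Return (start, end) in which all certs are valid, or None."""
    parsed = spans(certs).values()
    start = max(nb for nb, _ in parsed)
    end = min(na for _, na in parsed)
    return (start, end) if start <= end else None


def invalid_at(certs, when):
    """Names of certs that are expired or not yet valid at 'when'."""
    return sorted(name for name, (nb, na) in spans(certs).items()
                  if not nb <= when <= na)


def conflicts(certs):
    """Pairs (a, b) where a expires before b becomes valid."""
    parsed = spans(certs)
    return sorted((a, b) for a in parsed for b in parsed
                  if parsed[a][1] < parsed[b][0])


if __name__ == "__main__":
    # 26 Jan 2018 20:00 +0100, the rolled-back time seen in the logs.
    rolled_back = datetime(2018, 1, 26, 19, 0, tzinfo=timezone.utc)
    for label, audit in (("renewed audit cert", NEW_AUDIT),
                         ("audit cert from backup", OLD_AUDIT)):
        certs = tracked(audit)
        print(label)
        print("  common window:", common_window(certs))
        print("  invalid at rolled-back time:", invalid_at(certs, rolled_back))
        print("  conflicting pairs:", conflicts(certs))
```

With the renewed audit certificate in place there is no common window, which matches the report that auditSigningCert is "always invalid" at any rolled-back time; with the earlier audit certificate the window runs until the first expiry on 29 Jan 2018.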
journalctl -u certmonger.service
Jan 26 20:03:58 idm1.XXXkd.fau.de ipa-submit[15799]: GSSAPI client step 1
Jan 26 20:03:58 idm1.XXXkd.fau.de ipa-submit[15799]: GSSAPI client step 1
Jan 26 20:03:58 idm1.XXXkd.fau.de ipa-submit[15799]: GSSAPI client step 1
Jan 26 20:03:58 idm1.XXXkd.fau.de ipa-submit[15799]: GSSAPI client step 1
Jan 26 20:03:58 idm1.XXXkd.fau.de ipa-submit[15799]: GSSAPI client step 2
Jan 26 20:03:59 idm1.XXXkd.fau.de certmonger[15838]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20180129120044.
Jan 26 20:04:32 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[15860]: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:04:32 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[15860]: dogtag-ipa-renew-agent returned 2
Jan 26 20:04:42 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[15853]: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:04:42 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[15853]: dogtag-ipa-renew-agent returned 2
Jan 26 20:04:52 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[15851]: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:04:52 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[15851]: dogtag-ipa-renew-agent returned 2
Jan 26 20:06:08 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[16044]: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:06:08 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[16044]: dogtag-ipa-renew-agent returned 2
Jan 26 20:16:36 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[16726]: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:16:37 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[16726]: dogtag-ipa-renew-agent returned 2
Jan 26 20:17:37 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[16746]: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:17:37 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[16746]: dogtag-ipa-renew-agent returned 2
Jan 26 20:23:59 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[16805]: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:23:59 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[16805]: dogtag-ipa-renew-agent returned 2
Request ID '20171206120337':
        status: SUBMITTING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=christof.schulze@fau.de,L=FUERTH
        subject: CN=OCSP Subsystem,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=christof.schulze@fau.de,L=FUERTH
        expires: 2018-01-29 12:00:44 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        eku: id-kp-OCSPSigning
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20171206120338':
        status: SUBMITTING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=christof.schulze@fau.de,L=FUERTH
        subject: CN=CA Subsystem,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=christof.schulze@fau.de,L=FUERTH
        expires: 2018-01-29 12:00:44 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20171206120340':
        status: SUBMITTING
        stuck: no
        key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=christof.schulze@fau.de,L=FUERTH
        subject: CN=IPA RA,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=christof.schulze@fau.de,L=FUERTH
        expires: 2018-01-29 12:01:11 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
        post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
ldapsearch -x -h localhost -b uid=pkidbuser,ou=people,o=ipaca
# extended LDIF
#
# LDAPv3
# base <uid=pkidbuser,ou=people,o=ipaca> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# pkidbuser, people, ipaca
dn: uid=pkidbuser,ou=people,o=ipaca
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
uid: pkidbuser
sn: pkidbuser
cn: pkidbuser
mail:
usertype: agentType
userstate: 1
description: 2;4;CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Institute of Mater
 ials Simulation (XXX) - FAU,C=DE,E=christof.schulze@fau.de,L=FUERTH;CN=CA Sub
 system,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E
 =christof.schulze@fau.de,L=FUERTH
userCertificate:: MIIEcz .................
seeAlso: CN=CA Subsystem,O=XXXKD.FAU.DE,OU=Some Institute (
 XXX) - FAU,C=DE,E=christof.schulze@fau.de,L=FUERTH

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
Jan 26 20:00:00 idm1 systemd: Time has been changed
Jan 26 20:00:05 idm1 server: Jan 26, 2018 8:00:05 PM org.apache.catalina.core.ContainerBase backgroundProcess
Jan 26 20:00:05 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process
Jan 26 20:00:05 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Jan 26 20:00:05 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
Jan 26 20:00:05 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
Jan 26 20:00:05 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
Jan 26 20:00:05 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
Jan 26 20:00:05 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 26 20:00:05 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 26 20:00:05 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
Jan 26 20:00:05 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 26 20:00:10 idm1 ns-slapd: [26/Jan/2018:20:00:10.040578826 +0100] - WARN - csngen_new_csn - Too much time skew (-416592 secs). Current seqnum=4
Jan 26 20:00:10 idm1 ns-slapd: [26/Jan/2018:20:00:10.061165225 +0100] - WARN - csngen_new_csn - Too much time skew (-416593 secs). Current seqnum=5
Jan 26 20:00:10 idm1 ns-slapd: [26/Jan/2018:20:00:10.087176808 +0100] - WARN - csngen_new_csn - Too much time skew (-416594 secs). Current seqnum=6
Jan 26 20:00:10 idm1 ns-slapd: [26/Jan/2018:20:00:10.093683659 +0100] - WARN - csngen_new_csn - Too much time skew (-416595 secs). Current seqnum=7
Jan 26 20:00:15 idm1 server: Jan 26, 2018 8:00:15 PM org.apache.catalina.core.ContainerBase backgroundProcess
Jan 26 20:00:15 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process
Jan 26 20:00:15 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Jan 26 20:00:15 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
Jan 26 20:00:15 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
Jan 26 20:00:15 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
Jan 26 20:00:15 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
Jan 26 20:00:15 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 26 20:00:15 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 26 20:00:15 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
Jan 26 20:00:15 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 26 20:00:25 idm1 server: Jan 26, 2018 8:00:25 PM org.apache.catalina.core.ContainerBase backgroundProcess
Jan 26 20:00:25 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process
Jan 26 20:00:25 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Jan 26 20:00:25 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
Jan 26 20:00:25 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
Jan 26 20:00:25 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
Jan 26 20:00:25 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
Jan 26 20:00:25 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 26 20:00:25 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 26 20:00:25 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
Jan 26 20:00:25 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 26 20:00:26 idm1 systemd: Starting PKI Tomcat Server tomcatd...
Jan 26 20:00:26 idm1 pkidaemon: tomcatd is an invalid 'tomcat' instance
Jan 26 20:00:26 idm1 systemd: pki-tomcatd@tomcatd.service: control process exited, code=exited status=5
Jan 26 20:00:26 idm1 systemd: Failed to start PKI Tomcat Server tomcatd.
Jan 26 20:00:26 idm1 systemd: Unit pki-tomcatd@tomcatd.service entered failed state.
Jan 26 20:00:26 idm1 systemd: pki-tomcatd@tomcatd.service failed.
Jan 26 20:00:30 idm1 ns-slapd: [26/Jan/2018:20:00:30.030350069 +0100] - WARN - csngen_new_csn - Too much time skew (-416576 secs). Current seqnum=8
Jan 26 20:00:30 idm1 ns-slapd: [26/Jan/2018:20:00:30.036532171 +0100] - WARN - csngen_new_csn - Too much time skew (-416577 secs). Current seqnum=9
Jan 26 20:00:30 idm1 ns-slapd: [26/Jan/2018:20:00:30.054084481 +0100] - WARN - csngen_new_csn - Too much time skew (-416578 secs). Current seqnum=a
Jan 26 20:00:30 idm1 ns-slapd: [26/Jan/2018:20:00:30.072843629 +0100] - WARN - csngen_new_csn - Too much time skew (-416579 secs). Current seqnum=b
Jan 26 20:00:35 idm1 server: Jan 26, 2018 8:00:35 PM org.apache.catalina.core.ContainerBase backgroundProcess
Jan 26 20:00:35 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process
Jan 26 20:00:35 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Jan 26 20:00:35 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
Jan 26 20:00:35 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
Jan 26 20:00:35 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
Jan 26 20:00:35 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
Jan 26 20:00:35 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 26 20:00:35 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 26 20:00:35 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
Jan 26 20:00:35 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 26 20:00:45 idm1 server: Jan 26, 2018 8:00:45 PM org.apache.catalina.core.ContainerBase backgroundProcess
Jan 26 20:00:45 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process
Jan 26 20:00:45 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Jan 26 20:00:45 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
Jan 26 20:00:45 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
Jan 26 20:00:45 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
Jan 26 20:00:45 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
Jan 26 20:00:45 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 26 20:00:45 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 26 20:00:45 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
Jan 26 20:00:45 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 26 20:00:48 idm1 ns-slapd: [26/Jan/2018:20:00:48.030570760 +0100] - WARN - csngen_new_csn - Too much time skew (-416562 secs). Current seqnum=4
Jan 26 20:00:48 idm1 ns-slapd: [26/Jan/2018:20:00:48.035772779 +0100] - WARN - csngen_new_csn - Too much time skew (-416563 secs). Current seqnum=5
Jan 26 20:00:48 idm1 ns-slapd: [26/Jan/2018:20:00:48.053399054 +0100] - WARN - csngen_new_csn - Too much time skew (-416564 secs). Current seqnum=6
Jan 26 20:00:48 idm1 ns-slapd: [26/Jan/2018:20:00:48.058488375 +0100] - WARN - csngen_new_csn - Too much time skew (-416565 secs). Current seqnum=7
Jan 26 20:00:54 idm1 systemd: Stopped target PKI Tomcat Server.
Jan 26 20:00:54 idm1 systemd: Stopping PKI Tomcat Server.
Jan 26 20:00:54 idm1 systemd: Stopping PKI Tomcat Server pki-tomcat...
Jan 26 20:00:54 idm1 systemd: Stopping 389 Directory Server XXXKD-FAU-DE....
Jan 26 20:00:54 idm1 ns-slapd: [26/Jan/2018:20:00:54.631434461 +0100] - INFO - op_thread_cleanup - slapd shutting down - signaling operation threads - op stack size 19 max work q size 6 max work q stack size 6
Jan 26 20:00:54 idm1 ns-slapd: [26/Jan/2018:20:00:54.662944402 +0100] - INFO - slapd_daemon - slapd shutting down - waiting for 14 threads to terminate
Jan 26 20:00:54 idm1 ns-slapd: [26/Jan/2018:20:00:54.693612476 +0100] - INFO - slapd_daemon - slapd shutting down - closing down internal subsystems and plugins
Jan 26 20:00:55 idm1 server: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
Jan 26 20:00:55 idm1 server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
Jan 26 20:00:55 idm1 server: main class used: org.apache.catalina.startup.Bootstrap
Jan 26 20:00:55 idm1 server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni
Jan 26 20:00:55 idm1 server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
Jan 26 20:00:55 idm1 server: arguments used: stop
Jan 26 20:00:55 idm1 ns-slapd: [26/Jan/2018:20:00:55.269159082 +0100] - INFO - dblayer_pre_close - Waiting for 4 database threads to stop
Jan 26 20:00:55 idm1 server: Jan 26, 2018 8:00:55 PM org.apache.catalina.core.ContainerBase backgroundProcess
Jan 26 20:00:55 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process
Jan 26 20:00:55 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Jan 26 20:00:55 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
Jan 26 20:00:55 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
Jan 26 20:00:55 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
Jan 26 20:00:55 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
Jan 26 20:00:55 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 26 20:00:55 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 26 20:00:55 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
Jan 26 20:00:55 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 26 20:00:56 idm1 ns-slapd: [26/Jan/2018:20:00:56.047222363 +0100] - INFO - dblayer_pre_close - All database threads now stopped
Jan 26 20:00:56 idm1 ns-slapd: [26/Jan/2018:20:00:56.136143475 +0100] - INFO - ldbm_back_instance_set_destructor - Set of instances destroyed
Jan 26 20:00:56 idm1 ns-slapd: [26/Jan/2018:20:00:56.250499625 +0100] - INFO - connection_post_shutdown_cleanup - slapd shutting down - freed 6 work q stack objects - freed 19 op stack objects
Jan 26 20:00:56 idm1 ns-slapd: [26/Jan/2018:20:00:56.466290546 +0100] - INFO - main - slapd stopped.
Jan 26 20:00:57 idm1 systemd: Starting 389 Directory Server XXXKD-FAU-DE....
Jan 26 20:00:57 idm1 server: Jan 26, 2018 8:00:57 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
Jan 26 20:00:57 idm1 server: WARNING: Problem with JAR file [/usr/share/pki/server/common/lib/symkey.jar], exists: [false], canRead: [false]
Jan 26 20:00:59 idm1 server: Jan 26, 2018 8:00:59 PM org.apache.catalina.core.StandardServer await
Jan 26 20:00:59 idm1 server: INFO: A valid shutdown command was received via the shutdown port. Stopping the Server instance.
Jan 26 20:00:59 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_stop]
Jan 26 20:00:59 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[stop]
Jan 26 20:00:59 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[configure_stop]
Jan 26 20:00:59 idm1 server: Jan 26, 2018 8:00:59 PM org.apache.coyote.AbstractProtocol pause
Jan 26 20:00:59 idm1 server: INFO: Pausing ProtocolHandler ["http-bio-8080"]
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.166056006 +0100] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.192768272 +0100] - INFO - Security Initialization - SSL info: Enabling default cipher set.
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.194054627 +0100] - INFO - Security Initialization - SSL info: Configured NSS Ciphers
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.195443005 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.196488030 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.197471823 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.198476669 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.199408370 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.200335494 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.201269623 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.202187620 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.203076746 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:01:00 idm1 systemd: Stopped PKI Tomcat Server pki-tomcat.
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.212403223 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.213802057 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.214320583 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.215664034 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.216287901 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.216973776 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.217398701 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.217909449 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.218369168 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.218796504 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.219235985 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.220009250 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.220862707 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.221671302 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.222376985 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.223115430 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.223989576 +0100] - INFO - Security Initialization - SSL info: #011TLS_AES_128_GCM_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.224808605 +0100] - INFO - Security Initialization - SSL info: #011TLS_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.225509347 +0100] - INFO - Security Initialization - SSL info: #011TLS_AES_256_GCM_SHA384: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.251261397 +0100] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.2
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.252601147 +0100] - INFO - main - 389-Directory/1.3.6.1 B2018.025.1550 starting up
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.267546859 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.271447152 +0100] - WARN - default_mr_indexer_create - Plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.275981745 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.283140403 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.289336025 +0100] - NOTICE - ldbm_back_start - found 1532164k physical memory
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.290187342 +0100] - NOTICE - ldbm_back_start - found 588692k available
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.291044337 +0100] - NOTICE - ldbm_back_start - cache autosizing: db cache: 61286k
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.291982935 +0100] - NOTICE - ldbm_back_start - cache autosizing: userRoot entry cache (3 total): 65536k
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.294255028 +0100] - NOTICE - ldbm_back_start - cache autosizing: ipaca entry cache (3 total): 65536k
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.296509006 +0100] - NOTICE - ldbm_back_start - cache autosizing: changelog entry cache (3 total): 65536k
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.298844301 +0100] - NOTICE - ldbm_back_start - total cache size: 282989821 B;
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.208240370 +0100] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.256911972 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.258221666 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=keys,cn=sec,cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.259183606 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.260299224 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.261345202 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.262389108 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.263438748 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.264619539 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.265661588 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.266617305 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.267503563 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.268386977 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.269339542 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.270164213 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.271060127 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.271880025 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.272730680 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.273618472 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.274598861 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.275455547 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.276441760 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.283273623 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.284297934 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 systemd: Started Session 84 of user root.
Jan 26 20:01:01 idm1 systemd: Starting Session 84 of user root.
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.396213753 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.399323317 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat".
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.399986425 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat".
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.400970832 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat".
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.636616613 +0100] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.639886286 +0100] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/idm1.XXXkd.fau.de@XXXKD.FAU.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.644711700 +0100] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.645973404 +0100] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.659963996 +0100] - INFO - slapd_daemon - Listening on /var/run/slapd-XXXKD-FAU-DE.socket for LDAPI requests
Jan 26 20:01:01 idm1 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: /tmp/krb5cc_993))
Jan 26 20:01:01 idm1 systemd: Started 389 Directory Server XXXKD-FAU-DE..
Jan 26 20:01:01 idm1 systemd: Stopping Kerberos 5 KDC...
Jan 26 20:01:01 idm1 systemd: Starting Kerberos 5 KDC...
Jan 26 20:01:02 idm1 systemd: PID file /var/run/krb5kdc.pid not readable (yet?) after start.
Jan 26 20:01:02 idm1 systemd: Started Kerberos 5 KDC.
Jan 26 20:01:02 idm1 systemd: Stopping Kerberos 5 Password-changing and Administration...
Jan 26 20:01:02 idm1 systemd: kadmin.service: main process exited, code=exited, status=2/INVALIDARGUMENT
Jan 26 20:01:02 idm1 systemd: Unit kadmin.service entered failed state.
Jan 26 20:01:02 idm1 systemd: kadmin.service failed.
Jan 26 20:01:02 idm1 systemd: Starting Kerberos 5 Password-changing and Administration...
Jan 26 20:01:02 idm1 systemd: Started Kerberos 5 Password-changing and Administration.
Jan 26 20:01:02 idm1 systemd: Stopping The Apache HTTP Server...
Jan 26 20:01:04 idm1 kernel: httpd[27874]: segfault at 8 ip 00007ff9ffbd2a90 sp 00007ff9dbc05d70 error 4 in libpython2.7.so.1.0[7ff9ffad3000+17d000]
Jan 26 20:01:04 idm1 ns-slapd: [26/Jan/2018:20:01:04.672339153 +0100] - WARN - csngen_new_csn - Too much time skew (-416549 secs). Current seqnum=8
Jan 26 20:01:05 idm1 ns-slapd: [26/Jan/2018:20:01:05.044521936 +0100] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToidm2.XXXkd.fau.de" (idm2:389) - Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
Jan 26 20:01:05 idm1 systemd: Starting The Apache HTTP Server...
Jan 26 20:01:05 idm1 ipa-httpd-kdcproxy: ipa : INFO KDC proxy enabled
Jan 26 20:01:06 idm1 systemd: Started The Apache HTTP Server.
Jan 26 20:01:07 idm1 systemd: Stopping IPA Custodia Service...
Jan 26 20:01:07 idm1 systemd: Starting IPA Custodia Service...
Jan 26 20:01:07 idm1 ns-slapd: [26/Jan/2018:20:01:07.739422386 +0100] - ERR - schema-compat-plugin - Finished plugin initialization.
Jan 26 20:01:08 idm1 ipa-custodia: 2018-01-26 20:01:08 - server - Serving on Unix socket /run/httpd/ipa-custodia.sock
Jan 26 20:01:08 idm1 systemd: Started IPA Custodia Service.
Jan 26 20:01:08 idm1 systemd: Starting Network Time Service...
Jan 26 20:01:08 idm1 ntpd[15428]: ntpd 4.2.6p5@1.2349-o Wed Apr 12 21:24:06 UTC 2017 (1)
Jan 26 20:01:08 idm1 ntpd[15429]: proto: precision = 0.087 usec
Jan 26 20:01:08 idm1 ntpd[15429]: 0.0.0.0 c01d 0d kern kernel time sync enabled
Jan 26 20:01:08 idm1 systemd: Started Network Time Service.
Jan 26 20:01:08 idm1 ntpd[15429]: getaddrinfo: "2001:638:a000:b201::/64" invalid host address, ignored
Jan 26 20:01:08 idm1 systemd: Starting PKI Tomcat Server pki-tomcat...
Jan 26 20:01:08 idm1 ntpd[15429]: restrict: error in address '2001:638:a000:b201::/64' on line 21. Ignoring...
Jan 26 20:01:08 idm1 ntpd[15429]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
Jan 26 20:01:08 idm1 ntpd[15429]: Listen and drop on 1 v6wildcard :: UDP 123
Jan 26 20:01:08 idm1 ntpd[15429]: Listen normally on 2 lo 127.0.0.1 UDP 123
Jan 26 20:01:08 idm1 ntpd[15429]: Listen normally on 3 eth0 10.188.220.100 UDP 123
Jan 26 20:01:08 idm1 ntpd[15429]: Listen normally on 4 lo ::1 UDP 123
Jan 26 20:01:08 idm1 ntpd[15429]: Listen normally on 5 eth0 fe80::5054:ff:fe4e:b270 UDP 123
Jan 26 20:01:08 idm1 ntpd[15429]: Listen normally on 6 eth0 2001:638:a000:b201::220:100 UDP 123
Jan 26 20:01:08 idm1 ntpd[15429]: Listening on routing socket on fd #23 for interface updates
Jan 26 20:01:08 idm1 ntpd[15429]: 0.0.0.0 c016 06 restart
Jan 26 20:01:08 idm1 ntpd[15429]: 0.0.0.0 c012 02 freq_set ntpd -11.506 PPM
Jan 26 20:01:09 idm1 pkidaemon: -----------------------
Jan 26 20:01:09 idm1 pkidaemon: Banner is not installed
Jan 26 20:01:09 idm1 pkidaemon: -----------------------
Jan 26 20:01:09 idm1 pkidaemon: ----------------------
Jan 26 20:01:09 idm1 pkidaemon: Enabled all subsystems
Jan 26 20:01:09 idm1 pkidaemon: ----------------------
Jan 26 20:01:10 idm1 systemd: Started PKI Tomcat Server pki-tomcat.
Jan 26 20:01:10 idm1 systemd: Reached target PKI Tomcat Server.
Jan 26 20:01:10 idm1 systemd: Starting PKI Tomcat Server.
Jan 26 20:01:10 idm1 server: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
Jan 26 20:01:10 idm1 server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
Jan 26 20:01:10 idm1 server: main class used: org.apache.catalina.startup.Bootstrap
Jan 26 20:01:10 idm1 server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni
Jan 26 20:01:10 idm1 server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy
Jan 26 20:01:10 idm1 server: arguments used: start
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
Jan 26 20:01:11 idm1 server: WARNING: Problem with JAR file [/usr/share/pki/server/common/lib/symkey.jar], exists: [false], canRead: [false]
Jan 26 20:01:11 idm1 ns-slapd: [26/Jan/2018:20:01:11.084620256 +0100] - WARN - csngen_new_csn - Too much time skew (-416544 secs). Current seqnum=9
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://idm1.XXXkd.fau.de:9080/ca/ocsp' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'strictCiphers' to 'true' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA' did not find a matching property. Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property. Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching property. 
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256' did not find a matching property. Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property. 
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property. Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property. Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property. Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.tomcat.util.digester.SetPropertiesRule begin Jan 26 20:01:11 idm1 server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property. Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.tomcat.util.digester.SetPropertiesRule begin Jan 26 20:01:11 idm1 server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property. 
Jan 26 20:01:11 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_init] Jan 26 20:01:12 idm1 server: Jan 26, 2018 8:01:12 PM org.apache.coyote.AbstractProtocol init Jan 26 20:01:12 idm1 server: INFO: Initializing ProtocolHandler ["http-bio-8080"] Jan 26 20:01:12 idm1 server: Jan 26, 2018 8:01:12 PM org.apache.coyote.AbstractProtocol init Jan 26 20:01:12 idm1 server: INFO: Initializing ProtocolHandler ["http-bio-8443"] Jan 26 20:01:12 idm1 server: Error: SSL cipher "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" not recognized by tomcatjss Jan 26 20:01:12 idm1 server: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" not recognized by tomcatjss Jan 26 20:01:12 idm1 server: Jan 26, 2018 8:01:12 PM org.apache.coyote.AbstractProtocol init Jan 26 20:01:12 idm1 server: INFO: Initializing ProtocolHandler ["ajp-bio-127.0.0.1-8009"] Jan 26 20:01:12 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[after_init] Jan 26 20:01:12 idm1 server: Jan 26, 2018 8:01:12 PM org.apache.catalina.startup.Catalina load Jan 26 20:01:12 idm1 server: INFO: Initialization processed in 1363 ms Jan 26 20:01:12 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_start] Jan 26 20:01:12 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[configure_start] Jan 26 20:01:12 idm1 ns-slapd: [26/Jan/2018:20:01:12.623763048 +0100] - WARN - csngen_new_csn - Too much time skew (-416544 secs). 
Current seqnum=a Jan 26 20:01:12 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[start] Jan 26 20:01:12 idm1 server: Jan 26, 2018 8:01:12 PM org.apache.catalina.core.StandardService startInternal Jan 26 20:01:12 idm1 server: INFO: Starting service Catalina Jan 26 20:01:12 idm1 server: Jan 26, 2018 8:01:12 PM org.apache.catalina.core.StandardEngine startInternal Jan 26 20:01:12 idm1 server: INFO: Starting Servlet Engine: Apache Tomcat/7.0.76 Jan 26 20:01:12 idm1 server: Jan 26, 2018 8:01:12 PM org.apache.catalina.startup.HostConfig deployDescriptor Jan 26 20:01:12 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml Jan 26 20:01:12 idm1 ns-slapd: [26/Jan/2018:20:01:12.731562409 +0100] - WARN - csngen_new_csn - Too much time skew (-416544 secs). Current seqnum=b Jan 26 20:01:12 idm1 server: SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback Jan 26 20:01:12 idm1 server: SSLAuthenticatorWithFallback: Setting container Jan 26 20:01:13 idm1 ntpd[15429]: 0.0.0.0 c515 05 clock_sync Jan 26 20:01:15 idm1 server: Jan 26, 2018 8:01:15 PM org.apache.catalina.startup.TldConfig execute Jan 26 20:01:15 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time. Jan 26 20:01:15 idm1 server: SSLAuthenticatorWithFallback: Initializing authenticators Jan 26 20:01:15 idm1 server: SSLAuthenticatorWithFallback: Starting authenticators Jan 26 20:01:15 idm1 server: CMSEngine.initializePasswordStore() begins Jan 26 20:01:15 idm1 server: CMSEngine.initializePasswordStore(): tag=internaldb Jan 26 20:01:15 idm1 server: CMSEngine.initializePasswordStore(): tag=replicationdb Jan 26 20:01:18 idm1 server: SelfTestSubsystem: Disabling "ca" subsystem due to selftest failure. 
Jan 26 20:01:18 idm1 server: ----------------------- Jan 26 20:01:18 idm1 server: Disabled "ca" subsystem Jan 26 20:01:18 idm1 server: ----------------------- Jan 26 20:01:18 idm1 server: Subsystem ID: ca Jan 26 20:01:18 idm1 server: Instance ID: pki-tomcat Jan 26 20:01:18 idm1 server: Enabled: False Jan 26 20:01:18 idm1 server: Invalid class name repositorytop Jan 26 20:01:19 idm1 server: Invalid class name repositorytop Jan 26 20:01:19 idm1 server: at com.netscape.cmscore.dbs.DBRegistry.createObject(DBRegistry.java:485) Jan 26 20:01:19 idm1 server: at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:167) Jan 26 20:01:19 idm1 server: at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:137) Jan 26 20:01:19 idm1 server: at com.netscape.cmscore.dbs.Repository.getSerialNumber(Repository.java:125) Jan 26 20:01:19 idm1 server: at com.netscape.cmscore.dbs.Repository.initCache(Repository.java:244) Jan 26 20:01:19 idm1 server: at com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:460) Jan 26 20:01:19 idm1 server: at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1378) Jan 26 20:01:19 idm1 server: at com.netscape.certsrv.apps.CMS.startup(CMS.java:202) Jan 26 20:01:19 idm1 server: at com.netscape.certsrv.apps.CMS.start(CMS.java:1632) Jan 26 20:01:19 idm1 server: at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117) Jan 26 20:01:19 idm1 server: at javax.servlet.GenericServlet.init(GenericServlet.java:158) Jan 26 20:01:19 idm1 server: at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) Jan 26 20:01:19 idm1 server: at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) Jan 26 20:01:19 idm1 server: at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) Jan 26 20:01:19 idm1 server: at java.lang.reflect.Method.invoke(Method.java:498) Jan 26 20:01:19 idm1 server: at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288) Jan 26 
20:01:19 idm1 server: at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285) Jan 26 20:01:19 idm1 server: at java.security.AccessController.doPrivileged(Native Method) Jan 26 20:01:19 idm1 server: at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) Jan 26 20:01:19 idm1 server: at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320) Jan 26 20:01:19 idm1 server: at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175) Jan 26 20:01:19 idm1 server: at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124) Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1257) Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1182) Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1072) Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5368) Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5660) Jan 26 20:01:19 idm1 server: at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145) Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899) Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133) Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156) Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145) Jan 26 20:01:19 idm1 server: at java.security.AccessController.doPrivileged(Native Method) Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873) Jan 26 20:01:19 idm1 server: at 
org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652) Jan 26 20:01:19 idm1 server: at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679) Jan 26 20:01:19 idm1 server: at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966) Jan 26 20:01:19 idm1 server: at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) Jan 26 20:01:19 idm1 server: at java.util.concurrent.FutureTask.run(FutureTask.java:266) Jan 26 20:01:19 idm1 server: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) Jan 26 20:01:19 idm1 server: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) Jan 26 20:01:19 idm1 server: at java.lang.Thread.run(Thread.java:748) Jan 26 20:01:19 idm1 server: Jan 26, 2018 8:01:19 PM org.apache.catalina.startup.HostConfig deployDescriptor Jan 26 20:01:19 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 6,698 ms Jan 26 20:01:19 idm1 server: Jan 26, 2018 8:01:19 PM org.apache.catalina.startup.HostConfig deployDescriptor Jan 26 20:01:19 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml Jan 26 20:01:20 idm1 server: Jan 26, 2018 8:01:20 PM org.apache.catalina.startup.TldConfig execute Jan 26 20:01:20 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time. 
Jan 26 20:01:20 idm1 server: Jan 26, 2018 8:01:20 PM org.apache.catalina.startup.HostConfig deployDescriptor Jan 26 20:01:20 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml has finished in 857 ms Jan 26 20:01:20 idm1 server: Jan 26, 2018 8:01:20 PM org.apache.catalina.startup.HostConfig deployDescriptor Jan 26 20:01:20 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml Jan 26 20:01:21 idm1 server: Jan 26, 2018 8:01:21 PM org.apache.catalina.startup.TldConfig execute Jan 26 20:01:21 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time. Jan 26 20:01:21 idm1 server: Jan 26, 2018 8:01:21 PM org.apache.catalina.startup.HostConfig deployDescriptor Jan 26 20:01:21 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml has finished in 1,161 ms Jan 26 20:01:21 idm1 server: Jan 26, 2018 8:01:21 PM org.apache.coyote.AbstractProtocol start Jan 26 20:01:21 idm1 server: INFO: Starting ProtocolHandler ["http-bio-8080"] Jan 26 20:01:21 idm1 server: Jan 26, 2018 8:01:21 PM org.apache.coyote.AbstractProtocol start Jan 26 20:01:21 idm1 server: INFO: Starting ProtocolHandler ["http-bio-8443"] Jan 26 20:01:21 idm1 server: Jan 26, 2018 8:01:21 PM org.apache.coyote.AbstractProtocol start Jan 26 20:01:21 idm1 server: INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"] Jan 26 20:01:21 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[after_start] Jan 26 20:01:21 idm1 ntpd[15429]: 0.0.0.0 0613 03 spike_detect +416608.985992 s Jan 26 20:01:21 idm1 server: PKIListener: Subsystem CA is disabled. 
Jan 26 20:01:21 idm1 server: PKIListener: Check /var/log/pki/pki-tomcat/ca/selftests.log for possible errors. Jan 26 20:01:21 idm1 server: PKIListener: To enable the subsystem: Jan 26 20:01:21 idm1 server: PKIListener: pki-server subsystem-enable -i pki-tomcat ca Jan 26 20:01:21 idm1 server: Jan 26, 2018 8:01:21 PM org.apache.catalina.startup.Catalina start Jan 26 20:01:21 idm1 server: INFO: Server startup in 8856 ms Jan 26 20:01:23 idm1 ns-slapd: [26/Jan/2018:20:01:23.234040056 +0100] - WARN - csngen_new_csn - Too much time skew (-416535 secs). Current seqnum=c Jan 26 20:01:31 idm1 ns-slapd: [26/Jan/2018:20:01:31.761653163 +0100] - WARN - csngen_new_csn - Too much time skew (-416527 secs). Current seqnum=d Jan 26 20:01:31 idm1 ns-slapd: [26/Jan/2018:20:01:31.782442210 +0100] - WARN - csngen_new_csn - Too much time skew (-416528 secs). Current seqnum=e Jan 26 20:01:31 idm1 server: Jan 26, 2018 8:01:31 PM org.apache.catalina.startup.HostConfig undeploy Jan 26 20:01:31 idm1 server: INFO: Undeploying context [/ca] Jan 26 20:01:31 idm1 server: SSLAuthenticatorWithFallback: Stopping authenticators Jan 26 20:01:31 idm1 server: Jan 26, 2018 8:01:31 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads Jan 26 20:01:31 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-0 ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak. Jan 26 20:01:31 idm1 server: Jan 26, 2018 8:01:31 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads Jan 26 20:01:31 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-2 ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak. 
Jan 26 20:01:31 idm1 server: Jan 26, 2018 8:01:31 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads Jan 26 20:01:31 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [authorityMonitor] but has failed to stop it. This is very likely to create a memory leak. Jan 26 20:01:31 idm1 server: Jan 26, 2018 8:01:31 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads Jan 26 20:01:31 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-3 ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak. Jan 26 20:01:31 idm1 server: Jan 26, 2018 8:01:31 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads Jan 26 20:01:31 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [profileChangeMonitor] but has failed to stop it. This is very likely to create a memory leak. Jan 26 20:01:31 idm1 server: SSLAuthenticatorWithFallback: Setting container Jan 26 20:01:32 idm1 ns-slapd: [26/Jan/2018:20:01:32.298667463 +0100] - WARN - csngen_new_csn - Too much time skew (-416529 secs). Current seqnum=f Jan 26 20:01:32 idm1 ns-slapd: [26/Jan/2018:20:01:32.678832654 +0100] - WARN - csngen_new_csn - Too much time skew (-416530 secs). Current seqnum=10 Jan 26 20:01:33 idm1 ns-slapd: [26/Jan/2018:20:01:33.028623160 +0100] - WARN - csngen_new_csn - Too much time skew (-416530 secs). Current seqnum=11 Jan 26 20:01:33 idm1 ns-slapd: [26/Jan/2018:20:01:33.048763804 +0100] - WARN - csngen_new_csn - Too much time skew (-416531 secs). Current seqnum=12 Jan 26 20:01:47 idm1 ns-slapd: [26/Jan/2018:20:01:47.701332510 +0100] - WARN - csngen_new_csn - Too much time skew (-416517 secs). Current seqnum=13 Jan 26 20:02:04 idm1 ns-slapd: [26/Jan/2018:20:02:04.380427048 +0100] - WARN - csngen_new_csn - Too much time skew (-416502 secs). 
Current seqnum=14 Jan 26 20:02:04 idm1 ns-slapd: [26/Jan/2018:20:02:04.405310477 +0100] - WARN - csngen_new_csn - Too much time skew (-416503 secs). Current seqnum=15 Jan 26 20:02:34 idm1 ns-slapd: [26/Jan/2018:20:02:34.796622396 +0100] - WARN - csngen_new_csn - Too much time skew (-416473 secs). Current seqnum=16 Jan 26 20:02:37 idm1 ns-slapd: [26/Jan/2018:20:02:37.454779669 +0100] - WARN - csngen_new_csn - Too much time skew (-416472 secs). Current seqnum=17 Jan 26 20:02:37 idm1 ns-slapd: [26/Jan/2018:20:02:37.476249201 +0100] - WARN - csngen_new_csn - Too much time skew (-416473 secs). Current seqnum=18 Jan 26 20:02:37 idm1 ns-slapd: [26/Jan/2018:20:02:37.517017269 +0100] - WARN - csngen_new_csn - Too much time skew (-416474 secs). Current seqnum=19 Jan 26 20:02:37 idm1 ns-slapd: [26/Jan/2018:20:02:37.539991754 +0100] - WARN - csngen_new_csn - Too much time skew (-416475 secs). Current seqnum=1a Jan 26 20:02:48 idm1 systemd: Stopping Network Time Service... Jan 26 20:02:48 idm1 ntpd[15429]: ntpd exiting on signal 15 Jan 26 20:02:48 idm1 systemd: Stopped Network Time Service. Jan 26 20:03:01 idm1 ns-slapd: [26/Jan/2018:20:03:01.034768459 +0100] - WARN - csngen_new_csn - Too much time skew (-416452 secs). Current seqnum=1b Jan 26 20:03:01 idm1 ns-slapd: [26/Jan/2018:20:03:01.055043214 +0100] - WARN - csngen_new_csn - Too much time skew (-416453 secs). Current seqnum=1c Jan 26 20:03:03 idm1 ns-slapd: [26/Jan/2018:20:03:03.375580834 +0100] - WARN - csngen_new_csn - Too much time skew (-416452 secs). Current seqnum=1d Jan 26 20:03:03 idm1 ns-slapd: [26/Jan/2018:20:03:03.399395635 +0100] - WARN - csngen_new_csn - Too much time skew (-416453 secs). Current seqnum=1e Jan 26 20:03:10 idm1 ns-slapd: [26/Jan/2018:20:03:10.279455298 +0100] - WARN - csngen_new_csn - Too much time skew (-416447 secs). Current seqnum=1f Jan 26 20:03:10 idm1 ns-slapd: [26/Jan/2018:20:03:10.320874031 +0100] - WARN - csngen_new_csn - Too much time skew (-416448 secs). 
Current seqnum=20 Jan 26 20:03:45 idm1 systemd: Stopping Certificate monitoring and PKI enrollment... Jan 26 20:03:45 idm1 systemd: Stopped Certificate monitoring and PKI enrollment. Jan 26 20:03:56 idm1 systemd: Starting Certificate monitoring and PKI enrollment... Jan 26 20:03:57 idm1 systemd: Started Certificate monitoring and PKI enrollment. Jan 26 20:03:58 idm1 ns-slapd: [26/Jan/2018:20:03:58.111287110 +0100] - WARN - csngen_new_csn - Too much time skew (-416401 secs). Current seqnum=21 Jan 26 20:03:58 idm1 ns-slapd: [26/Jan/2018:20:03:58.390628999 +0100] - WARN - csngen_new_csn - Too much time skew (-416402 secs). Current seqnum=22 Jan 26 20:03:59 idm1 certmonger: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20180129120044. Jan 26 20:03:59 idm1 certmonger: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20180129120044. Jan 26 20:03:59 idm1 certmonger: Certificate in file "/var/lib/ipa/ra-agent.pem" will not be valid after 20180129120111. Jan 26 20:04:01 idm1 ns-slapd: [26/Jan/2018:20:04:01.082324882 +0100] - WARN - csngen_new_csn - Too much time skew (-416400 secs). Current seqnum=23 Jan 26 20:04:06 idm1 ns-slapd: [26/Jan/2018:20:04:06.245845741 +0100] - WARN - csngen_new_csn - Too much time skew (-416396 secs). Current seqnum=24 Jan 26 20:04:17 idm1 ns-slapd: [26/Jan/2018:20:04:17.377907663 +0100] - WARN - csngen_new_csn - Too much time skew (-416385 secs). Current seqnum=25 Jan 26 20:04:32 idm1 ns-slapd: [26/Jan/2018:20:04:32.296003137 +0100] - WARN - csngen_new_csn - Too much time skew (-416372 secs). 
Current seqnum=26 Jan 26 20:04:32 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent Jan 26 20:04:32 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2 Jan 26 20:04:42 idm1 ns-slapd: [26/Jan/2018:20:04:42.139493501 +0100] - WARN - csngen_new_csn - Too much time skew (-416363 secs). Current seqnum=27 Jan 26 20:04:42 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent Jan 26 20:04:42 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2 Jan 26 20:04:52 idm1 ns-slapd: [26/Jan/2018:20:04:52.130303926 +0100] - WARN - csngen_new_csn - Too much time skew (-416354 secs). Current seqnum=28 Jan 26 20:04:52 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent Jan 26 20:04:52 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2 Jan 26 20:05:15 idm1 systemd: Reloading. Jan 26 20:05:16 idm1 systemd: [/usr/lib/systemd/system/ip6tables.service:3] Failed to add dependency on syslog.target,iptables.service, ignoring: Invalid argument Jan 26 20:06:08 idm1 ns-slapd: [26/Jan/2018:20:06:08.075349646 +0100] - WARN - csngen_new_csn - Too much time skew (-416279 secs). Current seqnum=29 Jan 26 20:06:08 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent Jan 26 20:06:08 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2 Jan 26 20:06:10 idm1 systemd: Stopping Kerberos 5 KDC... Jan 26 20:06:10 idm1 systemd: Stopped Kerberos 5 KDC. Jan 26 20:06:10 idm1 systemd: Stopping Kerberos 5 Password-changing and Administration... Jan 26 20:06:10 idm1 systemd: kadmin.service: main process exited, code=exited, status=2/INVALIDARGUMENT Jan 26 20:06:10 idm1 systemd: Stopped Kerberos 5 Password-changing and Administration. Jan 26 20:06:10 idm1 systemd: Unit kadmin.service entered failed state. Jan 26 20:06:10 idm1 systemd: kadmin.service failed. 
Jan 26 20:06:10 idm1 systemd: Stopping The Apache HTTP Server... Jan 26 20:06:43 idm1 systemd: Stopped The Apache HTTP Server. Jan 26 20:06:44 idm1 systemd: Stopping IPA Custodia Service... Jan 26 20:06:44 idm1 systemd: Stopped IPA Custodia Service. Jan 26 20:06:44 idm1 systemd: Stopped target PKI Tomcat Server. Jan 26 20:06:44 idm1 systemd: Stopping PKI Tomcat Server. Jan 26 20:06:44 idm1 systemd: Stopping PKI Tomcat Server pki-tomcat... Jan 26 20:06:44 idm1 systemd: Stopping Samba SMB Daemon... Jan 26 20:06:44 idm1 smbd[28030]: [2018/01/26 20:06:44.275355, 0] ../source3/rpc_server/lsasd.c:139(lsasd_sig_term_handler) Jan 26 20:06:44 idm1 smbd[28030]: termination signal Jan 26 20:06:44 idm1 systemd: Stopped Samba SMB Daemon. Jan 26 20:06:44 idm1 systemd: Stopping Samba Winbind Daemon... Jan 26 20:06:44 idm1 winbindd[28044]: [2018/01/26 20:06:44.476018, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler) Jan 26 20:06:44 idm1 winbindd[28044]: Got sig[15] terminate (is_parent=1) Jan 26 20:06:44 idm1 server: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java Jan 26 20:06:44 idm1 server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar Jan 26 20:06:44 idm1 server: main class used: org.apache.catalina.startup.Bootstrap Jan 26 20:06:44 idm1 server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni Jan 26 20:06:44 idm1 server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager Jan 26 20:06:44 idm1 server: arguments used: stop Jan 26 20:06:44 idm1 winbindd[28045]: [2018/01/26 20:06:44.508730, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler) Jan 26 20:06:44 
idm1 systemd: Stopped Samba Winbind Daemon. Jan 26 20:06:44 idm1 winbindd[28045]: Got sig[15] terminate (is_parent=0) Jan 26 20:06:44 idm1 systemd: Closed ipa-otpd socket. Jan 26 20:06:44 idm1 systemd: Stopping ipa-otpd socket. Jan 26 20:06:44 idm1 systemd: Stopping 389 Directory Server XXXKD-FAU-DE.... Jan 26 20:06:44 idm1 ns-slapd: [26/Jan/2018:20:06:44.721155688 +0100] - INFO - op_thread_cleanup - slapd shutting down - signaling operation threads - op stack size 5 max work q size 2 max work q stack size 2 Jan 26 20:06:44 idm1 ns-slapd: [26/Jan/2018:20:06:44.735943820 +0100] - INFO - slapd_daemon - slapd shutting down - waiting for 18 threads to terminate Jan 26 20:06:44 idm1 ns-slapd: [26/Jan/2018:20:06:44.825965094 +0100] - INFO - slapd_daemon - slapd shutting down - closing down internal subsystems and plugins Jan 26 20:06:45 idm1 ns-slapd: [26/Jan/2018:20:06:45.381054379 +0100] - INFO - dblayer_pre_close - Waiting for 4 database threads to stop Jan 26 20:06:45 idm1 ns-slapd: [26/Jan/2018:20:06:45.927329520 +0100] - INFO - dblayer_pre_close - All database threads now stopped Jan 26 20:06:46 idm1 ns-slapd: [26/Jan/2018:20:06:46.117991206 +0100] - INFO - ldbm_back_instance_set_destructor - Set of instances destroyed Jan 26 20:06:46 idm1 ns-slapd: [26/Jan/2018:20:06:46.172299744 +0100] - INFO - connection_post_shutdown_cleanup - slapd shutting down - freed 2 work q stack objects - freed 7 op stack objects Jan 26 20:06:46 idm1 server: Jan 26, 2018 8:06:46 PM org.apache.catalina.startup.ClassLoaderFactory validateFile Jan 26 20:06:46 idm1 server: WARNING: Problem with JAR file [/usr/share/pki/server/common/lib/symkey.jar], exists: [false], canRead: [false] Jan 26 20:06:46 idm1 ns-slapd: [26/Jan/2018:20:06:46.752180768 +0100] - INFO - main - slapd stopped. Jan 26 20:06:47 idm1 systemd: Stopped 389 Directory Server XXXKD-FAU-DE.. 
Jan 26 20:06:47 idm1 server: Jan 26, 2018 8:06:47 PM org.apache.catalina.core.StandardServer await
Jan 26 20:06:47 idm1 server: INFO: A valid shutdown command was received via the shutdown port. Stopping the Server instance.
Jan 26 20:06:47 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_stop]
Jan 26 20:06:47 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[stop]
Jan 26 20:06:47 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[configure_stop]
Jan 26 20:06:47 idm1 server: Jan 26, 2018 8:06:47 PM org.apache.coyote.AbstractProtocol pause
Jan 26 20:06:47 idm1 server: INFO: Pausing ProtocolHandler ["http-bio-8080"]
Jan 26 20:06:47 idm1 server: Jan 26, 2018 8:06:47 PM org.apache.coyote.AbstractProtocol pause
Jan 26 20:06:47 idm1 server: INFO: Pausing ProtocolHandler ["http-bio-8443"]
Jan 26 20:06:48 idm1 server: Jan 26, 2018 8:06:48 PM org.apache.coyote.AbstractProtocol pause
Jan 26 20:06:48 idm1 server: INFO: Pausing ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Jan 26 20:06:48 idm1 systemd: Stopped PKI Tomcat Server pki-tomcat.
Jan 26 20:07:15 idm1 systemd: Starting 389 Directory Server XXXKD-FAU-DE....
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.478325959 +0100] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.480593865 +0100] - INFO - Security Initialization - SSL info: Enabling default cipher set.
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.481219973 +0100] - INFO - Security Initialization - SSL info: Configured NSS Ciphers
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.481824600 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.482318301 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.482871806 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.483404678 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.483877775 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.484356724 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.485086617 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.485626013 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.486222706 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.486720917 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.487170422 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.487651590 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.488120831 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.488616154 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.489101124 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.489614588 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.490132278 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.490638790 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.491050535 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.491551374 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.491963122 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.492404036 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.492844912 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.493331259 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.493865506 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.494373239 +0100] - INFO - Security Initialization - SSL info: #011TLS_AES_128_GCM_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.494856356 +0100] - INFO - Security Initialization - SSL info: #011TLS_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.495379801 +0100] - INFO - Security Initialization - SSL info: #011TLS_AES_256_GCM_SHA384: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.504713771 +0100] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.2
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.505720965 +0100] - INFO - main - 389-Directory/1.3.6.1 B2018.025.1550 starting up
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.519359109 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.522754168 +0100] - WARN - default_mr_indexer_create - Plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.527038258 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.533380854 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.539571019 +0100] - NOTICE - ldbm_back_start - found 1532164k physical memory
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.540267898 +0100] - NOTICE - ldbm_back_start - found 1210532k available
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.540903052 +0100] - NOTICE - ldbm_back_start - cache autosizing: db cache: 61286k
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.541531113 +0100] - NOTICE - ldbm_back_start - cache autosizing: userRoot entry cache (3 total): 65536k
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.543313364 +0100] - NOTICE - ldbm_back_start - cache autosizing: ipaca entry cache (3 total): 65536k
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.544960676 +0100] - NOTICE - ldbm_back_start - cache autosizing: changelog entry cache (3 total): 65536k
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.546649579 +0100] - NOTICE - ldbm_back_start - total cache size: 282989821 B;
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.188126082 +0100] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.254545220 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.255636672 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=keys,cn=sec,cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.256464414 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.257250650 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.258164746 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.258863403 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.259511799 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.260127161 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.260803146 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.261498596 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.262204544 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.262929674 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.263636127 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.264272729 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.265176992 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.265924764 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.266565141 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.267196538 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.267799261 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.268432799 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.269320406 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.277180952 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.277931491 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.394597339 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.397664334 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat".
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.398357312 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat".
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.398994945 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat".
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.437779220 +0100] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/idm1.XXXkd.fau.de@XXXKD.FAU.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.450559118 +0100] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
Jan 26 20:07:17 idm1 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: /tmp/krb5cc_993))
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.457942893 +0100] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.459144092 +0100] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.460493541 +0100] - INFO - slapd_daemon - Listening on /var/run/slapd-XXXKD-FAU-DE.socket for LDAPI requests
Jan 26 20:07:17 idm1 systemd: Started 389 Directory Server XXXKD-FAU-DE..
Jan 26 20:07:17 idm1 systemd: Starting Kerberos 5 KDC...
Jan 26 20:07:18 idm1 systemd: PID file /var/run/krb5kdc.pid not readable (yet?) after start.
Jan 26 20:07:18 idm1 systemd: Started Kerberos 5 KDC.
Jan 26 20:07:18 idm1 systemd: Starting Kerberos 5 Password-changing and Administration...
Jan 26 20:07:18 idm1 systemd: Started Kerberos 5 Password-changing and Administration.
Jan 26 20:07:18 idm1 systemd: Starting The Apache HTTP Server...
Jan 26 20:07:18 idm1 ipa-httpd-kdcproxy: ipa : INFO KDC proxy enabled
Jan 26 20:07:19 idm1 systemd: Started The Apache HTTP Server.
Jan 26 20:07:19 idm1 systemd: Starting IPA Custodia Service...
Jan 26 20:07:20 idm1 ipa-custodia: 2018-01-26 20:07:20 - server - Serving on Unix socket /run/httpd/ipa-custodia.sock
Jan 26 20:07:20 idm1 systemd: Started IPA Custodia Service.
Jan 26 20:07:20 idm1 ns-slapd: [26/Jan/2018:20:07:20.562156820 +0100] - WARN - csngen_new_csn - Too much time skew (-416207 secs). Current seqnum=2a
Jan 26 20:07:20 idm1 systemd: Starting Network Time Service...
Jan 26 20:07:20 idm1 ns-slapd: [26/Jan/2018:20:07:20.753895497 +0100] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToidm2.XXXkd.fau.de" (idm2:389) - Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
Jan 26 20:07:20 idm1 ntpd[16369]: ntpd 4.2.6p5@1.2349-o Wed Apr 12 21:24:06 UTC 2017 (1)
Jan 26 20:07:20 idm1 systemd: Started Network Time Service.
Jan 26 20:07:20 idm1 ntpd[16370]: proto: precision = 0.087 usec
Jan 26 20:07:20 idm1 ntpd[16370]: 0.0.0.0 c01d 0d kern kernel time sync enabled
Jan 26 20:07:20 idm1 ntpd[16370]: getaddrinfo: "2001:638:a000:b201::/64" invalid host address, ignored
Jan 26 20:07:20 idm1 ntpd[16370]: restrict: error in address '2001:638:a000:b201::/64' on line 21. Ignoring...
Jan 26 20:07:20 idm1 ntpd[16370]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
Jan 26 20:07:20 idm1 systemd: Starting PKI Tomcat Server pki-tomcat...
Jan 26 20:07:20 idm1 ntpd[16370]: Listen and drop on 1 v6wildcard :: UDP 123
Jan 26 20:07:20 idm1 ntpd[16370]: Listen normally on 2 lo 127.0.0.1 UDP 123
Jan 26 20:07:20 idm1 ntpd[16370]: Listen normally on 3 eth0 10.188.220.100 UDP 123
Jan 26 20:07:20 idm1 ntpd[16370]: Listen normally on 4 lo ::1 UDP 123
Jan 26 20:07:20 idm1 ntpd[16370]: Listen normally on 5 eth0 fe80::5054:ff:fe4e:b270 UDP 123
Jan 26 20:07:20 idm1 ntpd[16370]: Listen normally on 6 eth0 2001:638:a000:b201::220:100 UDP 123
Jan 26 20:07:20 idm1 ntpd[16370]: Listening on routing socket on fd #23 for interface updates
Jan 26 20:07:20 idm1 ntpd[16370]: 0.0.0.0 c016 06 restart
Jan 26 20:07:20 idm1 ntpd[16370]: 0.0.0.0 c012 02 freq_set ntpd -11.506 PPM
Jan 26 20:07:23 idm1 ns-slapd: [26/Jan/2018:20:07:23.040493392 +0100] - ERR - schema-compat-plugin - Finished plugin initialization.
Jan 26 20:07:23 idm1 pkidaemon: -----------------------
Jan 26 20:07:23 idm1 pkidaemon: Banner is not installed
Jan 26 20:07:23 idm1 pkidaemon: -----------------------
Jan 26 20:07:23 idm1 pkidaemon: ----------------------
Jan 26 20:07:23 idm1 pkidaemon: Enabled all subsystems
Jan 26 20:07:23 idm1 pkidaemon: ----------------------
Jan 26 20:07:23 idm1 systemd: Started PKI Tomcat Server pki-tomcat.
Jan 26 20:07:23 idm1 systemd: Reached target PKI Tomcat Server.
Jan 26 20:07:23 idm1 systemd: Starting PKI Tomcat Server.
Jan 26 20:07:23 idm1 server: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
Jan 26 20:07:23 idm1 server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
Jan 26 20:07:23 idm1 server: main class used: org.apache.catalina.startup.Bootstrap
Jan 26 20:07:23 idm1 server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni
Jan 26 20:07:23 idm1 server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy
Jan 26 20:07:23 idm1 server: arguments used: start
Jan 26 20:07:23 idm1 server: Jan 26, 2018 8:07:23 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
Jan 26 20:07:23 idm1 server: WARNING: Problem with JAR file [/usr/share/pki/server/common/lib/symkey.jar], exists: [false], canRead: [false]
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://idm1.XXXkd.fau.de:9080/ca/ocsp' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'strictCiphers' to 'true' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property.
Jan 26 20:07:24 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_init]
Jan 26 20:07:25 idm1 server: Jan 26, 2018 8:07:25 PM org.apache.coyote.AbstractProtocol init
Jan 26 20:07:25 idm1 server: INFO: Initializing ProtocolHandler ["http-bio-8080"]
Jan 26 20:07:25 idm1 server: Jan 26, 2018 8:07:25 PM org.apache.coyote.AbstractProtocol init
Jan 26 20:07:25 idm1 server: INFO: Initializing ProtocolHandler ["http-bio-8443"]
Jan 26 20:07:25 idm1 server: Error: SSL cipher "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" not recognized by tomcatjss
Jan 26 20:07:25 idm1 server: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" not recognized by tomcatjss
Jan 26 20:07:25 idm1 server: Jan 26, 2018 8:07:25 PM org.apache.coyote.AbstractProtocol init
Jan 26 20:07:25 idm1 server: INFO: Initializing ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Jan 26 20:07:25 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[after_init]
Jan 26 20:07:25 idm1 server: Jan 26, 2018 8:07:25 PM org.apache.catalina.startup.Catalina load
Jan 26 20:07:25 idm1 server: INFO: Initialization processed in 1535 ms
Jan 26 20:07:25 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_start]
Jan 26 20:07:25 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[configure_start]
Jan 26 20:07:25 idm1 ntpd[16370]: 0.0.0.0 c515 05 clock_sync
Jan 26 20:07:25 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[start]
Jan 26 20:07:25 idm1 server: Jan 26, 2018 8:07:25 PM org.apache.catalina.core.StandardService startInternal
Jan 26 20:07:25 idm1 server: INFO: Starting service Catalina
Jan 26 20:07:25 idm1 server: Jan 26, 2018 8:07:25 PM org.apache.catalina.core.StandardEngine startInternal
Jan 26 20:07:25 idm1 server: INFO: Starting Servlet Engine: Apache Tomcat/7.0.76
Jan 26 20:07:25 idm1 server: Jan 26, 2018 8:07:25 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:07:25 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml
Jan 26 20:07:25 idm1 server: SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
Jan 26 20:07:25 idm1 server: SSLAuthenticatorWithFallback: Setting container
Jan 26 20:07:26 idm1 ns-slapd: [26/Jan/2018:20:07:26.811402672 +0100] - WARN - csngen_new_csn - Too much time skew (-416202 secs). Current seqnum=2b
Jan 26 20:07:27 idm1 server: Jan 26, 2018 8:07:27 PM org.apache.catalina.startup.TldConfig execute
Jan 26 20:07:27 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jan 26 20:07:27 idm1 server: SSLAuthenticatorWithFallback: Initializing authenticators
Jan 26 20:07:27 idm1 server: SSLAuthenticatorWithFallback: Starting authenticators
Jan 26 20:07:28 idm1 server: CMSEngine.initializePasswordStore() begins
Jan 26 20:07:28 idm1 server: CMSEngine.initializePasswordStore(): tag=internaldb
Jan 26 20:07:28 idm1 server: CMSEngine.initializePasswordStore(): tag=replicationdb
Jan 26 20:07:30 idm1 server: SelfTestSubsystem: Disabling "ca" subsystem due to selftest failure.
Jan 26 20:07:31 idm1 server: -----------------------
Jan 26 20:07:31 idm1 server: Disabled "ca" subsystem
Jan 26 20:07:31 idm1 server: -----------------------
Jan 26 20:07:31 idm1 server: Subsystem ID: ca
Jan 26 20:07:31 idm1 server: Instance ID: pki-tomcat
Jan 26 20:07:31 idm1 server: Enabled: False
Jan 26 20:07:31 idm1 server: Invalid class name repositorytop
Jan 26 20:07:31 idm1 server: Invalid class name repositorytop
Jan 26 20:07:31 idm1 server: at com.netscape.cmscore.dbs.DBRegistry.createObject(DBRegistry.java:485)
Jan 26 20:07:31 idm1 server: at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:167)
Jan 26 20:07:31 idm1 server: at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:137)
Jan 26 20:07:31 idm1 server: at com.netscape.cmscore.dbs.Repository.getSerialNumber(Repository.java:125)
Jan 26 20:07:31 idm1 server: at com.netscape.cmscore.dbs.Repository.initCache(Repository.java:244)
Jan 26 20:07:31 idm1 server: at com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:460)
Jan 26 20:07:31 idm1 server: at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1378)
Jan 26 20:07:31 idm1 server: at com.netscape.certsrv.apps.CMS.startup(CMS.java:202)
Jan 26 20:07:31 idm1 server: at com.netscape.certsrv.apps.CMS.start(CMS.java:1632)
Jan 26 20:07:31 idm1 server: at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
Jan 26 20:07:31 idm1 server: at javax.servlet.GenericServlet.init(GenericServlet.java:158)
Jan 26 20:07:31 idm1 server: at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Jan 26 20:07:31 idm1 server: at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
Jan 26 20:07:31 idm1 server: at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Jan 26 20:07:31 idm1 server: at java.lang.reflect.Method.invoke(Method.java:498)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
Jan 26 20:07:31 idm1 server: at java.security.AccessController.doPrivileged(Native Method)
Jan 26 20:07:31 idm1 server: at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1257)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1182)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1072)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5368)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5660)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
Jan 26 20:07:31 idm1 server: at java.security.AccessController.doPrivileged(Native Method)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
Jan 26 20:07:31 idm1 server: at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
Jan 26 20:07:31 idm1 server: at java.util.concurrent.FutureTask.run(FutureTask.java:266)
Jan 26 20:07:31 idm1 server: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
Jan 26 20:07:31 idm1 server: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
Jan 26 20:07:31 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 26 20:07:31 idm1 server: Jan 26, 2018 8:07:31 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:07:31 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 5,520 ms
Jan 26 20:07:31 idm1 server: Jan 26, 2018 8:07:31 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:07:31 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml
Jan 26 20:07:32 idm1 server: Jan 26, 2018 8:07:32 PM org.apache.catalina.startup.TldConfig execute
Jan 26 20:07:32 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jan 26 20:07:32 idm1 server: Jan 26, 2018 8:07:32 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:07:32 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml has finished in 790 ms
Jan 26 20:07:32 idm1 server: Jan 26, 2018 8:07:32 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:07:32 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml
Jan 26 20:07:33 idm1 server: Jan 26, 2018 8:07:33 PM org.apache.catalina.startup.TldConfig execute
Jan 26 20:07:33 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jan 26 20:07:33 idm1 server: Jan 26, 2018 8:07:33 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:07:33 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml has finished in 1,064 ms
Jan 26 20:07:33 idm1 server: Jan 26, 2018 8:07:33 PM org.apache.coyote.AbstractProtocol start
Jan 26 20:07:33 idm1 server: INFO: Starting ProtocolHandler ["http-bio-8080"]
Jan 26 20:07:33 idm1 server: Jan 26, 2018 8:07:33 PM org.apache.coyote.AbstractProtocol start
Jan 26 20:07:33 idm1 server: INFO: Starting ProtocolHandler ["http-bio-8443"]
Jan 26 20:07:33 idm1 server: Jan 26, 2018 8:07:33 PM org.apache.coyote.AbstractProtocol start
Jan 26 20:07:33 idm1 server: INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Jan 26 20:07:33 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[after_start]
Jan 26 20:07:33 idm1 server: PKIListener: Subsystem CA is disabled.
Jan 26 20:07:33 idm1 server: PKIListener: Check /var/log/pki/pki-tomcat/ca/selftests.log for possible errors.
Jan 26 20:07:33 idm1 server: PKIListener: To enable the subsystem:
Jan 26 20:07:33 idm1 server: PKIListener: pki-server subsystem-enable -i pki-tomcat ca
Jan 26 20:07:33 idm1 server: Jan 26, 2018 8:07:33 PM org.apache.catalina.startup.Catalina start
Jan 26 20:07:33 idm1 server: INFO: Server startup in 7515 ms
Jan 26 20:07:39 idm1 ns-slapd: [26/Jan/2018:20:07:39.035843722 +0100] - WARN - csngen_new_csn - Too much time skew (-416191 secs). Current seqnum=2c
Jan 26 20:07:43 idm1 server: Jan 26, 2018 8:07:43 PM org.apache.catalina.startup.HostConfig undeploy
Jan 26 20:07:43 idm1 server: INFO: Undeploying context [/ca]
Jan 26 20:07:43 idm1 server: SSLAuthenticatorWithFallback: Stopping authenticators
Jan 26 20:07:43 idm1 server: Jan 26, 2018 8:07:43 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:07:43 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-0 ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:07:43 idm1 server: Jan 26, 2018 8:07:43 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:07:43 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-2 ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:07:43 idm1 server: Jan 26, 2018 8:07:43 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:07:43 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [authorityMonitor] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:07:43 idm1 server: Jan 26, 2018 8:07:43 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:07:43 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-3 ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:07:43 idm1 server: Jan 26, 2018 8:07:43 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:07:43 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [profileChangeMonitor] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:07:43 idm1 server: SSLAuthenticatorWithFallback: Setting container
Jan 26 20:07:47 idm1 ns-slapd: [26/Jan/2018:20:07:47.844329850 +0100] - WARN - csngen_new_csn - Too much time skew (-416183 secs). Current seqnum=2d
Jan 26 20:08:09 idm1 ns-slapd: [26/Jan/2018:20:08:09.059172306 +0100] - WARN - csngen_new_csn - Too much time skew (-416174 secs). Current seqnum=1
Jan 26 20:08:27 idm1 ntpd[16370]: ntpd exiting on signal 15
Jan 26 20:08:27 idm1 systemd: Stopping Network Time Service...
Jan 26 20:08:27 idm1 systemd: Stopped Network Time Service.
Jan 26 20:08:49 idm1 ns-slapd: [26/Jan/2018:20:08:49.052101605 +0100] - WARN - csngen_new_csn - Too much time skew (-416135 secs). Current seqnum=1
Jan 26 20:08:49 idm1 ns-slapd: [26/Jan/2018:20:08:49.075642776 +0100] - WARN - csngen_new_csn - Too much time skew (-416136 secs). Current seqnum=1
Jan 26 20:08:51 idm1 ns-slapd: [26/Jan/2018:20:08:51.298345097 +0100] - WARN - csngen_new_csn - Too much time skew (-416135 secs). Current seqnum=1
Jan 26 20:09:25 idm1 ns-slapd: [26/Jan/2018:20:09:25.093696262 +0100] - WARN - csngen_new_csn - Too much time skew (-416102 secs). Current seqnum=1
Jan 26 20:09:25 idm1 ns-slapd: [26/Jan/2018:20:09:25.115607333 +0100] - WARN - csngen_new_csn - Too much time skew (-416103 secs). Current seqnum=1
Jan 26 20:10:27 idm1 ns-slapd: [26/Jan/2018:20:10:27.371866302 +0100] - WARN - csngen_new_csn - Too much time skew (-416042 secs). Current seqnum=1
Jan 26 20:11:11 idm1 ns-slapd: [26/Jan/2018:20:11:11.185235999 +0100] - WARN - csngen_new_csn - Too much time skew (-415999 secs). Current seqnum=1
Jan 26 20:12:24 idm1 systemd: Starting Samba SMB Daemon...
Jan 26 20:12:24 idm1 smbd[16684]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket not yet valid)
Jan 26 20:12:24 idm1 ns-slapd: [26/Jan/2018:20:12:24.338023606 +0100] - WARN - csngen_new_csn - Too much time skew (-415927 secs). Current seqnum=1
Jan 26 20:12:24 idm1 ns-slapd: [26/Jan/2018:20:12:24.492918154 +0100] - WARN - csngen_new_csn - Too much time skew (-415928 secs). Current seqnum=1
Jan 26 20:12:24 idm1 smbd[16684]: [2018/01/26 20:12:24.644663, 0] ../lib/util/become_daemon.c:124(daemon_ready)
Jan 26 20:12:24 idm1 systemd: Started Samba SMB Daemon.
Jan 26 20:12:24 idm1 smbd[16684]: STATUS=daemon 'smbd' finished starting up and ready to serve connections
Jan 26 20:12:24 idm1 systemd: Starting Samba Winbind Daemon...
Jan 26 20:12:24 idm1 winbindd[16702]: [2018/01/26 20:12:24.744499, 0] ../source3/winbindd/winbindd_cache.c:3171(initialize_winbindd_cache)
Jan 26 20:12:24 idm1 systemd: winbind.service: Supervising process 16702 which is not our child. We'll most likely not notice when it exits.
Jan 26 20:12:24 idm1 winbindd[16702]: initialize_winbindd_cache: clearing cache and re-creating with version number 2
Jan 26 20:12:24 idm1 winbindd[16702]: [2018/01/26 20:12:24.788607, 0] ../lib/util/become_daemon.c:124(daemon_ready)
Jan 26 20:12:24 idm1 systemd: Started Samba Winbind Daemon.
Jan 26 20:12:24 idm1 winbindd[16702]: STATUS=daemon 'winbindd' finished starting up and ready to serve connections
Jan 26 20:12:24 idm1 systemd: Listening on ipa-otpd socket.
Jan 26 20:12:24 idm1 systemd: Starting ipa-otpd socket.
Jan 26 20:12:24 idm1 ns-slapd: [26/Jan/2018:20:12:24.835355417 +0100] - WARN - csngen_new_csn - Too much time skew (-415928 secs). Current seqnum=1
Jan 26 20:16:36 idm1 ns-slapd: [26/Jan/2018:20:16:36.642664215 +0100] - WARN - csngen_new_csn - Too much time skew (-415688 secs). Current seqnum=1
Jan 26 20:16:36 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:16:37 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 26 20:17:24 idm1 ns-slapd: [26/Jan/2018:20:17:24.820564227 +0100] - WARN - csngen_new_csn - Too much time skew (-415641 secs). Current seqnum=1
Jan 26 20:17:37 idm1 ns-slapd: [26/Jan/2018:20:17:37.625304230 +0100] - WARN - csngen_new_csn - Too much time skew (-415629 secs). Current seqnum=1
Jan 26 20:17:37 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:17:37 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 26 20:18:01 idm1 logrotate: ALERT exited abnormally with [1]
Jan 26 20:18:38 idm1 ns-slapd: [26/Jan/2018:20:18:38.792663979 +0100] - WARN - csngen_new_csn - Too much time skew (-415569 secs). Current seqnum=1
Jan 26 20:22:24 idm1 ns-slapd: [26/Jan/2018:20:22:24.817110632 +0100] - WARN - csngen_new_csn - Too much time skew (-415344 secs). Current seqnum=1
Jan 26 20:23:59 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:23:59 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 26 20:24:45 idm1 stop_pkicad: Stopping pki_tomcatd
Jan 26 20:24:45 idm1 systemd: Stopping PKI Tomcat Server pki-tomcat...
Jan 26 20:24:45 idm1 server: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
Jan 26 20:24:45 idm1 server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
Jan 26 20:24:45 idm1 server: main class used: org.apache.catalina.startup.Bootstrap
Jan 26 20:24:45 idm1 server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni
Jan 26 20:24:45 idm1 server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
Jan 26 20:24:45 idm1 server: arguments used: stop
Jan 26 20:24:45 idm1 server: Jan 26, 2018 8:24:45 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
Jan 26 20:24:45 idm1 server: WARNING: Problem with JAR file [/usr/share/pki/server/common/lib/symkey.jar], exists: [false], canRead: [false]
Jan 26 20:24:46 idm1 server: Jan 26, 2018 8:24:46 PM org.apache.catalina.core.StandardServer await
Jan 26 20:24:46 idm1 server: INFO: A valid shutdown command was received via the shutdown port. Stopping the Server instance.
Jan 26 20:24:46 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_stop]
Jan 26 20:24:46 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[stop]
Jan 26 20:24:46 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[configure_stop]
Jan 26 20:24:46 idm1 server: Jan 26, 2018 8:24:46 PM org.apache.coyote.AbstractProtocol pause
Jan 26 20:24:46 idm1 server: INFO: Pausing ProtocolHandler ["http-bio-8080"]
Jan 26 20:24:46 idm1 systemd: Stopped PKI Tomcat Server pki-tomcat.
Jan 26 20:24:46 idm1 stop_pkicad: Stopped pki_tomcatd
Jan 26 20:27:24 idm1 ns-slapd: [26/Jan/2018:20:27:24.817184276 +0100] - WARN - csngen_new_csn - Too much time skew (-415053 secs). Current seqnum=1
Jan 26 20:28:39 idm1 ns-slapd: [26/Jan/2018:20:28:39.388139879 +0100] - WARN - csngen_new_csn - Too much time skew (-414980 secs). Current seqnum=1
Jan 26 20:28:45 idm1 systemd: Reloading.
Jan 26 20:28:45 idm1 systemd: [/usr/lib/systemd/system/ip6tables.service:3] Failed to add dependency on syslog.target,iptables.service, ignoring: Invalid argument
Jan 26 20:28:45 idm1 yum[17021]: Installed: pki-server-10.4.1-17.el7_4.noarch
Jan 26 20:30:09 idm1 yum[17100]: Installed: pki-symkey-10.4.1-17.el7_4.x86_64
Jan 26 20:30:10 idm1 ns-slapd: [26/Jan/2018:20:30:10.056412100 +0100] - WARN - csngen_new_csn - Too much time skew (-414902 secs). Current seqnum=1
Jan 26 20:30:10 idm1 ns-slapd: [26/Jan/2018:20:30:10.112492509 +0100] - WARN - csngen_new_csn - Too much time skew (-414903 secs). Current seqnum=1
Jan 26 20:30:36 idm1 systemd: Stopping Certificate monitoring and PKI enrollment...
Jan 26 20:30:36 idm1 systemd: Starting Certificate monitoring and PKI enrollment...
Jan 26 20:30:36 idm1 systemd: Started Certificate monitoring and PKI enrollment.
Jan 26 20:30:51 idm1 ns-slapd: [26/Jan/2018:20:30:51.459575928 +0100] - WARN - csngen_new_csn - Too much time skew (-414862 secs). Current seqnum=1
Jan 26 20:30:53 idm1 ns-slapd: [26/Jan/2018:20:30:53.004542140 +0100] - WARN - csngen_new_csn - Too much time skew (-414862 secs). Current seqnum=1
Jan 26 20:32:53 idm1 ns-slapd: [26/Jan/2018:20:32:53.104794576 +0100] - WARN - csngen_new_csn - Too much time skew (-414747 secs). Current seqnum=1
Jan 26 20:33:38 idm1 ns-slapd: [26/Jan/2018:20:33:38.708156346 +0100] - WARN - csngen_new_csn - Too much time skew (-414702 secs). Current seqnum=1
Jan 26 20:35:26 idm1 systemd: Starting PKI Tomcat Server tomcatd...
Jan 26 20:35:27 idm1 pkidaemon: tomcatd is an invalid 'tomcat' instance
Jan 26 20:35:27 idm1 systemd: pki-tomcatd@tomcatd.service: control process exited, code=exited status=5
Jan 26 20:35:27 idm1 systemd: Failed to start PKI Tomcat Server tomcatd.
Jan 26 20:35:27 idm1 systemd: Unit pki-tomcatd@tomcatd.service entered failed state.
Jan 26 20:35:27 idm1 systemd: pki-tomcatd@tomcatd.service failed.
Jan 26 20:38:15 idm1 systemd: Stopping Certificate monitoring and PKI enrollment...
Jan 26 20:38:15 idm1 systemd: Starting Certificate monitoring and PKI enrollment...
Jan 26 20:38:16 idm1 systemd: Started Certificate monitoring and PKI enrollment.
Jan 26 20:38:50 idm1 systemd: Stopped target PKI Tomcat Server.
Jan 26 20:38:50 idm1 systemd: Stopping PKI Tomcat Server.
Jan 26 20:38:50 idm1 systemd: Stopping 389 Directory Server XXXKD-FAU-DE....
Jan 26 20:38:50 idm1 ns-slapd: [26/Jan/2018:20:38:50.930128624 +0100] - INFO - op_thread_cleanup - slapd shutting down - signaling operation threads - op stack size 7 max work q size 3 max work q stack size 3
Jan 26 20:38:50 idm1 ns-slapd: [26/Jan/2018:20:38:50.938738333 +0100] - INFO - slapd_daemon - slapd shutting down - closing down internal subsystems and plugins
Jan 26 20:38:51 idm1 ns-slapd: [26/Jan/2018:20:38:51.491982395 +0100] - INFO - dblayer_pre_close - Waiting for 4 database threads to stop
Jan 26 20:38:52 idm1 ns-slapd: [26/Jan/2018:20:38:52.643000430 +0100] - INFO - dblayer_pre_close - All database threads now stopped
Jan 26 20:38:52 idm1 ns-slapd: [26/Jan/2018:20:38:52.843193691 +0100] - INFO - ldbm_back_instance_set_destructor - Set of instances destroyed
Jan 26 20:38:52 idm1 ns-slapd: [26/Jan/2018:20:38:52.845431711 +0100] - INFO - connection_post_shutdown_cleanup - slapd shutting down - freed 3 work q stack objects - freed 7 op stack objects
Jan 26 20:38:52 idm1 ns-slapd: [26/Jan/2018:20:38:52.949112608 +0100] - INFO - main - slapd stopped.
Jan 26 20:38:53 idm1 systemd: Starting 389 Directory Server XXXKD-FAU-DE....
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.798684376 +0100] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.802136681 +0100] - INFO - Security Initialization - SSL info: Enabling default cipher set.
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.803482731 +0100] - INFO - Security Initialization - SSL info: Configured NSS Ciphers
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.804571447 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.805584219 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.806587975 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.807433596 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.808344028 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.809263480 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.810258405 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.811278159 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.812279895 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.813211722 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.814155963 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.815027810 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.815884935 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.816664023 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.817588461 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.820002292 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.820921200 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.821848282 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.822790429 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.823796031 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.824792858 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.825834646 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.826645719 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.827439967 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.828388576 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.829379262 +0100] - INFO - Security Initialization - SSL info: #011TLS_AES_128_GCM_SHA256: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.830270347 +0100] - INFO - Security Initialization - SSL info: #011TLS_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.831112791 +0100] - INFO - Security Initialization - SSL info: #011TLS_AES_256_GCM_SHA384: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.842425631 +0100] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.2
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.844467130 +0100] - INFO - main - 389-Directory/1.3.6.1 B2018.025.1550 starting up
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.862148344 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.866723860 +0100] - WARN - default_mr_indexer_create - Plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.872029440 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.880396494 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.887683843 +0100] - NOTICE - ldbm_back_start - found 1532164k physical memory
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.889387846 +0100] - NOTICE - ldbm_back_start - found 957616k available
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.890401127 +0100] - NOTICE - ldbm_back_start - cache autosizing: db cache: 61286k
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.891282794 +0100] - NOTICE - ldbm_back_start - cache autosizing: userRoot entry cache (3 total): 65536k
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.893673995 +0100] - NOTICE - ldbm_back_start - cache autosizing: ipaca entry cache (3 total): 65536k
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.896279383 +0100] - NOTICE - ldbm_back_start - cache autosizing: changelog entry cache (3 total): 65536k
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.899099347 +0100] - NOTICE - ldbm_back_start - total cache size: 282989821 B;
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.288606109 +0100] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.356204866 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.357475508 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=keys,cn=sec,cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.358533489 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.359655614 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.360824909 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.361929056 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.362916495 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.363933986 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.364863852 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.365773801 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.366715005 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.367657233 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.368620393 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.369654121 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.370568017 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.371627613 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.372549625 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.373548074 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.374515489 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.375468905 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.376417537 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.384105365 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.385229794 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.489142376 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.492165481 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat".
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.493230810 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat".
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.494325526 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat".
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.533752266 +0100] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.538206222 +0100] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/idm1.XXXkd.fau.de@XXXKD.FAU.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.542196033 +0100] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.550911263 +0100] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
Jan 26 20:38:55 idm1 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: /tmp/krb5cc_993))
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.552234132 +0100] - INFO - slapd_daemon - Listening on /var/run/slapd-XXXKD-FAU-DE.socket for LDAPI requests
Jan 26 20:38:55 idm1 systemd: Started 389 Directory Server XXXKD-FAU-DE..
Jan 26 20:38:55 idm1 systemd: Stopping Kerberos 5 KDC...
Jan 26 20:38:55 idm1 systemd: Starting Kerberos 5 KDC...
Jan 26 20:38:55 idm1 systemd: PID file /var/run/krb5kdc.pid not readable (yet?) after start.
Jan 26 20:38:55 idm1 systemd: Started Kerberos 5 KDC.
Jan 26 20:38:55 idm1 systemd: Stopping Kerberos 5 Password-changing and Administration...
Jan 26 20:38:55 idm1 systemd: kadmin.service: main process exited, code=exited, status=2/INVALIDARGUMENT
Jan 26 20:38:55 idm1 systemd: Unit kadmin.service entered failed state.
Jan 26 20:38:55 idm1 systemd: kadmin.service failed.
Jan 26 20:38:55 idm1 systemd: Starting Kerberos 5 Password-changing and Administration...
Jan 26 20:38:56 idm1 systemd: Started Kerberos 5 Password-changing and Administration.
Jan 26 20:38:56 idm1 systemd: Stopping The Apache HTTP Server...
Jan 26 20:38:58 idm1 ns-slapd: [26/Jan/2018:20:38:58.564805340 +0100] - WARN - csngen_new_csn - Too much time skew (-414396 secs). Current seqnum=1
Jan 26 20:38:58 idm1 ns-slapd: [26/Jan/2018:20:38:58.641081747 +0100] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToidm2.XXXkd.fau.de" (idm2:389) - Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
Jan 26 20:39:00 idm1 systemd: Starting The Apache HTTP Server...
Jan 26 20:39:00 idm1 ipa-httpd-kdcproxy: ipa : INFO KDC proxy enabled
Jan 26 20:39:00 idm1 ns-slapd: [26/Jan/2018:20:39:00.943662244 +0100] - ERR - schema-compat-plugin - Finished plugin initialization.
Jan 26 20:39:01 idm1 systemd: Started The Apache HTTP Server.
Jan 26 20:39:01 idm1 systemd: Stopping IPA Custodia Service...
Jan 26 20:39:01 idm1 systemd: Starting IPA Custodia Service...
Jan 26 20:39:02 idm1 systemd: Started IPA Custodia Service.
Jan 26 20:39:02 idm1 ipa-custodia: 2018-01-26 20:39:02 - server - Serving on Unix socket /run/httpd/ipa-custodia.sock
Jan 26 20:39:02 idm1 systemd: Starting Network Time Service...
Jan 26 20:39:02 idm1 ntpd[17985]: ntpd 4.2.6p5@1.2349-o Wed Apr 12 21:24:06 UTC 2017 (1)
Jan 26 20:39:02 idm1 systemd: Started Network Time Service.
Jan 26 20:39:02 idm1 ntpd[17986]: proto: precision = 0.097 usec
Jan 26 20:39:02 idm1 ntpd[17986]: 0.0.0.0 c01d 0d kern kernel time sync enabled
Jan 26 20:39:02 idm1 systemd: Starting PKI Tomcat Server pki-tomcat...
Jan 26 20:39:03 idm1 ntpd[17986]: getaddrinfo: "2001:638:a000:b201::/64" invalid host address, ignored
Jan 26 20:39:03 idm1 ntpd[17986]: restrict: error in address '2001:638:a000:b201::/64' on line 21. Ignoring...
Jan 26 20:39:03 idm1 ntpd[17986]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
Jan 26 20:39:03 idm1 ntpd[17986]: Listen and drop on 1 v6wildcard :: UDP 123
Jan 26 20:39:03 idm1 ntpd[17986]: Listen normally on 2 lo 127.0.0.1 UDP 123
Jan 26 20:39:03 idm1 ntpd[17986]: Listen normally on 3 eth0 10.188.220.100 UDP 123
Jan 26 20:39:03 idm1 ntpd[17986]: Listen normally on 4 lo ::1 UDP 123
Jan 26 20:39:03 idm1 ntpd[17986]: Listen normally on 5 eth0 fe80::5054:ff:fe4e:b270 UDP 123
Jan 26 20:39:03 idm1 ntpd[17986]: Listen normally on 6 eth0 2001:638:a000:b201::220:100 UDP 123
Jan 26 20:39:03 idm1 ntpd[17986]: Listening on routing socket on fd #23 for interface updates
Jan 26 20:39:03 idm1 ntpd[17986]: 0.0.0.0 c016 06 restart
Jan 26 20:39:03 idm1 ntpd[17986]: 0.0.0.0 c012 02 freq_set ntpd -11.506 PPM
Jan 26 20:39:04 idm1 ns-slapd: [26/Jan/2018:20:39:04.677894447 +0100] - WARN - csngen_new_csn - Too much time skew (-414391 secs). Current seqnum=1
Jan 26 20:39:05 idm1 pkidaemon: -----------------------
Jan 26 20:39:05 idm1 pkidaemon: Banner is not installed
Jan 26 20:39:05 idm1 pkidaemon: -----------------------
Jan 26 20:39:05 idm1 pkidaemon: ----------------------
Jan 26 20:39:05 idm1 pkidaemon: Enabled all subsystems
Jan 26 20:39:05 idm1 pkidaemon: ----------------------
Jan 26 20:39:05 idm1 systemd: Started PKI Tomcat Server pki-tomcat.
Jan 26 20:39:05 idm1 systemd: Reached target PKI Tomcat Server.
Jan 26 20:39:05 idm1 systemd: Starting PKI Tomcat Server.
Jan 26 20:39:05 idm1 server: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
Jan 26 20:39:05 idm1 server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
Jan 26 20:39:05 idm1 server: main class used: org.apache.catalina.startup.Bootstrap
Jan 26 20:39:05 idm1 server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni
Jan 26 20:39:05 idm1 server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy
Jan 26 20:39:05 idm1 server: arguments used: start
Jan 26 20:39:07 idm1 ntpd[17986]: 0.0.0.0 c515 05 clock_sync
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://idm1.XXXkd.fau.de:9080/ca/ocsp' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'strictCiphers' to 'true' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property.
Jan 26 20:39:07 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_init]
Jan 26 20:39:08 idm1 server: Jan 26, 2018 8:39:08 PM org.apache.coyote.AbstractProtocol init
Jan 26 20:39:08 idm1 server: INFO: Initializing ProtocolHandler ["http-bio-8080"]
Jan 26 20:39:08 idm1 server: Jan 26, 2018 8:39:08 PM org.apache.coyote.AbstractProtocol init
Jan 26 20:39:08 idm1 server: INFO: Initializing ProtocolHandler ["http-bio-8443"]
Jan 26 20:39:08 idm1 server: Error: SSL cipher "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" not recognized by tomcatjss
Jan 26 20:39:08 idm1 server: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" not recognized by tomcatjss
Jan 26 20:39:08 idm1 server: Jan 26, 2018 8:39:08 PM org.apache.coyote.AbstractProtocol init
Jan 26 20:39:08 idm1 server: INFO: Initializing ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Jan 26 20:39:08 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[after_init]
Jan 26 20:39:08 idm1 server: Jan 26, 2018 8:39:08 PM org.apache.catalina.startup.Catalina load
Jan 26 20:39:08 idm1 server: INFO: Initialization processed in 1254 ms
Jan 26 20:39:08 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_start]
Jan 26 20:39:08 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[configure_start]
Jan 26 20:39:08 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[start]
Jan 26 20:39:08 idm1 server: Jan 26, 2018 8:39:08 PM org.apache.catalina.core.StandardService startInternal
Jan 26 20:39:08 idm1 server: INFO: Starting service Catalina
Jan 26 20:39:08 idm1 server: Jan 26, 2018 8:39:08 PM org.apache.catalina.core.StandardEngine startInternal
Jan 26 20:39:08 idm1 server: INFO: Starting Servlet Engine: Apache Tomcat/7.0.76
Jan 26 20:39:08 idm1 server: Jan 26, 2018 8:39:08 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:39:08 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml
Jan 26 20:39:08 idm1 server: SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
Jan 26 20:39:08 idm1 server: SSLAuthenticatorWithFallback: Setting container
Jan 26 20:39:10 idm1 server: Jan 26, 2018 8:39:10 PM org.apache.catalina.startup.TldConfig execute
Jan 26 20:39:10 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jan 26 20:39:10 idm1 server: SSLAuthenticatorWithFallback: Initializing authenticators
Jan 26 20:39:10 idm1 server: SSLAuthenticatorWithFallback: Starting authenticators
Jan 26 20:39:10 idm1 server: CMSEngine.initializePasswordStore() begins
Jan 26 20:39:10 idm1 server: CMSEngine.initializePasswordStore(): tag=internaldb
Jan 26 20:39:10 idm1 server: CMSEngine.initializePasswordStore(): tag=replicationdb
Jan 26 20:39:13 idm1 server: SelfTestSubsystem: Disabling "ca" subsystem due to selftest failure.
Jan 26 20:39:13 idm1 server: -----------------------
Jan 26 20:39:13 idm1 server: Disabled "ca" subsystem
Jan 26 20:39:13 idm1 server: -----------------------
Jan 26 20:39:13 idm1 server: Subsystem ID: ca
Jan 26 20:39:13 idm1 server: Instance ID: pki-tomcat
Jan 26 20:39:13 idm1 server: Enabled: False
Jan 26 20:39:13 idm1 server: Invalid class name repositorytop
Jan 26 20:39:14 idm1 server: Invalid class name repositorytop
Jan 26 20:39:14 idm1 server: at com.netscape.cmscore.dbs.DBRegistry.createObject(DBRegistry.java:485)
Jan 26 20:39:14 idm1 server: at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:167)
Jan 26 20:39:14 idm1 server: at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:137)
Jan 26 20:39:14 idm1 server: at com.netscape.cmscore.dbs.Repository.getSerialNumber(Repository.java:125)
Jan 26 20:39:14 idm1 server: at com.netscape.cmscore.dbs.Repository.initCache(Repository.java:244)
Jan 26 20:39:14 idm1 server: at com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:460)
Jan 26 20:39:14 idm1 server: at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1378)
Jan 26 20:39:14 idm1 server: at com.netscape.certsrv.apps.CMS.startup(CMS.java:202)
Jan 26 20:39:14 idm1 server: at com.netscape.certsrv.apps.CMS.start(CMS.java:1632)
Jan 26 20:39:14 idm1 server: at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
Jan 26 20:39:14 idm1 server: at javax.servlet.GenericServlet.init(GenericServlet.java:158)
Jan 26 20:39:14 idm1 server: at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Jan 26 20:39:14 idm1 server: at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
Jan 26 20:39:14 idm1 server: at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Jan 26 20:39:14 idm1 server: at java.lang.reflect.Method.invoke(Method.java:498)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
Jan 26 20:39:14 idm1 server: at java.security.AccessController.doPrivileged(Native Method)
Jan 26 20:39:14 idm1 server: at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1257)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1182)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1072)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5368)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5660)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
Jan 26 20:39:14 idm1 server: at java.security.AccessController.doPrivileged(Native Method)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
Jan 26 20:39:14 idm1 server: at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
Jan 26 20:39:14 idm1 server: at java.util.concurrent.FutureTask.run(FutureTask.java:266)
Jan 26 20:39:14 idm1 server: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
Jan 26 20:39:14 idm1 server: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
Jan 26 20:39:14 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 26 20:39:14 idm1 server: Jan 26, 2018 8:39:14 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:39:14 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 5,603 ms
Jan 26 20:39:14 idm1 server: Jan 26, 2018 8:39:14 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:39:14 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml
Jan 26 20:39:14 idm1 server: Jan 26, 2018 8:39:14 PM org.apache.catalina.startup.TldConfig execute
Jan 26 20:39:14 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jan 26 20:39:14 idm1 server: Jan 26, 2018 8:39:14 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:39:14 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml has finished in 724 ms
Jan 26 20:39:14 idm1 server: Jan 26, 2018 8:39:14 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:39:14 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml
Jan 26 20:39:15 idm1 server: Jan 26, 2018 8:39:15 PM org.apache.catalina.startup.TldConfig execute
Jan 26 20:39:15 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jan 26 20:39:15 idm1 server: Jan 26, 2018 8:39:15 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:39:15 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml has finished in 1,041 ms
Jan 26 20:39:15 idm1 server: Jan 26, 2018 8:39:15 PM org.apache.coyote.AbstractProtocol start
Jan 26 20:39:15 idm1 server: INFO: Starting ProtocolHandler ["http-bio-8080"]
Jan 26 20:39:15 idm1 server: Jan 26, 2018 8:39:15 PM org.apache.coyote.AbstractProtocol start
Jan 26 20:39:15 idm1 server: INFO: Starting ProtocolHandler ["http-bio-8443"]
Jan 26 20:39:15 idm1 server: Jan 26, 2018 8:39:15 PM org.apache.coyote.AbstractProtocol start
Jan 26 20:39:15 idm1 server: INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Jan 26 20:39:15 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[after_start]
Jan 26 20:39:15 idm1 server: PKIListener: Subsystem CA is disabled.
Jan 26 20:39:15 idm1 server: PKIListener: Check /var/log/pki/pki-tomcat/ca/selftests.log for possible errors.
Jan 26 20:39:15 idm1 server: PKIListener: To enable the subsystem:
Jan 26 20:39:15 idm1 server: PKIListener: pki-server subsystem-enable -i pki-tomcat ca
Jan 26 20:39:15 idm1 server: Jan 26, 2018 8:39:15 PM org.apache.catalina.startup.Catalina start
Jan 26 20:39:15 idm1 server: INFO: Server startup in 7480 ms
Jan 26 20:39:17 idm1 ns-slapd: [26/Jan/2018:20:39:17.236299024 +0100] - WARN - csngen_new_csn - Too much time skew (-414380 secs). Current seqnum=1
Jan 26 20:39:22 idm1 ns-slapd: [26/Jan/2018:20:39:22.056843883 +0100] - WARN - csngen_new_csn - Too much time skew (-414376 secs). Current seqnum=1
Jan 26 20:39:22 idm1 ns-slapd: [26/Jan/2018:20:39:22.084016470 +0100] - WARN - csngen_new_csn - Too much time skew (-414377 secs). Current seqnum=1
Jan 26 20:39:26 idm1 ns-slapd: [26/Jan/2018:20:39:26.282879120 +0100] - WARN - csngen_new_csn - Too much time skew (-414374 secs). Current seqnum=1
Jan 26 20:39:26 idm1 ns-slapd: [26/Jan/2018:20:39:26.321619015 +0100] - WARN - csngen_new_csn - Too much time skew (-414375 secs). Current seqnum=1
Jan 26 20:39:26 idm1 server: Jan 26, 2018 8:39:26 PM org.apache.catalina.startup.HostConfig undeploy
Jan 26 20:39:26 idm1 server: INFO: Undeploying context [/ca]
Jan 26 20:39:26 idm1 server: SSLAuthenticatorWithFallback: Stopping authenticators
Jan 26 20:39:26 idm1 server: Jan 26, 2018 8:39:26 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:39:26 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-0 ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:39:26 idm1 server: Jan 26, 2018 8:39:26 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:39:26 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-2 ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:39:26 idm1 server: Jan 26, 2018 8:39:26 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:39:26 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [authorityMonitor] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:39:26 idm1 server: Jan 26, 2018 8:39:26 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:39:26 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-3 ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:39:26 idm1 server: Jan 26, 2018 8:39:26 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:39:26 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [profileChangeMonitor] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:39:26 idm1 server: SSLAuthenticatorWithFallback: Setting container J
Jan 26 20:42:16 idm1 systemd: Closed ipa-otpd socket.
Jan 26 20:42:16 idm1 systemd: Stopping ipa-otpd socket.
Jan 26 20:42:16 idm1 systemd: Stopping Samba Winbind Daemon...
Jan 26 20:42:16 idm1 winbindd[16702]: [2018/01/26 20:42:16.696807, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
Jan 26 20:42:16 idm1 winbindd[16702]: Got sig[15] terminate (is_parent=1)
Jan 26 20:42:16 idm1 winbindd[16703]: [2018/01/26 20:42:16.841466, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
Jan 26 20:42:16 idm1 winbindd[16703]: Got sig[15] terminate (is_parent=0)
Jan 26 20:42:16 idm1 systemd: Stopped Samba Winbind Daemon.
Jan 26 20:42:16 idm1 systemd: Stopping Samba SMB Daemon...
Jan 26 20:42:16 idm1 smbd[16688]: [2018/01/26 20:42:16.916550, 0] ../source3/rpc_server/lsasd.c:139(lsasd_sig_term_handler)
Jan 26 20:42:16 idm1 smbd[16688]: termination signal
Jan 26 20:42:16 idm1 systemd: Stopped Samba SMB Daemon.
Jan 26 20:42:17 idm1 systemd: Stopping IPA Custodia Service...
Jan 26 20:42:17 idm1 systemd: Stopped IPA Custodia Service.
Jan 26 20:42:17 idm1 systemd: Stopping The Apache HTTP Server...
Jan 26 20:42:18 idm1 systemd: Stopped The Apache HTTP Server.
Jan 26 20:42:18 idm1 systemd: Stopping Kerberos 5 Password-changing and Administration...
Jan 26 20:42:18 idm1 systemd: kadmin.service: main process exited, code=exited, status=2/INVALIDARGUMENT
Jan 26 20:42:18 idm1 systemd: Stopped Kerberos 5 Password-changing and Administration.
Jan 26 20:42:18 idm1 systemd: Unit kadmin.service entered failed state.
Jan 26 20:42:18 idm1 systemd: kadmin.service failed.
Jan 26 20:42:18 idm1 systemd: Stopping Kerberos 5 KDC...
Jan 26 20:42:18 idm1 systemd: Stopped Kerberos 5 KDC.
Jan 26 20:42:18 idm1 systemd: Stopping 389 Directory Server XXXKD-FAU-DE....
Jan 26 20:42:18 idm1 ns-slapd: [26/Jan/2018:20:42:18.368608160 +0100] - INFO - op_thread_cleanup - slapd shutting down - signaling operation threads - op stack size 6 max work q size 2 max work q stack size 2
Jan 26 20:42:18 idm1 ns-slapd: [26/Jan/2018:20:42:18.372309172 +0100] - INFO - slapd_daemon - slapd shutting down - waiting for 15 threads to terminate
Jan 26 20:42:18 idm1 ns-slapd: [26/Jan/2018:20:42:18.374142668 +0100] - INFO - slapd_daemon - slapd shutting down - closing down internal subsystems and plugins
Jan 26 20:42:18 idm1 ns-slapd: [26/Jan/2018:20:42:18.726004813 +0100] - INFO - dblayer_pre_close - Waiting for 4 database threads to stop
Jan 26 20:42:19 idm1 ns-slapd: [26/Jan/2018:20:42:19.258064040 +0100] - INFO - dblayer_pre_close - All database threads now stopped
Jan 26 20:42:19 idm1 ns-slapd: [26/Jan/2018:20:42:19.286571363 +0100] - INFO - ldbm_back_instance_set_destructor - Set of instances destroyed
Jan 26 20:42:19 idm1 ns-slapd: [26/Jan/2018:20:42:19.288632006 +0100] - INFO - connection_post_shutdown_cleanup - slapd shutting down - freed 2 work q stack objects - freed 7 op stack objects
Jan 26 20:42:19 idm1 ns-slapd: [26/Jan/2018:20:42:19.803231467 +0100] - INFO - main - slapd stopped.
Jan 26 20:42:19 idm1 systemd: Stopped 389 Directory Server XXXKD-FAU-DE..
Jan 26 20:42:30 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_stop]
Jan 26 20:42:30 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[stop]
Jan 26 20:42:30 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[configure_stop]
Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.coyote.AbstractProtocol pause
Jan 26 20:42:30 idm1 server: INFO: Pausing ProtocolHandler ["http-bio-8080"]
Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.coyote.AbstractProtocol pause
Jan 26 20:42:30 idm1 server: INFO: Pausing ProtocolHandler ["http-bio-8443"]
Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.coyote.AbstractProtocol pause
Jan 26 20:42:30 idm1 server: INFO: Pausing ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.catalina.core.StandardService stopInternal
Jan 26 20:42:30 idm1 server: INFO: Stopping service Catalina
Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.coyote.AbstractProtocol stop
Jan 26 20:42:30 idm1 server: INFO: Stopping ProtocolHandler ["http-bio-8080"]
Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.coyote.AbstractProtocol stop
Jan 26 20:42:30 idm1 server: INFO: Stopping ProtocolHandler ["http-bio-8443"]
Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.coyote.AbstractProtocol stop
Jan 26 20:42:30 idm1 server: INFO: Stopping ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Jan 26 20:42:30 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[after_stop]
Jan 26 20:42:30 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_destroy]
Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.coyote.AbstractProtocol destroy
Jan 26 20:42:30 idm1 server: INFO: Destroying ProtocolHandler ["http-bio-8080"]
Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.coyote.AbstractProtocol destroy
Jan 26 20:42:30 idm1 server: INFO: Destroying ProtocolHandler ["http-bio-8443"]
Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.coyote.AbstractProtocol destroy
Jan 26 20:42:30 idm1 server: INFO: Destroying ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Jan 26 20:42:30 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[after_destroy]
Jan 26 20:42:30 idm1 server: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
Jan 26 20:42:30 idm1 server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
Jan 26 20:42:30 idm1 server: main class used: org.apache.catalina.startup.Bootstrap
Jan 26 20:42:30 idm1 server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni
Jan 26 20:42:30 idm1 server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
Jan 26 20:42:30 idm1 server: arguments used: stop
Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.catalina.startup.Catalina stopServer
Jan 26 20:42:30 idm1 server: SEVERE: Could not contact localhost:8005. Tomcat may not be running.
Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.catalina.startup.Catalina stopServer
Jan 26 20:42:30 idm1 server: SEVERE: Catalina.stop:
Jan 26 20:42:30 idm1 server: java.net.ConnectException: Connection refused (Connection refused)
Jan 26 20:42:30 idm1 server: at java.net.PlainSocketImpl.socketConnect(Native Method)
Jan 26 20:42:30 idm1 server: at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
Jan 26 20:42:30 idm1 server: at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
Jan 26 20:42:30 idm1 server: at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
Jan 26 20:42:30 idm1 server: at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
Jan 26 20:42:30 idm1 server: at java.net.Socket.connect(Socket.java:589)
Jan 26 20:42:30 idm1 server: at java.net.Socket.connect(Socket.java:538)
Jan 26 20:42:30 idm1 server: at java.net.Socket.<init>(Socket.java:434)
Jan 26 20:42:30 idm1 server: at java.net.Socket.<init>(Socket.java:211)
Jan 26 20:42:30 idm1 server: at org.apache.catalina.startup.Catalina.stopServer(Catalina.java:498)
Jan 26 20:42:30 idm1 server: at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Jan 26 20:42:30 idm1 server: at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
Jan 26 20:42:30 idm1 server: at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Jan 26 20:42:30 idm1 server: at java.lang.reflect.Method.invoke(Method.java:498)
Jan 26 20:42:30 idm1 server: at org.apache.catalina.startup.Bootstrap.stopServer(Bootstrap.java:343)
Jan 26 20:42:30 idm1 server: at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:430)
Jan 26 20:42:30 idm1 systemd: pki-tomcatd@pki-tomcat.service: control process exited, code=exited status=1
Jan 26 20:42:30 idm1 systemd: Unit pki-tomcatd@pki-tomcat.service entered failed state.
Jan 26 20:42:30 idm1 systemd: pki-tomcatd@pki-tomcat.service failed.
Jan 26 20:43:06 idm1 systemd: Starting 389 Directory Server XXXKD-FAU-DE....
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.135519647 +0100] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.137896015 +0100] - INFO - Security Initialization - SSL info: Enabling default cipher set.
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.138653476 +0100] - INFO - Security Initialization - SSL info: Configured NSS Ciphers
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.139362471 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.139997617 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.140969886 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.141763790 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.142425874 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.143128669 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.143876111 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.144506089 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.145128275 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.145681866 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.146327021 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.146946087 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.147538973 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.148175269 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.148809308 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.149468022 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.150081883 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.150700313 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.151358604 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.151978602 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.152607727 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.153363369 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.153985935 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.154615624 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.155162346 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.155751837 +0100] - INFO - Security Initialization - SSL info: #011TLS_AES_128_GCM_SHA256: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.156407344 +0100] - INFO - Security Initialization - SSL info: #011TLS_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.157006854 +0100] - INFO - Security Initialization - SSL info: #011TLS_AES_256_GCM_SHA384: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.166751450 +0100] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.2
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.167990669 +0100] - INFO - main - 389-Directory/1.3.6.1 B2018.025.1550 starting up
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.182152260 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.186165063 +0100] - WARN - default_mr_indexer_create - Plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.190789757 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.197372415 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.203502167 +0100] - NOTICE - ldbm_back_start - found 1532164k physical memory
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.204358115 +0100] - NOTICE - ldbm_back_start - found 945032k available
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.205099201 +0100] - NOTICE - ldbm_back_start - cache autosizing: db cache: 61286k
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.205772172 +0100] - NOTICE - ldbm_back_start - cache autosizing: userRoot entry cache (3 total): 65536k
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.207976581 +0100] - NOTICE - ldbm_back_start - cache autosizing: ipaca entry cache (3 total): 65536k
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.209935120 +0100] - NOTICE - ldbm_back_start - cache autosizing: changelog entry cache (3 total): 65536k
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.211955092 +0100] - NOTICE - ldbm_back_start - total cache size: 282989821 B;
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.268450630 +0100] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.282669243 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.283853676 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=keys,cn=sec,cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.284750958 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.285646359 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.286462970 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.287349607 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.288118043 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.289095649 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.289876366 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.290752671 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.291856781 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.292684559 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.293502496 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.294411988 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.295131467 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.295944190 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.296675050 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.297436245 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.298242490 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.299012600 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.299921149 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.307173136 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.308050707 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.414161967 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.417370681 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat".
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.418164001 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat".
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.419003673 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat".
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.451898960 +0100] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.454077292 +0100] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/idm1.XXXkd.fau.de@XXXKD.FAU.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.459158890 +0100] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
Jan 26 20:43:07 idm1 systemd: Started 389 Directory Server XXXKD-FAU-DE..
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.461550924 +0100] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.462589374 +0100] - INFO - slapd_daemon - Listening on /var/run/slapd-XXXKD-FAU-DE.socket for LDAPI requests
Jan 26 20:43:07 idm1 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: /tmp/krb5cc_993))
Jan 26 20:43:07 idm1 systemd: Starting Kerberos 5 KDC...
Jan 26 20:43:07 idm1 systemd: Started Kerberos 5 KDC.
Jan 26 20:43:07 idm1 systemd: Starting Kerberos 5 Password-changing and Administration...
Jan 26 20:43:07 idm1 systemd: Started Kerberos 5 Password-changing and Administration.
Jan 26 20:43:08 idm1 systemd: Starting The Apache HTTP Server...
Jan 26 20:43:08 idm1 ipa-httpd-kdcproxy: ipa : INFO KDC proxy enabled
Jan 26 20:43:08 idm1 systemd: Started The Apache HTTP Server.
Jan 26 20:43:09 idm1 systemd: Starting IPA Custodia Service...
Jan 26 20:43:09 idm1 ipa-custodia: 2018-01-26 20:43:09 - server - Serving on Unix socket /run/httpd/ipa-custodia.sock
Jan 26 20:43:09 idm1 systemd: Started IPA Custodia Service.
Jan 26 20:43:09 idm1 systemd: Starting Network Time Service...
Jan 26 20:43:09 idm1 ntpd[18606]: ntpd 4.2.6p5@1.2349-o Wed Apr 12 21:24:06 UTC 2017 (1)
Jan 26 20:43:09 idm1 ntpd[18607]: proto: precision = 0.092 usec
Jan 26 20:43:09 idm1 ntpd[18607]: 0.0.0.0 c01d 0d kern kernel time sync enabled
Jan 26 20:43:09 idm1 systemd: Started Network Time Service.
Jan 26 20:43:09 idm1 ntpd[18607]: getaddrinfo: "2001:638:a000:b201::/64" invalid host address, ignored
Jan 26 20:43:09 idm1 ntpd[18607]: restrict: error in address '2001:638:a000:b201::/64' on line 21. Ignoring...
Jan 26 20:43:09 idm1 ntpd[18607]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
Jan 26 20:43:09 idm1 ntpd[18607]: Listen and drop on 1 v6wildcard :: UDP 123
Jan 26 20:43:09 idm1 ntpd[18607]: Listen normally on 2 lo 127.0.0.1 UDP 123
Jan 26 20:43:09 idm1 ntpd[18607]: Listen normally on 3 eth0 10.188.220.100 UDP 123
Jan 26 20:43:09 idm1 ntpd[18607]: Listen normally on 4 lo ::1 UDP 123
Jan 26 20:43:09 idm1 ntpd[18607]: Listen normally on 5 eth0 fe80::5054:ff:fe4e:b270 UDP 123
Jan 26 20:43:09 idm1 ntpd[18607]: Listen normally on 6 eth0 2001:638:a000:b201::220:100 UDP 123
Jan 26 20:43:10 idm1 ntpd[18607]: Listening on routing socket on fd #23 for interface updates
Jan 26 20:43:10 idm1 ntpd[18607]: 0.0.0.0 c016 06 restart
Jan 26 20:43:10 idm1 ntpd[18607]: 0.0.0.0 c012 02 freq_set ntpd -11.506 PPM
Jan 26 20:43:10 idm1 systemd: Starting PKI Tomcat Server pki-tomcat...
Jan 26 20:43:10 idm1 ns-slapd: [26/Jan/2018:20:43:10.654518701 +0100] - WARN - csngen_new_csn - Too much time skew (-414240 secs). Current seqnum=1
Jan 26 20:43:10 idm1 ns-slapd: [26/Jan/2018:20:43:10.903986761 +0100] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToidm2.XXXkd.fau.de" (idm2:389) - Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
Jan 26 20:43:11 idm1 ns-slapd: [26/Jan/2018:20:43:11.090525190 +0100] - WARN - csngen_new_csn - Too much time skew (-414241 secs). Current seqnum=1
Jan 26 20:43:11 idm1 ns-slapd: [26/Jan/2018:20:43:11.418472466 +0100] - WARN - csngen_new_csn - Too much time skew (-414242 secs). Current seqnum=1
Jan 26 20:43:11 idm1 ns-slapd: [26/Jan/2018:20:43:11.690552308 +0100] - WARN - csngen_new_csn - Too much time skew (-414242 secs). Current seqnum=1
Jan 26 20:43:11 idm1 ns-slapd: [26/Jan/2018:20:43:11.913216706 +0100] - WARN - csngen_new_csn - Too much time skew (-414243 secs). Current seqnum=1
Jan 26 20:43:12 idm1 pkidaemon: -----------------------
Jan 26 20:43:12 idm1 pkidaemon: Banner is not installed
Jan 26 20:43:12 idm1 pkidaemon: -----------------------
Jan 26 20:43:12 idm1 pkidaemon: ----------------------
Jan 26 20:43:12 idm1 pkidaemon: Enabled all subsystems
Jan 26 20:43:12 idm1 pkidaemon: ----------------------
Jan 26 20:43:12 idm1 systemd: Started PKI Tomcat Server pki-tomcat.
Jan 26 20:43:12 idm1 server: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
Jan 26 20:43:12 idm1 server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
Jan 26 20:43:12 idm1 server: main class used: org.apache.catalina.startup.Bootstrap
Jan 26 20:43:12 idm1 server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni
Jan 26 20:43:12 idm1 server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy
Jan 26 20:43:12 idm1 server: arguments used: start
Jan 26 20:43:12 idm1 ns-slapd: [26/Jan/2018:20:43:12.856244489 +0100] - ERR - schema-compat-plugin - Finished plugin initialization.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://idm1.XXXkd.fau.de:9080/ca/ocsp' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'strictCiphers' to 'true' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property.
Jan 26 20:43:13 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_init]
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.coyote.AbstractProtocol init
Jan 26 20:43:13 idm1 server: INFO: Initializing ProtocolHandler ["http-bio-8080"]
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.coyote.AbstractProtocol init
Jan 26 20:43:13 idm1 server: INFO: Initializing ProtocolHandler ["http-bio-8443"]
Jan 26 20:43:13 idm1 server: Error: SSL cipher "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" not recognized by tomcatjss
Jan 26 20:43:13 idm1 server: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" not recognized by tomcatjss
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.coyote.AbstractProtocol init
Jan 26 20:43:13 idm1 server: INFO: Initializing ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Jan 26 20:43:13 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[after_init]
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.Catalina load
Jan 26 20:43:13 idm1 server: INFO: Initialization processed in 887 ms
Jan 26 20:43:13 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_start]
Jan 26 20:43:13 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[configure_start]
Jan 26 20:43:13 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[start]
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.core.StandardService startInternal
Jan 26 20:43:13 idm1 server: INFO: Starting service Catalina
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.core.StandardEngine startInternal
Jan 26 20:43:13 idm1 server: INFO: Starting Servlet Engine: Apache Tomcat/7.0.76
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:43:13 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml
Jan 26 20:43:13 idm1 server: SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
Jan 26 20:43:13 idm1 server: SSLAuthenticatorWithFallback: Setting container
Jan 26 20:43:14 idm1 ntpd[18607]: 0.0.0.0 c515 05 clock_sync
Jan 26 20:43:15 idm1 server: Jan 26, 2018 8:43:15 PM org.apache.catalina.startup.TldConfig execute
Jan 26 20:43:15 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jan 26 20:43:15 idm1 server: SSLAuthenticatorWithFallback: Initializing authenticators
Jan 26 20:43:15 idm1 server: SSLAuthenticatorWithFallback: Starting authenticators
Jan 26 20:43:15 idm1 server: CMSEngine.initializePasswordStore() begins
Jan 26 20:43:15 idm1 server: CMSEngine.initializePasswordStore(): tag=internaldb
Jan 26 20:43:15 idm1 server: CMSEngine.initializePasswordStore(): tag=replicationdb
Jan 26 20:43:16 idm1 ns-slapd: [26/Jan/2018:20:43:16.928242338 +0100] - WARN - csngen_new_csn - Too much time skew (-414239 secs). Current seqnum=1
Jan 26 20:43:17 idm1 ns-slapd: [26/Jan/2018:20:43:17.631952903 +0100] - WARN - csngen_new_csn - Too much time skew (-414239 secs). Current seqnum=1
Jan 26 20:43:17 idm1 ns-slapd: [26/Jan/2018:20:43:17.654048776 +0100] - WARN - csngen_new_csn - Too much time skew (-414240 secs). Current seqnum=1
Jan 26 20:43:18 idm1 server: SelfTestSubsystem: Disabling "ca" subsystem due to selftest failure.
Jan 26 20:43:18 idm1 server: ----------------------- Jan 26 20:43:18 idm1 server: Disabled "ca" subsystem Jan 26 20:43:18 idm1 server: ----------------------- Jan 26 20:43:18 idm1 server: Subsystem ID: ca Jan 26 20:43:18 idm1 server: Instance ID: pki-tomcat Jan 26 20:43:18 idm1 server: Enabled: False Jan 26 20:43:18 idm1 server: Invalid class name repositorytop Jan 26 20:43:19 idm1 server: Invalid class name repositorytop Jan 26 20:43:19 idm1 server: at com.netscape.cmscore.dbs.DBRegistry.createObject(DBRegistry.java:485) Jan 26 20:43:19 idm1 server: at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:167) Jan 26 20:43:19 idm1 server: at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:137) Jan 26 20:43:19 idm1 server: at com.netscape.cmscore.dbs.Repository.getSerialNumber(Repository.java:125) Jan 26 20:43:19 idm1 server: at com.netscape.cmscore.dbs.Repository.initCache(Repository.java:244) Jan 26 20:43:19 idm1 server: at com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:460) Jan 26 20:43:19 idm1 server: at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1378) Jan 26 20:43:19 idm1 server: at com.netscape.certsrv.apps.CMS.startup(CMS.java:202) Jan 26 20:43:19 idm1 server: at com.netscape.certsrv.apps.CMS.start(CMS.java:1632) Jan 26 20:43:19 idm1 server: at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117) Jan 26 20:43:19 idm1 server: at javax.servlet.GenericServlet.init(GenericServlet.java:158) Jan 26 20:43:19 idm1 server: at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) Jan 26 20:43:19 idm1 server: at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) Jan 26 20:43:19 idm1 server: at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) Jan 26 20:43:19 idm1 server: at java.lang.reflect.Method.invoke(Method.java:498) Jan 26 20:43:19 idm1 server: at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288) Jan 26 
20:43:19 idm1 server: at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285) Jan 26 20:43:19 idm1 server: at java.security.AccessController.doPrivileged(Native Method) Jan 26 20:43:19 idm1 server: at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) Jan 26 20:43:19 idm1 server: at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320) Jan 26 20:43:19 idm1 server: at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175) Jan 26 20:43:19 idm1 server: at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124) Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1257) Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1182) Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1072) Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5368) Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5660) Jan 26 20:43:19 idm1 server: at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145) Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899) Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133) Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156) Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145) Jan 26 20:43:19 idm1 server: at java.security.AccessController.doPrivileged(Native Method) Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873) Jan 26 20:43:19 idm1 server: at 
org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652) Jan 26 20:43:19 idm1 server: at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679) Jan 26 20:43:19 idm1 server: at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966) Jan 26 20:43:19 idm1 server: at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) Jan 26 20:43:19 idm1 server: at java.util.concurrent.FutureTask.run(FutureTask.java:266) Jan 26 20:43:19 idm1 server: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) Jan 26 20:43:19 idm1 server: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) Jan 26 20:43:19 idm1 server: at java.lang.Thread.run(Thread.java:748) Jan 26 20:43:19 idm1 server: Jan 26, 2018 8:43:19 PM org.apache.catalina.startup.HostConfig deployDescriptor Jan 26 20:43:19 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 5,274 ms Jan 26 20:43:19 idm1 server: Jan 26, 2018 8:43:19 PM org.apache.catalina.startup.HostConfig deployDescriptor Jan 26 20:43:19 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml Jan 26 20:43:19 idm1 server: Jan 26, 2018 8:43:19 PM org.apache.catalina.startup.TldConfig execute Jan 26 20:43:19 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time. 
Jan 26 20:43:19 idm1 server: Jan 26, 2018 8:43:19 PM org.apache.catalina.startup.HostConfig deployDescriptor Jan 26 20:43:19 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml has finished in 738 ms Jan 26 20:43:19 idm1 server: Jan 26, 2018 8:43:19 PM org.apache.catalina.startup.HostConfig deployDescriptor Jan 26 20:43:19 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml Jan 26 20:43:20 idm1 server: Jan 26, 2018 8:43:20 PM org.apache.catalina.startup.TldConfig execute Jan 26 20:43:20 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time. Jan 26 20:43:20 idm1 server: Jan 26, 2018 8:43:20 PM org.apache.catalina.startup.HostConfig deployDescriptor Jan 26 20:43:20 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml has finished in 1,088 ms Jan 26 20:43:20 idm1 server: Jan 26, 2018 8:43:20 PM org.apache.coyote.AbstractProtocol start Jan 26 20:43:20 idm1 server: INFO: Starting ProtocolHandler ["http-bio-8080"] Jan 26 20:43:20 idm1 server: Jan 26, 2018 8:43:20 PM org.apache.coyote.AbstractProtocol start Jan 26 20:43:20 idm1 server: INFO: Starting ProtocolHandler ["http-bio-8443"] Jan 26 20:43:20 idm1 server: Jan 26, 2018 8:43:20 PM org.apache.coyote.AbstractProtocol start Jan 26 20:43:20 idm1 server: INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"] Jan 26 20:43:20 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[after_start] Jan 26 20:43:20 idm1 server: PKIListener: Subsystem CA is disabled. Jan 26 20:43:20 idm1 server: PKIListener: Check /var/log/pki/pki-tomcat/ca/selftests.log for possible errors. 
Jan 26 20:43:20 idm1 server: PKIListener: To enable the subsystem: Jan 26 20:43:20 idm1 server: PKIListener: pki-server subsystem-enable -i pki-tomcat ca Jan 26 20:43:20 idm1 server: Jan 26, 2018 8:43:20 PM org.apache.catalina.startup.Catalina start Jan 26 20:43:20 idm1 server: INFO: Server startup in 7197 ms Jan 26 20:43:21 idm1 ns-slapd: [26/Jan/2018:20:43:21.078383741 +0100] - WARN - csngen_new_csn - Too much time skew (-414238 secs). Current seqnum=1 Jan 26 20:43:21 idm1 ns-slapd: [26/Jan/2018:20:43:21.369142943 +0100] - WARN - csngen_new_csn - Too much time skew (-414239 secs). Current seqnum=1 Jan 26 20:43:29 idm1 ns-slapd: [26/Jan/2018:20:43:29.176587570 +0100] - WARN - csngen_new_csn - Too much time skew (-414232 secs). Current seqnum=1 Jan 26 20:43:31 idm1 server: Jan 26, 2018 8:43:31 PM org.apache.catalina.startup.HostConfig undeploy Jan 26 20:43:31 idm1 server: INFO: Undeploying context [/ca] Jan 26 20:43:31 idm1 server: SSLAuthenticatorWithFallback: Stopping authenticators Jan 26 20:43:31 idm1 server: Jan 26, 2018 8:43:31 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads Jan 26 20:43:31 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-0 ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak. Jan 26 20:43:31 idm1 server: Jan 26, 2018 8:43:31 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads Jan 26 20:43:31 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-2 ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak. Jan 26 20:43:31 idm1 server: Jan 26, 2018 8:43:31 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads Jan 26 20:43:31 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [authorityMonitor] but has failed to stop it. 
This is very likely to create a memory leak. Jan 26 20:43:31 idm1 server: Jan 26, 2018 8:43:31 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads Jan 26 20:43:31 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-3 ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak. Jan 26 20:43:31 idm1 server: Jan 26, 2018 8:43:31 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads Jan 26 20:43:31 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [profileChangeMonitor] but has failed to stop it. This is very likely to create a memory leak. Jan 26 20:43:31 idm1 server: SSLAuthenticatorWithFallback: Setting container Jan 26 20:43:38 idm1 ns-slapd: [26/Jan/2018:20:43:38.212105934 +0100] - WARN - csngen_new_csn - Too much time skew (-414224 secs). Current seqnum=1 Jan 26 20:43:38 idm1 ns-slapd: [26/Jan/2018:20:43:38.221564490 +0100] - WARN - csngen_new_csn - Too much time skew (-414225 secs). Current seqnum=1 Jan 26 20:43:50 idm1 ns-slapd: [26/Jan/2018:20:43:50.895768971 +0100] - WARN - csngen_new_csn - Too much time skew (-414213 secs). Current seqnum=1 Jan 26 20:43:50 idm1 ns-slapd: [26/Jan/2018:20:43:50.928585085 +0100] - WARN - csngen_new_csn - Too much time skew (-414214 secs). Current seqnum=1 Jan 26 20:43:50 idm1 ns-slapd: [26/Jan/2018:20:43:50.973568568 +0100] - WARN - csngen_new_csn - Too much time skew (-414215 secs). Current seqnum=1 Jan 26 20:43:50 idm1 ns-slapd: [26/Jan/2018:20:43:50.996767806 +0100] - WARN - csngen_new_csn - Too much time skew (-414216 secs). Current seqnum=1 Jan 26 20:43:53 idm1 ns-slapd: [26/Jan/2018:20:43:53.245471011 +0100] - WARN - csngen_new_csn - Too much time skew (-414215 secs). Current seqnum=1 Jan 26 20:44:09 idm1 ns-slapd: [26/Jan/2018:20:44:09.057455395 +0100] - WARN - csngen_new_csn - Too much time skew (-414200 secs). 
Current seqnum=1 Jan 26 20:44:09 idm1 ns-slapd: [26/Jan/2018:20:44:09.080883041 +0100] - WARN - csngen_new_csn - Too much time skew (-414201 secs). Current seqnum=1 Jan 26 20:44:22 idm1 ns-slapd: [26/Jan/2018:20:44:22.056086120 +0100] - WARN - csngen_new_csn - Too much time skew (-414189 secs). Current seqnum=1 Jan 26 20:44:22 idm1 ns-slapd: [26/Jan/2018:20:44:22.083244850 +0100] - WARN - csngen_new_csn - Too much time skew (-414190 secs). Current seqnum=1 Jan 26 20:44:22 idm1 ns-slapd: [26/Jan/2018:20:44:22.090879226 +0100] - WARN - csngen_new_csn - Too much time skew (-414191 secs). Current seqnum=1
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
On Thu, Feb 01, 2018 at 10:39:00AM +0100, Christof Schulze via FreeIPA-users wrote:
pki-tomcatd does not start because the 'auditSigningCert cert-pki-ca' is always invalid (expired or not valid now)
Old one
Not Before: Feb 9 12:01:11 2016 GMT
Not After : Jan 29 12:01:11 2018 GMT
New one
Not Before: Jan 29 13:22:53 2018 GMT
Not After : Jan 19 13:22:53 2020 GMT
Can I just restore this certificate from an old backup and try to resubmit it long before it is expiring?
Or do I have to do an ipa-restore from the old backup.
This certificate is also already replicated to the replicas.
Sure. Back up the certificate and key using `pk12util' first. (Or just make a copy of the whole NSSDB.) Then delete the certificate from the NSSDB using `certutil -D`. (I think this will leave the key in place.) Then add the older certificate that will be valid according to the system time. Then Dogtag should start, and you should be able to continue recovering the system.
HTH, Fraser
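Why the renewed 'auditSigningCert cert-pki-ca' blocks the clock rollback, and why restoring the older certificate unblocks it, worked through as an added example that is not part of the original message or of FreeIPA. The Not After values and both audit certificate windows are the ones quoted in this thread; the Not Before values marked "assumed" and all function names are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

OPENSSL_FMT = "%b %d %H:%M:%S %Y GMT"


def parse_openssl_time(text):
    """Parse a 'Not Before'/'Not After' value such as 'Feb  9 12:01:11 2016 GMT'."""
    normalized = " ".join(text.split())  # collapse the padded day-of-month
    return datetime.strptime(normalized, OPENSSL_FMT).replace(tzinfo=timezone.utc)


def window(not_before, not_after):
    return parse_openssl_time(not_before), parse_openssl_time(not_after)


# Not After values are quoted in the thread. Not Before values marked
# "assumed" are constructed for this example; the thread does not show them.
OTHER_CERTS = {
    "ocspSigningCert cert-pki-ca": window("Feb 9 12:00:44 2016 GMT",  # assumed
                                          "Jan 29 12:00:44 2018 GMT"),
    "subsystemCert cert-pki-ca": window("Feb 9 12:00:44 2016 GMT",    # assumed
                                        "Jan 29 12:00:44 2018 GMT"),
    "/var/lib/ipa/ra-agent.pem": window("Feb 9 12:01:11 2016 GMT",    # assumed
                                        "Jan 29 12:01:11 2018 GMT"),
}
AUDIT = "auditSigningCert cert-pki-ca"
OLD_AUDIT = window("Feb 9 12:01:11 2016 GMT", "Jan 29 12:01:11 2018 GMT")
NEW_AUDIT = window("Jan 29 13:22:53 2018 GMT", "Jan 19 13:22:53 2020 GMT")

WITH_NEW_AUDIT = {**OTHER_CERTS, AUDIT: NEW_AUDIT}
WITH_OLD_AUDIT = {**OTHER_CERTS, AUDIT: OLD_AUDIT}

# Rolled-back clock seen in the thread's syslog (Jan 26 20:43:18 +0100).
ROLLED_BACK_CLOCK = datetime(2018, 1, 26, 19, 43, 18, tzinfo=timezone.utc)


@dataclass
class CommonWindow:
    start: datetime     # latest Not Before across the set
    end: datetime       # earliest Not After across the set
    starts_last: str    # nickname that sets `start`
    expires_first: str  # nickname that sets `end`

    @property
    def usable(self):
        return self.start < self.end


def common_window(certs):
    """Intersect all validity windows; an empty intersection is not usable."""
    starts_last = max(certs, key=lambda nick: certs[nick][0])
    expires_first = min(certs, key=lambda nick: certs[nick][1])
    return CommonWindow(certs[starts_last][0], certs[expires_first][1],
                        starts_last, expires_first)


def invalid_at(certs, clock):
    """Map nickname -> reason for every certificate not valid at `clock`."""
    problems = {}
    for nick, (not_before, not_after) in certs.items():
        if clock < not_before:
            problems[nick] = "not yet valid"
        elif clock > not_after:
            problems[nick] = "expired"
    return problems


def rollback_target(certs, margin=timedelta(days=7)):
    """Clock time at which all certs are valid, `margin` before the first expiry.

    Returns None when the validity windows do not overlap at all.
    """
    w = common_window(certs)
    if not w.usable:
        return None
    target = w.end - margin
    if target <= w.start:  # window shorter than the margin: use its midpoint
        target = w.start + (w.end - w.start) / 2
    return target


if __name__ == "__main__":
    for label, certs in (("renewed audit cert", WITH_NEW_AUDIT),
                         ("older audit cert restored", WITH_OLD_AUDIT)):
        print(label)
        print("  invalid at rolled-back clock:", invalid_at(certs, ROLLED_BACK_CLOCK))
        print("  rollback target:", rollback_target(certs))
```

With the renewed audit certificate in the NSSDB there is no clock setting at which every tracked certificate is valid, which is why the older certificate has to go back in before Dogtag can start under the rolled-back time.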
On 01.02.2018 01:48, Fraser Tweedale via FreeIPA-users wrote:
On Wed, Jan 31, 2018 at 04:58:30PM +0100, Christof Schulze via FreeIPA-users wrote:
Hi,
did time roll back. Does look like the pki-tomcatd is not running, and can not be restarted.
Checked the userCertificates, they look identical to me.
The Certificate requests for the three expiring certificates are now in SUBMITTING-state. Can't see any other Errors than:
Jan 26 20:23:59 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[16805]: dogtag-ipa-renew-agent returned 2
Jan 26 20:30:36 idm1.XXXkd.fau.de systemd[1]: Stopping Certificate monitoring and PKI enrollment...
Jan 26 20:30:36 idm1.XXXkd.fau.de systemd[1]: Starting Certificate monitoring and PKI enrollment...
Is there some way to start certmonger and maybe the pki-tomcatd in debugging mode?
What is in /var/log/pki/pki-tomcat/ca/debug? If it is not starting properly, there should be some output in there related to that.
Thanks, Fraser
On 31.01.2018 00:27, Fraser Tweedale via FreeIPA-users wrote:
On Tue, Jan 30, 2018 at 05:29:46PM +0100, Christof Schulze via FreeIPA-users wrote:
Hi,
Checked AVCs first. Selinux is always a burden on our Fedora Clients.
Certmonger is still trying.
Does it make sense to make some time travel for certificate renewal with the Renewal master, even if the renewal didn't work when the certificates were still valid?
Time travel will be necessary.
Wind the clock back on the renewal master to a time when all certs are valid, and then investigate why renewal was failing.
Please check that the userCertificate attributes of the following entries are in sync with their corresponding certificates:
- uid=ipara,ou=people,o=ipaca must match /var/lib/ipa/ra-agent.pem
- uid=pkidbuser,ou=people,o=ipaca must match /etc/pki/pki-tomcat/alias : 'subsystemCert cert-pki-ca'
Cheers, Fraser
On 30.01.2018 16:42, Rob Crittenden via FreeIPA-users wrote:
Christof Schulze via FreeIPA-users wrote:
> Hi,
>
> Here may be the problem, all are masters, the idm1 I am working on is
> the CA renewal master (checked ldap and config-show).
>
> IPA masters: idm1.ww8kd.fau.de, idm2.ww8kd.fau.de, idm3.ww8kd.fau.de
> IPA CA servers: idm1.ww8kd.fau.de, idm2.ww8kd.fau.de, idm3.ww8kd.fau.de
> IPA NTP servers: idm1.ww8kd.fau.de, idm2.ww8kd.fau.de, idm3.ww8kd.fau.de
> IPA CA renewal master: idm1.ww8kd.fau.de
>
> But when checking the different points on the side linked by you. I can
> see:
> All of them have
> ca.crl.MasterCRL.enableCRLUpdates=false
> ca.crl.MasterCRL.enableCRLCache=false
>
> And all of them have the RewriteRule in the
> /etc/httpd/conf.d/ipa-pki-proxy.conf.
>
> I remember years ago the original idm1 got roasted by some electrical
> surge. And I think it got cloned by one of the others (documentation
> would be king).
>
> So all of them are clones and we don't have a CRL generation master.
>
> The renewed "auditSigningCert cert-pki-ca" on the master didn't get
> replicated to the others.
>
> Can I just promote idm1 to become CRL generation master by setting
> ca.crl.MasterCRL.enableCRLUpdates=true
> ca.crl.MasterCRL.enableCRLCache=true
Yes but that won't affect renewal.
> And how to get new certificates?
As Flo suggested, check syslog for certmonger messages. Look for AVCs.
Look at the output of getcert list to see what the status and errors are.
rob
>
>
> And Thanks for your patience.
>
>
> On 30.01.2018 14:26, Florence Blanc-Renaud wrote:
> > On 01/30/2018 02:02 PM, Christof Schulze via FreeIPA-users wrote:
> > > Hi,
> > >
> > > Now the roof is on fire, all certificates are synced on all masters
> > > since a long time ago.
> > >
> > > The not renewing certificates in /etc/pki/pki-tomcat/alias have now
> > > expired
> > > "subsystemCert cert-pki-ca" , "ocspSigningCert cert-pki-ca" ,
> > > "/var/lib/ipa/ra-agent.pem"
> > >
> > > The "auditSigningCert cert-pki-ca" certificate is the only one which
> > > has been renewed. (Old Serial Number: 5 (0x5), New Serial Number:
> > > 536739845 (0x1ffe0005) valid till 2020)
> > >
> > > The userCertificate in (uid=ipara,ou=people,o=ipaca) and the IPA RA
> > > certificate in /var/lib/ipa/ra-agent.pem are matching and expired.
> > >
> > >
> > > pki-tomcat can no longer access the ldap.
> > >
> > > slapi_ldap_bind - Error: could not send startTLS request: error
> > > -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not
> > > connected)
> > >
> > >
> > > Is there some way this situation can be solved?
> > Hi,
> >
> > you need first to identify who is your renewal master and start
> > repairing this machine. You can use ipa config-show or a direct
> > ldapsearch as described here
> > (https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Iden...)
> > to find the renewal master.
> >
> > On the renewal master, check if the certificates have been properly
> > renewed. If it is not the case, you will need to chase the failure by
> > checking SE linux AVCs or errors in the journal produced by certmonger.
> > The renewal master really needs to be repaired first, as it is the
> > source containing some certs that will later be downloaded by the
> > other masters.
> >
> > Flo
> >
> > >
> > > Thanks
> > >
> > > Christof Schulze
> > >
> > >
> > >
> > > Request ID '20171206120336':
> > > status: MONITORING
> > > stuck: no
> > > key pair storage:
> > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
> > > cert-pki-ca',token='NSS Certificate DB',pin set
> > > certificate:
> > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
> > > cert-pki-ca',token='NSS Certificate DB'
> > > CA: dogtag-ipa-ca-renew-agent
> > > issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some
> > > Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
> > > subject: CN=CA Audit,O=XXXKD.FAU.DE,OU=Some Institute (XXX) -
> > > FAU,C=DE,E=guy@example.com,L=FUERTH
> > > expires: 2020-01-19 13:22:53 UTC
> > > key usage: digitalSignature,nonRepudiation
> > > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> > > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> > > "auditSigningCert cert-pki-ca"
> > > track: yes
> > > auto-renew: yes
> > > Request ID '20171206120337':
> > > status: MONITORING
> > > stuck: no
> > > key pair storage:
> > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
> > > cert-pki-ca',token='NSS Certificate DB',pin set
> > > certificate:
> > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
> > > cert-pki-ca',token='NSS Certificate DB'
> > > CA: dogtag-ipa-ca-renew-agent
> > > issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some
> > > Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
> > > subject: CN=OCSP Subsystem,O=XXXKD.FAU.DE,OU=Some Institute
> > > (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
> > > expires: 2018-01-29 12:00:44 UTC
> > > key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
> > > eku: id-kp-OCSPSigning
> > > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> > > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> > > "ocspSigningCert cert-pki-ca"
> > > track: yes
> > > auto-renew: yes
> > > Request ID '20171206120338':
> > > status: MONITORING
> > > stuck: no
> > > key pair storage:
> > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
> > > cert-pki-ca',token='NSS Certificate DB',pin set
> > > certificate:
> > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
> > > cert-pki-ca',token='NSS Certificate DB'
> > > CA: dogtag-ipa-ca-renew-agent
> > > issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some
> > > Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
> > > subject: CN=CA Subsystem,O=XXXKD.FAU.DE,OU=Some Institute (XXX)
> > > - FAU,C=DE,E=guy@example.com,L=FUERTH
> > > expires: 2018-01-29 12:00:44 UTC
> > > key usage:
> > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > > eku: id-kp-serverAuth,id-kp-clientAuth
> > > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> > > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> > > "subsystemCert cert-pki-ca"
> > > track: yes
> > > auto-renew: yes
> > > Request ID '20171206120340':
> > > status: MONITORING
> > > stuck: no
> > > key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
> > > certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
> > > CA: dogtag-ipa-ca-renew-agent
> > > issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some
> > > Institute (XXX) - FAU,C=DE,E=guy@example.com,L=FUERTH
> > > subject: CN=IPA RA,O=XXXKD.FAU.DE,OU=Some Institute (XXX) -
> > > FAU,C=DE,E=guy@example.com,L=FUERTH
> > > expires: 2018-01-29 12:01:11 UTC
> > > key usage:
> > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > > eku: id-kp-serverAuth,id-kp-clientAuth
> > > pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
> > > post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
> > > track: yes
> > > auto-renew: yes
> > >
> > >
> > > On 30.01.2018 00:40, Fraser Tweedale via FreeIPA-users wrote:
> > > > On Mon, Jan 29, 2018 at 03:55:07PM +0100, Christof Schulze via
> > > > FreeIPA-users wrote:
> > > > > Hi,
> > > > >
> > > > > some certificates on our freeipa-cluster (3 servers) are have been not
> > > > > renewed till now, 2 hours before expiring. Can this be a problem?
> > > > >
> > > > > Some of the certificates, the ones expiring show "ca-error:
> > > > > Invalid cookie:
> > > > > '' in the "getcert list" output, what makes me nervous.
> > > > >
> > > > > We also have the problem when certmonger can not reach the CA
> > > > > CA_UNREACHABLE
> > > > > after restarting a freeipa-server. But when we restart the
> > > > > certmonger.server
> > > > > after everything being up again everything looks good.
> > > > >
> > > > > Maybe you can give me some advice what to check and which logs you
> > > > > else
> > > > > would need.
> > > > >
> > > > >
> > > > > Thanks
> > > > >
> > > > > Christof Schulze
> > > > >
> > > > Hi Christof,
> > > >
> > > > Yes, it is a problem. They should have been renewed before now.
> > > > The errors in `getcert list' output show that there has been a
> > > > problem.
> > > >
> > > > First, check that all certificates are valid, all certificates have
> > > > been synced across all masters using `ipa-certupdate` on each
> > > > master. You should also check that the userCertificate attribute in
> > > > entry:
> > > >
> > > > uid=ipara,ou=people,o=ipaca
> > > >
> > > > matches the actual IPA RA certificate in /var/lib/ipa/ra-agent.pem
> > > >
> > > > Also check that your topology has correct renewal master
> > > > configuration. ldapsearch cn=masters,cn=ipa,cn=etc,dc=ipa,dc=local
> > > > with filter (&(cn=CA)(ipaConfigString=caRenewalMaster)). It should
> > > > return exactly one entry and it must be a valid, active master.
> > > >
> > > > HTH,
> > > > Fraser
> > > >
> > >
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
journalctl -u certmonger.service
Jan 29 20:43:46 idm1.ww8kd.fau.de certmonger[13223]: Certificate in file "/var/lib/ipa/ra-agent.pem" is no longer valid.
Jan 29 20:43:49 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13225]: Forwarding request to dogtag-ipa-renew-agent
Jan 29 20:43:49 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13225]: dogtag-ipa-renew-agent returned 2
.... repeating till...
Jan 29 20:45:10 idm1.ww8kd.fau.de certmonger[13328]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
Jan 29 20:45:13 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13330]: Forwarding request to dogtag-ipa-renew-agent
.... repeating till...
Jan 29 20:53:36 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13943]: dogtag-ipa-renew-agent returned 2
Jan 29 20:53:47 idm1.ww8kd.fau.de certmonger[13954]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
Jan 29 20:53:49 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13956]: Forwarding request to dogtag-ipa-renew-agent
Jan 29 20:53:49 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13956]: dogtag-ipa-renew-agent returned 2
.... repeating till...
Jan 29 20:55:57 idm1.ww8kd.fau.de certmonger[14110]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
Jan 29 20:55:59 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[14112]: Forwarding request to dogtag-ipa-renew-agent
Jan 29 20:55:59 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[14112]: dogtag-ipa-renew-agent returned 2
.... repeating
Then suddenly:
Jan 30 16:09:31 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[27370]: Traceback (most recent call last):
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 540, in <module>
    sys.exit(main())
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 514, in main
    kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
  File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 43, in kinit_keytab
    cred = gssapi.Credentials(name=name, store=store, usage='initiate')
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 64, in __new__
    store=store)
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 148, in acquire
    usage)
  File "ext_cred_store.pyx", line 182, in gssapi.raw.ext_cred_store.acquire_cred_from (gssapi/raw/ext_cred_store.c:1732)
GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639068): Cannot contact any KDC for realm 'WW8KD.FAU.DE'
Jan 30 16:09:31 idm1.ww8kd.fau.de certmonger[15905]: 2018-01-30 16:09:31 [15905] Internal error
Jan 30 16:09:50 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[27500]: Traceback (most recent call last):
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 540, in <module>
    sys.exit(main())
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 514, in main
    kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
  File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 43, in kinit_keytab
    cred = gssapi.Credentials(name=name, store=store, usage='initiate')
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 64, in __new__
    store=store)
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 148, in acquire
    usage)
  File "ext_cred_store.pyx", line 182, in gssapi.raw.ext_cred_store.acquire_cred_from (gssapi/raw/ext_cred_store.c:1732)
GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639068): Cannot contact any KDC for realm 'WW8KD.FAU.DE'
Jan 30 16:09:50 idm1.ww8kd.fau.de certmonger[15905]: 2018-01-30 16:09:50 [15905] Internal error
Jan 30 16:09:51 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[27509]: Traceback (most recent call last):
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 540, in <module>
    sys.exit(main())
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 514, in main
    kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
  File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 43, in kinit_keytab
    cred = gssapi.Credentials(name=name, store=store, usage='initiate')
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 64, in __new__
    store=store)
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 148, in acquire
    usage)
  File "ext_cred_store.pyx", line 182, in gssapi.raw.ext_cred_store.acquire_cred_from (gssapi/raw/ext_cred_store.c:1732)
GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639068): Cannot contact any KDC for realm 'WW8KD.FAU.DE'
Jan 30 16:09:51 idm1.ww8kd.fau.de certmonger[15905]: 2018-01-30 16:09:51 [15905] Internal error
Jan 30 16:15:03 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[28056]: Forwarding request to dogtag-ipa-renew-agent
Jan 30 16:15:03 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[28056]: dogtag-ipa-renew-agent returned 2
.... repeating till end...
Jan 30 17:10:18 idm1 certmonger: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
Jan 30 17:10:20 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 30 17:10:20 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 30 17:10:24 idm1 server: Jan 30, 2018 5:10:24 PM org.apache.catalina.core.ContainerBase backgroundProcess
Jan 30 17:10:24 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process
Jan 30 17:10:24 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Jan 30 17:10:24 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
Jan 30 17:10:24 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
Jan 30 17:10:24 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
Jan 30 17:10:24 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
Jan 30 17:10:24 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:24 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:24 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
Jan 30 17:10:24 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 30 17:10:26 idm1 certmonger: Certificate in file "/var/lib/ipa/ra-agent.pem" is no longer valid.
Jan 30 17:10:28 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 30 17:10:28 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 30 17:10:34 idm1 server: Jan 30, 2018 5:10:34 PM org.apache.catalina.core.ContainerBase backgroundProcess
Jan 30 17:10:34 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process
Jan 30 17:10:34 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Jan 30 17:10:34 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
Jan 30 17:10:34 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
Jan 30 17:10:34 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
Jan 30 17:10:34 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
Jan 30 17:10:34 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:34 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:34 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
Jan 30 17:10:34 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 30 17:10:44 idm1 server: Jan 30, 2018 5:10:44 PM org.apache.catalina.core.ContainerBase backgroundProcess
Jan 30 17:10:44 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process
Jan 30 17:10:44 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Jan 30 17:10:44 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
Jan 30 17:10:44 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
Jan 30 17:10:44 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
Jan 30 17:10:44 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
Jan 30 17:10:44 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:44 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:44 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
Jan 30 17:10:44 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 30 17:10:44 idm1 certmonger: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
Jan 30 17:10:46 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 30 17:10:46 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 30 17:10:50 idm1 certmonger: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
Jan 30 17:10:53 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 30 17:10:53 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 30 17:10:54 idm1 server: Jan 30, 2018 5:10:54 PM org.apache.catalina.core.ContainerBase backgroundProcess
Jan 30 17:10:54 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process
Jan 30 17:10:54 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Jan 30 17:10:54 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
Jan 30 17:10:54 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
Jan 30 17:10:54 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
Jan 30 17:10:54 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
Jan 30 17:10:54 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:54 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:54 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
Jan 30 17:10:54 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 30 17:10:58 idm1 certmonger: Certificate in file "/var/lib/ipa/ra-agent.pem" is no longer valid.
Jan 30 17:11:01 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 30 17:11:01 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
-- Christof Schulze
Institute of Materials Simulation (WW8) Department of Materials Science Friedrich-Alexander-University Erlangen-Nürnberg Dr.-Mack-Str. 77, 90762 Fürth, Germany
Tel: 0911/65078-65069 Email: christof.schulze@ww.uni-erlangen.de
journalctl -u certmonger.service
Jan 26 20:03:58 idm1.XXXkd.fau.de ipa-submit[15799]: GSSAPI client step 1
Jan 26 20:03:58 idm1.XXXkd.fau.de ipa-submit[15799]: GSSAPI client step 1
Jan 26 20:03:58 idm1.XXXkd.fau.de ipa-submit[15799]: GSSAPI client step 1
Jan 26 20:03:58 idm1.XXXkd.fau.de ipa-submit[15799]: GSSAPI client step 1
Jan 26 20:03:58 idm1.XXXkd.fau.de ipa-submit[15799]: GSSAPI client step 2
Jan 26 20:03:59 idm1.XXXkd.fau.de certmonger[15838]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20180129120044.
Jan 26 20:04:32 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[15860]: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:04:32 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[15860]: dogtag-ipa-renew-agent returned 2
Jan 26 20:04:42 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[15853]: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:04:42 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[15853]: dogtag-ipa-renew-agent returned 2
Jan 26 20:04:52 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[15851]: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:04:52 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[15851]: dogtag-ipa-renew-agent returned 2
Jan 26 20:06:08 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[16044]: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:06:08 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[16044]: dogtag-ipa-renew-agent returned 2
Jan 26 20:16:36 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[16726]: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:16:37 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[16726]: dogtag-ipa-renew-agent returned 2
Jan 26 20:17:37 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[16746]: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:17:37 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[16746]: dogtag-ipa-renew-agent returned 2
Jan 26 20:23:59 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[16805]: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:23:59 idm1.XXXkd.fau.de dogtag-ipa-ca-renew-agent-submit[16805]: dogtag-ipa-renew-agent returned 2
Request ID '20171206120337':
    status: SUBMITTING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=christof.schulze@fau.de,L=FUERTH
    subject: CN=OCSP Subsystem,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=christof.schulze@fau.de,L=FUERTH
    expires: 2018-01-29 12:00:44 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    eku: id-kp-OCSPSigning
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20171206120338':
    status: SUBMITTING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=christof.schulze@fau.de,L=FUERTH
    subject: CN=CA Subsystem,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=christof.schulze@fau.de,L=FUERTH
    expires: 2018-01-29 12:00:44 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20171206120340':
    status: SUBMITTING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=christof.schulze@fau.de,L=FUERTH
    subject: CN=IPA RA,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=christof.schulze@fau.de,L=FUERTH
    expires: 2018-01-29 12:01:11 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
ldapsearch -x -h localhost -b uid=pkidbuser,ou=people,o=ipaca
# extended LDIF
#
# LDAPv3
# base <uid=pkidbuser,ou=people,o=ipaca> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# pkidbuser, people, ipaca
dn: uid=pkidbuser,ou=people,o=ipaca
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
uid: pkidbuser
sn: pkidbuser
cn: pkidbuser
mail:
usertype: agentType
userstate: 1
description: 2;4;CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Institute of Mater
 ials Simulation (XXX) - FAU,C=DE,E=christof.schulze@fau.de,L=FUERTH;CN=CA Sub
 system,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E
 =christof.schulze@fau.de,L=FUERTH
userCertificate:: MIIEcz .................
seeAlso: CN=CA Subsystem,O=XXXKD.FAU.DE,OU=Some Institute (
 XXX) - FAU,C=DE,E=christof.schulze@fau.de,L=FUERTH

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
Jan 26 20:00:00 idm1 systemd: Time has been changed
Jan 26 20:00:05 idm1 server: Jan 26, 2018 8:00:05 PM org.apache.catalina.core.ContainerBase backgroundProcess
Jan 26 20:00:05 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process
Jan 26 20:00:05 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Jan 26 20:00:05 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
Jan 26 20:00:05 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
Jan 26 20:00:05 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
Jan 26 20:00:05 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
Jan 26 20:00:05 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 26 20:00:05 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 26 20:00:05 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
Jan 26 20:00:05 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 26 20:00:10 idm1 ns-slapd: [26/Jan/2018:20:00:10.040578826 +0100] - WARN - csngen_new_csn - Too much time skew (-416592 secs). Current seqnum=4
Jan 26 20:00:10 idm1 ns-slapd: [26/Jan/2018:20:00:10.061165225 +0100] - WARN - csngen_new_csn - Too much time skew (-416593 secs). Current seqnum=5
Jan 26 20:00:10 idm1 ns-slapd: [26/Jan/2018:20:00:10.087176808 +0100] - WARN - csngen_new_csn - Too much time skew (-416594 secs). Current seqnum=6
Jan 26 20:00:10 idm1 ns-slapd: [26/Jan/2018:20:00:10.093683659 +0100] - WARN - csngen_new_csn - Too much time skew (-416595 secs). Current seqnum=7
Jan 26 20:00:15 idm1 server: Jan 26, 2018 8:00:15 PM org.apache.catalina.core.ContainerBase backgroundProcess
Jan 26 20:00:15 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process
Jan 26 20:00:15 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Jan 26 20:00:15 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
Jan 26 20:00:15 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
Jan 26 20:00:15 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
Jan 26 20:00:15 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
Jan 26 20:00:15 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 26 20:00:15 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 26 20:00:15 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
Jan 26 20:00:15 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 26 20:00:25 idm1 server: Jan 26, 2018 8:00:25 PM org.apache.catalina.core.ContainerBase backgroundProcess
Jan 26 20:00:25 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process
Jan 26 20:00:25 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Jan 26 20:00:25 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
Jan 26 20:00:25 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
Jan 26 20:00:25 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
Jan 26 20:00:25 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
Jan 26 20:00:25 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 26 20:00:25 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 26 20:00:25 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
Jan 26 20:00:25 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 26 20:00:26 idm1 systemd: Starting PKI Tomcat Server tomcatd...
Jan 26 20:00:26 idm1 pkidaemon: tomcatd is an invalid 'tomcat' instance
Jan 26 20:00:26 idm1 systemd: pki-tomcatd@tomcatd.service: control process exited, code=exited status=5
Jan 26 20:00:26 idm1 systemd: Failed to start PKI Tomcat Server tomcatd.
Jan 26 20:00:26 idm1 systemd: Unit pki-tomcatd@tomcatd.service entered failed state.
Jan 26 20:00:26 idm1 systemd: pki-tomcatd@tomcatd.service failed.
Jan 26 20:00:30 idm1 ns-slapd: [26/Jan/2018:20:00:30.030350069 +0100] - WARN - csngen_new_csn - Too much time skew (-416576 secs). Current seqnum=8
Jan 26 20:00:30 idm1 ns-slapd: [26/Jan/2018:20:00:30.036532171 +0100] - WARN - csngen_new_csn - Too much time skew (-416577 secs). Current seqnum=9
Jan 26 20:00:30 idm1 ns-slapd: [26/Jan/2018:20:00:30.054084481 +0100] - WARN - csngen_new_csn - Too much time skew (-416578 secs). Current seqnum=a
Jan 26 20:00:30 idm1 ns-slapd: [26/Jan/2018:20:00:30.072843629 +0100] - WARN - csngen_new_csn - Too much time skew (-416579 secs). Current seqnum=b
Jan 26 20:00:35 idm1 server: Jan 26, 2018 8:00:35 PM org.apache.catalina.core.ContainerBase backgroundProcess
Jan 26 20:00:35 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process
Jan 26 20:00:35 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Jan 26 20:00:35 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
Jan 26 20:00:35 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
Jan 26 20:00:35 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
Jan 26 20:00:35 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
Jan 26 20:00:35 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 26 20:00:35 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 26 20:00:35 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
Jan 26 20:00:35 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 26 20:00:45 idm1 server: Jan 26, 2018 8:00:45 PM org.apache.catalina.core.ContainerBase backgroundProcess
Jan 26 20:00:45 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process
Jan 26 20:00:45 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Jan 26 20:00:45 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
Jan 26 20:00:45 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
Jan 26 20:00:45 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
Jan 26 20:00:45 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
Jan 26 20:00:45 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 26 20:00:45 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 26 20:00:45 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
Jan 26 20:00:45 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 26 20:00:48 idm1 ns-slapd: [26/Jan/2018:20:00:48.030570760 +0100] - WARN - csngen_new_csn - Too much time skew (-416562 secs). Current seqnum=4
Jan 26 20:00:48 idm1 ns-slapd: [26/Jan/2018:20:00:48.035772779 +0100] - WARN - csngen_new_csn - Too much time skew (-416563 secs). Current seqnum=5
Jan 26 20:00:48 idm1 ns-slapd: [26/Jan/2018:20:00:48.053399054 +0100] - WARN - csngen_new_csn - Too much time skew (-416564 secs). Current seqnum=6
Jan 26 20:00:48 idm1 ns-slapd: [26/Jan/2018:20:00:48.058488375 +0100] - WARN - csngen_new_csn - Too much time skew (-416565 secs). Current seqnum=7
Jan 26 20:00:54 idm1 systemd: Stopped target PKI Tomcat Server.
Jan 26 20:00:54 idm1 systemd: Stopping PKI Tomcat Server.
Jan 26 20:00:54 idm1 systemd: Stopping PKI Tomcat Server pki-tomcat...
Jan 26 20:00:54 idm1 systemd: Stopping 389 Directory Server XXXKD-FAU-DE....
Jan 26 20:00:54 idm1 ns-slapd: [26/Jan/2018:20:00:54.631434461 +0100] - INFO - op_thread_cleanup - slapd shutting down - signaling operation threads - op stack size 19 max work q size 6 max work q stack size 6
Jan 26 20:00:54 idm1 ns-slapd: [26/Jan/2018:20:00:54.662944402 +0100] - INFO - slapd_daemon - slapd shutting down - waiting for 14 threads to terminate
Jan 26 20:00:54 idm1 ns-slapd: [26/Jan/2018:20:00:54.693612476 +0100] - INFO - slapd_daemon - slapd shutting down - closing down internal subsystems and plugins
Jan 26 20:00:55 idm1 server: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
Jan 26 20:00:55 idm1 server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
Jan 26 20:00:55 idm1 server: main class used: org.apache.catalina.startup.Bootstrap
Jan 26 20:00:55 idm1 server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni
Jan 26 20:00:55 idm1 server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
Jan 26 20:00:55 idm1 server: arguments used: stop
Jan 26 20:00:55 idm1 ns-slapd: [26/Jan/2018:20:00:55.269159082 +0100] - INFO - dblayer_pre_close - Waiting for 4 database threads to stop
Jan 26 20:00:55 idm1 server: Jan 26, 2018 8:00:55 PM org.apache.catalina.core.ContainerBase backgroundProcess
Jan 26 20:00:55 idm1 server: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process
Jan 26 20:00:55 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Jan 26 20:00:55 idm1 server: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
Jan 26 20:00:55 idm1 server: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
Jan 26 20:00:55 idm1 server: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
Jan 26 20:00:55 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
Jan 26 20:00:55 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 26 20:00:55 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 26 20:00:55 idm1 server: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
Jan 26 20:00:55 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 26 20:00:56 idm1 ns-slapd: [26/Jan/2018:20:00:56.047222363 +0100] - INFO - dblayer_pre_close - All database threads now stopped
Jan 26 20:00:56 idm1 ns-slapd: [26/Jan/2018:20:00:56.136143475 +0100] - INFO - ldbm_back_instance_set_destructor - Set of instances destroyed
Jan 26 20:00:56 idm1 ns-slapd: [26/Jan/2018:20:00:56.250499625 +0100] - INFO - connection_post_shutdown_cleanup - slapd shutting down - freed 6 work q stack objects - freed 19 op stack objects
Jan 26 20:00:56 idm1 ns-slapd: [26/Jan/2018:20:00:56.466290546 +0100] - INFO - main - slapd stopped.
Jan 26 20:00:57 idm1 systemd: Starting 389 Directory Server XXXKD-FAU-DE....
Jan 26 20:00:57 idm1 server: Jan 26, 2018 8:00:57 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
Jan 26 20:00:57 idm1 server: WARNING: Problem with JAR file [/usr/share/pki/server/common/lib/symkey.jar], exists: [false], canRead: [false]
Jan 26 20:00:59 idm1 server: Jan 26, 2018 8:00:59 PM org.apache.catalina.core.StandardServer await
Jan 26 20:00:59 idm1 server: INFO: A valid shutdown command was received via the shutdown port. Stopping the Server instance.
Jan 26 20:00:59 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_stop]
Jan 26 20:00:59 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[stop]
Jan 26 20:00:59 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[configure_stop]
Jan 26 20:00:59 idm1 server: Jan 26, 2018 8:00:59 PM org.apache.coyote.AbstractProtocol pause
Jan 26 20:00:59 idm1 server: INFO: Pausing ProtocolHandler ["http-bio-8080"]
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.166056006 +0100] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.192768272 +0100] - INFO - Security Initialization - SSL info: Enabling default cipher set.
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.194054627 +0100] - INFO - Security Initialization - SSL info: Configured NSS Ciphers
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.195443005 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.196488030 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.197471823 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.198476669 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.199408370 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.200335494 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.201269623 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.202187620 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.203076746 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:01:00 idm1 systemd: Stopped PKI Tomcat Server pki-tomcat.
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.212403223 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.213802057 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.214320583 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.215664034 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.216287901 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.216973776 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.217398701 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.217909449 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.218369168 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.218796504 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.219235985 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.220009250 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.220862707 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.221671302 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.222376985 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.223115430 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.223989576 +0100] - INFO - Security Initialization - SSL info: #011TLS_AES_128_GCM_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.224808605 +0100] - INFO - Security Initialization - SSL info: #011TLS_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.225509347 +0100] - INFO - Security Initialization - SSL info: #011TLS_AES_256_GCM_SHA384: enabled
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.251261397 +0100] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.2
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.252601147 +0100] - INFO - main - 389-Directory/1.3.6.1 B2018.025.1550 starting up
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.267546859 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.271447152 +0100] - WARN - default_mr_indexer_create - Plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.275981745 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.283140403 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.289336025 +0100] - NOTICE - ldbm_back_start - found 1532164k physical memory
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.290187342 +0100] - NOTICE - ldbm_back_start - found 588692k available
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.291044337 +0100] - NOTICE - ldbm_back_start - cache autosizing: db cache: 61286k
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.291982935 +0100] - NOTICE - ldbm_back_start - cache autosizing: userRoot entry cache (3 total): 65536k
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.294255028 +0100] - NOTICE - ldbm_back_start - cache autosizing: ipaca entry cache (3 total): 65536k
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.296509006 +0100] - NOTICE - ldbm_back_start - cache autosizing: changelog entry cache (3 total): 65536k
Jan 26 20:01:00 idm1 ns-slapd: [26/Jan/2018:20:01:00.298844301 +0100] - NOTICE - ldbm_back_start - total cache size: 282989821 B;
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.208240370 +0100] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.256911972 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.258221666 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=keys,cn=sec,cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.259183606 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.260299224 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.261345202 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.262389108 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.263438748 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.264619539 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.265661588 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.266617305 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.267503563 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.268386977 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.269339542 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.270164213 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.271060127 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.271880025 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.272730680 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.273618472 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.274598861 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.275455547 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.276441760 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.283273623 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.284297934 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:01:01 idm1 systemd: Started Session 84 of user root.
Jan 26 20:01:01 idm1 systemd: Starting Session 84 of user root.
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.396213753 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.399323317 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat".
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.399986425 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat".
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.400970832 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat".
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.636616613 +0100] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.639886286 +0100] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/idm1.XXXkd.fau.de@XXXKD.FAU.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.644711700 +0100] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.645973404 +0100] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
Jan 26 20:01:01 idm1 ns-slapd: [26/Jan/2018:20:01:01.659963996 +0100] - INFO - slapd_daemon - Listening on /var/run/slapd-XXXKD-FAU-DE.socket for LDAPI requests
Jan 26 20:01:01 idm1 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: /tmp/krb5cc_993))
Jan 26 20:01:01 idm1 systemd: Started 389 Directory Server XXXKD-FAU-DE..
Jan 26 20:01:01 idm1 systemd: Stopping Kerberos 5 KDC...
Jan 26 20:01:01 idm1 systemd: Starting Kerberos 5 KDC...
Jan 26 20:01:02 idm1 systemd: PID file /var/run/krb5kdc.pid not readable (yet?) after start.
Jan 26 20:01:02 idm1 systemd: Started Kerberos 5 KDC.
Jan 26 20:01:02 idm1 systemd: Stopping Kerberos 5 Password-changing and Administration...
Jan 26 20:01:02 idm1 systemd: kadmin.service: main process exited, code=exited, status=2/INVALIDARGUMENT
Jan 26 20:01:02 idm1 systemd: Unit kadmin.service entered failed state.
Jan 26 20:01:02 idm1 systemd: kadmin.service failed.
Jan 26 20:01:02 idm1 systemd: Starting Kerberos 5 Password-changing and Administration...
Jan 26 20:01:02 idm1 systemd: Started Kerberos 5 Password-changing and Administration.
Jan 26 20:01:02 idm1 systemd: Stopping The Apache HTTP Server...
Jan 26 20:01:04 idm1 kernel: httpd[27874]: segfault at 8 ip 00007ff9ffbd2a90 sp 00007ff9dbc05d70 error 4 in libpython2.7.so.1.0[7ff9ffad3000+17d000]
Jan 26 20:01:04 idm1 ns-slapd: [26/Jan/2018:20:01:04.672339153 +0100] - WARN - csngen_new_csn - Too much time skew (-416549 secs). Current seqnum=8
Jan 26 20:01:05 idm1 ns-slapd: [26/Jan/2018:20:01:05.044521936 +0100] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToidm2.XXXkd.fau.de" (idm2:389) - Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
Jan 26 20:01:05 idm1 systemd: Starting The Apache HTTP Server...
Jan 26 20:01:05 idm1 ipa-httpd-kdcproxy: ipa : INFO KDC proxy enabled
Jan 26 20:01:06 idm1 systemd: Started The Apache HTTP Server.
Jan 26 20:01:07 idm1 systemd: Stopping IPA Custodia Service...
Jan 26 20:01:07 idm1 systemd: Starting IPA Custodia Service...
Jan 26 20:01:07 idm1 ns-slapd: [26/Jan/2018:20:01:07.739422386 +0100] - ERR - schema-compat-plugin - Finished plugin initialization.
Jan 26 20:01:08 idm1 ipa-custodia: 2018-01-26 20:01:08 - server - Serving on Unix socket /run/httpd/ipa-custodia.sock
Jan 26 20:01:08 idm1 systemd: Started IPA Custodia Service.
Jan 26 20:01:08 idm1 systemd: Starting Network Time Service...
Jan 26 20:01:08 idm1 ntpd[15428]: ntpd 4.2.6p5@1.2349-o Wed Apr 12 21:24:06 UTC 2017 (1)
Jan 26 20:01:08 idm1 ntpd[15429]: proto: precision = 0.087 usec
Jan 26 20:01:08 idm1 ntpd[15429]: 0.0.0.0 c01d 0d kern kernel time sync enabled
Jan 26 20:01:08 idm1 systemd: Started Network Time Service.
Jan 26 20:01:08 idm1 ntpd[15429]: getaddrinfo: "2001:638:a000:b201::/64" invalid host address, ignored
Jan 26 20:01:08 idm1 systemd: Starting PKI Tomcat Server pki-tomcat...
Jan 26 20:01:08 idm1 ntpd[15429]: restrict: error in address '2001:638:a000:b201::/64' on line 21. Ignoring...
Jan 26 20:01:08 idm1 ntpd[15429]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
Jan 26 20:01:08 idm1 ntpd[15429]: Listen and drop on 1 v6wildcard :: UDP 123
Jan 26 20:01:08 idm1 ntpd[15429]: Listen normally on 2 lo 127.0.0.1 UDP 123
Jan 26 20:01:08 idm1 ntpd[15429]: Listen normally on 3 eth0 10.188.220.100 UDP 123
Jan 26 20:01:08 idm1 ntpd[15429]: Listen normally on 4 lo ::1 UDP 123
Jan 26 20:01:08 idm1 ntpd[15429]: Listen normally on 5 eth0 fe80::5054:ff:fe4e:b270 UDP 123
Jan 26 20:01:08 idm1 ntpd[15429]: Listen normally on 6 eth0 2001:638:a000:b201::220:100 UDP 123
Jan 26 20:01:08 idm1 ntpd[15429]: Listening on routing socket on fd #23 for interface updates
Jan 26 20:01:08 idm1 ntpd[15429]: 0.0.0.0 c016 06 restart
Jan 26 20:01:08 idm1 ntpd[15429]: 0.0.0.0 c012 02 freq_set ntpd -11.506 PPM
Jan 26 20:01:09 idm1 pkidaemon: -----------------------
Jan 26 20:01:09 idm1 pkidaemon: Banner is not installed
Jan 26 20:01:09 idm1 pkidaemon: -----------------------
Jan 26 20:01:09 idm1 pkidaemon: ----------------------
Jan 26 20:01:09 idm1 pkidaemon: Enabled all subsystems
Jan 26 20:01:09 idm1 pkidaemon: ----------------------
Jan 26 20:01:10 idm1 systemd: Started PKI Tomcat Server pki-tomcat.
Jan 26 20:01:10 idm1 systemd: Reached target PKI Tomcat Server.
Jan 26 20:01:10 idm1 systemd: Starting PKI Tomcat Server.
Jan 26 20:01:10 idm1 server: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
Jan 26 20:01:10 idm1 server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
Jan 26 20:01:10 idm1 server: main class used: org.apache.catalina.startup.Bootstrap
Jan 26 20:01:10 idm1 server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni
Jan 26 20:01:10 idm1 server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy
Jan 26 20:01:10 idm1 server: arguments used: start
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
Jan 26 20:01:11 idm1 server: WARNING: Problem with JAR file [/usr/share/pki/server/common/lib/symkey.jar], exists: [false], canRead: [false]
Jan 26 20:01:11 idm1 ns-slapd: [26/Jan/2018:20:01:11.084620256 +0100] - WARN - csngen_new_csn - Too much time skew (-416544 secs). Current seqnum=9
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://idm1.XXXkd.fau.de:9080/ca/ocsp' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'strictCiphers' to 'true' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property.
Jan 26 20:01:11 idm1 server: Jan 26, 2018 8:01:11 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
Jan 26 20:01:11 idm1 server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property.
Jan 26 20:01:11 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_init]
Jan 26 20:01:12 idm1 server: Jan 26, 2018 8:01:12 PM org.apache.coyote.AbstractProtocol init
Jan 26 20:01:12 idm1 server: INFO: Initializing ProtocolHandler ["http-bio-8080"]
Jan 26 20:01:12 idm1 server: Jan 26, 2018 8:01:12 PM org.apache.coyote.AbstractProtocol init
Jan 26 20:01:12 idm1 server: INFO: Initializing ProtocolHandler ["http-bio-8443"]
Jan 26 20:01:12 idm1 server: Error: SSL cipher "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" not recognized by tomcatjss
Jan 26 20:01:12 idm1 server: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" not recognized by tomcatjss
Jan 26 20:01:12 idm1 server: Jan 26, 2018 8:01:12 PM org.apache.coyote.AbstractProtocol init
Jan 26 20:01:12 idm1 server: INFO: Initializing ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Jan 26 20:01:12 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[after_init]
Jan 26 20:01:12 idm1 server: Jan 26, 2018 8:01:12 PM org.apache.catalina.startup.Catalina load
Jan 26 20:01:12 idm1 server: INFO: Initialization processed in 1363 ms
Jan 26 20:01:12 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_start]
Jan 26 20:01:12 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[configure_start]
Jan 26 20:01:12 idm1 ns-slapd: [26/Jan/2018:20:01:12.623763048 +0100] - WARN - csngen_new_csn - Too much time skew (-416544 secs). Current seqnum=a
Jan 26 20:01:12 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[start]
Jan 26 20:01:12 idm1 server: Jan 26, 2018 8:01:12 PM org.apache.catalina.core.StandardService startInternal
Jan 26 20:01:12 idm1 server: INFO: Starting service Catalina
Jan 26 20:01:12 idm1 server: Jan 26, 2018 8:01:12 PM org.apache.catalina.core.StandardEngine startInternal
Jan 26 20:01:12 idm1 server: INFO: Starting Servlet Engine: Apache Tomcat/7.0.76
Jan 26 20:01:12 idm1 server: Jan 26, 2018 8:01:12 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:01:12 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml
Jan 26 20:01:12 idm1 ns-slapd: [26/Jan/2018:20:01:12.731562409 +0100] - WARN - csngen_new_csn - Too much time skew (-416544 secs). Current seqnum=b
Jan 26 20:01:12 idm1 server: SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
Jan 26 20:01:12 idm1 server: SSLAuthenticatorWithFallback: Setting container
Jan 26 20:01:13 idm1 ntpd[15429]: 0.0.0.0 c515 05 clock_sync
Jan 26 20:01:15 idm1 server: Jan 26, 2018 8:01:15 PM org.apache.catalina.startup.TldConfig execute
Jan 26 20:01:15 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jan 26 20:01:15 idm1 server: SSLAuthenticatorWithFallback: Initializing authenticators
Jan 26 20:01:15 idm1 server: SSLAuthenticatorWithFallback: Starting authenticators
Jan 26 20:01:15 idm1 server: CMSEngine.initializePasswordStore() begins
Jan 26 20:01:15 idm1 server: CMSEngine.initializePasswordStore(): tag=internaldb
Jan 26 20:01:15 idm1 server: CMSEngine.initializePasswordStore(): tag=replicationdb
Jan 26 20:01:18 idm1 server: SelfTestSubsystem: Disabling "ca" subsystem due to selftest failure.
Jan 26 20:01:18 idm1 server: -----------------------
Jan 26 20:01:18 idm1 server: Disabled "ca" subsystem
Jan 26 20:01:18 idm1 server: -----------------------
Jan 26 20:01:18 idm1 server: Subsystem ID: ca
Jan 26 20:01:18 idm1 server: Instance ID: pki-tomcat
Jan 26 20:01:18 idm1 server: Enabled: False
Jan 26 20:01:18 idm1 server: Invalid class name repositorytop
Jan 26 20:01:19 idm1 server: Invalid class name repositorytop
Jan 26 20:01:19 idm1 server: at com.netscape.cmscore.dbs.DBRegistry.createObject(DBRegistry.java:485)
Jan 26 20:01:19 idm1 server: at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:167)
Jan 26 20:01:19 idm1 server: at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:137)
Jan 26 20:01:19 idm1 server: at com.netscape.cmscore.dbs.Repository.getSerialNumber(Repository.java:125)
Jan 26 20:01:19 idm1 server: at com.netscape.cmscore.dbs.Repository.initCache(Repository.java:244)
Jan 26 20:01:19 idm1 server: at com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:460)
Jan 26 20:01:19 idm1 server: at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1378)
Jan 26 20:01:19 idm1 server: at com.netscape.certsrv.apps.CMS.startup(CMS.java:202)
Jan 26 20:01:19 idm1 server: at com.netscape.certsrv.apps.CMS.start(CMS.java:1632)
Jan 26 20:01:19 idm1 server: at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
Jan 26 20:01:19 idm1 server: at javax.servlet.GenericServlet.init(GenericServlet.java:158)
Jan 26 20:01:19 idm1 server: at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Jan 26 20:01:19 idm1 server: at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
Jan 26 20:01:19 idm1 server: at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Jan 26 20:01:19 idm1 server: at java.lang.reflect.Method.invoke(Method.java:498)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
Jan 26 20:01:19 idm1 server: at java.security.AccessController.doPrivileged(Native Method)
Jan 26 20:01:19 idm1 server: at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1257)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1182)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1072)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5368)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5660)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
Jan 26 20:01:19 idm1 server: at java.security.AccessController.doPrivileged(Native Method)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
Jan 26 20:01:19 idm1 server: at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
Jan 26 20:01:19 idm1 server: at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
Jan 26 20:01:19 idm1 server: at java.util.concurrent.FutureTask.run(FutureTask.java:266)
Jan 26 20:01:19 idm1 server: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
Jan 26 20:01:19 idm1 server: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
Jan 26 20:01:19 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 26 20:01:19 idm1 server: Jan 26, 2018 8:01:19 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:01:19 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 6,698 ms
Jan 26 20:01:19 idm1 server: Jan 26, 2018 8:01:19 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:01:19 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml
Jan 26 20:01:20 idm1 server: Jan 26, 2018 8:01:20 PM org.apache.catalina.startup.TldConfig execute
Jan 26 20:01:20 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jan 26 20:01:20 idm1 server: Jan 26, 2018 8:01:20 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:01:20 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml has finished in 857 ms
Jan 26 20:01:20 idm1 server: Jan 26, 2018 8:01:20 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:01:20 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml
Jan 26 20:01:21 idm1 server: Jan 26, 2018 8:01:21 PM org.apache.catalina.startup.TldConfig execute
Jan 26 20:01:21 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jan 26 20:01:21 idm1 server: Jan 26, 2018 8:01:21 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:01:21 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml has finished in 1,161 ms
Jan 26 20:01:21 idm1 server: Jan 26, 2018 8:01:21 PM org.apache.coyote.AbstractProtocol start
Jan 26 20:01:21 idm1 server: INFO: Starting ProtocolHandler ["http-bio-8080"]
Jan 26 20:01:21 idm1 server: Jan 26, 2018 8:01:21 PM org.apache.coyote.AbstractProtocol start
Jan 26 20:01:21 idm1 server: INFO: Starting ProtocolHandler ["http-bio-8443"]
Jan 26 20:01:21 idm1 server: Jan 26, 2018 8:01:21 PM org.apache.coyote.AbstractProtocol start
Jan 26 20:01:21 idm1 server: INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Jan 26 20:01:21 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[after_start]
Jan 26 20:01:21 idm1 ntpd[15429]: 0.0.0.0 0613 03 spike_detect +416608.985992 s
Jan 26 20:01:21 idm1 server: PKIListener: Subsystem CA is disabled.
Jan 26 20:01:21 idm1 server: PKIListener: Check /var/log/pki/pki-tomcat/ca/selftests.log for possible errors.
Jan 26 20:01:21 idm1 server: PKIListener: To enable the subsystem:
Jan 26 20:01:21 idm1 server: PKIListener: pki-server subsystem-enable -i pki-tomcat ca
Jan 26 20:01:21 idm1 server: Jan 26, 2018 8:01:21 PM org.apache.catalina.startup.Catalina start
Jan 26 20:01:21 idm1 server: INFO: Server startup in 8856 ms
Jan 26 20:01:23 idm1 ns-slapd: [26/Jan/2018:20:01:23.234040056 +0100] - WARN - csngen_new_csn - Too much time skew (-416535 secs). Current seqnum=c
Jan 26 20:01:31 idm1 ns-slapd: [26/Jan/2018:20:01:31.761653163 +0100] - WARN - csngen_new_csn - Too much time skew (-416527 secs). Current seqnum=d
Jan 26 20:01:31 idm1 ns-slapd: [26/Jan/2018:20:01:31.782442210 +0100] - WARN - csngen_new_csn - Too much time skew (-416528 secs). Current seqnum=e
Jan 26 20:01:31 idm1 server: Jan 26, 2018 8:01:31 PM org.apache.catalina.startup.HostConfig undeploy
Jan 26 20:01:31 idm1 server: INFO: Undeploying context [/ca]
Jan 26 20:01:31 idm1 server: SSLAuthenticatorWithFallback: Stopping authenticators
Jan 26 20:01:31 idm1 server: Jan 26, 2018 8:01:31 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:01:31 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-0 ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:01:31 idm1 server: Jan 26, 2018 8:01:31 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:01:31 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-2 ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:01:31 idm1 server: Jan 26, 2018 8:01:31 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:01:31 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [authorityMonitor] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:01:31 idm1 server: Jan 26, 2018 8:01:31 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:01:31 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-3 ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:01:31 idm1 server: Jan 26, 2018 8:01:31 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:01:31 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [profileChangeMonitor] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:01:31 idm1 server: SSLAuthenticatorWithFallback: Setting container
Jan 26 20:01:32 idm1 ns-slapd: [26/Jan/2018:20:01:32.298667463 +0100] - WARN - csngen_new_csn - Too much time skew (-416529 secs). Current seqnum=f
Jan 26 20:01:32 idm1 ns-slapd: [26/Jan/2018:20:01:32.678832654 +0100] - WARN - csngen_new_csn - Too much time skew (-416530 secs). Current seqnum=10
Jan 26 20:01:33 idm1 ns-slapd: [26/Jan/2018:20:01:33.028623160 +0100] - WARN - csngen_new_csn - Too much time skew (-416530 secs). Current seqnum=11
Jan 26 20:01:33 idm1 ns-slapd: [26/Jan/2018:20:01:33.048763804 +0100] - WARN - csngen_new_csn - Too much time skew (-416531 secs). Current seqnum=12
Jan 26 20:01:47 idm1 ns-slapd: [26/Jan/2018:20:01:47.701332510 +0100] - WARN - csngen_new_csn - Too much time skew (-416517 secs). Current seqnum=13
Jan 26 20:02:04 idm1 ns-slapd: [26/Jan/2018:20:02:04.380427048 +0100] - WARN - csngen_new_csn - Too much time skew (-416502 secs). Current seqnum=14
Jan 26 20:02:04 idm1 ns-slapd: [26/Jan/2018:20:02:04.405310477 +0100] - WARN - csngen_new_csn - Too much time skew (-416503 secs). Current seqnum=15
Jan 26 20:02:34 idm1 ns-slapd: [26/Jan/2018:20:02:34.796622396 +0100] - WARN - csngen_new_csn - Too much time skew (-416473 secs). Current seqnum=16
Jan 26 20:02:37 idm1 ns-slapd: [26/Jan/2018:20:02:37.454779669 +0100] - WARN - csngen_new_csn - Too much time skew (-416472 secs). Current seqnum=17
Jan 26 20:02:37 idm1 ns-slapd: [26/Jan/2018:20:02:37.476249201 +0100] - WARN - csngen_new_csn - Too much time skew (-416473 secs). Current seqnum=18
Jan 26 20:02:37 idm1 ns-slapd: [26/Jan/2018:20:02:37.517017269 +0100] - WARN - csngen_new_csn - Too much time skew (-416474 secs). Current seqnum=19
Jan 26 20:02:37 idm1 ns-slapd: [26/Jan/2018:20:02:37.539991754 +0100] - WARN - csngen_new_csn - Too much time skew (-416475 secs). Current seqnum=1a
Jan 26 20:02:48 idm1 systemd: Stopping Network Time Service...
Jan 26 20:02:48 idm1 ntpd[15429]: ntpd exiting on signal 15
Jan 26 20:02:48 idm1 systemd: Stopped Network Time Service.
Jan 26 20:03:01 idm1 ns-slapd: [26/Jan/2018:20:03:01.034768459 +0100] - WARN - csngen_new_csn - Too much time skew (-416452 secs). Current seqnum=1b
Jan 26 20:03:01 idm1 ns-slapd: [26/Jan/2018:20:03:01.055043214 +0100] - WARN - csngen_new_csn - Too much time skew (-416453 secs). Current seqnum=1c
Jan 26 20:03:03 idm1 ns-slapd: [26/Jan/2018:20:03:03.375580834 +0100] - WARN - csngen_new_csn - Too much time skew (-416452 secs). Current seqnum=1d
Jan 26 20:03:03 idm1 ns-slapd: [26/Jan/2018:20:03:03.399395635 +0100] - WARN - csngen_new_csn - Too much time skew (-416453 secs). Current seqnum=1e
Jan 26 20:03:10 idm1 ns-slapd: [26/Jan/2018:20:03:10.279455298 +0100] - WARN - csngen_new_csn - Too much time skew (-416447 secs). Current seqnum=1f
Jan 26 20:03:10 idm1 ns-slapd: [26/Jan/2018:20:03:10.320874031 +0100] - WARN - csngen_new_csn - Too much time skew (-416448 secs). Current seqnum=20
Jan 26 20:03:45 idm1 systemd: Stopping Certificate monitoring and PKI enrollment...
Jan 26 20:03:45 idm1 systemd: Stopped Certificate monitoring and PKI enrollment.
Jan 26 20:03:56 idm1 systemd: Starting Certificate monitoring and PKI enrollment...
Jan 26 20:03:57 idm1 systemd: Started Certificate monitoring and PKI enrollment.
Jan 26 20:03:58 idm1 ns-slapd: [26/Jan/2018:20:03:58.111287110 +0100] - WARN - csngen_new_csn - Too much time skew (-416401 secs). Current seqnum=21
Jan 26 20:03:58 idm1 ns-slapd: [26/Jan/2018:20:03:58.390628999 +0100] - WARN - csngen_new_csn - Too much time skew (-416402 secs). Current seqnum=22
Jan 26 20:03:59 idm1 certmonger: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20180129120044.
Jan 26 20:03:59 idm1 certmonger: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20180129120044.
Jan 26 20:03:59 idm1 certmonger: Certificate in file "/var/lib/ipa/ra-agent.pem" will not be valid after 20180129120111.
Jan 26 20:04:01 idm1 ns-slapd: [26/Jan/2018:20:04:01.082324882 +0100] - WARN - csngen_new_csn - Too much time skew (-416400 secs). Current seqnum=23
Jan 26 20:04:06 idm1 ns-slapd: [26/Jan/2018:20:04:06.245845741 +0100] - WARN - csngen_new_csn - Too much time skew (-416396 secs). Current seqnum=24
Jan 26 20:04:17 idm1 ns-slapd: [26/Jan/2018:20:04:17.377907663 +0100] - WARN - csngen_new_csn - Too much time skew (-416385 secs). Current seqnum=25
Jan 26 20:04:32 idm1 ns-slapd: [26/Jan/2018:20:04:32.296003137 +0100] - WARN - csngen_new_csn - Too much time skew (-416372 secs). Current seqnum=26
Jan 26 20:04:32 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:04:32 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 26 20:04:42 idm1 ns-slapd: [26/Jan/2018:20:04:42.139493501 +0100] - WARN - csngen_new_csn - Too much time skew (-416363 secs). Current seqnum=27
Jan 26 20:04:42 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:04:42 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 26 20:04:52 idm1 ns-slapd: [26/Jan/2018:20:04:52.130303926 +0100] - WARN - csngen_new_csn - Too much time skew (-416354 secs). Current seqnum=28
Jan 26 20:04:52 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:04:52 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 26 20:05:15 idm1 systemd: Reloading.
Jan 26 20:05:16 idm1 systemd: [/usr/lib/systemd/system/ip6tables.service:3] Failed to add dependency on syslog.target,iptables.service, ignoring: Invalid argument
Jan 26 20:06:08 idm1 ns-slapd: [26/Jan/2018:20:06:08.075349646 +0100] - WARN - csngen_new_csn - Too much time skew (-416279 secs). Current seqnum=29
Jan 26 20:06:08 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:06:08 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 26 20:06:10 idm1 systemd: Stopping Kerberos 5 KDC...
Jan 26 20:06:10 idm1 systemd: Stopped Kerberos 5 KDC.
Jan 26 20:06:10 idm1 systemd: Stopping Kerberos 5 Password-changing and Administration...
Jan 26 20:06:10 idm1 systemd: kadmin.service: main process exited, code=exited, status=2/INVALIDARGUMENT
Jan 26 20:06:10 idm1 systemd: Stopped Kerberos 5 Password-changing and Administration.
Jan 26 20:06:10 idm1 systemd: Unit kadmin.service entered failed state.
Jan 26 20:06:10 idm1 systemd: kadmin.service failed.
Jan 26 20:06:10 idm1 systemd: Stopping The Apache HTTP Server...
Jan 26 20:06:43 idm1 systemd: Stopped The Apache HTTP Server.
Jan 26 20:06:44 idm1 systemd: Stopping IPA Custodia Service...
Jan 26 20:06:44 idm1 systemd: Stopped IPA Custodia Service.
Jan 26 20:06:44 idm1 systemd: Stopped target PKI Tomcat Server.
Jan 26 20:06:44 idm1 systemd: Stopping PKI Tomcat Server.
Jan 26 20:06:44 idm1 systemd: Stopping PKI Tomcat Server pki-tomcat...
Jan 26 20:06:44 idm1 systemd: Stopping Samba SMB Daemon...
Jan 26 20:06:44 idm1 smbd[28030]: [2018/01/26 20:06:44.275355, 0] ../source3/rpc_server/lsasd.c:139(lsasd_sig_term_handler)
Jan 26 20:06:44 idm1 smbd[28030]: termination signal
Jan 26 20:06:44 idm1 systemd: Stopped Samba SMB Daemon.
Jan 26 20:06:44 idm1 systemd: Stopping Samba Winbind Daemon...
Jan 26 20:06:44 idm1 winbindd[28044]: [2018/01/26 20:06:44.476018, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
Jan 26 20:06:44 idm1 winbindd[28044]: Got sig[15] terminate (is_parent=1)
Jan 26 20:06:44 idm1 server: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
Jan 26 20:06:44 idm1 server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
Jan 26 20:06:44 idm1 server: main class used: org.apache.catalina.startup.Bootstrap
Jan 26 20:06:44 idm1 server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni
Jan 26 20:06:44 idm1 server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
Jan 26 20:06:44 idm1 server: arguments used: stop
Jan 26 20:06:44 idm1 winbindd[28045]: [2018/01/26 20:06:44.508730, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
Jan 26 20:06:44 idm1 systemd: Stopped Samba Winbind Daemon.
Jan 26 20:06:44 idm1 winbindd[28045]: Got sig[15] terminate (is_parent=0)
Jan 26 20:06:44 idm1 systemd: Closed ipa-otpd socket.
Jan 26 20:06:44 idm1 systemd: Stopping ipa-otpd socket.
Jan 26 20:06:44 idm1 systemd: Stopping 389 Directory Server XXXKD-FAU-DE....
Jan 26 20:06:44 idm1 ns-slapd: [26/Jan/2018:20:06:44.721155688 +0100] - INFO - op_thread_cleanup - slapd shutting down - signaling operation threads - op stack size 5 max work q size 2 max work q stack size 2
Jan 26 20:06:44 idm1 ns-slapd: [26/Jan/2018:20:06:44.735943820 +0100] - INFO - slapd_daemon - slapd shutting down - waiting for 18 threads to terminate
Jan 26 20:06:44 idm1 ns-slapd: [26/Jan/2018:20:06:44.825965094 +0100] - INFO - slapd_daemon - slapd shutting down - closing down internal subsystems and plugins
Jan 26 20:06:45 idm1 ns-slapd: [26/Jan/2018:20:06:45.381054379 +0100] - INFO - dblayer_pre_close - Waiting for 4 database threads to stop
Jan 26 20:06:45 idm1 ns-slapd: [26/Jan/2018:20:06:45.927329520 +0100] - INFO - dblayer_pre_close - All database threads now stopped
Jan 26 20:06:46 idm1 ns-slapd: [26/Jan/2018:20:06:46.117991206 +0100] - INFO - ldbm_back_instance_set_destructor - Set of instances destroyed
Jan 26 20:06:46 idm1 ns-slapd: [26/Jan/2018:20:06:46.172299744 +0100] - INFO - connection_post_shutdown_cleanup - slapd shutting down - freed 2 work q stack objects - freed 7 op stack objects
Jan 26 20:06:46 idm1 server: Jan 26, 2018 8:06:46 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
Jan 26 20:06:46 idm1 server: WARNING: Problem with JAR file [/usr/share/pki/server/common/lib/symkey.jar], exists: [false], canRead: [false]
Jan 26 20:06:46 idm1 ns-slapd: [26/Jan/2018:20:06:46.752180768 +0100] - INFO - main - slapd stopped.
Jan 26 20:06:47 idm1 systemd: Stopped 389 Directory Server XXXKD-FAU-DE..
Jan 26 20:06:47 idm1 server: Jan 26, 2018 8:06:47 PM org.apache.catalina.core.StandardServer await
Jan 26 20:06:47 idm1 server: INFO: A valid shutdown command was received via the shutdown port. Stopping the Server instance.
Jan 26 20:06:47 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_stop]
Jan 26 20:06:47 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[stop]
Jan 26 20:06:47 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[configure_stop]
Jan 26 20:06:47 idm1 server: Jan 26, 2018 8:06:47 PM org.apache.coyote.AbstractProtocol pause
Jan 26 20:06:47 idm1 server: INFO: Pausing ProtocolHandler ["http-bio-8080"]
Jan 26 20:06:47 idm1 server: Jan 26, 2018 8:06:47 PM org.apache.coyote.AbstractProtocol pause
Jan 26 20:06:47 idm1 server: INFO: Pausing ProtocolHandler ["http-bio-8443"]
Jan 26 20:06:48 idm1 server: Jan 26, 2018 8:06:48 PM org.apache.coyote.AbstractProtocol pause
Jan 26 20:06:48 idm1 server: INFO: Pausing ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Jan 26 20:06:48 idm1 systemd: Stopped PKI Tomcat Server pki-tomcat.
Jan 26 20:07:15 idm1 systemd: Starting 389 Directory Server XXXKD-FAU-DE....
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.478325959 +0100] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.480593865 +0100] - INFO - Security Initialization - SSL info: Enabling default cipher set.
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.481219973 +0100] - INFO - Security Initialization - SSL info: Configured NSS Ciphers
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.481824600 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.482318301 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.482871806 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.483404678 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.483877775 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.484356724 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.485086617 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.485626013 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.486222706 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.486720917 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.487170422 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.487651590 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.488120831 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.488616154 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.489101124 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.489614588 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.490132278 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.490638790 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.491050535 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.491551374 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.491963122 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.492404036 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.492844912 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.493331259 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.493865506 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.494373239 +0100] - INFO - Security Initialization - SSL info: #011TLS_AES_128_GCM_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.494856356 +0100] - INFO - Security Initialization - SSL info: #011TLS_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.495379801 +0100] - INFO - Security Initialization - SSL info: #011TLS_AES_256_GCM_SHA384: enabled
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.504713771 +0100] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.2
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.505720965 +0100] - INFO - main - 389-Directory/1.3.6.1 B2018.025.1550 starting up
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.519359109 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.522754168 +0100] - WARN - default_mr_indexer_create - Plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.527038258 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.533380854 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.539571019 +0100] - NOTICE - ldbm_back_start - found 1532164k physical memory
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.540267898 +0100] - NOTICE - ldbm_back_start - found 1210532k available
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.540903052 +0100] - NOTICE - ldbm_back_start - cache autosizing: db cache: 61286k
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.541531113 +0100] - NOTICE - ldbm_back_start - cache autosizing: userRoot entry cache (3 total): 65536k
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.543313364 +0100] - NOTICE - ldbm_back_start - cache autosizing: ipaca entry cache (3 total): 65536k
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.544960676 +0100] - NOTICE - ldbm_back_start - cache autosizing: changelog entry cache (3 total): 65536k
Jan 26 20:07:16 idm1 ns-slapd: [26/Jan/2018:20:07:16.546649579 +0100] - NOTICE - ldbm_back_start - total cache size: 282989821 B;
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.188126082 +0100] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.254545220 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.255636672 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=keys,cn=sec,cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.256464414 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.257250650 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.258164746 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.258863403 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.259511799 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.260127161 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.260803146 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.261498596 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.262204544 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.262929674 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.263636127 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.264272729 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.265176992 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.265924764 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.266565141 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.267196538 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.267799261 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.268432799 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.269320406 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.277180952 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.277931491 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.394597339 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.397664334 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat".
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.398357312 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat".
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.398994945 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat".
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.437779220 +0100] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/idm1.XXXkd.fau.de@XXXKD.FAU.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.450559118 +0100] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
Jan 26 20:07:17 idm1 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: /tmp/krb5cc_993))
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.457942893 +0100] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.459144092 +0100] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
Jan 26 20:07:17 idm1 ns-slapd: [26/Jan/2018:20:07:17.460493541 +0100] - INFO - slapd_daemon - Listening on /var/run/slapd-XXXKD-FAU-DE.socket for LDAPI requests
Jan 26 20:07:17 idm1 systemd: Started 389 Directory Server XXXKD-FAU-DE..
Jan 26 20:07:17 idm1 systemd: Starting Kerberos 5 KDC...
Jan 26 20:07:18 idm1 systemd: PID file /var/run/krb5kdc.pid not readable (yet?) after start.
Jan 26 20:07:18 idm1 systemd: Started Kerberos 5 KDC.
Jan 26 20:07:18 idm1 systemd: Starting Kerberos 5 Password-changing and Administration...
Jan 26 20:07:18 idm1 systemd: Started Kerberos 5 Password-changing and Administration.
Jan 26 20:07:18 idm1 systemd: Starting The Apache HTTP Server...
Jan 26 20:07:18 idm1 ipa-httpd-kdcproxy: ipa : INFO KDC proxy enabled
Jan 26 20:07:19 idm1 systemd: Started The Apache HTTP Server.
Jan 26 20:07:19 idm1 systemd: Starting IPA Custodia Service...
Jan 26 20:07:20 idm1 ipa-custodia: 2018-01-26 20:07:20 - server - Serving on Unix socket /run/httpd/ipa-custodia.sock
Jan 26 20:07:20 idm1 systemd: Started IPA Custodia Service.
Jan 26 20:07:20 idm1 ns-slapd: [26/Jan/2018:20:07:20.562156820 +0100] - WARN - csngen_new_csn - Too much time skew (-416207 secs). Current seqnum=2a
Jan 26 20:07:20 idm1 systemd: Starting Network Time Service...
Jan 26 20:07:20 idm1 ns-slapd: [26/Jan/2018:20:07:20.753895497 +0100] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToidm2.XXXkd.fau.de" (idm2:389) - Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
Jan 26 20:07:20 idm1 ntpd[16369]: ntpd 4.2.6p5@1.2349-o Wed Apr 12 21:24:06 UTC 2017 (1)
Jan 26 20:07:20 idm1 systemd: Started Network Time Service.
Jan 26 20:07:20 idm1 ntpd[16370]: proto: precision = 0.087 usec
Jan 26 20:07:20 idm1 ntpd[16370]: 0.0.0.0 c01d 0d kern kernel time sync enabled
Jan 26 20:07:20 idm1 ntpd[16370]: getaddrinfo: "2001:638:a000:b201::/64" invalid host address, ignored
Jan 26 20:07:20 idm1 ntpd[16370]: restrict: error in address '2001:638:a000:b201::/64' on line 21. Ignoring...
Jan 26 20:07:20 idm1 ntpd[16370]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
Jan 26 20:07:20 idm1 systemd: Starting PKI Tomcat Server pki-tomcat...
Jan 26 20:07:20 idm1 ntpd[16370]: Listen and drop on 1 v6wildcard :: UDP 123
Jan 26 20:07:20 idm1 ntpd[16370]: Listen normally on 2 lo 127.0.0.1 UDP 123
Jan 26 20:07:20 idm1 ntpd[16370]: Listen normally on 3 eth0 10.188.220.100 UDP 123
Jan 26 20:07:20 idm1 ntpd[16370]: Listen normally on 4 lo ::1 UDP 123
Jan 26 20:07:20 idm1 ntpd[16370]: Listen normally on 5 eth0 fe80::5054:ff:fe4e:b270 UDP 123
Jan 26 20:07:20 idm1 ntpd[16370]: Listen normally on 6 eth0 2001:638:a000:b201::220:100 UDP 123
Jan 26 20:07:20 idm1 ntpd[16370]: Listening on routing socket on fd #23 for interface updates
Jan 26 20:07:20 idm1 ntpd[16370]: 0.0.0.0 c016 06 restart
Jan 26 20:07:20 idm1 ntpd[16370]: 0.0.0.0 c012 02 freq_set ntpd -11.506 PPM
Jan 26 20:07:23 idm1 ns-slapd: [26/Jan/2018:20:07:23.040493392 +0100] - ERR - schema-compat-plugin - Finished plugin initialization.
Jan 26 20:07:23 idm1 pkidaemon: -----------------------
Jan 26 20:07:23 idm1 pkidaemon: Banner is not installed
Jan 26 20:07:23 idm1 pkidaemon: -----------------------
Jan 26 20:07:23 idm1 pkidaemon: ----------------------
Jan 26 20:07:23 idm1 pkidaemon: Enabled all subsystems
Jan 26 20:07:23 idm1 pkidaemon: ----------------------
Jan 26 20:07:23 idm1 systemd: Started PKI Tomcat Server pki-tomcat.
Jan 26 20:07:23 idm1 systemd: Reached target PKI Tomcat Server.
Jan 26 20:07:23 idm1 systemd: Starting PKI Tomcat Server.
Jan 26 20:07:23 idm1 server: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
Jan 26 20:07:23 idm1 server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
Jan 26 20:07:23 idm1 server: main class used: org.apache.catalina.startup.Bootstrap
Jan 26 20:07:23 idm1 server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni
Jan 26 20:07:23 idm1 server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy
Jan 26 20:07:23 idm1 server: arguments used: start
Jan 26 20:07:23 idm1 server: Jan 26, 2018 8:07:23 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
Jan 26 20:07:23 idm1 server: WARNING: Problem with JAR file [/usr/share/pki/server/common/lib/symkey.jar], exists: [false], canRead: [false]
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://idm1.XXXkd.fau.de:9080/ca/ocsp' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'strictCiphers' to 'true' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property.
Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property. Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property. Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:07:24 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property. Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.tomcat.util.digester.SetPropertiesRule begin Jan 26 20:07:24 idm1 server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property. Jan 26 20:07:24 idm1 server: Jan 26, 2018 8:07:24 PM org.apache.tomcat.util.digester.SetPropertiesRule begin Jan 26 20:07:24 idm1 server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property. 
Jan 26 20:07:24 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_init]
Jan 26 20:07:25 idm1 server: Jan 26, 2018 8:07:25 PM org.apache.coyote.AbstractProtocol init
Jan 26 20:07:25 idm1 server: INFO: Initializing ProtocolHandler ["http-bio-8080"]
Jan 26 20:07:25 idm1 server: Jan 26, 2018 8:07:25 PM org.apache.coyote.AbstractProtocol init
Jan 26 20:07:25 idm1 server: INFO: Initializing ProtocolHandler ["http-bio-8443"]
Jan 26 20:07:25 idm1 server: Error: SSL cipher "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" not recognized by tomcatjss
Jan 26 20:07:25 idm1 server: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" not recognized by tomcatjss
Jan 26 20:07:25 idm1 server: Jan 26, 2018 8:07:25 PM org.apache.coyote.AbstractProtocol init
Jan 26 20:07:25 idm1 server: INFO: Initializing ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Jan 26 20:07:25 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[after_init]
Jan 26 20:07:25 idm1 server: Jan 26, 2018 8:07:25 PM org.apache.catalina.startup.Catalina load
Jan 26 20:07:25 idm1 server: INFO: Initialization processed in 1535 ms
Jan 26 20:07:25 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_start]
Jan 26 20:07:25 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[configure_start]
Jan 26 20:07:25 idm1 ntpd[16370]: 0.0.0.0 c515 05 clock_sync
Jan 26 20:07:25 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[start]
Jan 26 20:07:25 idm1 server: Jan 26, 2018 8:07:25 PM org.apache.catalina.core.StandardService startInternal
Jan 26 20:07:25 idm1 server: INFO: Starting service Catalina
Jan 26 20:07:25 idm1 server: Jan 26, 2018 8:07:25 PM org.apache.catalina.core.StandardEngine startInternal
Jan 26 20:07:25 idm1 server: INFO: Starting Servlet Engine: Apache Tomcat/7.0.76
Jan 26 20:07:25 idm1 server: Jan 26, 2018 8:07:25 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:07:25 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml
Jan 26 20:07:25 idm1 server: SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
Jan 26 20:07:25 idm1 server: SSLAuthenticatorWithFallback: Setting container
Jan 26 20:07:26 idm1 ns-slapd: [26/Jan/2018:20:07:26.811402672 +0100] - WARN - csngen_new_csn - Too much time skew (-416202 secs). Current seqnum=2b
Jan 26 20:07:27 idm1 server: Jan 26, 2018 8:07:27 PM org.apache.catalina.startup.TldConfig execute
Jan 26 20:07:27 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jan 26 20:07:27 idm1 server: SSLAuthenticatorWithFallback: Initializing authenticators
Jan 26 20:07:27 idm1 server: SSLAuthenticatorWithFallback: Starting authenticators
Jan 26 20:07:28 idm1 server: CMSEngine.initializePasswordStore() begins
Jan 26 20:07:28 idm1 server: CMSEngine.initializePasswordStore(): tag=internaldb
Jan 26 20:07:28 idm1 server: CMSEngine.initializePasswordStore(): tag=replicationdb
Jan 26 20:07:30 idm1 server: SelfTestSubsystem: Disabling "ca" subsystem due to selftest failure.
Jan 26 20:07:31 idm1 server: -----------------------
Jan 26 20:07:31 idm1 server: Disabled "ca" subsystem
Jan 26 20:07:31 idm1 server: -----------------------
Jan 26 20:07:31 idm1 server: Subsystem ID: ca
Jan 26 20:07:31 idm1 server: Instance ID: pki-tomcat
Jan 26 20:07:31 idm1 server: Enabled: False
Jan 26 20:07:31 idm1 server: Invalid class name repositorytop
Jan 26 20:07:31 idm1 server: Invalid class name repositorytop
Jan 26 20:07:31 idm1 server: at com.netscape.cmscore.dbs.DBRegistry.createObject(DBRegistry.java:485)
Jan 26 20:07:31 idm1 server: at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:167)
Jan 26 20:07:31 idm1 server: at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:137)
Jan 26 20:07:31 idm1 server: at com.netscape.cmscore.dbs.Repository.getSerialNumber(Repository.java:125)
Jan 26 20:07:31 idm1 server: at com.netscape.cmscore.dbs.Repository.initCache(Repository.java:244)
Jan 26 20:07:31 idm1 server: at com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:460)
Jan 26 20:07:31 idm1 server: at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1378)
Jan 26 20:07:31 idm1 server: at com.netscape.certsrv.apps.CMS.startup(CMS.java:202)
Jan 26 20:07:31 idm1 server: at com.netscape.certsrv.apps.CMS.start(CMS.java:1632)
Jan 26 20:07:31 idm1 server: at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
Jan 26 20:07:31 idm1 server: at javax.servlet.GenericServlet.init(GenericServlet.java:158)
Jan 26 20:07:31 idm1 server: at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Jan 26 20:07:31 idm1 server: at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
Jan 26 20:07:31 idm1 server: at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Jan 26 20:07:31 idm1 server: at java.lang.reflect.Method.invoke(Method.java:498)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
Jan 26 20:07:31 idm1 server: at java.security.AccessController.doPrivileged(Native Method)
Jan 26 20:07:31 idm1 server: at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1257)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1182)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1072)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5368)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5660)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
Jan 26 20:07:31 idm1 server: at java.security.AccessController.doPrivileged(Native Method)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
Jan 26 20:07:31 idm1 server: at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
Jan 26 20:07:31 idm1 server: at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
Jan 26 20:07:31 idm1 server: at java.util.concurrent.FutureTask.run(FutureTask.java:266)
Jan 26 20:07:31 idm1 server: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
Jan 26 20:07:31 idm1 server: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
Jan 26 20:07:31 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 26 20:07:31 idm1 server: Jan 26, 2018 8:07:31 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:07:31 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 5,520 ms
Jan 26 20:07:31 idm1 server: Jan 26, 2018 8:07:31 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:07:31 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml
Jan 26 20:07:32 idm1 server: Jan 26, 2018 8:07:32 PM org.apache.catalina.startup.TldConfig execute
Jan 26 20:07:32 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jan 26 20:07:32 idm1 server: Jan 26, 2018 8:07:32 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:07:32 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml has finished in 790 ms
Jan 26 20:07:32 idm1 server: Jan 26, 2018 8:07:32 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:07:32 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml
Jan 26 20:07:33 idm1 server: Jan 26, 2018 8:07:33 PM org.apache.catalina.startup.TldConfig execute
Jan 26 20:07:33 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jan 26 20:07:33 idm1 server: Jan 26, 2018 8:07:33 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:07:33 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml has finished in 1,064 ms
Jan 26 20:07:33 idm1 server: Jan 26, 2018 8:07:33 PM org.apache.coyote.AbstractProtocol start
Jan 26 20:07:33 idm1 server: INFO: Starting ProtocolHandler ["http-bio-8080"]
Jan 26 20:07:33 idm1 server: Jan 26, 2018 8:07:33 PM org.apache.coyote.AbstractProtocol start
Jan 26 20:07:33 idm1 server: INFO: Starting ProtocolHandler ["http-bio-8443"]
Jan 26 20:07:33 idm1 server: Jan 26, 2018 8:07:33 PM org.apache.coyote.AbstractProtocol start
Jan 26 20:07:33 idm1 server: INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Jan 26 20:07:33 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[after_start]
Jan 26 20:07:33 idm1 server: PKIListener: Subsystem CA is disabled.
Jan 26 20:07:33 idm1 server: PKIListener: Check /var/log/pki/pki-tomcat/ca/selftests.log for possible errors.
Jan 26 20:07:33 idm1 server: PKIListener: To enable the subsystem:
Jan 26 20:07:33 idm1 server: PKIListener: pki-server subsystem-enable -i pki-tomcat ca
Jan 26 20:07:33 idm1 server: Jan 26, 2018 8:07:33 PM org.apache.catalina.startup.Catalina start
Jan 26 20:07:33 idm1 server: INFO: Server startup in 7515 ms
Jan 26 20:07:39 idm1 ns-slapd: [26/Jan/2018:20:07:39.035843722 +0100] - WARN - csngen_new_csn - Too much time skew (-416191 secs). Current seqnum=2c
Jan 26 20:07:43 idm1 server: Jan 26, 2018 8:07:43 PM org.apache.catalina.startup.HostConfig undeploy
Jan 26 20:07:43 idm1 server: INFO: Undeploying context [/ca]
Jan 26 20:07:43 idm1 server: SSLAuthenticatorWithFallback: Stopping authenticators
Jan 26 20:07:43 idm1 server: Jan 26, 2018 8:07:43 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:07:43 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-0 ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:07:43 idm1 server: Jan 26, 2018 8:07:43 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:07:43 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-2 ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:07:43 idm1 server: Jan 26, 2018 8:07:43 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:07:43 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [authorityMonitor] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:07:43 idm1 server: Jan 26, 2018 8:07:43 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:07:43 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-3 ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:07:43 idm1 server: Jan 26, 2018 8:07:43 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:07:43 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [profileChangeMonitor] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:07:43 idm1 server: SSLAuthenticatorWithFallback: Setting container
Jan 26 20:07:47 idm1 ns-slapd: [26/Jan/2018:20:07:47.844329850 +0100] - WARN - csngen_new_csn - Too much time skew (-416183 secs). Current seqnum=2d
Jan 26 20:08:09 idm1 ns-slapd: [26/Jan/2018:20:08:09.059172306 +0100] - WARN - csngen_new_csn - Too much time skew (-416174 secs). Current seqnum=1
Jan 26 20:08:27 idm1 ntpd[16370]: ntpd exiting on signal 15
Jan 26 20:08:27 idm1 systemd: Stopping Network Time Service...
Jan 26 20:08:27 idm1 systemd: Stopped Network Time Service.
Jan 26 20:08:49 idm1 ns-slapd: [26/Jan/2018:20:08:49.052101605 +0100] - WARN - csngen_new_csn - Too much time skew (-416135 secs). Current seqnum=1
Jan 26 20:08:49 idm1 ns-slapd: [26/Jan/2018:20:08:49.075642776 +0100] - WARN - csngen_new_csn - Too much time skew (-416136 secs). Current seqnum=1
Jan 26 20:08:51 idm1 ns-slapd: [26/Jan/2018:20:08:51.298345097 +0100] - WARN - csngen_new_csn - Too much time skew (-416135 secs). Current seqnum=1
Jan 26 20:09:25 idm1 ns-slapd: [26/Jan/2018:20:09:25.093696262 +0100] - WARN - csngen_new_csn - Too much time skew (-416102 secs). Current seqnum=1
Jan 26 20:09:25 idm1 ns-slapd: [26/Jan/2018:20:09:25.115607333 +0100] - WARN - csngen_new_csn - Too much time skew (-416103 secs). Current seqnum=1
Jan 26 20:10:27 idm1 ns-slapd: [26/Jan/2018:20:10:27.371866302 +0100] - WARN - csngen_new_csn - Too much time skew (-416042 secs). Current seqnum=1
Jan 26 20:11:11 idm1 ns-slapd: [26/Jan/2018:20:11:11.185235999 +0100] - WARN - csngen_new_csn - Too much time skew (-415999 secs). Current seqnum=1
Jan 26 20:12:24 idm1 systemd: Starting Samba SMB Daemon...
Jan 26 20:12:24 idm1 smbd[16684]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket not yet valid)
Jan 26 20:12:24 idm1 ns-slapd: [26/Jan/2018:20:12:24.338023606 +0100] - WARN - csngen_new_csn - Too much time skew (-415927 secs). Current seqnum=1
Jan 26 20:12:24 idm1 ns-slapd: [26/Jan/2018:20:12:24.492918154 +0100] - WARN - csngen_new_csn - Too much time skew (-415928 secs). Current seqnum=1
Jan 26 20:12:24 idm1 smbd[16684]: [2018/01/26 20:12:24.644663, 0] ../lib/util/become_daemon.c:124(daemon_ready)
Jan 26 20:12:24 idm1 systemd: Started Samba SMB Daemon.
Jan 26 20:12:24 idm1 smbd[16684]: STATUS=daemon 'smbd' finished starting up and ready to serve connections
Jan 26 20:12:24 idm1 systemd: Starting Samba Winbind Daemon...
Jan 26 20:12:24 idm1 winbindd[16702]: [2018/01/26 20:12:24.744499, 0] ../source3/winbindd/winbindd_cache.c:3171(initialize_winbindd_cache)
Jan 26 20:12:24 idm1 systemd: winbind.service: Supervising process 16702 which is not our child. We'll most likely not notice when it exits.
Jan 26 20:12:24 idm1 winbindd[16702]: initialize_winbindd_cache: clearing cache and re-creating with version number 2
Jan 26 20:12:24 idm1 winbindd[16702]: [2018/01/26 20:12:24.788607, 0] ../lib/util/become_daemon.c:124(daemon_ready)
Jan 26 20:12:24 idm1 systemd: Started Samba Winbind Daemon.
Jan 26 20:12:24 idm1 winbindd[16702]: STATUS=daemon 'winbindd' finished starting up and ready to serve connections
Jan 26 20:12:24 idm1 systemd: Listening on ipa-otpd socket.
Jan 26 20:12:24 idm1 systemd: Starting ipa-otpd socket.
Jan 26 20:12:24 idm1 ns-slapd: [26/Jan/2018:20:12:24.835355417 +0100] - WARN - csngen_new_csn - Too much time skew (-415928 secs). Current seqnum=1
Jan 26 20:16:36 idm1 ns-slapd: [26/Jan/2018:20:16:36.642664215 +0100] - WARN - csngen_new_csn - Too much time skew (-415688 secs). Current seqnum=1
Jan 26 20:16:36 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:16:37 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 26 20:17:24 idm1 ns-slapd: [26/Jan/2018:20:17:24.820564227 +0100] - WARN - csngen_new_csn - Too much time skew (-415641 secs). Current seqnum=1
Jan 26 20:17:37 idm1 ns-slapd: [26/Jan/2018:20:17:37.625304230 +0100] - WARN - csngen_new_csn - Too much time skew (-415629 secs). Current seqnum=1
Jan 26 20:17:37 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:17:37 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 26 20:18:01 idm1 logrotate: ALERT exited abnormally with [1]
Jan 26 20:18:38 idm1 ns-slapd: [26/Jan/2018:20:18:38.792663979 +0100] - WARN - csngen_new_csn - Too much time skew (-415569 secs). Current seqnum=1
Jan 26 20:22:24 idm1 ns-slapd: [26/Jan/2018:20:22:24.817110632 +0100] - WARN - csngen_new_csn - Too much time skew (-415344 secs). Current seqnum=1
Jan 26 20:23:59 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Jan 26 20:23:59 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 2
Jan 26 20:24:45 idm1 stop_pkicad: Stopping pki_tomcatd
Jan 26 20:24:45 idm1 systemd: Stopping PKI Tomcat Server pki-tomcat...
Jan 26 20:24:45 idm1 server: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
Jan 26 20:24:45 idm1 server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
Jan 26 20:24:45 idm1 server: main class used: org.apache.catalina.startup.Bootstrap
Jan 26 20:24:45 idm1 server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni
Jan 26 20:24:45 idm1 server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
Jan 26 20:24:45 idm1 server: arguments used: stop
Jan 26 20:24:45 idm1 server: Jan 26, 2018 8:24:45 PM org.apache.catalina.startup.ClassLoaderFactory validateFile
Jan 26 20:24:45 idm1 server: WARNING: Problem with JAR file [/usr/share/pki/server/common/lib/symkey.jar], exists: [false], canRead: [false]
Jan 26 20:24:46 idm1 server: Jan 26, 2018 8:24:46 PM org.apache.catalina.core.StandardServer await
Jan 26 20:24:46 idm1 server: INFO: A valid shutdown command was received via the shutdown port. Stopping the Server instance.
Jan 26 20:24:46 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_stop]
Jan 26 20:24:46 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[stop]
Jan 26 20:24:46 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[configure_stop]
Jan 26 20:24:46 idm1 server: Jan 26, 2018 8:24:46 PM org.apache.coyote.AbstractProtocol pause
Jan 26 20:24:46 idm1 server: INFO: Pausing ProtocolHandler ["http-bio-8080"]
Jan 26 20:24:46 idm1 systemd: Stopped PKI Tomcat Server pki-tomcat.
Jan 26 20:24:46 idm1 stop_pkicad: Stopped pki_tomcatd
Jan 26 20:27:24 idm1 ns-slapd: [26/Jan/2018:20:27:24.817184276 +0100] - WARN - csngen_new_csn - Too much time skew (-415053 secs). Current seqnum=1
Jan 26 20:28:39 idm1 ns-slapd: [26/Jan/2018:20:28:39.388139879 +0100] - WARN - csngen_new_csn - Too much time skew (-414980 secs). Current seqnum=1
Jan 26 20:28:45 idm1 systemd: Reloading.
Jan 26 20:28:45 idm1 systemd: [/usr/lib/systemd/system/ip6tables.service:3] Failed to add dependency on syslog.target,iptables.service, ignoring: Invalid argument
Jan 26 20:28:45 idm1 yum[17021]: Installed: pki-server-10.4.1-17.el7_4.noarch
Jan 26 20:30:09 idm1 yum[17100]: Installed: pki-symkey-10.4.1-17.el7_4.x86_64
Jan 26 20:30:10 idm1 ns-slapd: [26/Jan/2018:20:30:10.056412100 +0100] - WARN - csngen_new_csn - Too much time skew (-414902 secs). Current seqnum=1
Jan 26 20:30:10 idm1 ns-slapd: [26/Jan/2018:20:30:10.112492509 +0100] - WARN - csngen_new_csn - Too much time skew (-414903 secs). Current seqnum=1
Jan 26 20:30:36 idm1 systemd: Stopping Certificate monitoring and PKI enrollment...
Jan 26 20:30:36 idm1 systemd: Starting Certificate monitoring and PKI enrollment...
Jan 26 20:30:36 idm1 systemd: Started Certificate monitoring and PKI enrollment.
Jan 26 20:30:51 idm1 ns-slapd: [26/Jan/2018:20:30:51.459575928 +0100] - WARN - csngen_new_csn - Too much time skew (-414862 secs). Current seqnum=1
Jan 26 20:30:53 idm1 ns-slapd: [26/Jan/2018:20:30:53.004542140 +0100] - WARN - csngen_new_csn - Too much time skew (-414862 secs). Current seqnum=1
Jan 26 20:32:53 idm1 ns-slapd: [26/Jan/2018:20:32:53.104794576 +0100] - WARN - csngen_new_csn - Too much time skew (-414747 secs). Current seqnum=1
Jan 26 20:33:38 idm1 ns-slapd: [26/Jan/2018:20:33:38.708156346 +0100] - WARN - csngen_new_csn - Too much time skew (-414702 secs). Current seqnum=1
Jan 26 20:35:26 idm1 systemd: Starting PKI Tomcat Server tomcatd...
Jan 26 20:35:27 idm1 pkidaemon: tomcatd is an invalid 'tomcat' instance
Jan 26 20:35:27 idm1 systemd: pki-tomcatd@tomcatd.service: control process exited, code=exited status=5
Jan 26 20:35:27 idm1 systemd: Failed to start PKI Tomcat Server tomcatd.
Jan 26 20:35:27 idm1 systemd: Unit pki-tomcatd@tomcatd.service entered failed state.
Jan 26 20:35:27 idm1 systemd: pki-tomcatd@tomcatd.service failed.
Jan 26 20:38:15 idm1 systemd: Stopping Certificate monitoring and PKI enrollment...
Jan 26 20:38:15 idm1 systemd: Starting Certificate monitoring and PKI enrollment...
Jan 26 20:38:16 idm1 systemd: Started Certificate monitoring and PKI enrollment.
Jan 26 20:38:50 idm1 systemd: Stopped target PKI Tomcat Server.
Jan 26 20:38:50 idm1 systemd: Stopping PKI Tomcat Server.
Jan 26 20:38:50 idm1 systemd: Stopping 389 Directory Server XXXKD-FAU-DE....
Jan 26 20:38:50 idm1 ns-slapd: [26/Jan/2018:20:38:50.930128624 +0100] - INFO - op_thread_cleanup - slapd shutting down - signaling operation threads - op stack size 7 max work q size 3 max work q stack size 3
Jan 26 20:38:50 idm1 ns-slapd: [26/Jan/2018:20:38:50.938738333 +0100] - INFO - slapd_daemon - slapd shutting down - closing down internal subsystems and plugins
Jan 26 20:38:51 idm1 ns-slapd: [26/Jan/2018:20:38:51.491982395 +0100] - INFO - dblayer_pre_close - Waiting for 4 database threads to stop
Jan 26 20:38:52 idm1 ns-slapd: [26/Jan/2018:20:38:52.643000430 +0100] - INFO - dblayer_pre_close - All database threads now stopped
Jan 26 20:38:52 idm1 ns-slapd: [26/Jan/2018:20:38:52.843193691 +0100] - INFO - ldbm_back_instance_set_destructor - Set of instances destroyed
Jan 26 20:38:52 idm1 ns-slapd: [26/Jan/2018:20:38:52.845431711 +0100] - INFO - connection_post_shutdown_cleanup - slapd shutting down - freed 3 work q stack objects - freed 7 op stack objects
Jan 26 20:38:52 idm1 ns-slapd: [26/Jan/2018:20:38:52.949112608 +0100] - INFO - main - slapd stopped.
Jan 26 20:38:53 idm1 systemd: Starting 389 Directory Server XXXKD-FAU-DE....
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.798684376 +0100] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.802136681 +0100] - INFO - Security Initialization - SSL info: Enabling default cipher set.
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.803482731 +0100] - INFO - Security Initialization - SSL info: Configured NSS Ciphers Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.804571447 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.805584219 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.806587975 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.807433596 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.808344028 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.809263480 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.810258405 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.811278159 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.812279895 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.813211722 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.814155963 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled Jan 26 20:38:54 idm1 
ns-slapd: [26/Jan/2018:20:38:54.815027810 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.815884935 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.816664023 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.817588461 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.820002292 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.820921200 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.821848282 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.822790429 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.823796031 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_GCM_SHA384: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.824792858 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_CBC_SHA: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.825834646 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_CBC_SHA256: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.826645719 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_GCM_SHA256: enabled Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.827439967 +0100] - INFO 
- Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.828388576 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.829379262 +0100] - INFO - Security Initialization - SSL info: #011TLS_AES_128_GCM_SHA256: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.830270347 +0100] - INFO - Security Initialization - SSL info: #011TLS_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.831112791 +0100] - INFO - Security Initialization - SSL info: #011TLS_AES_256_GCM_SHA384: enabled
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.842425631 +0100] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.2
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.844467130 +0100] - INFO - main - 389-Directory/1.3.6.1 B2018.025.1550 starting up
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.862148344 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.866723860 +0100] - WARN - default_mr_indexer_create - Plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.872029440 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.880396494 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.887683843 +0100] - NOTICE - ldbm_back_start - found 1532164k physical memory
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.889387846 +0100] - NOTICE - ldbm_back_start - found 957616k available
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.890401127 +0100] - NOTICE - ldbm_back_start - cache autosizing: db cache: 61286k
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.891282794 +0100] - NOTICE - ldbm_back_start - cache autosizing: userRoot entry cache (3 total): 65536k
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.893673995 +0100] - NOTICE - ldbm_back_start - cache autosizing: ipaca entry cache (3 total): 65536k
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.896279383 +0100] - NOTICE - ldbm_back_start - cache autosizing: changelog entry cache (3 total): 65536k
Jan 26 20:38:54 idm1 ns-slapd: [26/Jan/2018:20:38:54.899099347 +0100] - NOTICE - ldbm_back_start - total cache size: 282989821 B;
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.288606109 +0100] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.356204866 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.357475508 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=keys,cn=sec,cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.358533489 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.359655614 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.360824909 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.361929056 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.362916495 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.363933986 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.364863852 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.365773801 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.366715005 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.367657233 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.368620393 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.369654121 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.370568017 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.371627613 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.372549625 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.373548074 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.374515489 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.375468905 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.376417537 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.384105365 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.385229794 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.489142376 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.492165481 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat".
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.493230810 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat".
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.494325526 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat".
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.533752266 +0100] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.538206222 +0100] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/idm1.XXXkd.fau.de@XXXKD.FAU.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.542196033 +0100] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.550911263 +0100] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
Jan 26 20:38:55 idm1 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: /tmp/krb5cc_993))
Jan 26 20:38:55 idm1 ns-slapd: [26/Jan/2018:20:38:55.552234132 +0100] - INFO - slapd_daemon - Listening on /var/run/slapd-XXXKD-FAU-DE.socket for LDAPI requests
Jan 26 20:38:55 idm1 systemd: Started 389 Directory Server XXXKD-FAU-DE..
Jan 26 20:38:55 idm1 systemd: Stopping Kerberos 5 KDC...
Jan 26 20:38:55 idm1 systemd: Starting Kerberos 5 KDC...
Jan 26 20:38:55 idm1 systemd: PID file /var/run/krb5kdc.pid not readable (yet?) after start.
Jan 26 20:38:55 idm1 systemd: Started Kerberos 5 KDC.
Jan 26 20:38:55 idm1 systemd: Stopping Kerberos 5 Password-changing and Administration...
Jan 26 20:38:55 idm1 systemd: kadmin.service: main process exited, code=exited, status=2/INVALIDARGUMENT
Jan 26 20:38:55 idm1 systemd: Unit kadmin.service entered failed state.
Jan 26 20:38:55 idm1 systemd: kadmin.service failed.
Jan 26 20:38:55 idm1 systemd: Starting Kerberos 5 Password-changing and Administration...
Jan 26 20:38:56 idm1 systemd: Started Kerberos 5 Password-changing and Administration.
Jan 26 20:38:56 idm1 systemd: Stopping The Apache HTTP Server...
Jan 26 20:38:58 idm1 ns-slapd: [26/Jan/2018:20:38:58.564805340 +0100] - WARN - csngen_new_csn - Too much time skew (-414396 secs). Current seqnum=1
Jan 26 20:38:58 idm1 ns-slapd: [26/Jan/2018:20:38:58.641081747 +0100] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToidm2.XXXkd.fau.de" (idm2:389) - Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
Jan 26 20:39:00 idm1 systemd: Starting The Apache HTTP Server...
Jan 26 20:39:00 idm1 ipa-httpd-kdcproxy: ipa : INFO KDC proxy enabled
Jan 26 20:39:00 idm1 ns-slapd: [26/Jan/2018:20:39:00.943662244 +0100] - ERR - schema-compat-plugin - Finished plugin initialization.
Jan 26 20:39:01 idm1 systemd: Started The Apache HTTP Server.
Jan 26 20:39:01 idm1 systemd: Stopping IPA Custodia Service...
Jan 26 20:39:01 idm1 systemd: Starting IPA Custodia Service...
Jan 26 20:39:02 idm1 systemd: Started IPA Custodia Service.
Jan 26 20:39:02 idm1 ipa-custodia: 2018-01-26 20:39:02 - server - Serving on Unix socket /run/httpd/ipa-custodia.sock
Jan 26 20:39:02 idm1 systemd: Starting Network Time Service...
Jan 26 20:39:02 idm1 ntpd[17985]: ntpd 4.2.6p5@1.2349-o Wed Apr 12 21:24:06 UTC 2017 (1)
Jan 26 20:39:02 idm1 systemd: Started Network Time Service.
Jan 26 20:39:02 idm1 ntpd[17986]: proto: precision = 0.097 usec
Jan 26 20:39:02 idm1 ntpd[17986]: 0.0.0.0 c01d 0d kern kernel time sync enabled
Jan 26 20:39:02 idm1 systemd: Starting PKI Tomcat Server pki-tomcat...
Jan 26 20:39:03 idm1 ntpd[17986]: getaddrinfo: "2001:638:a000:b201::/64" invalid host address, ignored
Jan 26 20:39:03 idm1 ntpd[17986]: restrict: error in address '2001:638:a000:b201::/64' on line 21. Ignoring...
Jan 26 20:39:03 idm1 ntpd[17986]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
Jan 26 20:39:03 idm1 ntpd[17986]: Listen and drop on 1 v6wildcard :: UDP 123
Jan 26 20:39:03 idm1 ntpd[17986]: Listen normally on 2 lo 127.0.0.1 UDP 123
Jan 26 20:39:03 idm1 ntpd[17986]: Listen normally on 3 eth0 10.188.220.100 UDP 123
Jan 26 20:39:03 idm1 ntpd[17986]: Listen normally on 4 lo ::1 UDP 123
Jan 26 20:39:03 idm1 ntpd[17986]: Listen normally on 5 eth0 fe80::5054:ff:fe4e:b270 UDP 123
Jan 26 20:39:03 idm1 ntpd[17986]: Listen normally on 6 eth0 2001:638:a000:b201::220:100 UDP 123
Jan 26 20:39:03 idm1 ntpd[17986]: Listening on routing socket on fd #23 for interface updates
Jan 26 20:39:03 idm1 ntpd[17986]: 0.0.0.0 c016 06 restart
Jan 26 20:39:03 idm1 ntpd[17986]: 0.0.0.0 c012 02 freq_set ntpd -11.506 PPM
Jan 26 20:39:04 idm1 ns-slapd: [26/Jan/2018:20:39:04.677894447 +0100] - WARN - csngen_new_csn - Too much time skew (-414391 secs). Current seqnum=1
Jan 26 20:39:05 idm1 pkidaemon: -----------------------
Jan 26 20:39:05 idm1 pkidaemon: Banner is not installed
Jan 26 20:39:05 idm1 pkidaemon: -----------------------
Jan 26 20:39:05 idm1 pkidaemon: ----------------------
Jan 26 20:39:05 idm1 pkidaemon: Enabled all subsystems
Jan 26 20:39:05 idm1 pkidaemon: ----------------------
Jan 26 20:39:05 idm1 systemd: Started PKI Tomcat Server pki-tomcat.
Jan 26 20:39:05 idm1 systemd: Reached target PKI Tomcat Server.
Jan 26 20:39:05 idm1 systemd: Starting PKI Tomcat Server.
Jan 26 20:39:05 idm1 server: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
Jan 26 20:39:05 idm1 server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
Jan 26 20:39:05 idm1 server: main class used: org.apache.catalina.startup.Bootstrap
Jan 26 20:39:05 idm1 server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni
Jan 26 20:39:05 idm1 server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy
Jan 26 20:39:05 idm1 server: arguments used: start
Jan 26 20:39:07 idm1 ntpd[17986]: 0.0.0.0 c515 05 clock_sync
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://idm1.XXXkd.fau.de:9080/ca/ocsp' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'strictCiphers' to 'true' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property.
Jan 26 20:39:07 idm1 server: Jan 26, 2018 8:39:07 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
Jan 26 20:39:07 idm1 server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property.
Jan 26 20:39:07 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_init]
Jan 26 20:39:08 idm1 server: Jan 26, 2018 8:39:08 PM org.apache.coyote.AbstractProtocol init
Jan 26 20:39:08 idm1 server: INFO: Initializing ProtocolHandler ["http-bio-8080"]
Jan 26 20:39:08 idm1 server: Jan 26, 2018 8:39:08 PM org.apache.coyote.AbstractProtocol init
Jan 26 20:39:08 idm1 server: INFO: Initializing ProtocolHandler ["http-bio-8443"]
Jan 26 20:39:08 idm1 server: Error: SSL cipher "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" not recognized by tomcatjss
Jan 26 20:39:08 idm1 server: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" not recognized by tomcatjss
Jan 26 20:39:08 idm1 server: Jan 26, 2018 8:39:08 PM org.apache.coyote.AbstractProtocol init
Jan 26 20:39:08 idm1 server: INFO: Initializing ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Jan 26 20:39:08 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[after_init]
Jan 26 20:39:08 idm1 server: Jan 26, 2018 8:39:08 PM org.apache.catalina.startup.Catalina load
Jan 26 20:39:08 idm1 server: INFO: Initialization processed in 1254 ms
Jan 26 20:39:08 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_start]
Jan 26 20:39:08 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[configure_start]
Jan 26 20:39:08 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[start]
Jan 26 20:39:08 idm1 server: Jan 26, 2018 8:39:08 PM org.apache.catalina.core.StandardService startInternal
Jan 26 20:39:08 idm1 server: INFO: Starting service Catalina
Jan 26 20:39:08 idm1 server: Jan 26, 2018 8:39:08 PM org.apache.catalina.core.StandardEngine startInternal
Jan 26 20:39:08 idm1 server: INFO: Starting Servlet Engine: Apache Tomcat/7.0.76
Jan 26 20:39:08 idm1 server: Jan 26, 2018 8:39:08 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:39:08 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml
Jan 26 20:39:08 idm1 server: SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
Jan 26 20:39:08 idm1 server: SSLAuthenticatorWithFallback: Setting container
Jan 26 20:39:10 idm1 server: Jan 26, 2018 8:39:10 PM org.apache.catalina.startup.TldConfig execute
Jan 26 20:39:10 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jan 26 20:39:10 idm1 server: SSLAuthenticatorWithFallback: Initializing authenticators
Jan 26 20:39:10 idm1 server: SSLAuthenticatorWithFallback: Starting authenticators
Jan 26 20:39:10 idm1 server: CMSEngine.initializePasswordStore() begins
Jan 26 20:39:10 idm1 server: CMSEngine.initializePasswordStore(): tag=internaldb
Jan 26 20:39:10 idm1 server: CMSEngine.initializePasswordStore(): tag=replicationdb
Jan 26 20:39:13 idm1 server: SelfTestSubsystem: Disabling "ca" subsystem due to selftest failure.
Jan 26 20:39:13 idm1 server: -----------------------
Jan 26 20:39:13 idm1 server: Disabled "ca" subsystem
Jan 26 20:39:13 idm1 server: -----------------------
Jan 26 20:39:13 idm1 server: Subsystem ID: ca
Jan 26 20:39:13 idm1 server: Instance ID: pki-tomcat
Jan 26 20:39:13 idm1 server: Enabled: False
Jan 26 20:39:13 idm1 server: Invalid class name repositorytop
Jan 26 20:39:14 idm1 server: Invalid class name repositorytop
Jan 26 20:39:14 idm1 server: at com.netscape.cmscore.dbs.DBRegistry.createObject(DBRegistry.java:485)
Jan 26 20:39:14 idm1 server: at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:167)
Jan 26 20:39:14 idm1 server: at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:137)
Jan 26 20:39:14 idm1 server: at com.netscape.cmscore.dbs.Repository.getSerialNumber(Repository.java:125)
Jan 26 20:39:14 idm1 server: at com.netscape.cmscore.dbs.Repository.initCache(Repository.java:244)
Jan 26 20:39:14 idm1 server: at com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:460)
Jan 26 20:39:14 idm1 server: at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1378)
Jan 26 20:39:14 idm1 server: at com.netscape.certsrv.apps.CMS.startup(CMS.java:202)
Jan 26 20:39:14 idm1 server: at com.netscape.certsrv.apps.CMS.start(CMS.java:1632)
Jan 26 20:39:14 idm1 server: at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
Jan 26 20:39:14 idm1 server: at javax.servlet.GenericServlet.init(GenericServlet.java:158)
Jan 26 20:39:14 idm1 server: at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Jan 26 20:39:14 idm1 server: at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
Jan 26 20:39:14 idm1 server: at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Jan 26 20:39:14 idm1 server: at java.lang.reflect.Method.invoke(Method.java:498)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
Jan 26 20:39:14 idm1 server: at java.security.AccessController.doPrivileged(Native Method)
Jan 26 20:39:14 idm1 server: at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1257)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1182)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1072)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5368)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5660)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
Jan 26 20:39:14 idm1 server: at java.security.AccessController.doPrivileged(Native Method)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
Jan 26 20:39:14 idm1 server: at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
Jan 26 20:39:14 idm1 server: at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
Jan 26 20:39:14 idm1 server: at java.util.concurrent.FutureTask.run(FutureTask.java:266)
Jan 26 20:39:14 idm1 server: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
Jan 26 20:39:14 idm1 server: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
Jan 26 20:39:14 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 26 20:39:14 idm1 server: Jan 26, 2018 8:39:14 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:39:14 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 5,603 ms
Jan 26 20:39:14 idm1 server: Jan 26, 2018 8:39:14 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:39:14 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml
Jan 26 20:39:14 idm1 server: Jan 26, 2018 8:39:14 PM org.apache.catalina.startup.TldConfig execute
Jan 26 20:39:14 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jan 26 20:39:14 idm1 server: Jan 26, 2018 8:39:14 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:39:14 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml has finished in 724 ms
Jan 26 20:39:14 idm1 server: Jan 26, 2018 8:39:14 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:39:14 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml
Jan 26 20:39:15 idm1 server: Jan 26, 2018 8:39:15 PM org.apache.catalina.startup.TldConfig execute
Jan 26 20:39:15 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jan 26 20:39:15 idm1 server: Jan 26, 2018 8:39:15 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jan 26 20:39:15 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml has finished in 1,041 ms
Jan 26 20:39:15 idm1 server: Jan 26, 2018 8:39:15 PM org.apache.coyote.AbstractProtocol start
Jan 26 20:39:15 idm1 server: INFO: Starting ProtocolHandler ["http-bio-8080"]
Jan 26 20:39:15 idm1 server: Jan 26, 2018 8:39:15 PM org.apache.coyote.AbstractProtocol start
Jan 26 20:39:15 idm1 server: INFO: Starting ProtocolHandler ["http-bio-8443"]
Jan 26 20:39:15 idm1 server: Jan 26, 2018 8:39:15 PM org.apache.coyote.AbstractProtocol start
Jan 26 20:39:15 idm1 server: INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Jan 26 20:39:15 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[after_start]
Jan 26 20:39:15 idm1 server: PKIListener: Subsystem CA is disabled.
Jan 26 20:39:15 idm1 server: PKIListener: Check /var/log/pki/pki-tomcat/ca/selftests.log for possible errors.
Jan 26 20:39:15 idm1 server: PKIListener: To enable the subsystem:
Jan 26 20:39:15 idm1 server: PKIListener: pki-server subsystem-enable -i pki-tomcat ca
Jan 26 20:39:15 idm1 server: Jan 26, 2018 8:39:15 PM org.apache.catalina.startup.Catalina start
Jan 26 20:39:15 idm1 server: INFO: Server startup in 7480 ms
Jan 26 20:39:17 idm1 ns-slapd: [26/Jan/2018:20:39:17.236299024 +0100] - WARN - csngen_new_csn - Too much time skew (-414380 secs). Current seqnum=1
Jan 26 20:39:22 idm1 ns-slapd: [26/Jan/2018:20:39:22.056843883 +0100] - WARN - csngen_new_csn - Too much time skew (-414376 secs). Current seqnum=1
Jan 26 20:39:22 idm1 ns-slapd: [26/Jan/2018:20:39:22.084016470 +0100] - WARN - csngen_new_csn - Too much time skew (-414377 secs). Current seqnum=1
Jan 26 20:39:26 idm1 ns-slapd: [26/Jan/2018:20:39:26.282879120 +0100] - WARN - csngen_new_csn - Too much time skew (-414374 secs). Current seqnum=1
Jan 26 20:39:26 idm1 ns-slapd: [26/Jan/2018:20:39:26.321619015 +0100] - WARN - csngen_new_csn - Too much time skew (-414375 secs). Current seqnum=1
Jan 26 20:39:26 idm1 server: Jan 26, 2018 8:39:26 PM org.apache.catalina.startup.HostConfig undeploy
Jan 26 20:39:26 idm1 server: INFO: Undeploying context [/ca]
Jan 26 20:39:26 idm1 server: SSLAuthenticatorWithFallback: Stopping authenticators
Jan 26 20:39:26 idm1 server: Jan 26, 2018 8:39:26 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:39:26 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-0 ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:39:26 idm1 server: Jan 26, 2018 8:39:26 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:39:26 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-2 ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:39:26 idm1 server: Jan 26, 2018 8:39:26 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:39:26 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [authorityMonitor] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:39:26 idm1 server: Jan 26, 2018 8:39:26 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:39:26 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-3 ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:39:26 idm1 server: Jan 26, 2018 8:39:26 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jan 26 20:39:26 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [profileChangeMonitor] but has failed to stop it. This is very likely to create a memory leak.
Jan 26 20:39:26 idm1 server: SSLAuthenticatorWithFallback: Setting container J
Jan 26 20:42:16 idm1 systemd: Closed ipa-otpd socket.
Jan 26 20:42:16 idm1 systemd: Stopping ipa-otpd socket.
Jan 26 20:42:16 idm1 systemd: Stopping Samba Winbind Daemon...
Jan 26 20:42:16 idm1 winbindd[16702]: [2018/01/26 20:42:16.696807, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
Jan 26 20:42:16 idm1 winbindd[16702]: Got sig[15] terminate (is_parent=1)
Jan 26 20:42:16 idm1 winbindd[16703]: [2018/01/26 20:42:16.841466, 0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)
Jan 26 20:42:16 idm1 winbindd[16703]: Got sig[15] terminate (is_parent=0)
Jan 26 20:42:16 idm1 systemd: Stopped Samba Winbind Daemon.
Jan 26 20:42:16 idm1 systemd: Stopping Samba SMB Daemon...
Jan 26 20:42:16 idm1 smbd[16688]: [2018/01/26 20:42:16.916550, 0] ../source3/rpc_server/lsasd.c:139(lsasd_sig_term_handler)
Jan 26 20:42:16 idm1 smbd[16688]: termination signal
Jan 26 20:42:16 idm1 systemd: Stopped Samba SMB Daemon.
Jan 26 20:42:17 idm1 systemd: Stopping IPA Custodia Service...
Jan 26 20:42:17 idm1 systemd: Stopped IPA Custodia Service.
Jan 26 20:42:17 idm1 systemd: Stopping The Apache HTTP Server...
Jan 26 20:42:18 idm1 systemd: Stopped The Apache HTTP Server.
Jan 26 20:42:18 idm1 systemd: Stopping Kerberos 5 Password-changing and Administration...
Jan 26 20:42:18 idm1 systemd: kadmin.service: main process exited, code=exited, status=2/INVALIDARGUMENT
Jan 26 20:42:18 idm1 systemd: Stopped Kerberos 5 Password-changing and Administration.
Jan 26 20:42:18 idm1 systemd: Unit kadmin.service entered failed state.
Jan 26 20:42:18 idm1 systemd: kadmin.service failed.
Jan 26 20:42:18 idm1 systemd: Stopping Kerberos 5 KDC...
Jan 26 20:42:18 idm1 systemd: Stopped Kerberos 5 KDC.
Jan 26 20:42:18 idm1 systemd: Stopping 389 Directory Server XXXKD-FAU-DE....
Jan 26 20:42:18 idm1 ns-slapd: [26/Jan/2018:20:42:18.368608160 +0100] - INFO - op_thread_cleanup - slapd shutting down - signaling operation threads - op stack size 6 max work q size 2 max work q stack size 2
Jan 26 20:42:18 idm1 ns-slapd: [26/Jan/2018:20:42:18.372309172 +0100] - INFO - slapd_daemon - slapd shutting down - waiting for 15 threads to terminate
Jan 26 20:42:18 idm1 ns-slapd: [26/Jan/2018:20:42:18.374142668 +0100] - INFO - slapd_daemon - slapd shutting down - closing down internal subsystems and plugins
Jan 26 20:42:18 idm1 ns-slapd: [26/Jan/2018:20:42:18.726004813 +0100] - INFO - dblayer_pre_close - Waiting for 4 database threads to stop
Jan 26 20:42:19 idm1 ns-slapd: [26/Jan/2018:20:42:19.258064040 +0100] - INFO - dblayer_pre_close - All database threads now stopped
Jan 26 20:42:19 idm1 ns-slapd: [26/Jan/2018:20:42:19.286571363 +0100] - INFO - ldbm_back_instance_set_destructor - Set of instances destroyed
Jan 26 20:42:19 idm1 ns-slapd: [26/Jan/2018:20:42:19.288632006 +0100] - INFO - connection_post_shutdown_cleanup - slapd shutting down - freed 2 work q stack objects - freed 7 op stack objects
Jan 26 20:42:19 idm1 ns-slapd: [26/Jan/2018:20:42:19.803231467 +0100] - INFO - main - slapd stopped.
Jan 26 20:42:19 idm1 systemd: Stopped 389 Directory Server XXXKD-FAU-DE..
Jan 26 20:42:30 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_stop]
Jan 26 20:42:30 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[stop]
Jan 26 20:42:30 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[configure_stop]
Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.coyote.AbstractProtocol pause
Jan 26 20:42:30 idm1 server: INFO: Pausing ProtocolHandler ["http-bio-8080"]
Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.coyote.AbstractProtocol pause
Jan 26 20:42:30 idm1 server: INFO: Pausing ProtocolHandler ["http-bio-8443"]
Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.coyote.AbstractProtocol pause
Jan 26 20:42:30 idm1 server: INFO: Pausing ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.catalina.core.StandardService stopInternal
Jan 26 20:42:30 idm1 server: INFO: Stopping service Catalina
Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.coyote.AbstractProtocol stop
Jan 26 20:42:30 idm1 server: INFO: Stopping ProtocolHandler ["http-bio-8080"]
Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.coyote.AbstractProtocol stop
Jan 26 20:42:30 idm1 server: INFO: Stopping ProtocolHandler ["http-bio-8443"]
Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.coyote.AbstractProtocol stop
Jan 26 20:42:30 idm1 server: INFO: Stopping ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Jan 26 20:42:30 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[after_stop]
Jan 26 20:42:30 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_destroy]
Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.coyote.AbstractProtocol destroy
Jan 26 20:42:30 idm1 server: INFO: Destroying ProtocolHandler ["http-bio-8080"]
Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.coyote.AbstractProtocol destroy
Jan 26 20:42:30 idm1 server: INFO: Destroying ProtocolHandler ["http-bio-8443"]
Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.coyote.AbstractProtocol destroy
Jan 26 20:42:30 idm1 server: INFO: Destroying ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Jan 26 20:42:30 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[after_destroy]
Jan 26 20:42:30 idm1 server: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
Jan 26 20:42:30 idm1 server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
Jan 26 20:42:30 idm1 server: main class used: org.apache.catalina.startup.Bootstrap
Jan 26 20:42:30 idm1 server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni
Jan 26 20:42:30 idm1 server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
Jan 26 20:42:30 idm1 server: arguments used: stop
Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.catalina.startup.Catalina stopServer
Jan 26 20:42:30 idm1 server: SEVERE: Could not contact localhost:8005. Tomcat may not be running.
Jan 26 20:42:30 idm1 server: Jan 26, 2018 8:42:30 PM org.apache.catalina.startup.Catalina stopServer
Jan 26 20:42:30 idm1 server: SEVERE: Catalina.stop:
Jan 26 20:42:30 idm1 server: java.net.ConnectException: Connection refused (Connection refused)
Jan 26 20:42:30 idm1 server: at java.net.PlainSocketImpl.socketConnect(Native Method)
Jan 26 20:42:30 idm1 server: at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
Jan 26 20:42:30 idm1 server: at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
Jan 26 20:42:30 idm1 server: at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
Jan 26 20:42:30 idm1 server: at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
Jan 26 20:42:30 idm1 server: at java.net.Socket.connect(Socket.java:589)
Jan 26 20:42:30 idm1 server: at java.net.Socket.connect(Socket.java:538)
Jan 26 20:42:30 idm1 server: at java.net.Socket.<init>(Socket.java:434)
Jan 26 20:42:30 idm1 server: at java.net.Socket.<init>(Socket.java:211)
Jan 26 20:42:30 idm1 server: at org.apache.catalina.startup.Catalina.stopServer(Catalina.java:498)
Jan 26 20:42:30 idm1 server: at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Jan 26 20:42:30 idm1 server: at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
Jan 26 20:42:30 idm1 server: at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Jan 26 20:42:30 idm1 server: at java.lang.reflect.Method.invoke(Method.java:498)
Jan 26 20:42:30 idm1 server: at org.apache.catalina.startup.Bootstrap.stopServer(Bootstrap.java:343)
Jan 26 20:42:30 idm1 server: at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:430)
Jan 26 20:42:30 idm1 systemd: pki-tomcatd@pki-tomcat.service: control process exited, code=exited status=1
Jan 26 20:42:30 idm1 systemd: Unit pki-tomcatd@pki-tomcat.service entered failed state.
Jan 26 20:42:30 idm1 systemd: pki-tomcatd@pki-tomcat.service failed.
Jan 26 20:43:06 idm1 systemd: Starting 389 Directory Server XXXKD-FAU-DE....
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.135519647 +0100] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.137896015 +0100] - INFO - Security Initialization - SSL info: Enabling default cipher set.
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.138653476 +0100] - INFO - Security Initialization - SSL info: Configured NSS Ciphers
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.139362471 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.139997617 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.140969886 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.141763790 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.142425874 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.143128669 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.143876111 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.144506089 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.145128275 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.145681866 +0100] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.146327021 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.146946087 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.147538973 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.148175269 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.148809308 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.149468022 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.150081883 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.150700313 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.151358604 +0100] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.151978602 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.152607727 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_CBC_SHA: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.153363369 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.153985935 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.154615624 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_CBC_SHA: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.155162346 +0100] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.155751837 +0100] - INFO - Security Initialization - SSL info: #011TLS_AES_128_GCM_SHA256: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.156407344 +0100] - INFO - Security Initialization - SSL info: #011TLS_CHACHA20_POLY1305_SHA256: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.157006854 +0100] - INFO - Security Initialization - SSL info: #011TLS_AES_256_GCM_SHA384: enabled
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.166751450 +0100] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.2
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.167990669 +0100] - INFO - main - 389-Directory/1.3.6.1 B2018.025.1550 starting up
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.182152260 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.186165063 +0100] - WARN - default_mr_indexer_create - Plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.190789757 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.197372415 +0100] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.203502167 +0100] - NOTICE - ldbm_back_start - found 1532164k physical memory
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.204358115 +0100] - NOTICE - ldbm_back_start - found 945032k available
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.205099201 +0100] - NOTICE - ldbm_back_start - cache autosizing: db cache: 61286k
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.205772172 +0100] - NOTICE - ldbm_back_start - cache autosizing: userRoot entry cache (3 total): 65536k
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.207976581 +0100] - NOTICE - ldbm_back_start - cache autosizing: ipaca entry cache (3 total): 65536k
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.209935120 +0100] - NOTICE - ldbm_back_start - cache autosizing: changelog entry cache (3 total): 65536k
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.211955092 +0100] - NOTICE - ldbm_back_start - total cache size: 282989821 B;
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.268450630 +0100] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.282669243 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.283853676 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=keys,cn=sec,cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.284750958 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.285646359 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.286462970 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.287349607 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.288118043 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.289095649 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.289876366 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.290752671 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.291856781 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.292684559 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.293502496 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.294411988 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.295131467 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.295944190 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.296675050 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.297436245 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.298242490 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.299012600 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.299921149 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.307173136 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.308050707 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=XXXkd,dc=fau,dc=de does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.414161967 +0100] - ERR - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.417370681 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat".
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.418164001 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat".
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.419003673 +0100] - ERR - auto-membership-plugin - automember_parse_regex_rule - Unable to parse regex rule (invalid regex). Error "nothing to repeat".
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.451898960 +0100] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.454077292 +0100] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/idm1.XXXkd.fau.de@XXXKD.FAU.DE] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.459158890 +0100] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
Jan 26 20:43:07 idm1 systemd: Started 389 Directory Server XXXKD-FAU-DE..
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.461550924 +0100] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
Jan 26 20:43:07 idm1 ns-slapd: [26/Jan/2018:20:43:07.462589374 +0100] - INFO - slapd_daemon - Listening on /var/run/slapd-XXXKD-FAU-DE.socket for LDAPI requests
Jan 26 20:43:07 idm1 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: /tmp/krb5cc_993))
Jan 26 20:43:07 idm1 systemd: Starting Kerberos 5 KDC...
Jan 26 20:43:07 idm1 systemd: Started Kerberos 5 KDC.
Jan 26 20:43:07 idm1 systemd: Starting Kerberos 5 Password-changing and Administration...
Jan 26 20:43:07 idm1 systemd: Started Kerberos 5 Password-changing and Administration.
Jan 26 20:43:08 idm1 systemd: Starting The Apache HTTP Server...
Jan 26 20:43:08 idm1 ipa-httpd-kdcproxy: ipa : INFO KDC proxy enabled
Jan 26 20:43:08 idm1 systemd: Started The Apache HTTP Server.
Jan 26 20:43:09 idm1 systemd: Starting IPA Custodia Service...
Jan 26 20:43:09 idm1 ipa-custodia: 2018-01-26 20:43:09 - server - Serving on Unix socket /run/httpd/ipa-custodia.sock
Jan 26 20:43:09 idm1 systemd: Started IPA Custodia Service.
Jan 26 20:43:09 idm1 systemd: Starting Network Time Service...
Jan 26 20:43:09 idm1 ntpd[18606]: ntpd 4.2.6p5@1.2349-o Wed Apr 12 21:24:06 UTC 2017 (1)
Jan 26 20:43:09 idm1 ntpd[18607]: proto: precision = 0.092 usec
Jan 26 20:43:09 idm1 ntpd[18607]: 0.0.0.0 c01d 0d kern kernel time sync enabled
Jan 26 20:43:09 idm1 systemd: Started Network Time Service.
Jan 26 20:43:09 idm1 ntpd[18607]: getaddrinfo: "2001:638:a000:b201::/64" invalid host address, ignored
Jan 26 20:43:09 idm1 ntpd[18607]: restrict: error in address '2001:638:a000:b201::/64' on line 21. Ignoring...
Jan 26 20:43:09 idm1 ntpd[18607]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
Jan 26 20:43:09 idm1 ntpd[18607]: Listen and drop on 1 v6wildcard :: UDP 123
Jan 26 20:43:09 idm1 ntpd[18607]: Listen normally on 2 lo 127.0.0.1 UDP 123
Jan 26 20:43:09 idm1 ntpd[18607]: Listen normally on 3 eth0 10.188.220.100 UDP 123
Jan 26 20:43:09 idm1 ntpd[18607]: Listen normally on 4 lo ::1 UDP 123
Jan 26 20:43:09 idm1 ntpd[18607]: Listen normally on 5 eth0 fe80::5054:ff:fe4e:b270 UDP 123
Jan 26 20:43:09 idm1 ntpd[18607]: Listen normally on 6 eth0 2001:638:a000:b201::220:100 UDP 123
Jan 26 20:43:10 idm1 ntpd[18607]: Listening on routing socket on fd #23 for interface updates
Jan 26 20:43:10 idm1 ntpd[18607]: 0.0.0.0 c016 06 restart
Jan 26 20:43:10 idm1 ntpd[18607]: 0.0.0.0 c012 02 freq_set ntpd -11.506 PPM
Jan 26 20:43:10 idm1 systemd: Starting PKI Tomcat Server pki-tomcat...
Jan 26 20:43:10 idm1 ns-slapd: [26/Jan/2018:20:43:10.654518701 +0100] - WARN - csngen_new_csn - Too much time skew (-414240 secs). Current seqnum=1
Jan 26 20:43:10 idm1 ns-slapd: [26/Jan/2018:20:43:10.903986761 +0100] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToidm2.XXXkd.fau.de" (idm2:389) - Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
Jan 26 20:43:11 idm1 ns-slapd: [26/Jan/2018:20:43:11.090525190 +0100] - WARN - csngen_new_csn - Too much time skew (-414241 secs). Current seqnum=1
Jan 26 20:43:11 idm1 ns-slapd: [26/Jan/2018:20:43:11.418472466 +0100] - WARN - csngen_new_csn - Too much time skew (-414242 secs). Current seqnum=1
Jan 26 20:43:11 idm1 ns-slapd: [26/Jan/2018:20:43:11.690552308 +0100] - WARN - csngen_new_csn - Too much time skew (-414242 secs). Current seqnum=1
Jan 26 20:43:11 idm1 ns-slapd: [26/Jan/2018:20:43:11.913216706 +0100] - WARN - csngen_new_csn - Too much time skew (-414243 secs). Current seqnum=1
Jan 26 20:43:12 idm1 pkidaemon: -----------------------
Jan 26 20:43:12 idm1 pkidaemon: Banner is not installed
Jan 26 20:43:12 idm1 pkidaemon: -----------------------
Jan 26 20:43:12 idm1 pkidaemon: ----------------------
Jan 26 20:43:12 idm1 pkidaemon: Enabled all subsystems
Jan 26 20:43:12 idm1 pkidaemon: ----------------------
Jan 26 20:43:12 idm1 systemd: Started PKI Tomcat Server pki-tomcat.
Jan 26 20:43:12 idm1 server: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
Jan 26 20:43:12 idm1 server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
Jan 26 20:43:12 idm1 server: main class used: org.apache.catalina.startup.Bootstrap
Jan 26 20:43:12 idm1 server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni
Jan 26 20:43:12 idm1 server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy
Jan 26 20:43:12 idm1 server: arguments used: start
Jan 26 20:43:12 idm1 ns-slapd: [26/Jan/2018:20:43:12.856244489 +0100] - ERR - schema-compat-plugin - Finished plugin initialization.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://idm1.XXXkd.fau.de:9080/ca/ocsp' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'strictCiphers' to 'true' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property.
Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property. Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property. Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.SetAllPropertiesRule begin Jan 26 20:43:13 idm1 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property. Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.tomcat.util.digester.SetPropertiesRule begin Jan 26 20:43:13 idm1 server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property. Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.tomcat.util.digester.SetPropertiesRule begin Jan 26 20:43:13 idm1 server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property. 
Jan 26 20:43:13 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_init] Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.coyote.AbstractProtocol init Jan 26 20:43:13 idm1 server: INFO: Initializing ProtocolHandler ["http-bio-8080"] Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.coyote.AbstractProtocol init Jan 26 20:43:13 idm1 server: INFO: Initializing ProtocolHandler ["http-bio-8443"] Jan 26 20:43:13 idm1 server: Error: SSL cipher "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" not recognized by tomcatjss Jan 26 20:43:13 idm1 server: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" not recognized by tomcatjss Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.coyote.AbstractProtocol init Jan 26 20:43:13 idm1 server: INFO: Initializing ProtocolHandler ["ajp-bio-127.0.0.1-8009"] Jan 26 20:43:13 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[after_init] Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.Catalina load Jan 26 20:43:13 idm1 server: INFO: Initialization processed in 887 ms Jan 26 20:43:13 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[before_start] Jan 26 20:43:13 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[configure_start] Jan 26 20:43:13 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[start] Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.core.StandardService startInternal Jan 26 20:43:13 idm1 server: INFO: Starting service Catalina Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.core.StandardEngine startInternal Jan 26 20:43:13 idm1 server: INFO: Starting Servlet Engine: Apache Tomcat/7.0.76 Jan 26 20:43:13 idm1 server: Jan 26, 2018 8:43:13 PM org.apache.catalina.startup.HostConfig deployDescriptor Jan 26 20:43:13 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml Jan 26 20:43:13 
idm1 server: SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback Jan 26 20:43:13 idm1 server: SSLAuthenticatorWithFallback: Setting container Jan 26 20:43:14 idm1 ntpd[18607]: 0.0.0.0 c515 05 clock_sync Jan 26 20:43:15 idm1 server: Jan 26, 2018 8:43:15 PM org.apache.catalina.startup.TldConfig execute Jan 26 20:43:15 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time. Jan 26 20:43:15 idm1 server: SSLAuthenticatorWithFallback: Initializing authenticators Jan 26 20:43:15 idm1 server: SSLAuthenticatorWithFallback: Starting authenticators Jan 26 20:43:15 idm1 server: CMSEngine.initializePasswordStore() begins Jan 26 20:43:15 idm1 server: CMSEngine.initializePasswordStore(): tag=internaldb Jan 26 20:43:15 idm1 server: CMSEngine.initializePasswordStore(): tag=replicationdb Jan 26 20:43:16 idm1 ns-slapd: [26/Jan/2018:20:43:16.928242338 +0100] - WARN - csngen_new_csn - Too much time skew (-414239 secs). Current seqnum=1 Jan 26 20:43:17 idm1 ns-slapd: [26/Jan/2018:20:43:17.631952903 +0100] - WARN - csngen_new_csn - Too much time skew (-414239 secs). Current seqnum=1 Jan 26 20:43:17 idm1 ns-slapd: [26/Jan/2018:20:43:17.654048776 +0100] - WARN - csngen_new_csn - Too much time skew (-414240 secs). Current seqnum=1 Jan 26 20:43:18 idm1 server: SelfTestSubsystem: Disabling "ca" subsystem due to selftest failure. 
Jan 26 20:43:18 idm1 server: ----------------------- Jan 26 20:43:18 idm1 server: Disabled "ca" subsystem Jan 26 20:43:18 idm1 server: ----------------------- Jan 26 20:43:18 idm1 server: Subsystem ID: ca Jan 26 20:43:18 idm1 server: Instance ID: pki-tomcat Jan 26 20:43:18 idm1 server: Enabled: False Jan 26 20:43:18 idm1 server: Invalid class name repositorytop Jan 26 20:43:19 idm1 server: Invalid class name repositorytop Jan 26 20:43:19 idm1 server: at com.netscape.cmscore.dbs.DBRegistry.createObject(DBRegistry.java:485) Jan 26 20:43:19 idm1 server: at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:167) Jan 26 20:43:19 idm1 server: at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:137) Jan 26 20:43:19 idm1 server: at com.netscape.cmscore.dbs.Repository.getSerialNumber(Repository.java:125) Jan 26 20:43:19 idm1 server: at com.netscape.cmscore.dbs.Repository.initCache(Repository.java:244) Jan 26 20:43:19 idm1 server: at com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:460) Jan 26 20:43:19 idm1 server: at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1378) Jan 26 20:43:19 idm1 server: at com.netscape.certsrv.apps.CMS.startup(CMS.java:202) Jan 26 20:43:19 idm1 server: at com.netscape.certsrv.apps.CMS.start(CMS.java:1632) Jan 26 20:43:19 idm1 server: at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117) Jan 26 20:43:19 idm1 server: at javax.servlet.GenericServlet.init(GenericServlet.java:158) Jan 26 20:43:19 idm1 server: at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) Jan 26 20:43:19 idm1 server: at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) Jan 26 20:43:19 idm1 server: at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) Jan 26 20:43:19 idm1 server: at java.lang.reflect.Method.invoke(Method.java:498) Jan 26 20:43:19 idm1 server: at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288) Jan 26 
20:43:19 idm1 server: at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285) Jan 26 20:43:19 idm1 server: at java.security.AccessController.doPrivileged(Native Method) Jan 26 20:43:19 idm1 server: at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) Jan 26 20:43:19 idm1 server: at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320) Jan 26 20:43:19 idm1 server: at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175) Jan 26 20:43:19 idm1 server: at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124) Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1257) Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1182) Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1072) Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5368) Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5660) Jan 26 20:43:19 idm1 server: at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145) Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899) Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133) Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156) Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145) Jan 26 20:43:19 idm1 server: at java.security.AccessController.doPrivileged(Native Method) Jan 26 20:43:19 idm1 server: at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873) Jan 26 20:43:19 idm1 server: at 
org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652) Jan 26 20:43:19 idm1 server: at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679) Jan 26 20:43:19 idm1 server: at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966) Jan 26 20:43:19 idm1 server: at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) Jan 26 20:43:19 idm1 server: at java.util.concurrent.FutureTask.run(FutureTask.java:266) Jan 26 20:43:19 idm1 server: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) Jan 26 20:43:19 idm1 server: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) Jan 26 20:43:19 idm1 server: at java.lang.Thread.run(Thread.java:748) Jan 26 20:43:19 idm1 server: Jan 26, 2018 8:43:19 PM org.apache.catalina.startup.HostConfig deployDescriptor Jan 26 20:43:19 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 5,274 ms Jan 26 20:43:19 idm1 server: Jan 26, 2018 8:43:19 PM org.apache.catalina.startup.HostConfig deployDescriptor Jan 26 20:43:19 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml Jan 26 20:43:19 idm1 server: Jan 26, 2018 8:43:19 PM org.apache.catalina.startup.TldConfig execute Jan 26 20:43:19 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time. 
Jan 26 20:43:19 idm1 server: Jan 26, 2018 8:43:19 PM org.apache.catalina.startup.HostConfig deployDescriptor Jan 26 20:43:19 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml has finished in 738 ms Jan 26 20:43:19 idm1 server: Jan 26, 2018 8:43:19 PM org.apache.catalina.startup.HostConfig deployDescriptor Jan 26 20:43:19 idm1 server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml Jan 26 20:43:20 idm1 server: Jan 26, 2018 8:43:20 PM org.apache.catalina.startup.TldConfig execute Jan 26 20:43:20 idm1 server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time. Jan 26 20:43:20 idm1 server: Jan 26, 2018 8:43:20 PM org.apache.catalina.startup.HostConfig deployDescriptor Jan 26 20:43:20 idm1 server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml has finished in 1,088 ms Jan 26 20:43:20 idm1 server: Jan 26, 2018 8:43:20 PM org.apache.coyote.AbstractProtocol start Jan 26 20:43:20 idm1 server: INFO: Starting ProtocolHandler ["http-bio-8080"] Jan 26 20:43:20 idm1 server: Jan 26, 2018 8:43:20 PM org.apache.coyote.AbstractProtocol start Jan 26 20:43:20 idm1 server: INFO: Starting ProtocolHandler ["http-bio-8443"] Jan 26 20:43:20 idm1 server: Jan 26, 2018 8:43:20 PM org.apache.coyote.AbstractProtocol start Jan 26 20:43:20 idm1 server: INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"] Jan 26 20:43:20 idm1 server: PKIListener: org.apache.catalina.core.StandardServer[after_start] Jan 26 20:43:20 idm1 server: PKIListener: Subsystem CA is disabled. Jan 26 20:43:20 idm1 server: PKIListener: Check /var/log/pki/pki-tomcat/ca/selftests.log for possible errors. 
Jan 26 20:43:20 idm1 server: PKIListener: To enable the subsystem: Jan 26 20:43:20 idm1 server: PKIListener: pki-server subsystem-enable -i pki-tomcat ca Jan 26 20:43:20 idm1 server: Jan 26, 2018 8:43:20 PM org.apache.catalina.startup.Catalina start Jan 26 20:43:20 idm1 server: INFO: Server startup in 7197 ms Jan 26 20:43:21 idm1 ns-slapd: [26/Jan/2018:20:43:21.078383741 +0100] - WARN - csngen_new_csn - Too much time skew (-414238 secs). Current seqnum=1 Jan 26 20:43:21 idm1 ns-slapd: [26/Jan/2018:20:43:21.369142943 +0100] - WARN - csngen_new_csn - Too much time skew (-414239 secs). Current seqnum=1 Jan 26 20:43:29 idm1 ns-slapd: [26/Jan/2018:20:43:29.176587570 +0100] - WARN - csngen_new_csn - Too much time skew (-414232 secs). Current seqnum=1 Jan 26 20:43:31 idm1 server: Jan 26, 2018 8:43:31 PM org.apache.catalina.startup.HostConfig undeploy Jan 26 20:43:31 idm1 server: INFO: Undeploying context [/ca] Jan 26 20:43:31 idm1 server: SSLAuthenticatorWithFallback: Stopping authenticators Jan 26 20:43:31 idm1 server: Jan 26, 2018 8:43:31 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads Jan 26 20:43:31 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-0 ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak. Jan 26 20:43:31 idm1 server: Jan 26, 2018 8:43:31 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads Jan 26 20:43:31 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-2 ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak. Jan 26 20:43:31 idm1 server: Jan 26, 2018 8:43:31 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads Jan 26 20:43:31 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [authorityMonitor] but has failed to stop it. 
This is very likely to create a memory leak. Jan 26 20:43:31 idm1 server: Jan 26, 2018 8:43:31 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads Jan 26 20:43:31 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-3 ldaps://idm1.XXXkd.fau.de:636] but has failed to stop it. This is very likely to create a memory leak. Jan 26 20:43:31 idm1 server: Jan 26, 2018 8:43:31 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads Jan 26 20:43:31 idm1 server: SEVERE: The web application [/ca] appears to have started a thread named [profileChangeMonitor] but has failed to stop it. This is very likely to create a memory leak. Jan 26 20:43:31 idm1 server: SSLAuthenticatorWithFallback: Setting container Jan 26 20:43:38 idm1 ns-slapd: [26/Jan/2018:20:43:38.212105934 +0100] - WARN - csngen_new_csn - Too much time skew (-414224 secs). Current seqnum=1 Jan 26 20:43:38 idm1 ns-slapd: [26/Jan/2018:20:43:38.221564490 +0100] - WARN - csngen_new_csn - Too much time skew (-414225 secs). Current seqnum=1 Jan 26 20:43:50 idm1 ns-slapd: [26/Jan/2018:20:43:50.895768971 +0100] - WARN - csngen_new_csn - Too much time skew (-414213 secs). Current seqnum=1 Jan 26 20:43:50 idm1 ns-slapd: [26/Jan/2018:20:43:50.928585085 +0100] - WARN - csngen_new_csn - Too much time skew (-414214 secs). Current seqnum=1 Jan 26 20:43:50 idm1 ns-slapd: [26/Jan/2018:20:43:50.973568568 +0100] - WARN - csngen_new_csn - Too much time skew (-414215 secs). Current seqnum=1 Jan 26 20:43:50 idm1 ns-slapd: [26/Jan/2018:20:43:50.996767806 +0100] - WARN - csngen_new_csn - Too much time skew (-414216 secs). Current seqnum=1 Jan 26 20:43:53 idm1 ns-slapd: [26/Jan/2018:20:43:53.245471011 +0100] - WARN - csngen_new_csn - Too much time skew (-414215 secs). Current seqnum=1 Jan 26 20:44:09 idm1 ns-slapd: [26/Jan/2018:20:44:09.057455395 +0100] - WARN - csngen_new_csn - Too much time skew (-414200 secs). 
Current seqnum=1 Jan 26 20:44:09 idm1 ns-slapd: [26/Jan/2018:20:44:09.080883041 +0100] - WARN - csngen_new_csn - Too much time skew (-414201 secs). Current seqnum=1 Jan 26 20:44:22 idm1 ns-slapd: [26/Jan/2018:20:44:22.056086120 +0100] - WARN - csngen_new_csn - Too much time skew (-414189 secs). Current seqnum=1 Jan 26 20:44:22 idm1 ns-slapd: [26/Jan/2018:20:44:22.083244850 +0100] - WARN - csngen_new_csn - Too much time skew (-414190 secs). Current seqnum=1 Jan 26 20:44:22 idm1 ns-slapd: [26/Jan/2018:20:44:22.090879226 +0100] - WARN - csngen_new_csn - Too much time skew (-414191 secs). Current seqnum=1
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
-- Christof Schulze
Institute of Materials Simulation (WW8) Department of Materials Science Friedrich-Alexander-University Erlangen-Nürnberg Dr.-Mack-Str. 77, 90762 Fürth, Germany
Tel: 0911/65078-65069 Email: christof.schulze@ww.uni-erlangen.de
Hi,
Problem solved.
Just took the whole /etc/pki/pki-tomcat/alias folder from the backup. Added permissions and SELinux labels, and went back to Christmas.
Problem still there, renewal did not work:
ca-error: Invalid cookie: ''
From another (old) thread someone had a similar problem, invalid cookie: '' and no "CA renewal master".
In the LDAP my "first master" was the first master, but someone (me) forgot when it was rebuilt (cloned) from one of the other masters to promote it to a "CA renewal master".
ipa config-show ... IPA CA renewal master: idm1.XXXkd.fau.de
but
ca.crl.MasterCRL.enableCRLUpdates=false
ca.crl.MasterCRL.enableCRLCache=false
And even certmonger didn't know about it.
getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca" | grep post-save
'restart_pkicad' and not 'renew_ca_cert' like it should for a CA renewal master.
So thanks to Fraser's blog, I was able to find and fix the configuration problem, restarted pki-tomcatd, httpd and certmonger, and renewed all the expiring certificates.
Everything is working now again, weekend can come.
Thanks for all the help
On 02.02.2018 02:31, Fraser Tweedale wrote:
On Thu, Feb 01, 2018 at 10:39:00AM +0100, Christof Schulze via FreeIPA-users wrote:
pki-tomcatd does not start because the 'auditSigningCert cert-pki-ca' is always invalid (expired or not valid now)
Old one
Not Before: Feb 9 12:01:11 2016 GMT
Not After : Jan 29 12:01:11 2018 GMT
New one
Not Before: Jan 29 13:22:53 2018 GMT
Not After : Jan 19 13:22:53 2020 GMT
Can I just restore this certificate from an old backup and try to resubmit it long before it is expiring?
Or do I have to do an ipa-restore from the old backup.
This certificate is also already replicated to the replicas.
Sure. Back up the certificate and key using `pk12util` first. (Or just make a copy of the whole NSSDB.) Then delete the certificate from the NSSDB using `certutil -D`. (I think this will leave the key in place.) Then add the older certificate that will be valid according to the system time. Then Dogtag should start, and you should be able to continue recovering the system.
HTH, Fraser
On Fri, Feb 02, 2018 at 01:35:38PM +0100, Christof Schulze via FreeIPA-users wrote:
Hi,
Problem solved.
Just took the whole /etc/pki/pki-tomcat/alias folder from the backup. Added permissions and SELinux labels, and went back to Christmas.
Problem still there, renewal did not work:
ca-error: Invalid cookie: ''
From another (old) thread someone had a similar problem, invalid cookie: '' and no "CA renewal master".
In the LDAP my "first master" was the first master, but someone (me) forgot when it was rebuilt (cloned) from one of the other masters to promote it to a "CA renewal master".
ipa config-show ... IPA CA renewal master: idm1.XXXkd.fau.de
but
ca.crl.MasterCRL.enableCRLUpdates=false
ca.crl.MasterCRL.enableCRLCache=false
And even certmonger didn't know about it.
getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca" | grep post-save
'restart_pkicad' and not 'renew_ca_cert' like it should for a CA renewal master.
So thanks to Fraser's blog, I was able to find and fix the configuration problem, restarted pki-tomcatd, httpd and certmonger, and renewed all the expiring certificates.
Everything is working now again, weekend can come.
Glad we were able to help. I hope you had a nice, stress-free weekend :)
Cheers, Fraser
Thanks for all the help
On 02.02.2018 02:31, Fraser Tweedale wrote:
On Thu, Feb 01, 2018 at 10:39:00AM +0100, Christof Schulze via FreeIPA-users wrote:
pki-tomcatd does not start because the 'auditSigningCert cert-pki-ca' is always invalid (expired or not valid now)
Old one
Not Before: Feb 9 12:01:11 2016 GMT
Not After : Jan 29 12:01:11 2018 GMT
New one
Not Before: Jan 29 13:22:53 2018 GMT
Not After : Jan 19 13:22:53 2020 GMT
Can I just restore this certificate from an old backup and try to resubmit it long before it is expiring?
Or do I have to do an ipa-restore from the old backup.
This certificate is also already replicated to the replicas.
Sure. Back up the certificate and key using `pk12util` first. (Or just make a copy of the whole NSSDB.) Then delete the certificate from the NSSDB using `certutil -D`. (I think this will leave the key in place.) Then add the older certificate that will be valid according to the system time. Then Dogtag should start, and you should be able to continue recovering the system.
HTH, Fraser
-- Christof Schulze
Institute of Materials Simulation (WW8) Department of Materials Science Friedrich-Alexander-University Erlangen-Nürnberg Dr.-Mack-Str. 77, 90762 Fürth, Germany
Tel: 0911/65078-65069 Email: christof.schulze@ww.uni-erlangen.de
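The mismatch reported in the "Problem solved" message above (the renewal master named by `ipa config-show`, the two `ca.crl.MasterCRL` settings, and the certmonger post-save helper), turned into a check. This is an added Python example, not code from the thread or from FreeIPA. The hostnames, request IDs and paths in the sample inputs are constructed, and checking only the two certificate nicknames named in the thread is an assumption.

```python
import re

# Constructed sample inputs: hostnames, request IDs and paths are invented.
CONFIG_SHOW = ("  IPA masters: idm1.example.test, idm2.example.test\n"
               "  IPA CA renewal master: idm1.example.test\n")
CA_CFG = ("ca.crl.MasterCRL.enableCRLUpdates=false\n"
          "ca.crl.MasterCRL.enableCRLCache=false\n")
GETCERT = """Number of certificates and requests being tracked: 2.
Request ID '20180101000001':
\tstatus: MONITORING
\tca-error: Invalid cookie: ''
\tcertificate: type=NSSDB,location='/constructed/alias',nickname='subsystemCert cert-pki-ca'
\tpost-save command: /constructed/bin/restart_pkicad
Request ID '20180101000002':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/constructed/httpd',nickname='Server-Cert'
\tpost-save command: /constructed/bin/restart_httpd
"""

# Assumption: only the two CA certificates named in the thread are checked.
CA_NICKNAMES = {"subsystemCert cert-pki-ca", "auditSigningCert cert-pki-ca"}
CRL_KEYS = ("ca.crl.MasterCRL.enableCRLUpdates", "ca.crl.MasterCRL.enableCRLCache")


def renewal_master(config_show_text):
    """Host named on the 'IPA CA renewal master' line, or None."""
    m = re.search(r"^\s*IPA CA renewal master:\s*(\S+)\s*$", config_show_text, re.M)
    return m.group(1) if m else None


def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def parse_getcert_list(text):
    """Return one dict of fields per 'Request ID' stanza."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"^Request ID '([^']+)':\s*$", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            # Split on the first colon only: values such as the ca-error
            # text contain further colons.
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    for req in requests:
        nick = re.search(r"nickname='([^']*)'", req.get("certificate", ""))
        req["nickname"] = nick.group(1) if nick else None
    return requests


def audit(hostname, config_show_text, ca_cfg_text, getcert_text):
    """Return (code, detail) findings for the mismatches described in the thread."""
    findings = []
    master = renewal_master(config_show_text)
    if master is None:
        findings.append(("no-master", "ipa config-show names no CA renewal master"))
    is_master = master is not None and master.lower() == hostname.lower()
    if is_master:
        props = parse_properties(ca_cfg_text)
        for key in CRL_KEYS:
            if props.get(key, "").lower() != "true":
                findings.append(("crl-config", f"{key}={props.get(key, '<unset>')}"))
    for req in parse_getcert_list(getcert_text):
        if req["nickname"] not in CA_NICKNAMES:
            continue
        command = req.get("post-save command", "")
        helper = command.split()[0].rsplit("/", 1)[-1] if command else "<none>"
        if is_master and helper != "renew_ca_cert":
            findings.append(("post-save", f"{req['nickname']}: {helper}"))
        if "ca-error" in req:
            findings.append(("ca-error", f"{req['nickname']}: {req['ca-error']}"))
    return findings


if __name__ == "__main__":
    for code, detail in audit("idm1.example.test", CONFIG_SHOW, CA_CFG, GETCERT):
        print(f"{code}: {detail}")
```

On a real server the three text arguments would come from `ipa config-show`, the CA's configuration file and `getcert list`; an empty result means none of the mismatches from the thread were found on that host.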