Hello all,
for one or two days now I haven't been able to access the WebUI on my IPA Master (4.9.10). With the
Replica it works without problems.
In /var/log/messages I have the following messages:
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caTPSCert.cfg:82: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1wit>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/AdminCert.cfg:83: policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1with>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caJarSigningCert.cfg:83: policyset.caJarSigningSet.6.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRS>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caAgentFileSigning.cfg:83: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRS>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caOtherCert.cfg:82: policyset.otherCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1wi>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caUUIDdeviceCert.cfg:96: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SH>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caUserCert.cfg:98: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1with>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caRACert.cfg:82: policyset.raCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caRARouterCert.cfg:82: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SH>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caUserSMIMEcapCert.cfg:98: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caRAagentCert.cfg:92: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1w>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caRAserverCert.cfg:82: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SH>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caRouterCert.cfg:82: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caCrossSignedCACert.cfg:79: policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,S>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDirBasedDualCert.cfg:92: policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384wi>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDirBasedDualCert.cfg:164: policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512with>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDirBasedDualCert.cfg:168: policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDirPinUserCert.cfg:96: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SH>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDirUserCert.cfg:96: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1w>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caServerKeygen_DirUserCert.cfg:101: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA51>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDualCert.cfg:92: policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SH>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDualCert.cfg:164: policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDualCert.cfg:168: policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1wit>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caServerKeygen_UserCert.cfg:101: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512wi>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDualRAuserCert.cfg:91: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SH>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caSigningUserCert.cfg:82: policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRS>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caECDualCert.cfg:164: policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SH>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caInternalAuthOCSPCert.cfg:68: policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512with>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caEncUserCert.cfg:92: policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caIPAserviceCert.cfg:82: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,>
Sep 3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caInstallCACert.cfg:83: policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1w>
Sep 3 10:44:49 fedora server[2507]: Java virtual machine used: /usr/lib/jvm/jre-17-openjdk/bin/java
Sep 3 10:44:49 fedora server[2507]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:
Sep 3 10:44:49 fedora server[2507]: main class used: org.apache.catalina.startup.Bootstrap
Sep 3 10:44:49 fedora server[2507]: flags used: -Dcom.redhat.fips=false
Sep 3 10:44:49 fedora server[2507]: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pk>
Sep 3 10:44:49 fedora server[2507]: arguments used: start
Sep 3 10:44:49 fedora server[2507]: NOTE: Picked up JDK_JAVA_OPTIONS: --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.co>
Sep 3 10:44:49 fedora server[2507]: WARNING: A command line option has enabled the Security Manager
Sep 3 10:44:49 fedora server[2507]: WARNING: The Security Manager is deprecated and will be removed in a future release
Sep 3 10:44:50 fedora ipa-pki-wait-running[2508]: pki.client: /usr/libexec/ipa/ipa-pki-wait-running:61: The subsystem in PKIConnection.__init__() has been deprecated (https://www.dogtagpki.org/wiki/PKI_10.8_Python_Changes).
Sep 3 10:44:50 fedora ipa-pki-wait-running[2508]: ipa-pki-wait-running: Created connection http://ipa.kolanos.net:8080/ca
Sep 3 10:44:50 fedora ipa-pki-wait-running[2508]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa.kolanos.net', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<url>
Sep 3 10:44:51 fedora ipa-pki-wait-running[2508]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa.kolanos.net', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<url>
Sep 3 10:44:52 fedora certmonger[2542]: 2022-09-03 10:44:52 [2542] Certificate "KOLANOS.NET IPA CA" valid for 589414559s.
Sep 3 10:44:52 fedora pcscd[833]: 03957038 auth.c:137:IsClientAuthorized() Process 2507 (user: 17) is NOT authorized for action: access_pcsc
Sep 3 10:44:52 fedora pcscd[833]: 00000451 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Sep 3 10:44:52 fedora pcscd[833]: 00048514 auth.c:137:IsClientAuthorized() Process 2507 (user: 17) is NOT authorized for action: access_pcsc
Sep 3 10:44:52 fedora pcscd[833]: 00000400 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Sep 3 10:44:52 fedora ipa-pki-wait-running[2508]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa.kolanos.net', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<url>
Sep 3 10:44:52 fedora pcscd[833]: 00035722 auth.c:137:IsClientAuthorized() Process 2507 (user: 17) is NOT authorized for action: access_pcsc
Sep 3 10:44:52 fedora pcscd[833]: 00000293 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Sep 3 10:44:52 fedora pcscd[833]: 00039624 auth.c:137:IsClientAuthorized() Process 2507 (user: 17) is NOT authorized for action: access_pcsc
Sep 3 10:44:52 fedora pcscd[833]: 00000335 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Sep 3 10:44:53 fedora ipa-pki-wait-running[2508]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa.kolanos.net', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<url>
Sep 3 10:44:54 fedora server[2507]: WARNING: Some of the specified [protocols] are not supported by the SSL engine and have been skipped: [[TLSv1, TLSv1.1]]
Sep 3 10:44:55 fedora ipa-pki-wait-running[2508]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa.kolanos.net', port=8080): Read timed out. (read timeout=1.0)
Does anyone have a tip for me on how I can proceed here?
Thanks a lot
vapaa