Dear flo,
> At this point you also need to restart pki:
Thanks, I restarted pki-tomcatd and resubmitted the request, then waited, but sadly
the request still reports CA_UNREACHABLE (see the transcript below).
I guess something else may also need attention?
Best wishes
Stuart
----------------------------------------------------------------------------------------------------------------
[root@freeipa01 ~]# systemctl status pki-tomcatd@pki-tomcat.service
● pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
Loaded: loaded (/lib/systemd/system/pki-tomcatd@.service; enabled; vendor preset:
disabled)
Active: active (running) since Wed 2020-09-16 09:03:41 BST; 1 months 0 days left
Process: 1236 ExecStartPre=/usr/bin/pkidaemon start pki-tomcat (code=exited,
status=0/SUCCESS)
Main PID: 1353 (java)
Tasks: 91 (limit: 4915)
CGroup: /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd@pki-tomcat.service
└─1353 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
-DRESTEASY_LIB=/usr/share/java/resteasy -Djava.library.path=/usr/lib64/nuxwd
Aug 16 09:42:58 freeipa01.our_domain server[1353]: Aug 16, 2020 9:42:58 AM
org.apache.catalina.core.ContainerBase bac
Aug 16 09:42:58 freeipa01.our_domain server[1353]: WARNING: Exception processing realm
com.netscape.cms.tomcat.ProxyR
Aug 16 09:42:58 freeipa01.our_domain server[1353]:
javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Aug 16 09:42:58 freeipa01.our_domain server[1353]: at
com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(Pr
Aug 16 09:42:58 freeipa01.our_domain server[1353]: at
org.apache.catalina.core.ContainerBase.backgroundProces
Aug 16 09:42:58 freeipa01.our_domain server[1353]: at
org.apache.catalina.core.StandardContext.backgroundProc
Aug 16 09:42:58 freeipa01.our_domain server[1353]: at
org.apache.catalina.core.ContainerBase$ContainerBackgro
Aug 16 09:42:58 freeipa01.our_domain server[1353]: at
org.apache.catalina.core.ContainerBase$ContainerBackgro
Aug 16 09:42:58 freeipa01.our_domain server[1353]: at
org.apache.catalina.core.ContainerBase$ContainerBackgro
Aug 16 09:42:58 freeipa01.our_domain server[1353]: at
java.lang.Thread.run(Thread.java:748)
[root@freeipa01 ~]# systemctl restart pki-tomcatd@pki-tomcat.service
[root@freeipa01 ~]# systemctl status pki-tomcatd@pki-tomcat.service
● pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
Loaded: loaded (/lib/systemd/system/pki-tomcatd@.service; enabled; vendor preset:
disabled)
Active: active (running) since Sun 2020-08-16 09:43:19 BST; 3s ago
Process: 1987 ExecStop=/usr/libexec/tomcat/server stop (code=exited, status=0/SUCCESS)
Process: 2021 ExecStartPre=/usr/bin/pkidaemon start pki-tomcat (code=exited,
status=0/SUCCESS)
Main PID: 2135 (java)
Tasks: 17 (limit: 4915)
CGroup: /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd@pki-tomcat.service
└─2135 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
-DRESTEASY_LIB=/usr/share/java/resteasy -Djava.library.path=/usr/lib64/nuxwd
Aug 16 09:43:22 freeipa01.our_domain server[2135]: Aug 16, 2020 9:43:22 AM
org.apache.catalina.startup.HostConfig dep
Aug 16 09:43:22 freeipa01.our_domain server[2135]: INFO: Deploying configuration
descriptor /etc/pki/pki-tomcat/Catal
Aug 16 09:43:22 freeipa01.our_domain server[2135]: Aug 16, 2020 9:43:22 AM
org.apache.jasper.servlet.TldScanner scanJ
Aug 16 09:43:22 freeipa01.our_domain server[2135]: INFO: At least one JAR was scanned for
TLDs yet contained no TLDs.
Aug 16 09:43:22 freeipa01.our_domain server[2135]: Aug 16, 2020 9:43:22 AM
org.apache.catalina.startup.HostConfig dep
Aug 16 09:43:22 freeipa01.our_domain server[2135]: INFO: Deployment of configuration
descriptor /etc/pki/pki-tomcat/C
Aug 16 09:43:22 freeipa01.our_domain server[2135]: Aug 16, 2020 9:43:22 AM
org.apache.catalina.startup.HostConfig dep
Aug 16 09:43:22 freeipa01.our_domain server[2135]: INFO: Deploying configuration
descriptor /etc/pki/pki-tomcat/Catal
Aug 16 09:43:22 freeipa01.our_domain server[2135]: SSLAuthenticatorWithFallback: Creating
SSL authenticator with fall
Aug 16 09:43:22 freeipa01.our_domain server[2135]: SSLAuthenticatorWithFallback: Setting
container
[root@freeipa01 ~]# getcert resubmit -i 20170405152512
Resubmitting "20170405152512" to "IPA".
[root@freeipa01 ~]# sleep 120
[root@freeipa01 ~]# getcert list -i 20170405152512
Number of certificates and requests being tracked: 8.
Request ID '20170405152512':
status: CA_UNREACHABLE
ca-error: Server at
https://freeipa01.our_domain/ipa/xml failed request, will retry:
4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST
API: 500. ).
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=OUR_DOMAIN
subject: CN=freeipa01.our_domain,O=OUR_DOMAIN
expires: 2020-09-04 17:46:56 BST
principal name: HTTP/freeipa01.our_domain@OUR_DOMAIN
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
[root@freeipa01 ~]# date
Sun 16 Aug 09:46:26 BST 2020
[root@freeipa01 ~]# getcert list -i 20170405152512
Number of certificates and requests being tracked: 8.
Request ID '20170405152512':
status: CA_UNREACHABLE
ca-error: Server at
https://freeipa01.our_domain/ipa/xml failed request, will retry:
4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST
API: 500. ).
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=OUR_DOMAIN
subject: CN=freeipa01.our_domain,O=OUR_DOMAIN
expires: 2020-09-04 17:46:56 BST
principal name: HTTP/freeipa01.our_domain@OUR_DOMAIN
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
[root@freeipa01 ~]# date
Sun 16 Aug 09:53:16 BST 2020
[root@freeipa01 ~]#