Hi, I want to upgrade the Tomcat version from 9.0.62 to 9.0.98 in FreeIPA 4.11.0 on CentOS 9.

[root@aaa ~]# yum list installed tomcat*
Installed Packages
tomcat.noarch                     1:9.0.62-39.el9    @appstream
tomcat-el-3.0-api.noarch          1:9.0.62-39.el9    @appstream
tomcat-jsp-2.3-api.noarch         1:9.0.62-39.el9    @appstream
tomcat-lib.noarch                 1:9.0.62-39.el9    @appstream
tomcat-servlet-4.0-api.noarch     1:9.0.62-39.el9    @appstream

[root@aaa ~]# yum list available tomcat*
Available Packages
tomcat.noarch                     1:9.0.87-2.el9          appstream
tomcat-admin-webapps.noarch       1:9.0.87-2.el9          appstream
tomcat-docs-webapp.noarch         1:9.0.87-2.el9          appstream
tomcat-el-3.0-api.noarch          1:9.0.87-2.el9          appstream
tomcat-jsp-2.3-api.noarch         1:9.0.87-2.el9          appstream
tomcat-lib.noarch                 1:9.0.87-2.el9          appstream
tomcat-servlet-4.0-api.noarch     1:9.0.87-2.el9          appstream
tomcat-webapps.noarch             1:9.0.87-2.el9          appstream
tomcatjss.noarch                  8.2.0-0.2.beta1.el9     appstream

It can't be updated with yum, so I downloaded Tomcat 9.0.98 with the command: "wget https://dlcdn.apache.org/tomcat/tomcat-9/v9.0.98/bin/apache-tomcat-9.0.98.ta..." I changed the system time to force certificate renewal. Some certificates renewed successfully, but some failed:

Request ID '20240627032922':
        status: CA_UNREACHABLE
        ca-error: Error 7 connecting to http://aaa.bbb.com:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=BBB.COM
        subject: CN=aaa.bbb.com,O=BBB.COM
        issued: 2024-06-27 03:28:19 UTC
        expires: 2026-06-17 03:28:19 UTC
        dns: aaa.bbb..com
        key usage: digitalSignature,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        profile: caServerCert
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
        track: yes
        auto-renew: yes

Can someone help me?
Thanks a lot.
Tran Ngoc Duc via FreeIPA-users wrote:
> Hi, I want to upgrade the Tomcat version from 9.0.62 to 9.0.98 in FreeIPA 4.11.0 on CentOS 9.
>
> [root@aaa ~]# yum list installed tomcat*
> Installed Packages
> tomcat.noarch                     1:9.0.62-39.el9    @appstream
> tomcat-el-3.0-api.noarch          1:9.0.62-39.el9    @appstream
> tomcat-jsp-2.3-api.noarch         1:9.0.62-39.el9    @appstream
> tomcat-lib.noarch                 1:9.0.62-39.el9    @appstream
> tomcat-servlet-4.0-api.noarch     1:9.0.62-39.el9    @appstream
>
> [root@aaa ~]# yum list available tomcat*
> Available Packages
> tomcat.noarch                     1:9.0.87-2.el9          appstream
> tomcat-admin-webapps.noarch       1:9.0.87-2.el9          appstream
> tomcat-docs-webapp.noarch         1:9.0.87-2.el9          appstream
> tomcat-el-3.0-api.noarch          1:9.0.87-2.el9          appstream
> tomcat-jsp-2.3-api.noarch         1:9.0.87-2.el9          appstream
> tomcat-lib.noarch                 1:9.0.87-2.el9          appstream
> tomcat-servlet-4.0-api.noarch     1:9.0.87-2.el9          appstream
> tomcat-webapps.noarch             1:9.0.87-2.el9          appstream
> tomcatjss.noarch                  8.2.0-0.2.beta1.el9     appstream
>
> It can't be updated with yum, so I downloaded Tomcat 9.0.98 with the command: "wget https://dlcdn.apache.org/tomcat/tomcat-9/v9.0.98/bin/apache-tomcat-9.0.98.ta..." I changed the system time to force certificate renewal. Some certificates renewed successfully, but some failed:
>
> Request ID '20240627032922':
>         status: CA_UNREACHABLE
>         ca-error: Error 7 connecting to http://aaa.bbb.com:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=BBB.COM
>         subject: CN=aaa.bbb.com,O=BBB.COM
>         issued: 2024-06-27 03:28:19 UTC
>         expires: 2026-06-17 03:28:19 UTC
>         dns: aaa.bbb..com
>         key usage: digitalSignature,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         profile: caServerCert
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>         track: yes
>         auto-renew: yes
>
> Can someone help me?
Why did you sideload the tomcat package this way?
Did you spin up your own rpm package from the tarball or just untar it?
I'm not sure if any testing has been done with tomcat 9.0.98. Note that rpm versioning can be misleading, as CentOS and RHEL often backport fixes rather than rebasing.
Why did you change time? Just to see if this would work? Or were certs already expired? If they are expired why introduce another variable?
What did you change time from and to?
rob
Hello Rob,
I checked that the latest Tomcat version available in the CentOS 9 repositories is 9.0.87-2.el9, so I had to download the Tomcat package from the official Tomcat downloads page.
I backed up the old tomcat folder. I untarred the new one and replaced the old tomcat folder. After that I replaced /usr/share/tomcat/lib with /root/apache-tomcat-9.0.98/lib.
I changed the system time to test renewal; I set the time to 7 days before the certificates expire.
Example (I set the time to 2026-04-22):

Request ID '20240627032920':
        status: MONITORING ==> SUBMITTING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issued: 2024-05-09 18:56:38 UTC
        expires: 2026-04-29 18:56:38 UTC

===============>

Request ID '20240627032920':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issued: 2025-01-10 09:23:55 UTC
        expires: 2026-12-31 09:23:55 UTC
Tran Ngoc Duc via FreeIPA-users wrote:
> Hello Rob,
> I checked that the latest Tomcat version available in the CentOS 9 repositories is 9.0.87-2.el9, so I had to download the Tomcat package from the official Tomcat downloads page.
> I backed up the old tomcat folder. I untarred the new one and replaced the old tomcat folder. After that I replaced /usr/share/tomcat/lib with /root/apache-tomcat-9.0.98/lib.
> I changed the system time to test renewal; I set the time to 7 days before the certificates expire.
> Example (I set the time to 2026-04-22):
>
> Request ID '20240627032920':
>         status: MONITORING ==> SUBMITTING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issued: 2024-05-09 18:56:38 UTC
>         expires: 2026-04-29 18:56:38 UTC
>
> ===============>
>
> Request ID '20240627032920':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issued: 2025-01-10 09:23:55 UTC
>         expires: 2026-12-31 09:23:55 UTC
That is the "what" but not the "why".
What is your goal in manually updating tomcat?
Why are you manually moving time forward? Is it merely to test that renewal will work?
Did you tweak anything else?
Did you have a time service running?
You moved time into 2026 but got a certificate issued in 2025. The CA uses standard time routines to obtain the date and time. It won't go backwards on its own. Even still it only issued a certificate valid for 11 months. Something else is going on here.
rob
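Both of Tran's messages paste `getcert list` output: the CA_UNREACHABLE request in the first one and the before/after renewal of the subsystem certificate in the second. The following is an added example, not code from the thread, from certmonger or from FreeIPA. It assumes only the layout certmonger prints (a "Request ID '...':" header followed by indented "key: value" lines, as quoted above) and parses that text into a per-request report: requests whose status is not MONITORING together with their ca-error, certificates near expiry, and certificates whose "issued" time lies after the clock you pass in, which is the check that surfaces the host/CA time disagreement Rob describes. The sample output is constructed from the fields shown in the thread; the hostnames and request IDs are the thread's own placeholders.

```python
"""Audit certmonger tracking requests from `getcert list` text (added example)."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed from the fields quoted in the thread; placeholder hosts/IDs.
SAMPLE_OUTPUT = """\
Request ID '20240627032922':
\tstatus: CA_UNREACHABLE
\tca-error: Error 7 connecting to http://aaa.bbb.com:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tissued: 2024-06-27 03:28:19 UTC
\texpires: 2026-06-17 03:28:19 UTC
Request ID '20240627032920':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tissued: 2025-01-10 09:23:55 UTC
\texpires: 2026-12-31 09:23:55 UTC
"""

REQUEST_HEADER = re.compile(r"^Request ID '([^']+)':\s*$")
NICKNAME = re.compile(r"nickname='([^']+)'")
TIME_FORMAT = "%Y-%m-%d %H:%M:%S UTC"  # the timestamp form certmonger prints


def parse_time(value: str) -> datetime:
    """Turn an 'issued:'/'expires:' value into an aware UTC datetime."""
    return datetime.strptime(value, TIME_FORMAT).replace(tzinfo=timezone.utc)


@dataclass
class TrackingRequest:
    request_id: str
    fields: dict = field(default_factory=dict)

    @property
    def nickname(self) -> str:
        m = NICKNAME.search(self.fields.get("certificate", ""))
        return m.group(1) if m else "(unknown)"

    def time(self, key: str):
        value = self.fields.get(key)
        return parse_time(value) if value else None

    def validity_days(self):
        """Length of the validity period the CA actually granted, in days."""
        issued, expires = self.time("issued"), self.time("expires")
        return (expires - issued).days if issued and expires else None


def parse_getcert_list(text: str) -> list:
    """Split `getcert list` output into one TrackingRequest per request."""
    requests, current = [], None
    for raw in text.splitlines():
        header = REQUEST_HEADER.match(raw)
        if header:
            current = TrackingRequest(header.group(1))
            requests.append(current)
            continue
        if current is None or not raw.strip():
            continue
        key, sep, value = raw.strip().partition(":")  # first colon only: values hold URLs
        if sep:
            current.fields[key.strip()] = value.strip()
    return requests


def audit(requests, now: datetime, warn_days: int = 30) -> dict:
    """Map request ID -> problems, judged against the reference clock `now`.

    `now` is a parameter rather than the host clock so the same output can be
    checked against the time you believe the host was set to: an 'issued' time
    later than that clock means host and CA disagree about the current time.
    """
    report = {}
    for req in requests:
        problems = []
        status = req.fields.get("status", "")
        if status != "MONITORING":
            detail = req.fields.get("ca-error")
            problems.append(f"status {status}" + (f": {detail}" if detail else ""))
        issued, expires = req.time("issued"), req.time("expires")
        if issued and issued > now:
            problems.append(f"issued {issued:%Y-%m-%d %H:%M} is after reference clock "
                            f"{now:%Y-%m-%d %H:%M} (clock skew?)")
        if expires:
            left = (expires - now).days
            if left < 0:
                problems.append(f"expired {-left} days ago")
            elif left <= warn_days:
                problems.append(f"expires in {left} days")
        report[req.request_id] = problems
    return report


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    reqs = parse_getcert_list(text)
    report = audit(reqs, datetime.now(timezone.utc))
    for req in reqs:
        state = "; ".join(report[req.request_id]) or "OK"
        print(f"{req.request_id} {req.nickname}: {state} (validity {req.validity_days()} days)")
```

Run it on a saved capture (`getcert list > requests.txt; python3 audit.py requests.txt`) or with no argument to see the sample. When you deliberately move the clock for a renewal test, pass that target time to `audit()` instead of `datetime.now()`; a freshly renewed certificate whose "issued" value does not sit near that time is the first sign that the CA was not using the clock you thought it was.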
freeipa-users@lists.fedorahosted.org