From flo at redhat.com Tue Apr 10 12:06:20 2018
From: Florence Blanc-Renaud
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: ipa-restore breaks pki-tomcatd (?)
Date: Tue, 10 Apr 2018 14:05:45 +0200
Message-ID: <29a54acd-eb01-c658-455c-3ef0dd435a18@redhat.com>
In-Reply-To: 20180410093545.27442.39647@mailman01.phx2.fedoraproject.org

On 04/10/2018 11:35 AM, Hillar Aarelaid via FreeIPA-users wrote:
> Hi
>
> not exactly same, but feels similar here ;(
>
> _single_ freeipa server
> (Linux ipa.idm.domain.tld 4.15.14-300.fc27.x86_64 IPA VERSION: 4.6.3, API_VERSION: 2.229)
>
> 1) full backup made with ipa-backup
> 2) server loss
> 3) new server build from scratch
> 4) ipa-restore
> 5) ..Failed to start pki-tomcatd Service
>
>
> -----------
>
> ipa: DEBUG: response body b'Apache Tomcat/8.0.50 - Error report

HTTP Status 500 - Subsystem unavailable

type Exception report

message Subsystem unavailable

description The server encountered an internal error that prevented it from fulfilling this request.

exception

javax.ws.rs.ServiceUnavailableException: Subsystem unavailable\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:138)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)\n\tcom.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:81)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)\n\torg.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)\n\torg.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)\n\torg.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)\n\torg.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)\n\torg.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\torg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:748)\n

note The full stack trace of the root cause is available in the Apache Tomcat/8.0.50 logs.


Apache Tomcat/8.0.50

'
> ipa: DEBUG: The CA status is: check interrupted due to error: Retrieving CA status failed with status 500
> ipa: DEBUG: Waiting for CA to start...
> Failed to start pki-tomcatd Service

Hi,

you can find troubleshooting information in this blog:
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/

I would start by checking if all the certificates are up-to-date, especially subsystemCert cert-pki-ca.

HTH,
Flo
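
One way to carry out the certificate check suggested in the reply above, as an added example that is not part of the original message or of FreeIPA's own tooling. It assumes the certificates are tracked by certmonger and that `getcert list` prints `expires:` timestamps in UTC as `YYYY-MM-DD HH:MM:SS`; the sample output, request IDs and NSS database path are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread). Sample data is constructed.

# Constructed sample in the layout of certmonger's `getcert list` output.
# The NSS database path is a placeholder, not a value from the thread.
sample_getcert_list() {
    cat <<'EOF'
Request ID '20170101000001':
	status: CA_UNREACHABLE
	stuck: no
	certificate: type=NSSDB,location='/path/to/nssdb',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	subject: CN=CA Subsystem,O=EXAMPLE.TEST
	expires: 2018-03-01 09:15:00 UTC
Request ID '20170101000002':
	status: MONITORING
	stuck: no
	certificate: type=NSSDB,location='/path/to/nssdb',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
	subject: CN=ipa.example.test,O=EXAMPLE.TEST
	expires: 2019-11-20 09:15:00 UTC
EOF
}

# Read `getcert list` text on stdin and print one line per certificate whose
# "expires:" timestamp is earlier than the reference time.
# $1: reference time "YYYY-MM-DD HH:MM:SS" in UTC (default: now).
expired_certs() {
    now="${1:-$(date -u '+%Y-%m-%d %H:%M:%S')}"
    awk -v now="$now" '
        /^Request ID/ { id = $3; nick = "" }
        /^[ \t]*certificate: / {
            # \047 is a single quote; NSSDB entries carry nickname=...
            if (match($0, /nickname=\047[^\047]*\047/))
                nick = substr($0, RSTART + 10, RLENGTH - 11)
        }
        /^[ \t]*expires: / {
            sub(/^[ \t]*expires: /, "")
            when = substr($0, 1, 19)
            # Fixed-width timestamps compare correctly as strings.
            if ((when "") < (now "")) {
                label = (nick != "") ? nick : "request " id
                print label " expired " when
            }
        }
    '
}

# On an IPA server: getcert list | expired_certs
```

An expired entry for `subsystemCert cert-pki-ca` is the case the reply singles out; entries without a nickname (file-based storage) are reported by request ID instead.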