On 04/10/2018 11:35 AM, Hillar Aarelaid via FreeIPA-users wrote:
Hi
Not exactly the same, but it feels similar here ;(
_single_ freeipa server
(Linux ipa.idm.domain.tld 4.15.14-300.fc27.x86_64 IPA VERSION: 4.6.3, API_VERSION: 2.229)
1) full backup made with ipa-backup
2) server loss
3) new server build from scratch
4) ipa-restore
5) ..Failed to start pki-tomcatd Service
-----------
ipa: DEBUG: response body b'<!DOCTYPE
html><html><head><title>Apache Tomcat/8.0.50 - Error
report</title><style type="text/css">H1
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
H2
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
H3
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P
{font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color
: black;}A.name {color : black;}.line {height: 1px; background-color: #525D76; border:
none;}</style> </head><body><h1>HTTP Status 500 - Subsystem
unavailable</h1><div
class="line"></div><p><b>type</b> Exception
report</p><p><b>message</b> <u>Subsystem
unavailable</u></p><p><b>description</b> <u>The server
encountered an internal error
that prevented it from fulfilling this
request.</u></p><p><b>exception</b></p><pre>javax.ws.rs.ServiceUnavailableException:
Subsystem
unavailable\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:138)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)\n\tcom.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:81)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)\n\torg.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)\n\torg.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)\n\torg.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)\n\torg.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)\n\torg.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\torg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:748)\n</pre><p><b>note</b>
<u>The full stack trace of the root cause is available in the Apache Tomcat/8.0.50
logs.</u></p><hr class="line"><h3>Apache
Tomcat/8.0.50</h3></body></html>'
ipa: DEBUG: The CA status is: check interrupted due to error: Retrieving CA status failed with status 500
ipa: DEBUG: Waiting for CA to start...
Failed to start pki-tomcatd Service
_______________________________________________
Hi,
you can find troubleshooting information in this blog:
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tom...
I would start by checking if all the certificates are up-to-date,
especially subsystemCert cert-pki-ca.
HTH,
Flo