Hi,

On Sat, Sep 3, 2022 at 11:17 AM Sascha Kolanos via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hello all,

For one or two days now I have been unable to access the WebUI on my IPA Master (4.9.10). With the Replica it works without problems.

In /var/log/messages I have the following messages:
Sep  3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caTPSCert.cfg:82: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1wit>
Sep  3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/AdminCert.cfg:83: policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1with>
Sep  3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caJarSigningCert.cfg:83: policyset.caJarSigningSet.6.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRS>
Sep  3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caAgentFileSigning.cfg:83: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRS>
Sep  3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caOtherCert.cfg:82: policyset.otherCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1wi>
Sep  3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caUUIDdeviceCert.cfg:96: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SH>
Sep  3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caUserCert.cfg:98: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1with>
Sep  3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caRACert.cfg:82: policyset.raCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,>
Sep  3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caRARouterCert.cfg:82: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SH>
Sep  3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caUserSMIMEcapCert.cfg:98: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,>
Sep  3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caRAagentCert.cfg:92: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1w>
Sep  3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caRAserverCert.cfg:82: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SH>
Sep  3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caRouterCert.cfg:82: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1>
Sep  3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caCrossSignedCACert.cfg:79: policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,S>
Sep  3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDirBasedDualCert.cfg:92: policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384wi>
Sep  3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDirBasedDualCert.cfg:164: policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512with>
Sep  3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDirBasedDualCert.cfg:168: policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA>
Sep  3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDirPinUserCert.cfg:96: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SH>
Sep  3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDirUserCert.cfg:96: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1w>
Sep  3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caServerKeygen_DirUserCert.cfg:101: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA51>
Sep  3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDualCert.cfg:92: policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SH>
Sep  3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDualCert.cfg:164: policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1>
Sep  3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDualCert.cfg:168: policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1wit>
Sep  3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caServerKeygen_UserCert.cfg:101: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512wi>
Sep  3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDualRAuserCert.cfg:91: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SH>
Sep  3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caSigningUserCert.cfg:82: policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRS>
Sep  3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caECDualCert.cfg:164: policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SH>
Sep  3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caInternalAuthOCSPCert.cfg:68: policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512with>
Sep  3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caEncUserCert.cfg:92: policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA>
Sep  3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caIPAserviceCert.cfg:82: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,>
Sep  3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caInstallCACert.cfg:83: policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1w>
Sep  3 10:44:49 fedora server[2507]: Java virtual machine used: /usr/lib/jvm/jre-17-openjdk/bin/java
Sep  3 10:44:49 fedora server[2507]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:
Sep  3 10:44:49 fedora server[2507]: main class used: org.apache.catalina.startup.Bootstrap
Sep  3 10:44:49 fedora server[2507]: flags used: -Dcom.redhat.fips=false
Sep  3 10:44:49 fedora server[2507]: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pk>
Sep  3 10:44:49 fedora server[2507]: arguments used: start
Sep  3 10:44:49 fedora server[2507]: NOTE: Picked up JDK_JAVA_OPTIONS:  --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.co>
Sep  3 10:44:49 fedora server[2507]: WARNING: A command line option has enabled the Security Manager
Sep  3 10:44:49 fedora server[2507]: WARNING: The Security Manager is deprecated and will be removed in a future release
Sep  3 10:44:50 fedora ipa-pki-wait-running[2508]: pki.client: /usr/libexec/ipa/ipa-pki-wait-running:61: The subsystem in PKIConnection.__init__() has been deprecated (https://www.dogtagpki.org/wiki/PKI_10.8_Python_Changes).
Sep  3 10:44:50 fedora ipa-pki-wait-running[2508]: ipa-pki-wait-running: Created connection http://ipa.kolanos.net:8080/ca
Sep  3 10:44:50 fedora ipa-pki-wait-running[2508]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa.kolanos.net', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<url>
Sep  3 10:44:51 fedora ipa-pki-wait-running[2508]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa.kolanos.net', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<url>
Sep  3 10:44:52 fedora certmonger[2542]: 2022-09-03 10:44:52 [2542] Certificate "KOLANOS.NET IPA CA" valid for 589414559s.
Sep  3 10:44:52 fedora pcscd[833]: 03957038 auth.c:137:IsClientAuthorized() Process 2507 (user: 17) is NOT authorized for action: access_pcsc
Sep  3 10:44:52 fedora pcscd[833]: 00000451 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Sep  3 10:44:52 fedora pcscd[833]: 00048514 auth.c:137:IsClientAuthorized() Process 2507 (user: 17) is NOT authorized for action: access_pcsc
Sep  3 10:44:52 fedora pcscd[833]: 00000400 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Sep  3 10:44:52 fedora ipa-pki-wait-running[2508]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa.kolanos.net', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<url>
Sep  3 10:44:52 fedora pcscd[833]: 00035722 auth.c:137:IsClientAuthorized() Process 2507 (user: 17) is NOT authorized for action: access_pcsc
Sep  3 10:44:52 fedora pcscd[833]: 00000293 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Sep  3 10:44:52 fedora pcscd[833]: 00039624 auth.c:137:IsClientAuthorized() Process 2507 (user: 17) is NOT authorized for action: access_pcsc
Sep  3 10:44:52 fedora pcscd[833]: 00000335 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Sep  3 10:44:53 fedora ipa-pki-wait-running[2508]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa.kolanos.net', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<url>
Sep  3 10:44:54 fedora server[2507]: WARNING: Some of the specified [protocols] are not supported by the SSL engine and have been skipped: [[TLSv1, TLSv1.1]]
Sep  3 10:44:55 fedora ipa-pki-wait-running[2508]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa.kolanos.net', port=8080): Read timed out. (read timeout=1.0)

This looks like pki fails to start.
What is the output of "ipactl status" on the master?
If the services are down, you can restart them with "ipactl start --ignore-service-failures" and troubleshoot the failing services.

HTH,
flo

Does anyone have a tip for me how I can proceed here?

Thanks a lot
vapaa
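
As an added example (not part of either poster's message, and not FreeIPA code): a small Python triage of syslog lines like those quoted above, separating the repeated pkidaemon deprecation warnings from the ipa-pki-wait-running connection results. The sample lines are constructed and abbreviated, and the host name `ipa.example.test` and the function name `triage` are assumptions.

```python
import re
from collections import Counter

# Constructed, abbreviated sample modelled on the log lines quoted in the thread.
SAMPLE = """\
Sep  3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caUserCert.cfg:98: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA
Sep  3 10:44:49 fedora pkidaemon[2503]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caRACert.cfg:82: policyset.raCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA
Sep  3 10:44:50 fedora ipa-pki-wait-running[2508]: ipa-pki-wait-running: Created connection http://ipa.example.test:8080/ca
Sep  3 10:44:51 fedora ipa-pki-wait-running[2508]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa.example.test', port=8080): Max retries exceeded
Sep  3 10:44:52 fedora pcscd[833]: 03957038 auth.c:137:IsClientAuthorized() Process 2507 (user: 17) is NOT authorized for action: access_pcsc
Sep  3 10:44:55 fedora ipa-pki-wait-running[2508]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa.example.test', port=8080): Read timed out. (read timeout=1.0)
"""

# timestamp, host, program[pid]: message
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) ([\w.-]+)\[(\d+)\]: (.*)$")


def triage(text):
    """Return (lines per program, profiles with deprecation warnings,
    list of (timestamp, reason) for failed CA status checks)."""
    per_prog = Counter()
    profiles = set()
    failures = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not in syslog format
        ts, _host, prog, _pid, msg = m.groups()
        per_prog[prog] += 1
        if prog == "pkidaemon" and "Deprecated algorithm in " in msg:
            # Keep only the profile file name; the warning repeats per profile.
            path = msg.split("Deprecated algorithm in ", 1)[1].split(":", 1)[0]
            profiles.add(path.rsplit("/", 1)[-1])
        elif prog == "ipa-pki-wait-running" and "Connection failed" in msg:
            # "timed out" = connected but no answer; otherwise no connection.
            reason = "timeout" if "timed out" in msg else "no connection"
            failures.append((ts, reason))
    return per_prog, sorted(profiles), failures


if __name__ == "__main__":
    counts, profiles, failures = triage(SAMPLE)
    print(dict(counts))
    print(profiles)
    for ts, reason in failures:
        print(ts, reason)
```

In the failure list, a change from "no connection" to "timeout" means port 8080 started accepting connections but the status request was not answered within the 1-second read timeout.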