hi,

digging further, the tomcat service does not start because of this error:

server[48368]: org.xml.sax.SAXParseException; systemId: file:/var/lib/pki/pki-tomcat/conf/server.xml; lineNumber: 86; columnNumber: 861; Error at line [86] column [861]: [Cannot invoke "Object.getClass()" because the return value of "org.apache.catalina.connector.Connector.getProtocolHandler()" is null]

If I check the server.xml, there is no column 861 in line 86, the last char is 860

    <Connector name="Secure" port="8443" protocol="org.dogtagpki.jss.tomcat.Http11NioProtocol" SSLEnabled="true" sslImplementationName="org.dogtagpki.jss.tomcat.JSSImplementation" scheme="https" secure="true" connectionTimeout="80000" keepAliveTimeout="300000" maxHttpHeaderSize="8192" acceptCount="100" maxThreads="150" minSpareThreads="25" enableLookups="false" disableUploadTimeout="true" enableOCSP="false" ocspResponderURL="http://kdc.sub.domain.tld:8080/ca/ocsp" ocspResponderCertNickname="ocspSigningCert cert-pki-ca" ocspCacheSize="1000" ocspMinCacheEntryDuration="7200" ocspMaxCacheEntryDuration="14400" ocspTimeout="10" serverCertNickFile="/var/lib/pki/pki-tomcat/conf/serverCertNick.conf" passwordFile="/var/lib/pki/pki-tomcat/conf/password.conf" passwordClass="org.dogtagpki.jss.tomcat.PlainPasswordFile" certdbDir="/var/lib/pki/pki-tomcat/alias">
This line looks similar (replacing the ocsp url) to other ipa ca servers I manage, so I do not know where this is coming from.

If I run this as root it starts but apparently not well enough, because then the ExecStartPost command /usr/libexec/ipa/ipa-pki-wait-running fails with a 404

# /usr/libexec/ipa/ipa-pki-wait-running

pki.client: /usr/libexec/ipa/ipa-pki-wait-running:61: The subsystem in PKIConnection.__init__() has been deprecated (https://github.com/dogtagpki/pki/wiki/PKI-10.8-Python-Changes).
ipa-pki-wait-running: Created connection http://kdc.sub.domain.tld:8080/ca
ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error:  for url: http://kdc.sub.domain.tld:8080/ca/admin/ca/getStatus

Any clues?

Regards,

Natxo



On Wed, May 29, 2024 at 4:06 PM Natxo Asenjo <natxo.asenjo@gmail.com> wrote:


On Wed, May 29, 2024 at 3:03 PM Rob Crittenden <rcritten@redhat.com> wrote:
Since it starts directly as root perhaps check for SELinux AVCs? Maybe a
relabel would help (or try permissive to catch the full set).

rob


unfortunately selinux was already in permissive mode and there were no recent avcs:
# ausearch -m avc -ts recent
<no matches>

The latest avc is from a few days ago regarding the ipa_custodia which we do not use.

I did a restorecon -rv / and it corrected some labels, but no difference so far.


--
Groeten,
natxo