Tania Hagan via FreeIPA-users wrote:
Hi Freeipa Users,
I have upgraded one of my ipa replicas from 4.9.11 to 4.10.2; however, I am struggling to get pki-tomcatd@pki-tomcat to start, both via ipactl start and systemctl start pki-tomcatd.
My java/tomcat versions are
Java:
  Idm-pki-java 11.4.2-1.el9
  Java-11-openjdk-headless 1:11.0.22.0.7-2.el9
  Java-17-openjdk-headless 1:17.0.10.0.7-2.el9
  Javapackages-filesystem 6.0.0-4.el9
  Javapackages-tools 6.0.0-4.el9
  Tzdata-java 2023d-1.elp
Tomcat:
  Idm-tomcatjss 8.4.0-1.el9
  Tomcat 1:9.0.62-37.el9_3.1
  Tomcat-el-3.0-api.noarch 1:9.0.62-37.el9_3.1
  Tomcat-jsp-2.3-api 1:9.0.2-37.el9_3.1
  Tomcat-lib 1:9.0.62-37.el9_3.1
  Tomcat-servlet-4.0-api 1:9.0.62-37.el9_3.1
When I run journalctl -xeu pki-tomcatd@pki-tomcat I see:
  Ipa-pki-wait-running: Created connection http://<servername>:8080/ca
  WARNING: Some of the specified [protocols are not supported by the SSL engine and have been skipped: [[TLSv1, TLSv1]]
  Ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host=<servername>, port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError(‘<urllib3.connection.HTTPConnection object at 0x7XXXX>: Failed to establish a new connection: [Errno 113] No route to host’))
I’ve attempted to follow https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcat... where I see my cert is valid until 2025.
If I run getcert list I see: Number of certificates and requests being tracked: 0
That isn't great but ipa-server-upgrade will fix it if it is able to complete.
In the /var/log/ipaupgrade.log I see: ERROR: No kra subsystem in instance pki-tomcat
This is a red herring. It's IPA trying to see if one is configured.
If I run pki-server subsystem-find:
  Subsystem ID: ca
  Instance ID: pki-tomcat
  Enabled: true
If I run ipa-server-upgrade it fails with the same message. If I run ipactl start --ignore-service-failures it tries to run the ipa-server-upgrade.
If you add --skip-version-check it will not perform the upgrade.
If I run pkidestroy -i pki-tomcat -s KRA:
  ERROR: PKI subsystem ‘KRA’ for instance ‘/var/lib/pki-pki-tomcat’ does not exist
Is there any way to solve this error?
You'll need to look in the PKI debug log to see why it doesn't start. I'd recommend finding the start sequence and moving down in the log from there rather than doing a bottom-up scan.
rob
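
The top-down reading of the debug log recommended above, as an added example that is not part of the original thread or of FreeIPA/PKI: it finds the most recent start marker and returns the first SEVERE/ERROR entry after it, with its stack trace. The timestamp layout, the start-marker text and the sample lines are assumptions constructed for illustration; adjust the patterns to what your own debug log prints.

```python
import re

# Assumption: each entry begins with a timestamp; lines without one are
# continuation lines (stack trace) belonging to the previous entry.
ENTRY = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
# Assumption: hypothetical start marker, replace with the text your log
# prints when the subsystem begins its start sequence.
START = re.compile(r"Starting CA subsystem")
BAD = re.compile(r"\b(SEVERE|ERROR)\b")

def entries(lines):
    """Group raw lines into entries: a timestamped line plus continuations."""
    current = []
    for line in lines:
        if ENTRY.match(line) and current:
            yield current
            current = []
        current.append(line.rstrip("\n"))
    if current:
        yield current

def first_failure_after_last_start(lines, start=START, bad=BAD):
    """Return the first failing entry after the most recent start marker.

    None means no start attempt is recorded; [] means the last start
    logged no SEVERE/ERROR entry.
    """
    grouped = list(entries(lines))
    starts = [i for i, e in enumerate(grouped) if start.search(e[0])]
    if not starts:
        return None
    for entry in grouped[starts[-1] + 1:]:
        if bad.search(entry[0]):
            return entry  # root cause candidate; later errors often follow from it
    return []

# Constructed sample log, not taken from a real system.
SAMPLE = """\
2024-03-01 09:00:00 [main] INFO: Starting CA subsystem
2024-03-01 09:00:05 [main] SEVERE: old failure from an earlier boot
2024-03-01 10:15:00 [main] INFO: Starting CA subsystem
2024-03-01 10:15:02 [main] INFO: Loading configuration
2024-03-01 10:15:03 [main] SEVERE: Unable to start subsystem
java.lang.RuntimeException: constructed example
\tat Example.init(Example.java:1)
2024-03-01 10:15:04 [main] SEVERE: later consequence of the first failure
""".splitlines()

if __name__ == "__main__":
    print("\n".join(first_failure_after_last_start(SAMPLE) or ["nothing found"]))
```

A bottom-up scan of the same sample would land on the 10:15:04 entry, which is only a consequence of the failure logged one second earlier.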