Vinícius Ferrão via FreeIPA-users wrote:
Hi Rob, in fact it’s not working either.
Jan 8 00:02:58 headnode ipa-pki-wait-running[59836]:
ipa-pki-wait-running: Connection
failed: HTTPConnectionPool(host='headnode.cluster.tmc.if.ufrj.br',
port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus
(Caused by ConnectTimeoutError(<urllib3.connection.HTTPConnection object
at 0x7f4caa2ffda0>, 'Connection to headnode.cluster.tmc.if.ufrj.br timed
out. (connect timeout=1.0)'))
Jan 8 00:02:58 headnode systemd[1]: pki-tomcatd(a)pki-tomcat.service
<mailto:pki-tomcatd@pki-tomcat.service>: Start-post operation timed out.
Stopping.
Jan 8 00:02:59 headnode systemd[1]: pki-tomcatd(a)pki-tomcat.service
<mailto:pki-tomcatd@pki-tomcat.service>: Failed with result 'timeout'.
Jan 8 00:02:59 headnode systemd[1]: Failed to start PKI Tomcat Server
pki-tomcat.
I have upgraded from 8.2 to 8.3; here’s the output of yum history and
indeed there’s an error with Java:
https://pastebin.com/CH5g3kBw
On the end of the paste there’s the Java errors.
Ok, so my thinking on the bad openjdk release was wrong. It was fixed in
8.3 for sure.
Can you provide journalctl -u pki-tomcatd@pki-tomcat and take a look at
the debug log in /var/log/pki/pki-tomcat/ca ?
Note that reading the debug log is best done by finding in the log the
last time the CA was started and move down from there, rather than
moving up from the bottom, as the CA is optimistic and will try to
continue past some kinds of errors.
rob
Thank you.
> On 7 Jan 2021, at 11:01, Rob Crittenden <rcritten(a)redhat.com
> <mailto:rcritten@redhat.com>> wrote:
>
> Vinícius Ferrão via FreeIPA-users wrote:
>> Hello, I’ve a single IPA machine that provides authentication for
>> itself. It does not even have any client or host.
>>
>> After def -y update and reboot, IPA fails to load an it’s in broken
>> state.
>>
>> [root@headnode ~]# systemctl status ipa
>> ● ipa.service - Identity, Policy, Audit
>> Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; vendor
>> preset: disabled)
>> Active: failed (Result: exit-code) since Wed 2021-01-06 16:14:48 -03;
>> 45min ago
>> Process: 1278 ExecStart=/usr/sbin/ipactl start (code=exited,
>> status=1/FAILURE)
>> Main PID: 1278 (code=exited, status=1/FAILURE)
>>
>> Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: CRL tree
>> already moved
>> Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: IPA server
>> upgrade failed: Inspect /var/log/ipaupgrade.log and run command i>
>> Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: Unexpected
>> error - see /var/log/ipaupgrade.log for details:
>> Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]:
>> CalledProcessError: CalledProcessError(Command ['/bin/systemctl',
>> 'start', '>
>> Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: The
>> ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more >
>> Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: See the
>> upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade>
>> Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: Aborting
>> ipactl
>> Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: ipa.service:
>> Main process exited, code=exited, status=1/FAILURE
>> Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: ipa.service:
>> Failed with result 'exit-code'.
>> Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: Failed to
>> start Identity, Policy, Audit.
>>
>> If asks for look on /var/log/ipaupgrade.log; but this log is just
>> overwhelming. You must know what you should be looking for for actually
>> find something.
>>
>> The relevant thing that I’ve found by myself is:
>> 2021-01-06T19:09:51Z DEBUG The ipa-server-upgrade command failed,
>> exception: CalledProcessError: CalledProcessError(Command
>> ['/bin/systemctl', 'start', 'pki-tomcatd(a)pki-tomcat.service
>> <mailto:pki-tomcatd@pki-tomcat.service>
>> <mailto:pki-tomcatd@pki-tomcat.service>'] returned non-zero exit
status
>> 1: 'Job for pki-tomcatd(a)pki-tomcat.service
>> <mailto:pki-tomcatd@pki-tomcat.service>
>> <mailto:pki-tomcatd@pki-tomcat.service> failed because a timeout was
>> exceeded.\nSee "systemctl status pki-tomcatd(a)pki-tomcat.service
>> <mailto:pki-tomcatd@pki-tomcat.service>
>> <mailto:pki-tomcatd@pki-tomcat.service>" and "journalctl
-xe" for
>> details.\n’)
>>
>> Is that Java regression again that happened a month or two ago?
>>
>
> Hard to say. You upgraded from what to what? Was java included in the
> updated packages?
>
> Does /bin/systemctl start pki-tomcatd(a)pki-tomcat.service
> <mailto:pki-tomcatd@pki-tomcat.service> work outside
> the upgrader?
>
> rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...