Hello! On one of our ipa masters (alma9.2, ipa 4.10.1, CA renewal master) we have some problems with pki-tomcat; on the neighbouring master (alma9.2, ipa 4.10.1, ca role) the same problems do not occur. ipactl status and ipa-healthcheck report that everything is OK, and restarting the services also goes normally. But the pki debug log is flooded with a Java exception:
[root@dc1 ~]# tail -n 57 /var/log/pki/pki-tomcat/pki/debug.2023-05-23.log
2023-05-23 14:30:21 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-2] ERROR: RESTEASY002010: Failed to execute
javax.ws.rs.ServiceUnavailableException: ACME service is disabled
    at org.dogtagpki.acme.server.ACMERequestFilter.filter(ACMERequestFilter.java:48)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:263)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
    at jdk.internal.reflect.GeneratedMethodAccessor49.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
    at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:584)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:222)
    at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:146)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
    at jdk.internal.reflect.GeneratedMethodAccessor51.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
    at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:584)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:188)
    at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:146)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542)
    at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:83)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357)
    at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:433)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:893)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1724)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.base/java.lang.Thread.run(Thread.java:833)
We also have a flood of messages in systemctl status pki-tomcatd@pki-tomcat.service, like:
[root@dc1 ~]# journalctl -u pki-tomcatd@pki-tomcat.service --no-pager|tail -n 4
May 23 14:30:17 dc1.id.netrika server[4743]: WARNING: The SHA-1 algorithm used in org.mozilla.jss.netscape.security.util.CertPrettyPrint::X509toString:329 is deprecated. Use a more secure algorithm.
May 23 14:30:17 dc1.id.netrika server[4743]: WARNING: The MD2 algorithm used in org.mozilla.jss.netscape.security.util.CertPrettyPrint::X509toString:329 is deprecated. Use a more secure algorithm.
May 23 14:30:17 dc1.id.netrika server[4743]: WARNING: The MD5 algorithm used in org.mozilla.jss.netscape.security.util.CertPrettyPrint::X509toString:329 is deprecated. Use a more secure algorithm.
May 23 14:30:17 dc1.id.netrika server[4743]: WARNING: The SHA-1 algorithm used in org.mozilla.jss.netscape.security.util.CertPrettyPrint::X509toString:329 is deprecated. Use a more secure algorithm.
What could be the reason for these messages? And how to fix it? Thank you in advance!
Hi,
On Tue, May 23, 2023 at 1:40 PM Georgy Safronov via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> Hello! On one of our ipa masters (alma9.2, ipa 4.10.1, CA renewal master) we have some problems with pki-tomcat; on the neighbouring master (alma9.2, ipa 4.10.1, ca role) the same problems do not occur. ipactl status and ipa-healthcheck report that everything is OK, and restarting the services also goes normally. But the pki debug log is flooded with a Java exception:
> [root@dc1 ~]# tail -n 57 /var/log/pki/pki-tomcat/pki/debug.2023-05-23.log
> 2023-05-23 14:30:21 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-2] ERROR: RESTEASY002010: Failed to execute
> javax.ws.rs.ServiceUnavailableException: ACME service is disabled
What is the output of
# ipa-acme-manage status
If it shows "ACME is disabled", it means that the ACME functionality is not enabled and those logs can safely be ignored.
> We also have a flood of messages in systemctl status pki-tomcatd@pki-tomcat.service, like:
> [root@dc1 ~]# journalctl -u pki-tomcatd@pki-tomcat.service --no-pager|tail -n 4
> May 23 14:30:17 dc1.id.netrika server[4743]: WARNING: The SHA-1 algorithm used in org.mozilla.jss.netscape.security.util.CertPrettyPrint::X509toString:329 is deprecated. Use a more secure algorithm.
> May 23 14:30:17 dc1.id.netrika server[4743]: WARNING: The MD2 algorithm used in org.mozilla.jss.netscape.security.util.CertPrettyPrint::X509toString:329 is deprecated. Use a more secure algorithm.
> May 23 14:30:17 dc1.id.netrika server[4743]: WARNING: The MD5 algorithm used in org.mozilla.jss.netscape.security.util.CertPrettyPrint::X509toString:329 is deprecated. Use a more secure algorithm.
> May 23 14:30:17 dc1.id.netrika server[4743]: WARNING: The SHA-1 algorithm used in org.mozilla.jss.netscape.security.util.CertPrettyPrint::X509toString:329 is deprecated. Use a more secure algorithm.
For the above messages, I would ask for help from dogtag at users@lists.dogtagpki.org: https://lists.dogtagpki.org/archives/list/users@lists.dogtagpki.org/
flo
> What could be the reason for these messages? And how to fix it? Thank you in advance!
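Added example, not part of either message and not FreeIPA or Dogtag code: one way to check that the ERROR flood in the PKI debug log consists only of the ACME-disabled exception discussed in the reply, so that any other error is not buried under it. It assumes the on-disk log puts the exception on the line after the entry header with the "at" frames below it; `acme_enabled` is a hypothetical parameter you set from the output of ipa-acme-manage status, and the sample log is constructed.

```python
import re
from collections import Counter

# Entry header: "YYYY-MM-DD HH:MM:SS [thread] LEVEL: message"
ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[([^\]]+)\] (\w+): (.*)$")
ACME_DISABLED = "javax.ws.rs.ServiceUnavailableException: ACME service is disabled"
ACME_FILTER = "org.dogtagpki.acme.server.ACMERequestFilter."

def parse_entries(text):
    """Fold each entry's continuation lines (exception, 'at' frames) into one record."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        body = line.strip()
        if m:
            entries.append({"time": m[1], "thread": m[2], "level": m[3],
                            "message": m[4], "exception": None, "frames": []})
        elif entries and body.startswith("at "):
            entries[-1]["frames"].append(body[3:])
        elif entries and body and entries[-1]["exception"] is None:
            entries[-1]["exception"] = body
    return entries

def triage(text, acme_enabled):
    """Split ERROR entries into (noise counter, entries to review).

    Noise means: ACME is disabled and the ACME request filter raised the error."""
    noise, review = Counter(), []
    for e in parse_entries(text):
        if e["level"] != "ERROR":
            continue
        top = e["frames"][0] if e["frames"] else ""
        if (not acme_enabled and e["exception"] == ACME_DISABLED
                and top.startswith(ACME_FILTER)):
            noise[e["exception"]] += 1
        else:
            review.append(e)
    return noise, review

# Constructed sample: two entries shaped like the one in the post (stack cut
# short) and one made-up unrelated ERROR line.
SAMPLE = """\
2023-05-23 14:30:21 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-2] ERROR: RESTEASY002010: Failed to execute
javax.ws.rs.ServiceUnavailableException: ACME service is disabled
\tat org.dogtagpki.acme.server.ACMERequestFilter.filter(ACMERequestFilter.java:48)
\tat org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:263)
2023-05-23 14:30:26 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] ERROR: RESTEASY002010: Failed to execute
javax.ws.rs.ServiceUnavailableException: ACME service is disabled
\tat org.dogtagpki.acme.server.ACMERequestFilter.filter(ACMERequestFilter.java:48)
2023-05-23 14:30:30 [main] ERROR: constructed example error, not from the post
"""
```

If ACME is enabled, pass acme_enabled=True: the same exception then goes to the review list, because a "service is disabled" error no longer matches the configuration.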