Hi,
I've a bunch of 5 servers for my domain. One has CA on it, and on any other the attempt to bring it up as secondary... CA replica fails with:
ipa-ca-install
...
caSigningCert cert-pki-ca CTu,Cu,Cu
ocspSigningCert cert-pki-ca u,u,u
subsystemCert cert-pki-ca u,u,u
Installation failed:
<html><head><title>Apache Tomcat/7.0.76 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 500 - javax.ws.rs.ProcessingException: Unable to invoke request</h1><HR size="1" noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b> <u>javax.ws.rs.ProcessingException: Unable to invoke request</u></p><p><b>description</b> <u>The server encountered an internal error that prevented it from fulfilling this request.</u></p><p><b>exception</b> <pre>org.jboss.resteasy.spi.UnhandledException: javax.ws.rs.ProcessingException: Unable to invoke request
org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
together with a (journalctl)
Jul 17 10:24:14 kre.example.com server[21753]: CMS Warning: FAILURE: authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value|
Jul 17 10:24:14 kre.example.com server[21753]: CA is started.
Jul 17 10:24:17 server[21753]: getSystemCertProfileID tag: subsystem defaultName: caInternalAuthSubsystemCert keyType: null
Jul 17 10:24:17 kre.example.com server[21753]: FATAL: SSL alert received: HANDSHAKE_FAILURE
The pki-tomcat is the last thing started, but throws an exception.
I can provide the ipareplication-install.log. For all servers the failure is exactly the same (without the running master of course).
Software: centos 7 with
pa-common-4.6.8-5.el7.centos.14.noarch
ipa-server-trust-ad-4.6.8-5.el7.centos.14.x86_64
ipa-client-common-4.6.8-5.el7.centos.14.noarch
ipa-client-4.6.8-5.el7.centos.14.x86_64
ipa-server-dns-4.6.8-5.el7.centos.14.noarch
ipa-server-common-4.6.8-5.el7.centos.14.noarch
ipa-server-4.6.8-5.el7.centos.14.x86_64
Maybe someone has a tip for me?
Regards,
Rudi G.
You'd want to look at the pki-ca-spawn log and since things partially started, /var/log/pki/pki-tomcat/ca/debug*.log
rob
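A first-pass triage of the journalctl lines quoted in this thread, as an added example that is not part of the original messages: it extracts the failure markers worth following up in the logs named above. The rule labels and function names are hypothetical, and the sample input is constructed from the four journal entries in the original post.

```python
import re

# Constructed sample: the four journal entries quoted in the thread, one per line.
SAMPLE = """\
Jul 17 10:24:14 kre.example.com server[21753]: CMS Warning: FAILURE: authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value|
Jul 17 10:24:14 kre.example.com server[21753]: CA is started.
Jul 17 10:24:17 server[21753]: getSystemCertProfileID tag: subsystem defaultName: caInternalAuthSubsystemCert keyType: null
Jul 17 10:24:17 kre.example.com server[21753]: FATAL: SSL alert received: HANDSHAKE_FAILURE
"""

# timestamp, optional hostname (one entry in the thread has none), unit[pid], message
ENTRY = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?:(?P<host>\S+) )?"
    r"(?P<unit>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Hypothetical rule labels; the patterns come from the messages in the thread.
RULES = [
    ("tls-alert", re.compile(r"FATAL: SSL alert received: (\w+)")),
    ("missing-config", re.compile(r"error=Property (\S+) missing value")),
    ("init-failure",
     re.compile(r"FAILURE: (?:authz )?instance (\w+) initialization failed")),
]


def triage(text):
    """Return (timestamp, host, kind, detail) for every rule hit, in log order."""
    findings = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # not a syslog-style entry (blank line, wrapped output, ...)
        for kind, rx in RULES:
            hit = rx.search(m["msg"])
            if hit:
                # "-" marks an entry that was logged without a hostname field
                findings.append((m["ts"], m["host"] or "-", kind, hit.group(1)))
    return findings


if __name__ == "__main__":
    for ts, host, kind, detail in triage(SAMPLE):
        print(f"{ts}  {host:<16} {kind:<15} {detail}")
```

The output only lists which markers appeared and when; it does not establish which of them caused the replica install to fail.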
Not solved it, but removed the CA from all and use 3rd party certs now.
Thank you for your help
Rudi Gabler via FreeIPA-users wrote:
> Not solved it, but removed the CA from all and use 3rd party certs now.
> Thank you for your help
Be sure to set a reminder before they expire so you can renew them. It's a very easy thing to forget to do, particularly if there is turnover.
regards
rob
I'm using acme.sh, which renews any certs reliably (and a script with ipa-server-certinstall -w -d resp. in it).
regards,
Rudi
freeipa-users@lists.fedorahosted.org