Hi FreeIPA users,
I have upgraded one of my IPA replicas from 4.9.11 to 4.10.2; however, I am struggling to get pki-tomcatd@pki-tomcat to start, both via ipactl start and via systemctl start pki-tomcatd.
My Java/Tomcat versions are:
Java:
  idm-pki-java 11.4.2-1.el9
  java-11-openjdk-headless 1:11.0.22.0.7-2.el9
  java-17-openjdk-headless 1:17.0.10.0.7-2.el9
  javapackages-filesystem 6.0.0-4.el9
  javapackages-tools 6.0.0-4.el9
  tzdata-java 2023d-1.el9
Tomcat:
  idm-tomcatjss 8.4.0-1.el9
  tomcat 1:9.0.62-37.el9_3.1
  tomcat-el-3.0-api.noarch 1:9.0.62-37.el9_3.1
  tomcat-jsp-2.3-api 1:9.0.2-37.el9_3.1
  tomcat-lib 1:9.0.62-37.el9_3.1
  tomcat-servlet-4.0-api 1:9.0.62-37.el9_3.1
When I run journalctl -xeu pki-tomcatd@pki-tomcat I see:
  ipa-pki-wait-running: Created connection http://<servername>:8080/ca
  WARNING: Some of the specified [protocols] are not supported by the SSL engine and have been skipped: [[TLSv1, TLSv1]]
  ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host=<servername>, port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7XXXX>: Failed to establish a new connection: [Errno 113] No route to host'))
I've attempted to follow https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcat... where I see my cert is valid until 2025.
If I run getcert list I see:
  Number of certificates and requests being tracked: 0
In /var/log/ipaupgrade.log I see:
  ERROR: No kra subsystem in instance pki-tomcat
If I run pki-server subsystem-find I see:
  Subsystem ID: ca
  Instance ID: pki-tomcat
  Enabled: true
If I run ipa-server-upgrade it fails with the same message. If I run ipactl start --ignore-service-failures it tries to run ipa-server-upgrade.
If I run pkidestroy -i pki-tomcat -s KRA I see:
  ERROR: PKI subsystem 'KRA' for instance '/var/lib/pki-pki-tomcat' does not exist
Is there any way to solve this error?
Many Thanks, Tania
Tania Hagan via FreeIPA-users wrote:
> Hi FreeIPA users,
> I have upgraded one of my IPA replicas from 4.9.11 to 4.10.2; however, I am struggling to get pki-tomcatd@pki-tomcat to start, both via ipactl start and via systemctl start pki-tomcatd.
> My Java/Tomcat versions are:
> Java:
>   idm-pki-java 11.4.2-1.el9
>   java-11-openjdk-headless 1:11.0.22.0.7-2.el9
>   java-17-openjdk-headless 1:17.0.10.0.7-2.el9
>   javapackages-filesystem 6.0.0-4.el9
>   javapackages-tools 6.0.0-4.el9
>   tzdata-java 2023d-1.el9
> Tomcat:
>   idm-tomcatjss 8.4.0-1.el9
>   tomcat 1:9.0.62-37.el9_3.1
>   tomcat-el-3.0-api.noarch 1:9.0.62-37.el9_3.1
>   tomcat-jsp-2.3-api 1:9.0.2-37.el9_3.1
>   tomcat-lib 1:9.0.62-37.el9_3.1
>   tomcat-servlet-4.0-api 1:9.0.62-37.el9_3.1
> When I run journalctl -xeu pki-tomcatd@pki-tomcat I see:
>   ipa-pki-wait-running: Created connection http://<servername>:8080/ca
>   WARNING: Some of the specified [protocols] are not supported by the SSL engine and have been skipped: [[TLSv1, TLSv1]]
>   ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host=<servername>, port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7XXXX>: Failed to establish a new connection: [Errno 113] No route to host'))
> I've attempted to follow https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcat... where I see my cert is valid until 2025.
> If I run getcert list I see:
>   Number of certificates and requests being tracked: 0
That isn't great but ipa-server-upgrade will fix it if it is able to complete.
> In /var/log/ipaupgrade.log I see:
>   ERROR: No kra subsystem in instance pki-tomcat
This is a red herring. It's IPA trying to see if one is configured.
> If I run pki-server subsystem-find I see:
>   Subsystem ID: ca
>   Instance ID: pki-tomcat
>   Enabled: true
> If I run ipa-server-upgrade it fails with the same message. If I run ipactl start --ignore-service-failures it tries to run ipa-server-upgrade.
If you add --skip-version-check it will not perform the upgrade.
> If I run pkidestroy -i pki-tomcat -s KRA I see:
>   ERROR: PKI subsystem 'KRA' for instance '/var/lib/pki-pki-tomcat' does not exist
> Is there any way to solve this error?
You'll need to look in the PKI debug log to see why it doesn't start. I'd recommend finding the start sequence and moving down in the log from there rather than doing a bottom-up scan.
rob
Hi,
I tried looking at the PKI debug log again, and the main warning that stood out was that /var/lib/ipa/pki-ca/publish did not exist. I recreated the folder with chown root:pkiuser and chmod 775 and restarted the service; the error disappeared from the log, but the service still does not start. Is this important, and should it contain the MasterCRL.bin that now appears to be missing from my configuration?
Many Thanks, Tania
Tania Hagan via FreeIPA-users wrote:
> Hi,
> I tried looking at the PKI debug log again, and the main warning that stood out was that /var/lib/ipa/pki-ca/publish did not exist. I recreated the folder with chown root:pkiuser and chmod 775 and restarted the service; the error disappeared from the log, but the service still does not start. Is this important, and should it contain the MasterCRL.bin that now appears to be missing from my configuration?
I don't believe this will prevent the CA from running, and a CRL being present is definitely not required.
You might also look at the selftest log and the catalina log, maybe those hold something useful.
rob
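Rob's advice in the two replies above (find the start sequence in the PKI debug log and read forward from it, then check the self-test and catalina logs) can be scripted so that only the newest startup attempt is examined. The following is an added example written for this page; it is not code from the thread or from the FreeIPA/Dogtag projects. The log locations in the comments, the 'CMSEngine: starting' marker pattern and the sample log lines are assumptions and constructed data, not real pki-tomcat output, so check the marker against your own debug log before relying on it.

```shell
#!/bin/sh
# Added example (not from the thread): read a PKI/tomcat log top-down from
# the LAST start marker, instead of scanning bottom-up, and pull out the
# failures that belong to that attempt only.
#
# Assumed default log locations for FreeIPA 4.10 / PKI 11 on EL9
# (assumption; verify on your replica, the date suffix varies):
#   CA debug log : /var/lib/pki/pki-tomcat/logs/ca/debug.YYYY-MM-DD.log
#   self-tests   : /var/log/pki/pki-tomcat/ca/selftests.log
#   catalina     : /var/log/pki/pki-tomcat/catalina.YYYY-MM-DD.log

# from_last_start FILE MARKER_REGEX
# Print FILE from the last line matching MARKER_REGEX to end of file, i.e.
# the newest startup sequence. Prints nothing when the marker never appears.
from_last_start() {
    awk -v re="$2" '
        $0 ~ re { start = NR }
        { line[NR] = $0 }
        END { if (start) for (i = start; i <= NR; i++) print line[i] }
    ' "$1"
}

# errors_after_start FILE MARKER_REGEX
# Count ERROR/SEVERE/Exception lines within the newest startup sequence.
# grep -c exits 1 on a zero count, hence "|| true".
errors_after_start() {
    from_last_start "$1" "$2" | grep -cE 'ERROR|SEVERE|Exception' || true
}

# show_errors_after_start FILE MARKER_REGEX
# Print those lines in order; the first one is usually the real cause and the
# later ones are consequences of it.
show_errors_after_start() {
    from_last_start "$1" "$2" | grep -E 'ERROR|SEVERE|Exception' || true
}

# make_sample_log: write a CONSTRUCTED excerpt to a temp file and print its
# path. The lines imitate the shape of a CA debug log (two start attempts,
# the second one failing its self-tests) but are not real pki-tomcat output.
make_sample_log() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
2024-01-10 09:00:01 [main] INFO: CMSEngine: starting ca subsystem
2024-01-10 09:00:02 [main] SEVERE: CertificateAuthority: cannot open /var/lib/ipa/pki-ca/publish
2024-01-10 09:00:02 [main] INFO: CMSEngine: shutdown
2024-01-10 09:05:00 [main] INFO: CMSEngine: starting ca subsystem
2024-01-10 09:05:01 [main] INFO: SelfTestSubsystem: running startup self tests
2024-01-10 09:05:01 [main] SEVERE: SelfTestSubsystem: CAPresence self test failed
2024-01-10 09:05:02 [main] ERROR: CMSEngine: unable to start subsystem ca
EOF
    printf '%s\n' "$f"
}

# Usage on a live replica (assumed path; marker pattern is an assumption):
#   sh thisscript.sh /var/lib/pki/pki-tomcat/logs/ca/debug.2024-01-10.log
# With no arguments nothing is scanned, so the functions can be sourced.
if [ "$#" -gt 0 ]; then
    show_errors_after_start "$1" "${2:-CMSEngine: starting}"
fi
```

Run the same functions against selftests.log and the catalina log with a marker that matches their own startup lines (for catalina, the "Server startup" or "Starting service" lines are the natural anchor); the point is always to locate the newest start and read forward from it, because the last lines of the file are typically the shutdown after the real failure rather than the failure itself.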
Hi Rob,
Cheers, I looked in those logs as well, but nothing in particular is standing out as an error.
After a week of trying to find a solution, I think we'll build new servers and migrate the data from working servers as a way to move forward. It seems a safer option, upgrading from el9 to el9 anyway.
Many Thanks, Tania