[Freeipa-users] Re: IPA certs expired, pki-tomcatd fails to start

Mon, 08 Feb 2021 04:53:38 -0800 

On 2/8/21 11:59 AM, Manuel Gugliucci via FreeIPA-users wrote:

Hello,

I'm running a freeipa server over a cloudera cluster, on 2020-12-31 all the 
certs expired and did not renew by itself.

After I set the system date before the expiration date, I tried 
ipa-cacert-renew but returns an error saying that ca cert are not managed by 
certmonger so I did a getcert resubmit for every cert.


Hi,
the command "ipa-cacert-manage renew" is used to renew the CA certificate (in case IPA was installed with an embedded CA), not the other certs.
Before giving any advice, I would like to know more about the deployment. Are there a single or multiple IPA servers? Is the CA role deployed on multiple servers? Which version is installed? 

# kinit admin; ipa server-role-find
# rpm -qa *ipa-server

Which certificates are valid or expired?
# getcert list

Thanks,
flo


Almos all went on "Monitoring" state, except for one that says 
"NEED_CSR_GEN_PIN".

If I try to do 'ipactl start', it starts to first upgrade IPA and fails because 
of the pki-tomcat service:

```
2019-12-31T19:12:01Z DEBUG response body '<html><head><title>Apache Tomcat/7.0.76 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY 
{font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : 
black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 500 - Subsystem unavailable</h1><HR size="1" noshade="noshade"><p><b>type</b> 
Exception report</p><p><b>message</b> <u>Subsystem unavailable</u></p><p><b>description</b> <u>The server encountered an internal error that prevented it from fulfilling this requ
  est.</u></p><p><b>exception</b> <pre>javax.ws.rs.ServiceUnavailableException: 
Subsystem 
unavailable\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)\n\torg.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)\n\torg.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)\n\torg.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)\n\torg.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\torg.apache.tomcat.util.threads.TaskThrea
  d$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:748)\n</pre></p><p><b>note</b> <u>The full stack trace of 
the root cause is available in the Apache Tomcat/7.0.76 logs.</u></p><HR size="1" noshade="noshade"><h3>Apache 
Tomcat/7.0.76</h3></body></html>'
2019-12-31T19:12:01Z DEBUG The CA status is: check interrupted due to error: 
Retrieving CA status failed with status 500
2019-12-31T19:12:01Z DEBUG Waiting for CA to start...
```
I also looked for the previous threads listed on this forum, but none of them 
provided a solution
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org



_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

Reply via email to