Tania Hagan via FreeIPA-users wrote:
> Hi Freeipa Users, 
> 
> I have upgraded one of my ipa replicas from 4.9.11 to 4.10.2 however I am 
> struggling to get pki-tomcatd@pki-tomcat to start both via ipactl start and 
> systemctl start pki-tomcatd.  
> 
> My java/tomcat versions are 
> 
> Java: 
> Idm-pki-java 11.4.2-1.el9
> Java-11-openjdk-headless 1:11.0.22.0.7-2.el9
> Java-17-openjdk-headless 1:17.0.10.0.7-2.el9  
> Javapackages-filesystem 6.0.0-4.el9
> Javapackages-tools 6.0.0-4.el9
> Tzdata-java 2023d-1.elp
> 
> Tomcat: 
> Idm-tomcatjss 8.4.0-1.el9
> Tomcat 1:9.0.62-37.el9_3.1
> Tomcat-el-3.0-api.noarch 1:9.0.62-37.el9_3.1
> Tomcat-jsp-2.3-api 1:9.0.2-37.el9_3.1
> Tomcat-lib 1:9.0.62-37.el9_3.1
> Tomcat-servlet-4.0-api 1:9.0.62-37.el9_3.1
> 
> When I run journalctl -xeu pki-tomcatd@pki-tomcat I see: 
> Ipa-pki-wait-running: Created connection http://<servername>:8080/ca
> WARNING: Some of the specified [protocols are not supported by the SSL engine 
> and have been skipped: [[TLSv1, TLSv1]]
> Ipa-pki-wait-running: Connection failed: 
> HTTPConnectionPool(host=<servername>, port=8080): Max retries exceeded with 
> url: /ca/admin/ca/getStatus (Caused by 
> NewConnectionError(‘<urllib3.connection.HTTPConnection object at 0x7XXXX>: 
> Failed to estable a new connection: [Errno 113] No route to host’))
> 
> I’ve attempted to follow 
> https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
>  where I see my cert is valid until 2025. 
> 
> If I run getcert list I see: 
> Number of certificates and requests being tracked: 0

That isn't great but ipa-server-upgrade will fix it if it is able to
complete.

> In the /var/log/ipaupgrade.log I see: ERROR: No kra subsystem in instance 
> pki-tomcat

This is a red herring. It's IPA trying to see if one is configured.

> 
> If I run pki-server subsystem-find
> Subsystem ID: ca
> Instance ID: pki-tomcat
> Enabled: true
> 
> If I run ipa-server-upgrade it fails with the same message. 
> If I run ipactl start --ignore-service-failures it tries to run the 
> ipa-server-upgrade

If you add --skip-version-check it will not perform the upgrade.

> 
> If I run pkidestroy -i pki-tomcat -s KRA
> ERROR: PKI subsystem ‘KRA’ for instance ‘/var/lib/pki-pki-tomcat’ does not 
> exist
> 
> Is there any way to solve this error? 

You'll need to look in the PKI debug log to see why it doesn't start.
I'd recommend finding the start sequence and moving down in the log from
there rather than doing a bottom-up scan.

rob