Hi freeipa experts. I have been using freeipa for the past 5 years running in a docker container, no replicas. Currently on VERSION: 4.9.6, API_VERSION: 2.245.
I have the following issue, not sure what caused this: the pki-tomcat service is not starting, and it is no longer possible to log in through the web UI. Auth through LDAP (some websites) and through SSSD on Linux servers is still working, and Kerberos tickets are generated when logging in with a password or when running kinit, so critical operations are still possible.

The messages in `systemctl status pki-tomcatd@pki-tomcat.service` are:

```
Apr 12 13:50:33 ipa.domain.com ipa-pki-wait-running[17869]: ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error: for url: http://ipa.domain.com:8080/ca/admin/ca/getStatus
Apr 12 13:50:34 ipa.domain.com systemd[1]: pki-tomcatd@pki-tomcat.service: start-post operation timed out. Terminating.
Apr 12 13:50:34 ipa.domain.com systemd[1]: pki-tomcatd@pki-tomcat.service: Control process exited, code=killed, status=15/TERM
Apr 12 13:50:34 ipa.domain.com systemd[1]: pki-tomcatd@pki-tomcat.service: Failed with result 'timeout'.
Apr 12 13:50:34 ipa.domain.com systemd[1]: Failed to start PKI Tomcat Server pki-tomcat.
```

journalctl gives other errors (filtered to what seems relevant):

```
Apr 12 13:49:05 ipa.domain.com server[17868]: WARNING: Problem with JAR file [/usr/share/pki/server/common/lib/commons-collections.jar], exists: [false], canRead: [false]
Apr 12 13:49:07 ipa.domain.com java[17868]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
Apr 12 13:49:18 ipa.domain.com server[17868]: SEVERE: Context [/acme] startup failed due to previous errors
```

`/var/log/pki/pki-tomcat/pki/debug.2024-04-12.log` contains the following errors:

```
2024-04-12 15:01:12 [main] SEVERE: Exception initializing random number generator using provider [Mozilla-JSS]
java.security.NoSuchProviderException: no such provider: Mozilla-JSS
        at java.base/sun.security.jca.GetInstance.getService(GetInstance.java:83)
        at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
....
```

`/var/log/pki/pki-tomcat/ca/debug.2024-04-12.log` contains the following type of errors:

```
2024-04-12 00:17:37 [main] SEVERE: Unable to start CA engine: Property instanceRoot missing value
Property instanceRoot missing value
        at com.netscape.cmscore.base.PropConfigStore.getString(PropConfigStore.java:297)
        at com.netscape.cmscore.apps.EngineConfig.getInstanceDir(EngineConfig.java:55)
        at com.netscape.cmscore.apps.CMSEngine.loadConfig(CMSEngine.java:233)
        at com.netscape.cmscore.apps.CMSEngine.start(CMSEngine.java:1025)
....
2024-04-12 17:49:21 [main] SEVERE: Exception sending context initialized event to listener instance of class [org.dogtagpki.server.ca.CAEngine]
java.lang.RuntimeException: Unable to start CA engine: Property instanceRoot missing value
        at com.netscape.cmscore.apps.CMSEngine.contextInitialized(CMSEngine.java:1672)
        at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4768)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5230)
```

`getcert list` reports all entries except the caCACert as expired.

I tried pretty much everything I could find on the internet (though most of the threads I found were never resolved). Tried ipa-cert-fix. Tried ipa-restoring a backup in a new container; the same problem occurs. My guess is that an upgrade years back broke the certificate auto-renewal and it went undetected, and now that everything is expired it's failing.

If you have any ideas of what to check/try I would be very grateful, as I am losing my sanity here. Also, I am a bit scared of breaking what is currently working (LDAP+SSSD) and critical to our operations, so if anything can be tested on a copy of the data in a container that would be great. Thanks!
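As an added example (not part of the original post, and not FreeIPA's own tooling), a check for the failure mode described above, certmonger renewal silently breaking until everything is expired: it parses `getcert list` output and flags tracked certificates that are expired, close to expiry, stuck, or not in the MONITORING state. The sample output, request IDs, nicknames and dates are constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `getcert list` output (not from the original post):
# the CA signing cert is healthy, the subsystem cert is expired and stuck.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20190412120000':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2040-04-12 12:00:00 UTC
Request ID '20190412120001':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2023-11-01 08:00:00 UTC
"""

def parse_getcert_list(text):
    """Split `getcert list` output into one dict of 'key: value' fields per request."""
    entries, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            entries.append(current)
        elif current is not None and line[:1] in ("\t", " "):
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    return entries

def find_problems(entries, now, warn_days=30):
    """Return (nickname, reason) pairs for tracked certs that need attention."""
    problems = []
    for e in entries:
        m = re.search(r"nickname='([^']*)'", e.get("certificate", ""))
        name = m.group(1) if m else e["request_id"]
        exp = datetime.strptime(e["expires"], "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)
        if exp <= now:
            problems.append((name, "expired on %s" % e["expires"]))
        elif exp - now <= timedelta(days=warn_days):
            problems.append((name, "expires within %d days" % warn_days))
        # A healthy certmonger entry sits in MONITORING and is not stuck; anything else
        # (CA_UNREACHABLE, NEED_CA_CERT, ...) means renewal is not happening on its own.
        if e.get("stuck") == "yes" or e.get("status") != "MONITORING":
            problems.append((name, "certmonger state %s (stuck=%s)" % (e.get("status"), e.get("stuck"))))
    return problems

if __name__ == "__main__":
    for name, reason in find_problems(parse_getcert_list(SAMPLE_GETCERT_OUTPUT), datetime.now(timezone.utc)):
        print("%s: %s" % (name, reason))
```

On a real server feed it the output of `getcert list` and run it from cron or a monitoring agent, so an entry leaving MONITORING is noticed long before the last certificate expires.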
--
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org