Hi Patrick, The "javax.ws.rs.ServiceUnavailableException: Subsystem unavailable" suggests that the CA subsystem got undeployed automatically from Tomcat due to an error in CA (the Tomcat itself seems to be running just fine).
You'll need to check the CA debug log in /var/log/pki/pki-tomcat/ca/*, hopefully it will show the actual problem. Once it's fixed, you just need to restart Tomcat and the CA should be redeployed automatically. Also check the upgrade log in /var/log/pki/pki-server-upgrade-* to see if there's any PKI upgrade issue. Hope this helps. -- Endi S. Dewata ----- Original Message ----- > Looks like it's the second problem (on pagure) > > -- Logs begin at Wed 2019-10-30 02:34:10 HKT, end at Wed 2019-10-30 06:28:21 > HKT. -- > Oct 30 03:39:43 home.local.nonet systemd[1]: Starting PKI Tomcat Server > pki-tomcat... > Oct 30 03:39:44 home.local.nonet pki-server[57211]: > ---------------------------- > Oct 30 03:39:44 home.local.nonet pki-server[57211]: pki-tomcat instance > migrated > Oct 30 03:39:44 home.local.nonet pki-server[57211]: > ---------------------------- > Oct 30 03:39:44 home.local.nonet systemd[1]: Started PKI Tomcat Server > pki-tomcat. > Oct 30 03:39:44 home.local.nonet server[57330]: Java virtual machine used: > /usr/lib/jvm/jre-1.8.0-openjdk/bin/java > Oct 30 03:39:44 home.local.nonet server[57330]: classpath used: > /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.jar > Oct 30 03:39:44 home.local.nonet server[57330]: main class used: > org.apache.catalina.startup.Bootstrap > Oct 30 03:39:44 home.local.nonet server[57330]: flags used: > -Djava.library.path=/usr/lib64/nuxwdog-jni > Oct 30 03:39:44 home.local.nonet server[57330]: options used: > -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat > -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp > -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties > -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager > -Djava.security.manager > -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy > Oct 30 03:39:44 home.local.nonet server[57330]: arguments used: start > Oct 30 03:40:03 home.local.nonet server[57330]: WARNING: Exception processing > realm [com.netscape.cms.tomcat.ProxyRealm@296c31c9] background process > Oct 30 03:40:03 home.local.nonet server[57330]: > javax.ws.rs.ServiceUnavailableException: Subsystem unavailable > Oct 30 03:40:03 home.local.nonet server[57330]: at > com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:142) > Oct 30 03:40:03 home.local.nonet server[57330]: at > org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1137) > Oct 30 03:40:03 home.local.nonet server[57330]: at > org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5566) > Oct 30 03:40:03 home.local.nonet server[57330]: at > org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1353) > Oct 30 03:40:03 home.local.nonet server[57330]: at > org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1357) > Oct 30 03:40:03 home.local.nonet server[57330]: at > org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1335) > Oct 30 03:40:03 home.local.nonet server[57330]: at > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > Oct 30 03:40:03 home.local.nonet server[57330]: at > java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308) > Oct 30 03:40:03 home.local.nonet server[57330]: at > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180) > Oct 30 03:40:03 home.local.nonet server[57330]: at > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294) > Oct 30 03:40:03 home.local.nonet server[57330]: at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) > Oct 30 03:40:03 home.local.nonet server[57330]: at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) > Oct 30 03:40:03 home.local.nonet server[57330]: at > org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) > Oct 30 03:40:03 home.local.nonet server[57330]: at > java.lang.Thread.run(Thread.java:748) > > The pki-tomcat instance is running. It would output error when I browse > https://home.local.nonet:8443/ca , but https://home.local.nonet:8443/pki/ is > ok > Instance ID: pki-tomcat > Active: True > Unsecure Port: 8080 > Secure Port: 8443 > AJP Port: 8009 > Tomcat Port: 8005 > > CA Subsystem: > Type: Subordinate CA (Security Domain) > SD Registration URL: https://home.local.nonet:443 > Enabled: True > Unsecure URL: http://home.local.nonet:8080/ca/ee/ca > Secure Agent URL: https://home.local.nonet:8443/ca/agent/ca > Secure EE URL: https://home.local.nonet:8443/ca/ee/ca > Secure Admin URL: https://home.local.nonet:8443/ca/services > PKI Console URL: https://home.local.nonet:8443/ca > > Thanks, > Patrick > > On Wed, Oct 30, 2019 at 5:44 AM Alex Scheel < asch...@redhat.com > wrote: > > > You might try checking journalctl output. > > It might be this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1766451 > > Otherwise, it is a perfect match for this bug: > https://pagure.io/dogtagpki/issue/3111 > > Which I'd also like journalctl output on, if you have any to share. :) > > > I should have a Bodhi update out tonight yet for the issue in the BZ. Without > more information, I'm not sure we'd know what cause for the second issue > is. > > - Alex > > ----- Original Message ----- > > From: "Patrick Dung via FreeIPA-users" < > > freeipa-users@lists.fedorahosted.org > > > To: freeipa-users@lists.fedorahosted.org > > Cc: "Patrick Dung" < patdung...@gmail.com > > > Sent: Tuesday, October 29, 2019 5:29:09 PM > > Subject: [Freeipa-users] FreeIPA having problem after upgrading from Fedora > > 30 to 31 > > > > Hello, > > > > I got problem upgrading from FC30 to FC31. > > Before upgrade the FreeIPA in FC30 is running fine. > > > > After OS upgrade, IPA cannot start and checked that it stuck at the CA > > part. > > I run ipa-server-upgrade manually but there is problem. > > > > 2019-10-29T21:03:58Z DEBUG request GET > > https://home.local.nonet:8443/ca/rest/account/login > > 2019-10-29T21:03:58Z DEBUG request body '' > > 2019-10-29T21:03:58Z DEBUG response status 500 > > 2019-10-29T21:03:58Z DEBUG response headers Content-Type: > > text/html;charset=utf-8 > > Content-Language: en > > Content-Length: 2481 > > Date: Tue, 29 Oct 2019 21:03:58 GMT > > Connection: close > > > > > > 2019-10-29T21:03:58Z DEBUG response body (decoded): b'<!doctype html><html > > lang="en"><head><title>HTTP Status 500 \xe2\x80\x93 Internal Server > > Error</title><style type="text/css">h1 > > {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} > > h2 > > {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} > > h3 > > {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} > > body > > {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b > > {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} > > p > > {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} > > a {color:black;} a.name {color:black;} .line > > {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP > > Status 500 \xe2\x80\x93 Internal Server Error</h1><hr class="line" > > /><p><b>Type</b> Exception Report</p><p><b>Message</b> Subsystem > > unavailable</p><p><b>Description</b> The server encountered an unexpected > > condition that prevented it from fulfilling the > > request.</p><p><b>Exception</b></p><pre> javax.ws.rs > > .ServiceUnavailableException: > > Subsystem > > unavailable\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:150)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:515)\n\tcom.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)\n\torg.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)\n\torg.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408)\n\torg.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)\n\torg.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)\n\ > > torg.apache.tomcat.util.net > > .NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1589)\n\ > > torg.apache.tomcat.util.net > > .SocketProcessorBase.run(SocketProcessorBase.java:49)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\torg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:748)\n</pre><p><b>Note</b> > > The full stack trace of the root cause is available in the server > > logs.</p><hr class="line" /><h3>Apache Tomcat/9.0.26</h3></body></html>' > > 2019-10-29T21:03:58Z ERROR IPA server upgrade failed: Inspect > > /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. > > 2019-10-29T21:03:58Z DEBUG File > > "/usr/lib/python3.7/site-packages/ipapython/admintool.py", line 179, in > > execute > > return_value = self.run() > > File > > "/usr/lib/python3.7/site-packages/ipaserver/install/ipa_server_upgrade.py", > > line 54, in run > > server.upgrade() > > File > > "/usr/lib/python3.7/site-packages/ipaserver/install/server/upgrade.py", > > line 2223, in upgrade > > upgrade_configuration() > > File > > "/usr/lib/python3.7/site-packages/ipaserver/install/server/upgrade.py", > > line 2093, in upgrade_configuration > > ca_enable_ldap_profile_subsystem(ca) > > File > > "/usr/lib/python3.7/site-packages/ipaserver/install/server/upgrade.py", > > line 414, in ca_enable_ldap_profile_subsystem > > cainstance.migrate_profiles_to_ldap() > > File "/usr/lib/python3.7/site-packages/ipaserver/install/cainstance.py", > > line 1937, in migrate_profiles_to_ldap > > _create_dogtag_profile(profile_id, profile_data, overwrite=False) > > File "/usr/lib/python3.7/site-packages/ipaserver/install/cainstance.py", > > line 1943, in _create_dogtag_profile > > with api.Backend.ra_certprofile as profile_api: > > File "/usr/lib/python3.7/site-packages/ipaserver/plugins/dogtag.py", line > > 1315, in __enter__ > > raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA > > REST API')) > > > > 2019-10-29T21:03:58Z DEBUG The ipa-server-upgrade command failed, > > exception: RemoteRetrieveError: Failed to authenticate to CA REST API > > 2019-10-29T21:03:58Z ERROR Unexpected error - see /var/log/ipaupgrade.log > > for details: > > RemoteRetrieveError: Failed to authenticate to CA REST API > > 2019-10-29T21:03:58Z ERROR The ipa-server-upgrade command failed. See > > /var/log/ipaupgrade.log for more information > > > > From /var/log/pki/pki-tomcat/ca/debug log file: > > 2019-10-30 05:03:50 [main] FINE: LdapAuthInfo: init() > > 2019-10-30 05:03:50 [main] FINE: LdapAuthInfo: init begins > > 2019-10-30 05:03:50 [main] FINEST: Getting > > internaldb.ldapauth.authtype=SslClientAuth > > 2019-10-30 05:03:50 [main] FINE: LdapAuthInfo: init ends > > 2019-10-30 05:03:50 [main] FINEST: Property internaldb.errorIfDown not > > found > > 2019-10-30 05:03:50 [main] FINEST: Getting internaldb.errorIfDown=true > > 2019-10-30 05:03:50 [main] FINEST: Property internaldb.doCloning not found > > 2019-10-30 05:03:50 [main] FINEST: Getting internaldb.doCloning=true > > 2019-10-30 05:03:50 [main] FINE: LdapBoundConnFactory: doCloning: true > > 2019-10-30 05:03:50 [main] FINE: LdapBoundConnFactory: mininum: 3 > > 2019-10-30 05:03:50 [main] FINE: LdapBoundConnFactory: maximum: 15 > > 2019-10-30 05:03:50 [main] FINE: LdapBoundConnFactory: host: > > home.local.nonet > > 2019-10-30 05:03:50 [main] FINE: LdapBoundConnFactory: port: 636 > > 2019-10-30 05:03:50 [main] FINE: LdapBoundConnFactory: secure: true > > 2019-10-30 05:03:50 [main] FINE: LdapBoundConnFactory: authentication: 2 > > 2019-10-30 05:03:50 [main] FINE: LdapBoundConnFactory: makeConnection(true) > > 2019-10-30 05:03:50 [main] FINEST: Getting > > internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca > > 2019-10-30 05:03:50 [main] FINEST: Property tcp.keepAlive not found > > 2019-10-30 05:03:50 [main] FINEST: Getting tcp.keepAlive=true > > 2019-10-30 05:03:50 [main] FINE: TCP Keep-Alive: true > > 2019-10-30 05:03:50 [main] FINE: LdapBoundConnection: Connecting to > > home.local.nonet:636 with client cert auth > > 2019-10-30 05:03:50 [main] FINE: ldapconn/PKISocketFactory.makeSSLSocket: > > begins > > 2019-10-30 05:03:50 [main] SEVERE: Unable to create socket: > > java.net.ConnectException: Connection refused (Connection refused) > > java.net.ConnectException: Connection refused (Connection refused) > > at java.net.PlainSocketImpl.socketConnect(Native Method) > > at > > java.net > > .AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) > > at > > java.net > > .AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) > > at > > java.net .AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) > > at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) > > at java.net.Socket.connect(Socket.java:607) > > at java.net.Socket.connect(Socket.java:556) > > at java.net.Socket.<init>(Socket.java:452) > > at java.net.Socket.<init>(Socket.java:262) > > > > Some error is logged to /var/log/messages: > > Oct 30 05:26:50 home server[65722]: WARNING: Exception processing realm > > [com.netscape.cms.tomcat.ProxyRealm@5647a92b] background process > > Oct 30 05:26:50 home server[65722]: > > javax.ws.rs .ServiceUnavailableException: Subsystem unavailable > > Oct 30 05:26:50 home server[65722]: #011at > > com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:142) > > Oct 30 05:26:50 home server[65722]: #011at > > org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1137) > > Oct 30 05:26:50 home server[65722]: #011at > > org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5566) > > Oct 30 05:26:50 home server[65722]: #011at > > org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1353) > > Oct 30 05:26:50 home server[65722]: #011at > > org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1357) > > Oct 30 05:26:50 home server[65722]: #011at > > org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1335) > > Oct 30 05:26:50 home server[65722]: #011at > > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > > Oct 30 05:26:50 home server[65722]: #011at > > java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308) > > Oct 30 05:26:50 home server[65722]: #011at > > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180) > > Oct 30 05:26:50 home server[65722]: #011at > > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294) > > Oct 30 05:26:50 home server[65722]: #011at > > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) > > Oct 30 05:26:50 home server[65722]: #011at > > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) > > Oct 30 05:26:50 home server[65722]: #011at > > org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) > > Oct 30 05:26:50 home server[65722]: #011at > > java.lang.Thread.run(Thread.java:748) > > > > I am able to connect to my ldap server port 636 with TLS without problem. > > > > Thanks, > > Patrick > > > > _______________________________________________ > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org > > Fedora Code of Conduct: > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: > > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org > > > > > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org > _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
