Florence Blanc-Renaud via FreeIPA-users wrote:
> On 9/16/20 11:42 AM, Stuart McRobert via FreeIPA-users wrote:
>> Dear flo,
>>
>>> At this point you also need to restart pki:
>>
>> Thanks, restarted and resubmitted the request, then waited, but sadly I
>> guess something else may also need attention?
>>
>> Best wishes
>>
>> Stuart
>>
>> ----------------------------------------------------------------------------------------------------------------
>>
>>
>> [root@freeipa01 ~]# systemctl status pki-tomcatd@pki-tomcat.service
>> ● pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
>> Loaded: loaded (/lib/systemd/system/pki-tomcatd@.service; enabled;
>> vendor preset: disabled)
>> Active: active (running) since Wed 2020-09-16 09:03:41 BST; 1
>> months 0 days left
>> Process: 1236 ExecStartPre=/usr/bin/pkidaemon start pki-tomcat
>> (code=exited, status=0/SUCCESS)
>> Main PID: 1353 (java)
>> Tasks: 91 (limit: 4915)
>> CGroup:
>> /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd@pki-tomcat.service
>> └─1353 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
>> -DRESTEASY_LIB=/usr/share/java/resteasy
>> -Djava.library.path=/usr/lib64/nuxwd
>>
>> Aug 16 09:42:58 freeipa01.our_domain server[1353]: Aug 16, 2020
>> 9:42:58 AM org.apache.catalina.core.ContainerBase bac
>> Aug 16 09:42:58 freeipa01.our_domain server[1353]: WARNING: Exception
>> processing realm com.netscape.cms.tomcat.ProxyR
>> Aug 16 09:42:58 freeipa01.our_domain server[1353]:
>> javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
>> Aug 16 09:42:58 freeipa01.our_domain server[1353]: at
>> com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(Pr
>> Aug 16 09:42:58 freeipa01.our_domain server[1353]: at
>> org.apache.catalina.core.ContainerBase.backgroundProces
>> Aug 16 09:42:58 freeipa01.our_domain server[1353]: at
>> org.apache.catalina.core.StandardContext.backgroundProc
>> Aug 16 09:42:58 freeipa01.our_domain server[1353]: at
>> org.apache.catalina.core.ContainerBase$ContainerBackgro
>> Aug 16 09:42:58 freeipa01.our_domain server[1353]: at
>> org.apache.catalina.core.ContainerBase$ContainerBackgro
>> Aug 16 09:42:58 freeipa01.our_domain server[1353]: at
>> org.apache.catalina.core.ContainerBase$ContainerBackgro
>> Aug 16 09:42:58 freeipa01.our_domain server[1353]: at
>> java.lang.Thread.run(Thread.java:748)
>> [root@freeipa01 ~]# systemctl restart pki-tomcatd@pki-tomcat.service
>> [root@freeipa01 ~]# systemctl status pki-tomcatd@pki-tomcat.service
>> ● pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
>> Loaded: loaded (/lib/systemd/system/pki-tomcatd@.service; enabled;
>> vendor preset: disabled)
>> Active: active (running) since Sun 2020-08-16 09:43:19 BST; 3s ago
>> Process: 1987 ExecStop=/usr/libexec/tomcat/server stop
>> (code=exited, status=0/SUCCESS)
>> Process: 2021 ExecStartPre=/usr/bin/pkidaemon start pki-tomcat
>> (code=exited, status=0/SUCCESS)
>> Main PID: 2135 (java)
>> Tasks: 17 (limit: 4915)
>> CGroup:
>> /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd@pki-tomcat.service
>> └─2135 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
>> -DRESTEASY_LIB=/usr/share/java/resteasy
>> -Djava.library.path=/usr/lib64/nuxwd
>>
>> Aug 16 09:43:22 freeipa01.our_domain server[2135]: Aug 16, 2020
>> 9:43:22 AM org.apache.catalina.startup.HostConfig dep
>> Aug 16 09:43:22 freeipa01.our_domain server[2135]: INFO: Deploying
>> configuration descriptor /etc/pki/pki-tomcat/Catal
>> Aug 16 09:43:22 freeipa01.our_domain server[2135]: Aug 16, 2020
>> 9:43:22 AM org.apache.jasper.servlet.TldScanner scanJ
>> Aug 16 09:43:22 freeipa01.our_domain server[2135]: INFO: At least one
>> JAR was scanned for TLDs yet contained no TLDs.
>> Aug 16 09:43:22 freeipa01.our_domain server[2135]: Aug 16, 2020
>> 9:43:22 AM org.apache.catalina.startup.HostConfig dep
>> Aug 16 09:43:22 freeipa01.our_domain server[2135]: INFO: Deployment of
>> configuration descriptor /etc/pki/pki-tomcat/C
>> Aug 16 09:43:22 freeipa01.our_domain server[2135]: Aug 16, 2020
>> 9:43:22 AM org.apache.catalina.startup.HostConfig dep
>> Aug 16 09:43:22 freeipa01.our_domain server[2135]: INFO: Deploying
>> configuration descriptor /etc/pki/pki-tomcat/Catal
>> Aug 16 09:43:22 freeipa01.our_domain server[2135]:
>> SSLAuthenticatorWithFallback: Creating SSL authenticator with fall
>> Aug 16 09:43:22 freeipa01.our_domain server[2135]:
>> SSLAuthenticatorWithFallback: Setting container
>> [root@freeipa01 ~]# getcert resubmit -i 20170405152512
>> Resubmitting "20170405152512" to "IPA".
>> [root@freeipa01 ~]# sleep 120
>> [root@freeipa01 ~]# getcert list -i 20170405152512
>> Number of certificates and requests being tracked: 8.
>> Request ID '20170405152512':
>> status: CA_UNREACHABLE
>> ca-error: Server at https://freeipa01.our_domain/ipa/xml failed
>> request, will retry: 4035 (RPC failed at server. Request failed with
>> status 500: Non-2xx response from CA REST API: 500. ).
>
> Hi,
> can you enable debug logs? Create a file /etc/ipa/server.conf with the
> following content:
> [global]
> debug=True
>
> then restart httpd: systemctl restart httpd
> and check the content of /var/log/httpd/error_log when you run the
> getcert resubmit command. This may provide additional information,
> around a line with "cert_request(..."
>
> The operation should also be visible in
> /var/log/pki/pki-tomcat/localhost_access_log.$DATE.txt with "POST
> ca/rest/certrequests?..." and in /var/log/pki/pki-tomcat/ca/debug.
I'm a bit suspicious that the CA is actually running. The CA is a servlet
within tomcat so its status is independent of whether tomcatd is running
or not. This is reinforced by the fact that the request is returning a
500 error.

While back in time, when the Apache cert is still valid, you can test
whether the CA is up with:

ipa cert-show 1

rob

>
> flo
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=OUR_DOMAIN
>> subject: CN=freeipa01.our_domain,O=OUR_DOMAIN
>> expires: 2020-09-04 17:46:56 BST
>> principal name: HTTP/freeipa01.our_domain@OUR_DOMAIN
>> key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>> track: yes
>> auto-renew: yes
>> [root@freeipa01 ~]# date
>> Sun 16 Aug 09:46:26 BST 2020
>> [root@freeipa01 ~]# getcert list -i 20170405152512
>> Number of certificates and requests being tracked: 8.
>> Request ID '20170405152512':
>> status: CA_UNREACHABLE
>> ca-error: Server at https://freeipa01.our_domain/ipa/xml failed
>> request, will retry: 4035 (RPC failed at server. Request failed with
>> status 500: Non-2xx response from CA REST API: 500. ).
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=OUR_DOMAIN
>> subject: CN=freeipa01.our_domain,O=OUR_DOMAIN
>> expires: 2020-09-04 17:46:56 BST
>> principal name: HTTP/freeipa01.our_domain@OUR_DOMAIN
>> key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>> track: yes
>> auto-renew: yes
>> [root@freeipa01 ~]# date
>> Sun 16 Aug 09:53:16 BST 2020
>> [root@freeipa01 ~]#
>>
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to
>> freeipa-users-le...@lists.fedorahosted.org
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
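An added example, not code from this thread and not FreeIPA's or certmonger's own tooling, that scripts the triage flo and Rob describe: enable IPA debug logging in /etc/ipa/server.conf, read the certmonger status out of `getcert list` output, look for the `cert_request(` line in httpd's error_log and for the `POST ca/rest/certrequests` entries in the pki-tomcat access log, and fall back to Rob's live probe `ipa cert-show 1` where the `ipa` client exists. The paths, endpoint and commands come from the thread; the getcert output, error_log lines and access-log lines embedded below are constructed samples, and the function names, the access-log line shape and the `diagnose` classification (a running pki-tomcatd unit plus CA_UNREACHABLE plus HTTP 500 from the REST API means the CA servlet itself is failing, which is Rob's reasoning) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA). Helpers for the triage
# steps above; every log line and getcert snippet below is constructed sample data.

# Step 1: ensure the file at $1 (normally /etc/ipa/server.conf) carries
# debug=True under [global]. Assumes [global] is the only section, as in the
# freshly created file flo asks for. Prints how many debug=True lines exist.
enable_ipa_debug() {
    conf="$1"
    if [ ! -f "$conf" ]; then
        printf '[global]\ndebug=True\n' > "$conf"
    elif ! grep -q '^debug=True' "$conf"; then
        grep -q '^\[global\]' "$conf" || printf '[global]\n' >> "$conf"
        printf 'debug=True\n' >> "$conf"
    fi
    grep -c '^debug=True' "$conf"
}

# Step 2: pull the status field out of `getcert list -i <id>` output ($1).
getcert_status() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*status:[[:space:]]*//p' | head -n 1
}

# Step 3: count error_log lines ($1) that belong to the cert_request call.
cert_request_lines() {
    printf '%s\n' "$1" | grep -c 'cert_request('
}

# Step 4: HTTP status codes Tomcat returned for POST /ca/rest/certrequests in
# localhost_access_log ($1). Assumes Common Log Format: the status code is the
# first token after the quoted request line.
ca_rest_post_codes() {
    printf '%s\n' "$1" | awk -F'"' '
        $2 ~ /^POST \/ca\/rest\/certrequests/ { split($3, f, " "); print f[1] }'
}

# Combine the evidence the way Rob reasons about it: certmonger says
# CA_UNREACHABLE and the REST API answers 500, so the CA servlet is failing
# even though the pki-tomcatd unit is "active (running)".
diagnose() {
    status="$1"; codes="$2"
    if [ "$status" = "CA_UNREACHABLE" ] && printf '%s\n' "$codes" | grep -q '^500$'; then
        echo "ca-servlet-failing"
    elif [ "$status" = "MONITORING" ]; then
        echo "renewed"
    else
        echo "inconclusive"
    fi
}

# Live probe from Rob's reply; only meaningful on the IPA server itself.
live_probe() {
    command -v ipa >/dev/null 2>&1 || { echo "skipped"; return 0; }
    if ipa cert-show 1 >/dev/null 2>&1; then echo "ca-up"; else echo "ca-down"; fi
}

# Constructed sample inputs mirroring the shapes seen in the thread.
SAMPLE_GETCERT="Request ID '20170405152512':
	status: CA_UNREACHABLE
	ca-error: Server at https://freeipa01.our_domain/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. ).
	stuck: no"

SAMPLE_ERROR_LOG="[Sun Aug 16 09:44:10 2020] ipa: DEBUG: raw: cert_request(CONSTRUCTED_CSR, principal='HTTP/freeipa01.our_domain@OUR_DOMAIN', add=True)
[Sun Aug 16 09:44:10 2020] ipa: DEBUG: cert_request(...): CONSTRUCTED_ERROR"

SAMPLE_ACCESS_LOG='127.0.0.1 - - [16/Aug/2020:09:44:10 +0100] "GET /ca/ee/ca/getCertChain HTTP/1.1" 200 2048
127.0.0.1 - - [16/Aug/2020:09:44:11 +0100] "POST /ca/rest/certrequests HTTP/1.1" 500 512'

main() {
    tmpconf=$(mktemp)
    echo "debug=True lines in $tmpconf: $(enable_ipa_debug "$tmpconf")"
    rm -f "$tmpconf"
    status=$(getcert_status "$SAMPLE_GETCERT")
    codes=$(ca_rest_post_codes "$SAMPLE_ACCESS_LOG")
    echo "certmonger status: $status"
    echo "cert_request lines in error_log: $(cert_request_lines "$SAMPLE_ERROR_LOG")"
    echo "CA REST POST status codes: $codes"
    echo "diagnosis: $(diagnose "$status" "$codes")"
    echo "live probe: $(live_probe)"
}

main "$@"
```

On a real server, replace the SAMPLE_ variables with `getcert list -i <request id>`, `/var/log/httpd/error_log` and the current `/var/log/pki/pki-tomcat/localhost_access_log.$DATE.txt`, and pass `/etc/ipa/server.conf` to `enable_ipa_debug` before the `systemctl restart httpd` and `getcert resubmit` steps.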