[Freeipa-users] Unit pki-tomcatd@pki-tomcat.service entered failed state @ vanilla install on jessie – with log attached

Ade Lee alee at redhat.com
Thu Dec 11 16:49:56 UTC 2014


On Tue, 2014-12-09 at 23:52 +0100, chymian wrote:
> On Tuesday, 9 December 2014, 09:49:04, Ade Lee wrote:
> 
> > On Tue, 2014-12-09 at 13:54 +0100, chymian wrote:
> 
> > > hey people,
> > >
> > > after a successful install of ipa 4.0.5-2 on jessie, the named services started flawlessly during setup. see attached log, Installation summary (line 3107)
> > > but after reboot, it refuses to start. (did this install a couple times, on vanilla jessie)
> > >
> > > I can reach & work with Dogtag https://ipa.eb8.lan:8443/ca, but not the admin-services on https://ipa.eb8.lan/ca/ee/ca and https://ipa.eb8.lan/ca/agent/ca.
> > >
> > > $ systemctl status pki-tomcatd@pki-tomcat.service
> > > ● pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
> > > Loaded: loaded (/lib/systemd/system/pki-tomcatd@.service; enabled)
> > > Active: failed (Result: resources)
> > >
> > > Dez 08 20:40:13 ipa systemd[1]: Starting PKI Tomcat Server pki-tomcat...
> > > Dez 08 20:40:13 ipa systemd[1]: Failed to load environment files: No such file or directory
> > > Dez 08 20:40:13 ipa systemd[1]: pki-tomcatd@pki-tomcat.service failed to run 'start-pre' task: No such file or directory
> > > Dez 08 20:40:13 ipa systemd[1]: Failed to start PKI Tomcat Server pki-tomcat.
> > > Dez 08 20:40:13 ipa systemd[1]: Unit pki-tomcatd@pki-tomcat.service entered failed state.
> 
> > Is dogtag actually running? ps -ef |grep java
>
> it shows:
>
> pkiuser 676 1 0 13:25 ? 00:00:26 /usr/lib/jvm/default-java/bin/java -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -DRESTEASY_LIB=/usr/share/java/ -Djava.endorsed.dirs=/usr/share/tomcat7/endorsed -classpath /usr/share/tomcat7/bin/bootstrap.jar:/var/lib/pki/pki-tomcat/bin/tomcat-juli.jar -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat7 -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp org.apache.catalina.startup.Bootstrap start
>
> is it meant to be, that the dogtag-pki package itself is not installed, just the dogtag-pki-server-theme is
> and a couple pki-packages… pki-base, pki-ca, pki-server, pki-tools?

Ok, so as far as I can see, the dogtag CA is in fact up and operational.
The systemctl error messages are probably a result of the systemd unit
scripts not yet being used.

We clearly see that the IPA RA and Jar signing certs are issued with no
problems.  I do notice a few attempts to reach the agent pages which
result in failed authentication.  My guess is that you are trying to
access these pages using the browser and are not providing the agent
cert.

As you have the dogtag-pki-server-theme package installed, you should be
able to reach the UI.  But ..

-- If you try to access the dogtag UI pages through port 80 and 443,
then you are going through the apache instance for IPA.  This instance
talks to Dogtag on the back-end using AJP, and has a proxy configuration
file that only permits certain URL paths to go through.

-- If you want to access the Dogtag UI pages, you need to access
https://host:8443/... or http://host:8080/...

To access the agent pages, you need to import the IPA RA agent
certificate into your browser (and trust the CA cert).  That cert/key is
in the IPA HTTP certdb.  You will need to extract it from there as a p12
file and import it into your browser.

Ade

> > You could try restarting it -
> > systemctl restart pki-tomcatd@pki-tomcat.service
>
> fails with same log-msg.
>
> > The logs should be found in the journal -->
> > journalctl -u pki-tomcatd@pki-tomcat.service
>
> same as above.
>
> > Other debug logs should be found under /var/log/pki/pki-tomcat/. Please
> > provide a tar of that directory.
>
> attached
>
> 
> > I am curious what the unit file looks like: On Fedora, it's
> > at /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service
>
> lrwxrwxrwx 1 pkiuser pkiuser 40 Dez 8 20:22 pki-tomcatd@pki-tomcat.service -> /lib/systemd/system/pki-tomcatd@.service
>
> root@ipa /etc/systemd/system/pki-tomcatd.target.wants
> $ cat pki-tomcatd@pki-tomcat.service
> [Unit]
> Description=PKI Tomcat Server %i
> After=pki-tomcatd.target network.target
> PartOf=pki-tomcatd.target
>
> [Service]
> Type=simple
> EnvironmentFile=/etc/tomcat/tomcat.conf
> Environment="NAME=%i"
> EnvironmentFile=-/etc/default/%i
> ExecStartPre=/usr/bin/pkidaemon start %i
> ExecStart=/usr/libexec/tomcat/server start
> ExecStop=/usr/libexec/tomcat/server stop
> SuccessExitStatus=143
> User=pkiuser
> Group=pkiuser
>
> [Install]
> WantedBy=multi-user.target
>
> > which points to an EnvironmentFile /etc/tomcat/tomcat.conf. Does that
> > file exist?
> 
>
> there is not even a dir. /etc/tomcat/, or rather a tomcat.conf in it.
>
> this is what was installed:
>
> ii libtomcat7-java 7.0.56-1
> ii libtomcatjss-java 7.1.1-2
> ii tomcat7-common 7.0.56-1
> ii tomcat7-user 7.0.56-1
>
> and if I would install tomcat7, it would give me an /etc/tomcat7 – not a /etc/tomcat
>
> and, here on debian, there is no such dir. /usr/libexec.
> seems that the unitfile is more a centos one.
>
> but:
>
> systemctl status pki-tomcatd.service
> ● pki-tomcatd.service - LSB: Start pki-tomcatd at boot time
> Loaded: loaded (/etc/init.d/pki-tomcatd)
> Active: active (running) since Di 2014-12-09 13:25:12 CET; 10h ago
> CGroup: /user.slice/user-0.slice/session-5.scope/system.slice/pki-tomcatd.service
> └─676 /usr/lib/jvm/default-java/bin/java -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.log...
>
> Dez 09 13:25:12 ipa pki-tomcatd[484]: .
> Dez 09 13:25:12 ipa systemd[1]: Started LSB: Start pki-tomcatd at boot time.
>
> which is started with a /etc/init.d/pki-tomcatd script, not systemd-unit-file – yet.
>
> 
> > Ade
>
> thx,
> guenter
>
> > > a second service fails to start:
> > >
> > > $ systemctl status dirsrv-snmp.service
> > > ● dirsrv-snmp.service - 389 Directory Server SNMP Subagent.
> > > Loaded: loaded (/lib/systemd/system/dirsrv-snmp.service; enabled)
> > > Active: failed (Result: exit-code) since Di 2014-12-09 13:25:04 CET; 5min ago
> > > Process: 156 ExecStart=/usr/sbin/ldap-agent /etc/dirsrv/config/ldap-agent.conf (code=exited, status=1/FAILURE)
> > >
> > > Dez 09 13:25:04 ipa systemd[1]: Starting 389 Directory Server SNMP Subagent....
> > > Dez 09 13:25:04 ipa ldap-agent[156]: ldap-agent: No server instances defined in config file
> > > Dez 09 13:25:04 ipa systemd[1]: dirsrv-snmp.service: control process exited, code=exited status=1
> > > Dez 09 13:25:04 ipa systemd[1]: Failed to start 389 Directory Server SNMP Subagent..
> > > Dez 09 13:25:04 ipa systemd[1]: Unit dirsrv-snmp.service entered failed state.
> > >
> > > except these, I was able to subscribe a jessie-client with autodiscovery right after I did configure the ipa-server, before first reboot.
> > >
> > > any help appreciated, since I do not have much experience with IPA – yet.
> > > guenter
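The "Failed to load environment files" error in this thread comes from a unit that names files absent on the host. The script below is an added example, not part of the original messages and not FreeIPA or Dogtag code; it reports every path an `EnvironmentFile=` or `Exec*=` line references that does not exist. The function names, the optional ROOT argument and the constructed test root are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. A leading "-" on a path tells systemd to tolerate a missing
# EnvironmentFile (or a failing command), so such entries are reported only
# as "optional-missing" and do not change the return code.

check_unit_paths() {  # usage: check_unit_paths UNIT_FILE INSTANCE [ROOT]
    unit=$1 inst=$2 root=${3:-} rc=0
    while IFS= read -r line; do
        case $line in
            EnvironmentFile=*|ExecStartPre=*|ExecStart=*|ExecStop=*) ;;
            *) continue ;;
        esac
        key=${line%%=*}
        val=${line#*=}
        val=${val%% *}                      # keep only the file or executable
        optional=no
        case $val in -*) optional=yes; val=${val#-} ;; esac
        path=$(printf '%s' "$val" | sed "s|%i|$inst|g")  # expand instance name
        [ -e "$root$path" ] && continue
        if [ "$optional" = yes ]; then
            echo "optional-missing $key $path"
        else
            echo "MISSING $key $path"
            rc=1
        fi
    done < "$unit"
    return "$rc"
}

# The [Service] path lines of the unit file quoted in the thread.
write_sample_unit() {  # usage: write_sample_unit FILE
    cat > "$1" <<'EOF'
[Service]
EnvironmentFile=/etc/tomcat/tomcat.conf
Environment="NAME=%i"
EnvironmentFile=-/etc/default/%i
ExecStartPre=/usr/bin/pkidaemon start %i
ExecStart=/usr/libexec/tomcat/server start
ExecStop=/usr/libexec/tomcat/server stop
EOF
}

# Demo against a constructed root that contains only /usr/bin/pkidaemon.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/root/usr/bin" && : > "$tmp/root/usr/bin/pkidaemon"
    write_sample_unit "$tmp/unit"
    check_unit_paths "$tmp/unit" pki-tomcat "$tmp/root" || true
    rm -rf "$tmp"
}
demo
```

On a live host, call `check_unit_paths /lib/systemd/system/pki-tomcatd@.service pki-tomcat` with no ROOT argument to test against the real filesystem.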




