[Freeipa-users] Yum update broke CA/CS - pki-tomcatd not starting

Jani West jwest at iki.fi
Fri Dec 11 07:31:47 UTC 2015


Hello,

Pki-tomcatd seems to have difficulties when connecting to CA. LDAP
server is starting ok when starting it directly with "systemctl start
dirsrv.target".

When starting "systemctl start ipa" everything else will start up except
the pki-tomcatd.

Obviously the same thing happens when starting with ipactl directly:
[root@ipa1 ca]# ipactl start
Existing service file detected!
Assuming stale, cleaning and proceeding
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Starting pki-tomcatd Service
Failed to start pki-tomcatd Service
Shutting down
Aborting ipactl


/var/log/pki/pki-tomcat/localhost.2015-12-11.log
SEVERE: Servlet.service() for servlet [caGetStatus] in context with path 
[/ca] threw exception java.io.IOException: CS server is not ready to serve.


/var/log/dirsrv/slapd-PLANWEE-LOCAL/errors
[11/Dec/2015:01:02:19 +0200] - slapd started. Listening on All 
Interfaces port 389 for LDAP requests
[11/Dec/2015:01:02:19 +0200] - Listening on All Interfaces port 636 for
LDAPS requests
[11/Dec/2015:01:02:19 +0200] - Listening on 
/var/run/slapd-PLANWEE-LOCAL.socket for LDAPI requests
[11/Dec/2015:01:02:19 +0200] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
-1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is 
not connected)
[11/Dec/2015:01:02:19 +0200] slapi_ldap_bind - Error: could not perform
interactive bind for id [] authentication mechanism [GSSAPI]: error -1
(Can't contact LDAP server)

/var/log/pki/pki-tomcat/ca/debug
Internal Database Error encountered: Could not connect to LDAP server
host ipa1.backend.planwee.local port 636 Error 
netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)

Environment:
CentOS 7
IPA 4.1

The problem looks the same as this:
https://access.redhat.com/solutions/2022123

Unfortunately I cannot view the resolution.

Is this related to expired CA certificates?

-- 
-- Jani West  --  jwest at iki.fi
