[Freeipa-users] Yum update broke CA/CS - pki-tomcatd not starting

Martin Kosek mkosek at redhat.com
Fri Dec 11 08:23:20 UTC 2015


On 12/11/2015 08:31 AM, Jani West wrote:
> Hello,
>
> Pki-tomcatd seems to have difficulties when connecting to CA. LDAP
> server is starting ok when starting it directly with "systemctl start
> dirsrv.target".
>
> When starting "systemctl start ipa" everything else will startup except the
> pki-tomcatd.
>
> Obviously same thing happens when starting with ipactl directly:
> [root at ipa1 ca]# ipactl start
> Existing service file detected!
> Assuming stale, cleaning and proceeding
> Starting Directory Service
> Starting krb5kdc Service
> Starting kadmin Service
> Starting named Service
> Starting ipa_memcached Service
> Starting httpd Service
> Starting pki-tomcatd Service
> Failed to start pki-tomcatd Service
> Shutting down
> Aborting ipactl
>
>
> /var/log/pki/pki-tomcat/localhost.2015-12-11.log
> SEVERE: Servlet.service() for servlet [caGetStatus] in context with path [/ca]
> threw exception java.io.IOException: CS server is not ready to serve.
>
>
> /var/log/dirsrv/slapd-PLANWEE-LOCAL/errors
> [11/Dec/2015:01:02:19 +0200] - slapd started. Listening on All Interfaces port
> 389 for LDAP requests
> [11/Dec/2015:01:02:19 +0200] - Listening on All Interfaces port 636 for
> LDAPS requests
> [11/Dec/2015:01:02:19 +0200] - Listening on /var/run/slapd-PLANWEE-LOCAL.socket
> for LDAPI requests
> [11/Dec/2015:01:02:19 +0200] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
> -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not
> connected)
> [11/Dec/2015:01:02:19 +0200] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] authentication mechanism [GSSAPI]: error -1
> (Can't contact LDAP server)
>
> /var/log/pki/pki-tomcat/ca/debug
> Internal Database Error encountered: Could not connect to LDAP server
> host ipa1.backend.planwee.local port 636 Error netscape.ldap.LDAPException: IO
> Error creating JSS SSL Socket (-1)
>
> Environment:
> CentOS 7
> IPA 4.1
>
> The problem looks the same as this:
> https://access.redhat.com/solutions/2022123
>
> Unfortunately I cannot view resolution.
>
> is this related to expired CA certificates?

If you have expired certificates (you can check with "# getcert list | grep 
expires"), it could cause issues like that also.

The article you are referring to is rather around wrong CA certificate trust 
attributes in /var/lib/pki/pki-tomcat/alias/ or /etc/dirsrv/slapd-EXAMPLE-COM/ 
NSS databases.

You can check that with
# certutil -L -d /var/lib/pki/pki-tomcat/alias/
# certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM/

BTW, if you want to see the whole article or other articles from the large KB, 
I would suggest getting a subscription :-)
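Both checks from this reply (CA trust attributes in the NSS database, expired certmonger certificates) applied to captured command output, as an added shell example that is not code from the thread or from FreeIPA itself. The sample outputs are constructed, and the CA nickname "caSigningCert cert-pki-ca" is an assumption about the pki-tomcat database, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): run the two checks the reply suggests
# over text captured from "certutil -L" and "getcert list".

# Constructed "certutil -L -d /var/lib/pki/pki-tomcat/alias/" output in which
# the CA signing cert has lost its C (trusted CA) flag in the SSL field.
SAMPLE_CERTUTIL="Certificate Nickname                     Trust Attributes
                                         SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                u,u,u
ocspSigningCert cert-pki-ca              u,u,u
subsystemCert cert-pki-ca                u,u,u
Server-Cert cert-pki-ca                  u,u,u"

# Constructed "getcert list" excerpt: one expired and one valid request.
SAMPLE_GETCERT="Request ID '20150101000000':
        status: MONITORING
        expires: 2015-12-10 01:00:00 UTC
Request ID '20150101000001':
        status: MONITORING
        expires: 2017-06-30 01:00:00 UTC"

# Read certutil -L text on stdin and warn when the entry whose nickname is $1
# lacks the C flag in the first (SSL) trust field. The two header lines are
# skipped. Assumption: the IPA CA entry is named "caSigningCert cert-pki-ca".
check_ca_trust() {
  awk -v ca="$1" '
    NR > 2 && index($0, ca) == 1 {
      split($NF, f, ",")
      if (f[1] !~ /C/) print "WARN: " ca " SSL trust \"" $NF "\" has no C flag"
    }'
}

# Read getcert list text on stdin and print each request whose "expires:" date
# lies before $1 (YYYY-MM-DD, default: today in UTC). ISO dates sort lexically,
# so a plain string comparison is enough.
check_expired() {
  awk -v today="${1:-$(date -u +%Y-%m-%d)}" '
    /^Request ID/ { id = $0 }
    /^[ \t]*expires:/ && $2 < today { print "EXPIRED: " id " (" $2 ")" }'
}

# Run both checks on the constructed samples. On a live server, pipe the real
# commands instead: certutil -L -d /var/lib/pki/pki-tomcat/alias/ | check_ca_trust ...
printf '%s\n' "$SAMPLE_CERTUTIL" | check_ca_trust 'caSigningCert cert-pki-ca'
printf '%s\n' "$SAMPLE_GETCERT" | check_expired 2015-12-11
```

The same check_ca_trust call works against /etc/dirsrv/slapd-EXAMPLE-COM/ once you substitute the CA nickname used in that database.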
