[Freeipa-users] Failed to start pki-tomcatd Service
Lukas Slebodnik
lslebodn at redhat.com
Thu Jul 16 08:58:14 UTC 2015
On (16/07/15 09:56), Alexandre Ellert wrote:
>
>> On 16 Jul 2015 at 09:29, Lukas Slebodnik <lslebodn at redhat.com> wrote:
>>
>> I had a similar issue on fedora 21 or fedora 22.
>> The workarounds from freeipa ticket #4666 did not help for me either.
>> I found out that there was some problem with upgrading dogtag configuration.
>>
>> You can try to run the upgrade manually. It might help you.
>> [root at vm-114 ~]# rpm -q --scripts pki-server
>> postinstall scriptlet (using /bin/sh):
>> ## NOTE: At this time, NO attempt has been made to update ANY PKI subsystem
>> ## from EITHER 'sysVinit' OR previous 'systemd' processes to the new
>> ## PKI deployment process
>>
>> echo "Upgrading server at `/bin/date`." >> /var/log/pki/pki-server-upgrade-10.2.4.log 2>&1
>> /sbin/pki-server-upgrade --silent >> /var/log/pki/pki-server-upgrade-10.2.4.log 2>&1
>> echo >> /var/log/pki/pki-server-upgrade-10.2.4.log 2>&1
>>
>> systemctl daemon-reload
>>
>>
>> In my case, it didn't help. So I updated freeipa to the latest version.
>> Then I installed a similar new freeipa on another machine, so I had a functional
>> dogtag. Then I tried to fix the broken dogtag configuration using the functional
>> configuration from the 2nd freeipa. I would definitely recommend backing up data
>> from the old freeipa before any manual updates.
>>
>> Maybe Fraser would have better advice.
>>
>> LS
>
>I tried the suggested solution with the pki-server-upgrade script but it didn't fix it; the output was:
># cat /var/log/pki/pki-server-upgrade-10.1.2.log
>Upgrading from version 10.1.2 to 10.1.2:
>1. Add TLS Range Support
>
>Upgrade complete.
>
>I will try the second solution and install a fresh new IPA server to compare dogtag configuration.
>Do you know what files/directory I should check ?
>
I filtered my bash history and here is the output. I hope the history contains
all files. Please do not forget to back up all data.
[root at vm-114 ~]# history | grep vimdiff
272 vimdiff pki/pki-tomcat/pki.policy /etc/pki/pki-tomcat/pki.policy
275 vimdiff pki/pki-tomcat/context.xml /etc/pki/pki-tomcat/context.xml
277 vimdiff pki/pki-tomcat/tomcat-users.xml pki/pki-tomcat/tomcat-users.xml
278 vimdiff pki/pki-tomcat/tomcat-users.xml /etc/pki/pki-tomcat/tomcat-users.xml
280 vimdiff pki/pki-tomcat/log4j.properties /etc/pki/pki-tomcat/log4j.properties
288 vimdiff pki/pki-tomcat/password.conf /etc/pki/pki-tomcat/password.conf
290 vimdiff pki/pki-tomcat/password.conf /etc/pki/pki-tomcat/password.conf
293 vimdiff pki/pki-tomcat/tomcat.conf /etc/pki/pki-tomcat/tomcat.conf
299 vimdiff pki/pki-tomcat/server.xml /etc/pki/pki-tomcat/server.xml
302 vimdiff pki/pki-tomcat/Catalina/localhost/ca.xml /etc/pki/pki-tomcat/Catalina/localhost/ca.xml
304 vimdiff pki/pki-tomcat/ca/vlvtasks.ldif /etc/pki/pki-tomcat/ca/vlvtasks.ldif
306 vimdiff pki/pki-tomcat/ca/caOCSPCert.profile /etc/pki/pki-tomcat/ca/caOCSPCert.profile
307 vimdiff pki/pki-tomcat/ca/acl.ldif /etc/pki/pki-tomcat/ca/acl.ldif
309 vimdiff pki/pki-tomcat/ca/adminCert.profile /etc/pki/pki-tomcat/ca/adminCert.profile
312 vimdiff pki/pki-tomcat/ca/database.ldif /etc/pki/pki-tomcat/ca/database.ldif
314 vimdiff pki/pki-tomcat/ca/db.ldif /etc/pki/pki-tomcat/ca/db.ldif
316 vimdiff pki/pki-tomcat/ca/index.ldif /etc/pki/pki-tomcat/ca/index.ldif
318 vimdiff pki/pki-tomcat/ca/manager.ldif /etc/pki/pki-tomcat/ca/manager.ldif
320 vimdiff pki/pki-tomcat/ca/proxy.conf /etc/pki/pki-tomcat/ca/proxy.conf
322 vimdiff pki/pki-tomcat/ca/registry.cfg /etc/pki/pki-tomcat/ca/registry.cfg
325 vimdiff pki/pki-tomcat/ca/schema.ldif /etc/pki/pki-tomcat/ca/schema.ldif
613 vimdiff pki/java/cacerts /etc/pki/java/cacerts
623 vimdiff pki/default.cfg /etc/pki/default.cfg
626 vimdiff pki/pki.version /etc/pki/pki.version
632 vimdiff pki/pki-tomcat/logging.properties /etc/pki/pki-tomcat/logging.properties
635 vimdiff pki/pki-tomcat/catalina.policy /etc/pki/pki-tomcat/catalina.policy
638 vimdiff pki/pki-tomcat/web.xml /etc/pki/pki-tomcat/web.xml
654 vimdiff pki/pki-tomcat/ca/CS.cfg /etc/pki/pki-tomcat/ca/CS.cfg
666 vimdiff pki/ca-trust/ca-legacy.conf /etc/pki/ca-trust/ca-legacy.conf
677 vimdiff pki/nssdb/pkcs11.txt /etc/pki/nssdb/pkcs11.txt
684 vimdiff pki/default.cfg /etc/pki/default.cfg
707 vimdiff pki/tls/openssl.cnf etc/pki/tls/openssl.cnf
708 vimdiff pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf
871 vimdiff slapd-IDM-EXAMPLE-COM/dse.ldif /etc/dirsrv/slapd-IDM-EXAMPLE-COM/dse.ldif
1005 vimdiff pki/pki-tomcat/ca/schema.ldif /etc/pki/pki-tomcat/ca/schema.ldif
It is also possible that some certificates might have expired because dogtag
was not functional for some time. So please take a look at the wiki:
https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
LS
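As an added example (not from Lukas's history or from the freeipa/dogtag projects), a small POSIX sh helper that compares the configuration files named in the history above between a reference copy of a working /etc/pki tree and the live one, so the broken install can be diffed in one pass instead of file by file; the reference location, the exact file list and the special handling of password.conf are assumptions.

```shell
#!/bin/sh
# Added example: compare dogtag/pki-tomcat configuration between a
# reference tree (assumed to be a copy of /etc/pki taken from a fresh,
# working IPA install, e.g. /root/pki) and the live /etc/pki tree.
# The file list mirrors the vimdiff history in the thread (assumption).

# Paths relative to the pki directory that the thread compared.
PKI_CONFIG_FILES="
pki-tomcat/pki.policy
pki-tomcat/context.xml
pki-tomcat/tomcat-users.xml
pki-tomcat/log4j.properties
pki-tomcat/password.conf
pki-tomcat/tomcat.conf
pki-tomcat/server.xml
pki-tomcat/Catalina/localhost/ca.xml
pki-tomcat/ca/CS.cfg
pki-tomcat/ca/registry.cfg
pki-tomcat/ca/proxy.conf
pki.version
default.cfg
"

# pki_config_diff REF LIVE
# Prints one status line per file ("same", "differs", "missing-ref" or
# "missing-live" followed by the relative path) on stdout and a unified
# diff of differing files on stderr. Returns 1 if anything differs or is
# missing, 0 otherwise. password.conf holds NSS token passwords, so it is
# only reported as differing and its contents are never printed.
pki_config_diff() {
    ref="$1"; live="$2"; rc=0
    for f in $PKI_CONFIG_FILES; do
        if [ ! -e "$ref/$f" ]; then
            echo "missing-ref $f"; rc=1; continue
        fi
        if [ ! -e "$live/$f" ]; then
            echo "missing-live $f"; rc=1; continue
        fi
        if cmp -s "$ref/$f" "$live/$f"; then
            echo "same $f"
        else
            echo "differs $f"; rc=1
            case "$f" in
                *password.conf) ;;                       # never print secrets
                *) diff -u "$ref/$f" "$live/$f" >&2 ;;
            esac
        fi
    done
    return $rc
}
```

Run it as `pki_config_diff /root/pki /etc/pki 2>diffs.txt` on the broken server; the status lines tell you which files to look at first and diffs.txt holds the details.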