[Freeipa-users] pki-tomcatd stopped responding? Won't restart?

Dmitri Pal dpal at redhat.com
Tue Mar 17 22:02:56 UTC 2015 

On 03/17/2015 03:41 PM, Janelle wrote:
> On 3/17/15 12:14 PM, Dmitri Pal wrote:
>> On 03/17/2015 12:12 PM, Janelle wrote:
>>> On 3/17/15 9:06 AM, Martin Kosek wrote:
>>>> On 03/17/2015 04:35 PM, Janelle wrote:
>>>>> Hello,
>>>>>
>>>>> I have a server - a master (has CA) - and it does not want to 
>>>>> restart after it
>>>>> has been running sometime. pki-tomcatd keeps failing. It starts up 
>>>>> with these
>>>>> errors, then adds a lot more. Maybe this might point you to 
>>>>> something that is
>>>>> know or a place I can start looking?
>>>>>
>>>>> Any ideas?
>>>>> ~J
>>>>>
>>>>> Mar 17, 2015 8:21:03 AM 
>>>>> org.apache.catalina.startup.SetAllPropertiesRule begin
>>>>> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting 
>>>>> property
>>>>> 'enableOCSP' to 'false' did not find a matching property.
>>>>>
>>>>> Mar 17, 2015 8:21:03 AM 
>>>>> org.apache.catalina.startup.SetAllPropertiesRule begin
>>>>> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting 
>>>>> property
>>>>> 'ocspResponderURL' to 'http://ipa-server.example.com:9080/ca/ocsp' 
>>>>> did not find
>>>>> a matching property.
>>>>>
>>>>> Mar 17, 2015 8:21:03 AM 
>>>>> org.apache.catalina.startup.SetAllPropertiesRule begin
>>>>> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting 
>>>>> property
>>>>> 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did 
>>>>> not find a
>>>>> matching property.
>>>>>
>>>>> Mar 17, 2015 8:21:03 AM 
>>>>> org.apache.catalina.startup.SetAllPropertiesRule begin
>>>>> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting 
>>>>> property
>>>>> 'ocspCacheSize' to '1000' did not find a matching property.
>>>>>
>>>>> Mar 17, 2015 8:21:03 AM 
>>>>> org.apache.catalina.startup.SetAllPropertiesRule begin
>>>>> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting 
>>>>> property
>>>>> 'ocspMinCacheEntryDuration' to '60' did not find a matching property.
>>>>>
>>>>> Mar 17, 2015 8:21:03 AM 
>>>>> org.apache.catalina.startup.SetAllPropertiesRule begin
>>>>> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting 
>>>>> property
>>>>> 'ocspMaxCacheEntryDuration' to '120' did not find a matching 
>>>>> property.
>>>>>
>>>>> Mar 17, 2015 8:21:03 AM 
>>>>> org.apache.catalina.startup.SetAllPropertiesRule begin
>>>>> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting 
>>>>> property
>>>>> 'ocspTimeout' to '10' did not find a matching property.
>>>>>
>>>>> Mar 17, 2015 8:21:03 AM 
>>>>> org.apache.catalina.startup.SetAllPropertiesRule begin
>>>>> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting 
>>>>> property
>>>>> 'strictCiphers' to 'true' did not find a matching property.
>>>>> Mar 17, 2015 8:21:03 AM 
>>>>> org.apache.catalina.startup.SetAllPropertiesRule begin
>>>>>
>>>>> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting 
>>>>> property
>>>>> 'sslOptions' to 'ssl2=true,ssl3=true,tls=true' did not find a 
>>>>> matching property.
>>>>>
>>>> CCing folks from Dogtag team to know about this issue. However, I 
>>>> think you
>>>> will need to provide more information before we continue with 
>>>> issues - like
>>>> version of FreeIPA, pki-ca packages, what system you are running it on
>>>> (Fedora/RHEL/CentOS/...) and maybe whole logs pasted somewhere 
>>>> (system and
>>>> catalina.out logs are usually most interesting ones).
>>> My bad --
>>>
>>> CentOS 7
>>> FreeIPA 4.1.3 from mosek
>>>
>>> The strange thing is -- 12 other servers - 3 of which are CA masters 
>>> and no issues,
>>>
>>> ~J
>>>
>> Just some areas to check:
>> - versions of dogtag package
>> - versions of nss package
>>
> pki-tools-10.1.2-7.1.el7.centos.x86_64
> dogtag-pki-server-theme-10.1.1-1.el7.centos.noarch
> pki-server-10.1.2-7.1.el7.centos.noarch
> krb5-pkinit-1.12.2-9.el7.centos.x86_64
> pki-base-10.1.2-7.1.el7.centos.noarch
> pki-ca-10.1.2-7.1.el7.centos.noarch
>
> mod_nss-1.0.8-32.el7.x86_64
> nss-sysinit-3.16.2.3-2.el7_0.x86_64
> python-nss-0.15.0-1.el7.centos.x86_64
> nss-softokn-3.16.2.3-1.el7_0.x86_64
> nss-softokn-freebl-3.16.2.3-1.el7_0.x86_64
> nss-tools-3.16.2.3-2.el7_0.x86_64
> nss-util-3.16.2.3-1.el7_0.x86_64
> nss-3.16.2.3-2.el7_0.x86_64
>
> Anything? All the servers are identical.
>
> ~J
>
No if they are same then it is not it.
We need to find what is different on these machines. May be it is tomcat 
or tomcatjss that is different.


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

More information about the Freeipa-users mailing list