[Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

Sina Owolabi notify.sina at gmail.com
Mon May 18 16:17:57 UTC 2015


Hi Rob

There are some logs in /var/log/pki-ca/catalina.out that appear to
indicate a problem:
CMS Warning: FAILURE: Cannot build CA chain. Error
java.security.cert.CertificateException: Certificate is not a PKCS #11
certificate|FAILURE: authz instance DirAclAuthz initialization failed
and skipped, error=Property internaldb.ldapconn.port missing value|
Server is started.

SEVERE: A web application appears to have started a thread named
[Timer-0] but has failed to stop it. This is very likely to create a
memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader
clearReferencesThreads
SEVERE: A web application appears to have started a thread named
[/var/lib/pki-ca/logs/signedAudit/ca_audit.flush-3] but has failed to
stop it. This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader
clearReferencesThreads
SEVERE: A web application appears to have started a thread named
[/var/lib/pki-ca/logs/signedAudit/ca_audit.rollover-4] but has failed
to stop it. This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader
clearReferencesThreads
SEVERE: A web application appears to have started a thread named
[/var/lib/pki-ca/logs/system.flush-5] but has failed to stop it. This
is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader
clearReferencesThreads
SEVERE: A web application appears to have started a thread named
[/var/lib/pki-ca/logs/system.rollover-6] but has failed to stop it.
This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader
clearReferencesThreads
SEVERE: A web application appears to have started a thread named
[/var/lib/pki-ca/logs/transactions.flush-7] but has failed to stop it.
This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader
clearReferencesThreads
SEVERE: A web application appears to have started a thread named
[/var/lib/pki-ca/logs/transactions.rollover-8] but has failed to stop
it. This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader
clearReferencesThreads
SEVERE: A web application appears to have started a thread named
[/var/lib/pki-ca/logs/selftests.log.flush-9] but has failed to stop
it. This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader
clearReferencesThreads
SEVERE: A web application appears to have started a thread named
[/var/lib/pki-ca/logs/selftests.log.rollover-10] but has failed to
stop it. This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader
clearReferencesThreads
SEVERE: A web application appears to have started a thread named
[LDAPConnThread-2 ldap://dc.ourdom.com:7389] but has failed to stop
it. This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader
clearReferencesThreads
SEVERE: A web application appears to have started a thread named
[LDAPConnThread-3 ldap://dc.ourdom.com:7389] but has failed to stop
it. This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader
clearReferencesThreads
SEVERE: A web application appears to have started a thread named
[LDAPConnThread-4 ldap://dc.ourdom.com:7389] but has failed to stop
it. This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader
clearReferencesThreads
SEVERE: A web application appears to have started a thread named
[LDAPConnThread-5 ldap://dc.ourdom.com:7389] but has failed to stop
it. This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader
clearReferencesThreads
SEVERE: A web application appears to have started a thread named
[LDAPConnThread-6 ldap://dc.ourdom.com:7389] but has failed to stop
it. This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader
clearReferencesThreads
SEVERE: A web application appears to have started a thread named
[LDAPConnThread-8 ldap://dc.ourdom.com:7389] but has failed to stop
it. This is very likely to create a memory leak.
May 24, 2013 11:47:35 AM org.apache.catalina.loader.WebappClassLoader
clearReferencesThreads

May 24, 2013 11:48:10 AM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal
performance in production environments was not found on the
java.library.path:
/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64/server:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/../lib/amd64:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib


SEVERE: A web application created a ThreadLocal with key of type
[null] (value [com.netscape.cmscore.util.Debug$1@7e8905bd]) and a
value of type [java.text.SimpleDateFormat] (value
[java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when
the web application was stopped. To prevent a memory leak, the
ThreadLocal has been forcibly removed.
May 24, 2013 12:17:01 PM org.apache.catalina.loader.WebappClassLoader
clearThreadLocalMap
SEVERE: A web application created a ThreadLocal with key of type
[null] (value [com.netscape.cmscore.util.Debug$1@7e8905bd]) and a
value of type [java.text.SimpleDateFormat] (value
[java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when
the web application was stopped. To prevent a memory leak, the
ThreadLocal has been forcibly removed.
May 24, 2013 12:17:01 PM org.apache.catalina.loader.WebappClassLoader
clearThreadLocalMap
SEVERE: A web application created a ThreadLocal with key of type
[null] (value [com.netscape.cmscore.util.Debug$1@7e8905bd]) and a
value of type [java.text.SimpleDateFormat] (value
[java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when
the web application was stopped. To prevent a memory leak, the
ThreadLocal has been forcibly removed.


Also, running "getcert list" tells me there are two expired certs:

Request ID '20130524104636':
        status: CA_UNREACHABLE
        ca-error: Server at https://dc.ourdom.com/ipa/xml failed
request, will retry: 907 (RPC failed at server.  cannot connect to
'https://dc.ourdom.com:443/ca/agent/ca/displayBySerial': [Errno
-12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your
certificate as expired.).
        stuck: no


Request ID '20130524104828':
        status: CA_UNREACHABLE
        ca-error: Server at https://dc.ourdom.com/ipa/xml failed
request, will retry: 907 (RPC failed at server.  cannot connect to
'https://dc.ourdom.com:443/ca/agent/ca/displayBySerial': [Errno
-12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your
certificate as expired.).
        stuck: no

I'd be grateful to know what to do.

On Mon, May 18, 2015 at 3:05 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> Sina Owolabi wrote:
>>
>> Yes, the CA is running, and it's on the same machine.
>>
>> [root@dc ~]# ipa-replica-prepare dc01.ourdom.com --ip-address 192.168.2.40
>>
>> Directory Manager (existing master) password:
>>
>>
>> Preparing replica for dc01.ourdom.com from dc.ourdom.com
>>
>> Creating SSL certificate for the Directory Server
>>
>> Certificate operation cannot be completed: Unable to communicate with
>> CMS (Not Found)
>>
>> [root@dc ~]# ipactl status
>>
>> Directory Service: RUNNING
>>
>> KDC Service: RUNNING
>>
>> KPASSWD Service: RUNNING
>>
>> DNS Service: RUNNING
>>
>> MEMCACHE Service: RUNNING
>>
>> HTTP Service: RUNNING
>>
>> CA Service: RUNNING
>>
>> [root@dc ~]#
>
>
> This suggests that, while the process is running, the CA isn't actually
> operational. You'll need to poke through the logs in /var/log/pki* to see if
> there are any errors.
>
> I'd also see if the certificates are expired by running `getcert list` as
> root.
>
> rob
>
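The `getcert list` output above shows the shape of the problem: certmonger reports the CA as unreachable, and the error text says the peer (the CA's agent interface on dc.ourdom.com:443) rejected the client certificate presented to it as expired (SSL_ERROR_EXPIRED_CERT_ALERT). Eyeballing that in a long `getcert list` dump is error-prone, so here is a small parser that reads the output and flags every tracking request that is not in MONITORING, that carries the expired-cert alert in its ca-error, or whose `expires:` date is already in the past. This is an added example written for this page, not code from the thread, FreeIPA or certmonger. The sample output is constructed: the two request IDs and the error text come from the post, but the `expires:` lines, the storage lines and the third (healthy) request are assumptions, since the post does not show them.

```python
"""Flag expired or CA-unreachable tracking requests in `getcert list` output.

Added example, not code from the thread or from FreeIPA/certmonger.
"""
import re
from datetime import datetime, timezone

EXPIRED_ALERT = "SSL_ERROR_EXPIRED_CERT_ALERT"

# Reference "now" used for the sample run: the date of the mail in the thread.
REFERENCE_TIME = datetime(2015, 5, 18, 16, 17, 57, tzinfo=timezone.utc)

# Constructed sample (assumption): request IDs, status and ca-error follow the
# post; the expires/storage lines and the third request are made up here.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20130524104636':
        status: CA_UNREACHABLE
        ca-error: Server at https://dc.ourdom.com/ipa/xml failed request, will retry: 907 (RPC failed at server.  cannot connect to 'https://dc.ourdom.com:443/ca/agent/ca/displayBySerial': [Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-OURDOM-COM',nickname='Server-Cert',token='NSS Certificate DB'
        expires: 2015-05-10 10:46:36 UTC
Request ID '20130524104828':
        status: CA_UNREACHABLE
        ca-error: Server at https://dc.ourdom.com/ipa/xml failed request, will retry: 907 (RPC failed at server.  cannot connect to 'https://dc.ourdom.com:443/ca/agent/ca/displayBySerial': [Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        expires: 2015-05-10 10:48:28 UTC
Request ID '20130524104900':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        expires: 2016-05-10 10:49:00 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
# Indented "key: value" lines; keys are lowercase words, possibly with
# spaces or hyphens ("ca-error", "key pair storage").
FIELD_RE = re.compile(r"^\s+([a-z][a-z -]*?):\s*(.*)$")


def parse_getcert_list(text):
    """Return a list of dicts, one per 'Request ID' block, keyed by field name."""
    requests = []
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        if current is None:
            continue  # header lines before the first request
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
    return requests


def parse_expiry(value):
    """certmonger prints expiry as e.g. '2015-05-10 10:46:36 UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)


def find_problems(requests, now=None):
    """Map request ID -> list of reasons for every request that needs attention."""
    now = now or datetime.now(timezone.utc)
    problems = {}
    for req in requests:
        reasons = []
        status = req.get("status", "?")
        if status != "MONITORING":
            reasons.append("status is %s" % status)
        if EXPIRED_ALERT in req.get("ca-error", ""):
            reasons.append("CA rejected the client certificate as expired")
        if "expires" in req and parse_expiry(req["expires"]) <= now:
            reasons.append("certificate expired at %s" % req["expires"])
        if reasons:
            problems[req["id"]] = reasons
    return problems


if __name__ == "__main__":
    for req_id, reasons in find_problems(parse_getcert_list(SAMPLE_GETCERT_LIST), REFERENCE_TIME).items():
        print("Request ID %s:" % req_id)
        for reason in reasons:
            print("    - " + reason)
```

On a live system, feed it the real output (`getcert list | python3 thisscript.py` after swapping the sample for `sys.stdin.read()`). The `expires:` check is the one the post's output does not show: when a request is CA_UNREACHABLE because the certificate used to talk to the CA has itself expired, the request cannot be renewed through that CA until the expired certificate is dealt with, so an expired date alongside the alert is the signature to look for.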



