[Freeipa-users] ipa fails to start hangs on pki-tomcatd

Rob Verduijn rob.verduijn at gmail.com
Thu Dec 1 18:44:24 UTC 2016 

2016-12-01 17:20 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:

> Rob Verduijn wrote:
> >
> >
> > 2016-12-01 15:41 GMT+01:00 Rob Crittenden <rcritten at redhat.com
> > <mailto:rcritten at redhat.com>>:
> >
> >     Rob Verduijn wrote:
> >     > Hello,
> >     >
> >     > For some reason my ipa server no longer boots.
> >     > It keeps trying to start pki-tomcat service.
> >     >
> >     > Does anybody know where I should start looking to get this fixed ?
> >     >
> >     > Rob Verduijn
> >     >
> >     > ipactl -d start gives this output:
> >     > ipa: DEBUG: The CA status is: check interrupted due to error:
> Command
> >     > ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
> '--no-check-certificate'
> >     > 'https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus
> >     <https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus>''
> returned
> >     > non-zero exit status 8
> >     > ipa: DEBUG: Waiting for CA to start...
> >     > ipa: DEBUG: Starting external process
> >     > ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
> >     > '--no-check-certificate'
> >     > 'https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus
> >     <https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus>'
> >     > ipa: DEBUG: Process finished, return code=8
> >     > ipa: DEBUG: stdout=
> >     > ipa: DEBUG: stderr=--2016-12-01 11:06:12--
> >     > https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus
> >     <https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus>
> >     > Resolving freeipa02.tjako.thuis (freeipa02.tjako.thuis)...
> 172.16.1.13
> >     > Connecting to freeipa02.tjako.thuis
> >     > (freeipa02.tjako.thuis)|172.16.1.13|:8443... connected.
> >     > HTTP request sent, awaiting response...
> >     >   HTTP/1.1 500 Internal Server Error
> >     >   Server: Apache-Coyote/1.1
> >     >   Content-Type: text/html;charset=utf-8
> >     >   Content-Language: en
> >     >   Content-Length: 2134
> >     >   Date: Thu, 01 Dec 2016 10:06:13 GMT
> >     >   Connection: close
> >     > 2016-12-01 11:06:13 ERROR 500: Internal Server Error.
> >     >
> >     > There are also some java warnings in the logs, but its java and I
> can
> >     > never tell if its a serious error when java gives a warning.
> >     > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> >     > org.apache.catalina.startup.SetAllPropertiesRule begin
> >     > Dec  1 09:53:59 freeipa02 server: WARNING:
> >     > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> >     > 'serverCertNickFile' to
> >     > '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a
> >     > matching property.
> >     > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> >     > org.apache.catalina.startup.SetAllPropertiesRule begin
> >     > Dec  1 09:53:59 freeipa02 server: WARNING:
> >     > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> >     > 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf'
> did not
> >     > find a matching property.
> >     > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> >     > org.apache.catalina.startup.SetAllPropertiesRule begin
> >     > Dec  1 09:53:59 freeipa02 server: WARNING:
> >     > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> >     > 'passwordClass' to 'org.apache.tomcat.util.net
> >     <http://org.apache.tomcat.util.net>.jss.PlainPasswordFile'
> >     > did not find a matching property.
> >     > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> >     > org.apache.catalina.startup.SetAllPropertiesRule begin
> >     > Dec  1 09:53:59 freeipa02 server: WARNING:
> >     > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> >     > 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a
> matching
> >     > property.
> >     > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> >     > org.apache.tomcat.util.digester.SetPropertiesRule begin
> >     > Dec  1 09:53:59 freeipa02 server: WARNING:
> >     > [SetPropertiesRule]{Server/Service/Engine/Host} Setting property
> >     > 'xmlValidation' to 'false' did not find a matching property.
> >     > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> >     > org.apache.tomcat.util.digester.SetPropertiesRule begin
> >     > Dec  1 09:53:59 freeipa02 server: WARNING:
> >     > [SetPropertiesRule]{Server/Service/Engine/Host} Setting property
> >     > 'xmlNamespaceAware' to 'false' did not find a matching property.
> >     >
> >     >
> >     > I'm running centos7.2 x86_64 with the latest patches applied.
> >     > some package versions below
> >     > rpm -qa|egrep "ipa|tomcat"|sort
> >     > ipa-admintools-4.2.0-15.0.1.el7.centos.19.x86_64
> >     > ipa-client-4.2.0-15.0.1.el7.centos.19.x86_64
> >     > ipa-python-4.2.0-15.0.1.el7.centos.19.x86_64
> >     > ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
> >     > ipa-server-dns-4.2.0-15.0.1.el7.centos.19.x86_64
> >     > libipa_hbac-1.13.0-40.el7_2.12.x86_64
> >     > python-iniparse-0.4-9.el7.noarch
> >     > python-libipa_hbac-1.13.0-40.el7_2.12.x86_64
> >     > sssd-ipa-1.13.0-40.el7_2.12.x86_64
> >     > tomcat-7.0.54-8.el7_2.noarch
> >     > tomcat-el-2.2-api-7.0.54-8.el7_2.noarch
> >     > tomcat-jsp-2.2-api-7.0.54-8.el7_2.noarch
> >     > tomcatjss-7.1.2-1.el7.noarch
> >     > tomcat-lib-7.0.54-8.el7_2.noarch
> >     > tomcat-servlet-3.0-api-7.0.54-8.el7_2.noarch
> >
> >     The debug log is quite verbose. I find it helpful to note where the
> >     previous log ended, starting and pulling the difference and going
> line
> >     by line. It sometimes fails in one place which cascades to others
> this
> >     generally makes it hard to grok.
> >
> >     I'd also run `getcert list` and check to ensure that the CA subsystem
> >     certificates are still valid.
> >
> >     rob
> >
> >
> >
> > Hi,
> >
> > My certs where indeed expired.
> > I did what was said in here
> > http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
> > And now they are all valid again.
> >
> > However it is still stuck at the same spot.
> > It keeps waiting for the ca to start and gets an internal error.
> >
> > In the pki-cataline logs this keeps repeating :
> > Dec 01, 2016 4:22:44 PM org.apache.catalina.core.ContainerBase
> > backgroundProcess
> > WARNING: Exception processing realm
> > com.netscape.cms.tomcat.ProxyRealm at 6934e456 background process
> > java.lang.NullPointerException
> >         at
> > com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(
> ProxyRealm.java:108)
> >         at
> > org.apache.catalina.core.ContainerBase.backgroundProcess(
> ContainerBase.java:1360)
> >         at
> > org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.
> processChildren(ContainerBase.java:1530)
> >         at
> > org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.
> processChildren(ContainerBase.java:1540)
> >         at
> > org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.
> processChildren(ContainerBase.java:1540)
> >         at
> > org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.
> run(ContainerBase.java:1519)
> >         at java.lang.Thread.run(Thread.java:745)
> >
> > I keep digging through the logs, but they are rather overwhelming.
> >
> > Have you got any pointers for me ?
>
> My only recommendation is to read top-down instead of bottom up as one
> would normally do. Look for the selftest and see if it was successful.
> If it wasn't then nothing will work.
>
> rob
>



in the pki-catalina log I find a lot of warnings are these real warnings or
just noise from tomcat ?
Dec 01, 2016 6:18:40 PM org.apache.catalina.startup.SetAllPropertiesRule
begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
'enableOCSP' to 'false' did not find a matching property.
Dec 01, 2016 6:18:40 PM org.apache.catalina.startup.SetAllPropertiesRule
begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspResponderURL' to 'http://freeipa02.tjako.thuis:9080/ca/ocsp' did not
find a matching property.
Dec 01, 2016 6:18:40 PM org.apache.catalina.startup.SetAllPropertiesRule
begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a
matching property.
Dec 01, 2016 6:18:40 PM org.apache.catalina.startup.SetAllPropertiesRule
begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspCacheSize' to '1000' did not find a matching property.
Dec 01, 2016 6:18:40 PM org.apache.catalina.startup.SetAllPropertiesRule
begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspMinCacheEntryDuration' to '60' did not find a matching property.
Dec 01, 2016 6:18:40 PM org.apache.catalina.startup.SetAllPropertiesRule
begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
Dec 01, 2016 6:18:40 PM org.apache.catalina.startup.SetAllPropertiesRule
begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspTimeout' to '10' did not find a matching property.
Dec 01, 2016 6:18:40 PM org.apache.catalina.startup.SetAllPropertiesRule
begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
'strictCiphers' to 'true' did not find a matching property.
Dec 01, 2016 6:18:40 PM org.apache.catalina.startup.SetAllPropertiesRule
begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not find a matching
property.

Rob Verduijn
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20161201/09f632d3/attachment.htm>

More information about the Freeipa-users mailing list