[Freeipa-users] pki-tomcatd fails to start

Rob Crittenden rcritten at redhat.com
Fri Jan 6 15:19:05 UTC 2017


Jeff Goddard wrote:
> My environment is FreeIPA 4.4; CentOS 7.3. This system was upgraded as
> of yesterday afternoon. I'm unable to start pki-tomcat. The debug log
> shows this entry:
> 
> Internal Database Error encountered: Could not connect to LDAP server
> host id-management-1.internal.emerlyn.com port 636 Error
> netscape.ldap.LDAPException: Authentication failed (48)
>         at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)
>         at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
>         at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
>         at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
>         at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
>         at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
>         at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
>         at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
>         at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
>         at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
>         at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
>         at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
>         at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
>         at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
>         at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>         at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>         at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
>         at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
>         at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
>         at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
>         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>         at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>         at java.lang.Thread.run(Thread.java:745)
> 
> 
> I'm able to get a Kerberos ticket using kinit but ldapsearch gives this
> error:
> 
>  ldapsearch -h id-manaement-1.internal.emerlyn.com -x -b
> "cn=CAcert,cn=ipa,cn=etc,dc=internal,dc=emerlyn,dc=com"
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>  
> adding the -d1 debugging tag results in:
> 
> ldap_create
> ldap_url_parse_ext(ldap://id-manaement-1.internal.emerlyn.com)
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP id-manaement-1.internal.emerlyn.com:389
> ldap_connect_to_host: getaddrinfo failed: Name or service not known
> ldap_err2string
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> 
> I'm able to resolve the hostname via nslookup and /etc/hosts has the
> correct mapping entry.
> 
> I'm kind of lost at this point and could use some help.
> 
> Thanks in advance.

You have a typo in the hostname you're trying to connect to, missing the
'g' in management.

I have a vague memory from other reports of this issue that the problem
may be that the value of the certificate(s) in CS.cfg is different from
the dogtag NSS database. I'd see if those line up.

rob
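Rob's second suggestion, lining up the certificate blobs recorded in CS.cfg with what is actually in the dogtag NSS database, can be scripted so the comparison is exact rather than done by eye. The script below is an added example for this thread; it is not code from the original posts, from FreeIPA or from Dogtag. It assumes the default FreeIPA CA layout (CS.cfg at /etc/pki/pki-tomcat/ca/CS.cfg, NSS database at /etc/pki/pki-tomcat/alias) and the standard FreeIPA CA nicknames; both paths can be overridden through the CSCFG and NSSDB environment variables. The "Authentication failed (48)" in the trace is the CA's own bind to 389-ds on port 636 failing, so the ca.subsystem.cert pair is the first one to look at, but the script checks all five.

```shell
#!/bin/sh
# Added example (not from the FreeIPA/Dogtag projects or the original thread):
# compare each certificate stored as a base64 value in a Dogtag CS.cfg with
# the certificate of the same role in the pki-tomcat NSS database.
# Run as root:  sh check-ca-certs.sh --check

CSCFG=${CSCFG:-/etc/pki/pki-tomcat/ca/CS.cfg}      # assumed default path
NSSDB=${NSSDB:-/etc/pki/pki-tomcat/alias}          # assumed default path

# CS.cfg key | NSS nickname, the standard names of a FreeIPA CA instance.
PAIRS='ca.signing.cert|caSigningCert cert-pki-ca
ca.ocsp_signing.cert|ocspSigningCert cert-pki-ca
ca.subsystem.cert|subsystemCert cert-pki-ca
ca.audit_signing.cert|auditSigningCert cert-pki-ca
ca.sslserver.cert|Server-Cert cert-pki-ca'

# cscfg_cert FILE KEY: print the base64 body stored as "KEY=..." in FILE,
# with all whitespace removed; prints nothing if KEY is absent.
cscfg_cert() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')       # escape dots for sed
    sed -n "s/^${esc}=//p" "$1" | tr -d ' \r\n'
}

# pem_body: read a PEM certificate on stdin, print the bare base64 body.
pem_body() {
    sed -e '/^-----BEGIN/d' -e '/^-----END/d' | tr -d ' \r\n'
}

# nssdb_cert DIR NICKNAME: base64 body of the certificate under NICKNAME.
nssdb_cert() {
    certutil -L -d "$1" -n "$2" -a | pem_body
}

# certs_match A B: success only if both are the same, non-empty blob.
certs_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# check_all: walk every pair, report OK/MISMATCH, return 1 on any mismatch.
check_all() {
    rc=0
    printf '%s\n' "$PAIRS" | while IFS='|' read -r key nick; do
        cfg=$(cscfg_cert "$CSCFG" "$key")
        nss=$(nssdb_cert "$NSSDB" "$nick")
        if certs_match "$cfg" "$nss"; then
            printf 'OK        %-22s == "%s"\n' "$key" "$nick"
        else
            printf 'MISMATCH  %-22s != "%s"\n' "$key" "$nick"
            exit 1    # exits the subshell running the loop only
        fi
    done || rc=1
    return $rc
}

if [ "${1:-}" = "--check" ]; then
    check_all
fi
```

The script only reports; it does not rewrite either side. A MISMATCH line tells you the CA's configuration and its key store disagree for that role, which is the condition Rob describes. Which copy is the stale one has to be decided against whatever the directory server has on record for the CA before editing CS.cfg or the NSS database, and pki-tomcatd needs a restart after any change.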