[Pki-devel] pki-tomcatd restart timeout during installation of KRA on FreeIPA master using LDAPS

Martin Babinsky mbabinsk at redhat.com
Fri Feb 26 13:22:49 UTC 2016


Hi List,

I have encountered a strange behavior in Dogtag when working on
https://fedorahosted.org/freeipa/ticket/5570

I have set the deployment config for KRA to use LDAPS for communication 
with IPA dirsrv backend during spawn. Everything works perfectly, except 
that I see the following timeout during ipa-kra-install on FreeIPA master:

http://fpaste.org/329271/45641447/

However the installation finishes as usual and pki-tomcatd service is 
running in the end, albeit showing the following traceback: 
http://fpaste.org/329260/56413840/

The KRA subsystem is also recognized by subsystem-find:

http://fpaste.org/329335/20387145/

Our upstream XMLRPC tests exercising KRA and CA subsystem also pass, so 
clearly functionality is not affected.

Nevertheless, something is preventing Dogtag from starting up given our 300 s 
timeout (I have tried longer intervals up to 1200 s to no avail). In the 
IPA KRA install log, I can see our code polling CA's REST interface 
unsuccessfully: http://fpaste.org/329294/15776145/

After a few additional installation steps, when the Dogtag instance is 
shut down and started up again, it goes up just fine and the REST API reports 
ready status.

I would like to know if this is an issue on the Dogtag side or some 
misconfiguration from my side. I have CA and KRA subsystem logs at hand. 
If anyone is interested, ping me on IRC and I will give them to you. Endi 
and Christian (CC'ed) should also have them at hand.

I should also mention that I was only able to reproduce this in my 
local vagrant/libvirt environment. Also, deploying CA subsystem on 
hardened CA-less FreeIPA server using LDAPS works fine without any timeouts.

Thank you for your help.

-- 
Martin^3 Babinsky