Hello All,
I thing something is wrong with dogtag packages included in the new
CentOS 7 release. Once CentOS 7.4.1708 arrived in the distro
repositories we got our systems updated. But when we rebooted the PKI
infrastructure server nodes we realized that pki-tomcat somehow cannot
load the certificates and some of the other settings.
We started analyzing the problem by presuming that we made some mistake
in the configuration but when we tried to create from scratch CA
subsystem on freshly installed system (CentOS 7.4.1708, 389 server, and
the pki-* packages installed), we failed:
Subsystem (CA/KRA/OCSP/TKS/TPS) [CA]:
Tomcat:
Instance [pki-tomcat]:
HTTP port [8080]:
Secure HTTP port [8443]:
AJP port [8009]:
Management port [8005]:
Administrator:
Username [caadmin]:
Password:
Verify password:
Import certificate (Yes/No) [N]?
Export certificate to [/root/.dogtag/pki-tomcat/ca_admin.cert]:
Directory Server:
Hostname [
ds.example.com]:
Use a secure LDAPS connection (Yes/No/Quit) [N]?
LDAP Port [389]:
Bind DN [cn=Directory Manager]:
Password:
Base DN [o=pki-tomcat-CA]:
Security Domain:
Name [
example.com Security Domain]:
Begin installation (Yes/No/Quit)? Yes
Log file: /var/log/pki/pki-ca-spawn.20170925074602.log
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
pkispawn : ERROR ....... server failed to restart
Installation failed: server failed to restart
Note that it is a fresh installation. No any customization. 389 server
is running and it got tested before starting with the CA subsystem
installation procedure. All DNS records matching the machine address are
available.
I checked the spawn log file
(/var/log/pki/pki-ca-spawn.20170925074602.log). Most of the entries
there seem absolutely fine. The only records that show some problems are:
2017-09-25 06:32:28 pkispawn : INFO ....... executing 'systemctl
daemon-reload'
2017-09-25 06:32:28 pkispawn : INFO ....... executing 'systemctl
start pki-tomcatd(a)pki-tomcat.service'
2017-09-25 06:32:29 pkispawn : DEBUG ........... No connection -
server may still be down
2017-09-25 06:32:29 pkispawn : DEBUG ........... No connection -
exception thrown: 404 Client Error: Not Found
2017-09-25 06:32:30 pkispawn : DEBUG ........... No connection -
server may still be down
2017-09-25 06:32:30 pkispawn : DEBUG ........... No connection -
exception thrown: 404 Client Error: Not Found
2017-09-25 06:32:31 pkispawn : DEBUG ........... No connection -
server may still be down
2017-09-25 06:32:31 pkispawn : DEBUG ........... No connection -
exception thrown: 404 Client Error: Not Found
...
2017-09-25 06:33:30 pkispawn : ERROR ....... server failed to restart
2017-09-25 06:33:30 pkispawn : DEBUG ....... Error Type: Exception
2017-09-25 06:33:30 pkispawn : DEBUG ....... Error Message: server
failed to restart
2017-09-25 06:33:30 pkispawn : DEBUG ....... File
"/sbin/pkispawn", line 533, in main
Since that piece of information is not very particular on what exactly
happens, I checked the debug log in /var/log/pki/pki-tomcat/ca/debug and
found these pieces of suspicious info:
[25/Sep/2017:07:46:56][localhost-startStop-1]: CMSEngine: restart at
autoShutdown? false
[25/Sep/2017:07:46:56][localhost-startStop-1]: CMSEngine: autoShutdown
crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[25/Sep/2017:07:46:56][localhost-startStop-1]: CMSEngine: about to look
for cert for auto-shutdown support:auditSigningCert cert-pki-tomcat
[25/Sep/2017:07:46:56][localhost-startStop-1]: CMSEngine: cert not
found:auditSigningCert cert-pki-tomcat
[25/Sep/2017:07:46:56][localhost-startStop-1]: CMSEngine:
Exception:org.mozilla.jss.crypto.ObjectNotFoundException
...
Property internaldb.ldapconn.port missing value
...
I know that "Property internaldb.ldapconn.port missing value" error is
explained here
http://pki.fedoraproject.org/wiki/Troubleshooting as
something that could be ignored, but the spawn process does not create
any new LDAP data base (it is supposed to create o=pki-tomcat-CA).
Moreover, except from the cn=Directory Manager dn password validation,
there is no even a single attempt to connect to the 389 directory server
running on the same machine.
Anyone with experience in that?
Best,
Veselin