| Summary: | Configuration is DOGTAG-PKI using PKISPAWN is failing | ||
|---|---|---|---|
| Product: | [Retired] Dogtag Certificate System | Reporter: | Vinamra <abhayindia> |
| Component: | Installer (pkispawn/pkidestroy) | Assignee: | Matthew Harmsen <mharmsen> |
| Status: | CLOSED NOTABUG | QA Contact: | Chandrasekar Kannan <ckannan> |
| Severity: | urgent | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 10.0 | CC: | abhayindia, alee, benl, dennis, extras-orphan, kwright, mharmsen, nkinder |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i686 | ||
| OS: | All | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-09-27 18:42:51 UTC | Type: | Bug |
We need a little more info. First, what is the version of the dogtag software and for tomcat:

rpm -q pki-server
rpm -q tomcat

It looks like the server does not come up. Are there any logs in /var/log/pki/pki-tomcat? Is there anything in /var/log/messages? Also, there is a pkispawn log in /var/log/pki.

Is selinux enabled? (getenforce). If selinux is put in permissive mode (setenforce 0), does the server start up?

Additional Information As Requested -
# rpm -q pki-server
pki-server-10.0.5-1.fc19.noarch
# rpm -q tomcat
tomcat-7.0.42-1.fc19.noarch
#LOG 1 - /var/log/pki - pkispawn logs#
2013-09-24 19:34:43 pkispawn : INFO ....... executing 'certutil -N -d /root/.dogtag/pki-tomcat/ca/alias -f /root/.dogtag/pki-tomcat/ca/password.conf'
2013-09-24 19:34:43 pkispawn : INFO ....... ln -s /lib/systemd/system/pki-tomcatd@.service /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd
2013-09-24 19:34:43 pkispawn : DEBUG ........... chown -h 17:17 /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd
2013-09-24 19:34:43 pkispawn : INFO ....... executing 'systemctl start pki-tomcatd'
2013-09-24 19:34:51 pkispawn : DEBUG ........... No connection - server may still be down
2013-09-24 19:34:51 pkispawn : DEBUG ........... No connection - exception thrown: 404 Client Error: Not Found
2013-09-24 19:35:49 pkispawn : DEBUG ........... No connection - exception thrown: 404 Client Error: Not Found
2013-09-24 19:35:50 pkispawn : ERROR ....... server failed to restart
2013-09-24 19:35:50 pkispawn : DEBUG ....... Error Type: SystemExit
2013-09-24 19:35:50 pkispawn : DEBUG ....... Error Message: 1
2013-09-24 19:35:51 pkispawn : DEBUG ....... File "/sbin/pkispawn", line 374, in main
rv = instance.spawn()
File "/usr/lib/python2.7/site-packages/pki/deployment/configuration.py", line 102, in spawn
sys.exit(1)
#LOG 2 - /var/log/message logs#
Sep 24 19:28:11 gateway goa[1093]: goa-daemon version 3.8.3 starting [main.c:113, main()]
Sep 24 19:34:43 gateway systemd[1]: Starting PKI Tomcat Server pki-tomcat...
Sep 24 19:34:50 gateway pkidaemon[1159]: 'pki-tomcat' must still be CONFIGURED!
Sep 24 19:34:50 gateway pkidaemon[1159]: (see /var/log/pki-tomcat-install.log)
#LOG 3 - /var/log/pki/pki-tomcat logs#
SSLAuthenticatorWithFallback: Initializing authenticators
SSLAuthenticatorWithFallback: Starting authenticators
19:34:58,286 DEBUG (org.jboss.resteasy.plugins.providers.DocumentProvider:60) - Unable to retrieve ServletContext: expandEntityReferences defaults to true
19:34:58,298 DEBUG (org.jboss.resteasy.plugins.providers.DocumentProvider:60) - Unable to retrieve ServletContext: expandEntityReferences defaults to true
CMS Warning: FAILURE: Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate|FAILURE: authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value|
Server is started.
Sep 24, 2013 7:34:59 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8080"]
Sep 24, 2013 7:34:59 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 7755 ms
SELINUX is disabled.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Presuming that you used the default setup, please provide the output of the following:
# pkidaemon status tomcat pki-tomcat
My guess is that it will return something similar to the following:
Status for pki-tomcat: pki-tomcat is running ..
'pki-tomcat' must still be CONFIGURED!
(see /var/log/pki-tomcat-install.log)
So, based on your logs, it looks like we try to start up the server:

2013-09-24 19:34:43 pkispawn : DEBUG ........... chown -h 17:17 /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd

and the server does in fact come up:

Sep 24, 2013 7:34:59 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 7755 ms

But it does not correctly respond to requests for status -- returning 404's, and so times out.

Can you attach any logs in /var/log/pki/pki-tomcat as well as /var/log/pki/pki-tomcat/ca? The error may have appeared earlier in the log. Also, what is your version of python-requests?

Also, you might want to try with selinux in permissive mode. It's likely not the problem - but we always run in at least permissive mode. You'll need to change the config and reboot.

Dear All,

After looking in the logs, it was clear the pki was trying to start, and on the secure port it started. It was the non-secure port which was not starting. Thus I had thought to look at any running port

# lsof -i :8080

and the httpd daemon was holding the port. Then I removed the complete pki using pkidestroy and manual commands to remove the complete installation.

# pkidestroy -s CA -i pki-tomcat
# rm -rf /var/log/pki/pki-tomcat
# rm -rf /etc/sysconfig/pki-tomcat
# rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
# rm -rf /var/lib/pki/pki-tomcat
# rm -rf /etc/pki/pki-tomcat

Stopped the httpd daemon.

# service httpd stop
# chkconfig httpd off
# reboot

Then again reconfigured the pki-tomcat. It went smoothly and started without any issue. Thanks for the help extended to look into /var/log.

The only thing pending with me is to run SCEP over DOGTAG 10. I have been checking the documentation over google for Dogtag 10 to be used as SCEP for a couple of routers and VPN Concentrators. But I was only able to find DogTag 9.0 Documentation for SCEP support. It will be a real great help if somebody can post any link on which I can study & deploy SCEP over Dogtag 10.

Rgds, Abhay

Dogtag 9 should be the same as dogtag 10 as far as SCEP. You should also look at the Red Hat Certificate Server 8.x documentation (docs.redhat.com). For SCEP, that should all be valid too.
Description of problem:

Upon running the command PKISPAWN for configuring PKI on Fedora Linux 19 in interactive mode, it is always giving problem and getting failed.

pkispawn : INFO ....... ln -s /lib/systemd/system/pki-tomcatd@.service /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd
pkispawn : DEBUG ........... chown -h 17:17 /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd
pkispawn : INFO ....... executing 'systemctl start pki-tomcatd'
pkispawn : DEBUG ........... No connection - server may still be down
pkispawn : DEBUG ........... No connection - exception thrown: 404 Client Error: Not Found
pkispawn : DEBUG ........... No connection - server may still be down
pkispawn : DEBUG ........... No connection - exception thrown: 404 Client Error: Not Found
pkispawn : ERROR ....... server failed to restart
pkispawn : DEBUG ....... Error Type: SystemExit
pkispawn : DEBUG ....... Error Message: 1
pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", line 374, in main
rv = instance.spawn()
File "/usr/lib/python2.7/site-packages/pki/deployment/configuration.py", line 102, in spawn
sys.exit(1)

Installation failed.

Any Support Idea?
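
The diagnosis reached in this report (pkispawn polling got HTTP 404s because another daemon held port 8080) can be checked mechanically. The following is an added example, not part of the bug report or of Dogtag's code: `triage` and `port_in_use` are hypothetical helper names, the sample log is constructed from the lines quoted above, and 8443 as the secure port is an assumption (the Dogtag default; the report does not state it).

```python
import errno
import re
import socket

# Constructed sample, modelled on the pkispawn log lines quoted in this report.
SAMPLE_LOG = """\
2013-09-24 19:34:43 pkispawn : INFO ....... executing 'systemctl start pki-tomcatd'
2013-09-24 19:34:51 pkispawn : DEBUG ........... No connection - server may still be down
2013-09-24 19:34:51 pkispawn : DEBUG ........... No connection - exception thrown: 404 Client Error: Not Found
2013-09-24 19:35:50 pkispawn : ERROR ....... server failed to restart
"""

EXCEPTION = re.compile(r"No connection - exception thrown: (.+)$")
HTTP_ERROR = re.compile(r"(\d{3}) (?:Client|Server) Error")

def triage(log_text):
    """Classify a pkispawn log: 'ok', 'http-answer-not-pki' or 'no-answer'."""
    http_codes, failed = [], False
    for line in log_text.splitlines():
        exc = EXCEPTION.search(line)
        if exc:
            status = HTTP_ERROR.match(exc.group(1))
            if status:
                http_codes.append(int(status.group(1)))
        elif "server failed to restart" in line:
            failed = True
    if not failed:
        return "ok", http_codes
    # An HTTP status means some web server answered the status request but did
    # not serve the PKI status page: check which process owns the port.
    return ("http-answer-not-pki" if http_codes else "no-answer"), http_codes

def port_in_use(port, host="0.0.0.0"):
    """True if another socket already holds host:port (bind probe, no traffic sent)."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        probe.bind((host, port))
    except OSError as err:
        if err.errno == errno.EADDRINUSE:
            return True
        raise  # e.g. EACCES for ports below 1024 when not root
    finally:
        probe.close()
    return False

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    # 8080 is the port in this report; 8443 is Dogtag's default HTTPS port (assumption).
    for p in (8080, 8443):
        print(p, "in use" if port_in_use(p) else "free")
```

Running the port probe before pkispawn, while no PKI instance exists, shows whether a daemon such as httpd already occupies a port the new instance needs.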