Description of problem: Upon running the command PKISPAWN for configuring PKI on Fedora Linux 19 in interactive mode, it always gives a problem and fails.

pkispawn : INFO ....... ln -s /lib/systemd/system/pki-tomcatd@.service /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd
pkispawn : DEBUG ........... chown -h 17:17 /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd
pkispawn : INFO ....... executing 'systemctl start pki-tomcatd'
pkispawn : DEBUG ........... No connection - server may still be down
pkispawn : DEBUG ........... No connection - exception thrown: 404 Client Error: Not Found
pkispawn : DEBUG ........... No connection - server may still be down
pkispawn : DEBUG ........... No connection - exception thrown: 404 Client Error: Not Found
pkispawn : ERROR ....... server failed to restart
pkispawn : DEBUG ....... Error Type: SystemExit
pkispawn : DEBUG ....... Error Message: 1
pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", line 374, in main
    rv = instance.spawn()
  File "/usr/lib/python2.7/site-packages/pki/deployment/configuration.py", line 102, in spawn
    sys.exit(1)

Installation failed.

Any Support Idea?

We need a little more info. First, what is the version of the dogtag software and of tomcat:

rpm -q pki-server
rpm -q tomcat

It looks like the server does not come up. Are there any logs in /var/log/pki/pki-tomcat? Is there anything in /var/log/messages? Also, there is a pkispawn log in /var/log/pki.

Is selinux enabled? (getenforce). If selinux is put in permissive mode (setenforce 0), does the server start up?

Additional Information As Requested -

# rpm -q pki-server
pki-server-10.0.5-1.fc19.noarch
# rpm -q tomcat
tomcat-7.0.42-1.fc19.noarch

#LOG 1 - /var/log/pki - pkispawn logs#

2013-09-24 19:34:43 pkispawn : INFO ....... executing 'certutil -N -d /root/.dogtag/pki-tomcat/ca/alias -f /root/.dogtag/pki-tomcat/ca/password.conf'
2013-09-24 19:34:43 pkispawn : INFO ....... ln -s /lib/systemd/system/pki-tomcatd@.service /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd
2013-09-24 19:34:43 pkispawn : DEBUG ........... chown -h 17:17 /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd
2013-09-24 19:34:43 pkispawn : INFO ....... executing 'systemctl start pki-tomcatd'
2013-09-24 19:34:51 pkispawn : DEBUG ........... No connection - server may still be down
2013-09-24 19:34:51 pkispawn : DEBUG ........... No connection - exception thrown: 404 Client Error: Not Found
2013-09-24 19:35:49 pkispawn : DEBUG ........... No connection - exception thrown: 404 Client Error: Not Found
2013-09-24 19:35:50 pkispawn : ERROR ....... server failed to restart
2013-09-24 19:35:50 pkispawn : DEBUG ....... Error Type: SystemExit
2013-09-24 19:35:50 pkispawn : DEBUG ....... Error Message: 1
2013-09-24 19:35:51 pkispawn : DEBUG ....... File "/sbin/pkispawn", line 374, in main
    rv = instance.spawn()
  File "/usr/lib/python2.7/site-packages/pki/deployment/configuration.py", line 102, in spawn
    sys.exit(1)

#LOG 2 - /var/log/message logs#

Sep 24 19:28:11 gateway goa[1093]: goa-daemon version 3.8.3 starting [main.c:113, main()]
Sep 24 19:34:43 gateway systemd[1]: Starting PKI Tomcat Server pki-tomcat...
Sep 24 19:34:50 gateway pkidaemon[1159]: 'pki-tomcat' must still be CONFIGURED!
Sep 24 19:34:50 gateway pkidaemon[1159]: (see /var/log/pki-tomcat-install.log)

#LOG 3 - /var/log/pki/pki-tomcat logs#

SSLAuthenticatorWithFallback: Initializing authenticators
SSLAuthenticatorWithFallback: Starting authenticators
19:34:58,286 DEBUG (org.jboss.resteasy.plugins.providers.DocumentProvider:60) - Unable to retrieve ServletContext: expandEntityReferences defaults to true
19:34:58,298 DEBUG (org.jboss.resteasy.plugins.providers.DocumentProvider:60) - Unable to retrieve ServletContext: expandEntityReferences defaults to true
CMS Warning: FAILURE: Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate|FAILURE: authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value|
Server is started.
Sep 24, 2013 7:34:59 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8080"]
Sep 24, 2013 7:34:59 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 7755 ms

SELINUX is disabled.

# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

Presuming that you used the default setup, please provide the output of the following:

# pkidaemon status tomcat pki-tomcat

My guess is that it will return something similar to the following:

Status for pki-tomcat: pki-tomcat is running ..
'pki-tomcat' must still be CONFIGURED!
(see /var/log/pki-tomcat-install.log)

So, based on your logs, it looks like we try to start up the server:

2013-09-24 19:34:43 pkispawn : DEBUG ........... chown -h 17:17 /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd

and the server does in fact come up:

Sep 24, 2013 7:34:59 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 7755 ms

But it does not correctly respond to requests for status -- returning 404's, and so times out.

Can you attach any logs in /var/log/pki/pki-tomcat as well as /var/log/pki/pki-tomcat/ca? The error may have appeared earlier in the log. Also, what is your version of python-requests?

Also, you might want to try with selinux in permissive mode. It's likely not the problem - but we always run in at least permissive mode. You'll need to change the config and reboot.

Dear All,

After looking in the logs, it was clear that pki was trying to start, and on the secure port it started. It was the non-secure port which was not starting. Thus I had thought to look at any running port

#lsof -i :8080

and the httpd daemon was holding the port. Then I removed the complete pki using #pkidestroy and manual commands to remove the complete installation.

#pkidestroy -s CA -i pki-tomcat
#rm -rf /var/log/pki/pki-tomcat
#rm -rf /etc/sysconfig/pki-tomcat
#rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
#rm -rf /var/lib/pki/pki-tomcat
#rm -rf /etc/pki/pki-tomcat

Stopped the httpd daemon.

#service httpd stop
#chkconfig httpd off
#reboot

Then again reconfigured the pki-tomcat. It went smoothly and started without any issue. Thanks for the help extended to look into /var/log.

The only thing pending with me is to run SCEP over DOGTAG 10. I have been checking the documentation over Google for Dogtag 10 to be used as SCEP for a couple of routers and VPN concentrators. But I was only able to find Dogtag 9.0 documentation for SCEP support. It would be a really great help if somebody could post any link from which I can study & deploy SCEP over Dogtag 10.

Rgds, Abhay

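Added example, not part of the original thread or of the Dogtag tooling: a pre-flight check that reports which process already holds a port the PKI instance needs, the condition found above with lsof. Only 8080 is named in the thread; 8443, 8005 and 8009 are assumed defaults, and the sample `ss` output is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): find listeners that already hold the
# ports a PKI instance needs, before running pkispawn.
# 8080 is the port named in the thread; 8443, 8005 and 8009 are assumed defaults.
PKI_PORTS="${PKI_PORTS:-8080 8443 8005 8009}"

# Constructed sample of `ss -ltnp` output: httpd on 8080, as in the report.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=640,fd=3))
LISTEN 0      128    *:8080             *:*               users:(("httpd",pid=812,fd=4))
LISTEN 0      100    [::]:8443          [::]:*            users:(("java",pid=2044,fd=50))'

# find_conflicts "<ports>": reads `ss -ltnp` output on stdin and prints
# "<port> <process>" for every wanted port that already has a listener.
find_conflicts() {
    awk -v want="$1" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) wanted[w[i]] = 1 }
        $1 == "LISTEN" {
            k = split($4, a, ":"); port = a[k]      # handles *:8080 and [::]:8443
            if (!(port in wanted) || (port in seen)) next
            seen[port] = 1
            owner = "unknown"                        # no users:(...) unless run as root
            if (match($0, /\(\("[^"]+"/)) owner = substr($0, RSTART + 3, RLENGTH - 4)
            print port, owner
        }'
}

# preflight "<ports>": returns 1 and reports each conflict on stderr.
preflight() {
    conflicts=$(find_conflicts "$1")
    if [ -z "$conflicts" ]; then return 0; fi
    printf '%s\n' "$conflicts" | while read -r port owner; do
        echo "port $port is held by $owner; free it before pkispawn" >&2
    done
    return 1
}

# Live use: sh preflight.sh --live   (run as root so ss can name the process)
if [ "${1:-}" = "--live" ]; then
    ss -ltnp | preflight "$PKI_PORTS"
fi
```

On the constructed sample, `find_conflicts` reports httpd on 8080 and java on 8443; a listener on the instance's own ports is expected once the instance is running, so the check is meant for the moment before pkispawn.
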
Dogtag 9 should be the same as Dogtag 10 as far as SCEP. You should also look at the Red Hat Certificate Server 8.x documentation (docs.redhat.com). For SCEP, that should all be valid too.