Bug 2277151 - ipa-acme-manage fails after upgrade from Fedora 39 to 40
Summary: ipa-acme-manage fails after upgrade from Fedora 39 to 40
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: freeipa
Version: 40
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: IPA Maintainers
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2024-04-25 12:52 UTC by Thomas Höll
Modified: 2025-05-16 08:09 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2025-05-16 08:09:46 UTC
Type: ---
Embargoed:


Links
Red Hat Issue Tracker FREEIPA-10998 (Private: 0, Priority: None, Status: None, Summary: None, Last Updated: 2024-04-25 12:56:07 UTC)

Description Thomas Höll 2024-04-25 12:52:22 UTC
After the upgrade of my IPA machine from F39 to F40 I noticed that certificates couldn't be issued anymore (endpoint returns 404).

The ipa-acme-manage command itself also fails due to the same error:

ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldapi://%2Frun%2Fslapd-MY-KRB-REALM.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f3069824e30>
ipaserver.masters: DEBUG: Discovery: available servers for service 'CA' are ipa.nix.hoell.internal
ipaserver.masters: DEBUG: Discovery: using my-ipa-server for 'CA' service
ipapython.dogtag: DEBUG: request POST https://my-ipa-server:8443/acme/login
ipapython.dogtag: DEBUG: request body ''
ipapython.dogtag: DEBUG: response status 404
ipapython.dogtag: DEBUG: response headers Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 765
Date: Thu, 25 Apr 2024 12:22:58 GMT


ipapython.dogtag: DEBUG: response body (decoded): b'<!doctype html><html lang="en"><head><title>HTTP Status 404 \xe2\x80\x93 Not Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404 \xe2\x80\x93 Not Found</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> The requested resource [&#47;acme&#47;login] is not available</p><p><b>Description</b> The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class="line" /><h3>Apache Tomcat/9.0.83</h3></body></html>'
ipapython.admintool: DEBUG:   File "/usr/lib/python3.12/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
                   ^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/ipaserver/install/ipa_acme_manage.py", line 399, in run
    with state as ca_api:
  File "/usr/lib/python3.12/site-packages/ipaserver/install/ipa_acme_manage.py", line 103, in __enter__
    raise errors.RemoteRetrieveError(

ipapython.admintool: DEBUG: The ipa-acme-manage command failed, exception: RemoteRetrieveError: Failed to authenticate to CA REST API
ipapython.admintool: ERROR: Failed to authenticate to CA REST API
ipapython.admintool: ERROR: The ipa-acme-manage command failed.

Reproducible: Didn't try

It could possibly be related to the update of dogtag-pki-acme from 11.4.3 to 11.5.0.

Comment 1 Alexander Bokovoy 2024-04-25 13:10:41 UTC
Can you provide PKI and IPA logs, please?

Comment 2 Thomas Höll 2024-04-25 13:40:42 UTC
Which logs do you need exactly? Here is /var/log/pki/pki-tomcat/acme/debug.2024-04-25.log

2024-04-25 11:43:48 [main] INFO: Starting ACME engine
2024-04-25 11:43:48 [main] INFO: ACME configuration directory: /var/lib/pki/pki-tomcat/conf/acme
2024-04-25 11:43:48 [main] INFO: Loading ACME engine config from /var/lib/pki/pki-tomcat/conf/acme/engine.conf
2024-04-25 11:43:48 [main] INFO: - enabled: false
2024-04-25 11:43:48 [main] INFO: - base URL: https://my-ipa-server/acme
2024-04-25 11:43:48 [main] INFO: - nonces persistent: null
2024-04-25 11:43:48 [main] INFO: - wildcard: false
2024-04-25 11:43:48 [main] INFO: - nonce retention: {
  "length" : 30,
  "unit" : "MINUTES"
}
2024-04-25 11:43:48 [main] INFO: - authorization retention:
2024-04-25 11:43:48 [main] INFO:   - pending: {
  "length" : 30,
  "unit" : "MINUTES"
}
2024-04-25 11:43:48 [main] INFO:   - invalid: {
  "length" : 30,
  "unit" : "MINUTES"
}
2024-04-25 11:43:48 [main] INFO:   - valid: {
  "length" : 30,
  "unit" : "MINUTES"
}
2024-04-25 11:43:48 [main] INFO: - order retention:
2024-04-25 11:43:49 [main] INFO:   - pending: {
  "length" : 30,
  "unit" : "MINUTES"
}
2024-04-25 11:43:49 [main] INFO:   - invalid: {
  "length" : 30,
  "unit" : "MINUTES"
}
2024-04-25 11:43:49 [main] INFO:   - ready: {
  "length" : 30,
  "unit" : "MINUTES"
}
2024-04-25 11:43:49 [main] INFO:   - processing: {
  "length" : 30,
  "unit" : "MINUTES"
}
2024-04-25 11:43:49 [main] INFO:   - valid: {
  "length" : 30,
  "unit" : "MINUTES"
}
2024-04-25 11:43:49 [main] INFO: - certificate retention: {
  "length" : 30,
  "unit" : "DAYS"
}
2024-04-25 11:43:49 [main] INFO: Loading ACME metadata from /usr/share/pki/acme/conf/metadata.conf
2024-04-25 11:43:49 [main] INFO: Loading ACME database config from /var/lib/pki/pki-tomcat/conf/acme/database.conf
2024-04-25 11:43:49 [main] INFO: Initializing ACME database
2024-04-25 11:43:49 [main] INFO: Loading LDAP database configuration from /etc/pki/pki-tomcat/ca/CS.cfg
2024-04-25 11:43:49 [main] WARNING: The basedn parameter has been deprecated. Use baseDN instead.
2024-04-25 11:43:49 [main] INFO: - base DN: ou=acme,o=ipaca
2024-04-25 11:43:49 [main] INFO: PKISocketFactory: Initializing PKISocketFactory
2024-04-25 11:43:49 [main] INFO: PKISocketFactory: Creating SSL socket for my-ipa-server:636
2024-04-25 11:43:49 [main] INFO: - monitor enabled: null
2024-04-25 11:43:49 [main] INFO: Loading ACME validators config from /usr/share/pki/acme/conf/validators.conf
2024-04-25 11:43:49 [main] INFO: Initializing ACME validators
2024-04-25 11:43:49 [main] INFO: Initializing dns-01 validator
2024-04-25 11:43:49 [main] INFO: Initializing http-01 validator
2024-04-25 11:43:49 [main] INFO: Loading ACME issuer config from /var/lib/pki/pki-tomcat/conf/acme/issuer.conf
2024-04-25 11:43:49 [main] INFO: Initializing ACME issuer
2024-04-25 11:43:49 [main] INFO: Initializing PKI issuer
2024-04-25 11:43:49 [main] INFO: - URL: https://my-ipa-server:8443
2024-04-25 11:43:49 [main] INFO: - username: acme-ipa.my-ipa-server
2024-04-25 11:43:49 [main] INFO: - profile: acmeIPAServerCert
2024-04-25 11:43:49 [main] INFO: Loading ACME scheduler config from /usr/share/pki/acme/conf/scheduler.conf
2024-04-25 11:43:49 [main] INFO: Initializing ACME scheduler
2024-04-25 11:43:49 [main] INFO: Initializing ACME scheduler
2024-04-25 11:43:49 [main] INFO: - threads: 1
2024-04-25 11:43:49 [main] INFO: Initializing maintenance task
2024-04-25 11:43:49 [main] INFO: - initial delay: 5
2024-04-25 11:43:49 [main] INFO: - delay: 5
2024-04-25 11:43:49 [main] INFO: - interval: null
2024-04-25 11:43:49 [main] INFO: - unit: MINUTES
2024-04-25 11:43:49 [main] INFO: Loading ACME monitors config from /var/lib/pki/pki-tomcat/conf/acme/configsources.conf
2024-04-25 11:43:49 [main] INFO: ACME service is DISABLED by configuration
2024-04-25 11:43:49 [main] INFO: ACME wildcard issuance is DISABLED by configuration
2024-04-25 11:43:49 [main] INFO: Loading ACME realm config from /var/lib/pki/pki-tomcat/conf/acme/realm.conf
2024-04-25 11:43:49 [main] INFO: Initializing ACME realm
2024-04-25 11:43:49 [main] INFO: Initializing LDAP realm
2024-04-25 11:43:49 [main] INFO: Loading LDAP realm config from /etc/pki/pki-tomcat/ca/CS.cfg
2024-04-25 11:43:49 [ACMEEngineConfigFileSource] INFO: ACMEEngineConfigSource: watching /etc/pki/pki-tomcat/acme/engine.conf
2024-04-25 11:43:49 [main] INFO: - users DN: ou=people,o=ipaca
2024-04-25 11:43:49 [main] INFO: - groups DN: ou=groups,o=ipaca
2024-04-25 11:43:49 [main] INFO: PKISocketFactory: Initializing PKISocketFactory
2024-04-25 11:43:49 [main] INFO: PKISocketFactory: Creating SSL socket for my-ipa-server:636
2024-04-25 11:43:49 [main] INFO: ACME engine started
2024-04-25 11:43:49 [main] INFO: Initializing ACMEApplication

pki-server logs:

Apr 24 16:14:18 my-ipa-server systemd[1]: Starting pki-tomcatd - PKI Tomcat Server pki-tomcat...
Apr 24 16:14:41 my-ipa-server pki-server[2037]: NOTE: Picked up JDK_JAVA_OPTIONS:  --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
Apr 24 16:14:41 my-ipa-server pki-server[1989]: AJP connector requiredSecret: None
Apr 24 16:14:41 my-ipa-server pki-server[1989]: AJP connector requiredSecret: None
Apr 24 16:14:41 my-ipa-server pkidaemon[2073]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/AdminCert.cfg:83: policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 24 16:14:41 my-ipa-server pkidaemon[2073]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caAgentFileSigning.cfg:83: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 24 16:14:41 my-ipa-server pkidaemon[2073]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caUUIDdeviceCert.cfg:96: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 24 16:14:41 my-ipa-server pkidaemon[2073]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caCrossSignedCACert.cfg:79: policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 24 16:14:41 my-ipa-server pkidaemon[2073]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caUserCert.cfg:98: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 24 16:14:41 my-ipa-server pkidaemon[2073]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDirBasedDualCert.cfg:92: policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 24 16:14:41 my-ipa-server pkidaemon[2073]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDirBasedDualCert.cfg:164: policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
Apr 24 16:14:41 my-ipa-server pkidaemon[2073]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDirBasedDualCert.cfg:168: policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
Apr 24 16:14:41 my-ipa-server pkidaemon[2073]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caUserSMIMEcapCert.cfg:98: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 24 16:14:41 my-ipa-server pkidaemon[2073]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDirPinUserCert.cfg:96: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 24 16:14:41 my-ipa-server pkidaemon[2073]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDirUserCert.cfg:96: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 24 16:14:41 my-ipa-server pkidaemon[2073]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDualCert.cfg:92: policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 24 16:14:41 my-ipa-server pkidaemon[2073]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDualCert.cfg:164: policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
Apr 24 16:14:41 my-ipa-server pkidaemon[2073]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDualCert.cfg:168: policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
Apr 24 16:14:41 my-ipa-server pkidaemon[2073]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDualRAuserCert.cfg:91: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 24 16:14:41 my-ipa-server pkidaemon[2073]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caECDualCert.cfg:164: policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
Apr 24 16:14:41 my-ipa-server pkidaemon[2073]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caEncUserCert.cfg:92: policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 24 16:14:41 my-ipa-server pkidaemon[2073]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caIPAserviceCert.cfg:82: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 24 16:14:41 my-ipa-server pkidaemon[2073]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caInstallCACert.cfg:83: policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 24 16:14:41 my-ipa-server pkidaemon[2073]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caTPSCert.cfg:82: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 24 16:14:41 my-ipa-server pkidaemon[2073]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caInternalAuthOCSPCert.cfg:68: policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 24 16:14:41 my-ipa-server pkidaemon[2073]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caJarSigningCert.cfg:83: policyset.caJarSigningSet.6.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 24 16:14:41 my-ipa-server pkidaemon[2073]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caServerKeygen_UserCert.cfg:97: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 24 16:14:41 my-ipa-server pkidaemon[2073]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caOtherCert.cfg:82: policyset.otherCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 24 16:14:41 my-ipa-server pkidaemon[2073]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caRACert.cfg:82: policyset.raCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 24 16:14:41 my-ipa-server pkidaemon[2073]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caRARouterCert.cfg:82: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 24 16:14:41 my-ipa-server pkidaemon[2073]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caRAagentCert.cfg:92: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 24 16:14:41 my-ipa-server pkidaemon[2073]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caRAserverCert.cfg:82: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 24 16:14:41 my-ipa-server pkidaemon[2073]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caRouterCert.cfg:82: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 24 16:14:41 my-ipa-server pkidaemon[2073]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caSigningUserCert.cfg:82: policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 24 16:14:41 my-ipa-server pkidaemon[2073]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caServerKeygen_DirUserCert.cfg:101: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 24 16:14:41 my-ipa-server server[2077]: Java virtual machine used: /usr/lib/jvm/jre-21-openjdk/bin/java
Apr 24 16:14:41 my-ipa-server server[2077]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.jar
Apr 24 16:14:41 my-ipa-server server[2077]: main class used: org.apache.catalina.startup.Bootstrap
Apr 24 16:14:41 my-ipa-server server[2077]: flags used: -Dcom.redhat.fips=false
Apr 24 16:14:41 my-ipa-server server[2077]: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager     -Djava.security.manager     -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy
Apr 24 16:14:41 my-ipa-server server[2077]: arguments used: start
Apr 24 16:14:41 my-ipa-server server[2077]: NOTE: Picked up JDK_JAVA_OPTIONS:  --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
Apr 24 16:14:41 my-ipa-server server[2077]: WARNING: A command line option has enabled the Security Manager
Apr 24 16:14:41 my-ipa-server server[2077]: WARNING: The Security Manager is deprecated and will be removed in a future release
Apr 24 16:14:42 my-ipa-server ipa-pki-wait-running[2078]: pki.client: /usr/libexec/ipa/ipa-pki-wait-running:61: The subsystem in PKIConnection.__init__() has been deprecated (https://github.com/dogtagpki/pki/wiki/PKI-10.8-Python-Changes).
Apr 24 16:14:42 my-ipa-server ipa-pki-wait-running[2078]: ipa-pki-wait-running: Created connection http://my-ipa-server:8080/ca
Apr 24 16:14:42 my-ipa-server ipa-pki-wait-running[2078]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='my-ipa-server', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f9b1ec594c0>: Failed to establish a new connection: [Errno 111] Connection refused'))
Apr 24 16:14:43 my-ipa-server ipa-pki-wait-running[2078]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='my-ipa-server', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f9b1ec59b80>: Failed to establish a new connection: [Errno 111] Connection refused'))
Apr 24 16:14:44 my-ipa-server server[2077]: WARNING: Tomcat interprets the [protocols] attribute in a manner consistent with the latest OpenSSL development branch. Some of the specified [protocols] are not supported by the configured SSL engine for this connector (which may use JSSE or an older OpenSSL version) and have been skipped: [[TLSv1, TLSv1.1]]
Apr 24 16:14:45 my-ipa-server ipa-pki-wait-running[2078]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='my-ipa-server', port=8080): Read timed out. (read timeout=1.0)
Apr 24 16:14:47 my-ipa-server ipa-pki-wait-running[2078]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='my-ipa-server', port=8080): Read timed out. (read timeout=1.0)
Apr 24 16:14:49 my-ipa-server ipa-pki-wait-running[2078]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='my-ipa-server', port=8080): Read timed out. (read timeout=1.0)
Apr 24 16:14:51 my-ipa-server ipa-pki-wait-running[2078]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='my-ipa-server', port=8080): Read timed out. (read timeout=1.0)
Apr 24 16:14:53 my-ipa-server ipa-pki-wait-running[2078]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='my-ipa-server', port=8080): Read timed out. (read timeout=1.0)
Apr 24 16:14:54 my-ipa-server ipa-pki-wait-running[2078]: ipa-pki-wait-running: Success, subsystem ca is running!
Apr 24 16:14:54 my-ipa-server systemd[1]: Started pki-tomcatd - PKI Tomcat Server pki-tomcat.
Apr 25 00:04:50 my-ipa-server server[2077]: java.util.logging.ErrorManager: 1: FileHandler is closed or not yet initialized, unable to log [2024-04-25 00:04:50 [Timer-0] WARNING: SessionTimer: access denied ("java.io.FilePermission" "/var/lib/pki/pki-tomcat/logs/ca" "read")
Apr 25 00:04:50 my-ipa-server server[2077]: java.security.AccessControlException: access denied ("java.io.FilePermission" "/var/lib/pki/pki-tomcat/logs/ca" "read")
Apr 25 00:04:50 my-ipa-server server[2077]:         at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:488)
Apr 25 00:04:50 my-ipa-server server[2077]:         at java.base/java.security.AccessController.checkPermission(AccessController.java:1071)
Apr 25 00:04:50 my-ipa-server server[2077]:         at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:411)
Apr 25 00:04:50 my-ipa-server server[2077]:         at java.base/java.lang.SecurityManager.checkRead(SecurityManager.java:742)
Apr 25 00:04:50 my-ipa-server server[2077]:         at java.base/java.io.File.exists(File.java:831)
Apr 25 00:04:50 my-ipa-server server[2077]:         at java.base/java.io.File.mkdirs(File.java:1405)
Apr 25 00:04:50 my-ipa-server server[2077]:         at org.apache.juli.FileHandler.openWriter(FileHandler.java:428)
Apr 25 00:04:50 my-ipa-server server[2077]:         at org.apache.juli.FileHandler.publish(FileHandler.java:220)
Apr 25 00:04:50 my-ipa-server server[2077]:         at java.logging/java.util.logging.Logger.log(Logger.java:983)
Apr 25 00:04:50 my-ipa-server server[2077]:         at org.slf4j.impl.JDK14LoggerAdapter.log(JDK14LoggerAdapter.java:582)
Apr 25 00:04:50 my-ipa-server server[2077]:         at org.slf4j.impl.JDK14LoggerAdapter.info(JDK14LoggerAdapter.java:277)
Apr 25 00:04:50 my-ipa-server server[2077]:         at com.netscape.cmscore.session.SessionTimer.runImpl(SessionTimer.java:63)
Apr 25 00:04:50 my-ipa-server server[2077]:         at com.netscape.cmscore.session.SessionTimer.run(SessionTimer.java:55)
Apr 25 00:04:50 my-ipa-server server[2077]:         at java.base/java.util.TimerThread.mainLoop(Timer.java:566)
Apr 25 00:04:50 my-ipa-server server[2077]:         at java.base/java.util.TimerThread.run(Timer.java:516)
Apr 25 00:04:50 my-ipa-server server[2077]: ]
Apr 25 00:04:52 my-ipa-server server[2077]: java.util.logging.ErrorManager: 1: FileHandler is closed or not yet initialized, unable to log [2024-04-25 00:04:52 [pool-3-thread-1] SEVERE: Unable to run maintenance task: access denied ("java.io.FilePermission" "/var/lib/pki/pki-tomcat/logs/acme" "read")
Apr 25 00:04:52 my-ipa-server server[2077]: java.security.AccessControlException: access denied ("java.io.FilePermission" "/var/lib/pki/pki-tomcat/logs/acme" "read")
Apr 25 00:04:52 my-ipa-server server[2077]:         at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:488)
Apr 25 00:04:52 my-ipa-server server[2077]:         at java.base/java.security.AccessController.checkPermission(AccessController.java:1071)
Apr 25 00:04:52 my-ipa-server server[2077]:         at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:411)
Apr 25 00:04:52 my-ipa-server server[2077]:         at java.base/java.lang.SecurityManager.checkRead(SecurityManager.java:742)
Apr 25 00:04:52 my-ipa-server server[2077]:         at java.base/java.io.File.exists(File.java:831)
Apr 25 00:04:52 my-ipa-server server[2077]:         at java.base/java.io.File.mkdirs(File.java:1405)
Apr 25 00:04:52 my-ipa-server server[2077]:         at org.apache.juli.FileHandler.openWriter(FileHandler.java:428)
Apr 25 00:04:52 my-ipa-server server[2077]:         at org.apache.juli.FileHandler.publish(FileHandler.java:220)
Apr 25 00:04:52 my-ipa-server server[2077]:         at java.logging/java.util.logging.Logger.log(Logger.java:983)
Apr 25 00:04:52 my-ipa-server server[2077]:         at org.slf4j.impl.JDK14LoggerAdapter.log(JDK14LoggerAdapter.java:582)
Apr 25 00:04:52 my-ipa-server server[2077]:         at org.slf4j.impl.JDK14LoggerAdapter.info(JDK14LoggerAdapter.java:277)
Apr 25 00:04:52 my-ipa-server server[2077]:         at org.dogtagpki.acme.scheduler.ACMEMaintenanceTask.run(ACMEMaintenanceTask.java:22)
Apr 25 00:04:52 my-ipa-server server[2077]:         at org.dogtagpki.acme.scheduler.ACMEScheduler$1.run(ACMEScheduler.java:59)
Apr 25 00:04:52 my-ipa-server server[2077]:         at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:572)
Apr 25 00:04:52 my-ipa-server server[2077]:         at java.base/java.util.concurrent.FutureTask.runAndReset(FutureTask.java:358)
Apr 25 00:04:52 my-ipa-server server[2077]:         at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
Apr 25 00:04:52 my-ipa-server server[2077]:         at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
Apr 25 00:04:52 my-ipa-server server[2077]:         at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
Apr 25 00:04:52 my-ipa-server server[2077]:         at java.base/java.lang.Thread.run(Thread.java:1583)
Apr 25 00:04:52 my-ipa-server server[2077]: ]
Apr 25 11:43:27 my-ipa-server systemd[1]: Stopping pki-tomcatd - PKI Tomcat Server pki-tomcat...
Apr 25 11:43:27 my-ipa-server server[28442]: Java virtual machine used: /usr/lib/jvm/jre-21-openjdk/bin/java
Apr 25 11:43:27 my-ipa-server server[28442]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.jar
Apr 25 11:43:27 my-ipa-server server[28442]: main class used: org.apache.catalina.startup.Bootstrap
Apr 25 11:43:27 my-ipa-server server[28442]: flags used: -Dcom.redhat.fips=false
Apr 25 11:43:27 my-ipa-server server[28442]: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
Apr 25 11:43:27 my-ipa-server server[28442]: arguments used: stop
Apr 25 11:43:27 my-ipa-server server[28442]: NOTE: Picked up JDK_JAVA_OPTIONS:  --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
Apr 25 11:43:29 my-ipa-server systemd[1]: pki-tomcatd: Deactivated successfully.
Apr 25 11:43:29 my-ipa-server systemd[1]: Stopped pki-tomcatd - PKI Tomcat Server pki-tomcat.
Apr 25 11:43:29 my-ipa-server systemd[1]: pki-tomcatd: Consumed 4min 29.834s CPU time.
Apr 25 11:43:29 my-ipa-server systemd[1]: Starting pki-tomcatd - PKI Tomcat Server pki-tomcat...
Apr 25 11:43:39 my-ipa-server pki-server[29046]: NOTE: Picked up JDK_JAVA_OPTIONS:  --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
Apr 25 11:43:39 my-ipa-server pki-server[29007]: AJP connector requiredSecret: None
Apr 25 11:43:39 my-ipa-server pki-server[29007]: AJP connector requiredSecret: None
Apr 25 11:43:39 my-ipa-server pkidaemon[29082]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/AdminCert.cfg:83: policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:43:39 my-ipa-server pkidaemon[29082]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caAgentFileSigning.cfg:83: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:43:39 my-ipa-server pkidaemon[29082]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caUUIDdeviceCert.cfg:96: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:43:39 my-ipa-server pkidaemon[29082]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caCrossSignedCACert.cfg:79: policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:43:39 my-ipa-server pkidaemon[29082]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caUserCert.cfg:98: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:43:39 my-ipa-server pkidaemon[29082]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDirBasedDualCert.cfg:92: policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:43:39 my-ipa-server pkidaemon[29082]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDirBasedDualCert.cfg:164: policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
Apr 25 11:43:39 my-ipa-server pkidaemon[29082]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDirBasedDualCert.cfg:168: policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
Apr 25 11:43:39 my-ipa-server pkidaemon[29082]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caUserSMIMEcapCert.cfg:98: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:43:39 my-ipa-server pkidaemon[29082]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDirPinUserCert.cfg:96: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:43:39 my-ipa-server pkidaemon[29082]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDirUserCert.cfg:96: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:43:39 my-ipa-server pkidaemon[29082]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDualCert.cfg:92: policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:43:39 my-ipa-server pkidaemon[29082]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDualCert.cfg:164: policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
Apr 25 11:43:39 my-ipa-server pkidaemon[29082]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDualCert.cfg:168: policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
Apr 25 11:43:39 my-ipa-server pkidaemon[29082]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDualRAuserCert.cfg:91: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:43:39 my-ipa-server pkidaemon[29082]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caECDualCert.cfg:164: policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
Apr 25 11:43:39 my-ipa-server pkidaemon[29082]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caEncUserCert.cfg:92: policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:43:39 my-ipa-server pkidaemon[29082]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caIPAserviceCert.cfg:82: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:43:39 my-ipa-server pkidaemon[29082]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caInstallCACert.cfg:83: policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:43:39 my-ipa-server pkidaemon[29082]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caTPSCert.cfg:82: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:43:39 my-ipa-server pkidaemon[29082]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caInternalAuthOCSPCert.cfg:68: policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:43:39 my-ipa-server pkidaemon[29082]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caJarSigningCert.cfg:83: policyset.caJarSigningSet.6.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:43:39 my-ipa-server pkidaemon[29082]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caServerKeygen_UserCert.cfg:97: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:43:39 my-ipa-server pkidaemon[29082]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caOtherCert.cfg:82: policyset.otherCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:43:39 my-ipa-server pkidaemon[29082]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caRACert.cfg:82: policyset.raCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:43:39 my-ipa-server pkidaemon[29082]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caRARouterCert.cfg:82: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:43:39 my-ipa-server pkidaemon[29082]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caRAagentCert.cfg:92: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:43:39 my-ipa-server pkidaemon[29082]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caRAserverCert.cfg:82: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:43:39 my-ipa-server pkidaemon[29082]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caRouterCert.cfg:82: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:43:39 my-ipa-server pkidaemon[29082]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caSigningUserCert.cfg:82: policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:43:39 my-ipa-server pkidaemon[29082]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caServerKeygen_DirUserCert.cfg:101: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:43:39 my-ipa-server server[29086]: Java virtual machine used: /usr/lib/jvm/jre-21-openjdk/bin/java
Apr 25 11:43:39 my-ipa-server server[29086]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.jar
Apr 25 11:43:39 my-ipa-server server[29086]: main class used: org.apache.catalina.startup.Bootstrap
Apr 25 11:43:39 my-ipa-server server[29086]: flags used: -Dcom.redhat.fips=false
Apr 25 11:43:39 my-ipa-server server[29086]: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager     -Djava.security.manager     -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy
Apr 25 11:43:39 my-ipa-server server[29086]: arguments used: start
Apr 25 11:43:39 my-ipa-server server[29086]: NOTE: Picked up JDK_JAVA_OPTIONS:  --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
Apr 25 11:43:39 my-ipa-server server[29086]: WARNING: A command line option has enabled the Security Manager
Apr 25 11:43:39 my-ipa-server server[29086]: WARNING: The Security Manager is deprecated and will be removed in a future release
Apr 25 11:43:40 my-ipa-server ipa-pki-wait-running[29087]: pki.client: /usr/libexec/ipa/ipa-pki-wait-running:61: The subsystem in PKIConnection.__init__() has been deprecated (https://github.com/dogtagpki/pki/wiki/PKI-10.8-Python-Changes).
Apr 25 11:43:40 my-ipa-server ipa-pki-wait-running[29087]: ipa-pki-wait-running: Created connection http://my-ipa-server:8080/ca
Apr 25 11:43:40 my-ipa-server ipa-pki-wait-running[29087]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='my-ipa-server', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7ff9918496d0>: Failed to establish a new connection: [Errno 111] Connection refused'))
Apr 25 11:43:41 my-ipa-server ipa-pki-wait-running[29087]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='my-ipa-server', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7ff99184a1b0>: Failed to establish a new connection: [Errno 111] Connection refused'))
Apr 25 11:43:41 my-ipa-server server[29086]: WARNING: Tomcat interprets the [protocols] attribute in a manner consistent with the latest OpenSSL development branch. Some of the specified [protocols] are not supported by the configured SSL engine for this connector (which may use JSSE or an older OpenSSL version) and have been skipped: [[TLSv1, TLSv1.1]]
Apr 25 11:43:43 my-ipa-server ipa-pki-wait-running[29087]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='my-ipa-server', port=8080): Read timed out. (read timeout=1.0)
Apr 25 11:43:45 my-ipa-server ipa-pki-wait-running[29087]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='my-ipa-server', port=8080): Read timed out. (read timeout=1.0)
Apr 25 11:43:47 my-ipa-server ipa-pki-wait-running[29087]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='my-ipa-server', port=8080): Read timed out. (read timeout=1.0)
Apr 25 11:43:49 my-ipa-server ipa-pki-wait-running[29087]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='my-ipa-server', port=8080): Read timed out. (read timeout=1.0)
Apr 25 11:43:51 my-ipa-server ipa-pki-wait-running[29087]: ipa-pki-wait-running: Success, subsystem ca is running!
Apr 25 11:43:51 my-ipa-server systemd[1]: Started pki-tomcatd - PKI Tomcat Server pki-tomcat.
Apr 25 11:45:23 my-ipa-server systemd[1]: Stopping pki-tomcatd - PKI Tomcat Server pki-tomcat...
Apr 25 11:45:23 my-ipa-server server[29540]: Java virtual machine used: /usr/lib/jvm/jre-21-openjdk/bin/java
Apr 25 11:45:23 my-ipa-server server[29540]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.jar
Apr 25 11:45:23 my-ipa-server server[29540]: main class used: org.apache.catalina.startup.Bootstrap
Apr 25 11:45:23 my-ipa-server server[29540]: flags used: -Dcom.redhat.fips=false
Apr 25 11:45:23 my-ipa-server server[29540]: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
Apr 25 11:45:23 my-ipa-server server[29540]: arguments used: stop
Apr 25 11:45:23 my-ipa-server server[29540]: NOTE: Picked up JDK_JAVA_OPTIONS:  --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
Apr 25 11:45:24 my-ipa-server systemd[1]: pki-tomcatd: Deactivated successfully.
Apr 25 11:45:24 my-ipa-server systemd[1]: Stopped pki-tomcatd - PKI Tomcat Server pki-tomcat.
Apr 25 11:45:24 my-ipa-server systemd[1]: pki-tomcatd: Consumed 27.847s CPU time.
Apr 25 11:45:25 my-ipa-server systemd[1]: Starting pki-tomcatd - PKI Tomcat Server pki-tomcat...
Apr 25 11:45:34 my-ipa-server pki-server[30190]: NOTE: Picked up JDK_JAVA_OPTIONS:  --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
Apr 25 11:45:34 my-ipa-server pki-server[30151]: AJP connector requiredSecret: None
Apr 25 11:45:34 my-ipa-server pki-server[30151]: AJP connector requiredSecret: None
Apr 25 11:45:34 my-ipa-server pkidaemon[30226]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/AdminCert.cfg:83: policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:45:34 my-ipa-server pkidaemon[30226]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caAgentFileSigning.cfg:83: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:45:34 my-ipa-server pkidaemon[30226]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caUUIDdeviceCert.cfg:96: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:45:34 my-ipa-server pkidaemon[30226]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caCrossSignedCACert.cfg:79: policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:45:34 my-ipa-server pkidaemon[30226]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caUserCert.cfg:98: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:45:34 my-ipa-server pkidaemon[30226]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDirBasedDualCert.cfg:92: policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:45:34 my-ipa-server pkidaemon[30226]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDirBasedDualCert.cfg:164: policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
Apr 25 11:45:34 my-ipa-server pkidaemon[30226]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDirBasedDualCert.cfg:168: policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
Apr 25 11:45:34 my-ipa-server pkidaemon[30226]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caUserSMIMEcapCert.cfg:98: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:45:34 my-ipa-server pkidaemon[30226]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDirPinUserCert.cfg:96: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:45:34 my-ipa-server pkidaemon[30226]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDirUserCert.cfg:96: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:45:34 my-ipa-server pkidaemon[30226]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDualCert.cfg:92: policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:45:34 my-ipa-server pkidaemon[30226]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDualCert.cfg:164: policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
Apr 25 11:45:34 my-ipa-server pkidaemon[30226]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDualCert.cfg:168: policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
Apr 25 11:45:34 my-ipa-server pkidaemon[30226]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDualRAuserCert.cfg:91: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:45:34 my-ipa-server pkidaemon[30226]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caECDualCert.cfg:164: policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
Apr 25 11:45:34 my-ipa-server pkidaemon[30226]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caEncUserCert.cfg:92: policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:45:34 my-ipa-server pkidaemon[30226]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caIPAserviceCert.cfg:82: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:45:34 my-ipa-server pkidaemon[30226]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caInstallCACert.cfg:83: policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:45:34 my-ipa-server pkidaemon[30226]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caTPSCert.cfg:82: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:45:34 my-ipa-server pkidaemon[30226]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caInternalAuthOCSPCert.cfg:68: policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:45:34 my-ipa-server pkidaemon[30226]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caJarSigningCert.cfg:83: policyset.caJarSigningSet.6.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:45:34 my-ipa-server pkidaemon[30226]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caServerKeygen_UserCert.cfg:97: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:45:34 my-ipa-server pkidaemon[30226]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caOtherCert.cfg:82: policyset.otherCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:45:34 my-ipa-server pkidaemon[30226]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caRACert.cfg:82: policyset.raCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:45:34 my-ipa-server pkidaemon[30226]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caRARouterCert.cfg:82: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:45:34 my-ipa-server pkidaemon[30226]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caRAagentCert.cfg:92: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:45:34 my-ipa-server pkidaemon[30226]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caRAserverCert.cfg:82: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:45:34 my-ipa-server pkidaemon[30226]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caRouterCert.cfg:82: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:45:34 my-ipa-server pkidaemon[30226]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caSigningUserCert.cfg:82: policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:45:34 my-ipa-server pkidaemon[30226]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caServerKeygen_DirUserCert.cfg:101: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 11:45:34 my-ipa-server server[30230]: Java virtual machine used: /usr/lib/jvm/jre-21-openjdk/bin/java
Apr 25 11:45:34 my-ipa-server server[30230]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.jar
Apr 25 11:45:34 my-ipa-server server[30230]: main class used: org.apache.catalina.startup.Bootstrap
Apr 25 11:45:34 my-ipa-server server[30230]: flags used: -Dcom.redhat.fips=false
Apr 25 11:45:34 my-ipa-server server[30230]: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager     -Djava.security.manager     -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy
Apr 25 11:45:34 my-ipa-server server[30230]: arguments used: start
Apr 25 11:45:34 my-ipa-server server[30230]: NOTE: Picked up JDK_JAVA_OPTIONS:  --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
Apr 25 11:45:35 my-ipa-server server[30230]: WARNING: A command line option has enabled the Security Manager
Apr 25 11:45:35 my-ipa-server server[30230]: WARNING: The Security Manager is deprecated and will be removed in a future release
Apr 25 11:45:35 my-ipa-server ipa-pki-wait-running[30231]: pki.client: /usr/libexec/ipa/ipa-pki-wait-running:61: The subsystem in PKIConnection.__init__() has been deprecated (https://github.com/dogtagpki/pki/wiki/PKI-10.8-Python-Changes).
Apr 25 11:45:35 my-ipa-server ipa-pki-wait-running[30231]: ipa-pki-wait-running: Created connection http://my-ipa-server:8080/ca
Apr 25 11:45:35 my-ipa-server ipa-pki-wait-running[30231]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='my-ipa-server', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f803bcbe330>: Failed to establish a new connection: [Errno 111] Connection refused'))
Apr 25 11:45:36 my-ipa-server ipa-pki-wait-running[30231]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='my-ipa-server', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f803bcbea80>: Failed to establish a new connection: [Errno 111] Connection refused'))
Apr 25 11:45:36 my-ipa-server server[30230]: WARNING: Tomcat interprets the [protocols] attribute in a manner consistent with the latest OpenSSL development branch. Some of the specified [protocols] are not supported by the configured SSL engine for this connector (which may use JSSE or an older OpenSSL version) and have been skipped: [[TLSv1, TLSv1.1]]
Apr 25 11:45:38 my-ipa-server ipa-pki-wait-running[30231]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='my-ipa-server', port=8080): Read timed out. (read timeout=1.0)
Apr 25 11:45:40 my-ipa-server ipa-pki-wait-running[30231]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='my-ipa-server', port=8080): Read timed out. (read timeout=1.0)
Apr 25 11:45:42 my-ipa-server ipa-pki-wait-running[30231]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='my-ipa-server', port=8080): Read timed out. (read timeout=1.0)
Apr 25 11:45:44 my-ipa-server ipa-pki-wait-running[30231]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='my-ipa-server', port=8080): Read timed out. (read timeout=1.0)
Apr 25 11:45:45 my-ipa-server ipa-pki-wait-running[30231]: ipa-pki-wait-running: Success, subsystem ca is running!
Apr 25 11:45:45 my-ipa-server systemd[1]: Started pki-tomcatd - PKI Tomcat Server pki-tomcat.
Apr 25 12:01:07 my-ipa-server systemd[1]: Stopping pki-tomcatd - PKI Tomcat Server pki-tomcat...
Apr 25 12:01:07 my-ipa-server server[32309]: Java virtual machine used: /usr/lib/jvm/jre-21-openjdk/bin/java
Apr 25 12:01:07 my-ipa-server server[32309]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.jar
Apr 25 12:01:07 my-ipa-server server[32309]: main class used: org.apache.catalina.startup.Bootstrap
Apr 25 12:01:07 my-ipa-server server[32309]: flags used: -Dcom.redhat.fips=false
Apr 25 12:01:07 my-ipa-server server[32309]: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
Apr 25 12:01:07 my-ipa-server server[32309]: arguments used: stop
Apr 25 12:01:07 my-ipa-server server[32309]: NOTE: Picked up JDK_JAVA_OPTIONS:  --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
Apr 25 12:01:08 my-ipa-server systemd[1]: pki-tomcatd: Deactivated successfully.
Apr 25 12:01:08 my-ipa-server systemd[1]: Stopped pki-tomcatd - PKI Tomcat Server pki-tomcat.
Apr 25 12:01:08 my-ipa-server systemd[1]: pki-tomcatd: Consumed 33.035s CPU time, 272.1M memory peak, 0B memory swap peak.
Apr 25 12:01:08 my-ipa-server systemd[1]: Starting pki-tomcatd - PKI Tomcat Server pki-tomcat...
Apr 25 12:01:15 my-ipa-server pki-server[32906]: NOTE: Picked up JDK_JAVA_OPTIONS:  --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
Apr 25 12:01:15 my-ipa-server pki-server[32867]: AJP connector requiredSecret: None
Apr 25 12:01:15 my-ipa-server pki-server[32867]: AJP connector requiredSecret: None
Apr 25 12:01:15 my-ipa-server pkidaemon[32942]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/AdminCert.cfg:83: policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 12:01:15 my-ipa-server pkidaemon[32942]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caAgentFileSigning.cfg:83: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 12:01:15 my-ipa-server pkidaemon[32942]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caUUIDdeviceCert.cfg:96: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 12:01:15 my-ipa-server pkidaemon[32942]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caCrossSignedCACert.cfg:79: policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 12:01:15 my-ipa-server pkidaemon[32942]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caUserCert.cfg:98: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 12:01:15 my-ipa-server pkidaemon[32942]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDirBasedDualCert.cfg:92: policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
Apr 25 12:01:15 my-ipa-server pkidaemon[32942]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDirBasedDualCert.cfg:164: policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
Apr 25 12:01:15 my-ipa-server pkidaemon[32942]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDirBasedDualCert.cfg:168: p

Comment 3 Alexander Bokovoy 2024-04-25 14:15:05 UTC
Thanks, I think we need logs around the following date when you executed ipa-acme-manage:

Date: Thu, 25 Apr 2024 12:22:58 GMT

I don't see anything out of the ordinary in the provided logs at this point. We wait until PKI starts, so what you see around 11:45:35..11:45:45 is expected; the startup of a Tomcat-based application takes time. It looks like it started well and was able to operate.

Endi, anything else to check here?

Comment 4 Endi Sukma Dewata 2024-04-25 17:31:25 UTC
I see the FilePermission errors in the systemd journal, but they seem to disappear after subsequent restarts. However, the journal seems to be truncated. Is there any error since the last restart?

Comment 5 Thomas Höll 2024-04-26 07:20:06 UTC
I don't see any logs generated when I run ipa-acme-manage besides the 404 in localhost_access log:

10.10.2.11 - - [26/Apr/2024:07:07:10 +0000] "POST /acme/login HTTP/1.1" 404 765

When I open the ACME endpoint in a browser (https://<ipa-server>/acme) I see that several resources fail to load:

404 - https://my-ipa-server/patternfly-4.35.2/patternfly.min.css
404 - https://my-ipa-server/jquery-3.5.1/jquery.min.js
200 - https://my-ipa-server/acme/js/pki-acme.js
404 - https://my-ipa-server/patternfly-4.35.2/assets/images/img_avatar.svg


This is the log from cert-manager when I try to issue a certificate:
E0426 07:17:24.416951       1 sync.go:290] "failed to create Order resource due to bad request, marking Order as failed" err="404 : <!doctype html><html lang=\"en\"><head><title>HTTP Status 404 – Not Found</title><style type=\"text/css\">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404 – Not Found</h1><hr class=\"line\" /><p><b>Type</b> Status Report</p><p><b>Message</b> The requested resource [&#47;acme&#47;directory] is not available</p><p><b>Description</b> The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class=\"line\" /><h3>Apache Tomcat/9.0.83</h3></body></html>" logger="cert-manager.orders" resource_name="artifactory-tls-1-2893576723" resource_namespace="artifactory" resource_kind="Order" resource_version="v1"

localhost_access.log:

10.10.2.114 - - [26/Apr/2024:07:17:24 +0000] "GET /acme/directory HTTP/1.1" 404 769

Besides the ACME endpoint, I don't see any errors.

The JRE was upgraded from 17 to 21 in Fedora 40, could that be an issue?

Comment 6 Endi Sukma Dewata 2024-04-26 15:05:20 UTC
Thanks for the info. In comment #4 I was actually asking about the systemd journal. Is there anything more after this line?

Apr 25 12:01:15 my-ipa-server pkidaemon[32942]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDirBasedDualCert.cfg:168: p

The 200 on pki-acme.js indicates that the ACME webapp was deployed properly, so I'm not sure why you got a 404 on /acme/login and /acme/directory. The 404 on patternfly and jquery indicates that the ROOT webapp was not deployed properly. If there is any deployment issue it should appear in the systemd journal.

Comment 7 Thomas Höll 2024-04-30 07:16:14 UTC
Here is the full log: https://pastebin.com/pjQiBN8b

I also did a fresh install on Fedora 40 and restored an IPA backup. The fresh install worked, after I restored my backup, the ACME endpoint broke again.

Comment 8 Endi Sukma Dewata 2024-04-30 17:46:30 UTC
Thanks. The log contains both IPA and PKI messages so it's a bit harder to see, but so far I don't see CA or ACME startup issues. The only things that might be suspicious are these messages:

Apr 30 07:08:55 my-ipa-server pki-server[191697]: AJP connector requiredSecret: None
Apr 30 07:08:55 my-ipa-server pki-server[191697]: AJP connector requiredSecret: None

Could you confirm that the AJP connector is configured properly (i.e. the secret specified in server.xml must match the secret specified in IPA config file)?

Comment 9 Thomas Höll 2024-05-02 07:16:47 UTC
The secret defined in /etc/pki/pki-tomcat/server.xml matches the secrets in /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg as well as in /etc/httpd/conf.d/ipa-pki-proxy.conf.

However, I noticed that the AJP connector was defined twice in server.xml:

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="localhost4" name="Connector1" secret="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"/>
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="localhost6" name="Connector2" secret="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"/>

I removed the 2nd entry and restarted, but it didn't change anything besides the AJP log entry just appearing once:

May 02 07:04:34 my-ipa-server systemd[1]: Starting pki-tomcatd - PKI Tomcat Server pki-tomcat...
May 02 07:04:44 my-ipa-server pki-server[256436]: NOTE: Picked up JDK_JAVA_OPTIONS:  --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=j>
May 02 07:04:44 my-ipa-server pki-server[256397]: AJP connector requiredSecret: None
May 02 07:04:44 my-ipa-server pkidaemon[256472]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/AdminCert.cfg:83: policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA51>
May 02 07:04:44 my-ipa-server pkidaemon[256472]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caAgentFileSigning.cfg:83: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256wit>
May 02 07:04:44 my-ipa-server pkidaemon[256472]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caUUIDdeviceCert.cfg:96: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA>
May 02 07:04:44 my-ipa-server pkidaemon[256472]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caCrossSignedCACert.cfg:79: policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRS>
May 02 07:04:44 my-ipa-server pkidaemon[256472]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caUserCert.cfg:98: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA51>
May 02 07:04:44 my-ipa-server pkidaemon[256472]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDirBasedDualCert.cfg:92: policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA25>
May 02 07:04:44 my-ipa-server pkidaemon[256472]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDirBasedDualCert.cfg:164: policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256w>
May 02 07:04:44 my-ipa-server pkidaemon[256472]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDirBasedDualCert.cfg:168: policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256with>
May 02 07:04:44 my-ipa-server pkidaemon[256472]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caUserSMIMEcapCert.cfg:98: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withR>
May 02 07:04:44 my-ipa-server pkidaemon[256472]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDirPinUserCert.cfg:96: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA>
May 02 07:04:44 my-ipa-server pkidaemon[256472]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDirUserCert.cfg:96: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SH>
May 02 07:04:44 my-ipa-server pkidaemon[256472]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDualCert.cfg:92: policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA>
May 02 07:04:44 my-ipa-server pkidaemon[256472]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDualCert.cfg:164: policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,S>
May 02 07:04:44 my-ipa-server pkidaemon[256472]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDualCert.cfg:168: policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA5>
May 02 07:04:44 my-ipa-server pkidaemon[256472]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caDualRAuserCert.cfg:91: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA>
May 02 07:04:44 my-ipa-server pkidaemon[256472]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caECDualCert.cfg:164: policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA>
May 02 07:04:44 my-ipa-server pkidaemon[256472]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caEncUserCert.cfg:92: policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256with>
May 02 07:04:44 my-ipa-server pkidaemon[256472]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caIPAserviceCert.cfg:82: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withR>
May 02 07:04:44 my-ipa-server pkidaemon[256472]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caInstallCACert.cfg:83: policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SH>
May 02 07:04:44 my-ipa-server pkidaemon[256472]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caTPSCert.cfg:82: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA5>
May 02 07:04:44 my-ipa-server pkidaemon[256472]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caInternalAuthOCSPCert.cfg:68: policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256w>
May 02 07:04:44 my-ipa-server pkidaemon[256472]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caJarSigningCert.cfg:83: policyset.caJarSigningSet.6.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256wit>
May 02 07:04:44 my-ipa-server pkidaemon[256472]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caServerKeygen_UserCert.cfg:97: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256>
May 02 07:04:44 my-ipa-server pkidaemon[256472]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caOtherCert.cfg:82: policyset.otherCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA>
May 02 07:04:44 my-ipa-server pkidaemon[256472]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caRACert.cfg:82: policyset.raCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512wit>
May 02 07:04:44 my-ipa-server pkidaemon[256472]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caRARouterCert.cfg:82: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA>
May 02 07:04:44 my-ipa-server pkidaemon[256472]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caRAagentCert.cfg:92: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SH>
May 02 07:04:44 my-ipa-server pkidaemon[256472]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caRAserverCert.cfg:82: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA>
May 02 07:04:44 my-ipa-server pkidaemon[256472]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caRouterCert.cfg:82: policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,S>
May 02 07:04:44 my-ipa-server pkidaemon[256472]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caSigningUserCert.cfg:82: policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256wit>
May 02 07:04:44 my-ipa-server pkidaemon[256472]: WARNING: Deprecated algorithm in /etc/pki/pki-tomcat/ca/profiles/ca/caServerKeygen_DirUserCert.cfg:101: policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SH>
May 02 07:04:44 my-ipa-server server[256476]: Java virtual machine used: /usr/lib/jvm/jre-21-openjdk/bin/java
May 02 07:04:44 my-ipa-server server[256476]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.jar
May 02 07:04:44 my-ipa-server server[256476]: main class used: org.apache.catalina.startup.Bootstrap
May 02 07:04:44 my-ipa-server server[256476]: flags used: -Dcom.redhat.fips=false
May 02 07:04:44 my-ipa-server server[256476]: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config>
May 02 07:04:44 my-ipa-server server[256476]: arguments used: start
May 02 07:04:44 my-ipa-server server[256476]: NOTE: Picked up JDK_JAVA_OPTIONS:  --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.>
May 02 07:04:44 my-ipa-server server[256476]: WARNING: A command line option has enabled the Security Manager
May 02 07:04:44 my-ipa-server server[256476]: WARNING: The Security Manager is deprecated and will be removed in a future release
May 02 07:04:45 my-ipa-server ipa-pki-wait-running[256477]: pki.client: /usr/libexec/ipa/ipa-pki-wait-running:61: The subsystem in PKIConnection.__init__() has been deprecated (https://github.com/dogtagpki/pki/wiki/PKI-10.8-Pyth>
May 02 07:04:45 my-ipa-server ipa-pki-wait-running[256477]: ipa-pki-wait-running: Created connection http://my-ipa-server:8080/ca
May 02 07:04:45 my-ipa-server ipa-pki-wait-running[256477]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='my-ipa-server', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by >
May 02 07:04:46 my-ipa-server server[256476]: WARNING: Tomcat interprets the [protocols] attribute in a manner consistent with the latest OpenSSL development branch. Some of the specified [protocols] are not supported by the con>
May 02 07:04:47 my-ipa-server ipa-pki-wait-running[256477]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='my-ipa-server', port=8080): Read timed out. (read timeout=1.0)
May 02 07:04:49 my-ipa-server ipa-pki-wait-running[256477]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='my-ipa-server', port=8080): Read timed out. (read timeout=1.0)
May 02 07:04:51 my-ipa-server ipa-pki-wait-running[256477]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='my-ipa-server', port=8080): Read timed out. (read timeout=1.0)
May 02 07:04:53 my-ipa-server ipa-pki-wait-running[256477]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='my-ipa-server', port=8080): Read timed out. (read timeout=1.0)
May 02 07:04:55 my-ipa-server ipa-pki-wait-running[256477]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='my-ipa-server', port=8080): Read timed out. (read timeout=1.0)
May 02 07:04:56 my-ipa-server ipa-pki-wait-running[256477]: ipa-pki-wait-running: Success, subsystem ca is running!
May 02 07:04:56 my-ipa-server systemd[1]: Started pki-tomcatd - PKI Tomcat Server pki-tomcat.

Comment 11 Han Boetes 2024-05-06 13:11:47 UTC
(In reply to Thomas Höll from comment #9)

> However, I noticed that the AJP connector was defined twice in server.xml:
> 
> <!-- Define an AJP 1.3 Connector on port 8009 -->
> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
> address="localhost4" name="Connector1"
> secret="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"/>
> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
> address="localhost6" name="Connector2"
> secret="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"/>
> 
> I removed the 2nd entry and restarted, but it didn't change anything besides
> the AJP log entry just appearing once:

On a side note: localhost4 refers to 127.0.0.1 and localhost6 to ::1, the IPv6 version of localhost. No need to remove those entries.


(In reply to Endi Sukma Dewata from comment #8)

> Could you confirm that the AJP connector is configured properly (i.e. the secret specified in server.xml must match the secret specified in IPA config file)?

The output from `grep secret /etc/pki/pki-tomcat/server.xml  /etc/httpd/conf.d/ipa-pki-proxy.conf` now returns the same secret string. Although I did have to edit that string in /etc/httpd/conf.d/ipa-pki-proxy.conf since it wasn't matching. So what Thomas described in this comment:

> The secret defined in /etc/pki/pki-tomcat/server.xml matches the secrets in /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg as well as in /etc/httpd/conf.d/ipa-pki-proxy.conf.

is now valid for me as well.
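
The consistency check Endi asks for in comment #8 and Han performs by hand with grep, written out as an added example (not part of this bug report, nor FreeIPA or Dogtag code). It assumes the three places the thread names: the `secret` attribute on the AJP/1.3 `<Connector>` elements in server.xml, `secret=` on the `ajp://` ProxyPass lines in ipa-pki-proxy.conf, and a `pki_ajp_secret` key in deployment.cfg (the key name is an assumption). The sample files and secret values are constructed; two connectors on localhost4/localhost6 are kept on purpose, since Han's note says both are normal and they simply must carry the same secret.

```python
import configparser
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of /etc/pki/pki-tomcat/server.xml (placeholder secrets, not real values).
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="localhost4" name="Connector1" secret="CONSTRUCTED-SECRET-AAAA"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="localhost6" name="Connector2" secret="CONSTRUCTED-SECRET-AAAA"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"/>
  </Service>
</Server>
"""

# Constructed excerpt of /etc/httpd/conf.d/ipa-pki-proxy.conf with a secret that does NOT match.
PROXY_CONF_BROKEN = """ProxyPassMatch ^/ca/rest/account/login ajp://localhost:8009 secret=CONSTRUCTED-SECRET-BBBB
ProxyPassMatch ^/acme/(.*)$ ajp://localhost:8009/acme/$1 secret=CONSTRUCTED-SECRET-BBBB
"""
PROXY_CONF_FIXED = PROXY_CONF_BROKEN.replace("CONSTRUCTED-SECRET-BBBB", "CONSTRUCTED-SECRET-AAAA")

# Constructed excerpt of /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg
# (key name pki_ajp_secret is an assumption).
DEPLOYMENT_CFG = """[DEFAULT]
pki_instance_name=pki-tomcat

[CA]
pki_ajp_secret=CONSTRUCTED-SECRET-AAAA
"""


def ajp_secrets_from_server_xml(text):
    """Return {connector name: secret} for every AJP/1.3 <Connector> in server.xml."""
    root = ET.fromstring(text)
    found = {}
    for conn in root.iter("Connector"):
        if conn.get("protocol") != "AJP/1.3":
            continue
        name = conn.get("name") or "port-%s-%s" % (conn.get("port"), conn.get("address", "*"))
        found[name] = conn.get("secret")  # None if the attribute is missing
    return found


def ajp_secrets_from_proxy_conf(text):
    """Return the set of secret= values attached to ajp:// proxy targets."""
    pattern = re.compile(r"ajp://\S+\s+secret=(\S+)")
    return {m.group(1) for m in pattern.finditer(text)}


def ajp_secret_from_deployment_cfg(text):
    """Return pki_ajp_secret from deployment.cfg, or None if absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    for section in cp.sections():
        if cp.has_option(section, "pki_ajp_secret"):
            return cp.get(section, "pki_ajp_secret")
    return None


def check_ajp_secrets(server_xml, proxy_conf, deployment_cfg):
    """Report every secret seen and whether Tomcat, httpd and deployment.cfg all agree."""
    connectors = ajp_secrets_from_server_xml(server_xml)
    proxy = ajp_secrets_from_proxy_conf(proxy_conf)
    deploy = ajp_secret_from_deployment_cfg(deployment_cfg)
    seen = set(connectors.values()) | proxy | {deploy}
    consistent = bool(connectors) and bool(proxy) and deploy is not None and len(seen) == 1
    return {
        "connectors": connectors,
        "proxy": sorted(proxy),
        "deployment": deploy,
        "consistent": consistent,
    }


if __name__ == "__main__":
    for label, conf in (("broken", PROXY_CONF_BROKEN), ("fixed", PROXY_CONF_FIXED)):
        report = check_ajp_secrets(SERVER_XML, conf, DEPLOYMENT_CFG)
        print(label, "consistent:", report["consistent"])
```

On a live server the three strings would be read from the real files; a mismatch means httpd's AJP requests are rejected by Tomcat before any webapp sees them, which is a different failure from the 404 discussed here and worth ruling out first.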

Comment 12 Endi Sukma Dewata 2024-05-07 20:49:36 UTC
Thanks for the info. So is everything working now?

Comment 13 Han Boetes 2024-05-08 06:25:46 UTC
No it isn't:

root@gandalf ~ #  curl http://gandalf.example.com:8080/ca/admin/ca/getStatus
{
  "Response" : {
    "State" : "1",
    "Type" : "CA",
    "Status" : "running",
    "Version" : "11.5.0-SNAPSHOT"
  }
}
root@gandalf ~ #  curl https://gandalf.example.com/acme/directory
<!doctype html><html lang="en"><head><title>HTTP Status 404 – Not Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404 – Not Found</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> The requested resource [&#47;acme&#47;directory] is not available</p><p><b>Description</b> The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class="line" /><h3>Apache Tomcat/9.0.83</h3></body></html>#

Comment 14 Thomas Höll 2024-05-08 10:54:33 UTC
Same here:

curl http://ipa.nix.hoell.internal:8080/acme/directory

<!doctype html><html lang="en"><head><title>HTTP Status 404 – Not Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404 – Not Found</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> The requested resource [&#47;acme&#47;directory] is not available</p><p><b>Description</b> The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class="line" /><h3>Apache Tomcat/9.0.83</h3></body></html>[root@ipa ~]# 

curl http://localhost:8080/ca/admin/ca/getStatus

{
  "Response" : {
    "State" : "1",
    "Type" : "CA",
    "Status" : "running",
    "Version" : "11.5.0-SNAPSHOT",
    "ProductVersion" : "Dogtag Certificate System"
  }
}

Comment 15 Endi Sukma Dewata 2024-05-09 16:14:59 UTC
They are all different URLs so it's difficult to make a conclusion. Could you try these URLs?
- http://gandalf.example.com:8080/acme/directory
- https://gandalf.example.com/ca/admin/ca/getStatus
- http://ipa.nix.hoell.internal:8080/ca/admin/ca/getStatus
- http://localhost:8080/acme/directory

Also, could you check the ACME debug log again (like in comment #2) to confirm that the ACME engine was started successfully? Thanks.

Comment 16 Han Boetes 2024-05-09 19:54:16 UTC
Here you go:

h.boetes@habocp3 ~ %  curl http://gandalf.example.com:8080/acme/directory
curl: (7) Failed to connect to gandalf.example.com port 8080 after 1 ms: Couldn't connect to server
h.boetes@habocp3 ~ %  curl https://gandalf.example.com/ca/admin/ca/getStatus
{
  "Response" : {
    "State" : "1",
    "Type" : "CA",
    "Status" : "running",
    "Version" : "11.5.0-SNAPSHOT"
  }
}

2024-05-09 21:50:27 [main] INFO: Starting ACME engine
2024-05-09 21:50:27 [main] INFO: ACME configuration directory: /var/lib/pki/pki-tomcat/conf/acme
2024-05-09 21:50:27 [main] INFO: Loading ACME engine config from /var/lib/pki/pki-tomcat/conf/acme/engine.conf
2024-05-09 21:50:27 [main] INFO: - enabled: false
2024-05-09 21:50:27 [main] INFO: - base URL: https://gandalf.example.com/acme
2024-05-09 21:50:27 [main] INFO: - nonces persistent: null
2024-05-09 21:50:27 [main] INFO: - wildcard: false
2024-05-09 21:50:27 [main] INFO: - nonce retention: {
  "length" : 30,
  "unit" : "MINUTES"
}
2024-05-09 21:50:27 [main] INFO: - authorization retention:
2024-05-09 21:50:27 [main] INFO:   - pending: {
  "length" : 30,
  "unit" : "MINUTES"
}
2024-05-09 21:50:27 [main] INFO:   - invalid: {
  "length" : 30,
  "unit" : "MINUTES"
}
2024-05-09 21:50:27 [main] INFO:   - valid: {
  "length" : 30,
  "unit" : "MINUTES"
}
2024-05-09 21:50:27 [main] INFO: - order retention:
2024-05-09 21:50:27 [main] INFO:   - pending: {
  "length" : 30,
  "unit" : "MINUTES"
}
2024-05-09 21:50:27 [main] INFO:   - invalid: {
  "length" : 30,
  "unit" : "MINUTES"
}
2024-05-09 21:50:27 [main] INFO:   - ready: {
  "length" : 30,
  "unit" : "MINUTES"
}
2024-05-09 21:50:27 [main] INFO:   - processing: {
  "length" : 30,
  "unit" : "MINUTES"
}
2024-05-09 21:50:27 [main] INFO:   - valid: {
  "length" : 30,
  "unit" : "MINUTES"
}
2024-05-09 21:50:27 [main] INFO: - certificate retention: {
  "length" : 30,
  "unit" : "DAYS"
}
2024-05-09 21:50:27 [main] INFO: Loading ACME metadata from /usr/share/pki/acme/conf/metadata.conf
2024-05-09 21:50:27 [main] INFO: Loading ACME database config from /var/lib/pki/pki-tomcat/conf/acme/database.conf
2024-05-09 21:50:27 [main] INFO: Initializing ACME database
2024-05-09 21:50:27 [main] INFO: Loading LDAP database configuration from /etc/pki/pki-tomcat/ca/CS.cfg
2024-05-09 21:50:27 [main] WARNING: The basedn parameter has been deprecated. Use baseDN instead.
2024-05-09 21:50:27 [main] INFO: - base DN: ou=acme,o=ipaca
2024-05-09 21:50:27 [main] INFO: PKISocketFactory: Initializing PKISocketFactory
2024-05-09 21:50:27 [main] INFO: PKISocketFactory: Creating SSL socket for gandalf.example.com:636
2024-05-09 21:50:27 [main] INFO: - monitor enabled: null
2024-05-09 21:50:27 [main] INFO: Loading ACME validators config from /usr/share/pki/acme/conf/validators.conf
2024-05-09 21:50:27 [main] INFO: Initializing ACME validators
2024-05-09 21:50:27 [main] INFO: Initializing dns-01 validator
2024-05-09 21:50:27 [main] INFO: Initializing http-01 validator
2024-05-09 21:50:27 [main] INFO: Loading ACME issuer config from /var/lib/pki/pki-tomcat/conf/acme/issuer.conf
2024-05-09 21:50:27 [main] INFO: Initializing ACME issuer
2024-05-09 21:50:27 [main] INFO: Initializing PKI issuer
2024-05-09 21:50:27 [main] INFO: - URL: https://gandalf.example.com:8443
2024-05-09 21:50:27 [main] INFO: - username: acme-gandalf.example.com
2024-05-09 21:50:27 [main] INFO: - profile: acmeIPAServerCert
2024-05-09 21:50:27 [main] INFO: Loading ACME scheduler config from /usr/share/pki/acme/conf/scheduler.conf
2024-05-09 21:50:27 [main] INFO: Initializing ACME scheduler
2024-05-09 21:50:27 [main] INFO: Initializing ACME scheduler
2024-05-09 21:50:27 [main] INFO: - threads: 1
2024-05-09 21:50:27 [main] INFO: Initializing maintenance task
2024-05-09 21:50:27 [main] INFO: - initial delay: 5
2024-05-09 21:50:27 [main] INFO: - delay: 5
2024-05-09 21:50:27 [main] INFO: - interval: null
2024-05-09 21:50:27 [main] INFO: - unit: MINUTES
2024-05-09 21:50:27 [main] INFO: Loading ACME monitors config from /var/lib/pki/pki-tomcat/conf/acme/configsources.conf
2024-05-09 21:50:27 [main] INFO: ACME service is DISABLED by configuration
2024-05-09 21:50:27 [main] INFO: ACME wildcard issuance is DISABLED by configuration
2024-05-09 21:50:27 [main] INFO: Loading ACME realm config from /var/lib/pki/pki-tomcat/conf/acme/realm.conf
2024-05-09 21:50:27 [main] INFO: Initializing ACME realm
2024-05-09 21:50:27 [main] INFO: Initializing LDAP realm
2024-05-09 21:50:27 [main] INFO: Loading LDAP realm config from /etc/pki/pki-tomcat/ca/CS.cfg
2024-05-09 21:50:27 [ACMEEngineConfigFileSource] INFO: ACMEEngineConfigSource: watching /etc/pki/pki-tomcat/acme/engine.conf
2024-05-09 21:50:27 [main] INFO: - users DN: ou=people,o=ipaca
2024-05-09 21:50:27 [main] INFO: - groups DN: ou=groups,o=ipaca
2024-05-09 21:50:27 [main] INFO: PKISocketFactory: Initializing PKISocketFactory
2024-05-09 21:50:27 [main] INFO: PKISocketFactory: Creating SSL socket for gandalf.example.com:636
2024-05-09 21:50:27 [main] INFO: ACME engine started
2024-05-09 21:50:27 [main] INFO: Initializing ACMEApplication

Comment 17 Endi Sukma Dewata 2024-05-09 20:05:41 UTC
Thanks, so with http://gandalf.example.com:8080/ca/admin/ca/getStatus the server is reachable and the CA is responding properly, but with http://gandalf.example.com:8080/acme/directory the server is not reachable at all, which is strange. Is gandalf.example.com:8080 pointing to Tomcat directly or some other machine/service?

Comment 18 Han Boetes 2024-05-09 20:20:11 UTC
I think the former, all I ever did to get it working was running `ipa-acme-manage enable`. And it still fails.

root@gandalf ~ #  ipa-acme-manage enable
Failed to authenticate to CA REST API
The ipa-acme-manage command failed.

Comment 19 Rob Crittenden 2024-05-09 20:29:28 UTC
ipa-acme-manage enable does:

POST https://ipa.example.test:8443/acme/login

Using the IPA RA agent client certificate for authentication.

Then 

POST https://ipa.example.test:8443/acme/enable

I assume it is the first POST that fails. The typical response to the login POST is:

{"id":"ipara","FullName":"ipara","Roles":["Certificate Manager Agents","Enterprise ACME Administrators","Registration Manager Agents","Security Domain Administrators"],"Attributes":{"Attribute":[]}}

Comment 20 Endi Sukma Dewata 2024-05-09 20:58:57 UTC
According to ACME debug log the ACME service is disabled in /var/lib/pki/pki-tomcat/conf/acme/engine.conf, so even though the ACME webapp was started successfully, it might not provide ACME service. I'm not sure why it's disabled (upgrade issue?), but even if it's disabled, IIUC the server should at least return an HTTP 503 instead of becoming unreachable, so I'm not sure if this is the culprit but you might want to try enabling it manually.
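
The distinction Endi draws in this comment (webapp deployed, engine started, but service disabled in engine.conf) can be checked mechanically from the two logs the thread has been reading. The following is an added example, not code from this bug report or from Dogtag; it takes ACME debug log lines and Tomcat localhost_access.log lines as lists of strings and returns a verdict. The sample lines are constructed after the messages visible in comments #5 and #16, and the verdict labels are my own.

```python
import re

# Tomcat access-log request field, e.g. "GET /acme/directory HTTP/1.1" 404 769
ACCESS_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed ACME debug log lines, modelled on comment #16 (engine up, service disabled).
DEBUG_LOG_DISABLED = [
    "2024-05-09 21:50:27 [main] INFO: Starting ACME engine",
    "2024-05-09 21:50:27 [main] INFO: - enabled: false",
    "2024-05-09 21:50:27 [main] INFO: - base URL: https://ipa.example.test/acme",
    "2024-05-09 21:50:27 [main] INFO: - wildcard: false",
    "2024-05-09 21:50:27 [main] INFO: ACME service is DISABLED by configuration",
    "2024-05-09 21:50:27 [main] INFO: ACME engine started",
]
# Same startup with enabled=true and no DISABLED message (the state after comment #21).
DEBUG_LOG_ENABLED = [
    line.replace("- enabled: false", "- enabled: true")
    for line in DEBUG_LOG_DISABLED
    if "DISABLED by configuration" not in line
]
# Constructed access-log lines, modelled on comment #5.
ACCESS_LOG = [
    '10.10.2.11 - - [26/Apr/2024:07:07:10 +0000] "POST /acme/login HTTP/1.1" 404 765',
    '10.10.2.114 - - [26/Apr/2024:07:17:24 +0000] "GET /acme/directory HTTP/1.1" 404 769',
    '10.10.2.11 - - [26/Apr/2024:07:20:00 +0000] "GET /acme/js/pki-acme.js HTTP/1.1" 200 4321',
]


def acme_engine_state(debug_lines):
    """Summarise ACME engine startup: seen at all, enabled flag, disabled notice, started."""
    state = {"engine_seen": False, "enabled": None, "disabled_by_config": False, "started": False}
    for line in debug_lines:
        if "Starting ACME engine" in line:
            state["engine_seen"] = True
        m = re.search(r"- enabled: (true|false)\b", line)
        if m:
            state["enabled"] = (m.group(1) == "true")
        if "ACME service is DISABLED by configuration" in line:
            state["disabled_by_config"] = True
        if "ACME engine started" in line:
            state["started"] = True
    return state


def acme_404s(access_lines):
    """Return (method, path) for every request under /acme answered with 404."""
    hits = []
    for line in access_lines:
        m = ACCESS_RE.search(line)
        if m and m.group("status") == "404" and m.group("path").startswith("/acme"):
            hits.append((m.group("method"), m.group("path")))
    return hits


def diagnose(debug_lines, access_lines):
    """Order the checks the way the thread did: deployed? started? enabled? still 404?"""
    engine = acme_engine_state(debug_lines)
    missing = acme_404s(access_lines)
    if not engine["engine_seen"]:
        verdict = "webapp-not-deployed"      # no engine messages at all: look at the systemd journal
    elif not engine["started"]:
        verdict = "engine-startup-failed"    # startup began but never logged "ACME engine started"
    elif engine["enabled"] is False or engine["disabled_by_config"]:
        verdict = "engine-disabled"          # engine.conf has enabled=false; ipa-acme-manage enable
    elif missing:
        verdict = "enabled-but-404"          # engine fine; the 404 comes from Tomcat/proxy layer
    else:
        verdict = "ok"
    return {"engine": engine, "acme_404s": missing, "verdict": verdict}


if __name__ == "__main__":
    print(diagnose(DEBUG_LOG_DISABLED, ACCESS_LOG)["verdict"])
    print(diagnose(DEBUG_LOG_ENABLED, ACCESS_LOG)["verdict"])
```

The ordering matters: a disabled engine and an undeployed webapp both surface to clients as a failed order, but only the last verdict points away from engine.conf and toward the Tomcat deployment, which is where comment #6 already suggested looking.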

Comment 21 Thomas Höll 2024-05-10 05:57:12 UTC
(In reply to Endi Sukma Dewata from comment #20)
> According to ACME debug log the ACME service is disabled in
> /var/lib/pki/pki-tomcat/conf/acme/engine.conf, so even though the ACME
> webapp was started successfully, it might not provide ACME service. I'm not
> sure why it's disabled (upgrade issue?), but even if it's disabled, IIUC the
> server should at least return an HTTP 503 instead of becoming unreachable,
> so I'm not sure if this is the culprit but you might want to try enabling it
> manually.

The ACME service was indeed disabled in /var/lib/pki/pki-tomcat/conf/acme/engine.conf. I enabled it, did a full ipactl restart and tried ipa-acme-manage status again. Still the same issue.

2024-05-10 05:52:03 [main] INFO: Starting ACME engine
2024-05-10 05:52:03 [main] INFO: ACME configuration directory: /var/lib/pki/pki-tomcat/conf/acme
2024-05-10 05:52:03 [main] INFO: Loading ACME engine config from /var/lib/pki/pki-tomcat/conf/acme/engine.conf
2024-05-10 05:52:03 [main] INFO: - enabled: true
2024-05-10 05:52:03 [main] INFO: - base URL: https://ipa.nix.hoell.internal/acme
2024-05-10 05:52:03 [main] INFO: - nonces persistent: null
2024-05-10 05:52:03 [main] INFO: - wildcard: false
2024-05-10 05:52:03 [main] INFO: - nonce retention: {
  "length" : 30,
  "unit" : "MINUTES"
}
2024-05-10 05:52:03 [main] INFO: - authorization retention:
2024-05-10 05:52:03 [main] INFO:   - pending: {
  "length" : 30,
  "unit" : "MINUTES"
}
2024-05-10 05:52:03 [main] INFO:   - invalid: {
  "length" : 30,
  "unit" : "MINUTES"
}
2024-05-10 05:52:03 [main] INFO:   - valid: {
  "length" : 30,
  "unit" : "MINUTES"
}
2024-05-10 05:52:03 [main] INFO: - order retention:
2024-05-10 05:52:03 [main] INFO:   - pending: {
  "length" : 30,
  "unit" : "MINUTES"
}
2024-05-10 05:52:03 [main] INFO:   - invalid: {
  "length" : 30,
  "unit" : "MINUTES"
}
2024-05-10 05:52:03 [main] INFO:   - ready: {
  "length" : 30,
  "unit" : "MINUTES"
}
2024-05-10 05:52:03 [main] INFO:   - processing: {
  "length" : 30,
  "unit" : "MINUTES"
}
2024-05-10 05:52:03 [main] INFO:   - valid: {
  "length" : 30,
  "unit" : "MINUTES"
}
2024-05-10 05:52:03 [main] INFO: - certificate retention: {
  "length" : 30,
  "unit" : "DAYS"
}
2024-05-10 05:52:03 [main] INFO: Loading ACME metadata from /usr/share/pki/acme/conf/metadata.conf
2024-05-10 05:52:03 [main] INFO: Loading ACME database config from /var/lib/pki/pki-tomcat/conf/acme/database.conf
2024-05-10 05:52:03 [main] INFO: Initializing ACME database
2024-05-10 05:52:03 [main] INFO: Loading LDAP database configuration from /etc/pki/pki-tomcat/ca/CS.cfg
2024-05-10 05:52:03 [main] WARNING: The basedn parameter has been deprecated. Use baseDN instead.
2024-05-10 05:52:03 [main] INFO: - base DN: ou=acme,o=ipaca
2024-05-10 05:52:03 [main] INFO: PKISocketFactory: Initializing PKISocketFactory
2024-05-10 05:52:03 [main] INFO: PKISocketFactory: Creating SSL socket for ipa.nix.hoell.internal:636
2024-05-10 05:52:03 [main] INFO: - monitor enabled: null
2024-05-10 05:52:03 [main] INFO: Loading ACME validators config from /usr/share/pki/acme/conf/validators.conf
2024-05-10 05:52:03 [main] INFO: Initializing ACME validators
2024-05-10 05:52:03 [main] INFO: Initializing dns-01 validator
2024-05-10 05:52:03 [main] INFO: Initializing http-01 validator
2024-05-10 05:52:03 [main] INFO: Loading ACME issuer config from /var/lib/pki/pki-tomcat/conf/acme/issuer.conf
2024-05-10 05:52:03 [main] INFO: Initializing ACME issuer
2024-05-10 05:52:04 [main] INFO: Initializing PKI issuer
2024-05-10 05:52:04 [main] INFO: - URL: https://ipa.nix.hoell.internal:8443
2024-05-10 05:52:04 [main] INFO: - username: acme-ipa.nix.hoell.internal
2024-05-10 05:52:04 [main] INFO: - profile: acmeIPAServerCert
2024-05-10 05:52:04 [main] INFO: Loading ACME scheduler config from /usr/share/pki/acme/conf/scheduler.conf
2024-05-10 05:52:04 [main] INFO: Initializing ACME scheduler
2024-05-10 05:52:04 [main] INFO: Initializing ACME scheduler
2024-05-10 05:52:04 [main] INFO: - threads: 1
2024-05-10 05:52:04 [main] INFO: Initializing maintenance task
2024-05-10 05:52:04 [main] INFO: - initial delay: 5
2024-05-10 05:52:04 [main] INFO: - delay: 5
2024-05-10 05:52:04 [main] INFO: - interval: null
2024-05-10 05:52:04 [main] INFO: - unit: MINUTES
2024-05-10 05:52:04 [main] INFO: Loading ACME monitors config from /var/lib/pki/pki-tomcat/conf/acme/configsources.conf
2024-05-10 05:52:04 [main] INFO: ACME service is enabled by configuration
2024-05-10 05:52:04 [main] INFO: ACME wildcard issuance is DISABLED by configuration
2024-05-10 05:52:04 [main] INFO: Loading ACME realm config from /var/lib/pki/pki-tomcat/conf/acme/realm.conf
2024-05-10 05:52:04 [main] INFO: Initializing ACME realm
2024-05-10 05:52:04 [main] INFO: Initializing LDAP realm
2024-05-10 05:52:04 [main] INFO: Loading LDAP realm config from /etc/pki/pki-tomcat/ca/CS.cfg
2024-05-10 05:52:04 [ACMEEngineConfigFileSource] INFO: ACMEEngineConfigSource: watching /etc/pki/pki-tomcat/acme/engine.conf
2024-05-10 05:52:04 [main] INFO: - users DN: ou=people,o=ipaca
2024-05-10 05:52:04 [main] INFO: - groups DN: ou=groups,o=ipaca
2024-05-10 05:52:04 [main] INFO: PKISocketFactory: Initializing PKISocketFactory
2024-05-10 05:52:04 [main] INFO: PKISocketFactory: Creating SSL socket for ipa.nix.hoell.internal:636
2024-05-10 05:52:04 [main] INFO: ACME engine started


------

ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldapi://%2Frun%2Fslapd-NIX-HOELL-INTERNAL.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7fd5a9d805c0>
ipaserver.masters: DEBUG: Discovery: available servers for service 'CA' are ipa.nix.hoell.internal
ipaserver.masters: DEBUG: Discovery: using ipa.nix.hoell.internal for 'CA' service
ipapython.dogtag: DEBUG: request POST https://ipa.nix.hoell.internal:8443/acme/login
ipapython.dogtag: DEBUG: request body ''
ipapython.dogtag: DEBUG: response status 404
ipapython.dogtag: DEBUG: response headers Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 765
Date: Fri, 10 May 2024 05:56:07 GMT


ipapython.dogtag: DEBUG: response body (decoded): b'<!doctype html><html lang="en"><head><title>HTTP Status 404 \xe2\x80\x93 Not Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404 \xe2\x80\x93 Not Found</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> The requested resource [&#47;acme&#47;login] is not available</p><p><b>Description</b> The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class="line" /><h3>Apache Tomcat/9.0.83</h3></body></html>'
ipapython.admintool: DEBUG:   File "/usr/lib/python3.12/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
                   ^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/ipaserver/install/ipa_acme_manage.py", line 399, in run
    with state as ca_api:
  File "/usr/lib/python3.12/site-packages/ipaserver/install/ipa_acme_manage.py", line 103, in __enter__
    raise errors.RemoteRetrieveError(

ipapython.admintool: DEBUG: The ipa-acme-manage command failed, exception: RemoteRetrieveError: Failed to authenticate to CA REST API
ipapython.admintool: ERROR: Failed to authenticate to CA REST API
ipapython.admintool: ERROR: The ipa-acme-manage command failed.


I changed enabled=true back to enabled=false in engine.conf, since it did not change anything.

Comment 22 Han Boetes 2024-05-10 10:22:38 UTC
I just compared a backup of /etc/pki from before the upgrade, and the changes are massive. Lots of certificates, code, settings. No wonder stuff is broken.

Comment 23 Endi Sukma Dewata 2024-05-13 13:35:10 UTC
It looks like you ran this command locally:
root@gandalf ~ #  curl http://gandalf.example.com:8080/ca/admin/ca/getStatus

and this command remotely:
h.boetes@habocp3 ~ %  curl http://gandalf.example.com:8080/acme/directory

I think IPA has a firewall rule that blocks remote access to port 8080, so that's why the result is inconsistent.
Could you try the second command again locally?

Comment 24 Han Boetes 2024-05-13 14:57:53 UTC
Ah yes, good point:

root@gandalf ~ #  curl http://gandalf:8080/acme/directory
<!doctype html><html lang="en"><head><title>HTTP Status 404 – Not Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404 – Not Found</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> The requested resource [&#47;acme&#47;directory] is not available</p><p><b>Description</b> The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class="line" /><h3>Apache Tomcat/9.0.83</h3></body></html>#                                         


Since we will soon need to replace certificates, what is the best way to get the acme server working again?

Comment 25 Endi Sukma Dewata 2024-05-13 15:26:33 UTC
It's hard to say since this is not a situation I've seen before and I'm not super familiar with how PKI is configured in IPA, but considering this problem does not seem to be happening in IPA tests or other environments it looks like this is an environment-specific issue.

I'd suggest considering these options:
1. Create a new clone so hopefully it won't have the legacy stuff that might have caused the problem,
2. Set up a separate ACME responder pointing to the PKI service in IPA so you have full control over its configuration,
3. Use IPA or PKI directly to issue the certs, at least temporarily until the issue is resolved.

Comment 26 Thomas Höll 2024-05-14 06:55:34 UTC
I set up a replica and did an ipa-ca-install. The ACME endpoint on the replica works.

root@ipa-replica:~# ipa-acme-manage status 
ACME is enabled
The ipa-acme-manage command was successful


Is there a way to remove the CA from the master and reinstall it? Something like ipa-ca-install --uninstall? Or would it be the better solution to remove the old master entirely and reinstall it?

On a side note: ipa-replica-install seems to have issues with the reverse lookup of the master's IP when the CA is set up on the master. I needed to fiddle with /etc/hosts to get around this.

root@ipa-replica:~# ipa-replica-install
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

The host name ipa.nix.hoell.internal does not match the primary host name ipa-ca.2.10.10.in-addr.arpa. Please check /etc/hosts or DNS name resolution
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
root@ipa-replica:~# dig -x 10.10.2.11

; <<>> DiG 9.18.26 <<>> -x 10.10.2.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45032
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;11.2.10.10.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
11.2.10.10.in-addr.arpa. 7145	IN	PTR	ipa-ca.2.10.10.in-addr.arpa.
11.2.10.10.in-addr.arpa. 7145	IN	PTR	ipa.2.10.10.in-addr.arpa.

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Tue May 14 06:32:36 UTC 2024
;; MSG SIZE  rcvd: 91

Comment 27 Han Boetes 2024-05-15 10:12:35 UTC
(In reply to Endi Sukma Dewata from comment #25)

> I'd suggest to consider these options:
> 1. Create a new clone so hopefully it won't have the legacy stuff that might have caused the problem,

Hello Endi,

I managed to reinstall the main server, which was a painful operation to say the least, because everything depends on it, but it's working again, and the acme server is also up and running.

Now I have to reinstall the other 2 replicas as well. Luckily, I took notes:


ipa-server-install --uninstall
# Here I reinstalled the host completely.
ipa host-add gandalf.example.com --ip-address=10.10.8.8 --password=ilovefreeipa --force
ipa hostgroup-add-member --hostgroups=ipaservers --hosts=gandalf
unset TMP TMPDIR; ipa-replica-install --setup-dns --no-forwarder --setup-ca
ipa-acme-manage enable

Comment 28 Rob Crittenden 2024-05-15 13:48:13 UTC
(In reply to Thomas Höll from comment #26)
> 
> The host name ipa.nix.hoell.internal does not match the primary host name
> ipa-ca.2.10.10.in-addr.arpa. Please check /etc/hosts or DNS name resolution
> The ipa-replica-install command failed. See /var/log/ipareplica-install.log
> for more information
> root@ipa-replica:~# dig -x 10.10.2.11
> 
> ; <<>> DiG 9.18.26 <<>> -x 10.10.2.11
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45032
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 65494
> ;; QUESTION SECTION:
> ;11.2.10.10.in-addr.arpa.	IN	PTR
> 
> ;; ANSWER SECTION:
> 11.2.10.10.in-addr.arpa. 7145	IN	PTR	ipa-ca.2.10.10.in-addr.arpa.
> 11.2.10.10.in-addr.arpa. 7145	IN	PTR	ipa.2.10.10.in-addr.arpa.


This looks really strange (unless you've obfuscated), even beyond having a PTR record for ipa-ca. The domain name is the reverse zone?

You only need an A record for ipa-ca.DOMAIN.

Comment 29 Thomas Höll 2024-05-16 06:52:56 UTC
(In reply to Rob Crittenden from comment #28)
> (In reply to Thomas Höll from comment #26)
> > 
> > The host name ipa.nix.hoell.internal does not match the primary host name
> > ipa-ca.2.10.10.in-addr.arpa. Please check /etc/hosts or DNS name resolution
> > The ipa-replica-install command failed. See /var/log/ipareplica-install.log
> > for more information
> > root@ipa-replica:~# dig -x 10.10.2.11
> > 
> > ; <<>> DiG 9.18.26 <<>> -x 10.10.2.11
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45032
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
> > 
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 65494
> > ;; QUESTION SECTION:
> > ;11.2.10.10.in-addr.arpa.	IN	PTR
> > 
> > ;; ANSWER SECTION:
> > 11.2.10.10.in-addr.arpa. 7145	IN	PTR	ipa-ca.2.10.10.in-addr.arpa.
> > 11.2.10.10.in-addr.arpa. 7145	IN	PTR	ipa.2.10.10.in-addr.arpa.
> 
> 
> This looks really strange (unless you've obfuscated), even beyond having a
> PTR record for ipa-ca. The domain name is the reverse zone?
> 
> You only need an A record for ipa-ca.DOMAIN.

The PTR was created during the installation of the CA, I did not add that myself.
The machine was set up in 2016, I guess it's some legacy stuff that was just not removed at some time.

When I set up the replica, no PTR for ipa-ca was created. So I assume it's safe to delete the existing one?

I will now go ahead and reinstall the server, since I have a working replica now. One question though: I have a trust to an AD domain, what would be the best way to handle this?
The way I understood it, the old server is the trust agent and the replica can't take its role because it doesn't have a machine account in AD?
Should I just do an ipa-server-install --uninstall, reinstall the server and do an ipa-adtrust-install afterwards? Or should I remove the trust before removing the old IPA server?

Comment 30 Alexander Bokovoy 2024-05-16 07:17:03 UTC
For trust to AD, one needs to have at least one trust controller role server around. For resolving IDs, it is enough to have the rest as trust agents.

So make sure to do a trust controller (for example, on that new replica). You don't need to remove the trust itself as that is just information in LDAP and will be replicated back once a new (old) server is added to the topology.

You need to follow server removal instructions. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/installing_identity_management/uninstalling-an-ipa-server_installing-identity-management for details.

Comment 31 Thomas Höll 2024-05-16 11:27:03 UTC
I'm having trouble removing the old server, since I can't enable the KRA role on the replica. ipa-kra-install failed for some reason (unfortunately subsequent calls overwrite the log). Is there a way to disable KRA altogether? I'm not using it at all.

Comment 32 Rob Crittenden 2024-05-16 18:22:31 UTC
There should be a pki-kra-spawn log in /var/log/pki that may provide some clues on why the install failed, along with /var/log/ipaserver-kra-install.log.

There is no kra uninstaller. The only way to recover the failed install is to re-install the server.

If you abandon your KRA install and later decide you want one, getting it back may be difficult.

Comment 33 Thomas Höll 2024-05-17 06:49:00 UTC
(In reply to Rob Crittenden from comment #32)
> There should be a pki-kra-spawn log in /var/log/pki that may provide some
> clues on why the install failed, along with
> /var/log/ipaserver-kra-install.log.
> 
> There is no kra uninstaller. The only way to recover the failed install is
> to re-install the server.
> 
> If you abandon your KRA install and later decide you want one, getting it
> back may be difficult.

The pki-kra-spawn log doesn't show any errors, it just ends with

2024-05-14 07:19:01 INFO: Joining security domain at https://ipa-replica.nix.hoell.internal:443
2024-05-14 07:19:01 INFO: Domain manager: False
2024-05-14 07:19:01 DEBUG: Command: pki -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/password.conf -U https://ipa-replica.nix.hoell.internal:443 --ignore-banner securitydomain-join --install-token /tmp/tmpvf1sqb7t/install-token --type KRA --hostname ipa-replica.nix.hoell.internal --secure-port 443 --unsecure-port 80 --clone --debug KRA ipa-replica.nix.hoell.internal 8443
2024-05-14 07:19:03 INFO: Adding KRA connector in CA
2024-05-14 07:19:03 DEBUG: PKISubsystem.get_subsystem_cert(subsystem)
2024-05-14 07:19:03 INFO: Getting subsystem cert info from CS.cfg
2024-05-14 07:19:03 DEBUG: PKISubsystem.get_nssdb_cert_info(subsystem)
2024-05-14 07:19:03 INFO: Getting subsystem cert info from NSS database
2024-05-14 07:19:03 DEBUG: NSSDatabase.get_cert_info(subsystemCert cert-pki-ca) begins
2024-05-14 07:19:03 DEBUG: NSSDatabase.get_cert(subsystemCert cert-pki-ca) begins
2024-05-14 07:19:03 DEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -f /tmp/tmp3idlw46q/password.txt -n subsystemCert cert-pki-ca -a
2024-05-14 07:19:03 DEBUG: stdout: -1
2024-05-14 07:19:03 DEBUG: certutil returned cert data
2024-05-14 07:19:03 DEBUG: NSSDatabase.get_cert(subsystemCert cert-pki-ca) ends
2024-05-14 07:19:03 DEBUG: NSSDatabase.get_cert(subsystemCert cert-pki-ca) begins
2024-05-14 07:19:03 DEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -f /tmp/tmphjqnb_lb/password.txt -n subsystemCert cert-pki-ca -r
2024-05-14 07:19:03 DEBUG: stdout: -1
2024-05-14 07:19:03 DEBUG: certutil returned cert data
2024-05-14 07:19:03 DEBUG: NSSDatabase.get_cert(subsystemCert cert-pki-ca) ends
2024-05-14 07:19:03 DEBUG: NSSDatabase.get_trust(subsystemCert cert-pki-ca)
2024-05-14 07:19:03 DEBUG: fullname: subsystemCert cert-pki-ca
2024-05-14 07:19:03 DEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -f /tmp/tmplhajmvc6/password.txt
2024-05-14 07:19:03 DEBUG: stdout: -1
2024-05-14 07:19:03 DEBUG: NSSDatabase.get_cert_info(subsystemCert cert-pki-ca) ends
2024-05-14 07:19:03 DEBUG: PKISubsystem.get_subsystem_cert(transport)
2024-05-14 07:19:03 INFO: Getting transport cert info from CS.cfg
2024-05-14 07:19:03 DEBUG: PKISubsystem.get_nssdb_cert_info(transport)
2024-05-14 07:19:03 INFO: Getting transport cert info from NSS database
2024-05-14 07:19:03 DEBUG: NSSDatabase.get_cert_info(transportCert cert-pki-kra) begins
2024-05-14 07:19:03 DEBUG: NSSDatabase.get_cert(transportCert cert-pki-kra) begins
2024-05-14 07:19:03 DEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -f /tmp/tmpj0iglxhy/password.txt -n transportCert cert-pki-kra -a
2024-05-14 07:19:03 DEBUG: stdout: -1
2024-05-14 07:19:03 DEBUG: certutil returned cert data
2024-05-14 07:19:03 DEBUG: NSSDatabase.get_cert(transportCert cert-pki-kra) ends
2024-05-14 07:19:03 DEBUG: NSSDatabase.get_cert(transportCert cert-pki-kra) begins
2024-05-14 07:19:03 DEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -f /tmp/tmp2pzwg890/password.txt -n transportCert cert-pki-kra -r
2024-05-14 07:19:03 DEBUG: stdout: -1
2024-05-14 07:19:03 DEBUG: certutil returned cert data
2024-05-14 07:19:03 DEBUG: NSSDatabase.get_cert(transportCert cert-pki-kra) ends
2024-05-14 07:19:03 DEBUG: NSSDatabase.get_trust(transportCert cert-pki-kra)
2024-05-14 07:19:03 DEBUG: fullname: transportCert cert-pki-kra
2024-05-14 07:19:03 DEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -f /tmp/tmpfq6yrmdb/password.txt
2024-05-14 07:19:03 DEBUG: stdout: -1
2024-05-14 07:19:03 DEBUG: NSSDatabase.get_cert_info(transportCert cert-pki-kra) ends
2024-05-14 07:19:03 DEBUG: Command: pki -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/password.conf -U https://ipa-replica.nix.hoell.internal:443 --ignore-banner ca-kraconnector-add --url https://ipa-replica.nix.hoell.internal:8443/kra/agent/kra/connector --subsystem-cert /tmp/tmpiufobvwy/subsystem.crt --transport-cert /tmp/tmpiufobvwy/transport.crt --transport-nickname transportCert cert-pki-kra --install-token /tmp/tmpiufobvwy/install-token --debug


ipaserver-kra-install.log just complains that "KRA is already installed". 
It's just that the role wasn't enabled on the replica. Is there a way to do that besides running ipa-kra-install?

root@ipa-replica:~# ipa server-role-find --role 'KRA server'
----------------------
2 server roles matched
----------------------
  Server name: ipa-replica.nix.hoell.internal
  Role name: KRA server
  Role status: absent

  Server name: ipa.nix.hoell.internal
  Role name: KRA server
  Role status: enabled
----------------------------
Number of entries returned 2

Comment 34 Rob Crittenden 2024-05-17 14:21:39 UTC
Right, so the original KRA error was lost due to log overwriting. It's a design choice of potential loss of logs, as in this case, or ever-expanding file size if the tool is rerun multiple times.

The pki logging doesn't always capture stderr. The IPA logging does. So generally one needs to combine the two to see what happened at failure.

The KRA (and CA) installer queries PKI to see if a service is installed: pki-server subsystem-show kra

That is returning Enabled, hence the installer quits. But it didn't finish, which is why it doesn't show as a role.
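The mismatch described in comments 33 and 34, as an added helper that is not FreeIPA or Dogtag code: it parses the `ipa server-role-find` output in the layout quoted above together with `pki-server subsystem-show kra` output and flags a host where Dogtag reports an enabled KRA subsystem but IPA has no enabled role. The key names printed by `pki-server subsystem-show` are an assumption here; only the `Enabled` line is relied on, and both samples are constructed.

```python
"""Cross-check a half-installed KRA (comments 33 and 34).

Added helper, not FreeIPA or Dogtag code. ipa-kra-install asks Dogtag whether
the KRA subsystem already exists (pki-server subsystem-show kra) and quits if
it is enabled, while IPA's role view (ipa server-role-find --role 'KRA server')
only reports the role once the install completed. Comparing the two flags a
subsystem that is enabled in Dogtag but absent as an IPA role.
"""
import subprocess

# Constructed sample in the layout quoted in comment 33.
SAMPLE_ROLE_FIND = """\
----------------------
2 server roles matched
----------------------
  Server name: ipa-replica.nix.hoell.internal
  Role name: KRA server
  Role status: absent

  Server name: ipa.nix.hoell.internal
  Role name: KRA server
  Role status: enabled
----------------------------
Number of entries returned 2
"""

# Constructed sample; the exact key names printed by pki-server subsystem-show
# are an assumption, only "Enabled" is relied on below.
SAMPLE_SUBSYSTEM_SHOW = """\
  Subsystem ID: kra
  Instance ID: pki-tomcat
  Enabled: True
"""


def parse_server_roles(text):
    """Map each 'Server name' block of ipa server-role-find output to its 'Role status'."""
    roles, host = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Server name:"):
            host = line.split(":", 1)[1].strip()
        elif line.startswith("Role status:") and host is not None:
            roles[host] = line.split(":", 1)[1].strip()
            host = None
    return roles


def parse_key_values(text):
    """Turn 'Key: value' lines (pki-server subsystem-show style) into a dict."""
    info = {}
    for raw in text.splitlines():
        if ":" in raw:
            key, value = raw.split(":", 1)
            info[key.strip()] = value.strip()
    return info


def kra_verdict(host, roles, subsystem):
    """Compare Dogtag's view of the KRA on `host` with IPA's role status."""
    dogtag_enabled = subsystem.get("Enabled", "").lower() == "true"
    ipa_status = roles.get(host, "unknown")
    if dogtag_enabled and ipa_status == "enabled":
        return "consistent"
    if dogtag_enabled:
        # The state from comment 34: the installer sees an enabled subsystem
        # and stops, but the IPA role was never recorded.
        return f"half-installed: Dogtag KRA enabled, IPA role {ipa_status}"
    if ipa_status == "enabled":
        return "inconsistent: IPA role enabled, Dogtag KRA not enabled"
    return "no KRA on this host"


def check_live(host):
    """Run both commands on an IPA server and return the verdict (needs an admin ticket)."""
    role_out = subprocess.run(
        ["ipa", "server-role-find", "--role", "KRA server"],
        capture_output=True, text=True, check=True,
    ).stdout
    sub_out = subprocess.run(
        ["pki-server", "subsystem-show", "kra"],
        capture_output=True, text=True, check=False,  # non-zero when no KRA exists
    ).stdout
    return kra_verdict(host, parse_server_roles(role_out), parse_key_values(sub_out))
```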

Comment 35 Thomas Höll 2024-05-21 12:35:08 UTC
I installed another replica just for KRA. (ipa-replica-install, ipa-ca-install, ipa-kra-install)

ipa-kra-install failed again with the following error:

INFO: Joining security domain at https://ipa-kra-replica.nix.hoell.internal:443
INFO: Domain manager: False
DEBUG: Command: pki -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/password.conf -U https://ipa-kra-replica.nix.hoell.internal:443 --ignore-banner securitydomain-join --install-token /tmp/tmpe1835kb7/install-token --type KRA --hostname ipa-kra-replica.nix.hoell.internal --secure-port 443 --unsecure-port 80 --clone --debug KRA ipa-kra-replica.nix.hoell.internal 8443
INFO: Connecting to https://ipa-kra-replica.nix.hoell.internal:443
INFO: HTTP request: GET /pki/v2/info HTTP/1.1
FINE: - Authorization: ********
FINE: - Host: ipa-kra-replica.nix.hoell.internal:443
FINE: - Connection: Keep-Alive
FINE: - User-Agent: Apache-HttpClient/4.5.14 (Java/21.0.3)
FINE: Request:

INFO: Server certificate: CN=ipa-kra-replica.nix.hoell.internal,O=NIX.HOELL.INTERNAL
INFO: HTTP response: HTTP/1.1 404 Not Found
FINE: - Date: Tue, 21 May 2024 12:29:54 GMT
FINE: - Server: Apache/2.4.59 (Fedora Linux) OpenSSL/3.2.1 mod_wsgi/5.0.0 Python/3.12 mod_auth_gssapi/1.6.5
FINE: - Content-Length: 196
FINE: - Keep-Alive: timeout=30, max=100
FINE: - Connection: Keep-Alive
FINE: - Content-Type: text/html; charset=iso-8859-1
FINE: Response:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
</body></html>

WARNING: Unable to get server info: Not Found
INFO: HTTP request: POST /ca/admin/ca/updateDomainXML HTTP/1.1
FINE: - Authorization: ********
FINE: - Content-Type: application/x-www-form-urlencoded
FINE: - Content-Length: 234
FINE: - Host: ipa-kra-replica.nix.hoell.internal:443
FINE: - Connection: Keep-Alive
FINE: - User-Agent: Apache-HttpClient/4.5.14 (Java/21.0.3)
FINE: Request:
agentsport=443&eeclientauthsport=443&httpport=80&name=KRA+ipa-kra-replica.nix.hoell.internal+8443&host=ipa-kra-replica.nix.hoell.internal&clone=true&dm=false&sessionID=3557407630066403442&list=KRAList&type=KRA&sport=443&adminsport=443
INFO: HTTP response: HTTP/1.1 200 200
FINE: - Date: Tue, 21 May 2024 12:29:55 GMT
FINE: - Server: Apache/2.4.59 (Fedora Linux) OpenSSL/3.2.1 mod_wsgi/5.0.0 Python/3.12 mod_auth_gssapi/1.6.5
FINE: - Content-Type: application/xml
FINE: - Keep-Alive: timeout=30, max=99
FINE: - Connection: Keep-Alive
FINE: - Transfer-Encoding: chunked
FINE: Response:
<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>0</Status></XMLResponse>
INFO: PKIClient: String has no custom mapping for application/xml
INFO: Status: 0
INFO: Adding KRA connector in CA
DEBUG: PKISubsystem.get_subsystem_cert(subsystem)
INFO: Getting subsystem cert info from CS.cfg
DEBUG: PKISubsystem.get_nssdb_cert_info(subsystem)
INFO: Getting subsystem cert info from NSS database
DEBUG: NSSDatabase.get_cert_info(subsystemCert cert-pki-ca) begins
DEBUG: NSSDatabase.get_cert(subsystemCert cert-pki-ca) begins
DEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -f /tmp/tmpt5oogs25/password.txt -n subsystemCert cert-pki-ca -a
DEBUG: stdout: -1
DEBUG: certutil returned cert data
DEBUG: NSSDatabase.get_cert(subsystemCert cert-pki-ca) ends
DEBUG: NSSDatabase.get_cert(subsystemCert cert-pki-ca) begins
DEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -f /tmp/tmp3d9y7yes/password.txt -n subsystemCert cert-pki-ca -r
DEBUG: stdout: -1
DEBUG: certutil returned cert data
DEBUG: NSSDatabase.get_cert(subsystemCert cert-pki-ca) ends
DEBUG: NSSDatabase.get_trust(subsystemCert cert-pki-ca)
DEBUG: fullname: subsystemCert cert-pki-ca
DEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -f /tmp/tmp5qz2k_p3/password.txt
DEBUG: stdout: -1
DEBUG: NSSDatabase.get_cert_info(subsystemCert cert-pki-ca) ends
DEBUG: PKISubsystem.get_subsystem_cert(transport)
INFO: Getting transport cert info from CS.cfg
DEBUG: PKISubsystem.get_nssdb_cert_info(transport)
INFO: Getting transport cert info from NSS database
DEBUG: NSSDatabase.get_cert_info(transportCert cert-pki-kra) begins
DEBUG: NSSDatabase.get_cert(transportCert cert-pki-kra) begins
DEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -f /tmp/tmp2r4216h3/password.txt -n transportCert cert-pki-kra -a
DEBUG: stdout: -1
DEBUG: certutil returned cert data
DEBUG: NSSDatabase.get_cert(transportCert cert-pki-kra) ends
DEBUG: NSSDatabase.get_cert(transportCert cert-pki-kra) begins
DEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -f /tmp/tmp4hkqbv56/password.txt -n transportCert cert-pki-kra -r
DEBUG: stdout: -1
DEBUG: certutil returned cert data
DEBUG: NSSDatabase.get_cert(transportCert cert-pki-kra) ends
DEBUG: NSSDatabase.get_trust(transportCert cert-pki-kra)
DEBUG: fullname: transportCert cert-pki-kra
DEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -f /tmp/tmp6l5033u5/password.txt
DEBUG: stdout: -1
DEBUG: NSSDatabase.get_cert_info(transportCert cert-pki-kra) ends
DEBUG: Command: pki -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/password.conf -U https://ipa-kra-replica.nix.hoell.internal:443 --ignore-banner ca-kraconnector-add --url https://ipa-kra-replica.nix.hoell.internal:8443/kra/agent/kra/connector --subsystem-cert /tmp/tmp48_4r0h3/subsystem.crt --transport-cert /tmp/tmp48_4r0h3/transport.crt --transport-nickname transportCert cert-pki-kra --install-token /tmp/tmp48_4r0h3/install-token --debug
INFO: Connecting to https://ipa-kra-replica.nix.hoell.internal:443
INFO: HTTP request: GET /pki/v2/info HTTP/1.1
FINE: - Authorization: ********
FINE: - Host: ipa-kra-replica.nix.hoell.internal:443
FINE: - Connection: Keep-Alive
FINE: - User-Agent: Apache-HttpClient/4.5.14 (Java/21.0.3)
FINE: Request:

INFO: Server certificate: CN=ipa-kra-replica.nix.hoell.internal,O=NIX.HOELL.INTERNAL
INFO: HTTP response: HTTP/1.1 404 Not Found
FINE: - Date: Tue, 21 May 2024 12:29:57 GMT
FINE: - Server: Apache/2.4.59 (Fedora Linux) OpenSSL/3.2.1 mod_wsgi/5.0.0 Python/3.12 mod_auth_gssapi/1.6.5
FINE: - Content-Length: 196
FINE: - Keep-Alive: timeout=30, max=100
FINE: - Connection: Keep-Alive
FINE: - Content-Type: text/html; charset=iso-8859-1
FINE: Response:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
</body></html>

WARNING: Unable to get server info: Not Found
INFO: HTTP request: POST /ca/admin/ca/updateConnector HTTP/1.1
FINE: - Authorization: ********
FINE: - Content-Type: application/x-www-form-urlencoded
FINE: - Content-Length: 3257
FINE: - Host: ipa-kra-replica.nix.hoell.internal:443
FINE: - Connection: Keep-Alive
FINE: - User-Agent: Apache-HttpClient/4.5.14 (Java/21.0.3)
FINE: Request:
INFO: HTTP response: HTTP/1.1 200 200
FINE: - Date: Tue, 21 May 2024 12:29:57 GMT
FINE: - Server: Apache/2.4.59 (Fedora Linux) OpenSSL/3.2.1 mod_wsgi/5.0.0 Python/3.12 mod_auth_gssapi/1.6.5
FINE: - Content-Type: application/json
FINE: - Vary: Accept-Encoding
FINE: - Keep-Alive: timeout=30, max=99
FINE: - Connection: Keep-Alive
FINE: - Transfer-Encoding: chunked
FINE: Response:
{
  "Response" : {
    "Status" : "1",
    "Error" : "Unable to add KRA connector for https://ipa-kra-replica.nix.hoell.internal:8443: KRA connector already exists"
  }
}
FINE: CAClient: Response: {
  "Response" : {
    "Status" : "1",
    "Error" : "Unable to add KRA connector for https://ipa-kra-replica.nix.hoell.internal:8443: KRA connector already exists"
  }
}
FINE: CAClient: status: 1
java.lang.NullPointerException: Cannot invoke "com.fasterxml.jackson.databind.JsonNode.asText()" because the return value of "com.fasterxml.jackson.databind.JsonNode.get(String)" is null
	at com.netscape.certsrv.ca.CAClient.addKRAConnector(CAClient.java:129)
	at com.netscape.cmstools.system.KRAConnectorAddCLI.execute(KRAConnectorAddCLI.java:220)
	at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
	at org.dogtagpki.cli.CLI.execute(CLI.java:353)
	at org.dogtagpki.cli.CLI.execute(CLI.java:353)
	at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:79)
	at org.dogtagpki.cli.CLI.execute(CLI.java:353)
	at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:659)
	at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:698)
ERROR: CalledProcessError: Command '['pki', '-d', '/etc/pki/pki-tomcat/alias', '-f', '/etc/pki/pki-tomcat/password.conf', '-U', 'https://ipa-kra-replica.nix.hoell.internal:443', '--ignore-banner', 'ca-kraconnector-add', '--url', 'https://ipa-kra-replica.nix.hoell.internal:8443/kra/agent/kra/connector', '--subsystem-cert', '/tmp/tmp48_4r0h3/subsystem.crt', '--transport-cert', '/tmp/tmp48_4r0h3/transport.crt', '--transport-nickname', 'transportCert cert-pki-kra', '--install-token', '/tmp/tmp48_4r0h3/install-token', '--debug']' returned non-zero exit status 255.
  File "/usr/lib/python3.12/site-packages/pki/server/pkispawn.py", line 568, in main
    deployer.spawn()
  File "/usr/lib/python3.12/site-packages/pki/server/deployment/__init__.py", line 4985, in spawn
    scriptlet.spawn(self)
  File "/usr/lib/python3.12/site-packages/pki/server/deployment/scriptlets/configuration.py", line 197, in spawn
    deployer.finalize_subsystem(subsystem)
  File "/usr/lib/python3.12/site-packages/pki/server/deployment/__init__.py", line 4772, in finalize_subsystem
    self.finalize_kra(subsystem)
  File "/usr/lib/python3.12/site-packages/pki/server/deployment/__init__.py", line 4654, in finalize_kra
    self.add_kra_connector(subsystem, ca_url)
  File "/usr/lib/python3.12/site-packages/pki/server/deployment/__init__.py", line 4207, in add_kra_connector
    subprocess.check_call(cmd)
  File "/usr/lib64/python3.12/subprocess.py", line 413, in check_call
    raise CalledProcessError(retcode, cmd)


2024-05-21T12:29:57Z CRITICAL Failed to configure KRA instance
2024-05-21T12:29:57Z CRITICAL See the installation logs and the following files/directories for more information:
2024-05-21T12:29:57Z CRITICAL   /var/log/pki/pki-tomcat
2024-05-21T12:29:57Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.12/site-packages/ipaserver/install/service.py", line 686, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.12/site-packages/ipaserver/install/service.py", line 672, in run_step
    method()
  File "/usr/lib/python3.12/site-packages/ipaserver/install/krainstance.py", line 223, in __spawn_instance
    DogtagInstance.spawn_instance(
  File "/usr/lib/python3.12/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python3.12/site-packages/ipaserver/install/dogtaginstance.py", line 604, in handle_setup_error
    raise RuntimeError(
RuntimeError: KRA configuration failed.

2024-05-21T12:29:57Z DEBUG   [error] RuntimeError: KRA configuration failed.
2024-05-21T12:29:57Z DEBUG Removing /var/lib/ipa/tmp-im95986e
2024-05-21T12:29:57Z DEBUG Removing /root/.dogtag/pki-tomcat/kra
2024-05-21T12:29:57Z ERROR 
Your system may be partly configured.
If you run into issues, you may have to re-install IPA on this server.

2024-05-21T12:29:57Z DEBUG   File "/usr/lib/python3.12/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
                   ^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/ipaserver/install/ipa_kra_install.py", line 218, in run
    kra.install(api, config, self.options, custodia=custodia)
  File "/usr/lib/python3.12/site-packages/ipaserver/install/kra.py", line 100, in install
    kra.configure_instance(
  File "/usr/lib/python3.12/site-packages/ipaserver/install/krainstance.py", line 139, in configure_instance
    self.start_creation(runtime=120)
  File "/usr/lib/python3.12/site-packages/ipaserver/install/service.py", line 686, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.12/site-packages/ipaserver/install/service.py", line 672, in run_step
    method()
  File "/usr/lib/python3.12/site-packages/ipaserver/install/krainstance.py", line 223, in __spawn_instance
    DogtagInstance.spawn_instance(
  File "/usr/lib/python3.12/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python3.12/site-packages/ipaserver/install/dogtaginstance.py", line 604, in handle_setup_error
    raise RuntimeError(

2024-05-21T12:29:57Z DEBUG The ipa-kra-install command failed, exception: RuntimeError: KRA configuration failed.
2024-05-21T12:29:57Z ERROR KRA configuration failed.
2024-05-21T12:29:57Z ERROR The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information

Comment 36 Tom S 2024-08-18 22:56:39 UTC
RE: original issue

I had a similar problem in platform upgrades across three nodes, one of which resulted in going from idm-pki-acme-10.15.0 to idm-pki-acme-11.5.0.

On further review it appeared as though tomcat was unable to find the servlet to handle the requests for /acme/directory, /acme/login, etc.  Replacing the web.xml from 11.5 with the extracted content of 10.15 resulted in a successful response from ipa-acme-manage, after issuing a "pki-server restart" on all three hosts:

[root@ipa01 ~]# ipa-acme-manage status
ACME is enabled
The ipa-acme-manage command was successful

Other requests were successful, including using certbot to process a certificate request.

Comment 37 Rob Crittenden 2024-08-20 15:54:16 UTC
Any chance you can provide the diffs between the two versions? Maybe we can identify the issue.

I don't believe this is entirely due to upgrading to PKI 11.5.0 in itself but it does seem to be an upgrade problem.

Comment 38 Tom S 2024-08-27 04:04:09 UTC
There appears to be only one commit involving web.xml between 10.15.0 and 11.5.0:

https://github.com/dogtagpki/pki/commit/994d932100c7d335752fe817a7d8757f62439b08#diff-15b53be58a1bff7d6dfacc00c65155158307e32920f69334fe9e2a9a12af7806

This matches the difference between the two files (just reverse the patch direction).

Comment 39 Rob Crittenden 2024-08-27 19:45:49 UTC
Thank you, this is very helpful and an unexpected but welcome surprise that you did the analysis yourself.

@edewata this is the upgrade case we discussed last week.

IPA has always used /acme/ as the URL base for making requests. It has worked for new deployments since 2020. This only appears to affect older deployments that at some point enabled ACME and then upgraded to PKI 11.x.

Comment 40 Endi Sukma Dewata 2024-09-23 17:40:19 UTC
It looks like the new replica is trying to access /pki/v2/info which only exists in PKI 11.5:

INFO: Connecting to https://ipa-kra-replica.nix.hoell.internal:443
INFO: HTTP request: GET /pki/v2/info HTTP/1.1

Is it possible to upgrade the security domain at ipa-kra-replica.nix.hoell.internal:443 to PKI 11.5 first before installing a new replica? In general we want the security domain to have the latest code so it can support both old and new instances, but eventually the old instances will need to be upgraded or decommissioned.

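The two failure modes discussed in this thread (comment 36: /acme/* returning 404 because the servlet is not mapped after the upgrade; comment 40: a new replica calling /pki/v2/info, which only exists in PKI 11.5, against an older security domain) can both be caught before running ipa-acme-manage or ipa-kra-install with a small pre-flight probe. The script below is an added example and is not FreeIPA or Dogtag code. It assumes: hostnames of the form ipa01.example.test are placeholders; both endpoints are reachable directly on the Tomcat port 8443 (the logs above show /pki/v2/info reached through httpd on 443, so adjust the port to match your topology); the IPA CA chain is at /etc/ipa/ca.crt; and, as an inference the bug does not spell out, a 404 on /pki/v2/info means the host runs a PKI release older than 11.5.

```python
"""Pre-flight probe for an IPA/Dogtag topology before enabling ACME or adding a replica.

Added example, not FreeIPA or Dogtag code. Assumptions not stated in the bug:
- a 404 on /pki/v2/info is treated as "PKI older than 11.5" (the bug only says
  the endpoint exists in 11.5);
- endpoints are probed on the Tomcat port 8443 with the IPA CA chain as trust
  anchor; change PORT / CA_FILE for a deployment that fronts PKI with httpd.
"""
import ssl
import urllib.error
import urllib.request

ACME_DIRECTORY = "/acme/directory"   # must answer 200 for ipa-acme-manage / certbot
PKI_INFO_V2 = "/pki/v2/info"         # only present in PKI 11.5 (comment 40)
PORT = 8443
CA_FILE = "/etc/ipa/ca.crt"          # assumed IPA CA chain location


def http_status(host, path, port=PORT, cafile=CA_FILE, timeout=10):
    """GET https://host:port/path and return the HTTP status code.

    4xx/5xx are returned as numbers rather than raised so the caller can
    distinguish "servlet missing" (404) from "host unreachable" (exception).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    url = "https://%s:%d%s" % (host, port, path)
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def assess(results):
    """Turn {host: {path: status}} into a list of human-readable findings.

    An empty list means every host answers ACME and no version skew was seen.
    """
    findings = []
    for host in sorted(results):
        statuses = results[host]
        acme = statuses.get(ACME_DIRECTORY)
        if acme == 404:
            findings.append(
                "%s: %s -> 404, ACME servlet is not mapped; compare the deployed "
                "acme web.xml with the packaged one" % (host, ACME_DIRECTORY))
        elif acme != 200:
            findings.append("%s: %s -> %r, ACME is not serving" % (host, ACME_DIRECTORY, acme))
        if statuses.get(PKI_INFO_V2) == 404:
            findings.append("%s: %s -> 404, assumed PKI older than 11.5" % (host, PKI_INFO_V2))

    old = sorted(h for h, s in results.items() if s.get(PKI_INFO_V2) == 404)
    new = sorted(h for h, s in results.items() if s.get(PKI_INFO_V2) == 200)
    if old and new:
        findings.append(
            "mixed PKI versions in the security domain: upgrade %s to 11.5 before "
            "installing a new replica (it will call %s)" % (", ".join(old), PKI_INFO_V2))
    return findings


def probe(hosts):
    """Probe every host for both endpoints and return the results map."""
    return {h: {p: http_status(h, p) for p in (ACME_DIRECTORY, PKI_INFO_V2)} for h in hosts}


if __name__ == "__main__":
    import sys
    # Usage: python3 preflight.py ipa01.example.test ipa02.example.test ...
    for line in assess(probe(sys.argv[1:])) or ["no findings"]:
        print(line)
```

Run it once per CA-bearing host before ipa-acme-manage enable or ipa-kra-install; a host listed with "ACME servlet is not mapped" is the web.xml case from comment 36, and the "mixed PKI versions" line is the ordering problem from comment 40.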
Comment 41 Aoife Moloney 2025-04-25 10:30:37 UTC
This message is a reminder that Fedora Linux 40 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 40 on 2025-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '40'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version. Note that the version field may be hidden.
Click the "Show advanced fields" button if you do not see it.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 40 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.

Comment 42 Rob Crittenden 2025-04-25 12:11:40 UTC
I have the feeling the root cause is related to https://bugzilla.redhat.com/show_bug.cgi?id=2350322

Comment 43 Aoife Moloney 2025-05-16 08:09:46 UTC
Fedora Linux 40 entered end-of-life (EOL) status on 2025-05-13.

Fedora Linux 40 is no longer maintained, which means that it
will not receive any further security or bug fix updates. As a result we
are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora Linux
please feel free to reopen this bug against that version. Note that the version
field may be hidden. Click the "Show advanced fields" button if you do not see
the version field.

If you are unable to reopen this bug, please file a new report against an
active release.

Thank you for reporting this bug and we are sorry it could not be fixed.

