Omar Pagan via FreeIPA-users wrote:
Hello,
I came back from vacation and noticed that the pki-tomcatd was not running. All other services are running fine: I can kinit admin and search for users, and I can also log into the UI and see everything. When I try to start the service I see the following errors:

Mar 11 20:44:44 ldap01.app.uaap.maxar.com ipa-pki-wait-running[7903]: ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error: for url: http://ldap01.app.uaap.maxar.com:8080/ca/admin/ca/getStat%3E
Mar 11 20:44:44 ldap01.app.uaap.maxar.com systemd[1]: pki-tomcatd@pki-tomcat.service: Start-post operation timed out. Stopping.
I have checked all the certs and everything is in order:

$ getcert list | grep expire
    expires: 2025-01-22 14:07:35 UTC
    expires: 2025-01-22 14:06:46 UTC
    expires: 2025-01-22 14:06:45 UTC
    expires: 2025-01-22 14:06:45 UTC
    expires: 2043-02-02 14:06:44 UTC
    expires: 2025-01-22 14:06:45 UTC
    expires: 2025-02-02 14:08:10 UTC
I have also checked this:

$ klist -ekt /etc/dirsrv/ds.keytab
Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp           Principal
   2 02/02/2023 14:06:06 ldap/ldap01.app.uaap.maxar.com@APP.UAAP.MAXAR.COM (aes256-cts-hmac-sha1-96)
   2 02/02/2023 14:06:06 ldap/ldap01.app.uaap.maxar.com@APP.UAAP.MAXAR.COM (aes128-cts-hmac-sha1-96)
   2 02/02/2023 14:06:06 ldap/ldap01.app.uaap.maxar.com@APP.UAAP.MAXAR.COM (aes128-cts-hmac-sha256-128)
   2 02/02/2023 14:06:06 ldap/ldap01.app.uaap.maxar.com@APP.UAAP.MAXAR.COM (aes256-cts-hmac-sha384-192)
   2 02/02/2023 14:06:06 ldap/ldap01.app.uaap.maxar.com@APP.UAAP.MAXAR.COM (camellia128-cts-cmac)
   2 02/02/2023 14:06:06 ldap/ldap01.app.uaap.maxar.com@APP.UAAP.MAXAR.COM (camellia256-cts-cmac)
Not sure if that's correct or not. Please help, I don't see why pki-tomcatd would just die on me for no reason. I haven't run any updates/upgrades on the system, and it was working fine before I left. Thanks
The keytab is unrelated.
I'd start with: ipactl status
Confirm that it isn't running. Then try ipactl start and it will try to restart it. Maybe it was reaped by the OOM killer. The journal should tell you.
If it starts then ipa cert-find --sizelimit 10 is a pretty lightweight way to confirm that it is reachable and at least sort of working.
Otherwise PKI runs as a webapp so a 404 means it wasn't loaded by tomcat. I'd suggest checking the logs in /var/log/pki. There may be something in catalina or in ca/debug-<date>. The latter most likely. Be wary that there be dragons. PKI often charges on after hitting an error so the last one is often a red herring.
rob
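A small triage helper along the lines Rob describes, added here as an example and not part of the thread or of FreeIPA/Dogtag: it scans journal lines for an OOM-killer victim named java (the tomcat process) and walks a ca/debug log to report the first error-level entry rather than the last, since later errors are often knock-on effects. The journal and debug-log line formats, the function names and the sample lines are all assumptions constructed for this example.

```python
import re

# Assumed kernel OOM-killer journal line: "... Out of memory: Killed process <pid> (<comm>) ..."
OOM_RE = re.compile(r"Out of memory: Killed process (\d+) \((\S+)\)")

# Assumed pki ca/debug-<date> line shape: "YYYY-MM-DD HH:MM:SS [thread] LEVEL: message"
DEBUG_RE = re.compile(r"^\S+ \S+ \[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+): (?P<msg>.*)$")
ERROR_LEVELS = {"SEVERE", "ERROR", "FATAL"}

# Constructed sample input (not real output from the poster's system).
SAMPLE_JOURNAL = [
    "Mar 11 20:40:02 ldap01.example.test kernel: Out of memory: Killed process 7801 (java) total-vm:4194304kB",
    "Mar 11 20:44:44 ldap01.example.test systemd[1]: pki-tomcatd@pki-tomcat.service: Start-post operation timed out. Stopping.",
]
SAMPLE_DEBUG = [
    "2023-03-11 20:43:10 [main] INFO: CMSEngine: starting subsystem ca",
    "2023-03-11 20:43:11 [main] SEVERE: LdapBoundConnFactory: unable to connect to LDAP server",
    "2023-03-11 20:43:12 [main] INFO: CMSEngine: continuing startup",
    "2023-03-11 20:43:13 [main] SEVERE: CertificateRepository: initialization failed",
]


def find_oom_kills(journal_lines, comm="java"):
    """Return (pid, comm) for each OOM-killer victim whose command name matches `comm`."""
    hits = []
    for line in journal_lines:
        m = OOM_RE.search(line)
        if m and m.group(2) == comm:
            hits.append((int(m.group(1)), m.group(2)))
    return hits


def find_errors(debug_lines):
    """Return (line_no, level, message) for every error-level entry, in file order."""
    found = []
    for no, line in enumerate(debug_lines, 1):
        m = DEBUG_RE.match(line)
        if m and m.group("level") in ERROR_LEVELS:
            found.append((no, m.group("level"), m.group("msg")))
    return found


def first_error(debug_lines):
    """The first error is the one to read; PKI keeps going after it, so the last is often a red herring."""
    errors = find_errors(debug_lines)
    return errors[0] if errors else None


if __name__ == "__main__":
    print("OOM kills of java:", find_oom_kills(SAMPLE_JOURNAL))
    print("first error:", first_error(SAMPLE_DEBUG))
    print("all errors:", find_errors(SAMPLE_DEBUG))
```

On a real host the inputs would come from `journalctl -k` and the newest /var/log/pki/pki-tomcat/ca/debug-<date> file, read line by line.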