Hi everyone,
I completed a new installation of FreeIPA. The web interface doesn't work when I try to access it. I tried enabling and starting tomcat, and rebooting the machine. This has no effect.
The install works fine, with no indication of an error. The kinit command works fine. When going to the URL, I get a secure connection failed error and the tomcat service is down.
I should get to the web interface screen to login with new credentials for the admin account.
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.6.5-11.el7.centos.3.x86_64
ipa-client-4.6.5-11.el7.centos.3.x86_64
package 289-ds-base is not installed
pki-ca-10.5.16-5.el7_7.noarch
krb5-server-1.15.1-37.el7_7.2.x86_64
Any additional information, configuration, data or log snippets that are needed for reproduction or investigation of the issue.
Log file locations: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/config-files-logs.html
Troubleshooting guide: https://www.freeipa.org/page/Troubleshooting
More data about the issue:
Installation Results
[xadministrator@idm Server]$ sudo bash ozadmin_FreeIPAServerInstall.sh
[sudo] password for xadministrator:
Checking DNS domain cs.xxxx, please wait ...

This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)
  * Configure the KDC to enable PKINIT

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd

Warning: skipping DNS resolution of host idm.cs.xxxx
Checking DNS domain cs.xxxx., please wait ...

The IPA Master Server will be configured with:
Hostname:       idm.cs.xxxx
IP address(es): 10.0.0.200
Domain name:    cs.xxxx
Realm name:     CS.XXXX

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       No forwarders
Forward policy:   only
Reverse zone(s):  No reverse zone
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/44]: creating directory server instance
  [2/44]: enabling ldapi
  [3/44]: configure autobind for root
  [4/44]: stopping directory server
  [5/44]: updating configuration in dse.ldif
  [6/44]: starting directory server
  [7/44]: adding default schema
  [8/44]: enabling memberof plugin
  [9/44]: enabling winsync plugin
  [10/44]: configuring replication version plugin
  [11/44]: enabling IPA enrollment plugin
  [12/44]: configuring uniqueness plugin
  [13/44]: configuring uuid plugin
  [14/44]: configuring modrdn plugin
  [15/44]: configuring DNS plugin
  [16/44]: enabling entryUSN plugin
  [17/44]: configuring lockout plugin
  [18/44]: configuring topology plugin
  [19/44]: creating indices
  [20/44]: enabling referential integrity plugin
  [21/44]: configuring certmap.conf
  [22/44]: configure new location for managed entries
  [23/44]: configure dirsrv ccache
  [24/44]: enabling SASL mapping fallback
  [25/44]: restarting directory server
  [26/44]: adding sasl mappings to the directory
  [27/44]: adding default layout
  [28/44]: adding delegation layout
  [29/44]: creating container for managed entries
  [30/44]: configuring user private groups
  [31/44]: configuring netgroups from hostgroups
  [32/44]: creating default Sudo bind user
  [33/44]: creating default Auto Member layout
  [34/44]: adding range check plugin
  [35/44]: creating default HBAC rule allow_all
  [36/44]: adding entries for topology management
  [37/44]: initializing group membership
  [38/44]: adding master entry
  [39/44]: initializing domain level
  [40/44]: configuring Posix uid/gid generation
  [41/44]: adding replication acis
  [42/44]: activating sidgen plugin
  [43/44]: activating extdom plugin
  [44/44]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/10]: adding kerberos container to the directory
  [2/10]: configuring KDC
  [3/10]: initialize kerberos container
  [4/10]: adding default ACIs
  [5/10]: creating a keytab for the directory
  [6/10]: creating a keytab for the machine
  [7/10]: adding the password extension to the directory
  [8/10]: creating anonymous principal
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa-custodia
  [1/5]: Making sure custodia container exists
  [2/5]: Generating ipa-custodia config file
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/29]: configuring certificate server instance
  [2/29]: reindex attributes
  [3/29]: exporting Dogtag certificate store pin
  [4/29]: stopping certificate server instance to update CS.cfg
  [5/29]: backing up CS.cfg
  [6/29]: disabling nonces
  [7/29]: set up CRL publishing
  [8/29]: enable PKIX certificate path discovery and validation
  [9/29]: starting certificate server instance
  [10/29]: configure certmonger for renewals
  [11/29]: requesting RA certificate from CA
  [12/29]: setting audit signing renewal to 2 years
  [13/29]: restarting certificate server
  [14/29]: publishing the CA certificate
  [15/29]: adding RA agent as a trusted user
  [16/29]: authorizing RA to modify profiles
  [17/29]: authorizing RA to manage lightweight CAs
  [18/29]: Ensure lightweight CAs container exists
  [19/29]: configure certificate renewals
  [20/29]: configure Server-Cert certificate renewal
  [21/29]: Configure HTTP to proxy connections
  [22/29]: restarting certificate server
  [23/29]: updating IPA configuration
  [24/29]: enabling CA instance
  [25/29]: migrating certificate profiles to LDAP
  [26/29]: importing IPA certificate profiles
  [27/29]: adding default CA ACL
  [28/29]: adding 'ipa' CA entry
  [29/29]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: adding CA certificate entry
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd)
  [1/22]: stopping httpd
  [2/22]: setting mod_nss port to 443
  [3/22]: setting mod_nss cipher suite
  [4/22]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [5/22]: setting mod_nss password file
  [6/22]: enabling mod_nss renegotiate
  [7/22]: disabling mod_nss OCSP
  [8/22]: adding URL rewriting rules
  [9/22]: configuring httpd
  [10/22]: setting up httpd keytab
  [11/22]: configuring Gssproxy
  [12/22]: setting up ssl
  [13/22]: configure certmonger for renewals
  [14/22]: importing CA certificates from LDAP
  [15/22]: publish CA cert
  [16/22]: clean up any existing httpd ccaches
  [17/22]: configuring SELinux for httpd
  [18/22]: create KDC proxy config
  [19/22]: enable KDC proxy
  [20/22]: starting httpd
  [21/22]: configuring httpd to start on boot
  [22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: disabling Schema Compat
  [6/10]: starting directory server
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Restarting the KDC
Configuring DNS (named)
  [1/11]: generating rndc key file
  [2/11]: adding DNS container
  [3/11]: setting up our zone
  [4/11]: setting up our own record
  [5/11]: setting up records for other masters
  [6/11]: adding NS record to the zones
  [7/11]: setting up kerberos principal
  [8/11]: setting up named.conf
  [9/11]: setting up server configuration
  [10/11]: configuring named to start on boot
  [11/11]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: idm.cs.xxxx
Realm: CS.XXXX
DNS Domain: cs.xxxx
IPA Server: idm.cs.xxxx
BaseDN: dc=cs,dc=xxxx
Skipping synchronizing time with NTP server.
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://idm.cs.xxxx/ipa/json
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring cs.xxxx as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
==============================================================================
Setup complete

Next steps:
  1. You must make sure these network ports are open:
       TCP Ports:
         * 80, 443: HTTP/HTTPS
         * 389, 636: LDAP/LDAPS
         * 88, 464: kerberos
         * 53: bind
       UDP Ports:
         * 88, 464: kerberos
         * 53: bind
         * 123: ntp

  2. You can now obtain a kerberos ticket using the command: 'kinit admin'
     This ticket will allow you to use the IPA tools (e.g., ipa user-add)
     and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
Service Status
[xadministrator@idm log]$ sudo systemctl enable tomcat.service -l
[xadministrator@idm log]$ sudo systemctl start tomcat.service -l
[xadministrator@idm log]$ sudo systemctl status tomcat.service -l
● tomcat.service - Apache Tomcat Web Application Container
   Loaded: loaded (/usr/lib/systemd/system/tomcat.service; enabled; vendor preset: disabled)
   Active: inactive (dead) since Tue 2020-01-21 14:42:52 EST; 3s ago
  Process: 15192 ExecStart=/usr/libexec/tomcat/server start (code=exited, status=0/SUCCESS)
 Main PID: 15192 (code=exited, status=0/SUCCESS)

Jan 21 14:42:52 idm.cs.xxxx server[15192]: Jan 21, 2020 2:42:52 PM org.apache.catalina.core.StandardService stopInternal
Jan 21 14:42:52 idm.cs.xxxx server[15192]: INFO: Stopping service Catalina
Jan 21 14:42:52 idm.cs.xxxx server[15192]: Jan 21, 2020 2:42:52 PM org.apache.coyote.AbstractProtocol stop
Jan 21 14:42:52 idm.cs.xxxx server[15192]: INFO: Stopping ProtocolHandler ["http-bio-8080"]
Jan 21 14:42:52 idm.cs.xxxx server[15192]: Jan 21, 2020 2:42:52 PM org.apache.coyote.AbstractProtocol destroy
Jan 21 14:42:52 idm.cs.xxxx server[15192]: INFO: Destroying ProtocolHandler ["http-bio-8080"]
Jan 21 14:42:52 idm.cs.xxxx server[15192]: Jan 21, 2020 2:42:52 PM org.apache.coyote.AbstractProtocol stop
Jan 21 14:42:52 idm.cs.xxxx server[15192]: INFO: Stopping ProtocolHandler ["ajp-bio-8009"]
Jan 21 14:42:52 idm.cs.xxxx server[15192]: Jan 21, 2020 2:42:52 PM org.apache.coyote.AbstractProtocol destroy
Jan 21 14:42:52 idm.cs.xxxx server[15192]: INFO: Destroying ProtocolHandler ["ajp-bio-8009"]
[xadministrator@idm log]$
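The installer's "Next steps" above list the ports an IPA server has to serve, and the installer configured the web interface as httpd and the CA as pki-tomcatd rather than the stock tomcat.service whose status is shown. The following POSIX shell check is an added example, not part of the ticket: it reads `ss -lntu` output and reports which of those required ports have no listener; the embedded `ss` sample is constructed (443 deliberately absent) and the port list is the installer's.

```shell
#!/bin/sh
# Required listener ports, taken from the installer's "Next steps" on this ticket.
IPA_TCP_PORTS="80 443 389 636 88 464 53"
IPA_UDP_PORTS="88 464 53 123"

# Constructed sample of `ss -lntu` output (header included, as ss prints it);
# 443 is deliberately missing so the check has something to report.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    *:80              *:*
tcp   LISTEN 0      128    *:389             *:*
tcp   LISTEN 0      128    [::]:636          [::]:*
tcp   LISTEN 0      128    *:88              *:*
tcp   LISTEN 0      128    *:464             *:*
tcp   LISTEN 0      10     10.0.0.200:53     *:*
udp   UNCONN 0      0      *:88              *:*
udp   UNCONN 0      0      *:464             *:*
udp   UNCONN 0      0      10.0.0.200:53     *:*
udp   UNCONN 0      0      *:123             *:*'

# missing_ports PROTO "PORTS" < ss-output
# Prints the ports in PORTS that have no PROTO socket in the ss output on stdin.
# The port is the last ":"-separated field of column 5, so IPv6 "[::]:636" works too.
missing_ports() {
    proto=$1; want=$2; input=$(cat); missing=""
    for p in $want; do
        if ! printf '%s\n' "$input" | awk -v proto="$proto" -v port="$p" '
            $1 == proto { n = split($5, a, ":"); if (a[n] == port) found = 1 }
            END { exit found ? 0 : 1 }'; then
            missing="$missing $p"
        fi
    done
    printf '%s\n' "${missing# }"
}

# check_ipa_ports < ss-output
# Returns 0 when every required port has a socket, 1 otherwise, naming the gaps.
check_ipa_ports() {
    input=$(cat); rc=0
    tcp_missing=$(printf '%s\n' "$input" | missing_ports tcp "$IPA_TCP_PORTS")
    udp_missing=$(printf '%s\n' "$input" | missing_ports udp "$IPA_UDP_PORTS")
    [ -n "$tcp_missing" ] && { echo "no TCP listener on: $tcp_missing"; rc=1; }
    [ -n "$udp_missing" ] && { echo "no UDP socket on: $udp_missing"; rc=1; }
    return $rc
}

# On the server itself run:  ss -lntu | check_ipa_ports
# Against the constructed sample this prints "no TCP listener on: 443".
if printf '%s\n' "$SAMPLE_SS" | check_ipa_ports; then echo "all IPA ports served"; fi
```

A port that is served but blocked by the host firewall will still pass this check, so pair it with the firewall rules for the same list.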
We prefer to handle user-support issues on the freeipa-users list to improve visibility both for others that may be having similar issues and for additional input beyond those that read issues.
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/
Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)
Adding another log file... (attachment: Issue2.txt)
Metadata Update from @noobeee:
- Issue status updated to: Open (was: Closed)
For full reference, the issue was discussed in freeipa-user mailing list: thread.
Issue solved, hence closing this ticket.
Metadata Update from @frenaud:
- Issue close_status updated to: invalid
- Issue status updated to: Closed (was: Open)