#8221 Secure AJP connector between Dogtag and Apache proxy
Closed: fixed 3 years ago by frenaud. Opened 3 years ago by abbra.

The AJP implementation in Tomcat is vulnerable to CVE-2020-1938 if used without a shared secret. Set up a shared secret between the localhost connector and the Apache mod_proxy_ajp pass-through.

For an existing secured AJP pass-through, make sure the option used for configuration on the Tomcat side is up to date. Tomcat 9.0.31.0 deprecated the 'requiredSecret' option name in favor of 'secret'. Details can be found at https://tomcat.apache.org/migration-9.html#Upgrading_9.0.x

CVE-2020-1938: https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31


Metadata Update from @abbra:
- Issue assigned to abbra

3 years ago

Metadata Update from @abbra:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1812169
- Issue set to the milestone: FreeIPA 4.6

3 years ago

master:

  • 593fac1 Tighten permissions on PKI proxy configuration
  • ec73de9 Secure AJP connector between Dogtag and Apache proxy

ipa-4-8:

  • 1deb101 Tighten permissions on PKI proxy configuration
  • d4d8b98 Secure AJP connector between Dogtag and Apache proxy

ipa-4-7:

  • d4ad2c2 Tighten permissions on PKI proxy configuration
  • fc82b96 Secure AJP connector between Dogtag and Apache proxy

ipa-4-6:

  • af2dca1 Tighten permissions on PKI proxy configuration
  • 901d0ec Secure AJP connector between Dogtag and Apache proxy

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago

Hi!
On RHEL-8.2 I tried to reinstall the replica using ipa-server-4.8.4-7.module+el8.2.0+6046+aaa49f96, not knowing it has this bug. My attempt failed with 'SEVERE: DBSubsystem: initialization failed: Unable to connect to LDAP server: Authentication failed' in /var/log/pki/pki-tomcat/ca/debug.2020-12-16.log. I've found this bug is fixed in ipa-server-4.8.0-13.module+el8.1.0+4923+c6efe041 and tried upgrading IPA on one of the remaining IPA replicas. It failed because of the same authentication failure. As a partial workaround I am now starting ipactl with '--force --ignore-service-failures --skip-version-check'. Can I fix this authentication problem without destroying the existing IPA servers and recreating them from backups?

This does not sound like this problem at all. Please provide your debug log.

To have a new debug log I ran 'systemctl restart pki-tomcatd@pki-tomcat.service'.
journalctl for this service shows:
Dec 18 12:22:24 ipa02.cs.umd.edu systemd[1]: Starting PKI Tomcat Server pki-tomcat...
Dec 18 12:22:28 ipa02.cs.umd.edu server[458423]: Java virtual machine used: /usr/lib/jvm/jre-openjdk/bin/java
Dec 18 12:22:28 ipa02.cs.umd.edu server[458423]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/ant.jar:/usr/share/java/ant-launcher.jar:/usr/lib/jvm/java/lib/tools.jar
Dec 18 12:22:28 ipa02.cs.umd.edu server[458423]: main class used: org.apache.catalina.startup.Bootstrap
Dec 18 12:22:28 ipa02.cs.umd.edu server[458423]: flags used: -Dcom.redhat.fips=false
Dec 18 12:22:28 ipa02.cs.umd.edu server[458423]: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/>
Dec 18 12:22:28 ipa02.cs.umd.edu server[458423]: arguments used: start
Dec 18 12:22:28 ipa02.cs.umd.edu ipa-pki-wait-running[458424]: pki.client: /usr/libexec/ipa/ipa-pki-wait-running:63: The subsystem in PKIConnection.init() has been deprecated (https://www.dogtagpki.org/wiki/PKI_10.8_Python_Changes).
Dec 18 12:22:28 ipa02.cs.umd.edu ipa-pki-wait-running[458424]: ipa-pki-wait-running: Created connection http://ipa02.cs.umd.edu:8080/ca
Dec 18 12:22:28 ipa02.cs.umd.edu ipa-pki-wait-running[458424]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa02.cs.umd.edu', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urll>
Dec 18 12:22:30 ipa02.cs.umd.edu server[458423]: WARNING: Some of the specified [protocols] are not supported by the SSL engine and have been skipped: [[TLSv1, TLSv1.1]]
Dec 18 12:22:31 ipa02.cs.umd.edu ipa-pki-wait-running[458424]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa02.cs.umd.edu', port=8080): Read timed out. (read timeout=1.0)
Dec 18 12:22:33 ipa02.cs.umd.edu ipa-pki-wait-running[458424]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa02.cs.umd.edu', port=8080): Read timed out. (read timeout=1.0)
Dec 18 12:22:35 ipa02.cs.umd.edu server[458423]: SEVERE: CA subsystem unavailable. Check CA debug log.
Dec 18 12:22:35 ipa02.cs.umd.edu server[458423]: SEVERE: CA subsystem unavailable. Check CA debug log.
Dec 18 12:22:35 ipa02.cs.umd.edu ipa-pki-wait-running[458424]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa02.cs.umd.edu', port=8080): Read timed out. (read timeout=1.0)
Dec 18 12:22:36 ipa02.cs.umd.edu server[458423]: SEVERE: CA subsystem unavailable. Check CA debug log.
Dec 18 12:22:36 ipa02.cs.umd.edu ipa-pki-wait-running[458424]: ipa-pki-wait-running: Request failed unexpectedly, 500 Server Error: for url: http://ipa02.cs.umd.edu:8080/ca/admin/ca/getStatus
Dec 18 12:22:37 ipa02.cs.umd.edu server[458423]: SEVERE: CA subsystem unavailable. Check CA debug log.
Dec 18 12:22:37 ipa02.cs.umd.edu ipa-pki-wait-running[458424]: ipa-pki-wait-running: Request failed unexpectedly, 500 Server Error: for url: http://ipa02.cs.umd.edu:8080/ca/admin/ca/getStatus
Dec 18 12:22:38 ipa02.cs.umd.edu server[458423]: SEVERE: CA subsystem unavailable. Check CA debug log.
Dec 18 12:22:38 ipa02.cs.umd.edu ipa-pki-wait-running[458424]: ipa-pki-wait-running: Request failed unexpectedly, 500 Server Error: for url: http://ipa02.cs.umd.edu:8080/ca/admin/ca/getStatus
Dec 18 12:22:39 ipa02.cs.umd.edu server[458423]: SEVERE: CA subsystem unavailable. Check CA debug log.
Dec 18 12:22:39 ipa02.cs.umd.edu ipa-pki-wait-running[458424]: ipa-pki-wait-running: Request failed unexpectedly, 500 Server Error: for url: http://ipa02.cs.umd.edu:8080/ca/admin/ca/getStatus
Dec 18 12:22:40 ipa02.cs.umd.edu server[458423]: SEVERE: CA subsystem unavailable. Check CA debug log.
Dec 18 12:22:40 ipa02.cs.umd.edu ipa-pki-wait-running[458424]: ipa-pki-wait-running: Request failed unexpectedly, 500 Server Error: for url: http://ipa02.cs.umd.edu:8080/ca/admin/ca/getStatus
Dec 18 12:22:41 ipa02.cs.umd.edu server[458423]: SEVERE: CA subsystem unavailable. Check CA debug log.
Dec 18 12:22:41 ipa02.cs.umd.edu ipa-pki-wait-running[458424]: ipa-pki-wait-running: Request failed unexpectedly, 500 Server Error: for url: http://ipa02.cs.umd.edu:8080/ca/admin/ca/getStatus
Dec 18 12:22:42 ipa02.cs.umd.edu server[458423]: SEVERE: CA subsystem unavailable. Check CA debug log.
Dec 18 12:22:42 ipa02.cs.umd.edu ipa-pki-wait-running[458424]: ipa-pki-wait-running: Request failed unexpectedly, 500 Server Error: for url: http://ipa02.cs.umd.edu:8080/ca/admin/ca/getStatus
Dec 18 12:22:43 ipa02.cs.umd.edu server[458423]: SEVERE: CA subsystem unavailable. Check CA debug log.
Dec 18 12:22:43 ipa02.cs.umd.edu ipa-pki-wait-running[458424]: ipa-pki-wait-running: Request failed unexpectedly, 500 Server Error: for url: http://ipa02.cs.umd.edu:8080/ca/admin/ca/getStatus
Dec 18 12:22:44 ipa02.cs.umd.edu server[458423]: SEVERE: CA subsystem unavailable. Check CA debug log.
Dec 18 12:22:44 ipa02.cs.umd.edu ipa-pki-wait-running[458424]: ipa-pki-wait-running: Request failed unexpectedly, 500 Server Error: for url: http://ipa02.cs.umd.edu:8080/ca/admin/ca/getStatus
Dec 18 12:22:44 ipa02.cs.umd.edu server[458423]: SEVERE: CA subsystem unavailable. Check CA debug log.
Dec 18 12:22:44 ipa02.cs.umd.edu server[458423]: WARNING: Exception processing realm [com.netscape.cms.tomcat.ProxyRealm@2739945a] background process
Dec 18 12:22:44 ipa02.cs.umd.edu server[458423]: javax.ws.rs.ServiceUnavailableException: CA subsystem unavailable. Check CA debug log.
Dec 18 12:22:44 ipa02.cs.umd.edu server[458423]: at com.netscape.cms.tomcat.ProxyRealm.validateRealm(ProxyRealm.java:81)
Dec 18 12:22:44 ipa02.cs.umd.edu server[458423]: at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:143)
Dec 18 12:22:44 ipa02.cs.umd.edu server[458423]: at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1137)
Dec 18 12:22:44 ipa02.cs.umd.edu server[458423]: at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5566)
Dec 18 12:22:44 ipa02.cs.umd.edu server[458423]: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1353)
Dec 18 12:22:44 ipa02.cs.umd.edu server[458423]: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1357)
Dec 18 12:22:44 ipa02.cs.umd.edu server[458423]: at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1335)
Dec 18 12:22:44 ipa02.cs.umd.edu server[458423]: at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
Dec 18 12:22:44 ipa02.cs.umd.edu server[458423]: at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
Dec 18 12:22:44 ipa02.cs.umd.edu server[458423]: at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
Dec 18 12:22:44 ipa02.cs.umd.edu server[458423]: at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
Dec 18 12:22:44 ipa02.cs.umd.edu server[458423]: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
Dec 18 12:22:44 ipa02.cs.umd.edu server[458423]: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
Dec 18 12:22:44 ipa02.cs.umd.edu server[458423]: at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
Dec 18 12:22:44 ipa02.cs.umd.edu server[458423]: at java.lang.Thread.run(Thread.java:748)
Dec 18 12:22:45 ipa02.cs.umd.edu server[458423]: SEVERE: CA subsystem unavailable. Check CA debug log.

And /var/log/pki/pki-tomcat/ca/debug.2020-12-18.log starts with:
2020-12-18 12:22:34 [main] INFO: Initializing CA subsystem
2020-12-18 12:22:34 [main] INFO: CMSEngine: initializing password stores
2020-12-18 12:22:34 [main] INFO: CMSEngine: initializing password store for internaldb
2020-12-18 12:22:34 [main] INFO: CMSEngine: initializing password store for replicationdb
2020-12-18 12:22:34 [main] INFO: PluginRegistry: Loading plugin registry from /var/lib/pki/pki-tomcat/conf/ca/registry.cfg
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - profile
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - caEnrollImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - caCACertEnrollImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - caServerCertEnrollImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - caUserCertEnrollImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - defaultPolicy
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - noDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - genericExtDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - autoAssignDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - subjectNameDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - validityDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - randomizedValidityDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - caValidityDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - subjectKeyIdentifierExtDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - authorityKeyIdentifierExtDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - basicConstraintsExtDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - keyUsageExtDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - nsCertTypeExtDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - extendedKeyUsageExtDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - ocspNoCheckExtDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - issuerAltNameExtDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - subjectAltNameExtDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - userSubjectNameDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - cmcUserSignedSubjectNameDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - signingAlgDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - userKeyDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - userValidityDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - userExtensionDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - userSigningAlgDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - authTokenSubjectNameDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - subjectInfoAccessExtDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - authInfoAccessExtDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - nscCommentExtDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - freshestCRLExtDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - crlDistributionPointsExtDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - policyConstraintsExtDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - policyMappingsExtDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - nameConstraintsExtDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - certificateVersionDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - certificatePoliciesExtDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - subjectDirAttributesExtDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - privateKeyPeriodExtDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - inhibitAnyPolicyExtDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - imageDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - nsTokenDeviceKeySubjectNameDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - nsTokenUserKeySubjectNameDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - authzRealmDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - commonNameToSANDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - sanToCNDefaultImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - constraintPolicy
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - noConstraintImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - subjectNameConstraintImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - uniqueSubjectNameConstraintImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - userSubjectNameConstraintImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - cmcSharedTokenSubjectNameConstraintImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - cmcUserSignedSubjectNameConstraintImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - caValidityConstraintImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - validityConstraintImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - keyUsageExtConstraintImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - nsCertTypeExtConstraintImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - extendedKeyUsageExtConstraintImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - keyConstraintImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - basicConstraintsExtConstraintImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - extensionConstraintImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - signingAlgConstraintImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - uniqueKeyConstraintImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - renewGracePeriodConstraintImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - authzRealmConstraintImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - externalProcessConstraintImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - profileInput
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - cmcCertReqInputImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - certReqInputImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - keyGenInputImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - encKeyGenInputImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - signKeyGenInputImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - dualKeyGenInputImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - subjectNameInputImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - submitterInfoInputImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - genericInputImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - fileSigningInputImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - imageInputImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - subjectDNInputImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - nsNKeyCertReqInputImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - nsHKeyCertReqInputImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - serialNumRenewInputImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - subjectAltNameExtInputImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - profileOutput
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - certOutputImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - cmmfOutputImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - pkcs7OutputImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - nsNKeyOutputImpl
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - profileUpdater
2020-12-18 12:22:34 [main] INFO: PluginRegistry: - subsystemGroupUpdaterImpl
2020-12-18 12:22:34 [main] INFO: CMSEngine: Initializing subsystems
2020-12-18 12:22:34 [main] INFO: CMSEngine: Initializing log subsystem
2020-12-18 12:22:34 [main] INFO: CMSEngine: Initializing jss subsystem
2020-12-18 12:22:34 [main] INFO: CMSEngine: Initializing dbs subsystem
2020-12-18 12:22:34 [main] SEVERE: LdapBoundConnFactory: Unable to connect to LDAP server: Authentication failed
netscape.ldap.LDAPException: Authentication failed (48)
at netscape.ldap.LDAPSaslBind.checkForSASLBindCompletion(Unknown Source)
at netscape.ldap.LDAPSaslBind.bind(Unknown Source)
at netscape.ldap.LDAPSaslBind.bind(Unknown Source)
at netscape.ldap.LDAPConnection.authenticate(Unknown Source)
at netscape.ldap.LDAPConnection.authenticate(Unknown Source)
at netscape.ldap.LDAPConnection.checkClientAuth(Unknown Source)
at netscape.ldap.LDAPConnection.connect(Unknown Source)
at netscape.ldap.LDAPConnection.connect(Unknown Source)
at netscape.ldap.LDAPConnection.connect(Unknown Source)
at com.netscape.cmscore.ldapconn.LdapBoundConnection.<init>(LdapBoundConnection.java:105)
at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:285)
at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:261)
at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:224)
at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:193)
at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:661)
at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:807)
at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:782)
at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:773)
at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:448)
at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:113)
at javax.servlet.GenericServlet.init(GenericServlet.java:158)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1122)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1089)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:983)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4871)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5180)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:717)
at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:129)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:150)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:140)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:688)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:705)
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:631)
at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1831)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:112)
at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:526)
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:425)
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1576)
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:309)
at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:366)
at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:936)
at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:841)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1384)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1374)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:134)
at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:909)
at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:262)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.core.StandardService.startInternal(StandardService.java:421)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:930)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.startup.Catalina.start(Catalina.java:633)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)

Thanks. This issue is about the HTTP connector between the frontend and Tomcat, while your issue is the LDAP connection inside Dogtag. The latter uses an SSL certificate to authenticate to the LDAP server. Most likely your RA certificate has expired, or the certificate in the LDAP entry differs from the one Dogtag uses to authenticate.

Please use the freeipa-users@ mailing list to discuss your problem if you don't have a RHEL subscription. Otherwise, please use Red Hat's support system to open a case.

As for freeipa-users@, just today there was a similar request and @frenaud already provided suggestions on what to look at: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/VVUBPGAOBQ6PEMR633Q7L54SD2VRNHPM/

Going back to the OP, my security scanner reports CVE-2020-1938 after a fresh install of ipa-server 4.8.7 (Release: 12.module_el8.3.0+511+8a502f20) on CentOS 8.3.2011, specifically the Tomcat v9.0.30 installed to /usr/share/tomcat/ . I believe it is installed by pki-servlet-4.0-api-9.0.30-1

@abbra , should I understand this code change to mean that while the version of tomcat may exhibit that CVE, my server is not vulnerable to it because of the way it uses the AJP connector?

Alternatively, any advice on what I'd need to do to get a different version of tomcat...

Thank you, and apologies if this is not the right place to ask about this change.

IPA mitigates this in two ways:

  1. Only listen for AJP on localhost
  2. Require a secret to connect

You can verify by checking the connector configuration. If the connector details have a secret set, the CVE is mitigated. This is the default for IPA in CentOS 8.3.
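As an added example (not FreeIPA or Dogtag code), this script performs the check described in the reply above and the 'requiredSecret' to 'secret' rename check from the issue description: it parses Tomcat's server.xml for AJP connectors, verifies the loopback bind and shared secret, and confirms that every ajp:// ProxyPass rule in the httpd configuration carries a matching secret. The file paths are supplied by the operator on the command line, and the two embedded configuration snippets are constructed samples, not real FreeIPA files.

```python
import re
import sys
import xml.etree.ElementTree as ET

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
# ProxyPass/ProxyPassMatch rule to ajp://, with or without a leading path, and its secret= option.
PROXY_RULE = re.compile(
    r"^[ \t]*ProxyPass(?:Match)?[ \t]+(?:\S+[ \t]+)?ajp://\S+(?:.*?\bsecret=(?P<secret>\S+))?.*$", re.M)

def ajp_connectors(server_xml_text):
    """One dict per AJP <Connector> in server.xml. 'mitigated' needs both controls from
    the thread: an explicit loopback bind and a shared secret ('requiredSecret' is the
    pre-9.0.31 spelling of 'secret' and is still honoured, but reported as deprecated)."""
    out = []
    for conn in ET.fromstring(server_xml_text).iter("Connector"):
        if "AJP" not in conn.get("protocol", "").upper():
            continue
        secret = conn.get("secret") or conn.get("requiredSecret")
        loopback = conn.get("address") in LOOPBACK
        out.append({
            "port": conn.get("port"),
            "loopback": loopback,
            "secret": secret,
            "deprecated_attr": "requiredSecret" in conn.attrib,
            "mitigated": loopback and bool(secret),
        })
    return out

def proxy_secrets(httpd_conf_text):
    """secret= value (None if absent) of every ajp:// proxy rule in an httpd config."""
    return [m.group("secret") for m in PROXY_RULE.finditer(httpd_conf_text)]

def audit(server_xml_text, httpd_conf_text):
    """Problems on either side of the AJP hop; an empty list means mitigated."""
    problems = []
    conns = ajp_connectors(server_xml_text)
    for c in conns:
        tag = "AJP connector port %s: " % c["port"]
        if not c["loopback"]:
            problems.append(tag + "not bound to a loopback address")
        if not c["secret"]:
            problems.append(tag + "no shared secret configured")
        if c["deprecated_attr"]:
            problems.append(tag + "uses deprecated 'requiredSecret'; rename to 'secret'")
    known = {c["secret"] for c in conns if c["secret"]}
    for s in proxy_secrets(httpd_conf_text):
        if s is None:
            problems.append("httpd: ajp:// proxy rule carries no secret=")
        elif s not in known:
            problems.append("httpd: secret= does not match any Tomcat AJP connector")
    return problems

# Constructed samples (not real FreeIPA files): an open legacy connector, a fixed one,
# and one proxy rule that forgot its secret.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8010" protocol="AJP/1.3" address="localhost"
               secret="EXAMPLE-SECRET-NOT-REAL" redirectPort="8443"/>
  </Service>
</Server>"""
SAMPLE_HTTPD_CONF = """<LocationMatch "^/ca/rest/certs|^/ca/ee/ca/checkRequest">
    ProxyPassMatch ajp://localhost:8010 secret=EXAMPLE-SECRET-NOT-REAL
</LocationMatch>
ProxyPass /ca/admin ajp://localhost:8010
"""

def main(argv):
    # Operator passes the real server.xml and httpd proxy config paths; no args = samples.
    if len(argv) == 3:
        with open(argv[1]) as f, open(argv[2]) as g:
            problems = audit(f.read(), g.read())
    else:
        problems = audit(SAMPLE_SERVER_XML, SAMPLE_HTTPD_CONF)
    report = "\n".join("PROBLEM: " + p for p in problems)
    print(report or "OK: AJP hop is loopback-only and secret-protected")
    return 1 if problems else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments to see the three findings against the samples; the exit status is non-zero whenever any problem is reported, so the check can be wired into configuration monitoring.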
