mbasti-rh commented on a pull request """ On replica:
``` [root@vm-058-017 ~]# ipa-ca-install Directory Manager (existing master) password: Run connection check to master Connection check OK Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds [1/25]: creating certificate server user [2/25]: creating certificate server db [3/25]: setting up initial replication Starting replication, please wait until this has completed. Update in progress, 2 seconds elapsed Update succeeded [4/25]: creating installation admin user [5/25]: setting up certificate server [6/25]: stopping instance to update CS.cfg [7/25]: backing up CS.cfg [8/25]: disabling nonces [9/25]: set up CRL publishing [10/25]: enable PKIX certificate path discovery and validation [11/25]: set up client auth to db [12/25]: destroying installation admin user [13/25]: Ensure lightweight CAs container exists [14/25]: Configure lightweight CA key retrieval [15/25]: starting instance ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart the Dogtag instance.See the installation log for details. [16/25]: importing CA chain to RA certificate database [error] RuntimeError: Unable to retrieve CA chain: request failed with HTTP status 500 ``` ``` 2016-08-26T12:41:39Z DEBUG The CA status is: check interrupted due to error: Retrieving CA status failed with status 500 2016-08-26T12:41:39Z DEBUG Waiting for CA to start... 2016-08-26T12:41:40Z DEBUG request POST http://vm-058-017.abc.idm.lab.eng.brq.redhat.com:8080/ca/admin/ca/getStatus 2016-08-26T12:41:40Z DEBUG request body '' 2016-08-26T12:41:40Z DEBUG response status 500 2016-08-26T12:41:40Z DEBUG response headers {'content-length': '2351', 'content-language': 'en', 'server': 'Apache-Coyote/1.1', 'connection': 'close', 'date': 'Fri, 26 Aug 2016 12:41:40 GMT', 'content-type': 'te xt/html;charset=utf-8'} 2016-08-26T12:41:40Z DEBUG response body '<!DOCTYPE html><html><head><title>Apache Tomcat/8.0.32 - Error report</title><style type="text/css">H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color: #525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px; } BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:wh ite;color:black;font-size:12px;}A {color : black;}A.name {color : black;}.line {height: 1px; background-color: #525D76; border: none;}</style> </head><body><h1>HTTP Status 500 - Subsystem unavailable</h1><div cl ass="line"></div><p><b>type</b> Exception report</p><p><b>message</b> <u>Subsystem unavailable</u></p><p><b>description</b> <u>The server encountered an internal error that prevented it from fulfilling this requ est.</u></p><p><b>exception</b></p><pre>javax.ws.rs.ServiceUnavailableException: Subsystem unavailable\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:138)\n\torg.apache.catalina.au thenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:496)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)\n\torg.apache.catalina.valves.AbstractAccessLogValve.invoke(Abstra ctAccessLogValve.java:616)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:522)\n\torg.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1095)\n\torg.apa che.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:672)\n\torg.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500)\n\torg.apache.tomcat.util.net.NioEn dpoint$SocketProcessor.run(NioEndpoint.java:1456)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java: 617)\n\torg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:745)\n</pre><p><b>note</b> <u>The full stack trace of the root cause is available in the Apache Tomcat/8.0.32 logs.</u></p><hr class="line"><h3>Apache Tomcat/8.0.32</h3></body></html>' 2016-08-26T12:41:40Z DEBUG The CA status is: check interrupted due to error: Retrieving CA status failed with status 500 2016-08-26T12:41:40Z DEBUG Waiting for CA to start... 2016-08-26T12:41:41Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 194, in start_instance self.start('pki-tomcat') File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 345, in start self.service.start(instance_name, capture_output=capture_output, wait=wait) File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 218, in start self.wait_until_running() File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 212, in wait_until_running raise RuntimeError('CA did not start in %ss' % timeout) RuntimeError: CA did not start in 300.0s ``` Debug log ``` Internal Database Error encountered: Could not connect to LDAP server host vm-058-017.abc.idm.lab.eng.brq.redhat.com port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket: org.mozilla.jss.ssl.SSLSocketException: Unable to connect: (-5961) TCP connection reset by peer. (-1) at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676) at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169) at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075) at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571) at com.netscape.certsrv.apps.CMS.init(CMS.java:187) at com.netscape.certsrv.apps.CMS.start(CMS.java:1616) at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114) at javax.servlet.GenericServlet.init(GenericServlet.java:158) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:286) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:283) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:318) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:173) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:122) at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1226) at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1151) at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1038) at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4997) at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5289) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147) at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725) at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:131) at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:153) at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:143) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:699) at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717) at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:585) at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1794) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) ``` ``` [root@vm-058-017 ~]# ldapsearch -ZZ -b 'cn=directory manager' -W -x -h `hostname` ldap_start_tls: Protocol error (2) additional info: unsupported extended operation Works without SSL ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/21#issuecomment-242727129
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
