pgb205 via FreeIPA-users wrote:
> I've tried installing in two different ways:
> first as part of a full replica install, i.e. ipa-replica-install
> --setup-ca --no-forwarders  -p <password> replica.gpg 
> this failed on step 8
>   [8/27]: starting certificate server instance
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart
> the Dogtag instance. See the installation log for details.
>   [9/27]: creating RA agent certificate database
>   [10/27]: importing CA chain to RA certificate database
>   [error] RuntimeError: Unable to retrieve CA chain: request failed with
> HTTP status 500
> 
> I then tried installing just the replica (no --setup-ca option) which
> succeeded and then ipa-ca-install -w -p replica.gpg 
> which again failed with the same error
> 
> ca/debug log shows the following when I grep for errors
> [22/Aug/2017:17:01:06][http-bio-8443-exec-3]: SystemConfigService:
> request: ConfigurationRequest [pin=XXXX, token=Internal Key Storage
> Token, tokenPassword=XXXX, securityDomainType=existingdomain,
> securityDomainUri=https://server1:443, securityDomainName=null,
> securityDomainUser=admin, securityDomainPassword=XXXX, isClone=true,
> cloneUri=https://server1:443, subsystemName=CA server2 8443,
> p12File=/tmp/ca.p12, p12Password=XXXX, hierarchy=root, dsHost=server2,
> dsPort=389, baseDN=o=ipaca, bindDN=cn=Directory Manager, bindpwd=XXXX,
> database=ipaca, secureConn=false, removeData=true,
> replicateSchema=false, masterReplicationPort=389,
> cloneReplicationPort=389, replicationSecurity=TLS,
> systemCertsImported=false,
> systemCerts=[com.netscape.certsrv.system.SystemCertData@8ffc78b],
> issuingCA=https://server1:443, backupKeys=true, backupPassword=XXXX,
> backupFile=/etc/pki/pki-tomcat/alias/ca_backup_keys.p12, adminUID=null,
> adminPassword=XXXX, adminEmail=null, adminCertRequest=null,
> adminCertRequestType=null, adminSubjectDN=null, adminName=null,
> adminProfileID=null, adminCert=null, importAdminCert=false,
> generateServerCert=true, external=false, standAlone=false,
> stepTwo=false, authdbBaseDN=null, authdbHost=null, authdbPort=null,
> authdbSecureConn=null, caUri=null, kraUri=null, tksUri=null,
> enableServerSideKeyGen=null, importSharedSecret=null,
> generateSubsystemCert=null, sharedDB=false, sharedDBUserDN=null,
> createNewDB=true, setupReplication=True,
> subordinateSecurityDomainName=null, reindexData=False,
> startingCrlNumber=0, createSigningCertRecord=true,
> signingCertSerialNumber=1]
> [22/Aug/2017:17:01:07][http-bio-8443-exec-3]: updateNumberRange start
> host=server1 adminPort=443 eePort=443
> [22/Aug/2017:17:01:07][http-bio-8443-exec-3]: ConfigurationUtils: POST
> https://server1:443/ca/admin/ca/updateNumberRange
> [22/Aug/2017:17:01:07][http-bio-8443-exec-3]: updateNumberRange(): status=0
> [22/Aug/2017:17:01:07][http-bio-8443-exec-3]: updateNumberRange start
> host=server1 adminPort=443 eePort=443
> [22/Aug/2017:17:01:07][http-bio-8443-exec-3]: ConfigurationUtils: POST
> https://server1:443/ca/admin/ca/updateNumberRange
> [22/Aug/2017:17:01:07][http-bio-8443-exec-3]: updateNumberRange(): status=0
> [22/Aug/2017:17:01:07][http-bio-8443-exec-3]: updateNumberRange start
> host=server1 adminPort=443 eePort=443
> [22/Aug/2017:17:01:07][http-bio-8443-exec-3]: ConfigurationUtils: POST
> https://server1:443/ca/admin/ca/updateNumberRange
> [22/Aug/2017:17:01:07][http-bio-8443-exec-3]: updateNumberRange(): status=0
> [22/Aug/2017:17:01:09][http-bio-8443-exec-3]: init: before
> makeConnection errorIfDown is false
> [22/Aug/2017:17:01:09][http-bio-8443-exec-3]: makeConnection:
> errorIfDown false
> [22/Aug/2017:17:01:09][http-bio-8443-exec-3]: init: before
> makeConnection errorIfDown is false
> [22/Aug/2017:17:01:09][http-bio-8443-exec-3]: makeConnection:
> errorIfDown false
> [22/Aug/2017:17:02:08][http-bio-8443-exec-3]: init: before
> makeConnection errorIfDown is false
> [22/Aug/2017:17:02:08][http-bio-8443-exec-3]: makeConnection:
> errorIfDown false
> [22/Aug/2017:17:02:09][http-bio-8443-exec-3]: init: before
> makeConnection errorIfDown is false
> [22/Aug/2017:17:02:09][http-bio-8443-exec-3]: makeConnection:
> errorIfDown false
> [22/Aug/2017:17:02:09][http-bio-8443-exec-3]: enableReplication: Failed
> to modify cn=replica,cn="o=ipaca",cn=mapping tree,cn=config entry.
> Exception: netscape.ldap.LDAPException: error result (68)
> [22/Aug/2017:17:02:51][http-bio-8443-exec-3]: init: before
> makeConnection errorIfDown is false
> [22/Aug/2017:17:02:51][http-bio-8443-exec-3]: makeConnection:
> errorIfDown false
> [22/Aug/2017:17:02:52][http-bio-8443-exec-3]: importLDIFS(): LDAP Errors
> in importing /var/lib/pki/pki-tomcat/ca/conf/manager.ldif
> [22/Aug/2017:17:02:52][http-bio-8443-exec-3]: LDAPUtil:importLDIF:
> exception in adding entry
> ou=csusers,cn=config:netscape.ldap.LDAPException: error result (68)
> [22/Aug/2017:17:02:52][http-bio-8443-exec-3]: LDAPUtil:importLDIF:
> exception in modifying entry o=ipaca:netscape.ldap.LDAPException: error
> result (20)
> [22/Aug/2017:17:02:52][http-bio-8443-exec-3]: init: before
> makeConnection errorIfDown is false
> [22/Aug/2017:17:02:52][http-bio-8443-exec-3]: makeConnection:
> errorIfDown false
> [22/Aug/2017:17:02:57][http-bio-8443-exec-3]: init: before
> makeConnection errorIfDown is true
> [22/Aug/2017:17:02:57][http-bio-8443-exec-3]: makeConnection:
> errorIfDown true
> [22/Aug/2017:17:02:57][http-bio-8443-exec-3]: init: before
> makeConnection errorIfDown is false
> [22/Aug/2017:17:02:57][http-bio-8443-exec-3]: makeConnection:
> errorIfDown false
> [22/Aug/2017:17:02:57][http-bio-8443-exec-3]: init: before
> makeConnection errorIfDown is false
> [22/Aug/2017:17:02:57][http-bio-8443-exec-3]: makeConnection:
> errorIfDown false
> [22/Aug/2017:17:02:58][http-bio-8443-exec-3]: init: before
> makeConnection errorIfDown is false
> [22/Aug/2017:17:02:58][http-bio-8443-exec-3]: makeConnection:
> errorIfDown false
> [22/Aug/2017:17:03:07][localhost-startStop-1]: init: before
> makeConnection errorIfDown is true
> [22/Aug/2017:17:03:07][localhost-startStop-1]: makeConnection:
> errorIfDown true
> [22/Aug/2017:17:03:07][localhost-startStop-1]: init: before
> makeConnection errorIfDown is false
> [22/Aug/2017:17:03:07][localhost-startStop-1]: makeConnection:
> errorIfDown false
> [22/Aug/2017:17:03:08][localhost-startStop-1]: init: before
> makeConnection errorIfDown is false
> [22/Aug/2017:17:03:08][localhost-startStop-1]: makeConnection:
> errorIfDown false
> [22/Aug/2017:17:03:08][localhost-startStop-1]: init: before
> makeConnection errorIfDown is false
> [22/Aug/2017:17:03:08][localhost-startStop-1]: makeConnection:
> errorIfDown false
> [22/Aug/2017:17:03:08][profileChangeMonitor]: Start Profile Creation -
> caDirUserRenewal caEnrollImpl
> com.netscape.cms.profile.common.CAEnrollProfile
> [22/Aug/2017:17:03:08][profileChangeMonitor]: Done Profile Creation -
> caDirUserRenewal
> [22/Aug/2017:17:03:08][profileChangeMonitor]: Start Profile Creation -
> IECUserRoles caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
> [22/Aug/2017:17:03:08][profileChangeMonitor]: Done Profile Creation -
> IECUserRoles
> [22/Aug/2017:17:03:08][localhost-startStop-1]: init: before
> makeConnection errorIfDown is false
> [22/Aug/2017:17:03:08][localhost-startStop-1]: makeConnection:
> errorIfDown false
> [22/Aug/2017:17:03:09][localhost-startStop-1]: init: before
> makeConnection errorIfDown is false
> [22/Aug/2017:17:03:09][localhost-startStop-1]: makeConnection:
> errorIfDown false
> [22/Aug/2017:17:03:09][localhost-startStop-1]: init: before
> makeConnection errorIfDown is false
> [22/Aug/2017:17:03:09][localhost-startStop-1]: makeConnection:
> errorIfDown false
> [22/Aug/2017:17:03:09][localhost-startStop-1]: DBSubsystem:
> getNextRange. Unable to provide next range :netscape.ldap.LDAPException:
> error result (68)
> [22/Aug/2017:17:13:08][SerialNumberUpdateTask]: DBSubsystem:
> getNextRange. Unable to provide next range :netscape.ldap.LDAPException:
> error result (68)
> 
> This has failed on every CentOS 7 and Fedora 26 server that we have
> available, so it doesn't seem like a problem with particular versions.

A 500 suggests that the CA on the master you are creating a replica to
is down or limping along.

> 
> Can someone please suggest what the problem might be here. 

It would help if you said which debug log this is from, the master you
are installing or the existing master you are connecting to. I think
this is from the replica.

You want to look at the debug log on the other side because that is
likely where things are failing.

rob
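Rob's advice is to read the master's debug log, but the replica-side log quoted above already carries LDAP result codes that narrow the question. As an added example (editor's code, not FreeIPA's, Dogtag's, or either poster's), here is a small Python triage script that pulls every `netscape.ldap.LDAPException: error result (N)` out of a Dogtag debug log and labels N with its RFC 4511 name: 68 is entryAlreadyExists and 20 is attributeOrValueExists. It also records which component logged the failure and, where the message names one, the DN the operation touched. The sample lines are constructed from the ones quoted above, re-joined onto single lines as they appear in the real file; the log path in the docstring is an assumption, since the thread only says "ca/debug log".

```python
"""Triage helper for a Dogtag CA debug log (added example, not FreeIPA/Dogtag code).

Reads lines in the format of /var/lib/pki/pki-tomcat/ca/logs/debug (the path
is an assumption; the thread only mentions the "ca/debug log"), extracts every
``netscape.ldap.LDAPException: error result (N)`` and labels N with its
RFC 4511 result-code name, together with the DN the failing operation
touched when the message names one.
"""
import re
from collections import Counter

# RFC 4511 result codes commonly seen during a CA clone install. Codes not
# listed here are reported as "unknown(N)" rather than guessed.
LDAP_RESULT_CODES = {
    0: "success",
    1: "operationsError",
    16: "noSuchAttribute",
    20: "attributeOrValueExists",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
    65: "objectClassViolation",
    68: "entryAlreadyExists",
}

# Dogtag debug line: "[dd/Mon/yyyy:HH:MM:SS][thread-name]: message"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]:\s*(?P<msg>.*)$")
LDAP_ERR_RE = re.compile(r"LDAPException:\s*error result \((?P<code>\d+)\)")
# Two message shapes name a DN: "... adding entry <dn>:netscape..." and
# "Failed to modify <dn> entry." The DN ends at ":netscape" or " entry."
DN_RE = re.compile(
    r"(?:entry|modify)\s+(?P<dn>(?:cn|ou|o|dc|uid)=.+?)(?:\s+entry\.|:netscape)"
)

# Constructed sample, modelled on the lines quoted in the thread but re-joined
# onto single lines as they appear in the real file.
SAMPLE_LOG = """\
[22/Aug/2017:17:01:07][http-bio-8443-exec-3]: updateNumberRange(): status=0
[22/Aug/2017:17:02:09][http-bio-8443-exec-3]: enableReplication: Failed to modify cn=replica,cn="o=ipaca",cn=mapping tree,cn=config entry. Exception: netscape.ldap.LDAPException: error result (68)
[22/Aug/2017:17:02:52][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in adding entry ou=csusers,cn=config:netscape.ldap.LDAPException: error result (68)
[22/Aug/2017:17:02:52][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in modifying entry o=ipaca:netscape.ldap.LDAPException: error result (20)
[22/Aug/2017:17:03:09][localhost-startStop-1]: DBSubsystem: getNextRange. Unable to provide next range :netscape.ldap.LDAPException: error result (68)
"""


def parse_line(line):
    """Return a dict for one debug-log line, or None if it is not in the
    Dogtag format. 'code', 'name' and 'dn' are None when the line carries
    no LDAPException."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    msg = m.group("msg")
    rec = {
        "ts": m.group("ts"),
        "thread": m.group("thread"),
        # The component that logged the message (enableReplication,
        # LDAPUtil, DBSubsystem, ...) is the text before the first colon.
        "step": msg.split(":", 1)[0].strip(),
        "msg": msg,
        "code": None,
        "name": None,
        "dn": None,
    }
    err = LDAP_ERR_RE.search(msg)
    if err:
        code = int(err.group("code"))
        rec["code"] = code
        rec["name"] = LDAP_RESULT_CODES.get(code, f"unknown({code})")
        dn = DN_RE.search(msg)
        rec["dn"] = dn.group("dn") if dn else None
    return rec


def ldap_failures(lines):
    """All parsed lines that carry an LDAP result code, in log order."""
    return [r for r in map(parse_line, lines) if r is not None and r["code"] is not None]


def summarize(lines):
    """Count failures per result-code name, e.g. {'entryAlreadyExists': 3, ...}."""
    return dict(Counter(r["name"] for r in ldap_failures(lines)))


if __name__ == "__main__":
    for r in ldap_failures(SAMPLE_LOG.splitlines()):
        print(f'{r["ts"]} {r["thread"]:<22} {r["step"]:<18} {r["name"]:<24} {r["dn"] or "-"}')
    print(summarize(SAMPLE_LOG.splitlines()))
```

Run it against the real file with `python3 triage.py < /var/lib/pki/pki-tomcat/ca/logs/debug` after swapping `SAMPLE_LOG.splitlines()` for `sys.stdin`; the per-DN output tells you which entries the clone configuration hit on the replica's own Directory Server, which is the first thing to compare against the master's log that Rob points at.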
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org