Looks like we're missing an LDAP connection port?

[09/Jun/2021:10:02:54][localhost-startStop-1]: LdapBoundConnFactory: init Property internaldb.ldapconn.port missing value

Full debug log is at https://gist.github.com/wortmanb/7782c5c0c4318c2aec17f2eea589b567

--
Bret Wortman
bret.wort...@damascusgrp.com

On Wed, Jun 9, 2021, at 4:59 AM, Bret Wortman via FreeIPA-users wrote:
> My misunderstanding, sorry. This is from the existing CA since that's
> where I thought the problem would be. Okay, going back and looking at
> the debug log on the new server to see if it's more revealing.
>
>
> --
> Bret Wortman
> bret.wort...@damascusgrp.com
>
> On Tue, Jun 8, 2021, at 2:27 PM, Rob Crittenden wrote:
> > Bret Wortman via FreeIPA-users wrote:
> > > I was tailing several logs in /var/log/pki/pki-tomcat/ca/ (debug, system,
> > > and transactions) and though the replica installation failed again at the
> > > same point, this is what I got from the logs throughout the installation
> > > process:
> >
> > This doesn't seem to show any errors. Reading the pki logs can be
> > problematic as it often charges on after an error is encountered so
> > subsequent errors are basically red herrings but I don't see anything
> > wrong here at all, or I'm missing something.
> >
> > The IPA installer calls pki-spawn <bunch of options> so not much comes
> > back to us. It's a black box. Can you provide the whole debug log,
> > out-of-band is fine too. I'd also suggest looking at the debug log on
> > the existing CA as it may be part of the communication as well.
> >
> > rob
> >
> > >
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: SecurityDomainResource.getDomainInfo()
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: mapping: default
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: required auth methods: [*]
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: anonymous access allowed
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: SecurityDomainResource.getDomainInfo()
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: No ACL mapping.
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: SecurityDomainResource.getDomainInfo()
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: content-type: null
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: accept: [application/json]
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: response format: application/json
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: according to ccMode, authorization for servlet: securitydomain is LDAP based, not XML {1}, use default authz mgr: {2}.
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: LdapBoundConnFactory: init
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: LdapBoundConnFactory:doCloning true
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: LdapAuthInfo: init()
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: LdapAuthInfo: init begins
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: LdapAuthInfo: init ends
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: init: before makeConnection errorIfDown is false
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: makeConnection: errorIfDown false
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: LdapJssSSLSocket set client auth cert nicknamesubsystemCert cert-pki-ca
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: SSL handshake happened
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: Established LDAP connection with SSL client auth to ipa1.our.net:636
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: initializing with mininum 3 and maximum 15 connections to host ipa1.our.net port 636, secure connection, true, authentication type 2
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: increasing minimum connections by 3
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: new total available connections 3
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: new number of connections 3
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: In LdapBoundConnFactory::getConn()
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: masterConn is connected: true
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: getConn: conn is connected true
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: getConn: mNumConns now 2
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: name: IPA
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: subtype: CA
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: - cn=ipa1.our.net:443,cn=CAList,ou=Security Domain,o=ipaca
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: - objectClass: top
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: - host: ipa1.our.net
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: - SecurePort: 443
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: - SecureAgentPort: 443
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: - SecureAdminPort: 443
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: - SecureEEClientAuthPort: 443
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: - UnSecurePort: 80
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: - Clone: FALSE
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: - SubsystemName: CA ipa1.our.net 8443
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: - cn: ipa1.our.net:443
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: - DomainManager: TRUE
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: subtype: OCSP
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: subtype: KRA
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: subtype: RA
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: subtype: TKS
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: SecurityDomainProcessor: subtype: TPS
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: Releasing ldap connection
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: returnConn: mNumConns now 3
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: Authentication: UID=admin
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: In LdapBoundConnFactory::getConn()
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: masterConn is connected: true
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: getConn: conn is connected true
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: getConn: mNumConns now 2
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: LdapAnonConnFactory::getConn
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: LdapAnonConnFactory.getConn(): num avail conns now 2
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: returnConn: mNumConns now 3
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: SSL handshake happened
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: returnConn: mNumConns now 2
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: In LdapBoundConnFactory::getConn()
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: masterConn is connected: true
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: getConn: conn is connected true
> > > [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: getConn: mNumConns now 2
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: returnConn: mNumConns now 3
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: In LdapBoundConnFactory::getConn()
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: masterConn is connected: true
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: getConn: conn is connected true
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: getConn: mNumConns now 2
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: returnConn: mNumConns now 3
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: In LdapBoundConnFactory::getConn()
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: masterConn is connected: true
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: getConn: conn is connected true
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: getConn: mNumConns now 2
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: returnConn: mNumConns now 3
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: AccountResource.login()
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: mapping: account
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: required auth methods: [passwdUserDBAuthMgr, certUserDBAuthMgr]
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: authentication manager: passwdUserDBAuthMgr
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: access granted
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: AccountResource.login()
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: mapping: account.login
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: principal: admin
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: ACL: certServer.ca.account,login
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: checkACLS(): ACLEntry expressions= user="anybody"
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: evaluating expressions: user="anybody"
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: evaluated expression: user="anybody" to be true
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: DirAclAuthz: authorization passed
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: access granted
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: AccountResource.login()
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: content-type: null
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: accept: [application/json]
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: response format: application/json
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: AccountResource.logout()
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: mapping: account
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: required auth methods: [passwdUserDBAuthMgr, certUserDBAuthMgr]
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: authentication manager: passwdUserDBAuthMgr
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: AuthMethodInterceptor: access granted
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: AccountResource.logout()
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: mapping: account.logout
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: principal: admin
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: ACL: certServer.ca.account,logout
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: checkACLS(): ACLEntry expressions= user="anybody"
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: evaluating expressions: user="anybody"
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: evaluated expression: user="anybody" to be true
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: DirAclAuthz: authorization passed
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: ACLInterceptor: access granted
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: AccountResource.logout()
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: content-type: null
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: accept: [application/json]
> > > [08/Jun/2021:06:35:46][ajp-bio-127.0.0.1-8009-exec-2]: MessageFormatInterceptor: response format: application/json
> > >
> > > It again failed at this point:
> > >
> > > Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
> > > [1/30]: configuring certificate server instance
> > > ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmph2SUT4' returned non-zero exit status 1
> > > ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
> > > ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
> > > [error] RuntimeError: CA configuration failed.
> > > Your system may be partly configured.
> > > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> > >
> > > ipapython.admintool: ERROR CA configuration failed.
> > > ipapython.admintool: ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
> > >
> > >
> > > Is there another way to transfer or duplicate the CA? We are ultimately
> > > planning to shut this box down due to its age, and currently it is the
> > > only CA, but it seems to be trying to hang on to its job security... ;-)
> > >
> >
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
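One way to triage a pki-tomcat debug log like the one quoted in this thread, as an added example that is not part of the thread or of FreeIPA/Dogtag: it parses the `[timestamp][thread]: message` line shape, lists every CS.cfg property the subsystem reports as `missing value` (the `internaldb.ldapconn.port` line at the top of the reply), and returns only the earliest error-marked line, since, as Rob notes, the log keeps going after a failure and later entries are often red herrings. The sample lines are constructed from entries quoted in the thread; the error markers are an assumption, not a Dogtag convention.

```python
import re
from typing import Dict, List, Optional

# Shape of a pki-tomcat debug log line, as quoted in the thread:
# [08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: LdapBoundConnFactory: init
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]:\s*(?P<msg>.*)$")

# A CS.cfg property looked up and found empty, e.g.
# "LdapBoundConnFactory: init Property internaldb.ldapconn.port missing value"
MISSING_RE = re.compile(r"Property\s+(?P<prop>[\w.\-]+)\s+missing value")

# Assumed markers of a genuine failure (lower-cased match). Dogtag keeps
# logging after one, so only the earliest hit is worth chasing first.
ERROR_MARKERS = ("missing value", "exception", "failed")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one debug line into ts/thread/msg; None if it is not a log line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def missing_properties(lines: List[str]) -> List[str]:
    """Every configuration property the log reports as having no value, in order."""
    found: List[str] = []
    for line in lines:
        rec = parse_line(line)
        m = MISSING_RE.search(rec["msg"]) if rec else None
        if m and m.group("prop") not in found:
            found.append(m.group("prop"))
    return found


def first_error(lines: List[str]) -> Optional[Dict[str, str]]:
    """The earliest parsed line whose message carries an error marker, or None."""
    for line in lines:
        rec = parse_line(line)
        if rec and any(mk in rec["msg"].lower() for mk in ERROR_MARKERS):
            return rec
    return None


# Constructed sample: three routine lines quoted in the thread, then the
# startup error from the top of the reply.
SAMPLE_LOG = """\
[08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: LdapBoundConnFactory: init
[08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: LdapBoundConnFactory:doCloning true
[08/Jun/2021:06:35:45][ajp-bio-127.0.0.1-8009-exec-2]: Established LDAP connection with SSL client auth to ipa1.our.net:636
[09/Jun/2021:10:02:54][localhost-startStop-1]: LdapBoundConnFactory: init Property internaldb.ldapconn.port missing value
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("missing properties:", missing_properties(lines))
    err = first_error(lines)
    if err:
        print("first error:", err["ts"], err["thread"], err["msg"])
```

Point it at `/var/log/pki/pki-tomcat/ca/debug` on the new replica (`first_error(open(path).read().splitlines())`) to get the earliest failure instead of scrolling past the interceptor chatter.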