On 18/01/2022 11:23, lejeczek via FreeIPA-users wrote:
Hi guys.

Adding a second master failed a number of times, so I went without '--setup-ca'; now on that master I get lots of:

Invalid PKI instance: pki-tomcat:

  {
    "source": "pki.server.healthcheck.certs.expiration",
    "check": "CASystemCertExpiryCheck",
    "result": "CRITICAL",
    "uuid": "7b920e6a-4f47-4541-80fa-e9d87dadff20",
    "when": "20220118102040Z",
    "duration": "0.000175",
    "kw": {
      "msg": "Invalid PKI instance: pki-tomcat"
    }
  },
...
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertfileExpirationCheck",
    "result": "ERROR",
    "uuid": "fb01a7bd-3457-4007-8c3d-66662e23b6df",
    "when": "20220118102040Z",
    "duration": "0.006617",
    "kw": {
      "key": "20210709164208",
      "dbdir": "/etc/pki/pki-tomcat/alias",
      "nickname": "auditSigningCert cert-pki-kra",
      "error": "NSSDB '/etc/pki/pki-tomcat/alias' not initialized.",
      "msg": "Request id {key}: Unable to retrieve cert '{nickname}' from '{dbdir}': {error}"
    }
  },
..


first master's healthcheck does not mention these problems.
Is it that IPA - falsely - believes that this second master is a CA/KRA? If so, then how to resolve this? This second master, according to '--uninstall', was removed successfully (each time '--setup-ca' failed).

many thanks, L.

And when the CA install fails on that replica candidate, it does so each time with:
...
FINE: - subject: SYSTEM
FINE: PKIClientSocketListener.alertSent: begins
FINE: PKIClientSocketListener.alertSent: got description:0
FINE: PKIClientSocketListener.alertSent: got reason:clientAlertSent: CLOSE_NOTIFY
FINE: SignedAuditLogger: event CLIENT_ACCESS_SESSION_TERMINATED
FINE: PKIClientSocketListener: SSL alert sent:
FINE: - reason: clientAlertSent: CLOSE_NOTIFY
FINE: - client: 10.0.0.8
FINE: - server: 10.0.0.8
FINE: - subject: SYSTEM
FINE: - server port: 636
com.netscape.certsrv.base.ConflictingOperationException: Entry already exists.
    at com.netscape.certsrv.ldap.LDAPExceptionConverter.toPKIException(LDAPExceptionConverter.java:45)
    at com.netscape.cmscore.usrgrp.UGSubsystem.addUser(UGSubsystem.java:720)
    at org.dogtagpki.server.cli.SubsystemUserAddCLI.execute(SubsystemUserAddCLI.java:180)
    at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
    at org.dogtagpki.cli.CLI.execute(CLI.java:357)
    at org.dogtagpki.cli.CLI.execute(CLI.java:357)
    at org.dogtagpki.cli.CLI.execute(CLI.java:357)
    at org.dogtagpki.server.cli.PKIServerCLI.execute(PKIServerCLI.java:93)
    at org.dogtagpki.server.cli.PKIServerCLI.main(PKIServerCLI.java:123)
Caused by: netscape.ldap.LDAPException: error result (68); Already exists
    at netscape.ldap.LDAPConnection.checkMsg(Unknown Source)
    at netscape.ldap.LDAPConnection.add(Unknown Source)
    at netscape.ldap.LDAPConnection.add(Unknown Source)
    at netscape.ldap.LDAPConnection.add(Unknown Source)
    at com.netscape.cmscore.usrgrp.UGSubsystem.addUser(UGSubsystem.java:717)
    ... 7 more
CalledProcessError: Command '['/usr/sbin/runuser', '-u', 'pkiuser', '--', '/usr/lib/jvm/jre-1.8.0-openjdk/bin/java', '-classpath', '/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/tomcat-servlet-api.jar:/usr/share/pki/ca/webapps/ca/WEB-INF/lib/*:/var/lib/pki/pki-tomcat/common/lib/*:/usr/share/pki/lib/*', '-Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory', '-Dcatalina.base=/var/lib/pki/pki-tomcat', '-Dcatalina.home=/usr/share/tomcat', '-Djava.endorsed.dirs=', '-Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp', '-Djava.util.logging.config.file=/etc/pki/pki-tomcat/logging.properties', '-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager', '-Dcom.redhat.fips=false', 'org.dogtagpki.server.cli.PKIServerCLI', 'ca-user-add', '--full-name', 'CA-midway.abba.xx.priv.yy-8443', '--type', 'agentType', '--state', '1', '--debug', 'CA-midway.abba.xx.priv.yy-8443']' returned non-zero exit status 255.
  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 575, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 740, in spawn
    deployer.setup_subsystem_user(instance, subsystem, system_certs['subsystem'])
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/__init__.py", line 1040, in setup_subsystem_user
    state='1')
  File "/usr/lib/python3.6/site-packages/pki/server/subsystem.py", line 1521, in add_user
    capture_output=True)
  File "/usr/lib/python3.6/site-packages/pki/server/subsystem.py", line 1653, in run
    check=True)
  File "/usr/lib64/python3.6/subprocess.py", line 438, in run
    output=stdout, stderr=stderr)


2022-01-18T11:00:00Z CRITICAL Failed to configure CA instance


Something fundamentally wrong with that first master? (For healthcheck says nothing.)

thanks, L.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
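The healthcheck entries quoted above are raw JSON records in which kw["msg"] is a template whose {placeholders} are the other kw fields, which is why the ERROR entry is hard to read as posted. The script below, an added example that is not part of the post or of FreeIPA/Dogtag, parses such output, expands the templates, sorts findings worst first, and separates out findings from CA/KRA-specific sources so they can be compared against what the server is actually supposed to run. The sample input is constructed from the two entries in the post plus one made-up SUCCESS record; the PKI_SOURCES prefixes and the has_ca flag are this example's own choices (the flag is something the operator supplies, for instance from `ipa server-role-find --role 'CA server'`).

```python
"""Triage ipa-healthcheck JSON output (added example; not FreeIPA project code).

ipa-healthcheck --output-type json emits a list of result objects. Each has
"source", "check", "result" and "kw"; kw["msg"] is a str.format template whose
{placeholders} refer to the remaining kw fields, as seen in the post.
"""
import json
import sys

# Constructed sample: the two entries quoted in the post plus one SUCCESS record.
SAMPLE_JSON = r'''
[
  {
    "source": "pki.server.healthcheck.certs.expiration",
    "check": "CASystemCertExpiryCheck",
    "result": "CRITICAL",
    "uuid": "7b920e6a-4f47-4541-80fa-e9d87dadff20",
    "when": "20220118102040Z",
    "duration": "0.000175",
    "kw": {"msg": "Invalid PKI instance: pki-tomcat"}
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertfileExpirationCheck",
    "result": "ERROR",
    "uuid": "fb01a7bd-3457-4007-8c3d-66662e23b6df",
    "when": "20220118102040Z",
    "duration": "0.006617",
    "kw": {
      "key": "20210709164208",
      "dbdir": "/etc/pki/pki-tomcat/alias",
      "nickname": "auditSigningCert cert-pki-kra",
      "error": "NSSDB '/etc/pki/pki-tomcat/alias' not initialized.",
      "msg": "Request id {key}: Unable to retrieve cert '{nickname}' from '{dbdir}': {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.roles",
    "check": "IPACRLManagerCheck",
    "result": "SUCCESS",
    "uuid": "00000000-0000-0000-0000-000000000000",
    "when": "20220118102040Z",
    "duration": "0.000100",
    "kw": {}
  }
]
'''

SEVERITY = {"CRITICAL": 3, "ERROR": 2, "WARNING": 1, "SUCCESS": 0}

# Source prefixes whose checks only make sense on a server that runs a CA/KRA
# (assumption of this example; extend to taste).
PKI_SOURCES = ("pki.", "ipahealthcheck.dogtag.", "ipahealthcheck.ipa.certs")


def render(entry):
    """Expand kw['msg'] with the other kw fields, as the human output does."""
    kw = entry.get("kw", {})
    msg = kw.get("msg")
    if not msg:
        return ""
    try:
        return msg.format(**kw)
    except (KeyError, IndexError):
        return msg  # template names a field that is absent; show it raw


def triage(text, min_severity="WARNING"):
    """Parse healthcheck JSON; return findings at or above min_severity, worst first."""
    threshold = SEVERITY[min_severity]
    findings = []
    for entry in json.loads(text):
        level = SEVERITY.get(entry.get("result", ""), 0)
        if level < threshold:
            continue
        findings.append({
            "source": entry["source"],
            "check": entry["check"],
            "result": entry["result"],
            "message": render(entry),
        })
    findings.sort(key=lambda f: SEVERITY.get(f["result"], 0), reverse=True)
    return findings


def stale_pki_findings(findings, has_ca):
    """Findings from CA/KRA-specific sources on a server that should not host a CA.

    On a server that does hold the CA role these are real problems, not residue,
    so nothing is returned; on a non-CA server they point at leftover pki-tomcat
    or certmonger state from an earlier, failed '--setup-ca'.
    """
    if has_ca:
        return []
    return [f for f in findings if f["source"].startswith(PKI_SOURCES)]


if __name__ == "__main__":
    data = SAMPLE_JSON if sys.stdin.isatty() else sys.stdin.read()
    found = triage(data)
    for f in found:
        print(f"{f['result']:8} {f['source']}::{f['check']}  {f['message']}")
    for f in stale_pki_findings(found, has_ca=False):
        print("possible CA/KRA residue on a non-CA server:", f["check"])
```

Run it as `ipa-healthcheck --output-type json | python3 triage_healthcheck.py` on the affected replica; with no stdin it triages the embedded sample. Whether has_ca should be True or False for a given host is decided outside the script, from the server roles IPA itself records, not from what healthcheck found on disk.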
