>
> Do you have the original log from installing that KRA?
I've attached it.
> What healthcheck errors are you seeing?
The "unexpected cert" warnings are long-standing; they appear because I
have certmonger-managed certs for cockpit on the controller. The others
seem to be KRA-related:
Unable to retrieve cert: transportCert cert-pki-kra
Unable to retrieve cert: storageCert cert-pki-kra
Unable to retrieve cert: auditSigningCert cert-pki-kra
[
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertTracking",
"result": "ERROR",
"uuid": "fab3c57d-a8a0-40dc-bc19-a61e7a4d89e2",
"when": "20230407183208Z",
"duration": "0.668865",
"kw": {
"key": "cert-database=/etc/pki/pki-tomcat/alias, cert-
nickname=auditSigningCert cert-pki-kra, ca-name=dogtag-ipa-ca-renew-
agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad,
cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert
\"auditSigningCert cert-pki-kra\", template-
profile=caAuditSigningCert",
"msg": "Expected certmonger tracking is missing for {key}. Automated
renewal will not happen for this certificate"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertTracking",
"result": "ERROR",
"uuid": "771f3f3c-c097-4efc-b649-39ca883e4990",
"when": "20230407183208Z",
"duration": "0.697353",
"kw": {
"key": "cert-database=/etc/pki/pki-tomcat/alias, cert-
nickname=transportCert cert-pki-kra, ca-name=dogtag-ipa-ca-renew-agent,
cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-
postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert
\"transportCert cert-pki-kra\", template-profile=caTransportCert",
"msg": "Expected certmonger tracking is missing for {key}. Automated
renewal will not happen for this certificate"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertTracking",
"result": "ERROR",
"uuid": "45d65f75-86f2-4e69-b62a-968dcadfe933",
"when": "20230407183208Z",
"duration": "0.725562",
"kw": {
"key": "cert-database=/etc/pki/pki-tomcat/alias, cert-
nickname=storageCert cert-pki-kra, ca-name=dogtag-ipa-ca-renew-agent,
cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-
postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert
\"storageCert cert-pki-kra\", template-profile=caStorageCert",
"msg": "Expected certmonger tracking is missing for {key}. Automated
renewal will not happen for this certificate"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertTracking",
"result": "WARNING",
"uuid": "0147b205-ea93-45dd-b4ee-2e5137031c6f",
"when": "20230407183208Z",
"duration": "0.813082",
"kw": {
"key": "20210927043555",
"msg": "certmonger tracking request {key} found and is not expected on
an IPA master."
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertNSSTrust",
"result": "ERROR",
"uuid": "d928b9ed-a59f-46f0-94bc-1cee3915c945",
"when": "20230407183209Z",
"duration": "0.293241",
"kw": {
"key": "transportCert cert-pki-kra",
"nickname": "transportCert cert-pki-kra",
"dbdir": "/etc/pki/pki-tomcat/alias",
"msg": "Certificate {nickname} missing from {dbdir} while verifying
trust"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertNSSTrust",
"result": "ERROR",
"uuid": "27073a02-8378-4b54-9434-978496bc3ef4",
"when": "20230407183209Z",
"duration": "0.293253",
"kw": {
"key": "storageCert cert-pki-kra",
"nickname": "storageCert cert-pki-kra",
"dbdir": "/etc/pki/pki-tomcat/alias",
"msg": "Certificate {nickname} missing from {dbdir} while verifying
trust"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertNSSTrust",
"result": "ERROR",
"uuid": "7506a8c2-2cc0-4ac6-8deb-a6a71a54023c",
"when": "20230407183209Z",
"duration": "0.293279",
"kw": {
"key": "auditSigningCert cert-pki-kra",
"nickname": "auditSigningCert cert-pki-kra",
"dbdir": "/etc/pki/pki-tomcat/alias",
"msg": "Certificate {nickname} missing from {dbdir} while verifying
trust"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPADogtagCertsMatchCheck",
"result": "CRITICAL",
"uuid": "fb12bf41-4fc0-4b7c-8e58-a014ce47c525",
"when": "20230407183210Z",
"duration": "0.593639",
"kw": {
"exception": "no matching entry found",
"traceback": "Traceback (most recent call last):\n File
\"/usr/lib/python3.11/site-packages/ipahealthcheck/core/core.py\", line
56, in run_plugin\n for result in plugin.check():\n File
\"/usr/lib/python3.11/site-packages/ipahealthcheck/core/plugin.py\",
line 18, in wrapper\n for result in f(*args, **kwds):\n File
\"/usr/lib/python3.11/site-packages/ipahealthcheck/ipa/certs.py\", line
901, in check\n ipaca_certs_ok = yield from
match_ldap_nss_certs_by_subject(\n
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File
\"/usr/lib/python3.11/site-packages/ipahealthcheck/ipa/certs.py\", line
828, in match_ldap_nss_certs_by_subject\n entries = ldap.get_entries(\n
^^^^^^^^^^^^^^^^^\n File \"/usr/lib/python3.11/site-
packages/ipapython/ipaldap.py\", line 1453, in get_entries\n entries,
truncated = self.find_entries(\n ^^^^^^^^^^^^^^^^^^\n File
\"/usr/lib/python3.11/site-packages/ipapython/ipaldap.py\", line 1597,
in find_entries\n raise errors.EmptyResult(reason='no matching entry
found')\nipalib.errors.EmptyResult: no matching entry found\n"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPAKRAAgent",
"result": "ERROR",
"uuid": "7fa1fca0-0678-4872-ba2c-e3a60787d47e",
"when": "20230407183210Z",
"duration": "0.265466",
"kw": {
"key": "KRA",
"description": "2;805240873;CN=Certificate
Authority,O=IMLADRIS.LAN;CN=IPA RA,O=IMLADRIS.LAN",
"msg": "KRA agent not found in LDAP"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "99ce4f5c-0e92-44d8-8dd6-cccb25fcb7c0",
"when": "20230407183212Z",
"duration": "1.502588",
"kw": {
"key": null,
"dbdir": "/etc/pki/pki-tomcat/alias",
"nickname": "auditSigningCert cert-pki-kra",
"error": "Failed to get auditSigningCert cert-pki-kra",
"msg": "Unable to retrieve certificate '{nickname}' from {dbdir}:
{error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "5ad72560-7441-4099-a674-1413571b94a5",
"when": "20230407183212Z",
"duration": "1.563678",
"kw": {
"key": null,
"dbdir": "/etc/pki/pki-tomcat/alias",
"nickname": "transportCert cert-pki-kra",
"error": "Failed to get transportCert cert-pki-kra",
"msg": "Unable to retrieve certificate '{nickname}' from {dbdir}:
{error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "3d9adf37-cdea-46bf-89f0-cd101fee4afc",
"when": "20230407183212Z",
"duration": "1.624445",
"kw": {
"key": null,
"dbdir": "/etc/pki/pki-tomcat/alias",
"nickname": "storageCert cert-pki-kra",
"error": "Failed to get storageCert cert-pki-kra",
"msg": "Unable to retrieve certificate '{nickname}' from {dbdir}:
{error}"
}
},
{
"source": "ipahealthcheck.system.filesystemspace",
"check": "FileSystemSpaceCheck",
"result": "ERROR",
"uuid": "a46d2101-3274-4c90-81d0-1b02d94a7d4c",
"when": "20230407183217Z",
"duration": "0.000118",
"kw": {
"key": "/var/lib/dirsrv/",
"msg": "/var/lib/dirsrv/: free space percentage under threshold: 18% <
20%",
"store": "/var/lib/dirsrv/",
"percent_free": 18,
"threshold": 20
}
},
{
"source": "ipahealthcheck.system.filesystemspace",
"check": "FileSystemSpaceCheck",
"result": "ERROR",
"uuid": "b1743dac-757d-4718-9134-1bdb0cb995aa",
"when": "20230407183217Z",
"duration": "0.000174",
"kw": {
"key": "/var/lib/ipa/backup/",
"msg": "/var/lib/ipa/backup/: free space percentage under threshold:
18% < 20%",
"store": "/var/lib/ipa/backup/",
"percent_free": 18,
"threshold": 20
}
},
{
"source": "ipahealthcheck.system.filesystemspace",
"check": "FileSystemSpaceCheck",
"result": "ERROR",
"uuid": "73d75a7e-cab1-4642-b243-9ea1b6d5e2df",
"when": "20230407183217Z",
"duration": "0.000216",
"kw": {
"key": "/var/log/",
"msg": "/var/log/: free space percentage under threshold: 18% < 20%",
"store": "/var/log/",
"percent_free": 18,
"threshold": 20
}
},
{
"source": "ipahealthcheck.system.filesystemspace",
"check": "FileSystemSpaceCheck",
"result": "ERROR",
"uuid": "944f2056-4954-4bfe-a901-3955bfb9e4d5",
"when": "20230407183217Z",
"duration": "0.000258",
"kw": {
"key": "/var/tmp/",
"msg": "/var/tmp/: free space percentage under threshold: 18% < 20%",
"store": "/var/tmp/",
"percent_free": 18,
"threshold": 20
}
},
{
"source": "pki.server.healthcheck.certs.expiration",
"check": "KRASystemCertExpiryCheck",
"result": "ERROR",
"uuid": "76cc6843-d47f-4879-a9c4-92e5fdb7ffcf",
"when": "20230407183217Z",
"duration": "0.033473",
"kw": {
"cert_id": "transport",
"msg": "Unable to get cert's expiry date"
}
},
{
"source": "pki.server.healthcheck.certs.expiration",
"check": "KRASystemCertExpiryCheck",
"result": "ERROR",
"uuid": "92e25850-578c-41eb-80e3-09eeb6538275",
"when": "20230407183217Z",
"duration": "0.064507",
"kw": {
"cert_id": "storage",
"msg": "Unable to get cert's expiry date"
}
},
{
"source": "pki.server.healthcheck.certs.expiration",
"check": "KRASystemCertExpiryCheck",
"result": "ERROR",
"uuid": "9c57f4a9-c5e8-4851-bcb2-8fea3ada13ce",
"when": "20230407183218Z",
"duration": "0.221997",
"kw": {
"cert_id": "audit_signing",
"msg": "Unable to get cert's expiry date"
}
},
{
"source": "pki.server.healthcheck.certs.trustflags",
"check": "KRASystemCertTrustFlagCheck",
"result": "ERROR",
"uuid": "7c7a968c-1337-4aac-bf2a-fc376207cd3d",
"when": "20230407183218Z",
"duration": "0.066155",
"kw": {
"key": "transport",
"nssdbDir": "/etc/pki/pki-tomcat/alias",
"msg": "Unable to load cert from NSSDB: 'NoneType' object has no
attribute 'group'"
}
},
{
"source": "pki.server.healthcheck.certs.trustflags",
"check": "KRASystemCertTrustFlagCheck",
"result": "ERROR",
"uuid": "acb8c421-553c-4aea-9f3d-44df6de45bd2",
"when": "20230407183218Z",
"duration": "0.128915",
"kw": {
"key": "storage",
"nssdbDir": "/etc/pki/pki-tomcat/alias",
"msg": "Unable to load cert from NSSDB: 'NoneType' object has no
attribute 'group'"
}
},
{
"source": "pki.server.healthcheck.certs.trustflags",
"check": "KRASystemCertTrustFlagCheck",
"result": "ERROR",
"uuid": "29122bb0-5f70-4cf4-9999-bb67ffd4c32e",
"when": "20230407183218Z",
"duration": "0.384702",
"kw": {
"key": "audit_signing",
"nssdbDir": "/etc/pki/pki-tomcat/alias",
"msg": "Unable to load cert from NSSDB: 'NoneType' object has no
attribute 'group'"
}
},
{
"source": "pki.server.healthcheck.meta.connectivity",
"check": "DogtagKRAConnectivityCheck",
"result": "ERROR",
"uuid": "66ff4f8e-76fd-4e49-917c-22a2d9a36869",
"when": "20230407183220Z",
"duration": "0.118461",
"kw": {
"msg": "KRA server is up. But, unable to retrieve transport cert",
"serverURI": "https://localhost:8443",
"rest_path": "/ca/rest/config/cert"
}
}
]
--
Martin Jackson <[email protected]>
2023-04-06T15:52:43Z DEBUG Logging to /var/log/ipaserver-kra-install.log
2023-04-06T15:52:43Z DEBUG ipa-kra-install was invoked with arguments [] and options: {'verbose': False, 'quiet': False, 'log_file': None, 'no_host_dns': False, 'unattended': False, 'uninstall': False, 'pki_config_override': None}
2023-04-06T15:52:43Z DEBUG IPA version 4.10.1-1.fc37
2023-04-06T15:52:43Z DEBUG IPA platform fedora
2023-04-06T15:52:43Z DEBUG IPA os-release Fedora Linux 37 (Thirty Seven)
2023-04-06T15:52:43Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2023-04-06T15:52:43Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2023-04-06T15:52:43Z DEBUG Starting external process
2023-04-06T15:52:43Z DEBUG args=['pki-server', 'subsystem-show', 'kra']
2023-04-06T15:52:44Z DEBUG Process finished, return code=1
2023-04-06T15:52:44Z DEBUG stdout=
2023-04-06T15:52:44Z DEBUG stderr=ERROR: ERROR: No kra subsystem in instance pki-tomcat.
2023-04-06T15:52:44Z DEBUG Starting new HTTPS connection (1): srv-ds-2.imladris.lan:8443
2023-04-06T15:52:45Z DEBUG https://srv-ds-2.imladris.lan:8443 "GET /ca/rest/securityDomain/domainInfo HTTP/1.1" 200 2399
2023-04-06T15:52:45Z DEBUG Created connection context.ldap2_139658998283344
2023-04-06T15:52:45Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2023-04-06T15:52:45Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2023-04-06T15:52:45Z DEBUG Starting external process
2023-04-06T15:52:45Z DEBUG args=['pki-server', 'subsystem-show', 'kra']
2023-04-06T15:52:45Z DEBUG Process finished, return code=1
2023-04-06T15:52:45Z DEBUG stdout=
2023-04-06T15:52:45Z DEBUG stderr=ERROR: ERROR: No kra subsystem in instance pki-tomcat.
2023-04-06T15:52:45Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2023-04-06T15:52:45Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2023-04-06T15:52:45Z DEBUG Trying to find certificate subject base in sysupgrade
2023-04-06T15:52:45Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2023-04-06T15:52:45Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2023-04-06T15:52:45Z DEBUG Found certificate subject base in sysupgrade: O=IMLADRIS.LAN
2023-04-06T15:52:45Z DEBUG retrieving schema for SchemaCache url=ldapi://%2Fvar%2Frun%2Fslapd-IMLADRIS-LAN.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f04e4a41210>
2023-04-06T15:52:45Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2023-04-06T15:52:45Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2023-04-06T15:52:45Z DEBUG Starting external process
2023-04-06T15:52:45Z DEBUG args=['pki-server', 'subsystem-show', 'kra']
2023-04-06T15:52:45Z DEBUG Process finished, return code=1
2023-04-06T15:52:45Z DEBUG stdout=
2023-04-06T15:52:45Z DEBUG stderr=ERROR: ERROR: No kra subsystem in instance pki-tomcat.
2023-04-06T15:52:45Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2023-04-06T15:52:45Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2023-04-06T15:52:45Z DEBUG Starting external process
2023-04-06T15:52:45Z DEBUG args=['pki-server', 'subsystem-show', 'ca']
2023-04-06T15:52:46Z DEBUG Process finished, return code=0
2023-04-06T15:52:46Z DEBUG stdout= Subsystem ID: ca
Instance ID: pki-tomcat
Enabled: True
2023-04-06T15:52:46Z DEBUG stderr=
2023-04-06T15:52:46Z DEBUG Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes
2023-04-06T15:52:46Z DEBUG [1/9]: configuring KRA instance
2023-04-06T15:52:46Z DEBUG Trying to find the certificate for the admin user
2023-04-06T15:52:46Z DEBUG retrieving schema for SchemaCache url=ldapi://%2Frun%2Fslapd-IMLADRIS-LAN.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f04e444c050>
2023-04-06T15:52:46Z DEBUG Contents of pkispawn configuration file (/tmp/tmp5fpy0lmt):
[KRA]
pki_admin_cert_file = /root/.dogtag/pki-tomcat/ca_admin.cert
pki_admin_cert_request_type = pkcs10
pki_admin_dualkey = False
pki_admin_email = root@localhost
pki_admin_name = admin
pki_admin_nickname = ipa-ca-agent
pki_admin_password = XXXXXXXX
pki_admin_subject_dn = cn=ipa-ca-agent,O=IMLADRIS.LAN
pki_admin_uid = admin
pki_ajp_secret = 1StjXBHWFXT42YM1QXz2ruqvG3xddqw6xpWb143lFFLr
pki_audit_group = pkiaudit
pki_audit_signing_key_algorithm = SHA256withRSA
pki_audit_signing_key_size = 2048
pki_audit_signing_key_type = rsa
pki_audit_signing_nickname = auditSigningCert cert-pki-kra
pki_audit_signing_signing_algorithm = SHA256withRSA
pki_audit_signing_subject_dn = cn=KRA Audit,O=IMLADRIS.LAN
pki_audit_signing_token = internal
pki_backup_keys = True
pki_backup_password = XXXXXXXX
pki_ca_hostname = srv-ds-2.imladris.lan
pki_ca_port = 443
pki_ca_signing_cert_path = /etc/pki/pki-tomcat/external_ca.cert
pki_ca_signing_nickname = caSigningCert cert-pki-ca
pki_cert_chain_nickname = caSigningCert External CA
pki_cert_chain_path = /etc/pki/pki-tomcat/external_ca_chain.cert
pki_client_admin_cert_p12 = /tmp/tmpger3zwff
pki_client_database_dir = /var/lib/ipa/tmp-uiz3auyo
pki_client_database_password = XXXXXXXX
pki_client_database_purge = True
pki_client_dir = /root/.dogtag/pki-tomcat
pki_client_pkcs12_password = XXXXXXXX
pki_configuration_path = /etc/pki
pki_dns_domainname = imladris.lan
pki_ds_base_dn = o=kra,o=ipaca
pki_ds_bind_dn = cn=Directory Manager
pki_ds_create_new_db = False
pki_ds_database = ipaca
pki_ds_hostname = srv-ds-2.imladris.lan
pki_ds_ldap_port = 389
pki_ds_ldaps_port = 636
pki_ds_password = XXXXXXXX
pki_ds_remove_data = True
pki_ds_secure_connection = True
pki_ds_secure_connection_ca_nickname = Directory Server CA certificate
pki_ds_secure_connection_ca_pem_file = /etc/ipa/ca.crt
pki_enable_proxy = True
pki_existing = False
pki_external_step_two = False
pki_group = pkiuser
pki_hostname = srv-ds-2.imladris.lan
pki_hsm_enable = False
pki_hsm_libfile =
pki_hsm_modulename =
pki_import_admin_cert = False
pki_instance_configuration_path = /etc/pki/pki-tomcat
pki_instance_name = pki-tomcat
pki_issuing_ca = https://srv-ds-2.imladris.lan:443
pki_issuing_ca_hostname = srv-ds-2.imladris.lan
pki_issuing_ca_https_port = 443
pki_issuing_ca_uri = https://srv-ds-2.imladris.lan:443
pki_key_id_generator = legacy
pki_kra_ephemeral_requests = True
pki_pkcs12_password =
pki_pkcs12_path =
pki_replication_password =
pki_request_id_generator = legacy
pki_san_for_server_cert =
pki_san_inject = False
pki_security_domain_hostname = srv-ds-2.imladris.lan
pki_security_domain_https_port = 443
pki_security_domain_name = IPA
pki_security_domain_password = XXXXXXXX
pki_security_domain_user = admin
pki_self_signed_token = internal
pki_share_db = True
pki_share_dbuser_dn = uid=pkidbuser,ou=people,o=ipaca
pki_skip_configuration = False
pki_skip_ds_verify = False
pki_skip_installation = False
pki_skip_sd_verify = False
pki_sslserver_key_algorithm = SHA256withRSA
pki_sslserver_key_size = 2048
pki_sslserver_key_type = rsa
pki_sslserver_nickname = Server-Cert cert-pki-ca
pki_sslserver_subject_dn = cn=srv-ds-2.imladris.lan,O=IMLADRIS.LAN
pki_sslserver_token = internal
pki_standalone = False
pki_status_request_timeout = 15
pki_storage_key_algorithm = SHA256withRSA
pki_storage_key_size = 2048
pki_storage_key_type = rsa
pki_storage_nickname = storageCert cert-pki-kra
pki_storage_signing_algorithm = SHA256withRSA
pki_storage_subject_dn = cn=KRA Storage Certificate,O=IMLADRIS.LAN
pki_storage_token = internal
pki_subsystem = KRA
pki_subsystem_key_algorithm = SHA256withRSA
pki_subsystem_key_size = 2048
pki_subsystem_key_type = rsa
pki_subsystem_nickname = subsystemCert cert-pki-ca
pki_subsystem_subject_dn = cn=CA Subsystem,O=IMLADRIS.LAN
pki_subsystem_token = internal
pki_subsystem_type = kra
pki_theme_enable = True
pki_theme_server_dir = /usr/share/pki/common-ui
pki_token_name = internal
pki_transport_key_algorithm = SHA256withRSA
pki_transport_key_size = 2048
pki_transport_key_type = rsa
pki_transport_nickname = transportCert cert-pki-kra
pki_transport_signing_algorithm = SHA256withRSA
pki_transport_subject_dn = cn=KRA Transport Certificate,O=IMLADRIS.LAN
pki_transport_token = internal
pki_user = pkiuser
2023-04-06T15:52:46Z DEBUG Starting external process
2023-04-06T15:52:46Z DEBUG args=['/usr/sbin/pkispawn', '-s', 'KRA', '-f', '/tmp/tmp5fpy0lmt', '--debug', '--log-file', '/var/log/pki/pki-kra-spawn.20230406105246.log']
2023-04-06T15:52:59Z DEBUG Process finished, return code=1
2023-04-06T15:52:59Z DEBUG stdout=Loading deployment configuration from /tmp/tmp5fpy0lmt.
Installation log: /var/log/pki/pki-kra-spawn.20230406105246.log
Installing KRA into /var/lib/pki/pki-tomcat.
Installation failed: Command failed: /usr/sbin/runuser -u pkiuser -- /usr/lib/jvm/jre-11-openjdk/bin/java -classpath /usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/tomcat-servlet-api.jar:/usr/share/pki/kra/webapps/kra/WEB-INF/lib/*:/var/lib/pki/pki-tomcat/common/lib/*:/usr/share/pki/lib/* -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Dcom.redhat.fips=false org.dogtagpki.server.cli.PKIServerCLI kra-db-empty --force --debug
Please check pkispawn logs in /var/log/pki/pki-kra-spawn.20230406105246.log
2023-04-06T15:52:59Z DEBUG stderr=INFO: Connecting to LDAP server at ldaps://srv-ds-2.imladris.lan:636
INFO: Connecting to LDAP server at ldaps://srv-ds-2.imladris.lan:636
INFO: Connecting to security domain at https://srv-ds-2.imladris.lan:443
INFO: Getting security domain info
INFO: BEGIN spawning KRA subsystem in pki-tomcat instance
INFO: Loading instance: pki-tomcat
INFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf
INFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf
INFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf
INFO: Loading password config: /etc/pki/pki-tomcat/password.conf
INFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
INFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg
INFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat
DEBUG: - user: pkiuser
DEBUG: - group: pkiuser
INFO: Setting up pkiuser group
INFO: Reusing existing pkiuser group with GID 17
INFO: Setting up pkiuser user
INFO: Reusing existing pkiuser user with UID 17
DEBUG: Retrieving UID for 'pkiuser'
DEBUG: UID of 'pkiuser' is 17
DEBUG: Retrieving GID for 'pkiuser'
DEBUG: GID of 'pkiuser' is 17
INFO: Initialization
INFO: Setting up infrastructure
INFO: Creating /etc/sysconfig/pki/tomcat/pki-tomcat
INFO: Creating /etc/sysconfig/pki/tomcat/pki-tomcat/kra
DEBUG: Command: mkdir -p /etc/sysconfig/pki/tomcat/pki-tomcat/kra
DEBUG: Command: chmod 770 /etc/sysconfig/pki/tomcat/pki-tomcat/kra
DEBUG: Command: chown 17:17 /etc/sysconfig/pki/tomcat/pki-tomcat/kra
INFO: Creating /etc/sysconfig/pki/tomcat/pki-tomcat/kra/default.cfg
DEBUG: Command: cp -p /usr/share/pki/server/etc/default.cfg /etc/sysconfig/pki/tomcat/pki-tomcat/kra/default.cfg
DEBUG: Command: chmod 660 /etc/sysconfig/pki/tomcat/pki-tomcat/kra/default.cfg
DEBUG: Command: chown 17:17 /etc/sysconfig/pki/tomcat/pki-tomcat/kra/default.cfg
DEBUG: Command: touch /etc/sysconfig/pki/tomcat/pki-tomcat/kra/deployment.cfg
DEBUG: Command: chmod 660 /etc/sysconfig/pki/tomcat/pki-tomcat/kra/deployment.cfg
DEBUG: Command: chown 17:17 /etc/sysconfig/pki/tomcat/pki-tomcat/kra/deployment.cfg
INFO: Creating /var/lib/pki/pki-tomcat
INFO: Creating /var/lib/pki/pki-tomcat/kra
DEBUG: Command: mkdir -p /var/lib/pki/pki-tomcat/kra
DEBUG: Command: chmod 770 /var/lib/pki/pki-tomcat/kra
DEBUG: Command: chown 17:17 /var/lib/pki/pki-tomcat/kra
INFO: Preparing pki-tomcat instance
INFO: Loading instance: pki-tomcat
INFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf
INFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf
INFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf
INFO: Loading password config: /etc/pki/pki-tomcat/password.conf
INFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
INFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg
INFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat
DEBUG: - user: pkiuser
DEBUG: - group: pkiuser
INFO: Creating /etc/pki/pki-tomcat
INFO: Creating /etc/pki/pki-tomcat
WARNING: Directory already exists: /etc/pki/pki-tomcat
INFO: Creating /etc/pki/pki-tomcat/password.conf
INFO: Reusing server NSS database password
INFO: Using specified internal database password
INFO: Reusing replication manager password
INFO: Installing pki-tomcat instance
INFO: Creating KRA subsystem
INFO: Creating /var/log/pki/pki-tomcat/kra
DEBUG: Command: mkdir /var/log/pki/pki-tomcat/kra
INFO: Creating /var/log/pki/pki-tomcat/kra/archive
DEBUG: Command: mkdir /var/log/pki/pki-tomcat/kra/archive
INFO: Creating /var/log/pki/pki-tomcat/kra/signedAudit
DEBUG: Command: mkdir /var/log/pki/pki-tomcat/kra/signedAudit
INFO: Creating /etc/pki/pki-tomcat/kra
DEBUG: Command: mkdir /etc/pki/pki-tomcat/kra
INFO: Creating /etc/pki/pki-tomcat/kra/CS.cfg
DEBUG: Command: cp /usr/share/pki/kra/conf/CS.cfg /etc/pki/pki-tomcat/kra/CS.cfg
INFO: Creating /etc/pki/pki-tomcat/kra/registry.cfg
INFO: Creating /var/lib/pki/pki-tomcat/kra/conf
DEBUG: Command: ln -s /etc/pki/pki-tomcat/kra /var/lib/pki/pki-tomcat/kra/conf
INFO: Creating /var/lib/pki/pki-tomcat/kra/logs
DEBUG: Command: ln -s /var/log/pki/pki-tomcat/kra /var/lib/pki/pki-tomcat/kra/logs
INFO: Creating /var/lib/pki/pki-tomcat/kra/registry
DEBUG: Command: ln -s /etc/sysconfig/pki/tomcat/pki-tomcat /var/lib/pki/pki-tomcat/kra/registry
INFO: Loading instance: pki-tomcat
INFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf
INFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf
INFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf
INFO: Loading password config: /etc/pki/pki-tomcat/password.conf
INFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
INFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg
INFO: Loading subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
INFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat
DEBUG: - user: pkiuser
DEBUG: - group: pkiuser
DEBUG: PKISubsystem.get_subsystem_cert(transport)
INFO: Getting transport cert info from CS.cfg
DEBUG: PKISubsystem.get_subsystem_cert(storage)
INFO: Getting storage cert info from CS.cfg
DEBUG: PKISubsystem.get_subsystem_cert(sslserver)
INFO: Getting sslserver cert info from CS.cfg
DEBUG: PKISubsystem.get_subsystem_cert(subsystem)
INFO: Getting subsystem cert info from CS.cfg
DEBUG: PKISubsystem.get_subsystem_cert(audit_signing)
INFO: Getting audit_signing cert info from CS.cfg
INFO: Storing subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
INFO: Storing registry config: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg
INFO: Loading instance: pki-tomcat
INFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf
INFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf
INFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf
INFO: Loading password config: /etc/pki/pki-tomcat/password.conf
INFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
INFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg
INFO: Loading subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
INFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg
INFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat
DEBUG: - user: pkiuser
DEBUG: - group: pkiuser
INFO: Creating password file: /etc/pki/pki-tomcat/pfile
INFO: Updating /etc/pki/pki-tomcat/password.conf
DEBUG: Command: chmod 660 /etc/pki/pki-tomcat/password.conf
DEBUG: Command: chown 17:17 /etc/pki/pki-tomcat/password.conf
INFO: Creating /var/lib/pki/pki-tomcat/kra/alias
DEBUG: Command: ln -s /var/lib/pki/pki-tomcat/alias /var/lib/pki/pki-tomcat/kra/alias
INFO: Removing /etc/pki/pki-tomcat/pfile
DEBUG: Command: rm -f /etc/pki/pki-tomcat/pfile
DEBUG: PKISubsystem.get_subsystem_cert(transport)
INFO: Getting transport cert info from CS.cfg
DEBUG: PKISubsystem.get_subsystem_cert(storage)
INFO: Getting storage cert info from CS.cfg
DEBUG: PKISubsystem.get_subsystem_cert(sslserver)
INFO: Getting sslserver cert info from CS.cfg
DEBUG: PKISubsystem.get_subsystem_cert(subsystem)
INFO: Getting subsystem cert info from CS.cfg
DEBUG: PKISubsystem.get_subsystem_cert(audit_signing)
INFO: Getting audit_signing cert info from CS.cfg
INFO: Injecting SAN: False
INFO: SSL server cert SAN:
INFO: Storing subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
INFO: Storing registry config: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg
INFO: Creating /root/.dogtag/pki-tomcat/kra
DEBUG: Command: mkdir -p /root/.dogtag/pki-tomcat/kra
DEBUG: Command: chmod 755 /root/.dogtag/pki-tomcat/kra
DEBUG: Command: chown 0:0 /root/.dogtag/pki-tomcat/kra
INFO: Creating password file: /root/.dogtag/pki-tomcat/kra/password.conf
INFO: Updating /root/.dogtag/pki-tomcat/kra/password.conf
DEBUG: Command: chmod 660 /root/.dogtag/pki-tomcat/kra/password.conf
DEBUG: Command: chown 0:0 /root/.dogtag/pki-tomcat/kra/password.conf
INFO: Storing PKCS #12 password in /root/.dogtag/pki-tomcat/kra/pkcs12_password.conf
INFO: Updating /root/.dogtag/pki-tomcat/kra/pkcs12_password.conf
DEBUG: Command: chmod 660 /root/.dogtag/pki-tomcat/kra/pkcs12_password.conf
DEBUG: Command: chown 17:17 /root/.dogtag/pki-tomcat/kra/pkcs12_password.conf
WARNING: Directory already exists: /var/lib/ipa/tmp-uiz3auyo
DEBUG: Command: certutil -N -d /var/lib/ipa/tmp-uiz3auyo -f /root/.dogtag/pki-tomcat/kra/password.conf
INFO: Creating SELinux contexts
INFO: Generating system keys
INFO: Loading instance: pki-tomcat
INFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf
INFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf
INFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf
INFO: Loading password config: /etc/pki/pki-tomcat/password.conf
INFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
INFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg
INFO: Loading subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
INFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg
INFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat
DEBUG: - user: pkiuser
DEBUG: - group: pkiuser
INFO: Configuring subsystem
INFO: Loading instance: pki-tomcat
INFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf
INFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf
INFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf
INFO: Loading password config: /etc/pki/pki-tomcat/password.conf
INFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
INFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg
INFO: Loading subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
INFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg
INFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat
DEBUG: - user: pkiuser
DEBUG: - group: pkiuser
DEBUG: Setting ephemeral requests to true
INFO: Storing subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
INFO: Storing registry config: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg
INFO: Importing sslserver cert data from CA
INFO: Importing subsystem cert data from CA
INFO: Importing sslserver request data from CA
INFO: Importing subsystem request data from CA
INFO: Joining existing domain
INFO: Searching for srv-ds-2.imladris.lan:443
INFO: - srv-ds-2.imladris.lan:443
INFO: Getting install token
INFO: Using CA at https://srv-ds-2.imladris.lan:443
INFO: Retrieving CA certificate chain from https://srv-ds-2.imladris.lan:443
DEBUG: Command: pki -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/password.conf -U https://srv-ds-2.imladris.lan:443 --ignore-cert-status UNTRUSTED_ISSUER --ignore-banner ca-cert-signing-export --pkcs7 --debug
INFO: Connecting to https://srv-ds-2.imladris.lan:443
INFO: HTTP request: GET /pki/rest/info HTTP/1.1
INFO: Accept: application/json
INFO: Host: srv-ds-2.imladris.lan:443
INFO: Connection: Keep-Alive
INFO: User-Agent: Apache-HttpClient/4.5.13 (Java/17.0.6)
FINE: Request:
INFO: Server certificate: CN=srv-ds-2.imladris.lan,O=IMLADRIS.LAN
INFO: HTTP response: HTTP/1.1 200 200
INFO: Date: Thu, 06 Apr 2023 15:52:56 GMT
INFO: Server: Apache/2.4.56 (Fedora Linux) OpenSSL/3.0.8 mod_wsgi/4.9.1 Python/3.11 mod_auth_gssapi/1.6.3
INFO: Set-Cookie: JSESSIONID=6E45EEC763EB29FC773FFDA7B2BF3AB2; Path=/pki; Secure; HttpOnly
INFO: Content-Type: application/json
INFO: Content-Length: 50
INFO: Vary: Accept-Encoding
INFO: Keep-Alive: timeout=30, max=100
INFO: Connection: Keep-Alive
FINE: Response:
{"Version":"10.7.3","Attributes":{"Attribute":[]}}
INFO: Server Name: null
INFO: Server Version: 10.7.3
INFO: Gettting CA signing certificate chain through REST service
INFO: HTTP request: GET /ca/rest/config/cert/signing HTTP/1.1
INFO: Accept: application/json
INFO: Host: srv-ds-2.imladris.lan:443
INFO: Connection: Keep-Alive
INFO: User-Agent: Apache-HttpClient/4.5.13 (Java/17.0.6)
FINE: Request:
INFO: HTTP response: HTTP/1.1 200 200
INFO: Date: Thu, 06 Apr 2023 15:52:56 GMT
INFO: Server: Apache/2.4.56 (Fedora Linux) OpenSSL/3.0.8 mod_wsgi/4.9.1 Python/3.11 mod_auth_gssapi/1.6.3
INFO: Cache-Control: no-transform, max-age=1000
INFO: ETag: "5747047"
INFO: Content-Type: application/json
INFO: Content-Length: 2869
INFO: Vary: Accept-Encoding
INFO: Keep-Alive: timeout=30, max=99
INFO: Connection: Keep-Alive
FINE: Response:
{"id":"0x1","IssuerDN":"CN=Certificate Authority,O=IMLADRIS.LAN","SubjectDN":"CN=Certificate Authority,O=IMLADRIS.LAN","Encoded":"-----BEGIN CERTIFICATE-----\nMIIDjjCCAnagAwIBAgIBATANBgkqhkiG9w0BAQsFADA3MRUwEwYDVQQKDAxJTUxBRFJJUy5MQU4x\r\nHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNjExMzAxODU0MzNaFw0zNjExMzAx\r\nODU0MzNaMDcxFTATBgNVBAoMDElNTEFEUklTLkxBTjEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0\r\naG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzGIY7t3hkMEJDCTa9plc5qdy\r\n6/P/RXYkm1xQ8JsleH9stWW8JiGf1aeFQSC3nVnweOU8HbHdpSmRjfmMTau+N92XYRUigHL98E0n\r\nOuWvzhxGblXtJOADIWiDdYLdeKAfdgXgIY7eXGAm5yG+Yoqa0bsRcGsXy4rorKBMxaQvNBqfFDj9\r\nIzNSrkXTmP1p9QDXmjcXJ59mgioFUOKhKa+NmsLPdidyDmfFaJmGoMVOp/MwSLc8COt5gSPkOD+Z\r\n5ASCsT7EisRGcORnMRWFMHb9SEWRN/sEXKQ4fLwWbvQjpXKWk7vzWnAPa7XCpZZ9gKiZ69EgpMzq\r\nZ3fhXDITTXcSRQIDAQABo4GkMIGhMB8GA1UdIwQYMBaAFOJjUTKWj5T/bnzw3HzXXRmRNYPyMA8G\r\nA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgHGMB0GA1UdDgQWBBTiY1Eylo+U/2588Nx8110Z\r\nkTWD8jA+BggrBgEFBQcBAQQyMDAwLgYIKwYBBQUHMAGGImh0dHA6Ly9pcGEtY2EuaW1sYWRyaXMu\r\nbGFuL2NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBAKanBYbE7Bf9rVJcdIYHqhU1nC9SN+KvDDrP\r\nOr9Nezd53gRzCs7DcXlLd2kJGUkUGgZWHUF3F2TacLKBnM3u+NQ6yek16WrPSfWgcKNKhzbNADcK\r\nULNTKsYQBTNT6o2CFTxGbX8dWW0tlSZVJOw3smG7dwq9y3zORDHIqplwlHr3lsUyACDhC/ZjCRZs\r\nOvr+p1sE5itqyzItJfHX2z0sHxuxJxOXGqSC5JyrsVpOT4GgDHSFT1s9xba8PcPjdlWG+1DHwpzJ\r\n66UP4MrNFX3qfLqVNTr4BaZx6qSyLvm6fTU/Sz2e33CXXB25lYtumx7LFrqrbeuP7cjYiHL+eaKo\r\nKAw=\r\n-----END CERTIFICATE-----\n","PKCS7CertChain":"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","NotBefore":"Wed Nov 30 12:54:33 CST 2016","NotAfter":"Sun Nov 30 12:54:33 CST 2036"}
INFO: Importing CA certificate chain
DEBUG: NSSDatabase.import_pkcs7()
DEBUG: Command: pki -d /etc/pki/pki-tomcat/alias -C /tmp/tmpbcvioqq8/internal_password.txt pkcs7-import --trust CT,C,C --debug
INFO: Loading PKCS #7 data from standard input
INFO: Initializing NSS
INFO: Logging into internal token
INFO: Using internal token
INFO: - CN=Certificate Authority,O=IMLADRIS.LAN
INFO: Storing subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
INFO: Storing registry config: /var/lib/pki/pki-tomcat/kra/conf/registry.cfg
INFO: Emptying existing database
DEBUG: Command: /usr/sbin/runuser -u pkiuser -- /usr/lib/jvm/jre-11-openjdk/bin/java -classpath /usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/tomcat-servlet-api.jar:/usr/share/pki/kra/webapps/kra/WEB-INF/lib/*:/var/lib/pki/pki-tomcat/common/lib/*:/usr/share/pki/lib/* -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Dcom.redhat.fips=false org.dogtagpki.server.cli.PKIServerCLI kra-db-empty --force --debug
Error: LinkageError occurred while loading main class org.dogtagpki.server.cli.PKIServerCLI
java.lang.UnsupportedClassVersionError: org/dogtagpki/server/cli/PKIServerCLI has been compiled by a more recent version of the Java Runtime (class file version 61.0), this version of the Java Runtime only recognizes class file versions up to 55.0
CalledProcessError: Command '['/usr/sbin/runuser', '-u', 'pkiuser', '--', '/usr/lib/jvm/jre-11-openjdk/bin/java', '-classpath', '/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/tomcat-servlet-api.jar:/usr/share/pki/kra/webapps/kra/WEB-INF/lib/*:/var/lib/pki/pki-tomcat/common/lib/*:/usr/share/pki/lib/*', '-Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory', '-Dcatalina.base=/var/lib/pki/pki-tomcat', '-Dcatalina.home=/usr/share/tomcat', '-Djava.endorsed.dirs=', '-Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp', '-Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties', '-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager', '-Dcom.redhat.fips=false', 'org.dogtagpki.server.cli.PKIServerCLI', 'kra-db-empty', '--force', '--debug']' returned non-zero exit status 1.
File "/usr/lib/python3.11/site-packages/pki/server/pkispawn.py", line 589, in main
scriptlet.spawn(deployer)
File "/usr/lib/python3.11/site-packages/pki/server/deployment/scriptlets/configuration.py", line 493, in spawn
subsystem.empty_database(force=True)
File "/usr/lib/python3.11/site-packages/pki/server/subsystem.py", line 994, in empty_database
self.run(cmd, as_current_user=as_current_user)
File "/usr/lib/python3.11/site-packages/pki/server/subsystem.py", line 1695, in run
return subprocess.run(
^^^^^^^^^^^^^^^
File "/usr/lib64/python3.11/subprocess.py", line 571, in run
raise CalledProcessError(retcode, process.args,
2023-04-06T15:52:59Z CRITICAL Failed to configure KRA instance
2023-04-06T15:52:59Z CRITICAL See the installation logs and the following files/directories for more information:
2023-04-06T15:52:59Z CRITICAL /var/log/pki/pki-tomcat
2023-04-06T15:52:59Z DEBUG Traceback (most recent call last):
File "/usr/lib/python3.11/site-packages/ipaserver/install/service.py", line 686, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.11/site-packages/ipaserver/install/service.py", line 672, in run_step
method()
File "/usr/lib/python3.11/site-packages/ipaserver/install/krainstance.py", line 223, in __spawn_instance
DogtagInstance.spawn_instance(
File "/usr/lib/python3.11/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
self.handle_setup_error(e)
File "/usr/lib/python3.11/site-packages/ipaserver/install/dogtaginstance.py", line 604, in handle_setup_error
raise RuntimeError(
RuntimeError: KRA configuration failed.
2023-04-06T15:52:59Z DEBUG [error] RuntimeError: KRA configuration failed.
2023-04-06T15:52:59Z DEBUG Removing /var/lib/ipa/tmp-uiz3auyo
2023-04-06T15:52:59Z DEBUG Removing /root/.dogtag/pki-tomcat/kra
2023-04-06T15:52:59Z ERROR
Your system may be partly configured.
If you run into issues, you may have to re-install IPA on this server.
2023-04-06T15:52:59Z DEBUG File "/usr/lib/python3.11/site-packages/ipapython/admintool.py", line 180, in execute
return_value = self.run()
^^^^^^^^^^
File "/usr/lib/python3.11/site-packages/ipaserver/install/ipa_kra_install.py", line 218, in run
kra.install(api, config, self.options, custodia=custodia)
File "/usr/lib/python3.11/site-packages/ipaserver/install/kra.py", line 100, in install
kra.configure_instance(
File "/usr/lib/python3.11/site-packages/ipaserver/install/krainstance.py", line 139, in configure_instance
self.start_creation(runtime=120)
File "/usr/lib/python3.11/site-packages/ipaserver/install/service.py", line 686, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.11/site-packages/ipaserver/install/service.py", line 672, in run_step
method()
File "/usr/lib/python3.11/site-packages/ipaserver/install/krainstance.py", line 223, in __spawn_instance
DogtagInstance.spawn_instance(
File "/usr/lib/python3.11/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
self.handle_setup_error(e)
File "/usr/lib/python3.11/site-packages/ipaserver/install/dogtaginstance.py", line 604, in handle_setup_error
raise RuntimeError(
2023-04-06T15:52:59Z DEBUG The ipa-kra-install command failed, exception: RuntimeError: KRA configuration failed.
2023-04-06T15:52:59Z ERROR KRA configuration failed.
2023-04-06T15:52:59Z ERROR The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information