On 11.02.2016 12:51, Quasar wrote:
Martin,

I've re-tested the replica with a freshly-installed CentOS 7 (1511).
Installation still fails (damn!) and the log is a bit more verbose. I suppose it has something to do with the certificate in my master server, probably due to incremental updates done in the past.

2016-02-11T11:09:21Z DEBUG Starting external process
2016-02-11T11:09:21Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpRHosRn'
2016-02-11T11:10:58Z DEBUG Process finished, return code=1
2016-02-11T11:10:58Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160211120921.log
Loading deployment configuration from /tmp/tmpRHosRn.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

Installation failed.


2016-02-11T11:10:58Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
pkispawn : WARNING ....... unable to validate security domain user/password through REST interface. Interface not available
pkispawn : ERROR ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error while updating security domain: java.io.IOException: 2"}

2016-02-11T11:10:58Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpRHosRn'' returned non-zero exit status 1
2016-02-11T11:10:58Z CRITICAL See the installation logs and the following files/directories for more information:
2016-02-11T11:10:58Z CRITICAL   /var/log/pki-ca-install.log
2016-02-11T11:10:58Z CRITICAL   /var/log/pki/pki-tomcat
2016-02-11T11:10:58Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
    run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
    method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 620, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
    self.handle_setup_error(e)
File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

I'm attaching the 3 log files, as usual:



On Thu, Feb 11, 2016 at 11:28 AM, Quasar <quas...@gmail.com> wrote:

    Hi Martin,

    first of all thanks for taking some time to read and provide
    feedback, much appreciated.

    I first tried with CentOS 7.x (build 1511) but got the same
    error during CA configuration. Then I supposed I had to upgrade
    step-by-step, from 3.0 to 3.3 (instead of 3.0 to 4.x) and used
    Fedora 23, 20, 19 and 18 but with no luck.
    If you need the exact logs from the CentOS 7.x migration I can
    provide them to you.

    About the debug log file, it was attached and these are the final
    lines containing the error:

    [09/Feb/2016:15:31:42][http-bio-8443-exec-3]: getDomainXML:
    domainInfo=<?xml version="1.0" encoding="UTF-8" standalone="no"?><DomainInfo><Name>IPA</Name><CAList><CA><Host>ipaserver.it.fx.lan</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><UnSecurePort>80</UnSecurePort><Clone>FALSE</Clone><SubsystemName>pki-cad</SubsystemName><DomainManager>TRUE</DomainManager></CA><CA><Host>ipaserver-ha.it.fx.lan</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><UnSecurePort>80</UnSecurePort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><DomainManager>TRUE</DomainManager><Clone>TRUE</Clone><SubsystemName>pki-cad</SubsystemName></CA><SubsystemCount>2</SubsystemCount></CAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><RAList><SubsystemCount>0</SubsystemCount></RAList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo>
    [09/Feb/2016:15:31:42][http-bio-8443-exec-3]: Cloning a domain master
    [09/Feb/2016:15:31:42][http-bio-8443-exec-3]: WizardPanelBase
    updateDomainXML start hostname=ipaserver.it.fx.lan port=443
    [09/Feb/2016:15:31:42][http-bio-8443-exec-3]:
    updateSecurityDomain: failed to update security domain using admin
    port 443: org.xml.sax.SAXParseException; lineNumber: 1;
    columnNumber: 50; White spaces are required between publicId and
    systemId.
    [09/Feb/2016:15:31:42][http-bio-8443-exec-3]:
    updateSecurityDomain: now trying agent port with client auth
    [09/Feb/2016:15:31:42][http-bio-8443-exec-3]: WizardPanelBase
    updateDomainXML start hostname=ipaserver.it.fx.lan port=443
    [09/Feb/2016:15:31:42][http-bio-8443-exec-3]: updateDomainXML()
    nickname=subsystemCert cert-pki-ca
    [09/Feb/2016:15:31:43][http-bio-8443-exec-3]: WizardPanelBase
    updateDomainXML: status=1



-- Giuseppe Calignano





I'm not sure but it looks like the known bug in dogtag 9 and 10 compatibility (I will try to find related bugzillas). This should be already fixed in RHEL, so I do not know when it will hit CentOS or if it is already there.

pkispawn : WARNING ....... unable to validate security domain user/password through REST interface. Interface not available
pkispawn : ERROR ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error while updating security domain: java.io.IOException: 2"}

But I might be wrong, Dogtag guys can you look at it please? :-)

Martin
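
The `ParseError ... line 1, column 0` record in the pkispawn output above is followed by a JSON body, which is what an XML parser reports when it is handed JSON. The Python below is an added example for triaging such logs, not part of the thread and not FreeIPA or Dogtag code: it splits run-together pkispawn records, decodes the embedded `PKIException` body, and reproduces the parser position. All function names are hypothetical, and the sample is constructed from the lines quoted in this thread.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample: the pkispawn stderr records quoted in this thread,
# run together on one line as they appear in the install log.
SAMPLE = (
    'pkispawn : WARNING ....... unable to validate security domain '
    'user/password through REST interface. Interface not available '
    'pkispawn : ERROR ....... Exception from Java Configuration Servlet: '
    '500 Server Error: Internal Server Error '
    'pkispawn : ERROR ....... ParseError: not well-formed (invalid token): '
    'line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":'
    '"com.netscape.certsrv.base.PKIException","Code":500,"Message":'
    '"Error while updating security domain: java.io.IOException: 2"}'
)
RECORD = re.compile(r'pkispawn\s*:\s*(WARNING|ERROR)\s*\.+\s*')

def split_records(text):
    """Split run-together pkispawn output into (level, message) pairs."""
    parts = RECORD.split(text)  # [prefix, level, message, level, message, ...]
    return [(parts[i], parts[i + 1].strip()) for i in range(1, len(parts) - 1, 2)]

def embedded_json(message):
    """Return the first JSON object embedded in a message, or None."""
    start = message.find('{')
    while start != -1:
        try:
            obj, _ = json.JSONDecoder().raw_decode(message[start:])
            if isinstance(obj, dict):
                return obj
        except ValueError:
            pass
        start = message.find('{', start + 1)
    return None

def server_errors(text):
    """Collect (class, code, message) from server error bodies in the log."""
    bodies = (embedded_json(msg) for _, msg in split_records(text))
    return [(b["ClassName"], b.get("Code"), b.get("Message"))
            for b in bodies if b and "ClassName" in b]

def xml_parse_position(body):
    """(line, column) where an XML parser rejects body; None if it parses."""
    try:
        ET.fromstring(body)
    except ET.ParseError as exc:
        return exc.position
    return None
```

Calling `server_errors(SAMPLE)` surfaces the server-side message (`Error while updating security domain: java.io.IOException: 2`) that the client-side `ParseError` wording otherwise buries.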