On 11.02.2016 13:33, Quasar wrote:

Thank you!
Dodging the dogtag guys, then ;-)

Do you have CA configured as external CA?

It could be:
https://bugzilla.redhat.com/show_bug.cgi?id=1291747

I don't think that it is already in CentOS


On Thu 11 Feb 2016 13:26, Martin Basti <mba...@redhat.com> wrote:



    On 11.02.2016 12:51, Quasar wrote:
    Martin,

    I've re-tested the replica with a freshly-installed CentOS 7 (1511).
    Installation still fails (damn!) and the log is a bit more
    verbose. I suppose it has something to do with the certificate in my
    master server, probably due to incremental updates done in the past.

    2016-02-11T11:09:21Z DEBUG Starting external process
    2016-02-11T11:09:21Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA'
    '-f' '/tmp/tmpRHosRn'
    2016-02-11T11:10:58Z DEBUG Process finished, return code=1
    2016-02-11T11:10:58Z DEBUG stdout=Log file:
    /var/log/pki/pki-ca-spawn.20160211120921.log
    Loading deployment configuration from /tmp/tmpRHosRn.
    Installing CA into /var/lib/pki/pki-tomcat.
    Storing deployment configuration into
    /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

    Installation failed.


    2016-02-11T11:10:58Z DEBUG
    stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
    InsecureRequestWarning: Unverified HTTPS request is being made.
    Adding certificate verification is strongly advised. See:
    https://urllib3.readthedocs.org/en/latest/security.html
      InsecureRequestWarning)
    pkispawn    : WARNING  ....... unable to validate security domain
    user/password through REST interface. Interface not available
    pkispawn    : ERROR    ....... Exception from Java Configuration
    Servlet: 500 Server Error: Internal Server Error
    pkispawn    : ERROR    ....... ParseError: not well-formed
    (invalid token): line 1, column 0:
    
    {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error while updating security domain: java.io.IOException: 2"}

    2016-02-11T11:10:58Z CRITICAL Failed to configure CA instance:
    Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpRHosRn''
    returned non-zero exit status 1
    2016-02-11T11:10:58Z CRITICAL See the installation logs and the
    following files/directories for more information:
    2016-02-11T11:10:58Z CRITICAL /var/log/pki-ca-install.log
    2016-02-11T11:10:58Z CRITICAL /var/log/pki/pki-tomcat
    2016-02-11T11:10:58Z DEBUG Traceback (most recent call last):
      File
    "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
    line 418, in start_creation
        run_step(full_msg, method)
      File
    "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
    line 408, in run_step
        method()
      File
    "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
    line 620, in __spawn_instance
        DogtagInstance.spawn_instance(self, cfg_file)
      File
    "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
    line 201, in spawn_instance
        self.handle_setup_error(e)
      File
    "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
    line 465, in handle_setup_error
        raise RuntimeError("%s configuration failed." % self.subsystem)
    RuntimeError: CA configuration failed.

    I'm attaching the 3 log files, as usual:



    On Thu, Feb 11, 2016 at 11:28 AM, Quasar <quas...@gmail.com> wrote:

        Hi Martin,

        first of all thanks for taking some time to read and provide
        feedback, much appreciated.

        I first tried with CentOS 7.x (build 1511) but got the same
        error during CA configuration. Then I supposed I had to
        upgrade step-by-step, from 3.0 to 3.3 (instead of 3.0 to 4.x)
        and used Fedora 23, 20, 19 and 18 but with no luck.
        If you need the exact log from CentOS 7.x migration I can
        provide them to you.

        About the debug log file, it was attached and these are the
        final lines containing the error:

        [09/Feb/2016:15:31:42][http-bio-8443-exec-3]: getDomainXML:
        domainInfo=<?xml version="1.0" encoding="UTF-8" standalone="no"?><DomainInfo><Name>IPA</Name><CAList><CA><Host>ipaserver.it.fx.lan</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><UnSecurePort>80</UnSecurePort><Clone>FALSE</Clone><SubsystemName>pki-cad</SubsystemName><DomainManager>TRUE</DomainManager></CA><CA><Host>ipaserver-ha.it.fx.lan</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><UnSecurePort>80</UnSecurePort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><DomainManager>TRUE</DomainManager><Clone>TRUE</Clone><SubsystemName>pki-cad</SubsystemName></CA><SubsystemCount>2</SubsystemCount></CAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><RAList><SubsystemCount>0</SubsystemCount></RAList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo>
        [09/Feb/2016:15:31:42][http-bio-8443-exec-3]: Cloning a
        domain master
        [09/Feb/2016:15:31:42][http-bio-8443-exec-3]: WizardPanelBase
        updateDomainXML start hostname=ipaserver.it.fx.lan port=443
        [09/Feb/2016:15:31:42][http-bio-8443-exec-3]:
        updateSecurityDomain: failed to update security domain using
        admin port 443: org.xml.sax.SAXParseException; lineNumber: 1;
        columnNumber: 50; White spaces are required between publicId
        and systemId.
        [09/Feb/2016:15:31:42][http-bio-8443-exec-3]:
        updateSecurityDomain: now trying agent port with client auth
        [09/Feb/2016:15:31:42][http-bio-8443-exec-3]: WizardPanelBase
        updateDomainXML start hostname=ipaserver.it.fx.lan port=443
        [09/Feb/2016:15:31:42][http-bio-8443-exec-3]:
        updateDomainXML() nickname=subsystemCert cert-pki-ca
        [09/Feb/2016:15:31:43][http-bio-8443-exec-3]: WizardPanelBase
        updateDomainXML: status=1



-- Giuseppe Calignano





    I'm not sure but it looks like the known bug in dogtag 9 and 10
    compatibility (I will try to find related bugzillas).
    This should be already fixed in RHEL, so I do not know when it
    will hit CentOS or if it is already there.

    pkispawn    : WARNING  ....... unable to validate security domain
    user/password through REST interface. Interface not available
    pkispawn    : ERROR    ....... Exception from Java Configuration
    Servlet: 500 Server Error: Internal Server Error
    pkispawn    : ERROR    ....... ParseError: not well-formed
    (invalid token): line 1, column 0:
    
    {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error while updating security domain: java.io.IOException: 2"}

    But I might be wrong, Dogtag guys can you look at it please? :-)


    Martin

