I am trying to migrate from OS 6.x / IPA 3.0 to OS 7.x / IPA 4.x. After working 
through and solving a few issues, my current efforts fail when setting up the 
replica CA.

If I set up a new, pristine master on OS 6.7, I am able to create an OS 7.x 
replica without any problem. However, if I try to create a replica from my 
two-year-old test lab instance (production will be another matter for the future) 
it fails. The test lab master was created a couple of years ago on OS 6.3 / IPA 
2.x and has been upgraded to the latest versions in the 6.x chain. It is old 
enough to have had all the certificates renewed, but I believe I have worked 
through all the issues related to that.

Below is what I believe are the useful portions of the pertinent logs. I've not 
been able to find anything online that speaks to the errors I am seeing.

Thanks for your help.



/var/log/ipareplica-install.log


2016-03-23T21:55:11Z DEBUG Configuring certificate server (pki-tomcatd). 
Estimated time: 3 minutes 30 seconds
2016-03-23T21:55:11Z DEBUG   [1/23]: creating certificate server user
2016-03-23T21:55:11Z DEBUG group pkiuser exists
2016-03-23T21:55:11Z DEBUG user pkiuser exists
2016-03-23T21:55:11Z DEBUG   duration: 0 seconds
2016-03-23T21:55:11Z DEBUG   [2/23]: configuring certificate server instance
2016-03-23T21:55:11Z DEBUG Loading StateFile from 
'/var/lib/ipa/sysrestore/sysrestore.state'
2016-03-23T21:55:11Z DEBUG Saving StateFile to 
'/var/lib/ipa/sysrestore/sysrestore.state'
2016-03-23T21:55:11Z DEBUG Contents of pkispawn configuration file 
(/tmp/tmpGQ59ZC):
[CA]
pki_security_domain_name = IPA
pki_enable_proxy = True
pki_restart_configured_instance = False
pki_backup_keys = True
pki_backup_password = XXXXXXXX
pki_profiles_in_ldap = True
pki_client_database_dir = /tmp/tmp-g0CKZ3
pki_client_database_password = XXXXXXXX
pki_client_database_purge = False
pki_client_pkcs12_password = XXXXXXXX
pki_admin_name = admin
pki_admin_uid = admin
pki_admin_email = root@localhost
pki_admin_password = XXXXXXXX
pki_admin_nickname = ipa-ca-agent
pki_admin_subject_dn = cn=ipa-ca-agent,O=EXAMPLE.COM
pki_client_admin_cert_p12 = /root/ca-agent.p12
pki_ds_ldap_port = 389
pki_ds_password = XXXXXXXX
pki_ds_base_dn = o=ipaca
pki_ds_database = ipaca
pki_subsystem_subject_dn = cn=CA Subsystem,O=EXAMPLE.COM
pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=EXAMPLE.COM
pki_ssl_server_subject_dn = cn=pt-idm-vm01.example.com,O=EXAMPLE.COM
pki_audit_signing_subject_dn = cn=CA Audit,O=EXAMPLE.COM
pki_ca_signing_subject_dn = cn=Certificate Authority,O=EXAMPLE.COM
pki_subsystem_nickname = subsystemCert cert-pki-ca
pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
pki_ssl_server_nickname = Server-Cert cert-pki-ca
pki_audit_signing_nickname = auditSigningCert cert-pki-ca
pki_ca_signing_nickname = caSigningCert cert-pki-ca
pki_ca_signing_key_algorithm = SHA256withRSA
pki_security_domain_hostname = ptipa1.example.com
pki_security_domain_https_port = 443
pki_security_domain_user = admin
pki_security_domain_password = XXXXXXXX
pki_clone = True
pki_clone_pkcs12_path = /tmp/ca.p12
pki_clone_pkcs12_password = XXXXXXXX
pki_clone_replication_security = TLS
pki_clone_replication_master_port = 7389
pki_clone_replication_clone_port = 389
pki_clone_replicate_schema = False
pki_clone_uri = https://ptipa1.example.com:443


2016-03-23T21:55:11Z DEBUG Starting external process
2016-03-23T21:55:11Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' 
'/tmp/tmpGQ59ZC'
2016-03-23T21:56:51Z DEBUG Process finished, return code=1
2016-03-23T21:56:51Z DEBUG stdout=Log file: 
/var/log/pki/pki-ca-spawn.20160323175511.log
Loading deployment configuration from /tmp/tmpGQ59ZC.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into 
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

Installation failed.
2016-03-23T21:56:51Z DEBUG 
stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: 
InsecureRequestWarning: Unverified HTTPS request is being made. Adding 
certificate verification is strongly advised. See: 
https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
pkispawn    : WARNING  ....... unable to validate security domain user/password 
through REST interface. Interface not available
pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: 500 
Server Error: Internal Server Error
pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token): 
line 1, column 0: 
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error
 while updating security domain: java.io.IOException: 2"}

2016-03-23T21:56:51Z CRITICAL Failed to configure CA instance: Command 
''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpGQ59ZC'' returned non-zero exit 
status 1
2016-03-23T21:56:51Z CRITICAL See the installation logs and the following 
files/directories for more information:
2016-03-23T21:56:51Z CRITICAL   /var/log/pki-ca-install.log
2016-03-23T21:56:51Z CRITICAL   /var/log/pki/pki-tomcat
2016-03-23T21:56:51Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
418, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
408, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 
620, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", 
line 201, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", 
line 465, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

2016-03-23T21:56:51Z DEBUG   [error] RuntimeError: CA configuration failed.
2016-03-23T21:56:51Z DEBUG   File 
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311, 
in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 281, 
in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 303, 
in execute
    for nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, 
in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, 
in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, 
in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, 
in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, 
in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 524, 
in _configure
    executor.next()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, 
in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, 
in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, 
in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, 
in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, 
in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, 
in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, 
in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, 
in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, 
in _install
    for nothing in self._installer(self.parent):
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", 
line 879, in main
    install(self)
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", 
line 295, in decorated
    func(installer)
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", 
line 584, in install
    ca.install(False, config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 106, in 
install
    install_step_0(standalone, replica_config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 130, in 
install_step_0
    ra_p12=getattr(options, 'ra_p12', None))
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 
1543, in install_replica_ca
    subject_base=config.subject_base)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 
486, in configure_instance
    self.start_creation(runtime=210)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
418, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
408, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 
620, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", 
line 201, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", 
line 465, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)

2016-03-23T21:56:51Z DEBUG The ipa-replica-install command failed, exception: 
RuntimeError: CA configuration failed.
2016-03-23T21:56:51Z ERROR CA configuration failed.




/var/log/pki/pki-ca-spawn.<date>.log


2016-03-23 17:55:12 pkispawn    : INFO     ....... rm -f 
/etc/pki/pki-tomcat/ca/noise
2016-03-23 17:55:12 pkispawn    : INFO     ....... rm -f 
/etc/pki/pki-tomcat/pfile
2016-03-23 17:55:12 pkispawn    : INFO     ....... ln -s 
/lib/systemd/system/pki-tomcatd@.service 
/etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service
2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chown -h 17:17 
/etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service
2016-03-23 17:55:12 pkispawn    : INFO     ... configuring 
'pki.server.deployment.scriptlets.configuration'
2016-03-23 17:55:12 pkispawn    : INFO     ....... mkdir -p 
/root/.dogtag/pki-tomcat/ca
2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chmod 755 
/root/.dogtag/pki-tomcat/ca
2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chown 0:0 
/root/.dogtag/pki-tomcat/ca
2016-03-23 17:55:12 pkispawn    : INFO     ....... generating 
'/root/.dogtag/pki-tomcat/ca/password.conf'
2016-03-23 17:55:12 pkispawn    : INFO     ....... modifying 
'/root/.dogtag/pki-tomcat/ca/password.conf'
2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chmod 660 
/root/.dogtag/pki-tomcat/ca/password.conf
2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chown 0:0 
/root/.dogtag/pki-tomcat/ca/password.conf
2016-03-23 17:55:12 pkispawn    : INFO     ....... generating 
'/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
2016-03-23 17:55:12 pkispawn    : INFO     ....... modifying 
'/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chmod 660 
/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chown 17:17 
/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
2016-03-23 17:55:12 pkispawn    : INFO     ....... executing 'certutil -N -d 
/tmp/tmp-g0CKZ3 -f /root/.dogtag/pki-tomcat/ca/password.conf'
2016-03-23 17:55:12 pkispawn    : INFO     ....... executing 'systemctl 
daemon-reload'
2016-03-23 17:55:12 pkispawn    : INFO     ....... executing 'systemctl start 
pki-tomcatd@pki-tomcat.service'
2016-03-23 17:55:12 pkispawn    : DEBUG    ........... No connection - server 
may still be down
2016-03-23 17:55:12 pkispawn    : DEBUG    ........... No connection - 
exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
2016-03-23 17:55:13 pkispawn    : DEBUG    ........... No connection - server 
may still be down
2016-03-23 17:55:13 pkispawn    : DEBUG    ........... No connection - 
exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
2016-03-23 17:55:24 pkispawn    : DEBUG    ........... <?xml version="1.0" 
encoding="UTF-8" 
standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status>running</Status><Version>10.2.5-6.el7</Version></XMLResponse>
2016-03-23 17:55:25 pkispawn    : INFO     ....... constructing PKI 
configuration data.
2016-03-23 17:55:25 pkispawn    : INFO     ....... configuring PKI 
configuration data.
2016-03-23 17:56:51 pkispawn    : ERROR    ....... Exception from Java 
Configuration Servlet: 500 Server Error: Internal Server Error
2016-03-23 17:56:51 pkispawn    : ERROR    ....... ParseError: not well-formed 
(invalid token): line 1, column 0: 
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error
 while updating security domain: java.io.IOException: 2"}
2016-03-23 17:56:51 pkispawn    : DEBUG    ....... Error Type: ParseError
2016-03-23 17:56:51 pkispawn    : DEBUG    ....... Error Message: not 
well-formed (invalid token): line 1, column 0
2016-03-23 17:56:51 pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", 
line 597, in main
    rv = instance.spawn(deployer)
  File 
"/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py",
 line 116, in spawn
    json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", 
line 3906, in configure_pki_data
    root = ET.fromstring(e.response.text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML
    parser.feed(text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed
    self._raiseerror(v)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in 
_raiseerror
    raise err





/var/log/pki/pki-tomcat/ca/debug

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password ok: store 
in memory cache
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init ends
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before makeConnection 
errorIfDown is false
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: errorIfDown false
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP connection using 
basic authentication to host pt-idm-vm01.example.com port 389 as cn=Directory 
Manager
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with mininum 3 and 
maximum 15 connections to host pt-idm-vm01.example.com port 389, secure 
connection, false, authentication type 1
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum connections by 
3
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available connections 3
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of connections 3
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In LdapBoundConnFactory::getConn()
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: true
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is connected true
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now 2
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS: 
param=preop.internaldb.manager_ldif
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file = 
/usr/share/pki/server/conf/manager.ldif
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file copy to 
/var/lib/pki/pki-tomcat/ca/conf/manager.ldif
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): LDAP Errors in 
importing /var/lib/pki/pki-tomcat/ca/conf/manager.ldif
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in 
adding entry ou=csusers,cn=config:netscape.ldap.LDAPException: error result (68)

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in 
modifying entry o=ipaca:netscape.ldap.LDAPException: error result (20)
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: populateVLVIndexes(): start
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Creating 
LdapBoundConnFactor(ConfigurationUtils)
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapBoundConnFactory: init
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapBoundConnFactory:doCloning 
true
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init()
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init begins
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: prompt is 
internaldb
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: try getting 
from memory cache
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: got password 
from memory
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: password 
found for prompt.
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password ok: store 
in memory cache
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init ends
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before makeConnection 
errorIfDown is false
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: errorIfDown false
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP connection using 
basic authentication to host pt-idm-vm01.example.com port 389 as cn=Directory 
Manager
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with mininum 3 and 
maximum 15 connections to host pt-idm-vm01.example.com port 389, secure 
connection, false, authentication type 1
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum connections by 
3
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available connections 3
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of connections 3
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In LdapBoundConnFactory::getConn()
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: true
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is connected true
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now 2
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS: 
param=preop.internaldb.post_ldif
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file = 
/usr/share/pki/ca/conf/vlv.ldif
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file copy to 
/var/lib/pki/pki-tomcat/ca/conf/vlv.ldif
[23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif file = 
/usr/share/pki/ca/conf/vlvtasks.ldif
[23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif file copy to 
/var/lib/pki/pki-tomcat/ca/conf/vlvtasks.ldif
[23/Mar/2016:17:56:46][http-bio-8443-exec-3]: Checking wait_dn 
cn=index1160589769, cn=index, cn=tasks, cn=config
[23/Mar/2016:17:56:48][http-bio-8443-exec-3]: Found data for 'sslserver'
[23/Mar/2016:17:56:48][http-bio-8443-exec-3]: 
SystemConfigService:processCerts(): san_server_cert not found for tag sslserver
[23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is local
[23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is remote 
(revised)
[23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: updateConfig() for 
certTag sslserver
[23/Mar/2016:17:56:48][http-bio-8443-exec-3]: updateConfig() done
[23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: remote CA
[23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got public key
[23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got private key
[23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: For this Cloned CA, 
always use its Master CA to generate the 'sslserver' certificate to avoid any 
changes which may have been made to the X500Name directory string encoding 
order.
[23/Mar/2016:17:56:48][http-bio-8443-exec-3]: ConfigurationUtils: 
injectSAN=false
[23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertUtil createRemoteCert: 
content 
requestor_name=CA-pt-idm-vm01.example.com-8443&profileId=caInternalAuthServerCert&cert_request_type=pkcs10&cert_request=MIICmzCCAYxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxrD6JPIBR7AA%3D&xmlOutput=true&sessionID=-4495713718673639316
[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil createRemoteCert: 
status=0
[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil createRemoteCert: 
MIIDxTCCAq2gxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxTDuSAWm2v7
[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: ConfigurationUtils: 
handleCertRequest() begins
[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: tag=sslserver
[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: 
privKeyID=29c021f3ccfafb1049bd33ce00e9b4ba35f2c1e7
[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: created cert 
request
[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processing 'sslserver' 
certificate:
[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): for cert tag 
'sslserver' using cert type 'remote'
[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): process 
remote...import cert
[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: nickname=Server-Cert 
cert-pki-ca
[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: cert deleted 
successfully
[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): certchains length=2
[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): import certificate 
successfully, certTag=sslserver
[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processed 'sslserver' certificate.
[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === BackupKeyCert 
Panel/SavePKCS12 Panel ===
[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: backupKeys(): start
[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Admin Panel ===
[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Done Panel ===
[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Updating existing security domain
[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: isSDHostDomainMaster(): Getting 
domain.xml from CA...
[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: getDomainXML start
[23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: status=0
[23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: domainInfo=<?xml 
version="1.0" encoding="UTF-8" 
standalone="no"?><DomainInfo><Name>IPA</Name><CAList><CA><Host>ptipa1.example.com</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><UnSecurePort>80</UnSecurePort><Clone>FALSE</Clone><SubsystemName>pki-cad</SubsystemName><DomainManager>TRUE</DomainManager></CA><SubsystemCount>1</SubsystemCount></CAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><RAList><SubsystemCount>0</SubsystemCount></RAList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo>
[23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Cloning a domain master
[23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML 
start hostname=ptipa1.example.com port=443
[23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: failed to 
update security domain using admin port 443: org.xml.sax.SAXParseException; 
lineNumber: 1; columnNumber: 50; White spaces are required between publicId and 
systemId.
[23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: now trying 
agent port with client auth
[23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML 
start hostname=ptipa1.example.com port=443
[23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateDomainXML() 
nickname=subsystemCert cert-pki-ca
[23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML: 
status=1
[23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Error while updating security 
domain: java.io.IOException: 2
[23/Mar/2016:23:44:52][http-bio-8080-exec-1]: according to ccMode, 
authorization for servlet: caProfileList is LDAP based, not XML {1}, use 
default authz mgr: {2}.



/var/log/pki/pki-tomcat/ca/system

0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [3] [3] Cannot build CA 
chain. Error java.security.cert.CertificateException: Certificate is not a PKCS 
#11 certificate
0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [13] [3] authz instance 
DirAclAuthz initialization failed and skipped, error=Property 
internaldb.ldapconn.port missing value




Dennis M Ott
Infrastructure Administrator
Infrastructure and Security Operations

McKesson Corporation
McKesson Pharmacy Systems and Automation
www.mckesson.com<http://www.mckesson.com/>
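
The following is an added triage example, not part of the original post and not FreeIPA or Dogtag code. It re-joins mail-wrapped log records like those quoted above, recovers the JSON error body that pkispawn tried to parse as XML (the source of the `ParseError`), and names the LDAP result codes in the CA debug log. The function names and the constructed sample are assumptions; the code names come from RFC 4511.

```python
import json
import re

# A record starts with one of the two timestamp styles seen in the quoted logs:
#   "2016-03-23 17:56:51 pkispawn ..."  or  "[23/Mar/2016:17:56:45][thread]: ..."
RECORD_START = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} |\[\d{2}/\w{3}/\d{4}:)")

LDAP_ERROR = re.compile(
    r"exception in (?P<op>adding|modifying) entry (?P<dn>.+?):"
    r"netscape\.ldap\.LDAPException: error result \((?P<code>\d+)\)")

# Subset of the LDAP result codes defined in RFC 4511, Appendix A.
LDAP_RESULT_NAMES = {
    20: "attributeOrValueExists",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    68: "entryAlreadyExists",
}


def unwrap(text):
    """Re-join records that a mail client wrapped over several lines."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line  # the wrap kept the space it broke on
    return records


def embedded_json(record):
    """Return the first JSON object embedded in a record, or None."""
    decoder = json.JSONDecoder()
    pos = record.find("{")
    while pos != -1:
        try:
            return decoder.raw_decode(record, pos)[0]
        except ValueError:  # e.g. "{1}" placeholders in debug messages
            pos = record.find("{", pos + 1)
    return None


def triage(text):
    """Collect LDAP import errors and server error bodies from log text."""
    findings = []
    for record in unwrap(text):
        match = LDAP_ERROR.search(record)
        if match:
            code = int(match.group("code"))
            findings.append(("ldap", match.group("op"), match.group("dn"),
                             code, LDAP_RESULT_NAMES.get(code, "unknown")))
        if "ParseError" in record:
            body = embedded_json(record)
            if body is not None:
                findings.append(("server_error", body.get("ClassName"),
                                 body.get("Code"), body.get("Message")))
    return findings


# Constructed sample: lines copied from the excerpts above, wrapped as mailed.
SAMPLE = (
    "2016-03-23 17:56:51 pkispawn    : ERROR    ....... ParseError: not well-formed \n"
    "(invalid token): line 1, column 0: \n"
    '{"Attributes":{"Attribute":[]},"ClassName":'
    '"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error\n'
    ' while updating security domain: java.io.IOException: 2"}\n'
    "[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in \n"
    "adding entry ou=csusers,cn=config:netscape.ldap.LDAPException: error result (68)\n"
    "\n"
    "[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in \n"
    "modifying entry o=ipaca:netscape.ldap.LDAPException: error result (20)\n"
)

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```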
