Re: [Freeipa-users] 7.x replica install from 6.x master fails

Petr Vobornik Tue, 29 Mar 2016 03:47:46 -0700

On 03/24/2016 04:29 PM, Ott, Dennis wrote:

I am trying to migrate from OS 6.x / IPA 3.0 to OS 7.x / IPA 4.x. After working
through and solving a few issues, my current efforts fail when setting up the
replica CA.


If I set up a new, pristine master on OS 6.7, I am able to create an OS 7.x
replica without any problem. However, if I try to create a replica from my two
year old test lab instance (production will be another matter for the future) it
fails. The test lab master was created a couple of years ago on OS 6.3 / IPA 2.x
and has been upgraded to the latest versions in the 6.x chain. It is old enough
to have had all the certificates renewed, but I believe I have worked through
all the issues related to that.

Below is what I believe are the useful portions of the pertinent logs. I’ve not
been able to find anything online that speaks to the errors I am seeing

Thanks for your help.


Hello Dennis,

what are the exact versions of pki-ca and ipa-server on the 6.x masterand 7.x replica?

What kind of CA installation does the old 6.x master install have? Isstandard installation with CA or does it also use external CA?

I assume it is not self-sign (very old unsupported type, which could beconverted in 7.x as CA-less).


/var/log/ipareplica-install.log

2016-03-23T21:55:11Z DEBUG Configuring certificate server (pki-tomcatd).
Estimated time: 3 minutes 30 seconds

2016-03-23T21:55:11Z DEBUG   [1/23]: creating certificate server user

2016-03-23T21:55:11Z DEBUG group pkiuser exists

2016-03-23T21:55:11Z DEBUG user pkiuser exists

2016-03-23T21:55:11Z DEBUG   duration: 0 seconds

2016-03-23T21:55:11Z DEBUG   [2/23]: configuring certificate server instance

2016-03-23T21:55:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'

2016-03-23T21:55:11Z DEBUG Saving StateFile to
'/var/lib/ipa/sysrestore/sysrestore.state'

2016-03-23T21:55:11Z DEBUG Contents of pkispawn configuration file 
(/tmp/tmpGQ59ZC):

[CA]

pki_security_domain_name = IPA

pki_enable_proxy = True

pki_restart_configured_instance = False

pki_backup_keys = True

pki_backup_password = XXXXXXXX

pki_profiles_in_ldap = True

pki_client_database_dir = /tmp/tmp-g0CKZ3

pki_client_database_password = XXXXXXXX

pki_client_database_purge = False

pki_client_pkcs12_password = XXXXXXXX

pki_admin_name = admin

pki_admin_uid = admin

pki_admin_email = root@localhost

pki_admin_password = XXXXXXXX

pki_admin_nickname = ipa-ca-agent

pki_admin_subject_dn = cn=ipa-ca-agent,O=EXAMPLE.COM

pki_client_admin_cert_p12 = /root/ca-agent.p12

pki_ds_ldap_port = 389

pki_ds_password = XXXXXXXX

pki_ds_base_dn = o=ipaca

pki_ds_database = ipaca

pki_subsystem_subject_dn = cn=CA Subsystem,O=EXAMPLE.COM

pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=EXAMPLE.COM

pki_ssl_server_subject_dn = cn=pt-idm-vm01.example.com,O=EXAMPLE.COM

pki_audit_signing_subject_dn = cn=CA Audit,O=EXAMPLE.COM

pki_ca_signing_subject_dn = cn=Certificate Authority,O=EXAMPLE.COM

pki_subsystem_nickname = subsystemCert cert-pki-ca

pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca

pki_ssl_server_nickname = Server-Cert cert-pki-ca

pki_audit_signing_nickname = auditSigningCert cert-pki-ca

pki_ca_signing_nickname = caSigningCert cert-pki-ca

pki_ca_signing_key_algorithm = SHA256withRSA

pki_security_domain_hostname = ptipa1.example.com

pki_security_domain_https_port = 443

pki_security_domain_user = admin

pki_security_domain_password = XXXXXXXX

pki_clone = True

pki_clone_pkcs12_path = /tmp/ca.p12

pki_clone_pkcs12_password = XXXXXXXX

pki_clone_replication_security = TLS

pki_clone_replication_master_port = 7389

pki_clone_replication_clone_port = 389

pki_clone_replicate_schema = False

pki_clone_uri = https://ptipa1.example.com:443

2016-03-23T21:55:11Z DEBUG Starting external process

2016-03-23T21:55:11Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' 
'/tmp/tmpGQ59ZC'

2016-03-23T21:56:51Z DEBUG Process finished, return code=1

2016-03-23T21:56:51Z DEBUG stdout=Log file:
/var/log/pki/pki-ca-spawn.20160323175511.log

Loading deployment configuration from /tmp/tmpGQ59ZC.

Installing CA into /var/lib/pki/pki-tomcat.

Storing deployment configuration into
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

Installation failed.

2016-03-23T21:56:51Z DEBUG
stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
InsecureRequestWarning: Unverified HTTPS request is being made. Adding
certificate verification is strongly advised. See:
https://urllib3.readthedocs.org/en/latest/security.html

    InsecureRequestWarning)

pkispawn    : WARNING  ....... unable to validate security domain user/password
through REST interface. Interface not available

pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: 500
Server Error: Internal Server Error

pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token): line
1, column 0:
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error
while updating security domain: java.io.IOException: 2"}

2016-03-23T21:56:51Z CRITICAL Failed to configure CA instance: Command
''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpGQ59ZC'' returned non-zero exit
status 1

2016-03-23T21:56:51Z CRITICAL See the installation logs and the following
files/directories for more information:

2016-03-23T21:56:51Z CRITICAL   /var/log/pki-ca-install.log

2016-03-23T21:56:51Z CRITICAL   /var/log/pki/pki-tomcat

2016-03-23T21:56:51Z DEBUG Traceback (most recent call last):

    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
418, in start_creation

      run_step(full_msg, method)

    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
408, in run_step

      method()

    File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", 
line
620, in __spawn_instance

      DogtagInstance.spawn_instance(self, cfg_file)

    File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 201, in spawn_instance

      self.handle_setup_error(e)

    File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 465, in handle_setup_error

      raise RuntimeError("%s configuration failed." % self.subsystem)

RuntimeError: CA configuration failed.

2016-03-23T21:56:51Z DEBUG   [error] RuntimeError: CA configuration failed.

2016-03-23T21:56:51Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute

      return_value = self.run()

    File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311,
in run

      cfgr.run()

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 281,
in run

      self.execute()

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 303,
in execute

      for nothing in self._executor():

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343,
in __runner

      self._handle_exception(exc_info)

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365,
in _handle_exception

      util.raise_exc_info(exc_info)

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333,
in __runner

      step()

    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87,
in run_generator_with_yield_from

      raise_exc_info(exc_info)

    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65,
in run_generator_with_yield_from

      value = gen.send(prev_value)

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 524,
in _configure

      executor.next()

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343,
in __runner

      self._handle_exception(exc_info)

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421,
in _handle_exception

      self.__parent._handle_exception(exc_info)

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365,
in _handle_exception

      util.raise_exc_info(exc_info)

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418,
in _handle_exception

      super(ComponentBase, self)._handle_exception(exc_info)

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365,
in _handle_exception

      util.raise_exc_info(exc_info)

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333,
in __runner

      step()

    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87,
in run_generator_with_yield_from

      raise_exc_info(exc_info)

    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65,
in run_generator_with_yield_from

      value = gen.send(prev_value)

    File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 
63,
in _install

      for nothing in self._installer(self.parent):

    File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 879, in main

      install(self)

    File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 295, in decorated

      func(installer)

    File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 584, in install

      ca.install(False, config, options)

    File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 106, 
in
install

      install_step_0(standalone, replica_config, options)

    File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 130, 
in
install_step_0

      ra_p12=getattr(options, 'ra_p12', None))

    File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", 
line
1543, in install_replica_ca

      subject_base=config.subject_base)

    File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", 
line
486, in configure_instance

      self.start_creation(runtime=210)

    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
418, in start_creation

      run_step(full_msg, method)

    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
408, in run_step

      method()

    File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", 
line
620, in __spawn_instance

      DogtagInstance.spawn_instance(self, cfg_file)

    File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 201, in spawn_instance

      self.handle_setup_error(e)

    File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 465, in handle_setup_error

      raise RuntimeError("%s configuration failed." % self.subsystem)

2016-03-23T21:56:51Z DEBUG The ipa-replica-install command failed, exception:
RuntimeError: CA configuration failed.

2016-03-23T21:56:51Z ERROR CA configuration failed.

/var/log/pki/pki-ca-spawn.<date>.log

2016-03-23 17:55:12 pkispawn    : INFO     ....... rm -f
/etc/pki/pki-tomcat/ca/noise

2016-03-23 17:55:12 pkispawn    : INFO     ....... rm -f 
/etc/pki/pki-tomcat/pfile

2016-03-23 17:55:12 pkispawn    : INFO     ....... ln -s
/lib/systemd/system/[email protected]
/etc/systemd/system/pki-tomcatd.target.wants/[email protected]

2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chown -h 17:17
/etc/systemd/system/pki-tomcatd.target.wants/[email protected]

2016-03-23 17:55:12 pkispawn    : INFO     ... configuring
'pki.server.deployment.scriptlets.configuration'

2016-03-23 17:55:12 pkispawn    : INFO     ....... mkdir -p
/root/.dogtag/pki-tomcat/ca

2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chmod 755
/root/.dogtag/pki-tomcat/ca

2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chown 0:0
/root/.dogtag/pki-tomcat/ca

2016-03-23 17:55:12 pkispawn    : INFO     ....... generating
'/root/.dogtag/pki-tomcat/ca/password.conf'

2016-03-23 17:55:12 pkispawn    : INFO     ....... modifying
'/root/.dogtag/pki-tomcat/ca/password.conf'

2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chmod 660
/root/.dogtag/pki-tomcat/ca/password.conf

2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chown 0:0
/root/.dogtag/pki-tomcat/ca/password.conf

2016-03-23 17:55:12 pkispawn    : INFO     ....... generating
'/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'

2016-03-23 17:55:12 pkispawn    : INFO     ....... modifying
'/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'

2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chmod 660
/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf

2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chown 17:17
/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf

2016-03-23 17:55:12 pkispawn    : INFO     ....... executing 'certutil -N -d
/tmp/tmp-g0CKZ3 -f /root/.dogtag/pki-tomcat/ca/password.conf'

2016-03-23 17:55:12 pkispawn    : INFO     ....... executing 'systemctl
daemon-reload'

2016-03-23 17:55:12 pkispawn    : INFO     ....... executing 'systemctl start
[email protected]'

2016-03-23 17:55:12 pkispawn    : DEBUG    ........... No connection - server
may still be down

2016-03-23 17:55:12 pkispawn    : DEBUG    ........... No connection - exception
thrown: ('Connection aborted.', error(111, 'Connection refused'))

2016-03-23 17:55:13 pkispawn    : DEBUG    ........... No connection - server
may still be down

2016-03-23 17:55:13 pkispawn    : DEBUG    ........... No connection - exception
thrown: ('Connection aborted.', error(111, 'Connection refused'))

2016-03-23 17:55:24 pkispawn    : DEBUG    ........... <?xml version="1.0"
encoding="UTF-8"
standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status>running</Status><Version>10.2.5-6.el7</Version></XMLResponse>

2016-03-23 17:55:25 pkispawn    : INFO     ....... constructing PKI
configuration data.

2016-03-23 17:55:25 pkispawn    : INFO     ....... configuring PKI configuration
data.

2016-03-23 17:56:51 pkispawn    : ERROR    ....... Exception from Java
Configuration Servlet: 500 Server Error: Internal Server Error

2016-03-23 17:56:51 pkispawn    : ERROR    ....... ParseError: not well-formed
(invalid token): line 1, column 0:
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error
while updating security domain: java.io.IOException: 2"}

2016-03-23 17:56:51 pkispawn    : DEBUG    ....... Error Type: ParseError

2016-03-23 17:56:51 pkispawn    : DEBUG    ....... Error Message: not
well-formed (invalid token): line 1, column 0

2016-03-23 17:56:51 pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn",
line 597, in main

      rv = instance.spawn(deployer)

    File
"/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py",
line 116, in spawn

      json.dumps(data, cls=pki.encoder.CustomTypeEncoder))

    File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py",
line 3906, in configure_pki_data

      root = ET.fromstring(e.response.text)

    File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML

      parser.feed(text)

    File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed

      self._raiseerror(v)

    File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in 
_raiseerror

      raise err

/var/log/pki/pki-tomcat/ca/debug

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password ok: store
in memory cache

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init ends

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before makeConnection
errorIfDown is false

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: errorIfDown false

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP connection using
basic authentication to host pt-idm-vm01.example.com port 389 as cn=Directory
Manager

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with mininum 3 and
maximum 15 connections to host pt-idm-vm01.example.com port 389, secure
connection, false, authentication type 1

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum connections by 
3

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available connections 3

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of connections 3

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In LdapBoundConnFactory::getConn()

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: true

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is connected true

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now 2

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS:
param=preop.internaldb.manager_ldif

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file =
/usr/share/pki/server/conf/manager.ldif

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file copy to
/var/lib/pki/pki-tomcat/ca/conf/manager.ldif

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): LDAP Errors in
importing /var/lib/pki/pki-tomcat/ca/conf/manager.ldif

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in
adding entry ou=csusers,cn=config:netscape.ldap.LDAPException: error result (68)

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in
modifying entry o=ipaca:netscape.ldap.LDAPException: error result (20)

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: populateVLVIndexes(): start

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Creating
LdapBoundConnFactor(ConfigurationUtils)

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapBoundConnFactory: init

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapBoundConnFactory:doCloning 
true

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init()

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init begins

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: prompt is
internaldb

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: try getting
from memory cache

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: got password
from memory

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: password found
for prompt.

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password ok: store
in memory cache

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init ends

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before makeConnection
errorIfDown is false

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: errorIfDown false

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP connection using
basic authentication to host pt-idm-vm01.example.com port 389 as cn=Directory
Manager

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with mininum 3 and
maximum 15 connections to host pt-idm-vm01.example.com port 389, secure
connection, false, authentication type 1

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum connections by 
3

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available connections 3

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of connections 3

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In LdapBoundConnFactory::getConn()

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: true

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is connected true

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now 2

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS:
param=preop.internaldb.post_ldif

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file =
/usr/share/pki/ca/conf/vlv.ldif

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file copy to
/var/lib/pki/pki-tomcat/ca/conf/vlv.ldif

[23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif file =
/usr/share/pki/ca/conf/vlvtasks.ldif

[23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif file copy to
/var/lib/pki/pki-tomcat/ca/conf/vlvtasks.ldif

[23/Mar/2016:17:56:46][http-bio-8443-exec-3]: Checking wait_dn
cn=index1160589769, cn=index, cn=tasks, cn=config

[23/Mar/2016:17:56:48][http-bio-8443-exec-3]: Found data for 'sslserver'

[23/Mar/2016:17:56:48][http-bio-8443-exec-3]:
SystemConfigService:processCerts(): san_server_cert not found for tag sslserver

[23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is local

[23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is remote 
(revised)

[23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: updateConfig() for
certTag sslserver

[23/Mar/2016:17:56:48][http-bio-8443-exec-3]: updateConfig() done

[23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: remote CA

[23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got public key

[23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got private key

[23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: For this Cloned CA,
always use its Master CA to generate the 'sslserver' certificate to avoid any
changes which may have been made to the X500Name directory string encoding 
order.

[23/Mar/2016:17:56:48][http-bio-8443-exec-3]: ConfigurationUtils: 
injectSAN=false

[23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertUtil createRemoteCert: content
requestor_name=CA-pt-idm-vm01.example.com-8443&profileId=caInternalAuthServerCert&cert_request_type=pkcs10&cert_request=MIICmzCCAYxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxrD6JPIBR7AA%3D&xmlOutput=true&sessionID=-4495713718673639316

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil createRemoteCert: 
status=0

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil createRemoteCert:
MIIDxTCCAq2gxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxTDuSAWm2v7

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: ConfigurationUtils:
handleCertRequest() begins

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: tag=sslserver

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]:
privKeyID=29c021f3ccfafb1049bd33ce00e9b4ba35f2c1e7

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: created cert
request

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processing 'sslserver' 
certificate:

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): for cert tag
'sslserver' using cert type 'remote'

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): process
remote...import cert

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: nickname=Server-Cert
cert-pki-ca

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: cert deleted 
successfully

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): certchains length=2

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): import certificate
successfully, certTag=sslserver

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processed 'sslserver' certificate.

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === BackupKeyCert Panel/SavePKCS12
Panel ===

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: backupKeys(): start

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Admin Panel ===

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Done Panel ===

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Updating existing security domain

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: isSDHostDomainMaster(): Getting
domain.xml from CA...

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: getDomainXML start

[23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: status=0

[23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: domainInfo=<?xml
version="1.0" encoding="UTF-8"
standalone="no"?><DomainInfo><Name>IPA</Name><CAList><CA><Host>ptipa1.example.com</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><UnSecurePort>80</UnSecurePort><Clone>FALSE</Clone><SubsystemName>pki-cad</SubsystemName><DomainManager>TRUE</DomainManager></CA><SubsystemCount>1</SubsystemCount></CAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><RAList><SubsystemCount>0</SubsystemCount></RAList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo>

[23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Cloning a domain master

[23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML
start hostname=ptipa1.example.com port=443

[23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: failed to
update security domain using admin port 443: org.xml.sax.SAXParseException;
lineNumber: 1; columnNumber: 50; White spaces are required between publicId and
systemId.

[23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: now trying
agent port with client auth

[23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML
start hostname=ptipa1.example.com port=443

[23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateDomainXML()
nickname=subsystemCert cert-pki-ca

[23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML:
status=1

[23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Error while updating security
domain: java.io.IOException: 2

[23/Mar/2016:23:44:52][http-bio-8080-exec-1]: according to ccMode, authorization
for servlet: caProfileList is LDAP based, not XML {1}, use default authz mgr: 
{2}.

/var/log/pki/pki-tomcat/ca/system

0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [3] [3] Cannot build CA
chain. Error java.security.cert.CertificateException: Certificate is not a PKCS
#11 certificate

0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [13] [3] authz instance
DirAclAuthz initialization failed and skipped, error=Property
internaldb.ldapconn.port missing value

*Dennis M Ott*
Infrastructure Administrator
Infrastructure and Security Operations

*McKesson Corporation
McKesson Pharmacy Systems and Automation*
www.mckesson.com <http://www.mckesson.com/>



--
Petr Vobornik

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] 7.x replica install from 6.x master fails

Reply via email to