On 03/24/2016 04:29 PM, Ott, Dennis wrote:
I am trying to migrate from OS 6.x / IPA 3.0 to OS 7.x / IPA 4.x. After working
through and solving a few issues, my current efforts fail when setting up the
replica CA.

If I set up a new, pristine master on OS 6.7, I am able to create an OS 7.x
replica without any problem. However, if I try to create a replica from my two
year old test lab instance (production will be another matter for the future) it
fails. The test lab master was created a couple of years ago on OS 6.3 / IPA 2.x
and has been upgraded to the latest versions in the 6.x chain. It is old enough
to have had all the certificates renewed, but I believe I have worked through
all the issues related to that.

Below is what I believe are the useful portions of the pertinent logs. I’ve not
been able to find anything online that speaks to the errors I am seeing.

Thanks for your help.

Hello Dennis,

what are the exact versions of pki-ca and ipa-server on the 6.x master and 7.x replica?

What kind of CA installation does the old 6.x master have? Is it a standard installation with CA, or does it also use an external CA?

I assume it is not self-signed (a very old unsupported type, which could be converted in 7.x as CA-less).


/var/log/ipareplica-install.log

2016-03-23T21:55:11Z DEBUG Configuring certificate server (pki-tomcatd).
Estimated time: 3 minutes 30 seconds

2016-03-23T21:55:11Z DEBUG   [1/23]: creating certificate server user

2016-03-23T21:55:11Z DEBUG group pkiuser exists

2016-03-23T21:55:11Z DEBUG user pkiuser exists

2016-03-23T21:55:11Z DEBUG   duration: 0 seconds

2016-03-23T21:55:11Z DEBUG   [2/23]: configuring certificate server instance

2016-03-23T21:55:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'

2016-03-23T21:55:11Z DEBUG Saving StateFile to
'/var/lib/ipa/sysrestore/sysrestore.state'

2016-03-23T21:55:11Z DEBUG Contents of pkispawn configuration file 
(/tmp/tmpGQ59ZC):

[CA]

pki_security_domain_name = IPA

pki_enable_proxy = True

pki_restart_configured_instance = False

pki_backup_keys = True

pki_backup_password = XXXXXXXX

pki_profiles_in_ldap = True

pki_client_database_dir = /tmp/tmp-g0CKZ3

pki_client_database_password = XXXXXXXX

pki_client_database_purge = False

pki_client_pkcs12_password = XXXXXXXX

pki_admin_name = admin

pki_admin_uid = admin

pki_admin_email = root@localhost

pki_admin_password = XXXXXXXX

pki_admin_nickname = ipa-ca-agent

pki_admin_subject_dn = cn=ipa-ca-agent,O=EXAMPLE.COM

pki_client_admin_cert_p12 = /root/ca-agent.p12

pki_ds_ldap_port = 389

pki_ds_password = XXXXXXXX

pki_ds_base_dn = o=ipaca

pki_ds_database = ipaca

pki_subsystem_subject_dn = cn=CA Subsystem,O=EXAMPLE.COM

pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=EXAMPLE.COM

pki_ssl_server_subject_dn = cn=pt-idm-vm01.example.com,O=EXAMPLE.COM

pki_audit_signing_subject_dn = cn=CA Audit,O=EXAMPLE.COM

pki_ca_signing_subject_dn = cn=Certificate Authority,O=EXAMPLE.COM

pki_subsystem_nickname = subsystemCert cert-pki-ca

pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca

pki_ssl_server_nickname = Server-Cert cert-pki-ca

pki_audit_signing_nickname = auditSigningCert cert-pki-ca

pki_ca_signing_nickname = caSigningCert cert-pki-ca

pki_ca_signing_key_algorithm = SHA256withRSA

pki_security_domain_hostname = ptipa1.example.com

pki_security_domain_https_port = 443

pki_security_domain_user = admin

pki_security_domain_password = XXXXXXXX

pki_clone = True

pki_clone_pkcs12_path = /tmp/ca.p12

pki_clone_pkcs12_password = XXXXXXXX

pki_clone_replication_security = TLS

pki_clone_replication_master_port = 7389

pki_clone_replication_clone_port = 389

pki_clone_replicate_schema = False

pki_clone_uri = https://ptipa1.example.com:443

2016-03-23T21:55:11Z DEBUG Starting external process

2016-03-23T21:55:11Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' 
'/tmp/tmpGQ59ZC'

2016-03-23T21:56:51Z DEBUG Process finished, return code=1

2016-03-23T21:56:51Z DEBUG stdout=Log file:
/var/log/pki/pki-ca-spawn.20160323175511.log

Loading deployment configuration from /tmp/tmpGQ59ZC.

Installing CA into /var/lib/pki/pki-tomcat.

Storing deployment configuration into
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

Installation failed.

2016-03-23T21:56:51Z DEBUG
stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
InsecureRequestWarning: Unverified HTTPS request is being made. Adding
certificate verification is strongly advised. See:
https://urllib3.readthedocs.org/en/latest/security.html

    InsecureRequestWarning)

pkispawn    : WARNING  ....... unable to validate security domain user/password
through REST interface. Interface not available

pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: 500
Server Error: Internal Server Error

pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token): line
1, column 0:
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error
while updating security domain: java.io.IOException: 2"}

2016-03-23T21:56:51Z CRITICAL Failed to configure CA instance: Command
''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpGQ59ZC'' returned non-zero exit
status 1

2016-03-23T21:56:51Z CRITICAL See the installation logs and the following
files/directories for more information:

2016-03-23T21:56:51Z CRITICAL   /var/log/pki-ca-install.log

2016-03-23T21:56:51Z CRITICAL   /var/log/pki/pki-tomcat

2016-03-23T21:56:51Z DEBUG Traceback (most recent call last):

    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
418, in start_creation

      run_step(full_msg, method)

    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
408, in run_step

      method()

    File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", 
line
620, in __spawn_instance

      DogtagInstance.spawn_instance(self, cfg_file)

    File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 201, in spawn_instance

      self.handle_setup_error(e)

    File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 465, in handle_setup_error

      raise RuntimeError("%s configuration failed." % self.subsystem)

RuntimeError: CA configuration failed.

2016-03-23T21:56:51Z DEBUG   [error] RuntimeError: CA configuration failed.

2016-03-23T21:56:51Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute

      return_value = self.run()

    File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311,
in run

      cfgr.run()

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 281,
in run

      self.execute()

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 303,
in execute

      for nothing in self._executor():

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343,
in __runner

      self._handle_exception(exc_info)

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365,
in _handle_exception

      util.raise_exc_info(exc_info)

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333,
in __runner

      step()

    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87,
in run_generator_with_yield_from

      raise_exc_info(exc_info)

    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65,
in run_generator_with_yield_from

      value = gen.send(prev_value)

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 524,
in _configure

      executor.next()

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343,
in __runner

      self._handle_exception(exc_info)

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421,
in _handle_exception

      self.__parent._handle_exception(exc_info)

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365,
in _handle_exception

      util.raise_exc_info(exc_info)

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418,
in _handle_exception

      super(ComponentBase, self)._handle_exception(exc_info)

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365,
in _handle_exception

      util.raise_exc_info(exc_info)

    File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333,
in __runner

      step()

    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87,
in run_generator_with_yield_from

      raise_exc_info(exc_info)

    File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65,
in run_generator_with_yield_from

      value = gen.send(prev_value)

    File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 
63,
in _install

      for nothing in self._installer(self.parent):

    File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 879, in main

      install(self)

    File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 295, in decorated

      func(installer)

    File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
line 584, in install

      ca.install(False, config, options)

    File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 106, 
in
install

      install_step_0(standalone, replica_config, options)

    File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 130, 
in
install_step_0

      ra_p12=getattr(options, 'ra_p12', None))

    File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", 
line
1543, in install_replica_ca

      subject_base=config.subject_base)

    File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", 
line
486, in configure_instance

      self.start_creation(runtime=210)

    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
418, in start_creation

      run_step(full_msg, method)

    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
408, in run_step

      method()

    File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", 
line
620, in __spawn_instance

      DogtagInstance.spawn_instance(self, cfg_file)

    File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 201, in spawn_instance

      self.handle_setup_error(e)

    File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 465, in handle_setup_error

      raise RuntimeError("%s configuration failed." % self.subsystem)

2016-03-23T21:56:51Z DEBUG The ipa-replica-install command failed, exception:
RuntimeError: CA configuration failed.

2016-03-23T21:56:51Z ERROR CA configuration failed.

/var/log/pki/pki-ca-spawn.<date>.log

2016-03-23 17:55:12 pkispawn    : INFO     ....... rm -f
/etc/pki/pki-tomcat/ca/noise

2016-03-23 17:55:12 pkispawn    : INFO     ....... rm -f 
/etc/pki/pki-tomcat/pfile

2016-03-23 17:55:12 pkispawn    : INFO     ....... ln -s
/lib/systemd/system/pki-tomcatd@.service
/etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service

2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chown -h 17:17
/etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service

2016-03-23 17:55:12 pkispawn    : INFO     ... configuring
'pki.server.deployment.scriptlets.configuration'

2016-03-23 17:55:12 pkispawn    : INFO     ....... mkdir -p
/root/.dogtag/pki-tomcat/ca

2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chmod 755
/root/.dogtag/pki-tomcat/ca

2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chown 0:0
/root/.dogtag/pki-tomcat/ca

2016-03-23 17:55:12 pkispawn    : INFO     ....... generating
'/root/.dogtag/pki-tomcat/ca/password.conf'

2016-03-23 17:55:12 pkispawn    : INFO     ....... modifying
'/root/.dogtag/pki-tomcat/ca/password.conf'

2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chmod 660
/root/.dogtag/pki-tomcat/ca/password.conf

2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chown 0:0
/root/.dogtag/pki-tomcat/ca/password.conf

2016-03-23 17:55:12 pkispawn    : INFO     ....... generating
'/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'

2016-03-23 17:55:12 pkispawn    : INFO     ....... modifying
'/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'

2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chmod 660
/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf

2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chown 17:17
/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf

2016-03-23 17:55:12 pkispawn    : INFO     ....... executing 'certutil -N -d
/tmp/tmp-g0CKZ3 -f /root/.dogtag/pki-tomcat/ca/password.conf'

2016-03-23 17:55:12 pkispawn    : INFO     ....... executing 'systemctl
daemon-reload'

2016-03-23 17:55:12 pkispawn    : INFO     ....... executing 'systemctl start
pki-tomcatd@pki-tomcat.service'

2016-03-23 17:55:12 pkispawn    : DEBUG    ........... No connection - server
may still be down

2016-03-23 17:55:12 pkispawn    : DEBUG    ........... No connection - exception
thrown: ('Connection aborted.', error(111, 'Connection refused'))

2016-03-23 17:55:13 pkispawn    : DEBUG    ........... No connection - server
may still be down

2016-03-23 17:55:13 pkispawn    : DEBUG    ........... No connection - exception
thrown: ('Connection aborted.', error(111, 'Connection refused'))

2016-03-23 17:55:24 pkispawn    : DEBUG    ........... <?xml version="1.0"
encoding="UTF-8"
standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status>running</Status><Version>10.2.5-6.el7</Version></XMLResponse>

2016-03-23 17:55:25 pkispawn    : INFO     ....... constructing PKI
configuration data.

2016-03-23 17:55:25 pkispawn    : INFO     ....... configuring PKI configuration
data.

2016-03-23 17:56:51 pkispawn    : ERROR    ....... Exception from Java
Configuration Servlet: 500 Server Error: Internal Server Error

2016-03-23 17:56:51 pkispawn    : ERROR    ....... ParseError: not well-formed
(invalid token): line 1, column 0:
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error
while updating security domain: java.io.IOException: 2"}

2016-03-23 17:56:51 pkispawn    : DEBUG    ....... Error Type: ParseError

2016-03-23 17:56:51 pkispawn    : DEBUG    ....... Error Message: not
well-formed (invalid token): line 1, column 0

2016-03-23 17:56:51 pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn",
line 597, in main

      rv = instance.spawn(deployer)

    File
"/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py",
line 116, in spawn

      json.dumps(data, cls=pki.encoder.CustomTypeEncoder))

    File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py",
line 3906, in configure_pki_data

      root = ET.fromstring(e.response.text)

    File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML

      parser.feed(text)

    File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed

      self._raiseerror(v)

    File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in 
_raiseerror

      raise err

/var/log/pki/pki-tomcat/ca/debug

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password ok: store
in memory cache

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init ends

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before makeConnection
errorIfDown is false

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: errorIfDown false

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP connection using
basic authentication to host pt-idm-vm01.example.com port 389 as cn=Directory
Manager

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with mininum 3 and
maximum 15 connections to host pt-idm-vm01.example.com port 389, secure
connection, false, authentication type 1

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum connections by 
3

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available connections 3

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of connections 3

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In LdapBoundConnFactory::getConn()

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: true

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is connected true

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now 2

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS:
param=preop.internaldb.manager_ldif

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file =
/usr/share/pki/server/conf/manager.ldif

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file copy to
/var/lib/pki/pki-tomcat/ca/conf/manager.ldif

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): LDAP Errors in
importing /var/lib/pki/pki-tomcat/ca/conf/manager.ldif

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in
adding entry ou=csusers,cn=config:netscape.ldap.LDAPException: error result (68)

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in
modifying entry o=ipaca:netscape.ldap.LDAPException: error result (20)

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: populateVLVIndexes(): start

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Creating
LdapBoundConnFactor(ConfigurationUtils)

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapBoundConnFactory: init

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapBoundConnFactory:doCloning 
true

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init()

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init begins

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: prompt is
internaldb

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: try getting
from memory cache

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: got password
from memory

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: password found
for prompt.

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password ok: store
in memory cache

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init ends

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before makeConnection
errorIfDown is false

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: errorIfDown false

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP connection using
basic authentication to host pt-idm-vm01.example.com port 389 as cn=Directory
Manager

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with mininum 3 and
maximum 15 connections to host pt-idm-vm01.example.com port 389, secure
connection, false, authentication type 1

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum connections by 
3

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available connections 3

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of connections 3

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In LdapBoundConnFactory::getConn()

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: true

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is connected true

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now 2

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS:
param=preop.internaldb.post_ldif

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file =
/usr/share/pki/ca/conf/vlv.ldif

[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file copy to
/var/lib/pki/pki-tomcat/ca/conf/vlv.ldif

[23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif file =
/usr/share/pki/ca/conf/vlvtasks.ldif

[23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif file copy to
/var/lib/pki/pki-tomcat/ca/conf/vlvtasks.ldif

[23/Mar/2016:17:56:46][http-bio-8443-exec-3]: Checking wait_dn
cn=index1160589769, cn=index, cn=tasks, cn=config

[23/Mar/2016:17:56:48][http-bio-8443-exec-3]: Found data for 'sslserver'

[23/Mar/2016:17:56:48][http-bio-8443-exec-3]:
SystemConfigService:processCerts(): san_server_cert not found for tag sslserver

[23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is local

[23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is remote 
(revised)

[23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: updateConfig() for
certTag sslserver

[23/Mar/2016:17:56:48][http-bio-8443-exec-3]: updateConfig() done

[23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: remote CA

[23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got public key

[23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got private key

[23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: For this Cloned CA,
always use its Master CA to generate the 'sslserver' certificate to avoid any
changes which may have been made to the X500Name directory string encoding 
order.

[23/Mar/2016:17:56:48][http-bio-8443-exec-3]: ConfigurationUtils: 
injectSAN=false

[23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertUtil createRemoteCert: content
requestor_name=CA-pt-idm-vm01.example.com-8443&profileId=caInternalAuthServerCert&cert_request_type=pkcs10&cert_request=MIICmzCCAYxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxrD6JPIBR7AA%3D&xmlOutput=true&sessionID=-4495713718673639316

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil createRemoteCert: 
status=0

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil createRemoteCert:
MIIDxTCCAq2gxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxTDuSAWm2v7

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: ConfigurationUtils:
handleCertRequest() begins

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: tag=sslserver

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]:
privKeyID=29c021f3ccfafb1049bd33ce00e9b4ba35f2c1e7

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: created cert
request

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processing 'sslserver' 
certificate:

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): for cert tag
'sslserver' using cert type 'remote'

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): process
remote...import cert

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: nickname=Server-Cert
cert-pki-ca

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: cert deleted 
successfully

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): certchains length=2

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): import certificate
successfully, certTag=sslserver

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processed 'sslserver' certificate.

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === BackupKeyCert Panel/SavePKCS12
Panel ===

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: backupKeys(): start

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Admin Panel ===

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Done Panel ===

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Updating existing security domain

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: isSDHostDomainMaster(): Getting
domain.xml from CA...

[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: getDomainXML start

[23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: status=0

[23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: domainInfo=<?xml
version="1.0" encoding="UTF-8"
standalone="no"?><DomainInfo><Name>IPA</Name><CAList><CA><Host>ptipa1.example.com</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><UnSecurePort>80</UnSecurePort><Clone>FALSE</Clone><SubsystemName>pki-cad</SubsystemName><DomainManager>TRUE</DomainManager></CA><SubsystemCount>1</SubsystemCount></CAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><RAList><SubsystemCount>0</SubsystemCount></RAList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo>

[23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Cloning a domain master

[23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML
start hostname=ptipa1.example.com port=443

[23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: failed to
update security domain using admin port 443: org.xml.sax.SAXParseException;
lineNumber: 1; columnNumber: 50; White spaces are required between publicId and
systemId.

[23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: now trying
agent port with client auth

[23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML
start hostname=ptipa1.example.com port=443

[23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateDomainXML()
nickname=subsystemCert cert-pki-ca

[23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML:
status=1

[23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Error while updating security
domain: java.io.IOException: 2

[23/Mar/2016:23:44:52][http-bio-8080-exec-1]: according to ccMode, authorization
for servlet: caProfileList is LDAP based, not XML {1}, use default authz mgr: 
{2}.

/var/log/pki/pki-tomcat/ca/system

0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [3] [3] Cannot build CA
chain. Error java.security.cert.CertificateException: Certificate is not a PKCS
#11 certificate

0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [13] [3] authz instance
DirAclAuthz initialization failed and skipped, error=Property
internaldb.ldapconn.port missing value

*Dennis M Ott*
Infrastructure Administrator
Infrastructure and Security Operations

*McKesson Corporation
McKesson Pharmacy Systems and Automation*
www.mckesson.com <http://www.mckesson.com/>





--
Petr Vobornik
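
The spawn log quoted above ends in a ParseError because the JSON error body was handed to ET.fromstring, so the server's own message is only visible inside the exception text. The following Python helper is an added example, not part of the original thread and not Dogtag or FreeIPA code: it pulls the body out of such a log record and decodes it as JSON or XML. The function names, the shape of the XML sample and the refusal of DTDs are assumptions made for illustration.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample: the two pkispawn ERROR records from the spawn log above,
# with the mail client's line wrapping undone.
SAMPLE_LOG = (
    '2016-03-23 17:56:51 pkispawn    : ERROR    ....... Exception from Java '
    'Configuration Servlet: 500 Server Error: Internal Server Error\n'
    '2016-03-23 17:56:51 pkispawn    : ERROR    ....... ParseError: not well-formed '
    '(invalid token): line 1, column 0: '
    '{"Attributes":{"Attribute":[]},'
    '"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,'
    '"Message":"Error while updating security domain: java.io.IOException: 2"}\n'
)

# Constructed XML body reusing the JSON field names; the element layout is an
# assumption, it does not appear on the page.
SAMPLE_XML = (
    '<PKIException>'
    '<ClassName>com.netscape.certsrv.base.PKIException</ClassName>'
    '<Code>500</Code>'
    '<Message>Error while updating security domain: java.io.IOException: 2</Message>'
    '</PKIException>'
)

# Captures whatever follows "ParseError: ... line N, column N:" in a log record.
PAYLOAD_RE = re.compile(r"ParseError: .*?line \d+, column \d+:\s*(?P<body>\S.*)$")
FIELDS = ("ClassName", "Code", "Message")


def decode_error_body(body):
    """Decode an error body that may be JSON or XML; never raises."""
    body = body.strip()
    result = {"format": "unknown", "ClassName": None, "Code": None, "Message": None}
    try:
        doc = json.loads(body)
        if isinstance(doc, dict):
            result.update({k: doc.get(k) for k in FIELDS})
            result["format"] = "json"
            return result
    except ValueError:
        pass  # not JSON, fall through to XML
    # Refuse DTDs so a broken or hostile peer cannot trigger entity expansion.
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        result["format"] = "rejected"
        return result
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return result
    for key in FIELDS:
        result[key] = root.findtext(key)
    if result["Code"] is not None and result["Code"].isdigit():
        result["Code"] = int(result["Code"])
    result["format"] = "xml"
    return result


def triage(log_text):
    """Return the decoded server-side error for each pkispawn ParseError record."""
    findings = []
    for line in log_text.splitlines():
        if "pkispawn" not in line or "ERROR" not in line:
            continue
        match = PAYLOAD_RE.search(line)
        if match:
            findings.append(decode_error_body(match.group("body")))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["format"], finding["Code"], finding["ClassName"],
              finding["Message"], sep=" | ")
```
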
