As a test, I attempted to do a replica install on a Fedora 23 machine. It fails with the same error.

Dennis

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Ott, Dennis
Sent: Thursday, April 07, 2016 5:39 PM
To: Petr Vobornik; [email protected]
Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails

It doesn't look like that is my problem. The output of pki-server ca-group-member-find "Subsystem Group" gives:

  User ID: CA-ptipa1.example.com-9443
  Common Name: CA-ptipa1.example.com-9443
  Surname: CA-ptipa1.example.com-9443
  Type: agentType
  Description: 2;4;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA Subsystem,O=EXAMPLE.COM
  E-mail:

All the certs seem valid:

# getcert list | grep expires
expires: 2017-07-18 00:55:14 UTC
expires: 2017-07-18 00:54:14 UTC
expires: 2017-07-18 00:54:14 UTC
expires: 2017-07-18 00:54:14 UTC
expires: 2017-07-18 00:54:14 UTC
expires: 2017-08-09 00:54:19 UTC
expires: 2017-08-09 00:54:19 UTC
expires: 2017-08-09 00:54:21 UTC
#

I was wondering if I might be hitting this:

http://cp.mcafee.com/d/1jWVIi6x8SyMVuXzX0VMSrhhjhupjvvhdEEFELcFKcECPpISHoHZalxOVIsWqehMGDpMQsyGeWOPtfhktZy0GM-xEGYCXslsttJtVNxeSICPpISr9PCJhbctZ2It9RFfQe00UX7_AJKjBoHYYvhjd79IQh1ysM3d40tY8iEq8zh0qf0XUgBjwNeoalIl-BaMVsQv6QmhPPzNI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
http://cp.mcafee.com/d/5fHCNEg3zqb3BXKfI3D3pJ55d5VBdZZ4SyyCyYOCUOyrdCPqJyLQFm7bCNPFEV72GtD3hOaEXHbdQZ5hTS82H3W6yHOrJNlNRSRTD64XqOrdCPpIDeqR4INTQaNQDmA_gU03yNmmjBoHYYhod7bVIQh1ysM3d40tY8iEq8zh0qf0XUgBjwNeoalIl-BaMVsQv6QmhPPzNI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh

It says it is fixed in pki 10.2.6. 10.2.6 has been released for Fedora (many months ago), but is not yet available for enterprise.

Dennis

-----Original Message-----
From: Petr Vobornik [mailto:[email protected]]
Sent: Thursday, April 07, 2016 10:56 AM
To: Ott, Dennis; [email protected]
Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails

Sorry for the late response.

It looks like a bug http://cp.mcafee.com/d/1jWVIe4xAe3zqb3BXInd7b1EVdCQkkQnCkTTQjqaaqbParza9ISrdGSa_iBosKr7eLqaEF-waI47nQ7LQl8m7f2H3ab0Ggvhv5mtKqek4Q4hPEVwSrdCPpesRG9px1IyaiffTE-wjSvbVgDkMaA6Of08iAwsyCqekhP0US5LD4Qg1CF2IoiaCy0Qub6qAaNx85hZ0DI-nd7NJ5CZNPxI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh

But it should be fixed in pki-core-9.0.3-45.el6_7 so I'm not sure.

Anyway, java.io.IOException: 2 actually means authentication failure. The authentication problem might be caused by a missing subsystem user (bug #1225589) and there's already a tool to restore it.

However, before running the script, please run this command on the master to verify the problem:

  $ pki-server ca-group-member-find "Subsystem Group"

Ideally it should return a user ID "CA-<hostname>-9443" and the description attribute should contain the subsystem certificate in this format "<version>;<serial>;<issuer DN>;<subject DN>". If that's not the case, please run this tool to restore the subsystem user:

  $ python /usr/share/pki/scripts/restore-subsystem-user.py

Then run this command again to verify the fix:

  $ pki-server ca-group-member-find "Subsystem Group"

If everything works well, please try installing the replica again.

Also verify that all certificates in `getcert list` output are not expired.

On 03/31/2016 09:07 PM, Ott, Dennis wrote:
> Petr,
>
> Original 6.x master installed at:
>
> ipa-server-2.1.3-9
> pki-ca-9.0.3-20
>
> At the time the migration was attempted, the 6.x master had been updated to:
>
> ipa-server-3.0.0-47
> pki-ca-9.0.3-45
>
> The 7.x replica install has been attempted using a variety of versions. The log excerpts at the beginning of this email were from an installation attempt using:
>
> ipa-server-4.2.0-15.0.1
> pki-ca-10.2.5-6
>
> It's a standard CA installation. This line is from /var/log/ipaserverinstall.log showing selfsign as False:
>
> 2013-09-04T18:41:20Z DEBUG /usr/sbin/ipa-server-install was invoked with options: {'zone_refresh': 0, 'reverse_zone': None, 'realm_name': None, 'create_sshfp': True, 'conf_sshd': False, 'conf_ntp': False, 'subject': None, 'no_forwarders': False, 'persistent_search': True, 'ui_redirect': True, 'domain_name': None, 'idmax': 0, 'hbac_allow': True, 'no_reverse': False, 'dirsrv_pkcs12': None, 'unattended': False, 'selfsign': False, 'trust_sshfp': False, 'external_ca_file': None, 'no_host_dns': False, 'http_pkcs12': None, 'zone_notif': False, 'forwarders': None, 'idstart': 900000000, 'external_ca': False, 'ip_address': None, 'conf_ssh': False, 'serial_autoincrement': True, 'zonemgr': None, 'setup_dns': False, 'host_name': None, 'debug': False, 'external_cert_file': None, 'uninstall': False}
> 2013-09-04T18:41:20Z DEBUG missing options might be asked for interactively later
>
> -----Original Message-----
> From: Petr Vobornik [mailto:[email protected]]
> Sent: Tuesday, March 29, 2016 6:43 AM
> To: Ott, Dennis; [email protected]
> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails
>
> On 03/24/2016 04:29 PM, Ott, Dennis wrote:
>> I am trying to migrate from OS 6.x / IPA 3.0 to OS 7.x / IPA 4.x. After working through and solving a few issues, my current efforts fail when setting up the replica CA.
>>
>> If I set up a new, pristine master on OS 6.7, I am able to create an OS 7.x replica without any problem. However, if I try to create a replica from my two year old test lab instance (production will be another matter for the future) it fails. The test lab master was created a couple of years ago on OS 6.3 / IPA 2.x and has been upgraded to the latest versions in the 6.x chain. It is old enough to have had all the certificates renewed, but I believe I have worked through all the issues related to that.
>>
>> Below is what I believe are the useful portions of the pertinent logs. I've not been able to find anything online that speaks to the errors I am seeing.
>>
>> Thanks for your help.
>
> Hello Dennis,
>
> what are the exact versions of pki-ca and ipa-server on the 6.x master and 7.x replica?
>
> What kind of CA installation does the old 6.x master install have? Is it a standard installation with CA or does it also use an external CA?
>
> I assume it is not self-sign (very old unsupported type, which could be converted in 7.x as CA-less).
>
>>
>> /var/log/ipareplica-install.log
>>
>> 2016-03-23T21:55:11Z DEBUG Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
>> 2016-03-23T21:55:11Z DEBUG   [1/23]: creating certificate server user
>> 2016-03-23T21:55:11Z DEBUG group pkiuser exists
>> 2016-03-23T21:55:11Z DEBUG user pkiuser exists
>> 2016-03-23T21:55:11Z DEBUG   duration: 0 seconds
>> 2016-03-23T21:55:11Z DEBUG   [2/23]: configuring certificate server instance
>> 2016-03-23T21:55:11Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
>> 2016-03-23T21:55:11Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
>> 2016-03-23T21:55:11Z DEBUG Contents of pkispawn configuration file (/tmp/tmpGQ59ZC):
>>
>> [CA]
>> pki_security_domain_name = IPA
>> pki_enable_proxy = True
>> pki_restart_configured_instance = False
>> pki_backup_keys = True
>> pki_backup_password = XXXXXXXX
>> pki_profiles_in_ldap = True
>> pki_client_database_dir = /tmp/tmp-g0CKZ3
>> pki_client_database_password = XXXXXXXX
>> pki_client_database_purge = False
>> pki_client_pkcs12_password = XXXXXXXX
>> pki_admin_name = admin
>> pki_admin_uid = admin
>> pki_admin_email = root@localhost
>> pki_admin_password = XXXXXXXX
>> pki_admin_nickname = ipa-ca-agent
>> pki_admin_subject_dn = cn=ipa-ca-agent,O=EXAMPLE.COM
>> pki_client_admin_cert_p12 = /root/ca-agent.p12
>> pki_ds_ldap_port = 389
>> pki_ds_password = XXXXXXXX
>> pki_ds_base_dn = o=ipaca
>> pki_ds_database = ipaca
>> pki_subsystem_subject_dn = cn=CA Subsystem,O=EXAMPLE.COM
>> pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=EXAMPLE.COM
>> pki_ssl_server_subject_dn = cn=pt-idm-vm01.example.com,O=EXAMPLE.COM
>> pki_audit_signing_subject_dn = cn=CA Audit,O=EXAMPLE.COM
>> pki_ca_signing_subject_dn = cn=Certificate Authority,O=EXAMPLE.COM
>> pki_subsystem_nickname = subsystemCert cert-pki-ca
>> pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
>> pki_ssl_server_nickname = Server-Cert cert-pki-ca
>> pki_audit_signing_nickname = auditSigningCert cert-pki-ca
>> pki_ca_signing_nickname = caSigningCert cert-pki-ca
>> pki_ca_signing_key_algorithm = SHA256withRSA
>> pki_security_domain_hostname = ptipa1.example.com
>> pki_security_domain_https_port = 443
>> pki_security_domain_user = admin
>> pki_security_domain_password = XXXXXXXX
>> pki_clone = True
>> pki_clone_pkcs12_path = /tmp/ca.p12
>> pki_clone_pkcs12_password = XXXXXXXX
>> pki_clone_replication_security = TLS
>> pki_clone_replication_master_port = 7389
>> pki_clone_replication_clone_port = 389
>> pki_clone_replicate_schema = False
>> pki_clone_uri = http://cp.mcafee.com/d/k-Kr6zqb3VEVjouhuodCQkkQnCkTTQjqaaqbParza9ISrdGSa_iBosKrKVXMGgog82KA1N1BeTyH93t5m7hOoHH3b8GOxvQd8e89K8CPpISr9PCJhbcmD9rkuYf21_YLxIbve9Ew3di5oMAld41EYmcR8lz2gazW1fpYKqfzqaabyr1I5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
>>
>> 2016-03-23T21:55:11Z DEBUG Starting external process
>> 2016-03-23T21:55:11Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpGQ59ZC'
>> 2016-03-23T21:56:51Z DEBUG Process finished, return code=1
>> 2016-03-23T21:56:51Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160323175511.log
>> Loading deployment configuration from /tmp/tmpGQ59ZC.
>> Installing CA into /var/lib/pki/pki-tomcat.
>> Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>> Installation failed.
>>
>> 2016-03-23T21:56:51Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: http://cp.mcafee.com/d/5fHCNAi6hESyM-qekS7AnC3pJ55d5VBdZZ4SyyCyYOCUOyrdCPqJyLQFm7bCXKuYaA6420HF0sgpjJUGOgThlxQsCaWMOOaIEnZ3i3y2ry9ISrdCOsVHkiP6UDDO8cZ7ZgCjZ2JGs01PUovI_FfavpKcFBK1NIbve9Ew3di5oMAld41EYmcR8lz2gazW1fpYKqfzqaabyr1I5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
>>   InsecureRequestWarning)
>> pkispawn    : WARNING  ....... unable to validate security domain user/password through REST interface. Interface not available
>> pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
>> pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error while updating security domain: java.io.IOException: 2"}
>>
>> 2016-03-23T21:56:51Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpGQ59ZC'' returned non-zero exit status 1
>> 2016-03-23T21:56:51Z CRITICAL See the installation logs and the following files/directories for more information:
>> 2016-03-23T21:56:51Z CRITICAL   /var/log/pki-ca-install.log
>> 2016-03-23T21:56:51Z CRITICAL   /var/log/pki/pki-tomcat
>> 2016-03-23T21:56:51Z DEBUG Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
>>     run_step(full_msg, method)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
>>     method()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 620, in __spawn_instance
>>     DogtagInstance.spawn_instance(self, cfg_file)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
>>     self.handle_setup_error(e)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
>>     raise RuntimeError("%s configuration failed." % self.subsystem)
>> RuntimeError: CA configuration failed.
>>
>> 2016-03-23T21:56:51Z DEBUG   [error] RuntimeError: CA configuration failed.
>> 2016-03-23T21:56:51Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>     return_value = self.run()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311, in run
>>     cfgr.run()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 281, in run
>>     self.execute()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 303, in execute
>>     for nothing in self._executor():
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
>>     self._handle_exception(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
>>     util.raise_exc_info(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
>>     step()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
>>     raise_exc_info(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
>>     value = gen.send(prev_value)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 524, in _configure
>>     executor.next()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
>>     self._handle_exception(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in _handle_exception
>>     self.__parent._handle_exception(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
>>     util.raise_exc_info(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in _handle_exception
>>     super(ComponentBase, self)._handle_exception(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
>>     util.raise_exc_info(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
>>     step()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
>>     raise_exc_info(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
>>     value = gen.send(prev_value)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
>>     for nothing in self._installer(self.parent):
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 879, in main
>>     install(self)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 295, in decorated
>>     func(installer)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 584, in install
>>     ca.install(False, config, options)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 106, in install
>>     install_step_0(standalone, replica_config, options)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 130, in install_step_0
>>     ra_p12=getattr(options, 'ra_p12', None))
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1543, in install_replica_ca
>>     subject_base=config.subject_base)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 486, in configure_instance
>>     self.start_creation(runtime=210)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
>>     run_step(full_msg, method)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
>>     method()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 620, in __spawn_instance
>>     DogtagInstance.spawn_instance(self, cfg_file)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
>>     self.handle_setup_error(e)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
>>     raise RuntimeError("%s configuration failed." % self.subsystem)
>>
>> 2016-03-23T21:56:51Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: CA configuration failed.
>> 2016-03-23T21:56:51Z ERROR CA configuration failed.
>>
>> /var/log/pki/pki-ca-spawn.<date>.log
>>
>> 2016-03-23 17:55:12 pkispawn : INFO ....... rm -f /etc/pki/pki-tomcat/ca/noise
>> 2016-03-23 17:55:12 pkispawn : INFO ....... rm -f /etc/pki/pki-tomcat/pfile
>> 2016-03-23 17:55:12 pkispawn : INFO ....... ln -s /lib/systemd/system/pki-tomcatd@.service /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service
>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown -h 17:17 /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service
>> 2016-03-23 17:55:12 pkispawn : INFO ... configuring 'pki.server.deployment.scriptlets.configuration'
>> 2016-03-23 17:55:12 pkispawn : INFO ....... mkdir -p /root/.dogtag/pki-tomcat/ca
>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chmod 755 /root/.dogtag/pki-tomcat/ca
>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown 0:0 /root/.dogtag/pki-tomcat/ca
>> 2016-03-23 17:55:12 pkispawn : INFO ....... generating '/root/.dogtag/pki-tomcat/ca/password.conf'
>> 2016-03-23 17:55:12 pkispawn : INFO ....... modifying '/root/.dogtag/pki-tomcat/ca/password.conf'
>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chmod 660 /root/.dogtag/pki-tomcat/ca/password.conf
>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown 0:0 /root/.dogtag/pki-tomcat/ca/password.conf
>> 2016-03-23 17:55:12 pkispawn : INFO ....... generating '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
>> 2016-03-23 17:55:12 pkispawn : INFO ....... modifying '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chmod 660 /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown 17:17 /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
>> 2016-03-23 17:55:12 pkispawn : INFO ....... executing 'certutil -N -d /tmp/tmp-g0CKZ3 -f /root/.dogtag/pki-tomcat/ca/password.conf'
>> 2016-03-23 17:55:12 pkispawn : INFO ....... executing 'systemctl daemon-reload'
>> 2016-03-23 17:55:12 pkispawn : INFO ....... executing 'systemctl start pki-tomcatd@pki-tomcat.service'
>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... No connection - server may still be down
>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
>> 2016-03-23 17:55:13 pkispawn : DEBUG ........... No connection - server may still be down
>> 2016-03-23 17:55:13 pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
>> 2016-03-23 17:55:24 pkispawn : DEBUG ........... <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status>running</Status><Version>10.2.5-6.el7</Version></XMLResponse>
>> 2016-03-23 17:55:25 pkispawn : INFO ....... constructing PKI configuration data.
>> 2016-03-23 17:55:25 pkispawn : INFO ....... configuring PKI configuration data.
>> 2016-03-23 17:56:51 pkispawn : ERROR ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
>> 2016-03-23 17:56:51 pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error while updating security domain: java.io.IOException: 2"}
>> 2016-03-23 17:56:51 pkispawn : DEBUG ....... Error Type: ParseError
>> 2016-03-23 17:56:51 pkispawn : DEBUG ....... Error Message: not well-formed (invalid token): line 1, column 0
>> 2016-03-23 17:56:51 pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", line 597, in main
>>     rv = instance.spawn(deployer)
>>   File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 116, in spawn
>>     json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
>>   File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3906, in configure_pki_data
>>     root = ET.fromstring(e.response.text)
>>   File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML
>>     parser.feed(text)
>>   File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed
>>     self._raiseerror(v)
>>   File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in _raiseerror
>>     raise err
>>
>> /var/log/pki/pki-tomcat/ca/debug
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password ok: store in memory cache
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init ends
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: errorIfDown false
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP connection using basic authentication to host pt-idm-vm01.example.com port 389 as cn=Directory Manager
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with mininum 3 and maximum 15 connections to host pt-idm-vm01.example.com port 389, secure connection, false, authentication type 1
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum connections by 3
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available connections 3
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of connections 3
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In LdapBoundConnFactory::getConn()
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: true
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is connected true
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now 2
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS: param=preop.internaldb.manager_ldif
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file = /usr/share/pki/server/conf/manager.ldif
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file copy to /var/lib/pki/pki-tomcat/ca/conf/manager.ldif
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): LDAP Errors in importing /var/lib/pki/pki-tomcat/ca/conf/manager.ldif
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in adding entry ou=csusers,cn=config:netscape.ldap.LDAPException: error result (68)
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in modifying entry o=ipaca:netscape.ldap.LDAPException: error result (20)
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: populateVLVIndexes(): start
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Creating LdapBoundConnFactor(ConfigurationUtils)
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapBoundConnFactory: init
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapBoundConnFactory:doCloning true
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init()
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init begins
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: prompt is internaldb
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: try getting from memory cache
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: got password from memory
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: password found for prompt.
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password ok: store in memory cache
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init ends
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: errorIfDown false
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP connection using basic authentication to host pt-idm-vm01.example.com port 389 as cn=Directory Manager
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with mininum 3 and maximum 15 connections to host pt-idm-vm01.example.com port 389, secure connection, false, authentication type 1
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum connections by 3
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available connections 3
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of connections 3
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In LdapBoundConnFactory::getConn()
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: true
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is connected true
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now 2
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS: param=preop.internaldb.post_ldif
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file = /usr/share/pki/ca/conf/vlv.ldif
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file copy to /var/lib/pki/pki-tomcat/ca/conf/vlv.ldif
>> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif file = /usr/share/pki/ca/conf/vlvtasks.ldif
>> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif file copy to /var/lib/pki/pki-tomcat/ca/conf/vlvtasks.ldif
>> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: Checking wait_dn cn=index1160589769, cn=index, cn=tasks, cn=config
>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: Found data for 'sslserver'
>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: SystemConfigService:processCerts(): san_server_cert not found for tag sslserver
>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is local
>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is remote (revised)
>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: updateConfig() for certTag sslserver
>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: updateConfig() done
>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: remote CA
>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got public key
>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got private key
>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: For this Cloned CA, always use its Master CA to generate the 'sslserver' certificate to avoid any changes which may have been made to the X500Name directory string encoding order.
>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: ConfigurationUtils: injectSAN=false
>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertUtil createRemoteCert: content requestor_name=CA-pt-idm-vm01.example.com-8443&profileId=caInternalAuthServerCert&cert_request_type=pkcs10&cert_request=MIICmzCCAYxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxrD6JPIBR7AA%3D&xmlOutput=true&sessionID=-4495713718673639316
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil createRemoteCert: status=0
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil createRemoteCert: MIIDxTCCAq2gxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxTDuSAWm2v7
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: ConfigurationUtils: handleCertRequest() begins
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: tag=sslserver
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: privKeyID=29c021f3ccfafb1049bd33ce00e9b4ba35f2c1e7
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: created cert request
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processing 'sslserver' certificate:
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): for cert tag 'sslserver' using cert type 'remote'
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): process remote...import cert
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: nickname=Server-Cert cert-pki-ca
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: cert deleted successfully
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): certchains length=2
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): import certificate successfully, certTag=sslserver
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processed 'sslserver' certificate.
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === BackupKeyCert Panel/SavePKCS12 Panel ===
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: backupKeys(): start
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Admin Panel ===
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Done Panel ===
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Updating existing security domain
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: isSDHostDomainMaster(): Getting domain.xml from CA...
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: getDomainXML start
>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: status=0
>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: domainInfo=<?xml version="1.0" encoding="UTF-8" standalone="no"?><DomainInfo><Name>IPA</Name><CAList><CA><Host>ptipa1.example.com</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><UnSecurePort>80</UnSecurePort><Clone>FALSE</Clone><SubsystemName>pki-cad</SubsystemName><DomainManager>TRUE</DomainManager></CA><SubsystemCount>1</SubsystemCount></CAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><RAList><SubsystemCount>0</SubsystemCount></RAList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo>
>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Cloning a domain master
>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML start hostname=ptipa1.example.com port=443
>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: failed to update security domain using admin port 443: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: now trying agent port with client auth
>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML start hostname=ptipa1.example.com port=443
>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateDomainXML() nickname=subsystemCert cert-pki-ca
>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML: status=1
>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Error while updating security domain: java.io.IOException: 2
>> [23/Mar/2016:23:44:52][http-bio-8080-exec-1]: according to ccMode, authorization for servlet: caProfileList is LDAP based, not XML {1}, use default authz mgr: {2}.
>>
>> /var/log/pki/pki-tomcat/ca/system
>>
>> 0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
>> 0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
>>
>> *Dennis M Ott*
>> Infrastructure Administrator
>> Infrastructure and Security Operations
>>
>> *McKesson Corporation
>> McKesson Pharmacy Systems and Automation*
>> www.mckesson.com <http://www.mckesson.com/>
>>
>
> --
> Petr Vobornik

--
Petr Vobornik

--
Manage your subscription for the Freeipa-users mailing list:
http://cp.mcafee.com/d/5fHCMUe6gUSyMVuXzX0VMSrhhjhupjvvhdEEFELcFKcECPpISHoHZalxOVIsWqehMGDpMQsyGeWOPtfhktZy0GM-xEGYCXslsttJtVNxeSICPpISr9PCJhbcat7Q2uPVv1dnoovaAVgtHzIv-iSBSWv6xIQh1ysM3d40tY8iEq8zh0qf0XUgBjwNeoalIl-BaMVsQv6QmhPPzNI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
Go to http://cp.mcafee.com/d/FZsSd3gArhosLtNZwsUrdEEFELcFLLECQkkQnCkT6kjpISrlIl-BaMVsSetd78UljIUqehl7tppKDEGe-N0lovgQlujtKaKeKSKYUMDrmjpISrdw0To_YBJU03xIQh1ysM3d40tY8iEq8zh0qf0XUgBjwNeoalIl-BaMVsQv6QmhPPzNI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh for more info on the project

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
