On 04/15/2016 05:13 PM, Ott, Dennis wrote:
> My master began life as OS 6.2 / IPA 2.1.3 / pki-9.0.3 and does not have a
> cert database at:
>
> /etc/pki/pki-tomcat/alias
>
> At:
>
> /var/lib/pki-ca/alias

right

> subsystemCert cert-pki-ca has a serial number of 18 (0x12)
>
> At:
>
> uid=CA-$HOST-8443,ou=people,o=ipaca
>
> the certificate has a serial number of 4.
>
>
> What is the best way to fix this?
>
> If it matters, the master installation is old enough to have had its certs
> auto-renewed.

Yes, certs were renewed but the PKI user entry was not which causes the issue.
This has been seen on very old IPA installations.

1) Login into IPA Master (RHEL 6) - as root.

2) Redirect "subsystemCert cert-pki-ca" to a file.

# certutil -L -d /var/lib/pki-ca/alias/ -n "subsystemCert cert-pki-ca" -a > /tmp/subsystemcert.pem

3) Drop the header/footer and combine this into a single line.

# echo && cat /tmp/subsystemcert.pem | sed -rn '/^-----BEGIN CERTIFICATE-----$/{:1;n;/^-----END CERTIFICATE-----$/b2;H;b1};:2;${x;s/\s//g;p}'

4) String generated in step 3 needs to be added under attribute "usercertificate;binary:" below.

===================================================================================
# ldapmodify -x -h 127.0.0.1 -p 7389 -D 'cn=Directory Manager' -W << EOF
dn: uid=CA-ptipa1.example.com-9443,ou=people,o=ipaca
changetype: modify
add: usercertificate;binary
usercertificate;binary: MIIDyTCCAr..Y4EKCneFA== <-- ADD the full string from step 3.
-
replace: description
description: 2;18;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA Subsystem,O=EXAMPLE.COM
EOF
===================================================================================

Note: the description field attribute has format: <version_number - always 2>:<serial number>:<issuer subjectdn>:<cert subjectdn>

5) Once the above command is successful restart IPA service

# service ipa restart

6) Check if the mapping is now correct.

# pki-server ca-user-show CA-ptipa1.example.com-9443 | egrep "User ID|Description"

>
> Dennis
>
>
> -----Original Message-----
> From: Petr Vobornik [mailto:pvobo...@redhat.com]
> Sent: Friday, April 15, 2016 10:06 AM
> To: Ott, Dennis; Freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails
>
> On 04/15/2016 03:51 PM, Ott, Dennis wrote:
>> Looks like we're out of ideas.
>>
>> I'll proceed with Plan B.
>>
>
> A possibility is also to check if
>
> Serial number of
>
> certutil -d /etc/pki/pki-tomcat/alias -L -n 'subsystemCert cert-pki-ca'
>
> matches serial number of the cert below (4) and if
>
> uid=CA-$HOST-8443,ou=people,o=ipaca
>
> has actually the same cert in userCertificate attribute
>
> Or maybe to do the same with other PKI users in ou=people,o=ipaca
>
>> -----Original Message-----
>> From: Ott, Dennis
>> Sent: Monday, April 11, 2016 12:27 PM
>> To: Ott, Dennis; Petr Vobornik; Freeipa-users@redhat.com
>> Subject: RE: [Freeipa-users] 7.x replica install from 6.x master fails
>>
>> As a test, I attempted to do a replica install on a Fedora 23 machine. It
>> fails with the same error.
>>
>> Dennis
>>
>>
>>
>> -----Original Message-----
>> From: freeipa-users-boun...@redhat.com
>> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ott, Dennis
>> Sent: Thursday, April 07, 2016 5:39 PM
>> To: Petr Vobornik; Freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails
>>
>> It doesn't look like that is my problem.
>> The output of pki-server ca-group-member-find "Subsystem Group" gives:
>>
>>
>> User ID: CA-ptipa1.example.com-9443
>> Common Name: CA-ptipa1.example.com-9443
>> Surname: CA-ptipa1.example.com-9443
>> Type: agentType
>> Description: 2;4;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA Subsystem,O=EXAMPLE.COM
>> E-mail:
>>
>> All the certs seem valid:
>>
>> # getcert list | grep expires
>> expires: 2017-07-18 00:55:14 UTC
>> expires: 2017-07-18 00:54:14 UTC
>> expires: 2017-07-18 00:54:14 UTC
>> expires: 2017-07-18 00:54:14 UTC
>> expires: 2017-07-18 00:54:14 UTC
>> expires: 2017-08-09 00:54:19 UTC
>> expires: 2017-08-09 00:54:19 UTC
>> expires: 2017-08-09 00:54:21 UTC
>> #
>>
>> I was wondering if I might be hitting this:
>>
>> http://cp.mcafee.com/d/1jWVIi6x8SyMVuXzX0VMSrhhjhupjvvhdEEFELcFKcECPpI
>> SHoHZalxOVIsWqehMGDpMQsyGeWOPtfhktZy0GM-xEGYCXslsttJtVNxeSICPpISr9PCJh
>> bctZ2It9RFfQe00UX7_AJKjBoHYYvhjd79IQh1ysM3d40tY8iEq8zh0qf0XUgBjwNeoalI
>> l-BaMVsQv6QmhPPzNI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh
>> 0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
>> http://cp.mcafee.com/d/5fHCNEg3zqb3BXKfI3D3pJ55d5VBdZZ4SyyCyYOCUOyrdCP
>> qJyLQFm7bCNPFEV72GtD3hOaEXHbdQZ5hTS82H3W6yHOrJNlNRSRTD64XqOrdCPpIDeqR4
>> INTQaNQDmA_gU03yNmmjBoHYYhod7bVIQh1ysM3d40tY8iEq8zh0qf0XUgBjwNeoalIl-B
>> aMVsQv6QmhPPzNI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VM
>> uq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
>>
>> It says it is fixed in pki 10.2.6. 10.2.6 has been released for Fedora (many
>> months ago), but is not yet available for enterprise.
>>
>> Dennis
>>
>>
>>
>>
>> -----Original Message-----
>> From: Petr Vobornik [mailto:pvobo...@redhat.com]
>> Sent: Thursday, April 07, 2016 10:56 AM
>> To: Ott, Dennis; Freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails
>>
>> Sorry for the late response.
>>
>> It looks like a bug
>> http://cp.mcafee.com/d/1jWVIe4xAe3zqb3BXInd7b1EVdCQkkQnCkTTQjqaaqbParz
>> a9ISrdGSa_iBosKr7eLqaEF-waI47nQ7LQl8m7f2H3ab0Ggvhv5mtKqek4Q4hPEVwSrdCP
>> pesRG9px1IyaiffTE-wjSvbVgDkMaA6Of08iAwsyCqekhP0US5LD4Qg1CF2IoiaCy0Qub6
>> qAaNx85hZ0DI-nd7NJ5CZNPxI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDC
>> y1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
>> But it should be fixed in pki-core-9.0.3-45.el6_7 so I'm not sure.
>>
>> Anyway,
>> java.io.IOException: 2 actually means authentication failure.
>>
>> The authentication problem might be caused by a missing subsystem user
>> (bug #1225589) and there's already a tool to restore it. However,
>> before running the script, please run this command on the master to
>> verify the
>> problem:
>>
>> $ pki-server ca-group-member-find "Subsystem Group"
>>
>> Ideally it should return a user ID "CA-<hostname>-9443" and the description
>> attribute should contain the subsystem certificate in this format
>> "<version>;<serial>;<issuer DN>;<subject DN>".
>>
>> If that's not the case, please run this tool to restore the subsystem user:
>>
>> $ python /usr/share/pki/scripts/restore-subsystem-user.py
>>
>> Then run this command again to verify the fix:
>>
>> $ pki-server ca-group-member-find "Subsystem Group"
>>
>> If everything works well, please try installing the replica again.
>>
>> Also verify that all certificates in `getcert list` output are not expired.
>>
>>
>> On 03/31/2016 09:07 PM, Ott, Dennis wrote:
>>> Petr,
>>>
>>> Original 6.x master installed at:
>>>
>>> ipa-server-2.1.3-9
>>>
>>> pki-ca-9.0.3-20
>>>
>>>
>>> At the time the migration was attempted, the 6.x master had been updated to:
>>>
>>> ipa-server-3.0.0-47
>>>
>>> pki-ca-9.0.3-45
>>>
>>>
>>> The 7.x replica install has been attempted using a variety of versions.
>>> The log excerpts at the beginning of this email were from an installation
>>> attempt using:
>>>
>>> ipa-server-4.2.0-15.0.1
>>>
>>> pki-ca-10.2.5-6
>>>
>>>
>>> It's a standard CA installation. This line is from
>>> /var/log/ipaserverinstall.log showing selfsign as False:
>>>
>>> 2013-09-04T18:41:20Z DEBUG /usr/sbin/ipa-server-install was invoked
>>> with options: {'zone_refresh': 0, 'reverse_zone': None, 'realm_name':
>>> None, 'create_sshfp': True, 'conf_sshd': False, 'conf_ntp': False,
>>> 'subject': None, 'no_forwarders': False, 'persistent_search': True,
>>> 'ui_redirect': True, 'domain_name': None, 'idmax': 0, 'hbac_allow':
>>> True, 'no_reverse': False, 'dirsrv_pkcs12': None, 'unattended':
>>> False,
>>> 'selfsign': False, 'trust_sshfp': False, 'external_ca_file': None,
>>> 'no_host_dns': False, 'http_pkcs12': None, 'zone_notif': False,
>>> 'forwarders': None, 'idstart': 900000000, 'external_ca': False,
>>> 'ip_address': None, 'conf_ssh': False, 'serial_autoincrement': True,
>>> 'zonemgr': None, 'setup_dns': False, 'host_name': None, 'debug':
>>> False, 'external_cert_file': None, 'uninstall': False}
>>> 2013-09-04T18:41:20Z DEBUG missing options might be asked for
>>> interactively later
>>>
>>>
>>> -----Original Message-----
>>> From: Petr Vobornik [mailto:pvobo...@redhat.com]
>>> Sent: Tuesday, March 29, 2016 6:43 AM
>>> To: Ott, Dennis; Freeipa-users@redhat.com
>>> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master
>>> fails
>>>
>>> On 03/24/2016 04:29 PM, Ott, Dennis wrote:
>>>> I am trying to migrate from OS 6.x / IPA 3.0 to OS 7.x / IPA 4.x.
>>>> After working through and solving a few issues, my current efforts
>>>> fail when setting up the replica CA.
>>>>
>>>> If I set up a new, pristine master on OS 6.7, I am able to create an
>>>> OS 7.x replica without any problem. However, if I try to create a
>>>> replica from my two year old test lab instance (production will be
>>>> another matter for the future) it fails.
>>>> The test lab master was
>>>> created a couple of years ago on OS 6.3 / IPA 2.x and has been
>>>> upgraded to the latest versions in the 6.x chain. It is old enough
>>>> to have had all the certificates renewed, but I believe I have worked
>>>> through all the issues related to that.
>>>>
>>>> Below is what I believe are the useful portions of the pertinent logs.
>>>> I’ve not been able to find anything online that speaks to the errors
>>>> I am seeing
>>>>
>>>> Thanks for your help.
>>>
>>> Hello Dennis,
>>>
>>> what are the exact versions of pki-ca and ipa-server on the 6.x master and
>>> 7.x replica?
>>>
>>> What kind of CA installation does the old 6.x master install have? Is
>>> standard installation with CA or does it also use external CA?
>>>
>>> I assume it is not self-sign (very old unsupported type, which could be
>>> converted in 7.x as CA-less).
>>>
>>>>
>>>> /var/log/ipareplica-install.log
>>>>
>>>> 2016-03-23T21:55:11Z DEBUG Configuring certificate server (pki-tomcatd).
>>>> Estimated time: 3 minutes 30 seconds
>>>>
>>>> 2016-03-23T21:55:11Z DEBUG [1/23]: creating certificate server user
>>>>
>>>> 2016-03-23T21:55:11Z DEBUG group pkiuser exists
>>>>
>>>> 2016-03-23T21:55:11Z DEBUG user pkiuser exists
>>>>
>>>> 2016-03-23T21:55:11Z DEBUG duration: 0 seconds
>>>>
>>>> 2016-03-23T21:55:11Z DEBUG [2/23]: configuring certificate server
>>>> instance
>>>>
>>>> 2016-03-23T21:55:11Z DEBUG Loading StateFile from
>>>> '/var/lib/ipa/sysrestore/sysrestore.state'
>>>>
>>>> 2016-03-23T21:55:11Z DEBUG Saving StateFile to
>>>> '/var/lib/ipa/sysrestore/sysrestore.state'
>>>>
>>>> 2016-03-23T21:55:11Z DEBUG Contents of pkispawn configuration file
>>>> (/tmp/tmpGQ59ZC):
>>>>
>>>> [CA]
>>>>
>>>> pki_security_domain_name = IPA
>>>>
>>>> pki_enable_proxy = True
>>>>
>>>> pki_restart_configured_instance = False
>>>>
>>>> pki_backup_keys = True
>>>>
>>>> pki_backup_password = XXXXXXXX
>>>>
>>>> pki_profiles_in_ldap = True
>>>>
>>>> pki_client_database_dir = /tmp/tmp-g0CKZ3
>>>> >>>> pki_client_database_password = XXXXXXXX >>>> >>>> pki_client_database_purge = False >>>> >>>> pki_client_pkcs12_password = XXXXXXXX >>>> >>>> pki_admin_name = admin >>>> >>>> pki_admin_uid = admin >>>> >>>> pki_admin_email = root@localhost >>>> >>>> pki_admin_password = XXXXXXXX >>>> >>>> pki_admin_nickname = ipa-ca-agent >>>> >>>> pki_admin_subject_dn = cn=ipa-ca-agent,O=EXAMPLE.COM >>>> >>>> pki_client_admin_cert_p12 = /root/ca-agent.p12 >>>> >>>> pki_ds_ldap_port = 389 >>>> >>>> pki_ds_password = XXXXXXXX >>>> >>>> pki_ds_base_dn = o=ipaca >>>> >>>> pki_ds_database = ipaca >>>> >>>> pki_subsystem_subject_dn = cn=CA Subsystem,O=EXAMPLE.COM >>>> >>>> pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=EXAMPLE.COM >>>> >>>> pki_ssl_server_subject_dn = cn=pt-idm-vm01.example.com,O=EXAMPLE.COM >>>> >>>> pki_audit_signing_subject_dn = cn=CA Audit,O=EXAMPLE.COM >>>> >>>> pki_ca_signing_subject_dn = cn=Certificate Authority,O=EXAMPLE.COM >>>> >>>> pki_subsystem_nickname = subsystemCert cert-pki-ca >>>> >>>> pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca >>>> >>>> pki_ssl_server_nickname = Server-Cert cert-pki-ca >>>> >>>> pki_audit_signing_nickname = auditSigningCert cert-pki-ca >>>> >>>> pki_ca_signing_nickname = caSigningCert cert-pki-ca >>>> >>>> pki_ca_signing_key_algorithm = SHA256withRSA >>>> >>>> pki_security_domain_hostname = ptipa1.example.com >>>> >>>> pki_security_domain_https_port = 443 >>>> >>>> pki_security_domain_user = admin >>>> >>>> pki_security_domain_password = XXXXXXXX >>>> >>>> pki_clone = True >>>> >>>> pki_clone_pkcs12_path = /tmp/ca.p12 >>>> >>>> pki_clone_pkcs12_password = XXXXXXXX >>>> >>>> pki_clone_replication_security = TLS >>>> >>>> pki_clone_replication_master_port = 7389 >>>> >>>> pki_clone_replication_clone_port = 389 >>>> >>>> pki_clone_replicate_schema = False >>>> >>>> pki_clone_uri = >>>> http://cp.mcafee.com/d/k-Kr6zqb3VEVjouhuodCQkkQnCkTTQjqaaqbParza9ISr >>>> d >>>> G >>>> 
Sa_iBosKrKVXMGgog82KA1N1BeTyH93t5m7hOoHH3b8GOxvQd8e89K8CPpISr9PCJhbc >>>> m >>>> D >>>> 9rkuYf21_YLxIbve9Ew3di5oMAld41EYmcR8lz2gazW1fpYKqfzqaabyr1I5-Aq83iSb >>>> N >>>> _ >>>> VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNK >>>> V >>>> J >>>> USyrh >>>> >>>> 2016-03-23T21:55:11Z DEBUG Starting external process >>>> >>>> 2016-03-23T21:55:11Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' >>>> '/tmp/tmpGQ59ZC' >>>> >>>> 2016-03-23T21:56:51Z DEBUG Process finished, return code=1 >>>> >>>> 2016-03-23T21:56:51Z DEBUG stdout=Log file: >>>> /var/log/pki/pki-ca-spawn.20160323175511.log >>>> >>>> Loading deployment configuration from /tmp/tmpGQ59ZC. >>>> >>>> Installing CA into /var/lib/pki/pki-tomcat. >>>> >>>> Storing deployment configuration into >>>> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg. >>>> >>>> Installation failed. >>>> >>>> 2016-03-23T21:56:51Z DEBUG >>>> stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: >>>> InsecureRequestWarning: Unverified HTTPS request is being made. >>>> Adding certificate verification is strongly advised. See: >>>> http://cp.mcafee.com/d/5fHCNAi6hESyM-qekS7AnC3pJ55d5VBdZZ4SyyCyYOCUO >>>> y >>>> r >>>> dCPqJyLQFm7bCXKuYaA6420HF0sgpjJUGOgThlxQsCaWMOOaIEnZ3i3y2ry9ISrdCOsV >>>> H >>>> k >>>> iP6UDDO8cZ7ZgCjZ2JGs01PUovI_FfavpKcFBK1NIbve9Ew3di5oMAld41EYmcR8lz2g >>>> a >>>> z >>>> W1fpYKqfzqaabyr1I5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdlj >>>> h >>>> 0 >>>> VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh >>>> >>>> InsecureRequestWarning) >>>> >>>> pkispawn : WARNING ....... unable to validate security domain >>>> user/password >>>> through REST interface. Interface not available >>>> >>>> pkispawn : ERROR ....... Exception from Java Configuration Servlet: >>>> 500 >>>> Server Error: Internal Server Error >>>> >>>> pkispawn : ERROR ....... ParseError: not well-formed (invalid >>>> token): line >>>> 1, column 0: >>>> {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base. 
>>>> PKIException","Code":500,"Message":"Error >>>> while updating security domain: java.io.IOException: 2"} >>>> >>>> 2016-03-23T21:56:51Z CRITICAL Failed to configure CA instance: >>>> Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpGQ59ZC'' >>>> returned non-zero exit status 1 >>>> >>>> 2016-03-23T21:56:51Z CRITICAL See the installation logs and the >>>> following files/directories for more information: >>>> >>>> 2016-03-23T21:56:51Z CRITICAL /var/log/pki-ca-install.log >>>> >>>> 2016-03-23T21:56:51Z CRITICAL /var/log/pki/pki-tomcat >>>> >>>> 2016-03-23T21:56:51Z DEBUG Traceback (most recent call last): >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>> line 418, in start_creation >>>> >>>> run_step(full_msg, method) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>> line 408, in run_step >>>> >>>> method() >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >>>> line 620, in __spawn_instance >>>> >>>> DogtagInstance.spawn_instance(self, cfg_file) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py" >>>> , >>>> line 201, in spawn_instance >>>> >>>> self.handle_setup_error(e) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py" >>>> , >>>> line 465, in handle_setup_error >>>> >>>> raise RuntimeError("%s configuration failed." % >>>> self.subsystem) >>>> >>>> RuntimeError: CA configuration failed. >>>> >>>> 2016-03-23T21:56:51Z DEBUG [error] RuntimeError: CA configuration failed. 
>>>> >>>> 2016-03-23T21:56:51Z DEBUG File >>>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, >>>> in execute >>>> >>>> return_value = self.run() >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", >>>> line 311, in run >>>> >>>> cfgr.run() >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 281, in run >>>> >>>> self.execute() >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 303, in execute >>>> >>>> for nothing in self._executor(): >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 343, in __runner >>>> >>>> self._handle_exception(exc_info) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 365, in _handle_exception >>>> >>>> util.raise_exc_info(exc_info) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 333, in __runner >>>> >>>> step() >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >>>> line 87, in run_generator_with_yield_from >>>> >>>> raise_exc_info(exc_info) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >>>> line 65, in run_generator_with_yield_from >>>> >>>> value = gen.send(prev_value) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 524, in _configure >>>> >>>> executor.next() >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 343, in __runner >>>> >>>> self._handle_exception(exc_info) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 421, in _handle_exception >>>> >>>> self.__parent._handle_exception(exc_info) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 365, in _handle_exception >>>> >>>> util.raise_exc_info(exc_info) >>>> >>>> File >>>> 
"/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 418, in _handle_exception >>>> >>>> super(ComponentBase, self)._handle_exception(exc_info) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 365, in _handle_exception >>>> >>>> util.raise_exc_info(exc_info) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 333, in __runner >>>> >>>> step() >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >>>> line 87, in run_generator_with_yield_from >>>> >>>> raise_exc_info(exc_info) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >>>> line 65, in run_generator_with_yield_from >>>> >>>> value = gen.send(prev_value) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line >>>> 63, in _install >>>> >>>> for nothing in self._installer(self.parent): >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicain >>>> s >>>> t >>>> all.py", >>>> line 879, in main >>>> >>>> install(self) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicain >>>> s >>>> t >>>> all.py", >>>> line 295, in decorated >>>> >>>> func(installer) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicain >>>> s >>>> t >>>> all.py", >>>> line 584, in install >>>> >>>> ca.install(False, config, options) >>>> >>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", >>>> line 106, in install >>>> >>>> install_step_0(standalone, replica_config, options) >>>> >>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", >>>> line 130, in >>>> install_step_0 >>>> >>>> ra_p12=getattr(options, 'ra_p12', None)) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >>>> line 1543, in install_replica_ca >>>> >>>> subject_base=config.subject_base) >>>> >>>> File >>>> 
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >>>> line 486, in configure_instance >>>> >>>> self.start_creation(runtime=210) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>> line 418, in start_creation >>>> >>>> run_step(full_msg, method) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>> line 408, in run_step >>>> >>>> method() >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >>>> line 620, in __spawn_instance >>>> >>>> DogtagInstance.spawn_instance(self, cfg_file) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py" >>>> , >>>> line 201, in spawn_instance >>>> >>>> self.handle_setup_error(e) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py" >>>> , >>>> line 465, in handle_setup_error >>>> >>>> raise RuntimeError("%s configuration failed." % >>>> self.subsystem) >>>> >>>> 2016-03-23T21:56:51Z DEBUG The ipa-replica-install command failed, >>>> exception: >>>> RuntimeError: CA configuration failed. >>>> >>>> 2016-03-23T21:56:51Z ERROR CA configuration failed. >>>> >>>> /var/log/pki/pki-ca-spawn.<date>.log >>>> >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... rm -f >>>> /etc/pki/pki-tomcat/ca/noise >>>> >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... rm -f >>>> /etc/pki/pki-tomcat/pfile >>>> >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... ln -s >>>> /lib/systemd/system/pki-tomcatd@.service >>>> /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat. >>>> s >>>> e >>>> rvice >>>> >>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown -h 17:17 >>>> /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat. >>>> s >>>> e >>>> rvice >>>> >>>> 2016-03-23 17:55:12 pkispawn : INFO ... configuring >>>> 'pki.server.deployment.scriptlets.configuration' >>>> >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... 
mkdir -p >>>> /root/.dogtag/pki-tomcat/ca >>>> >>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chmod 755 >>>> /root/.dogtag/pki-tomcat/ca >>>> >>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown 0:0 >>>> /root/.dogtag/pki-tomcat/ca >>>> >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... generating >>>> '/root/.dogtag/pki-tomcat/ca/password.conf' >>>> >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... modifying >>>> '/root/.dogtag/pki-tomcat/ca/password.conf' >>>> >>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chmod 660 >>>> /root/.dogtag/pki-tomcat/ca/password.conf >>>> >>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown 0:0 >>>> /root/.dogtag/pki-tomcat/ca/password.conf >>>> >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... generating >>>> '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf' >>>> >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... modifying >>>> '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf' >>>> >>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chmod 660 >>>> /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf >>>> >>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown 17:17 >>>> /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf >>>> >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... executing 'certutil -N >>>> -d >>>> /tmp/tmp-g0CKZ3 -f /root/.dogtag/pki-tomcat/ca/password.conf' >>>> >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... executing 'systemctl >>>> daemon-reload' >>>> >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... executing 'systemctl >>>> start >>>> pki-tomcatd@pki-tomcat.service' >>>> >>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... No connection - >>>> server >>>> may still be down >>>> >>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... No connection - >>>> exception >>>> thrown: ('Connection aborted.', error(111, 'Connection refused')) >>>> >>>> 2016-03-23 17:55:13 pkispawn : DEBUG ........... 
No connection - >>>> server >>>> may still be down >>>> >>>> 2016-03-23 17:55:13 pkispawn : DEBUG ........... No connection - >>>> exception >>>> thrown: ('Connection aborted.', error(111, 'Connection refused')) >>>> >>>> 2016-03-23 17:55:24 pkispawn : DEBUG ........... <?xml version="1.0" >>>> encoding="UTF-8" >>>> standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status >>>>> r unning</Status><Version>10.2.5-6.el7</Version></XMLResponse> >>>> >>>> 2016-03-23 17:55:25 pkispawn : INFO ....... constructing PKI >>>> configuration data. >>>> >>>> 2016-03-23 17:55:25 pkispawn : INFO ....... configuring PKI >>>> configuration >>>> data. >>>> >>>> 2016-03-23 17:56:51 pkispawn : ERROR ....... Exception from Java >>>> Configuration Servlet: 500 Server Error: Internal Server Error >>>> >>>> 2016-03-23 17:56:51 pkispawn : ERROR ....... ParseError: not >>>> well-formed >>>> (invalid token): line 1, column 0: >>>> {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base. >>>> PKIException","Code":500,"Message":"Error >>>> while updating security domain: java.io.IOException: 2"} >>>> >>>> 2016-03-23 17:56:51 pkispawn : DEBUG ....... Error Type: ParseError >>>> >>>> 2016-03-23 17:56:51 pkispawn : DEBUG ....... Error Message: not >>>> well-formed (invalid token): line 1, column 0 >>>> >>>> 2016-03-23 17:56:51 pkispawn : DEBUG ....... 
File >>>> "/usr/sbin/pkispawn", >>>> line 597, in main >>>> >>>> rv = instance.spawn(deployer) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/c >>>> o >>>> n >>>> figuration.py", >>>> line 116, in spawn >>>> >>>> json.dumps(data, cls=pki.encoder.CustomTypeEncoder)) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py" >>>> , >>>> line 3906, in configure_pki_data >>>> >>>> root = ET.fromstring(e.response.text) >>>> >>>> File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, >>>> in XML >>>> >>>> parser.feed(text) >>>> >>>> File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, >>>> in feed >>>> >>>> self._raiseerror(v) >>>> >>>> File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, >>>> in _raiseerror >>>> >>>> raise err >>>> >>>> /var/log/pki/pki-tomcat/ca/debug >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password >>>> ok: store in memory cache >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init >>>> ends >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before >>>> makeConnection errorIfDown is false >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: >>>> errorIfDown false >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP >>>> connection using basic authentication to host >>>> pt-idm-vm01.example.com port 389 as cn=Directory Manager >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with >>>> mininum 3 and maximum 15 connections to host pt-idm-vm01.example.com >>>> port 389, secure connection, false, authentication type 1 >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum >>>> connections by 3 >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available >>>> connections 3 >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of >>>> connections 3 >>>> >>>> 
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In >>>> LdapBoundConnFactory::getConn() >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: >>>> true >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is >>>> connected true >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now >>>> 2 >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS: >>>> param=preop.internaldb.manager_ldif >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif >>>> file = /usr/share/pki/server/conf/manager.ldif >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif >>>> file copy to /var/lib/pki/pki-tomcat/ca/conf/manager.ldif >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): LDAP >>>> Errors in importing /var/lib/pki/pki-tomcat/ca/conf/manager.ldif >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: >>>> exception in adding entry >>>> ou=csusers,cn=config:netscape.ldap.LDAPException: error result (68) >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: >>>> exception in modifying entry o=ipaca:netscape.ldap.LDAPException: >>>> error result (20) >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: populateVLVIndexes(): >>>> start >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Creating >>>> LdapBoundConnFactor(ConfigurationUtils) >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapBoundConnFactory: >>>> init >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: >>>> LdapBoundConnFactory:doCloning true >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init() >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init >>>> begins >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: >>>> prompt is internaldb >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: >>>> try getting from memory cache >>>> 
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: >>>> got password from memory >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: >>>> password found for prompt. >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password >>>> ok: store in memory cache >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init >>>> ends >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before >>>> makeConnection errorIfDown is false >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: >>>> errorIfDown false >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP >>>> connection using basic authentication to host >>>> pt-idm-vm01.example.com port 389 as cn=Directory Manager >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with >>>> mininum 3 and maximum 15 connections to host pt-idm-vm01.example.com >>>> port 389, secure connection, false, authentication type 1 >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum >>>> connections by 3 >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available >>>> connections 3 >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of >>>> connections 3 >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In >>>> LdapBoundConnFactory::getConn() >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: >>>> true >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is >>>> connected true >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now >>>> 2 >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS: >>>> param=preop.internaldb.post_ldif >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif >>>> file = /usr/share/pki/ca/conf/vlv.ldif >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif >>>> file copy to 
/var/lib/pki/pki-tomcat/ca/conf/vlv.ldif >>>> >>>> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif >>>> file = /usr/share/pki/ca/conf/vlvtasks.ldif >>>> >>>> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif >>>> file copy to /var/lib/pki/pki-tomcat/ca/conf/vlvtasks.ldif >>>> >>>> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: Checking wait_dn >>>> cn=index1160589769, cn=index, cn=tasks, cn=config >>>> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: Found data for 'sslserver' >>>> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: >>>> SystemConfigService:processCerts(): san_server_cert not found for >>>> tag sslserver >>>> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is >>>> local >>>> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is >>>> remote (revised) >>>> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: >>>> updateConfig() for certTag sslserver >>>> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: updateConfig() done >>>> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: remote CA >>>> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got >>>> public key >>>> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got >>>> private key >>>> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: For this >>>> Cloned CA, always use its Master CA to generate the 'sslserver' >>>> certificate to avoid any changes which may have been made to the X500Name >>>> directory string encoding order. 
>>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: ConfigurationUtils: injectSAN=false
>>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertUtil createRemoteCert: content requestor_name=CA-pt-idm-vm01.example.com-8443&profileId=caInternalAuthServerCert&cert_request_type=pkcs10&cert_request=[masked base64 request omitted]&xmlOutput=true&sessionID=-4495713718673639316
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil createRemoteCert: status=0
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil createRemoteCert: [masked base64 data omitted]
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: ConfigurationUtils: handleCertRequest() begins
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: tag=sslserver
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: privKeyID=29c021f3ccfafb1049bd33ce00e9b4ba35f2c1e7
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: created cert request
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processing 'sslserver' certificate:
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): for cert tag 'sslserver' using cert type 'remote'
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): process remote...import cert
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: nickname=Server-Cert cert-pki-ca
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: cert deleted successfully
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): certchains length=2
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): import certificate successfully, certTag=sslserver
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processed 'sslserver' certificate.
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === BackupKeyCert Panel/SavePKCS12 Panel ===
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: backupKeys(): start
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Admin Panel ===
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Done Panel ===
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Updating existing security domain
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: isSDHostDomainMaster(): Getting domain.xml from CA...
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: getDomainXML start
>>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: status=0
>>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: domainInfo=<?xml version="1.0" encoding="UTF-8" standalone="no"?><DomainInfo><Name>IPA</Name><CAList><CA><Host>ptipa1.example.com</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><UnSecurePort>80</UnSecurePort><Clone>FALSE</Clone><SubsystemName>pki-cad</SubsystemName><DomainManager>TRUE</DomainManager></CA><SubsystemCount>1</SubsystemCount></CAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><RAList><SubsystemCount>0</SubsystemCount></RAList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo>
>>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Cloning a domain master
>>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML start hostname=ptipa1.example.com port=443
>>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: failed to update security domain using admin port 443: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
>>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: now trying agent port with client auth
>>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML start hostname=ptipa1.example.com port=443
>>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateDomainXML() nickname=subsystemCert cert-pki-ca
>>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML: status=1
>>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Error while updating security domain: java.io.IOException: 2
>>>> [23/Mar/2016:23:44:52][http-bio-8080-exec-1]: according to ccMode, authorization for servlet: caProfileList is LDAP based, not XML {1}, use default authz mgr: {2}.
>>>>
>>>> /var/log/pki/pki-tomcat/ca/system
>>>>
>>>> 0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
>>>> 0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
>>>>
>>>> *Dennis M Ott*
>>>> Infrastructure Administrator
>>>> Infrastructure and Security Operations
>>>>
>>>> *McKesson Corporation
>>>> McKesson Pharmacy Systems and Automation*
>>>> www.mckesson.com <http://www.mckesson.com/>
>>>
>>> --
>>> Petr Vobornik
>>
>> --
>> Petr Vobornik
>
> --
> Petr Vobornik

--
Petr Vobornik

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project