This allowed the replica install to complete. Thank you.

However, when I try to kinit admin on the replica I get:

kinit: Invalid UID in persistent keyring name while getting default ccache

After some research I found that by commenting out this line in /etc/krb5.conf

default_ccache_name = KEYRING:persistent:%{uid}

and restarting IPA, I was able to use kinit.

What is the correct way to fix this, or what are the implications of just 
leaving it commented out?


Dennis



-----Original Message-----
From: Petr Vobornik [mailto:pvobo...@redhat.com] 
Sent: Friday, April 15, 2016 11:54 AM
To: Ott, Dennis; Freeipa-users@redhat.com
Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails

On 04/15/2016 05:13 PM, Ott, Dennis wrote:
> My master began life as OS 6.2 / IPA 2.1.3 / pki-9.0.3 and does not have a 
> cert database at:
> 
> /etc/pki/pki-tomcat/alias
> 
> At:
> 
> /var/lib/pki-ca/alias

right

> 
> subsystemCert cert-pki-ca has a serial number of 18 (0x12)
> 
> At:
> 
> uid=CA-$HOST-8443,ou=people,o=ipaca
> 
> the certificate has a serial number of 4.
> 
> 
> What is the best way to fix this?
> 
> If it matters, the master installation is old enough to have had its certs 
> auto-renewed.

Yes, certs were renewed but the PKI user entry was not which causes the issue. 
This has been seen on very old IPA installations.

1) Login into IPA Master (RHEL 6) - as root.

2) Redirect "subsystemCert cert-pki-ca" to a file.

# certutil -L -d /var/lib/pki-ca/alias/ -n "subsystemCert cert-pki-ca"
-a > /tmp/subsystemcert.pem

3) Drop the header/footer and combine this into a single line.

# echo && cat /tmp/subsystemcert.pem | sed -rn '/^-----BEGIN 
CERTIFICATE-----$/{:1;n;/^-----END
CERTIFICATE-----$/b2;H;b1};:2;${x;s/\s//g;p}'

4) String generated in step 3 needs to be added under attribute 
"usercertificate;binary:" below.

===================================================================================
# ldapmodify -x -h 127.0.0.1 -p 7389 -D 'cn=Directory Manager' -W << EOF
dn: uid=CA-ptipa1.example.com-9443,ou=people,o=ipaca
changetype: modify
add: usercertificate;binary
usercertificate;binary: MIIDyTCCAr..Y4EKCneFA== <-- ADD the full string from 
step 3.
-
replace: description
description: 2;18;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA 
Subsystem,O=EXAMPLE.COM EOF 
===================================================================================

Note: the description field attribute has format:
   <version_number - always 2>:<serial number>:<issuer subjectdn>:<cert
subjectdn>


5) Once the above command is successful restart IPA service

# service ipa restart

6) Check if the mapping is now correct.

# pki-server ca-user-show CA-ptipa1.example.com-9443 | egrep "User
ID|Description"

> 
> Dennis
> 
> 
> -----Original Message-----
> From: Petr Vobornik [mailto:pvobo...@redhat.com]
> Sent: Friday, April 15, 2016 10:06 AM
> To: Ott, Dennis; Freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails
> 
> On 04/15/2016 03:51 PM, Ott, Dennis wrote:
>> Looks like we're out of ideas.
>>
>> I'll proceed with Plan B.
>>
> 
> A possibility is also to check if
> 
> Serial number of
> 
> certutil -d /etc/pki/pki-tomcat/alias -L -n 'subsystemCert cert-pki-ca'
> 
> matches serial number of the cert below (4) and if
> 
> uid=CA-$HOST-8443,ou=people,o=ipaca
> 
> has actually the same cert in userCertificate attribute
> 
> Or maybe to do the same with other PKI users in ou=people,o=ipaca
> 
>> -----Original Message-----
>> From: Ott, Dennis
>> Sent: Monday, April 11, 2016 12:27 PM
>> To: Ott, Dennis; Petr Vobornik; Freeipa-users@redhat.com
>> Subject: RE: [Freeipa-users] 7.x replica install from 6.x master 
>> fails
>>
>> As a test, I attempted to do a replica install on a Fedora 23 machine. It 
>> fails with the same error.
>>
>> Dennis
>>
>>
>>
>> -----Original Message-----
>> From: freeipa-users-boun...@redhat.com 
>> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ott, Dennis
>> Sent: Thursday, April 07, 2016 5:39 PM
>> To: Petr Vobornik; Freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master 
>> fails
>>
>> It doesn't look like that is my problem. The output of pki-server 
>> ca-group-member-find "Subsystem Group" gives:
>>
>>
>>   User ID: CA-ptipa1.example.com-9443
>>   Common Name: CA-ptipa1.example.com-9443
>>   Surname: CA-ptipa1.example.com-9443
>>   Type: agentType
>>   Description: 2;4;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA 
>> Subsystem,O=EXAMPLE.COM
>>   E-mail:
>>
>> All the certs seem valid:
>>
>> # getcert list | grep expires
>>         expires: 2017-07-18 00:55:14 UTC
>>         expires: 2017-07-18 00:54:14 UTC
>>         expires: 2017-07-18 00:54:14 UTC
>>         expires: 2017-07-18 00:54:14 UTC
>>         expires: 2017-07-18 00:54:14 UTC
>>         expires: 2017-08-09 00:54:19 UTC
>>         expires: 2017-08-09 00:54:19 UTC
>>         expires: 2017-08-09 00:54:21 UTC #
>>
>> I was wondering if I might be hitting this:
>>
>> http://cp.mcafee.com/d/1jWVIi6x8SyMVuXzX0VMSrhhjhupjvvhdEEFELcFKcECPp
>> I 
>> SHoHZalxOVIsWqehMGDpMQsyGeWOPtfhktZy0GM-xEGYCXslsttJtVNxeSICPpISr9PCJ
>> h 
>> bctZ2It9RFfQe00UX7_AJKjBoHYYvhjd79IQh1ysM3d40tY8iEq8zh0qf0XUgBjwNeoal
>> I 
>> l-BaMVsQv6QmhPPzNI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdlj
>> h
>> 0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
>> http://cp.mcafee.com/d/5fHCNEg3zqb3BXKfI3D3pJ55d5VBdZZ4SyyCyYOCUOyrdC
>> P
>> qJyLQFm7bCNPFEV72GtD3hOaEXHbdQZ5hTS82H3W6yHOrJNlNRSRTD64XqOrdCPpIDeqR
>> 4 
>> INTQaNQDmA_gU03yNmmjBoHYYhod7bVIQh1ysM3d40tY8iEq8zh0qf0XUgBjwNeoalIl-
>> B 
>> aMVsQv6QmhPPzNI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0V
>> M
>> uq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
>>
>> It says it is fixed in pki 10.2.6. 10.2.6 has been released for Fedora (many 
>> months ago), but is not yet available for enterprise.
>>
>> Dennis
>>
>>
>>
>>
>> -----Original Message-----
>> From: Petr Vobornik [mailto:pvobo...@redhat.com]
>> Sent: Thursday, April 07, 2016 10:56 AM
>> To: Ott, Dennis; Freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master 
>> fails
>>
>> Sorry for the late response.
>>
>> It looks like a bug
>> http://cp.mcafee.com/d/1jWVIe4xAe3zqb3BXInd7b1EVdCQkkQnCkTTQjqaaqbPar
>> z 
>> a9ISrdGSa_iBosKr7eLqaEF-waI47nQ7LQl8m7f2H3ab0Ggvhv5mtKqek4Q4hPEVwSrdC
>> P
>> pesRG9px1IyaiffTE-wjSvbVgDkMaA6Of08iAwsyCqekhP0US5LD4Qg1CF2IoiaCy0Qub
>> 6 
>> qAaNx85hZ0DI-nd7NJ5CZNPxI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDD
>> C y1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
>> But it should be fixed in pki-core-9.0.3-45.el6_7 so I'm not sure.
>>
>> Anyway,
>> java.io.IOException: 2 actually means authentication failure.
>>
>> The authentication problem might be caused by a missing subsystem 
>> user (bug #1225589) and there's already a tool to restore it. 
>> However, before running the script, please run this command on the 
>> master to verify the
>> problem:
>>
>> $ pki-server ca-group-member-find "Subsystem Group"
>>
>> Ideally it should return a user ID "CA-<hostname>-9443" and the description 
>> attribute should contain the subsystem certificate in this format 
>> "<version>;<serial>;<issuer DN>;<subject DN>".
>>
>> If that's not the case, please run this tool to restore the subsystem user:
>>
>> $ python /usr/share/pki/scripts/restore-subsystem-user.py
>>
>> Then run this command again to verify the fix:
>>
>> $ pki-server ca-group-member-find "Subsystem Group"
>>
>> If everything works well, please try installing the replica again.
>>
>> Also verify that all certificates in `getcert list` output are not expired.
>>
>>
>> On 03/31/2016 09:07 PM, Ott, Dennis wrote:
>>> Petr,
>>>
>>> Original 6.x master installed at:
>>>
>>> ipa-server-2.1.3-9
>>>
>>> pki-ca-9.0.3-20
>>>
>>>
>>> At the time the migration was attempted, the 6.x master had been updated to:
>>>
>>> ipa-server-3.0.0-47
>>>
>>> pki-ca-9.0.3-45
>>>
>>>
>>> The 7.x replica install has been attempted using a variety of versions. The 
>>> log excerpts at the beginning of this email were from an installation 
>>> attempt using:
>>>
>>> ipa-server-4.2.0-15.0.1
>>>
>>> pki-ca-10.2.5-6
>>>
>>>
>>> It's a standard CA installation. This line is from 
>>> /var/log/ipaserverinstall.log showing selfsign as False:
>>>
>>> 2013-09-04T18:41:20Z DEBUG /usr/sbin/ipa-server-install was invoked 
>>> with options: {'zone_refresh': 0, 'reverse_zone': None, 'realm_name':
>>> None, 'create_sshfp': True, 'conf_sshd': False, 'conf_ntp': False,
>>> 'subject': None, 'no_forwarders': False, 'persistent_search': True,
>>> 'ui_redirect': True, 'domain_name': None, 'idmax': 0, 'hbac_allow': 
>>> True, 'no_reverse': False, 'dirsrv_pkcs12': None, 'unattended': 
>>> False,
>>> 'selfsign': False, 'trust_sshfp': False, 'external_ca_file': None,
>>> 'no_host_dns': False, 'http_pkcs12': None, 'zone_notif': False,
>>> 'forwarders': None, 'idstart': 900000000, 'external_ca': False,
>>> 'ip_address': None, 'conf_ssh': False, 'serial_autoincrement': True,
>>> 'zonemgr': None, 'setup_dns': False, 'host_name': None, 'debug': 
>>> False, 'external_cert_file': None, 'uninstall': False} 
>>> 2013-09-04T18:41:20Z DEBUG missing options might be asked for 
>>> interactively later
>>>
>>>
>>> -----Original Message-----
>>> From: Petr Vobornik [mailto:pvobo...@redhat.com]
>>> Sent: Tuesday, March 29, 2016 6:43 AM
>>> To: Ott, Dennis; Freeipa-users@redhat.com
>>> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master 
>>> fails
>>>
>>> On 03/24/2016 04:29 PM, Ott, Dennis wrote:
>>>> I am trying to migrate from OS 6.x / IPA 3.0 to OS 7.x / IPA 4.x. 
>>>> After working through and solving a few issues, my current efforts 
>>>> fail when setting up the replica CA.
>>>>
>>>> If I set up a new, pristine master on OS 6.7, I am able to create 
>>>> an OS 7.x replica without any problem. However, if I try to create 
>>>> a replica from my two year old test lab instance (production will 
>>>> be another matter for the future) it fails. The test lab master was 
>>>> created a couple of years ago on OS 6.3 / IPA 2.x and has been 
>>>> upgraded to the latest versions in the 6.x chain. It is old enough 
>>>> to have had all the certificates renewed, but I believe I have worked 
>>>> through all the issues related to that.
>>>>
>>>> Below is what I believe are the useful portions of the pertinent logs. 
>>>> I’ve not been able to find anything online that speaks to the 
>>>> errors I am seeing
>>>>
>>>> Thanks for your help.
>>>
>>> Hello Dennis,
>>>
>>> what are the exact versions of pki-ca and ipa-server on the 6.x master and 
>>> 7.x replica?
>>>
>>> What kind of CA installation does the old 6.x master install have? Is 
>>> standard installation with CA or does it also use external CA?
>>>
>>> I assume it is not self-sign (very old unsupported type, which could be 
>>> converted in 7.x as CA-less).
>>>
>>>>
>>>> /var/log/ipareplica-install.log
>>>>
>>>> 2016-03-23T21:55:11Z DEBUG Configuring certificate server (pki-tomcatd).
>>>> Estimated time: 3 minutes 30 seconds
>>>>
>>>> 2016-03-23T21:55:11Z DEBUG   [1/23]: creating certificate server user
>>>>
>>>> 2016-03-23T21:55:11Z DEBUG group pkiuser exists
>>>>
>>>> 2016-03-23T21:55:11Z DEBUG user pkiuser exists
>>>>
>>>> 2016-03-23T21:55:11Z DEBUG   duration: 0 seconds
>>>>
>>>> 2016-03-23T21:55:11Z DEBUG   [2/23]: configuring certificate server 
>>>> instance
>>>>
>>>> 2016-03-23T21:55:11Z DEBUG Loading StateFile from 
>>>> '/var/lib/ipa/sysrestore/sysrestore.state'
>>>>
>>>> 2016-03-23T21:55:11Z DEBUG Saving StateFile to 
>>>> '/var/lib/ipa/sysrestore/sysrestore.state'
>>>>
>>>> 2016-03-23T21:55:11Z DEBUG Contents of pkispawn configuration file 
>>>> (/tmp/tmpGQ59ZC):
>>>>
>>>> [CA]
>>>>
>>>> pki_security_domain_name = IPA
>>>>
>>>> pki_enable_proxy = True
>>>>
>>>> pki_restart_configured_instance = False
>>>>
>>>> pki_backup_keys = True
>>>>
>>>> pki_backup_password = XXXXXXXX
>>>>
>>>> pki_profiles_in_ldap = True
>>>>
>>>> pki_client_database_dir = /tmp/tmp-g0CKZ3
>>>>
>>>> pki_client_database_password = XXXXXXXX
>>>>
>>>> pki_client_database_purge = False
>>>>
>>>> pki_client_pkcs12_password = XXXXXXXX
>>>>
>>>> pki_admin_name = admin
>>>>
>>>> pki_admin_uid = admin
>>>>
>>>> pki_admin_email = root@localhost
>>>>
>>>> pki_admin_password = XXXXXXXX
>>>>
>>>> pki_admin_nickname = ipa-ca-agent
>>>>
>>>> pki_admin_subject_dn = cn=ipa-ca-agent,O=EXAMPLE.COM
>>>>
>>>> pki_client_admin_cert_p12 = /root/ca-agent.p12
>>>>
>>>> pki_ds_ldap_port = 389
>>>>
>>>> pki_ds_password = XXXXXXXX
>>>>
>>>> pki_ds_base_dn = o=ipaca
>>>>
>>>> pki_ds_database = ipaca
>>>>
>>>> pki_subsystem_subject_dn = cn=CA Subsystem,O=EXAMPLE.COM
>>>>
>>>> pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=EXAMPLE.COM
>>>>
>>>> pki_ssl_server_subject_dn = 
>>>> cn=pt-idm-vm01.example.com,O=EXAMPLE.COM
>>>>
>>>> pki_audit_signing_subject_dn = cn=CA Audit,O=EXAMPLE.COM
>>>>
>>>> pki_ca_signing_subject_dn = cn=Certificate Authority,O=EXAMPLE.COM
>>>>
>>>> pki_subsystem_nickname = subsystemCert cert-pki-ca
>>>>
>>>> pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
>>>>
>>>> pki_ssl_server_nickname = Server-Cert cert-pki-ca
>>>>
>>>> pki_audit_signing_nickname = auditSigningCert cert-pki-ca
>>>>
>>>> pki_ca_signing_nickname = caSigningCert cert-pki-ca
>>>>
>>>> pki_ca_signing_key_algorithm = SHA256withRSA
>>>>
>>>> pki_security_domain_hostname = ptipa1.example.com
>>>>
>>>> pki_security_domain_https_port = 443
>>>>
>>>> pki_security_domain_user = admin
>>>>
>>>> pki_security_domain_password = XXXXXXXX
>>>>
>>>> pki_clone = True
>>>>
>>>> pki_clone_pkcs12_path = /tmp/ca.p12
>>>>
>>>> pki_clone_pkcs12_password = XXXXXXXX
>>>>
>>>> pki_clone_replication_security = TLS
>>>>
>>>> pki_clone_replication_master_port = 7389
>>>>
>>>> pki_clone_replication_clone_port = 389
>>>>
>>>> pki_clone_replicate_schema = False
>>>>
>>>> pki_clone_uri =
>>>> http://cp.mcafee.com/d/k-Kr6zqb3VEVjouhuodCQkkQnCkTTQjqaaqbParza9IS
>>>> r
>>>> d
>>>> G
>>>> Sa_iBosKrKVXMGgog82KA1N1BeTyH93t5m7hOoHH3b8GOxvQd8e89K8CPpISr9PCJhb
>>>> c
>>>> m
>>>> D
>>>> 9rkuYf21_YLxIbve9Ew3di5oMAld41EYmcR8lz2gazW1fpYKqfzqaabyr1I5-Aq83iS
>>>> b
>>>> N
>>>> _
>>>> VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrN
>>>> K
>>>> V
>>>> J
>>>> USyrh
>>>>
>>>> 2016-03-23T21:55:11Z DEBUG Starting external process
>>>>
>>>> 2016-03-23T21:55:11Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' 
>>>> '/tmp/tmpGQ59ZC'
>>>>
>>>> 2016-03-23T21:56:51Z DEBUG Process finished, return code=1
>>>>
>>>> 2016-03-23T21:56:51Z DEBUG stdout=Log file:
>>>> /var/log/pki/pki-ca-spawn.20160323175511.log
>>>>
>>>> Loading deployment configuration from /tmp/tmpGQ59ZC.
>>>>
>>>> Installing CA into /var/lib/pki/pki-tomcat.
>>>>
>>>> Storing deployment configuration into 
>>>> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>>>>
>>>> Installation failed.
>>>>
>>>> 2016-03-23T21:56:51Z DEBUG
>>>> stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
>>>> InsecureRequestWarning: Unverified HTTPS request is being made. 
>>>> Adding certificate verification is strongly advised. See:
>>>> http://cp.mcafee.com/d/5fHCNAi6hESyM-qekS7AnC3pJ55d5VBdZZ4SyyCyYOCU
>>>> O
>>>> y
>>>> r
>>>> dCPqJyLQFm7bCXKuYaA6420HF0sgpjJUGOgThlxQsCaWMOOaIEnZ3i3y2ry9ISrdCOs
>>>> V
>>>> H
>>>> k
>>>> iP6UDDO8cZ7ZgCjZ2JGs01PUovI_FfavpKcFBK1NIbve9Ew3di5oMAld41EYmcR8lz2
>>>> g
>>>> a
>>>> z
>>>> W1fpYKqfzqaabyr1I5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdl
>>>> j
>>>> h
>>>> 0
>>>> VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
>>>>
>>>>     InsecureRequestWarning)
>>>>
>>>> pkispawn    : WARNING  ....... unable to validate security domain 
>>>> user/password
>>>> through REST interface. Interface not available
>>>>
>>>> pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: 
>>>> 500
>>>> Server Error: Internal Server Error
>>>>
>>>> pkispawn    : ERROR    ....... ParseError: not well-formed (invalid 
>>>> token): line
>>>> 1, column 0:
>>>> {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.
>>>> PKIException","Code":500,"Message":"Error
>>>> while updating security domain: java.io.IOException: 2"}
>>>>
>>>> 2016-03-23T21:56:51Z CRITICAL Failed to configure CA instance: 
>>>> Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpGQ59ZC'' 
>>>> returned non-zero exit status 1
>>>>
>>>> 2016-03-23T21:56:51Z CRITICAL See the installation logs and the 
>>>> following files/directories for more information:
>>>>
>>>> 2016-03-23T21:56:51Z CRITICAL   /var/log/pki-ca-install.log
>>>>
>>>> 2016-03-23T21:56:51Z CRITICAL   /var/log/pki/pki-tomcat
>>>>
>>>> 2016-03-23T21:56:51Z DEBUG Traceback (most recent call last):
>>>>
>>>>     File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>>> line 418, in start_creation
>>>>
>>>>       run_step(full_msg, method)
>>>>
>>>>     File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>>> line 408, in run_step
>>>>
>>>>       method()
>>>>
>>>>     File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>>> line 620, in __spawn_instance
>>>>
>>>>       DogtagInstance.spawn_instance(self, cfg_file)
>>>>
>>>>     File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py"
>>>> ,
>>>> line 201, in spawn_instance
>>>>
>>>>       self.handle_setup_error(e)
>>>>
>>>>     File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py"
>>>> ,
>>>> line 465, in handle_setup_error
>>>>
>>>>       raise RuntimeError("%s configuration failed." %
>>>> self.subsystem)
>>>>
>>>> RuntimeError: CA configuration failed.
>>>>
>>>> 2016-03-23T21:56:51Z DEBUG   [error] RuntimeError: CA configuration failed.
>>>>
>>>> 2016-03-23T21:56:51Z DEBUG   File
>>>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 
>>>> 171, in execute
>>>>
>>>>       return_value = self.run()
>>>>
>>>>     File
>>>> "/usr/lib/python2.7/site-packages/ipapython/install/cli.py",
>>>> line 311, in run
>>>>
>>>>       cfgr.run()
>>>>
>>>>     File
>>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 281, in run
>>>>
>>>>       self.execute()
>>>>
>>>>     File
>>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 303, in execute
>>>>
>>>>       for nothing in self._executor():
>>>>
>>>>     File
>>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 343, in __runner
>>>>
>>>>       self._handle_exception(exc_info)
>>>>
>>>>     File
>>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 365, in _handle_exception
>>>>
>>>>       util.raise_exc_info(exc_info)
>>>>
>>>>     File
>>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 333, in __runner
>>>>
>>>>       step()
>>>>
>>>>     File
>>>> "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>>>> line 87, in run_generator_with_yield_from
>>>>
>>>>       raise_exc_info(exc_info)
>>>>
>>>>     File
>>>> "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>>>> line 65, in run_generator_with_yield_from
>>>>
>>>>       value = gen.send(prev_value)
>>>>
>>>>     File
>>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 524, in _configure
>>>>
>>>>       executor.next()
>>>>
>>>>     File
>>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 343, in __runner
>>>>
>>>>       self._handle_exception(exc_info)
>>>>
>>>>     File
>>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 421, in _handle_exception
>>>>
>>>>       self.__parent._handle_exception(exc_info)
>>>>
>>>>     File
>>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 365, in _handle_exception
>>>>
>>>>       util.raise_exc_info(exc_info)
>>>>
>>>>     File
>>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 418, in _handle_exception
>>>>
>>>>       super(ComponentBase, self)._handle_exception(exc_info)
>>>>
>>>>     File
>>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 365, in _handle_exception
>>>>
>>>>       util.raise_exc_info(exc_info)
>>>>
>>>>     File
>>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>>> line 333, in __runner
>>>>
>>>>       step()
>>>>
>>>>     File
>>>> "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>>>> line 87, in run_generator_with_yield_from
>>>>
>>>>       raise_exc_info(exc_info)
>>>>
>>>>     File
>>>> "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>>>> line 65, in run_generator_with_yield_from
>>>>
>>>>       value = gen.send(prev_value)
>>>>
>>>>     File
>>>> "/usr/lib/python2.7/site-packages/ipapython/install/common.py", 
>>>> line 63, in _install
>>>>
>>>>       for nothing in self._installer(self.parent):
>>>>
>>>>     File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicai
>>>> n
>>>> s
>>>> t
>>>> all.py",
>>>> line 879, in main
>>>>
>>>>       install(self)
>>>>
>>>>     File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicai
>>>> n
>>>> s
>>>> t
>>>> all.py",
>>>> line 295, in decorated
>>>>
>>>>       func(installer)
>>>>
>>>>     File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicai
>>>> n
>>>> s
>>>> t
>>>> all.py",
>>>> line 584, in install
>>>>
>>>>       ca.install(False, config, options)
>>>>
>>>>     File 
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py",
>>>> line 106, in install
>>>>
>>>>       install_step_0(standalone, replica_config, options)
>>>>
>>>>     File 
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py",
>>>> line 130, in
>>>> install_step_0
>>>>
>>>>       ra_p12=getattr(options, 'ra_p12', None))
>>>>
>>>>     File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>>> line 1543, in install_replica_ca
>>>>
>>>>       subject_base=config.subject_base)
>>>>
>>>>     File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>>> line 486, in configure_instance
>>>>
>>>>       self.start_creation(runtime=210)
>>>>
>>>>     File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>>> line 418, in start_creation
>>>>
>>>>       run_step(full_msg, method)
>>>>
>>>>     File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>>> line 408, in run_step
>>>>
>>>>       method()
>>>>
>>>>     File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>>> line 620, in __spawn_instance
>>>>
>>>>       DogtagInstance.spawn_instance(self, cfg_file)
>>>>
>>>>     File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py"
>>>> ,
>>>> line 201, in spawn_instance
>>>>
>>>>       self.handle_setup_error(e)
>>>>
>>>>     File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py"
>>>> ,
>>>> line 465, in handle_setup_error
>>>>
>>>>       raise RuntimeError("%s configuration failed." %
>>>> self.subsystem)
>>>>
>>>> 2016-03-23T21:56:51Z DEBUG The ipa-replica-install command failed, 
>>>> exception:
>>>> RuntimeError: CA configuration failed.
>>>>
>>>> 2016-03-23T21:56:51Z ERROR CA configuration failed.
>>>>
>>>> /var/log/pki/pki-ca-spawn.<date>.log
>>>>
>>>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... rm -f
>>>> /etc/pki/pki-tomcat/ca/noise
>>>>
>>>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... rm -f 
>>>> /etc/pki/pki-tomcat/pfile
>>>>
>>>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... ln -s
>>>> /lib/systemd/system/pki-tomcatd@.service
>>>> /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.
>>>> s
>>>> e
>>>> rvice
>>>>
>>>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chown -h 17:17
>>>> /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.
>>>> s
>>>> e
>>>> rvice
>>>>
>>>> 2016-03-23 17:55:12 pkispawn    : INFO     ... configuring
>>>> 'pki.server.deployment.scriptlets.configuration'
>>>>
>>>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... mkdir -p
>>>> /root/.dogtag/pki-tomcat/ca
>>>>
>>>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chmod 755
>>>> /root/.dogtag/pki-tomcat/ca
>>>>
>>>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chown 0:0
>>>> /root/.dogtag/pki-tomcat/ca
>>>>
>>>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... generating
>>>> '/root/.dogtag/pki-tomcat/ca/password.conf'
>>>>
>>>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... modifying
>>>> '/root/.dogtag/pki-tomcat/ca/password.conf'
>>>>
>>>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chmod 660
>>>> /root/.dogtag/pki-tomcat/ca/password.conf
>>>>
>>>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chown 0:0
>>>> /root/.dogtag/pki-tomcat/ca/password.conf
>>>>
>>>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... generating
>>>> '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
>>>>
>>>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... modifying
>>>> '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
>>>>
>>>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chmod 660
>>>> /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
>>>>
>>>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chown 17:17
>>>> /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
>>>>
>>>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... executing 'certutil -N 
>>>> -d
>>>> /tmp/tmp-g0CKZ3 -f /root/.dogtag/pki-tomcat/ca/password.conf'
>>>>
>>>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... executing 'systemctl
>>>> daemon-reload'
>>>>
>>>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... executing 'systemctl 
>>>> start
>>>> pki-tomcatd@pki-tomcat.service'
>>>>
>>>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... No connection - 
>>>> server
>>>> may still be down
>>>>
>>>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... No connection - 
>>>> exception
>>>> thrown: ('Connection aborted.', error(111, 'Connection refused'))
>>>>
>>>> 2016-03-23 17:55:13 pkispawn    : DEBUG    ........... No connection - 
>>>> server
>>>> may still be down
>>>>
>>>> 2016-03-23 17:55:13 pkispawn    : DEBUG    ........... No connection - 
>>>> exception
>>>> thrown: ('Connection aborted.', error(111, 'Connection refused'))
>>>>
>>>> 2016-03-23 17:55:24 pkispawn    : DEBUG    ........... <?xml version="1.0"
>>>> encoding="UTF-8"
>>>> standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Statu
>>>> s
>>>>> r unning</Status><Version>10.2.5-6.el7</Version></XMLResponse>
>>>>
>>>> 2016-03-23 17:55:25 pkispawn    : INFO     ....... constructing PKI
>>>> configuration data.
>>>>
>>>> 2016-03-23 17:55:25 pkispawn    : INFO     ....... configuring PKI 
>>>> configuration
>>>> data.
>>>>
>>>> 2016-03-23 17:56:51 pkispawn    : ERROR    ....... Exception from Java
>>>> Configuration Servlet: 500 Server Error: Internal Server Error
>>>>
>>>> 2016-03-23 17:56:51 pkispawn    : ERROR    ....... ParseError: not 
>>>> well-formed
>>>> (invalid token): line 1, column 0:
>>>> {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.
>>>> PKIException","Code":500,"Message":"Error
>>>> while updating security domain: java.io.IOException: 2"}
>>>>
>>>> 2016-03-23 17:56:51 pkispawn    : DEBUG    ....... Error Type: ParseError
>>>>
>>>> 2016-03-23 17:56:51 pkispawn    : DEBUG    ....... Error Message: not
>>>> well-formed (invalid token): line 1, column 0
>>>>
>>>> 2016-03-23 17:56:51 pkispawn    : DEBUG    .......   File 
>>>> "/usr/sbin/pkispawn",
>>>> line 597, in main
>>>>
>>>>       rv = instance.spawn(deployer)
>>>>
>>>>     File
>>>> "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/
>>>> c
>>>> o
>>>> n
>>>> figuration.py",
>>>> line 116, in spawn
>>>>
>>>>       json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
>>>>
>>>>     File
>>>> "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py"
>>>> ,
>>>> line 3906, in configure_pki_data
>>>>
>>>>       root = ET.fromstring(e.response.text)
>>>>
>>>>     File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 
>>>> 1300, in XML
>>>>
>>>>       parser.feed(text)
>>>>
>>>>     File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 
>>>> 1642, in feed
>>>>
>>>>       self._raiseerror(v)
>>>>
>>>>     File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 
>>>> 1506, in _raiseerror
>>>>
>>>>       raise err
>>>>
>>>> /var/log/pki/pki-tomcat/ca/debug
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: 
>>>> password
>>>> ok: store in memory cache
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init 
>>>> ends
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before 
>>>> makeConnection errorIfDown is false
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: 
>>>> errorIfDown false
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP 
>>>> connection using basic authentication to host 
>>>> pt-idm-vm01.example.com port 389 as cn=Directory Manager
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with 
>>>> mininum 3 and maximum 15 connections to host 
>>>> pt-idm-vm01.example.com port 389, secure connection, false, 
>>>> authentication type 1
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum 
>>>> connections by 3
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available 
>>>> connections 3
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of 
>>>> connections 3
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In
>>>> LdapBoundConnFactory::getConn()
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: 
>>>> true
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is 
>>>> connected true
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns 
>>>> now
>>>> 2
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS:
>>>> param=preop.internaldb.manager_ldif
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif 
>>>> file = /usr/share/pki/server/conf/manager.ldif
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif 
>>>> file copy to /var/lib/pki/pki-tomcat/ca/conf/manager.ldif
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): LDAP 
>>>> Errors in importing /var/lib/pki/pki-tomcat/ca/conf/manager.ldif
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: 
>>>> exception in adding entry
>>>> ou=csusers,cn=config:netscape.ldap.LDAPException: error result (68)
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: 
>>>> exception in modifying entry o=ipaca:netscape.ldap.LDAPException: 
>>>> error result (20)
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: populateVLVIndexes(): 
>>>> start
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Creating
>>>> LdapBoundConnFactor(ConfigurationUtils)
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapBoundConnFactory: 
>>>> init
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: 
>>>> LdapBoundConnFactory:doCloning true
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init()
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init 
>>>> begins
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: 
>>>> prompt is internaldb
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: 
>>>> try getting from memory cache
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: 
>>>> got password from memory
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: 
>>>> password found for prompt.
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: 
>>>> password
>>>> ok: store in memory cache
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init 
>>>> ends
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before 
>>>> makeConnection errorIfDown is false
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: 
>>>> errorIfDown false
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP 
>>>> connection using basic authentication to host 
>>>> pt-idm-vm01.example.com port 389 as cn=Directory Manager
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with 
>>>> mininum 3 and maximum 15 connections to host 
>>>> pt-idm-vm01.example.com port 389, secure connection, false, 
>>>> authentication type 1
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum 
>>>> connections by 3
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available 
>>>> connections 3
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of 
>>>> connections 3
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In
>>>> LdapBoundConnFactory::getConn()
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: 
>>>> true
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is 
>>>> connected true
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns 
>>>> now
>>>> 2
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS:
>>>> param=preop.internaldb.post_ldif
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif 
>>>> file = /usr/share/pki/ca/conf/vlv.ldif
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif 
>>>> file copy to /var/lib/pki/pki-tomcat/ca/conf/vlv.ldif
>>>>
>>>> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif 
>>>> file = /usr/share/pki/ca/conf/vlvtasks.ldif
>>>>
>>>> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif 
>>>> file copy to /var/lib/pki/pki-tomcat/ca/conf/vlvtasks.ldif
>>>>
>>>> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: Checking wait_dn 
>>>> cn=index1160589769, cn=index, cn=tasks, cn=config
>>>>
>>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: Found data for 'sslserver'
>>>>
>>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]:
>>>> SystemConfigService:processCerts(): san_server_cert not found for 
>>>> tag sslserver
>>>>
>>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is 
>>>> local
>>>>
>>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is 
>>>> remote (revised)
>>>>
>>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: 
>>>> updateConfig() for certTag sslserver
>>>>
>>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: updateConfig() done
>>>>
>>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: remote CA
>>>>
>>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got 
>>>> public key
>>>>
>>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got 
>>>> private key
>>>>
>>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: For this 
>>>> Cloned CA, always use its Master CA to generate the 'sslserver'
>>>> certificate to avoid any changes which may have been made to the X500Name 
>>>> directory string encoding order.
>>>>
>>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: ConfigurationUtils: 
>>>> injectSAN=false
>>>>
>>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertUtil
>>>> createRemoteCert: content
>>>> requestor_name=CA-pt-idm-vm01.example.com-8443&profileId=caInternal
>>>> A
>>>> u
>>>> t
>>>> hServerCert&cert_request_type=pkcs10&cert_request=MIICmzCCAYxxxxxxx
>>>> x
>>>> x
>>>> x
>>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>>> x
>>>> x
>>>> x
>>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>>> x
>>>> x
>>>> x
>>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>>> x
>>>> x
>>>> x
>>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>>> x
>>>> x
>>>> x
>>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>>> x
>>>> x
>>>> x
>>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxrD6JPIBR7AA%3D&xmlOutput=tru
>>>> e
>>>> &
>>>> s
>>>> essionID=-4495713718673639316
>>>>
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil
>>>> createRemoteCert: status=0
>>>>
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil createRemoteCert:
>>>> MIIDxTCCAq2gxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>>> x
>>>> x
>>>> x
>>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>>> x
>>>> x
>>>> x
>>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>>> x
>>>> x
>>>> x
>>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>>> x
>>>> x
>>>> x
>>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>>> x
>>>> x
>>>> x
>>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxTDuSAWm2v7
>>>>
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: ConfigurationUtils:
>>>> handleCertRequest() begins
>>>>
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: 
>>>> tag=sslserver
>>>>
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]:
>>>> privKeyID=29c021f3ccfafb1049bd33ce00e9b4ba35f2c1e7
>>>>
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: 
>>>> created cert request
>>>>
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processing 'sslserver' 
>>>> certificate:
>>>>
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): for 
>>>> cert tag 'sslserver' using cert type 'remote'
>>>>
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): 
>>>> process remote...import cert
>>>>
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: 
>>>> nickname=Server-Cert cert-pki-ca
>>>>
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: cert 
>>>> deleted successfully
>>>>
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): 
>>>> certchains length=2
>>>>
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): import 
>>>> certificate successfully, certTag=sslserver
>>>>
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processed 'sslserver' 
>>>> certificate.
>>>>
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === BackupKeyCert
>>>> Panel/SavePKCS12 Panel ===
>>>>
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: backupKeys(): start
>>>>
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Admin Panel ===
>>>>
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Done Panel ===
>>>>
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Updating existing 
>>>> security domain
>>>>
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: isSDHostDomainMaster(): 
>>>> Getting domain.xml from CA...
>>>>
>>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: getDomainXML start
>>>>
>>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: 
>>>> status=0
>>>>
>>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: 
>>>> domainInfo=<?xml version="1.0" encoding="UTF-8"
>>>> standalone="no"?><DomainInfo><Name>IPA</Name><CAList><CA><Host>ptipa1.
>>>> example.com</Host><SecurePort>443</SecurePort><SecureAgentPort>443<
>>>> /
>>>> S
>>>> e
>>>> cureAgentPort><SecureAdminPort>443</SecureAdminPort><SecureEEClient
>>>> cureAgentPort>A
>>>> cureAgentPort>u
>>>> cureAgentPort>t
>>>> hPort>443</SecureEEClientAuthPort><UnSecurePort>80</UnSecurePort><C
>>>> hPort>l
>>>> hPort>o
>>>> hPort>n
>>>> e>FALSE</Clone><SubsystemName>pki-cad</SubsystemName><DomainManager
>>>> e>>
>>>> e>T
>>>> e>R
>>>> UE</DomainManager></CA><SubsystemCount>1</SubsystemCount></CAList><
>>>> O
>>>> C
>>>> S
>>>> PList><SubsystemCount>0</SubsystemCount></OCSPList><KRAList><Subsys
>>>> PList>t
>>>> PList>e
>>>> PList>m
>>>> Count>0</SubsystemCount></KRAList><RAList><SubsystemCount>0</Subsys
>>>> Count>t
>>>> Count>e
>>>> Count>m
>>>> Count></RAList><TKSList><SubsystemCount>0</SubsystemCount></TKSList
>>>> Count>>
>>>> Count><
>>>> Count>T
>>>> PSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo>
>>>>
>>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Cloning a domain 
>>>> master
>>>>
>>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase 
>>>> updateDomainXML start hostname=ptipa1.example.com port=443
>>>>
>>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: 
>>>> failed to update security domain using admin port 443: 
>>>> org.xml.sax.SAXParseException;
>>>> lineNumber: 1; columnNumber: 50; White spaces are required between 
>>>> publicId and systemId.
>>>>
>>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: 
>>>> now trying agent port with client auth
>>>>
>>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase 
>>>> updateDomainXML start hostname=ptipa1.example.com port=443
>>>>
>>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateDomainXML() 
>>>> nickname=subsystemCert cert-pki-ca
>>>>
>>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase 
>>>> updateDomainXML:
>>>> status=1
>>>>
>>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Error while updating 
>>>> security
>>>> domain: java.io.IOException: 2
>>>>
>>>> [23/Mar/2016:23:44:52][http-bio-8080-exec-1]: according to ccMode, 
>>>> authorization for servlet: caProfileList is LDAP based, not XML {1}, use 
>>>> default authz mgr: {2}.
>>>>
>>>> /var/log/pki/pki-tomcat/ca/system
>>>>
>>>> 0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [3] [3] Cannot 
>>>> build CA chain. Error java.security.cert.CertificateException:
>>>> Certificate is not a PKCS
>>>> #11 certificate
>>>>
>>>> 0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [13] [3] authz 
>>>> instance DirAclAuthz initialization failed and skipped, 
>>>> error=Property internaldb.ldapconn.port missing value
>>>>
>>>> *Dennis M Ott*
>>>> Infrastructure Administrator
>>>> Infrastructure and Security Operations
>>>>
>>>> *McKesson Corporation
>>>> McKesson Pharmacy Systems and Automation* www.mckesson.com 
>>>> <http://www.mckesson.com/>
>>>>> --
>>> Petr Vobornik
>>>
>> --
>> Petr Vobornik
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> http://cp.mcafee.com/d/5fHCMUe6gUSyMVuXzX0VMSrhhjhupjvvhdEEFELcFKcECP
>> p 
>> ISHoHZalxOVIsWqehMGDpMQsyGeWOPtfhktZy0GM-xEGYCXslsttJtVNxeSICPpISr9PC
>> J 
>> hbcat7Q2uPVv1dnoovaAVgtHzIv-iSBSWv6xIQh1ysM3d40tY8iEq8zh0qf0XUgBjwNeo
>> a 
>> lIl-BaMVsQv6QmhPPzNI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sd
>> l
>> jh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
>> Go to
>> http://cp.mcafee.com/d/FZsSd3gArhosLtNZwsUrdEEFELcFLLECQkkQnCkT6kjpIS
>> r 
>> lIl-BaMVsSetd78UljIUqehl7tppKDEGe-N0lovgQlujtKaKeKSKYUMDrmjpISrdw0To_
>> Y 
>> BJU03xIQh1ysM3d40tY8iEq8zh0qf0XUgBjwNeoalIl-BaMVsQv6QmhPPzNI5-Aq83iSb
>> N 
>> _VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNK
>> VJUSyrh for more info on the project
>>
> 
> 
> --
> Petr Vobornik
> 


--
Petr Vobornik

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to