I too ran into this issue of certificate serial mismatch. Just wanted to
shoot a note thanking the two of you for helping. Your questions and
answers were very well articulated and very detailed. I used the info in
this thread to get my replica installed. Thank you! =)

___________________________________________
Ryan Clough
Information Systems
Decision Sciences <http://www.decisionsciencescorp.com/>

On Fri, Apr 15, 2016 at 8:53 AM, Petr Vobornik <pvobo...@redhat.com> wrote:

> On 04/15/2016 05:13 PM, Ott, Dennis wrote:
> > My master began life as OS 6.2 / IPA 2.1.3 / pki-9.0.3 and does not have
> a cert database at:
> >
> > /etc/pki/pki-tomcat/alias
> >
> > At:
> >
> > /var/lib/pki-ca/alias
>
> right
>
> >
> > subsystemCert cert-pki-ca has a serial number of 18 (0x12)
> >
> > At:
> >
> > uid=CA-$HOST-8443,ou=people,o=ipaca
> >
> > the certificate has a serial number of 4.
> >
> >
> > What is the best way to fix this?
> >
> > If it matters, the master installation is old enough to have had its
> certs auto-renewed.
>
> Yes, certs were renewed but the PKI user entry was not which causes the
> issue. This has been seen on very old IPA installations.
>
> 1) Login into IPA Master (RHEL 6) - as root.
>
> 2) Redirect "subsystemCert cert-pki-ca" to a file.
>
> # certutil -L -d /var/lib/pki-ca/alias/ -n "subsystemCert cert-pki-ca"
> -a > /tmp/subsystemcert.pem
>
> 3) Drop the header/footer and combine this into a single line.
>
> # echo && cat /tmp/subsystemcert.pem | sed -rn '/^-----BEGIN
> CERTIFICATE-----$/{:1;n;/^-----END
> CERTIFICATE-----$/b2;H;b1};:2;${x;s/\s//g;p}'
>
> 4) String generated in step 3 needs to be added under attribute
> "usercertificate;binary:" below.
>
>
> ===================================================================================
> # ldapmodify -x -h 127.0.0.1 -p 7389 -D 'cn=Directory Manager' -W << EOF
> dn: uid=CA-ptipa1.example.com-9443,ou=people,o=ipaca
> changetype: modify
> add: usercertificate;binary
> usercertificate;binary: MIIDyTCCAr..Y4EKCneFA== <-- ADD the full string
> from step 3.
> -
> replace: description
> description: 2;18;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA
> Subsystem,O=EXAMPLE.COM
> EOF
>
> ===================================================================================
>
> Note: the description field attribute has format:
>    <version_number - always 2>:<serial number>:<issuer subjectdn>:<cert
> subjectdn>
>
>
> 5) Once the above command is successful restart IPA service
>
> # service ipa restart
>
> 6) Check if the mapping is now correct.
>
> # pki-server ca-user-show CA-ptipa1.example.com-9443 | egrep "User
> ID|Description"
>
> >
> > Dennis
> >
> >
> > -----Original Message-----
> > From: Petr Vobornik [mailto:pvobo...@redhat.com]
> > Sent: Friday, April 15, 2016 10:06 AM
> > To: Ott, Dennis; Freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails
> >
> > On 04/15/2016 03:51 PM, Ott, Dennis wrote:
> >> Looks like we're out of ideas.
> >>
> >> I'll proceed with Plan B.
> >>
> >
> > A possibility is also to check if
> >
> > Serial number of
> >
> > certutil -d /etc/pki/pki-tomcat/alias -L -n 'subsystemCert cert-pki-ca'
> >
> > matches serial number of the cert below (4) and if
> >
> > uid=CA-$HOST-8443,ou=people,o=ipaca
> >
> > has actually the same cert in userCertificate attribute
> >
> > Or maybe to do the same with other PKI users in ou=people,o=ipaca
> >
> >> -----Original Message-----
> >> From: Ott, Dennis
> >> Sent: Monday, April 11, 2016 12:27 PM
> >> To: Ott, Dennis; Petr Vobornik; Freeipa-users@redhat.com
> >> Subject: RE: [Freeipa-users] 7.x replica install from 6.x master fails
> >>
> >> As a test, I attempted to do a replica install on a Fedora 23 machine.
> It fails with the same error.
> >>
> >> Dennis
> >>
> >>
> >>
> >> -----Original Message-----
> >> From: freeipa-users-boun...@redhat.com
> >> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ott, Dennis
> >> Sent: Thursday, April 07, 2016 5:39 PM
> >> To: Petr Vobornik; Freeipa-users@redhat.com
> >> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails
> >>
> >> It doesn't look like that is my problem. The output of pki-server
> ca-group-member-find "Subsystem Group" gives:
> >>
> >>
> >>   User ID: CA-ptipa1.example.com-9443
> >>   Common Name: CA-ptipa1.example.com-9443
> >>   Surname: CA-ptipa1.example.com-9443
> >>   Type: agentType
> >>   Description: 2;4;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA
> Subsystem,O=EXAMPLE.COM
> >>   E-mail:
> >>
> >> All the certs seem valid:
> >>
> >> # getcert list | grep expires
> >>         expires: 2017-07-18 00:55:14 UTC
> >>         expires: 2017-07-18 00:54:14 UTC
> >>         expires: 2017-07-18 00:54:14 UTC
> >>         expires: 2017-07-18 00:54:14 UTC
> >>         expires: 2017-07-18 00:54:14 UTC
> >>         expires: 2017-08-09 00:54:19 UTC
> >>         expires: 2017-08-09 00:54:19 UTC
> >>         expires: 2017-08-09 00:54:21 UTC #
> >>
> >> I was wondering if I might be hitting this:
> >>
> >> http://cp.mcafee.com/d/1jWVIi6x8SyMVuXzX0VMSrhhjhupjvvhdEEFELcFKcECPpI
> >> SHoHZalxOVIsWqehMGDpMQsyGeWOPtfhktZy0GM-xEGYCXslsttJtVNxeSICPpISr9PCJh
> >> bctZ2It9RFfQe00UX7_AJKjBoHYYvhjd79IQh1ysM3d40tY8iEq8zh0qf0XUgBjwNeoalI
> >> l-BaMVsQv6QmhPPzNI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh
> >> 0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
> >> http://cp.mcafee.com/d/5fHCNEg3zqb3BXKfI3D3pJ55d5VBdZZ4SyyCyYOCUOyrdCP
> >> qJyLQFm7bCNPFEV72GtD3hOaEXHbdQZ5hTS82H3W6yHOrJNlNRSRTD64XqOrdCPpIDeqR4
> >> INTQaNQDmA_gU03yNmmjBoHYYhod7bVIQh1ysM3d40tY8iEq8zh0qf0XUgBjwNeoalIl-B
> >> aMVsQv6QmhPPzNI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VM
> >> uq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
> >>
> >> It says it is fixed in pki 10.2.6. 10.2.6 has been released for Fedora
> (many months ago), but is not yet available for enterprise.
> >>
> >> Dennis
> >>
> >>
> >>
> >>
> >> -----Original Message-----
> >> From: Petr Vobornik [mailto:pvobo...@redhat.com]
> >> Sent: Thursday, April 07, 2016 10:56 AM
> >> To: Ott, Dennis; Freeipa-users@redhat.com
> >> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails
> >>
> >> Sorry for the late response.
> >>
> >> It looks like a bug
> >> http://cp.mcafee.com/d/1jWVIe4xAe3zqb3BXInd7b1EVdCQkkQnCkTTQjqaaqbParz
> >> a9ISrdGSa_iBosKr7eLqaEF-waI47nQ7LQl8m7f2H3ab0Ggvhv5mtKqek4Q4hPEVwSrdCP
> >> pesRG9px1IyaiffTE-wjSvbVgDkMaA6Of08iAwsyCqekhP0US5LD4Qg1CF2IoiaCy0Qub6
> >> qAaNx85hZ0DI-nd7NJ5CZNPxI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDC
> >> y1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
> >> But it should be fixed in pki-core-9.0.3-45.el6_7 so I'm not sure.
> >>
> >> Anyway,
> >> java.io.IOException: 2 actually means authentication failure.
> >>
> >> The authentication problem might be caused by a missing subsystem user
> >> (bug #1225589) and there's already a tool to restore it. However,
> >> before running the script, please run this command on the master to
> >> verify the
> >> problem:
> >>
> >> $ pki-server ca-group-member-find "Subsystem Group"
> >>
> >> Ideally it should return a user ID "CA-<hostname>-9443" and the
> description attribute should contain the subsystem certificate in this
> format "<version>;<serial>;<issuer DN>;<subject DN>".
> >>
> >> If that's not the case, please run this tool to restore the subsystem
> user:
> >>
> >> $ python /usr/share/pki/scripts/restore-subsystem-user.py
> >>
> >> Then run this command again to verify the fix:
> >>
> >> $ pki-server ca-group-member-find "Subsystem Group"
> >>
> >> If everything works well, please try installing the replica again.
> >>
> >> Also verify that all certificates in `getcert list` output are not
> expired.
> >>
> >>
> >> On 03/31/2016 09:07 PM, Ott, Dennis wrote:
> >>> Petr,
> >>>
> >>> Original 6.x master installed at:
> >>>
> >>> ipa-server-2.1.3-9
> >>>
> >>> pki-ca-9.0.3-20
> >>>
> >>>
> >>> At the time the migration was attempted, the 6.x master had been
> updated to:
> >>>
> >>> ipa-server-3.0.0-47
> >>>
> >>> pki-ca-9.0.3-45
> >>>
> >>>
> >>> The 7.x replica install has been attempted using a variety of
> versions. The log excerpts at the beginning of this email were from an
> installation attempt using:
> >>>
> >>> ipa-server-4.2.0-15.0.1
> >>>
> >>> pki-ca-10.2.5-6
> >>>
> >>>
> >>> It's a standard CA installation. This line is from
> /var/log/ipaserverinstall.log showing selfsign as False:
> >>>
> >>> 2013-09-04T18:41:20Z DEBUG /usr/sbin/ipa-server-install was invoked
> >>> with options: {'zone_refresh': 0, 'reverse_zone': None, 'realm_name':
> >>> None, 'create_sshfp': True, 'conf_sshd': False, 'conf_ntp': False,
> >>> 'subject': None, 'no_forwarders': False, 'persistent_search': True,
> >>> 'ui_redirect': True, 'domain_name': None, 'idmax': 0, 'hbac_allow':
> >>> True, 'no_reverse': False, 'dirsrv_pkcs12': None, 'unattended':
> >>> False,
> >>> 'selfsign': False, 'trust_sshfp': False, 'external_ca_file': None,
> >>> 'no_host_dns': False, 'http_pkcs12': None, 'zone_notif': False,
> >>> 'forwarders': None, 'idstart': 900000000, 'external_ca': False,
> >>> 'ip_address': None, 'conf_ssh': False, 'serial_autoincrement': True,
> >>> 'zonemgr': None, 'setup_dns': False, 'host_name': None, 'debug':
> >>> False, 'external_cert_file': None, 'uninstall': False}
> >>> 2013-09-04T18:41:20Z DEBUG missing options might be asked for
> >>> interactively later
> >>>
> >>>
> >>> -----Original Message-----
> >>> From: Petr Vobornik [mailto:pvobo...@redhat.com]
> >>> Sent: Tuesday, March 29, 2016 6:43 AM
> >>> To: Ott, Dennis; Freeipa-users@redhat.com
> >>> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master
> >>> fails
> >>>
> >>> On 03/24/2016 04:29 PM, Ott, Dennis wrote:
> >>>> I am trying to migrate from OS 6.x / IPA 3.0 to OS 7.x / IPA 4.x.
> >>>> After working through and solving a few issues, my current efforts
> >>>> fail when setting up the replica CA.
> >>>>
> >>>> If I set up a new, pristine master on OS 6.7, I am able to create an
> >>>> OS 7.x replica without any problem. However, if I try to create a
> >>>> replica from my two year old test lab instance (production will be
> >>>> another matter for the future) it fails. The test lab master was
> >>>> created a couple of years ago on OS 6.3 / IPA 2.x and has been
> >>>> upgraded to the latest versions in the 6.x chain. It is old enough
> >>>> to have had all the certificates renewed, but I believe I have worked
> through all the issues related to that.
> >>>>
> >>>> Below is what I believe are the useful portions of the pertinent logs.
> >>>> I’ve not been able to find anything online that speaks to the errors
> >>>> I am seeing
> >>>>
> >>>> Thanks for your help.
> >>>
> >>> Hello Dennis,
> >>>
> >>> what are the exact versions of pki-ca and ipa-server on the 6.x master
> and 7.x replica?
> >>>
> >>> What kind of CA installation does the old 6.x master install have? Is
> standard installation with CA or does it also use external CA?
> >>>
> >>> I assume it is not self-sign (very old unsupported type, which could
> be converted in 7.x as CA-less).
> >>>
> >>>>
> >>>> /var/log/ipareplica-install.log
> >>>>
> >>>> 2016-03-23T21:55:11Z DEBUG Configuring certificate server
> (pki-tomcatd).
> >>>> Estimated time: 3 minutes 30 seconds
> >>>>
> >>>> 2016-03-23T21:55:11Z DEBUG   [1/23]: creating certificate server user
> >>>>
> >>>> 2016-03-23T21:55:11Z DEBUG group pkiuser exists
> >>>>
> >>>> 2016-03-23T21:55:11Z DEBUG user pkiuser exists
> >>>>
> >>>> 2016-03-23T21:55:11Z DEBUG   duration: 0 seconds
> >>>>
> >>>> 2016-03-23T21:55:11Z DEBUG   [2/23]: configuring certificate server
> instance
> >>>>
> >>>> 2016-03-23T21:55:11Z DEBUG Loading StateFile from
> >>>> '/var/lib/ipa/sysrestore/sysrestore.state'
> >>>>
> >>>> 2016-03-23T21:55:11Z DEBUG Saving StateFile to
> >>>> '/var/lib/ipa/sysrestore/sysrestore.state'
> >>>>
> >>>> 2016-03-23T21:55:11Z DEBUG Contents of pkispawn configuration file
> (/tmp/tmpGQ59ZC):
> >>>>
> >>>> [CA]
> >>>>
> >>>> pki_security_domain_name = IPA
> >>>>
> >>>> pki_enable_proxy = True
> >>>>
> >>>> pki_restart_configured_instance = False
> >>>>
> >>>> pki_backup_keys = True
> >>>>
> >>>> pki_backup_password = XXXXXXXX
> >>>>
> >>>> pki_profiles_in_ldap = True
> >>>>
> >>>> pki_client_database_dir = /tmp/tmp-g0CKZ3
> >>>>
> >>>> pki_client_database_password = XXXXXXXX
> >>>>
> >>>> pki_client_database_purge = False
> >>>>
> >>>> pki_client_pkcs12_password = XXXXXXXX
> >>>>
> >>>> pki_admin_name = admin
> >>>>
> >>>> pki_admin_uid = admin
> >>>>
> >>>> pki_admin_email = root@localhost
> >>>>
> >>>> pki_admin_password = XXXXXXXX
> >>>>
> >>>> pki_admin_nickname = ipa-ca-agent
> >>>>
> >>>> pki_admin_subject_dn = cn=ipa-ca-agent,O=EXAMPLE.COM
> >>>>
> >>>> pki_client_admin_cert_p12 = /root/ca-agent.p12
> >>>>
> >>>> pki_ds_ldap_port = 389
> >>>>
> >>>> pki_ds_password = XXXXXXXX
> >>>>
> >>>> pki_ds_base_dn = o=ipaca
> >>>>
> >>>> pki_ds_database = ipaca
> >>>>
> >>>> pki_subsystem_subject_dn = cn=CA Subsystem,O=EXAMPLE.COM
> >>>>
> >>>> pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=EXAMPLE.COM
> >>>>
> >>>> pki_ssl_server_subject_dn = cn=pt-idm-vm01.example.com,O=EXAMPLE.COM
> >>>>
> >>>> pki_audit_signing_subject_dn = cn=CA Audit,O=EXAMPLE.COM
> >>>>
> >>>> pki_ca_signing_subject_dn = cn=Certificate Authority,O=EXAMPLE.COM
> >>>>
> >>>> pki_subsystem_nickname = subsystemCert cert-pki-ca
> >>>>
> >>>> pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
> >>>>
> >>>> pki_ssl_server_nickname = Server-Cert cert-pki-ca
> >>>>
> >>>> pki_audit_signing_nickname = auditSigningCert cert-pki-ca
> >>>>
> >>>> pki_ca_signing_nickname = caSigningCert cert-pki-ca
> >>>>
> >>>> pki_ca_signing_key_algorithm = SHA256withRSA
> >>>>
> >>>> pki_security_domain_hostname = ptipa1.example.com
> >>>>
> >>>> pki_security_domain_https_port = 443
> >>>>
> >>>> pki_security_domain_user = admin
> >>>>
> >>>> pki_security_domain_password = XXXXXXXX
> >>>>
> >>>> pki_clone = True
> >>>>
> >>>> pki_clone_pkcs12_path = /tmp/ca.p12
> >>>>
> >>>> pki_clone_pkcs12_password = XXXXXXXX
> >>>>
> >>>> pki_clone_replication_security = TLS
> >>>>
> >>>> pki_clone_replication_master_port = 7389
> >>>>
> >>>> pki_clone_replication_clone_port = 389
> >>>>
> >>>> pki_clone_replicate_schema = False
> >>>>
> >>>> pki_clone_uri =
> >>>> http://cp.mcafee.com/d/k-Kr6zqb3VEVjouhuodCQkkQnCkTTQjqaaqbParza9ISr
> >>>> d
> >>>> G
> >>>> Sa_iBosKrKVXMGgog82KA1N1BeTyH93t5m7hOoHH3b8GOxvQd8e89K8CPpISr9PCJhbc
> >>>> m
> >>>> D
> >>>> 9rkuYf21_YLxIbve9Ew3di5oMAld41EYmcR8lz2gazW1fpYKqfzqaabyr1I5-Aq83iSb
> >>>> N
> >>>> _
> >>>> VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNK
> >>>> V
> >>>> J
> >>>> USyrh
> >>>>
> >>>> 2016-03-23T21:55:11Z DEBUG Starting external process
> >>>>
> >>>> 2016-03-23T21:55:11Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
> '/tmp/tmpGQ59ZC'
> >>>>
> >>>> 2016-03-23T21:56:51Z DEBUG Process finished, return code=1
> >>>>
> >>>> 2016-03-23T21:56:51Z DEBUG stdout=Log file:
> >>>> /var/log/pki/pki-ca-spawn.20160323175511.log
> >>>>
> >>>> Loading deployment configuration from /tmp/tmpGQ59ZC.
> >>>>
> >>>> Installing CA into /var/lib/pki/pki-tomcat.
> >>>>
> >>>> Storing deployment configuration into
> >>>> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
> >>>>
> >>>> Installation failed.
> >>>>
> >>>> 2016-03-23T21:56:51Z DEBUG
> >>>> stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
> >>>> InsecureRequestWarning: Unverified HTTPS request is being made.
> >>>> Adding certificate verification is strongly advised. See:
> >>>> http://cp.mcafee.com/d/5fHCNAi6hESyM-qekS7AnC3pJ55d5VBdZZ4SyyCyYOCUO
> >>>> y
> >>>> r
> >>>> dCPqJyLQFm7bCXKuYaA6420HF0sgpjJUGOgThlxQsCaWMOOaIEnZ3i3y2ry9ISrdCOsV
> >>>> H
> >>>> k
> >>>> iP6UDDO8cZ7ZgCjZ2JGs01PUovI_FfavpKcFBK1NIbve9Ew3di5oMAld41EYmcR8lz2g
> >>>> a
> >>>> z
> >>>> W1fpYKqfzqaabyr1I5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdlj
> >>>> h
> >>>> 0
> >>>> VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
> >>>>
> >>>>     InsecureRequestWarning)
> >>>>
> >>>> pkispawn    : WARNING  ....... unable to validate security domain
> user/password
> >>>> through REST interface. Interface not available
> >>>>
> >>>> pkispawn    : ERROR    ....... Exception from Java Configuration
> Servlet: 500
> >>>> Server Error: Internal Server Error
> >>>>
> >>>> pkispawn    : ERROR    ....... ParseError: not well-formed (invalid
> token): line
> >>>> 1, column 0:
> >>>> {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.
> >>>> PKIException","Code":500,"Message":"Error
> >>>> while updating security domain: java.io.IOException: 2"}
> >>>>
> >>>> 2016-03-23T21:56:51Z CRITICAL Failed to configure CA instance:
> >>>> Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpGQ59ZC''
> >>>> returned non-zero exit status 1
> >>>>
> >>>> 2016-03-23T21:56:51Z CRITICAL See the installation logs and the
> >>>> following files/directories for more information:
> >>>>
> >>>> 2016-03-23T21:56:51Z CRITICAL   /var/log/pki-ca-install.log
> >>>>
> >>>> 2016-03-23T21:56:51Z CRITICAL   /var/log/pki/pki-tomcat
> >>>>
> >>>> 2016-03-23T21:56:51Z DEBUG Traceback (most recent call last):
> >>>>
> >>>>     File
> >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> >>>> line 418, in start_creation
> >>>>
> >>>>       run_step(full_msg, method)
> >>>>
> >>>>     File
> >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> >>>> line 408, in run_step
> >>>>
> >>>>       method()
> >>>>
> >>>>     File
> >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> >>>> line 620, in __spawn_instance
> >>>>
> >>>>       DogtagInstance.spawn_instance(self, cfg_file)
> >>>>
> >>>>     File
> >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py"
> >>>> ,
> >>>> line 201, in spawn_instance
> >>>>
> >>>>       self.handle_setup_error(e)
> >>>>
> >>>>     File
> >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py"
> >>>> ,
> >>>> line 465, in handle_setup_error
> >>>>
> >>>>       raise RuntimeError("%s configuration failed." %
> >>>> self.subsystem)
> >>>>
> >>>> RuntimeError: CA configuration failed.
> >>>>
> >>>> 2016-03-23T21:56:51Z DEBUG   [error] RuntimeError: CA configuration
> failed.
> >>>>
> >>>> 2016-03-23T21:56:51Z DEBUG   File
> >>>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171,
> >>>> in execute
> >>>>
> >>>>       return_value = self.run()
> >>>>
> >>>>     File
> >>>> "/usr/lib/python2.7/site-packages/ipapython/install/cli.py",
> >>>> line 311, in run
> >>>>
> >>>>       cfgr.run()
> >>>>
> >>>>     File
> >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> >>>> line 281, in run
> >>>>
> >>>>       self.execute()
> >>>>
> >>>>     File
> >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> >>>> line 303, in execute
> >>>>
> >>>>       for nothing in self._executor():
> >>>>
> >>>>     File
> >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> >>>> line 343, in __runner
> >>>>
> >>>>       self._handle_exception(exc_info)
> >>>>
> >>>>     File
> >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> >>>> line 365, in _handle_exception
> >>>>
> >>>>       util.raise_exc_info(exc_info)
> >>>>
> >>>>     File
> >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> >>>> line 333, in __runner
> >>>>
> >>>>       step()
> >>>>
> >>>>     File
> >>>> "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
> >>>> line 87, in run_generator_with_yield_from
> >>>>
> >>>>       raise_exc_info(exc_info)
> >>>>
> >>>>     File
> >>>> "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
> >>>> line 65, in run_generator_with_yield_from
> >>>>
> >>>>       value = gen.send(prev_value)
> >>>>
> >>>>     File
> >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> >>>> line 524, in _configure
> >>>>
> >>>>       executor.next()
> >>>>
> >>>>     File
> >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> >>>> line 343, in __runner
> >>>>
> >>>>       self._handle_exception(exc_info)
> >>>>
> >>>>     File
> >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> >>>> line 421, in _handle_exception
> >>>>
> >>>>       self.__parent._handle_exception(exc_info)
> >>>>
> >>>>     File
> >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> >>>> line 365, in _handle_exception
> >>>>
> >>>>       util.raise_exc_info(exc_info)
> >>>>
> >>>>     File
> >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> >>>> line 418, in _handle_exception
> >>>>
> >>>>       super(ComponentBase, self)._handle_exception(exc_info)
> >>>>
> >>>>     File
> >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> >>>> line 365, in _handle_exception
> >>>>
> >>>>       util.raise_exc_info(exc_info)
> >>>>
> >>>>     File
> >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> >>>> line 333, in __runner
> >>>>
> >>>>       step()
> >>>>
> >>>>     File
> >>>> "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
> >>>> line 87, in run_generator_with_yield_from
> >>>>
> >>>>       raise_exc_info(exc_info)
> >>>>
> >>>>     File
> >>>> "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
> >>>> line 65, in run_generator_with_yield_from
> >>>>
> >>>>       value = gen.send(prev_value)
> >>>>
> >>>>     File
> >>>> "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line
> >>>> 63, in _install
> >>>>
> >>>>       for nothing in self._installer(self.parent):
> >>>>
> >>>>     File
> >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicain
> >>>> s
> >>>> t
> >>>> all.py",
> >>>> line 879, in main
> >>>>
> >>>>       install(self)
> >>>>
> >>>>     File
> >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicain
> >>>> s
> >>>> t
> >>>> all.py",
> >>>> line 295, in decorated
> >>>>
> >>>>       func(installer)
> >>>>
> >>>>     File
> >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicain
> >>>> s
> >>>> t
> >>>> all.py",
> >>>> line 584, in install
> >>>>
> >>>>       ca.install(False, config, options)
> >>>>
> >>>>     File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py",
> >>>> line 106, in install
> >>>>
> >>>>       install_step_0(standalone, replica_config, options)
> >>>>
> >>>>     File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py",
> >>>> line 130, in
> >>>> install_step_0
> >>>>
> >>>>       ra_p12=getattr(options, 'ra_p12', None))
> >>>>
> >>>>     File
> >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> >>>> line 1543, in install_replica_ca
> >>>>
> >>>>       subject_base=config.subject_base)
> >>>>
> >>>>     File
> >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> >>>> line 486, in configure_instance
> >>>>
> >>>>       self.start_creation(runtime=210)
> >>>>
> >>>>     File
> >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> >>>> line 418, in start_creation
> >>>>
> >>>>       run_step(full_msg, method)
> >>>>
> >>>>     File
> >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> >>>> line 408, in run_step
> >>>>
> >>>>       method()
> >>>>
> >>>>     File
> >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> >>>> line 620, in __spawn_instance
> >>>>
> >>>>       DogtagInstance.spawn_instance(self, cfg_file)
> >>>>
> >>>>     File
> >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py"
> >>>> ,
> >>>> line 201, in spawn_instance
> >>>>
> >>>>       self.handle_setup_error(e)
> >>>>
> >>>>     File
> >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py"
> >>>> ,
> >>>> line 465, in handle_setup_error
> >>>>
> >>>>       raise RuntimeError("%s configuration failed." %
> >>>> self.subsystem)
> >>>>
> >>>> 2016-03-23T21:56:51Z DEBUG The ipa-replica-install command failed,
> exception:
> >>>> RuntimeError: CA configuration failed.
> >>>>
> >>>> 2016-03-23T21:56:51Z ERROR CA configuration failed.
> >>>>
> >>>> /var/log/pki/pki-ca-spawn.<date>.log
> >>>>
> >>>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... rm -f
> >>>> /etc/pki/pki-tomcat/ca/noise
> >>>>
> >>>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... rm -f
> /etc/pki/pki-tomcat/pfile
> >>>>
> >>>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... ln -s
> >>>> /lib/systemd/system/pki-tomcatd@.service
> >>>> /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.
> >>>> s
> >>>> e
> >>>> rvice
> >>>>
> >>>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chown -h 17:17
> >>>> /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.
> >>>> s
> >>>> e
> >>>> rvice
> >>>>
> >>>> 2016-03-23 17:55:12 pkispawn    : INFO     ... configuring
> >>>> 'pki.server.deployment.scriptlets.configuration'
> >>>>
> >>>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... mkdir -p
> >>>> /root/.dogtag/pki-tomcat/ca
> >>>>
> >>>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chmod 755
> >>>> /root/.dogtag/pki-tomcat/ca
> >>>>
> >>>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chown 0:0
> >>>> /root/.dogtag/pki-tomcat/ca
> >>>>
> >>>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... generating
> >>>> '/root/.dogtag/pki-tomcat/ca/password.conf'
> >>>>
> >>>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... modifying
> >>>> '/root/.dogtag/pki-tomcat/ca/password.conf'
> >>>>
> >>>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chmod 660
> >>>> /root/.dogtag/pki-tomcat/ca/password.conf
> >>>>
> >>>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chown 0:0
> >>>> /root/.dogtag/pki-tomcat/ca/password.conf
> >>>>
> >>>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... generating
> >>>> '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
> >>>>
> >>>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... modifying
> >>>> '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
> >>>>
> >>>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chmod 660
> >>>> /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
> >>>>
> >>>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chown 17:17
> >>>> /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
> >>>>
> >>>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... executing
> 'certutil -N -d
> >>>> /tmp/tmp-g0CKZ3 -f /root/.dogtag/pki-tomcat/ca/password.conf'
> >>>>
> >>>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... executing
> 'systemctl
> >>>> daemon-reload'
> >>>>
> >>>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... executing
> 'systemctl start
> >>>> pki-tomcatd@pki-tomcat.service'
> >>>>
> >>>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... No connection
> - server
> >>>> may still be down
> >>>>
> >>>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... No connection
> - exception
> >>>> thrown: ('Connection aborted.', error(111, 'Connection refused'))
> >>>>
> >>>> 2016-03-23 17:55:13 pkispawn    : DEBUG    ........... No connection
> - server
> >>>> may still be down
> >>>>
> >>>> 2016-03-23 17:55:13 pkispawn    : DEBUG    ........... No connection
> - exception
> >>>> thrown: ('Connection aborted.', error(111, 'Connection refused'))
> >>>>
> >>>> 2016-03-23 17:55:24 pkispawn    : DEBUG    ........... <?xml
> version="1.0"
> >>>> encoding="UTF-8"
> >>>> standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status
> >>>>> r unning</Status><Version>10.2.5-6.el7</Version></XMLResponse>
> >>>>
> >>>> 2016-03-23 17:55:25 pkispawn    : INFO     ....... constructing PKI
> >>>> configuration data.
> >>>>
> >>>> 2016-03-23 17:55:25 pkispawn    : INFO     ....... configuring PKI
> configuration
> >>>> data.
> >>>>
> >>>> 2016-03-23 17:56:51 pkispawn    : ERROR    ....... Exception from Java
> >>>> Configuration Servlet: 500 Server Error: Internal Server Error
> >>>>
> >>>> 2016-03-23 17:56:51 pkispawn    : ERROR    ....... ParseError: not
> well-formed
> >>>> (invalid token): line 1, column 0:
> >>>> {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.
> >>>> PKIException","Code":500,"Message":"Error
> >>>> while updating security domain: java.io.IOException: 2"}
> >>>>
> >>>> 2016-03-23 17:56:51 pkispawn    : DEBUG    ....... Error Type:
> ParseError
> >>>>
> >>>> 2016-03-23 17:56:51 pkispawn    : DEBUG    ....... Error Message: not
> >>>> well-formed (invalid token): line 1, column 0
> >>>>
> >>>> 2016-03-23 17:56:51 pkispawn    : DEBUG    .......   File
> "/usr/sbin/pkispawn",
> >>>> line 597, in main
> >>>>
> >>>>       rv = instance.spawn(deployer)
> >>>>
> >>>>     File
> >>>> "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/c
> >>>> o
> >>>> n
> >>>> figuration.py",
> >>>> line 116, in spawn
> >>>>
> >>>>       json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
> >>>>
> >>>>     File
> >>>> "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py"
> >>>> ,
> >>>> line 3906, in configure_pki_data
> >>>>
> >>>>       root = ET.fromstring(e.response.text)
> >>>>
> >>>>     File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300,
> >>>> in XML
> >>>>
> >>>>       parser.feed(text)
> >>>>
> >>>>     File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642,
> >>>> in feed
> >>>>
> >>>>       self._raiseerror(v)
> >>>>
> >>>>     File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506,
> >>>> in _raiseerror
> >>>>
> >>>>       raise err
> >>>>
> >>>> /var/log/pki/pki-tomcat/ca/debug
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password
> >>>> ok: store in memory cache
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init
> >>>> ends
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before
> >>>> makeConnection errorIfDown is false
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection:
> >>>> errorIfDown false
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP
> >>>> connection using basic authentication to host
> >>>> pt-idm-vm01.example.com port 389 as cn=Directory Manager
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with
> >>>> mininum 3 and maximum 15 connections to host pt-idm-vm01.example.com
> >>>> port 389, secure connection, false, authentication type 1
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum
> >>>> connections by 3
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available
> >>>> connections 3
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of
> >>>> connections 3
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In
> >>>> LdapBoundConnFactory::getConn()
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected:
> >>>> true
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is
> >>>> connected true
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now
> >>>> 2
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS:
> >>>> param=preop.internaldb.manager_ldif
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif
> >>>> file = /usr/share/pki/server/conf/manager.ldif
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif
> >>>> file copy to /var/lib/pki/pki-tomcat/ca/conf/manager.ldif
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): LDAP
> >>>> Errors in importing /var/lib/pki/pki-tomcat/ca/conf/manager.ldif
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF:
> >>>> exception in adding entry
> >>>> ou=csusers,cn=config:netscape.ldap.LDAPException: error result (68)
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF:
> >>>> exception in modifying entry o=ipaca:netscape.ldap.LDAPException:
> >>>> error result (20)
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: populateVLVIndexes():
> >>>> start
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Creating
> >>>> LdapBoundConnFactor(ConfigurationUtils)
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapBoundConnFactory:
> >>>> init
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]:
> >>>> LdapBoundConnFactory:doCloning true
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init()
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init
> >>>> begins
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init:
> >>>> prompt is internaldb
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init:
> >>>> try getting from memory cache
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init:
> >>>> got password from memory
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init:
> >>>> password found for prompt.
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password
> >>>> ok: store in memory cache
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init
> >>>> ends
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before
> >>>> makeConnection errorIfDown is false
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection:
> >>>> errorIfDown false
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP
> >>>> connection using basic authentication to host
> >>>> pt-idm-vm01.example.com port 389 as cn=Directory Manager
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with
> >>>> mininum 3 and maximum 15 connections to host pt-idm-vm01.example.com
> >>>> port 389, secure connection, false, authentication type 1
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum
> >>>> connections by 3
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available
> >>>> connections 3
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of
> >>>> connections 3
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In
> >>>> LdapBoundConnFactory::getConn()
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected:
> >>>> true
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is
> >>>> connected true
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now
> >>>> 2
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS:
> >>>> param=preop.internaldb.post_ldif
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif
> >>>> file = /usr/share/pki/ca/conf/vlv.ldif
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif
> >>>> file copy to /var/lib/pki/pki-tomcat/ca/conf/vlv.ldif
> >>>>
> >>>> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif
> >>>> file = /usr/share/pki/ca/conf/vlvtasks.ldif
> >>>>
> >>>> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif
> >>>> file copy to /var/lib/pki/pki-tomcat/ca/conf/vlvtasks.ldif
> >>>>
> >>>> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: Checking wait_dn
> >>>> cn=index1160589769, cn=index, cn=tasks, cn=config
> >>>>
> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: Found data for
> 'sslserver'
> >>>>
> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]:
> >>>> SystemConfigService:processCerts(): san_server_cert not found for
> >>>> tag sslserver
> >>>>
> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is
> >>>> local
> >>>>
> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is
> >>>> remote (revised)
> >>>>
> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel:
> >>>> updateConfig() for certTag sslserver
> >>>>
> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: updateConfig() done
> >>>>
> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: remote CA
> >>>>
> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got
> >>>> public key
> >>>>
> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got
> >>>> private key
> >>>>
> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: For this
> >>>> Cloned CA, always use its Master CA to generate the 'sslserver'
> >>>> certificate to avoid any changes which may have been made to the
> X500Name directory string encoding order.
> >>>>
> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: ConfigurationUtils:
> >>>> injectSAN=false
> >>>>
> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertUtil
> >>>> createRemoteCert: content
> >>>> requestor_name=CA-pt-idm-vm01.example.com-8443&profileId=caInternalA
> >>>> u
> >>>> t
> >>>> hServerCert&cert_request_type=pkcs10&cert_request=MIICmzCCAYxxxxxxxx
> >>>> x
> >>>> x
> >>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> >>>> x
> >>>> x
> >>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> >>>> x
> >>>> x
> >>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> >>>> x
> >>>> x
> >>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> >>>> x
> >>>> x
> >>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> >>>> x
> >>>> x
> >>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxrD6JPIBR7AA%3D&xmlOutput=true
> >>>> &
> >>>> s
> >>>> essionID=-4495713718673639316
> >>>>
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil
> >>>> createRemoteCert: status=0
> >>>>
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil
> createRemoteCert:
> >>>> MIIDxTCCAq2gxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> >>>> x
> >>>> x
> >>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> >>>> x
> >>>> x
> >>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> >>>> x
> >>>> x
> >>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> >>>> x
> >>>> x
> >>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> >>>> x
> >>>> x
> >>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxTDuSAWm2v7
> >>>>
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: ConfigurationUtils:
> >>>> handleCertRequest() begins
> >>>>
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest:
> >>>> tag=sslserver
> >>>>
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]:
> >>>> privKeyID=29c021f3ccfafb1049bd33ce00e9b4ba35f2c1e7
> >>>>
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest:
> >>>> created cert request
> >>>>
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processing 'sslserver'
> certificate:
> >>>>
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): for
> >>>> cert tag 'sslserver' using cert type 'remote'
> >>>>
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): process
> >>>> remote...import cert
> >>>>
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert:
> >>>> nickname=Server-Cert cert-pki-ca
> >>>>
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: cert
> >>>> deleted successfully
> >>>>
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts():
> >>>> certchains length=2
> >>>>
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): import
> >>>> certificate successfully, certTag=sslserver
> >>>>
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processed 'sslserver'
> certificate.
> >>>>
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === BackupKeyCert
> >>>> Panel/SavePKCS12 Panel ===
> >>>>
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: backupKeys(): start
> >>>>
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Admin Panel ===
> >>>>
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Done Panel ===
> >>>>
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Updating existing
> >>>> security domain
> >>>>
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: isSDHostDomainMaster():
> >>>> Getting domain.xml from CA...
> >>>>
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: getDomainXML start
> >>>>
> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: status=0
> >>>>
> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML:
> >>>> domainInfo=<?xml version="1.0" encoding="UTF-8"
> >>>> standalone="no"?><DomainInfo><Name>IPA</Name><CAList><CA><Host>ptipa1.
> >>>> example.com</Host><SecurePort>443</SecurePort><SecureAgentPort>443</
> >>>> S
> >>>> e
> >>>> cureAgentPort><SecureAdminPort>443</SecureAdminPort><SecureEEClientA
> >>>> cureAgentPort>u
> >>>> cureAgentPort>t
> >>>> hPort>443</SecureEEClientAuthPort><UnSecurePort>80</UnSecurePort><Cl
> >>>> hPort>o
> >>>> hPort>n
> >>>> e>FALSE</Clone><SubsystemName>pki-cad</SubsystemName><DomainManager>
> >>>> e>T
> >>>> e>R
> >>>> UE</DomainManager></CA><SubsystemCount>1</SubsystemCount></CAList><O
> >>>> C
> >>>> S
> >>>> PList><SubsystemCount>0</SubsystemCount></OCSPList><KRAList><Subsyst
> >>>> PList>e
> >>>> PList>m
> >>>> Count>0</SubsystemCount></KRAList><RAList><SubsystemCount>0</Subsyst
> >>>> Count>e
> >>>> Count>m
> >>>> Count></RAList><TKSList><SubsystemCount>0</SubsystemCount></TKSList>
> >>>> Count><
> >>>> Count>T
> >>>> PSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo>
> >>>>
> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Cloning a domain
> >>>> master
> >>>>
> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase
> >>>> updateDomainXML start hostname=ptipa1.example.com port=443
> >>>>
> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain:
> >>>> failed to update security domain using admin port 443:
> >>>> org.xml.sax.SAXParseException;
> >>>> lineNumber: 1; columnNumber: 50; White spaces are required between
> >>>> publicId and systemId.
> >>>>
> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain:
> >>>> now trying agent port with client auth
> >>>>
> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase
> >>>> updateDomainXML start hostname=ptipa1.example.com port=443
> >>>>
> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateDomainXML()
> >>>> nickname=subsystemCert cert-pki-ca
> >>>>
> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase
> updateDomainXML:
> >>>> status=1
> >>>>
> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Error while updating
> >>>> security
> >>>> domain: java.io.IOException: 2
> >>>>
> >>>> [23/Mar/2016:23:44:52][http-bio-8080-exec-1]: according to ccMode,
> >>>> authorization for servlet: caProfileList is LDAP based, not XML {1},
> use default authz mgr: {2}.
> >>>>
> >>>> /var/log/pki/pki-tomcat/ca/system
> >>>>
> >>>> 0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [3] [3] Cannot
> >>>> build CA chain. Error java.security.cert.CertificateException:
> >>>> Certificate is not a PKCS
> >>>> #11 certificate
> >>>>
> >>>> 0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [13] [3] authz
> >>>> instance DirAclAuthz initialization failed and skipped,
> >>>> error=Property internaldb.ldapconn.port missing value
> >>>>
> >>>> *Dennis M Ott*
> >>>> Infrastructure Administrator
> >>>> Infrastructure and Security Operations
> >>>>
> >>>> *McKesson Corporation
> >>>> McKesson Pharmacy Systems and Automation* www.mckesson.com
> >>>> <http://www.mckesson.com/>
> >>>>> --
> >>> Petr Vobornik
> >>>
> >> --
> >> Petr Vobornik
> >>
> >> --
> >> Manage your subscription for the Freeipa-users mailing list:
> >> http://cp.mcafee.com/d/5fHCMUe6gUSyMVuXzX0VMSrhhjhupjvvhdEEFELcFKcECPp
> >> ISHoHZalxOVIsWqehMGDpMQsyGeWOPtfhktZy0GM-xEGYCXslsttJtVNxeSICPpISr9PCJ
> >> hbcat7Q2uPVv1dnoovaAVgtHzIv-iSBSWv6xIQh1ysM3d40tY8iEq8zh0qf0XUgBjwNeoa
> >> lIl-BaMVsQv6QmhPPzNI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdl
> >> jh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
> >> Go to
> >> http://cp.mcafee.com/d/FZsSd3gArhosLtNZwsUrdEEFELcFLLECQkkQnCkT6kjpISr
> >> lIl-BaMVsSetd78UljIUqehl7tppKDEGe-N0lovgQlujtKaKeKSKYUMDrmjpISrdw0To_Y
> >> BJU03xIQh1ysM3d40tY8iEq8zh0qf0XUgBjwNeoalIl-BaMVsQv6QmhPPzNI5-Aq83iSbN
> >>
> _VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
> for more info on the project
> >>
> >
> >
> > --
> > Petr Vobornik
> >
>
>
> --
> Petr Vobornik
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

-- 
This email and its contents are confidential. If you are not the intended 
recipient, please do not disclose or use the information within this email 
or its attachments. If you have received this email in error, please report 
the error to the sender by return email and delete this communication from 
your records.
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to