It seems this may be in the context of IPA. Which versions are on the replica that fails to install, and on the master?

cat /etc/redhat-release ; rpm -q ipa-server pki-ca ; ls -l /etc/alternatives/java

There are several LDAP errors 68 and 20 about existing entries. Try to first uninstall the IPA replica before re-installing.

I will add some more notes, but it really seems an IPA replica install/configuration failed, and it should be removed before trying again.

Thanks,
M.

Extra notes:

The CA debug log seems to show other errors that are unrelated to the ipa-replica-install command with "RuntimeError: Unable to retrieve CA chain: request failed with HTTP status 500". Try to get more lines before that error in the log file /var/log/ipareplica-install.log, and check whether there are any matching entries in /var/log/httpd/error_log.

Otherwise, on the system with the error

[22/Aug/2017:17:13:08][SerialNumberUpdateTask]: DBSubsystem: getNextRange. Unable to provide next range :netscape.ldap.LDAPException: error result (68)

try to match the LDAP messages related to that time stamp and with err=68, find the conn=xx and match the corresponding search that generated the "already exist" error. It would be interesting to see the filter and base DN in that search. It should be one of the LDAP connections bound, for example, as "TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca", and it should, for example, have LDAP searches in "ou=certificateRepository,ou=ranges,o=ipaca" and "ou=requests,ou=ranges,o=ipaca".

On the master, try to list the DNA ranges that are available:

ipa-replica-manage dnarange-show

It should list, for example,

ipaserver1.example.com: aaaaaa-bbbbb
ipaserver2.example.com: cccccc-dddddd

and there should be no common ranges. See:

14.3. Displaying Currently Assigned ID Ranges
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/display-id-range.html

and

14.5. Manual ID Range Extension and Assigning a New ID Range
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/man-set-extend-id-ranges.html

Example of what we should see in /var/log/pki/pki-tomcat/ca/debug for getNextRange:

[09/Mar/2017:02:49:31][localhost-startStop-1]: DBSubsystem: getNextRange Next range has been added: 10000001 - 20000000

On Tue, Aug 29, 2017 at 8:56 AM, pgb205 <[email protected]> wrote:
> I have an install that fails at the following stage:
> importing CA chain to RA certificate database
> [error] RuntimeError: Unable to retrieve CA chain: request failed with HTTP status 500
>
> the logs are not showing anything obvious
> 22/Aug/2017:17:02:52][http-bio-8443-exec-3]: importLDIFS(): LDAP Errors in importing /var/lib/pki/pki-tomcat/ca/conf/manager.ldif
> [22/Aug/2017:17:02:52][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in adding entry ou=csusers,cn=config:netscape.ldap.LDAPException: error result (68)
> [22/Aug/2017:17:02:52][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in modifying entry o=ipaca:netscape.ldap.LDAPException: error result (20)
> [22/Aug/2017:17:02:52][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
> [22/Aug/2017:17:02:52][http-bio-8443-exec-3]: makeConnection: errorIfDown false
> [22/Aug/2017:17:02:57][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is true
> [22/Aug/2017:17:02:57][http-bio-8443-exec-3]: makeConnection: errorIfDown true
> [22/Aug/2017:17:02:57][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
> [22/Aug/2017:17:02:57][http-bio-8443-exec-3]: makeConnection: errorIfDown false
> [22/Aug/2017:17:02:57][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
> [22/Aug/2017:17:02:57][http-bio-8443-exec-3]: makeConnection: errorIfDown false
> [22/Aug/2017:17:02:58][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
> [22/Aug/2017:17:02:58][http-bio-8443-exec-3]: makeConnection: errorIfDown false
> [22/Aug/2017:17:03:07][localhost-startStop-1]: init: before makeConnection errorIfDown is true
> [22/Aug/2017:17:03:07][localhost-startStop-1]: makeConnection: errorIfDown true
> [22/Aug/2017:17:03:07][localhost-startStop-1]: init: before makeConnection errorIfDown is false
> [22/Aug/2017:17:03:07][localhost-startStop-1]: makeConnection: errorIfDown false
> [22/Aug/2017:17:03:08][localhost-startStop-1]: init: before makeConnection errorIfDown is false
> [22/Aug/2017:17:03:08][localhost-startStop-1]: makeConnection: errorIfDown false
> [22/Aug/2017:17:03:08][localhost-startStop-1]: init: before makeConnection errorIfDown is false
> [22/Aug/2017:17:03:08][localhost-startStop-1]: makeConnection: errorIfDown false
> [22/Aug/2017:17:03:08][profileChangeMonitor]: Start Profile Creation - caDirUserRenewal caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
> [22/Aug/2017:17:03:08][profileChangeMonitor]: Done Profile Creation - caDirUserRenewal
> [22/Aug/2017:17:03:08][profileChangeMonitor]: Start Profile Creation - IECUserRoles caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
> [22/Aug/2017:17:03:08][profileChangeMonitor]: Done Profile Creation - IECUserRoles
> [22/Aug/2017:17:03:08][localhost-startStop-1]: init: before makeConnection errorIfDown is false
> [22/Aug/2017:17:03:08][localhost-startStop-1]: makeConnection: errorIfDown false
> [22/Aug/2017:17:03:09][localhost-startStop-1]: init: before makeConnection errorIfDown is false
> [22/Aug/2017:17:03:09][localhost-startStop-1]: makeConnection: errorIfDown false
> [22/Aug/2017:17:03:09][localhost-startStop-1]: init: before makeConnection errorIfDown is false
> [22/Aug/2017:17:03:09][localhost-startStop-1]: makeConnection: errorIfDown false
> [22/Aug/2017:17:03:09][localhost-startStop-1]: DBSubsystem: getNextRange. Unable to provide next range :netscape.ldap.LDAPException: error result (68)
> [22/Aug/2017:17:13:08][SerialNumberUpdateTask]: DBSubsystem: getNextRange. Unable to provide next range :netscape.ldap.LDAPException: error result (68)
>
> and
>
> [23/Aug/2017:15:24:09][CertStatusUpdateTask]: returnConn: mNumConns now 5
> [23/Aug/2017:15:24:09][CertStatusUpdateTask]: DBVirtualList: searching for entry 20170823152409Z
> [23/Aug/2017:15:24:09][CertStatusUpdateTask]: DBVirtualList.getEntries()
> [23/Aug/2017:15:24:09][CertStatusUpdateTask]: DBVirtualList: entries: 1
> [23/Aug/2017:15:24:09][CertStatusUpdateTask]: DBVirtualList: top: 0
> [23/Aug/2017:15:24:09][CertStatusUpdateTask]: DBVirtualList: size: 640
> [23/Aug/2017:15:24:09][CertStatusUpdateTask]: transitRevokedExpiredCertificates: list size: 640
> [23/Aug/2017:15:24:09][CertStatusUpdateTask]: transitRevokedExpiredCertificates: ltSize 1
> [23/Aug/2017:15:24:09][CertStatusUpdateTask]: transitRevokedExpired: curRec: 0 CertRecord: 76
> [23/Aug/2017:15:24:09][CertStatusUpdateTask]: Record does not qualify,notAfter Mon Aug 28 16:47:53 UTC 2017 date Wed Aug 23 15:24:09 UTC 2017
> [23/Aug/2017:15:24:09][CertStatusUpdateTask]: transitCertList REVOKED_EXPIRED
> [23/Aug/2017:15:24:09][CertStatusUpdateTask]: updateCertStatus done
>
> I have full logs if necessary, but I'm unable to determine the cause for the failure. Asking on FreeIPA forums, this is a problem on the CA server, but that's as far as I got with this.
>
> _______________________________________________
> Pki-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/pki-users
>
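The two checks suggested in the reply above, as an added Python example that is not part of this thread and not code from the IPA or Dogtag projects: first, the log correlation (locate the RESULT with err=68, follow its conn=xx back to the identity bound on that connection and to the earlier SRCH lines with their base DN and filter); second, the "no common ranges" check over `ipa-replica-manage dnarange-show` output. The access-log lines and the range listing are constructed samples that only approximate the 389-ds access-log and dnarange-show formats quoted in the mail; the connection numbers, hostnames and range values are assumptions, not real data. LDAP result 68 is alreadyExists and 20 is attributeOrValueExists.

```python
import re
from collections import defaultdict

# Constructed sample in the style of a 389-ds access log (not real data; layout is an assumption).
ACCESS_LOG = """\
[22/Aug/2017:17:13:08 +0000] conn=17 fd=64 slot=64 SSL connection from 10.0.0.5 to 10.0.0.2
[22/Aug/2017:17:13:08 +0000] conn=17 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca
[22/Aug/2017:17:13:08 +0000] conn=17 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[22/Aug/2017:17:13:08 +0000] conn=17 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=pkidbuser,ou=people,o=ipaca"
[22/Aug/2017:17:13:08 +0000] conn=17 op=1 SRCH base="ou=certificateRepository,ou=ranges,o=ipaca" scope=1 filter="(objectClass=pkiRange)" attrs=ALL
[22/Aug/2017:17:13:08 +0000] conn=17 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[22/Aug/2017:17:13:08 +0000] conn=17 op=2 ADD dn="cn=10000001,ou=certificateRepository,ou=ranges,o=ipaca"
[22/Aug/2017:17:13:08 +0000] conn=17 op=2 RESULT err=68 tag=105 nentries=0 etime=0
[22/Aug/2017:17:13:09 +0000] conn=18 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[22/Aug/2017:17:13:09 +0000] conn=18 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[22/Aug/2017:17:13:09 +0000] conn=18 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=alice)" attrs=ALL
[22/Aug/2017:17:13:09 +0000] conn=18 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""

# Constructed sample of `ipa-replica-manage dnarange-show` output (placeholder hosts and values).
DNARANGE_OUTPUT = """\
ipaserver1.example.com: 1000-1999
ipaserver2.example.com: 1500-2499
ipaserver3.example.com: 3000-3999
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$')


def parse_access_log(text):
    """Group lines by connection: remember who the connection is bound as,
    the request line and result code of every op, and every SRCH base/filter."""
    conns = defaultdict(lambda: {"bound_as": None, "ops": {}, "searches": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        c, rest, op = conns[m.group("conn")], m.group("rest"), m.group("op")
        # Bound identity: client-cert bind message, simple BIND dn, or the mapped dn on the bind RESULT.
        cert = re.search(r'client bound as (?P<dn>.+)$', rest)
        dn = re.search(r'dn="(?P<dn>[^"]*)"', rest)
        if cert:
            c["bound_as"] = cert.group("dn")
        elif (rest.startswith("BIND ") or "tag=97" in rest) and dn and dn.group("dn"):
            c["bound_as"] = dn.group("dn")
        if op is None:
            continue
        entry = c["ops"].setdefault(op, {})
        if rest.startswith("RESULT "):
            err = re.search(r'err=(\d+)', rest)
            entry["err"] = int(err.group(1)) if err else None
            entry["ts"] = m.group("ts")
        else:
            entry["request"] = rest
            if rest.startswith("SRCH "):
                base = re.search(r'base="([^"]*)"', rest)
                flt = re.search(r'filter="([^"]*)"', rest)
                c["searches"].append({"op": op, "base": base.group(1) if base else None,
                                      "filter": flt.group(1) if flt else None})
    return conns


def failed_ops(text, err=68):
    """Every op that ended with the given LDAP result code, with the connection's bound
    identity, the failing request line, and the searches issued earlier on that connection."""
    out = []
    for conn, c in parse_access_log(text).items():
        for op, info in c["ops"].items():
            if info.get("err") == err:
                out.append({"conn": conn, "op": op, "ts": info.get("ts"),
                            "bound_as": c["bound_as"], "request": info.get("request"),
                            "prior_searches": [s for s in c["searches"] if int(s["op"]) < int(op)]})
    return out


def dna_overlaps(text):
    """Parse 'host: start-end' lines and report each pair of hosts whose ranges intersect."""
    ranges = []
    for line in text.splitlines():
        m = re.match(r'^\s*(?P<host>\S+):\s*(?P<lo>\d+)-(?P<hi>\d+)\s*$', line)
        if m:
            ranges.append((m.group("host"), int(m.group("lo")), int(m.group("hi"))))
    overlaps = []
    for i, (h1, lo1, hi1) in enumerate(ranges):
        for h2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:  # closed intervals intersect
                overlaps.append((h1, h2, max(lo1, lo2), min(hi1, hi2)))
    return overlaps


if __name__ == "__main__":
    for f in failed_ops(ACCESS_LOG, 68):
        print(f"conn={f['conn']} op={f['op']} at {f['ts']} bound as {f['bound_as']}")
        print(f"  failing request: {f['request']}")
        for s in f["prior_searches"]:
            print(f"  earlier SRCH base={s['base']} filter={s['filter']}")
    for h1, h2, lo, hi in dna_overlaps(DNARANGE_OUTPUT):
        print(f"DNA range overlap between {h1} and {h2}: {lo}-{hi}")
```

On a real system, feed `failed_ops` the contents of the directory server's access log and restrict it to the time window around the getNextRange error; a hit on a connection bound as the CA's database user whose failing ADD sits under one of the ranges containers is the search-plus-add the reply asks you to find. Any pair reported by `dna_overlaps` is a "common range" that should not exist.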
