[Freeipa-users] Re: Issues installing replica
On Thu, Nov 08, 2018 at 09:27:14PM +0100, Alex Corcoles via FreeIPA-users wrote:
> On Thu, Nov 8, 2018 at 8:03 PM Alex Corcoles wrote:
>
> > This is not timestamped, but I guess it is the thing. Weird, I don't
> > remember my provisioning does anything JRE-related, but I will do some
> > digging myself.
> >
>
> Yay, I'm an idiot. I have automatic updates via yum-cron and OpenJDK had
> been updated. A reboot solved the issue.
>
> I'm not sure if it's worth filing a bug about this, but I don't mind doing
> so.
>
> Sorry for wasting everyone's time :(
>
> Álex
>

No worries Alex; glad the server is working again.

Cheers,
Fraser

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
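
[Added example, not part of any message in this thread.] The resolution above is that an unattended yum-cron update replaced OpenJDK while the Dogtag JVM was still running. One way to spot that condition before it surfaces as a failed replica install is to look for files a process still maps although they are gone from disk; the function names, the "java" process name and the sample paths below are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find files a process still maps after they were deleted or
# replaced on disk, as happens when a package update swaps out a runtime.

# stale_maps: read /proc/<pid>/maps-formatted text on stdin and print each
# file path whose mapping carries the kernel's " (deleted)" suffix, once.
stale_maps() {
    awk '
        / \(deleted\)$/ {
            path = $0
            # Drop the five leading fields: address perms offset dev inode.
            sub(/^[^ ]+ +[^ ]+ +[^ ]+ +[^ ]+ +[^ ]+ +/, "", path)
            sub(/ \(deleted\)$/, "", path)
            # Scratch files and shared memory are unlinked in normal use.
            if (path ~ /^\/(tmp|run|dev\/shm)\// || path ~ /^\/(SYSV|memfd:)/) next
            if (!(path in seen)) { seen[path] = 1; print path }
        }'
}

# Constructed sample of a JVM whose runtime was replaced underneath it
# (paths and inode numbers are made up, not taken from the thread).
sample_maps() {
    cat <<'EOF'
00400000-00401000 r-xp 00000000 fd:00 1001 /usr/lib/jvm/jre-OLD/bin/java (deleted)
7f10a0000000-7f10a0200000 r-xp 00000000 fd:00 1002 /usr/lib/jvm/jre-OLD/lib/amd64/server/libjvm.so (deleted)
7f10a0200000-7f10a0400000 rw-p 00200000 fd:00 1002 /usr/lib/jvm/jre-OLD/lib/amd64/server/libjvm.so (deleted)
7f10a1000000-7f10a1100000 r--s 00000000 fd:00 1003 /usr/lib/jvm/jre-OLD/lib/rt.jar (deleted)
7f10a2000000-7f10a2008000 rw-s 00000000 00:26 1004 /tmp/hsperfdata_pkiuser/4242 (deleted)
7f10a3000000-7f10a31c0000 r-xp 00000000 fd:00 1005 /usr/lib64/libc-2.17.so
EOF
}

# scan_java: check every running process named "java" (an assumption about
# the service). Reading other users' /proc/<pid>/maps needs root.
scan_java() {
    for pid in $(pgrep -x java); do
        [ -r "/proc/$pid/maps" ] || continue
        stale=$(stale_maps < "/proc/$pid/maps")
        [ -n "$stale" ] && printf 'PID %s should be restarted:\n%s\n' "$pid" "$stale"
    done
    return 0
}

# "--scan" inspects the live system; with no argument the sample is parsed.
case "${1:-}" in
    --scan) scan_java ;;
    *)      sample_maps | stale_maps ;;
esac
```

On yum-based systems, `needs-restarting` from yum-utils reports processes that were started before their packages were updated, which covers the same case.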
[Freeipa-users] Re: Issues installing replica
On Thu, Nov 8, 2018 at 8:03 PM Alex Corcoles wrote:
> This is not timestamped, but I guess it is the thing. Weird, I don't
> remember my provisioning does anything JRE-related, but I will do some
> digging myself.

Yay, I'm an idiot. I have automatic updates via yum-cron and OpenJDK had
been updated. A reboot solved the issue.

I'm not sure if it's worth filing a bug about this, but I don't mind
doing so.

Sorry for wasting everyone's time :(

Álex
--
  ___
{~._.~}
 ( Y )
()~*~()  mail: alex at corcoles dot net
(_)-(_)  http://alex.corcoles.net/
[Freeipa-users] Re: Issues installing replica
Hi Fraser and the new guys!

I think this may be it:

https://gist.github.com/alexpdp7/358626a92a07c787fbf246b2761dddb3#file-_var_log_pki_pki-tomcat_localhost-2018-11-07-log

snip:

SEVERE: Servlet.service() for servlet [caUpdateNumberRange] in context with path [/ca] threw exception [Could not initialize class sun.security.ssl.SSLContextImpl$TLSContext] with root cause
java.lang.NoClassDefFoundError: Could not initialize class sun.security.ssl.SSLContextImpl$TLSContext
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Class.java:264)
    at java.security.Provider$Service.getImplClass(Provider.java:1634)
    at java.security.Provider$Service.newInstance(Provider.java:1592)
    at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
    at sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
    at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156)
    at org.apache.http.conn.ssl.SSLSocketFactory.getSocketFactory(SSLSocketFactory.java:171)
    at org.apache.http.impl.conn.SchemeRegistryFactory.createDefault(SchemeRegistryFactory.java:49)
    at org.apache.http.impl.client.AbstractHttpClient.createClientConnectionManager(AbstractHttpClient.java:306)
    at org.apache.http.impl.client.AbstractHttpClient.getConnectionManager(AbstractHttpClient.java:466)
    at com.netscape.certsrv.client.PKIConnection.<init>(PKIConnection.java:114)
    at com.netscape.cms.servlet.csadmin.ConfigurationUtils.post(ConfigurationUtils.java:273)
    at com.netscape.cms.authentication.TokenAuthentication.sendAuthRequest(TokenAuthentication.java:216)
    at com.netscape.cms.authentication.TokenAuthentication.authenticate(TokenAuthentication.java:147)
    at com.netscape.cms.servlet.common.CMSGateway.checkAuthManager(CMSGateway.java:196)
    at com.netscape.cms.servlet.base.CMSServlet.authenticate(CMSServlet.java:1792)
    at com.netscape.cms.servlet.base.CMSServlet.authenticate(CMSServlet.java:1700)
    at com.netscape.cms.servlet.base.CMSServlet.authenticate(CMSServlet.java:1690)
    at com.netscape.cms.servlet.csadmin.UpdateNumberRange.process(UpdateNumberRange.java:88)

This is not timestamped, but I guess it is the thing. Weird, I don't
remember my provisioning does anything JRE-related, but I will do some
digging myself.

> One more question: is this a replica created from a replica?
> I fixed an issue quite recently that can occur under such a
> scenario, the symptoms of which are similar to yours.

Nope, I think this is my original freeipa-server. I might have done
something unlawful here, but I don't think so.

BTW:

On Thu, Nov 8, 2018 at 5:51 AM Fraser Tweedale wrote:
> (Which is fair enough; we didn't ask for this extra stuff until
> now.)

I'm sorry- I could have actually poked at those logs myself (I am- or
was- a Java web dev).

Looking at my previous post, my "did the song and dance again" might
have been impolite (if it does any good- this was more out of
frustration because my provisioning setup is unnecessarily slow).
FreeIPA is an awesome piece of software I get for free, I get support
for free on this mailing list from the authors, so I don't think I'm
entitled to much more. I suppose I'm also doing some free testing for
RedHat, but I think I'm the one getting the most benefit out of this,
so thank you guys and apologies.

Cheers,

Álex
--
  ___
{~._.~}
 ( Y )
()~*~()  mail: alex at corcoles dot net
(_)-(_)  http://alex.corcoles.net/
[Freeipa-users] Re: Issues installing replica
Hi Alex,

(Cc some other engineers for Dogtag cloning troubleshooting exposure).

Thanks for the additional logs. Can we please see [temporally
relevant snippets of] any other log files under
/var/log/pki/pki-tomcat and /var/log/pki/pki-tomcat/ca , as well as
the journal (`journalctl -u pki-tomcatd@pki-tomcat`)?

The original server is returning status 500 upon /updateNumberRange
request from the new replica, but the cause is unknown. There is
likely to be a stack trace hiding in the journal or one of the other
log files that was not included in the data you provided.
(Which is fair enough; we didn't ask for this extra stuff until
now.)

One more question: is this a replica created from a replica?
I fixed an issue quite recently that can occur under such a
scenario, the symptoms of which are similar to yours.

Thanks,
Fraser

On Wed, Nov 07, 2018 at 08:44:05PM +0100, Alex Corcoles via FreeIPA-users wrote:
> OK, did the whole song and dance again (btw, it takes about 6m, I'm not
> sure if that's normal), and extracted logs again:
>
> https://gist.github.com/alexpdp7/358626a92a07c787fbf246b2761dddb3
>
> Thanks for your time, guys,
>
> Álex
>
> On Tue, Nov 6, 2018 at 5:17 PM Rob Crittenden wrote:
>
> > Alex Corcoles via FreeIPA-users wrote:
> > > So I solved my LXC problems (thanks Rob, again), but now:
> > >
> > > ipa-replica-install -U --setup-ca -N
> > >
> > > fails when rebuilding my replica from scratch, see:
> > >
> > > https://gist.github.com/alexpdp7/4431da5e11afe6029e2baa01bc1f2251
> > >
> > > , where I think I've copied the relevant logs. I think I saw someone
> > > recommending revoking the replica certs, which makes sense as I'm using
> > > the same hostname that I used on the previous replica, but that doesn't
> > > seem to fix things.
> > >
> > > (I'm removing the previous replica via the admin interface, IPA Server
> > > -> Topology -> IPA Servers, select my replica and "Delete Server". This
> > > removes it too from the host list).
> >
> > I don't know what it is but it isn't related to existing entries in IPA
> > (nor un-revoked certs).
> >
> > The dogtag installer is asking for a serial # range and getting a
> > NotFound. Maybe Fraser knows.
> >
> > rob
> >
[Freeipa-users] Re: Issues installing replica
OK, did the whole song and dance again (btw, it takes about 6m, I'm not
sure if that's normal), and extracted logs again:

https://gist.github.com/alexpdp7/358626a92a07c787fbf246b2761dddb3

Thanks for your time, guys,

Álex

On Tue, Nov 6, 2018 at 5:17 PM Rob Crittenden wrote:
> Alex Corcoles via FreeIPA-users wrote:
> > So I solved my LXC problems (thanks Rob, again), but now:
> >
> > ipa-replica-install -U --setup-ca -N
> >
> > fails when rebuilding my replica from scratch, see:
> >
> > https://gist.github.com/alexpdp7/4431da5e11afe6029e2baa01bc1f2251
> >
> > , where I think I've copied the relevant logs. I think I saw someone
> > recommending revoking the replica certs, which makes sense as I'm using
> > the same hostname that I used on the previous replica, but that doesn't
> > seem to fix things.
> >
> > (I'm removing the previous replica via the admin interface, IPA Server
> > -> Topology -> IPA Servers, select my replica and "Delete Server". This
> > removes it too from the host list).
>
> I don't know what it is but it isn't related to existing entries in IPA
> (nor un-revoked certs).
>
> The dogtag installer is asking for a serial # range and getting a
> NotFound. Maybe Fraser knows.
>
> rob
>
--
  ___
{~._.~}
 ( Y )
()~*~()  mail: alex at corcoles dot net
(_)-(_)  http://alex.corcoles.net/
[Freeipa-users] Re: Issues installing replica
Alex Corcoles via FreeIPA-users wrote:
> So I solved my LXC problems (thanks Rob, again), but now:
>
> ipa-replica-install -U --setup-ca -N
>
> fails when rebuilding my replica from scratch, see:
>
> https://gist.github.com/alexpdp7/4431da5e11afe6029e2baa01bc1f2251
>
> , where I think I've copied the relevant logs. I think I saw someone
> recommending revoking the replica certs, which makes sense as I'm using
> the same hostname that I used on the previous replica, but that doesn't
> seem to fix things.
>
> (I'm removing the previous replica via the admin interface, IPA Server
> -> Topology -> IPA Servers, select my replica and "Delete Server". This
> removes it too from the host list).

I don't know what it is but it isn't related to existing entries in IPA
(nor un-revoked certs).

The dogtag installer is asking for a serial # range and getting a
NotFound. Maybe Fraser knows.

rob
[Freeipa-users] Re: Issues installing replica
OK, will do that this afternoon.

Is creating a new replica reusing an old replica's name a supported
thing? My replica is automatically provisioned, so it's appealing to me
to rebuild it if there's any problem with it, but having to change its
name is a chore (replica names should not be important, but some
software does not seem to behave correctly). I'm not sure of what's the
good practice here.

In any case, I will try to also create a second replica with a
different name to see if the problem is caused by reusing the name.

On Tue, Nov 6, 2018 at 1:25 AM Fraser Tweedale wrote:
> On Mon, Nov 05, 2018 at 09:48:40PM +0100, Alex Corcoles via FreeIPA-users
> wrote:
> > Might this be related to:
> >
> > https://pagure.io/freeipa/issue/7654
> >
> > Maybe?
> >
> Possibly. Need the HTTP access log, the Dogtag access log
> (/var/log/pki/pki-tomcat/localhost_access_log.txt) and the Dogtag
> debug log (/var/log/pki/pki-tomcat/ca/debug) from the master being
> contacted (ovh1.pdp7.net) to analyse further.
>
> Cheers,
> Fraser
>
--
  ___
{~._.~}
 ( Y )
()~*~()  mail: alex at corcoles dot net
(_)-(_)  http://alex.corcoles.net/
[Freeipa-users] Re: Issues installing replica
On Mon, Nov 05, 2018 at 09:48:40PM +0100, Alex Corcoles via FreeIPA-users wrote:
> Might this be related to:
>
> https://pagure.io/freeipa/issue/7654
>
> Maybe?
>

Possibly. Need the HTTP access log, the Dogtag access log
(/var/log/pki/pki-tomcat/localhost_access_log.txt) and the Dogtag
debug log (/var/log/pki/pki-tomcat/ca/debug) from the master being
contacted (ovh1.pdp7.net) to analyse further.

Cheers,
Fraser
[Freeipa-users] Re: Issues installing replica
Might this be related to:

https://pagure.io/freeipa/issue/7654

Maybe?
--
  ___
{~._.~}
 ( Y )
()~*~()  mail: alex at corcoles dot net
(_)-(_)  http://alex.corcoles.net/