[Freeipa-users] Re: Issues installing replica

2018-11-08 Thread Fraser Tweedale via FreeIPA-users
On Thu, Nov 08, 2018 at 09:27:14PM +0100, Alex Corcoles via FreeIPA-users wrote:
> On Thu, Nov 8, 2018 at 8:03 PM Alex Corcoles  wrote:
> 
> > This is not timestamped, but I guess it is the thing. Weird, I don't
> > remember my provisioning does anything JRE-related, but I will do some
> > digging myself.
> >
> 
> Yay, I'm an idiot. I have automatic updates via yum-cron and OpenJDK had
> been updated. A reboot solved the issue.
> 
> I'm not sure if it's worth filing a bug about this, but I don't mind doing
> so.
> 
> Sorry for wasting everyone's time :(
> 
> Álex
>
No worries Alex; glad the server is working again.

Cheers,
Fraser

> -- 
>___
>  {~._.~}
>   ( Y )
>  ()~*~()  mail: alex at corcoles dot net
>  (_)-(_)  http://alex.corcoles.net/

> ___
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: Issues installing replica

2018-11-08 Thread Alex Corcoles via FreeIPA-users
On Thu, Nov 8, 2018 at 8:03 PM Alex Corcoles  wrote:

> This is not timestamped, but I guess it is the thing. Weird, I don't
> remember my provisioning does anything JRE-related, but I will do some
> digging myself.
>

Yay, I'm an idiot. I have automatic updates via yum-cron and OpenJDK had
been updated. A reboot solved the issue.

I'm not sure if it's worth filing a bug about this, but I don't mind doing
so.

Sorry for wasting everyone's time :(

Álex
-- 
   ___
 {~._.~}
  ( Y )
 ()~*~()  mail: alex at corcoles dot net
 (_)-(_)  http://alex.corcoles.net/


[Freeipa-users] Re: Issues installing replica

2018-11-08 Thread Alex Corcoles via FreeIPA-users
Hi Fraser and the new guys!

I think this may be it:

https://gist.github.com/alexpdp7/358626a92a07c787fbf246b2761dddb3#file-_var_log_pki_pki-tomcat_localhost-2018-11-07-log

snip:

SEVERE: Servlet.service() for servlet [caUpdateNumberRange] in context with path [/ca] threw exception [Could not initialize class sun.security.ssl.SSLContextImpl$TLSContext] with root cause
java.lang.NoClassDefFoundError: Could not initialize class sun.security.ssl.SSLContextImpl$TLSContext
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Class.java:264)
    at java.security.Provider$Service.getImplClass(Provider.java:1634)
    at java.security.Provider$Service.newInstance(Provider.java:1592)
    at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
    at sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
    at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156)
    at org.apache.http.conn.ssl.SSLSocketFactory.getSocketFactory(SSLSocketFactory.java:171)
    at org.apache.http.impl.conn.SchemeRegistryFactory.createDefault(SchemeRegistryFactory.java:49)
    at org.apache.http.impl.client.AbstractHttpClient.createClientConnectionManager(AbstractHttpClient.java:306)
    at org.apache.http.impl.client.AbstractHttpClient.getConnectionManager(AbstractHttpClient.java:466)
    at com.netscape.certsrv.client.PKIConnection.<init>(PKIConnection.java:114)
    at com.netscape.cms.servlet.csadmin.ConfigurationUtils.post(ConfigurationUtils.java:273)
    at com.netscape.cms.authentication.TokenAuthentication.sendAuthRequest(TokenAuthentication.java:216)
    at com.netscape.cms.authentication.TokenAuthentication.authenticate(TokenAuthentication.java:147)
    at com.netscape.cms.servlet.common.CMSGateway.checkAuthManager(CMSGateway.java:196)
    at com.netscape.cms.servlet.base.CMSServlet.authenticate(CMSServlet.java:1792)
    at com.netscape.cms.servlet.base.CMSServlet.authenticate(CMSServlet.java:1700)
    at com.netscape.cms.servlet.base.CMSServlet.authenticate(CMSServlet.java:1690)
    at com.netscape.cms.servlet.csadmin.UpdateNumberRange.process(UpdateNumberRange.java:88)

This is not timestamped, but I guess it is the thing. Weird, I don't
remember my provisioning does anything JRE-related, but I will do some
digging myself.

> One more question: is this a replica created from a replica?
> I fixed an issue quite recently that can occur under such a
> scenario, the symptoms of which are similar to yours.
>

Nope, I think this is my original freeipa-server. I might have done
something unlawful here, but I don't think so.

BTW:

On Thu, Nov 8, 2018 at 5:51 AM Fraser Tweedale  wrote:

> (Which is fair enough; we didn't ask for this extra stuff until
> now.)
>

I'm sorry- I could have actually poked at those logs myself (I am- or was-
a Java web dev). Looking at my previous post, my "did the song and dance
again" might have been impolite (if it does any good- this was more out of
frustration because my provisioning setup is unnecessarily slow). FreeIPA
is an awesome piece of software I get for free, I get support for free on
this mailing list from the authors, so I don't think I'm entitled to much
more. I suppose I'm also doing some free testing for RedHat, but I think
I'm the one getting the most benefit out of this, so thank you guys and
apologies.

Cheers,

Álex
-- 
   ___
 {~._.~}
  ( Y )
 ()~*~()  mail: alex at corcoles dot net
 (_)-(_)  http://alex.corcoles.net/
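
Added example, not part of the original thread and not FreeIPA or Dogtag code: a small parser for Tomcat `SEVERE` servlet records in the layout of the trace quoted above, reporting the servlet, the root-cause exception and the first non-JDK frame. The names `find_servlet_failures` and `jvm_hint` and the sample log are constructed for illustration; the hint is a heuristic drawn from how this thread was resolved, not a documented rule.

```python
import re

# Constructed sample in the layout of the trace quoted in this thread
# (one record per line, frames abbreviated); not copied from the gist.
SAMPLE_LOG = """\
SEVERE: Servlet.service() for servlet [caUpdateNumberRange] in context with path [/ca] threw exception [Could not initialize class sun.security.ssl.SSLContextImpl$TLSContext] with root cause
java.lang.NoClassDefFoundError: Could not initialize class sun.security.ssl.SSLContextImpl$TLSContext
    at java.lang.Class.forName0(Native Method)
    at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156)
    at com.netscape.cms.servlet.csadmin.UpdateNumberRange.process(UpdateNumberRange.java:88)
INFO: constructed unrelated record
"""

HEADER = re.compile(r"^SEVERE: Servlet\.service\(\) for servlet \[(?P<servlet>[^\]]+)\] "
                    r"in context with path \[(?P<path>[^\]]*)\] threw exception")
CAUSE = re.compile(r"^(?P<exc>[\w.$]+(?:Error|Exception))(?:: (?P<msg>.*))?$")
FRAME = re.compile(r"^\s*at\s+(?P<method>[\w.$<>]+)\(")
JDK = ("java.", "javax.", "sun.", "com.sun.", "jdk.")

def find_servlet_failures(text):
    """Return one dict per SEVERE servlet exception record in a Tomcat log."""
    failures, cur = [], None
    for line in text.splitlines():
        head, cause, frame = HEADER.match(line), CAUSE.match(line), FRAME.match(line)
        if head:
            cur = dict(head.groupdict(), exception=None, app_frame=None, jvm_hint=False)
            failures.append(cur)
        elif cur is None:
            continue
        elif cause and cur["exception"] is None:
            msg = cause["msg"] or ""
            cur["exception"] = cause["exc"]
            # Heuristic (assumption): a JDK-internal class that cannot be initialized
            # suggests the JRE changed on disk under a running JVM, as in this thread.
            cur["jvm_hint"] = (cause["exc"] == "java.lang.NoClassDefFoundError"
                               and msg.startswith("Could not initialize class ")
                               and msg.split()[-1].startswith(JDK))
        elif frame:
            if cur["app_frame"] is None and not frame["method"].startswith(JDK):
                cur["app_frame"] = frame["method"]
        else:
            cur = None  # any other record ends the current trace
    return failures

if __name__ == "__main__":
    print(find_servlet_failures(SAMPLE_LOG))
```

The parser expects the log file's own layout, with each frame on one line; a trace re-wrapped by a mail client needs its `at` lines re-joined first.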


[Freeipa-users] Re: Issues installing replica

2018-11-07 Thread Fraser Tweedale via FreeIPA-users
Hi Alex,

(Cc some other engineers for Dogtag cloning troubleshooting
exposure).

Thanks for the additional logs.  Can we please see [temporally
relevant snippets of] any other log files under
/var/log/pki/pki-tomcat and /var/log/pki/pki-tomcat/ca , as well as
the journal (`journalctl -u pki-tomcatd@pki-tomcat`)?

The original server is returning status 500 upon /updateNumberRange
request from the new replica, but the cause is unknown.  There is
likely to be a stack trace hiding in the journal or one of the other
log files that was not included in the data you provided.

(Which is fair enough; we didn't ask for this extra stuff until
now.)

One more question: is this a replica created from a replica?
I fixed an issue quite recently that can occur under such a
scenario, the symptoms of which are similar to yours.

Thanks,
Fraser

On Wed, Nov 07, 2018 at 08:44:05PM +0100, Alex Corcoles via FreeIPA-users wrote:
> OK, did the whole song and dance again (btw, it takes about 6m, I'm not
> sure if that's normal), and extracted logs again:
> 
> https://gist.github.com/alexpdp7/358626a92a07c787fbf246b2761dddb3
> 
> Thanks for your time, guys,
> 
> Álex
> 
> On Tue, Nov 6, 2018 at 5:17 PM Rob Crittenden  wrote:
> 
> > Alex Corcoles via FreeIPA-users wrote:
> > > So I solved my LXC problems (thanks Rob, again), but now:
> > >
> > > ipa-replica-install -U --setup-ca -N
> > >
> > > fails when rebuilding my replica from scratch, see:
> > >
> > > https://gist.github.com/alexpdp7/4431da5e11afe6029e2baa01bc1f2251
> > >
> > > , where I think I've copied the relevant logs. I think I saw someone
> > > recommending revoking the replica certs, which makes sense as I'm using
> > > the same hostname that I used on the previous replica, but that doesn't
> > > seem to fix things.
> > >
> > > (I'm removing the previous replica via the admin interface, IPA Server
> > > -> Topology -> IPA Servers, select my replica and "Delete Server". This
> > > removes it too from the host list).
> >
> > I don't know what it is but it isn't related to existing entries in IPA
> > (nor un-revoked certs).
> >
> > The dogtag installer is asking for a serial # range and getting a
> > NotFound. Maybe Fraser knows.
> >
> > rob
> >
> 
> 
> -- 
>___
>  {~._.~}
>   ( Y )
>  ()~*~()  mail: alex at corcoles dot net
>  (_)-(_)  http://alex.corcoles.net/



[Freeipa-users] Re: Issues installing replica

2018-11-07 Thread Alex Corcoles via FreeIPA-users
OK, did the whole song and dance again (btw, it takes about 6m, I'm not
sure if that's normal), and extracted logs again:

https://gist.github.com/alexpdp7/358626a92a07c787fbf246b2761dddb3

Thanks for your time, guys,

Álex

On Tue, Nov 6, 2018 at 5:17 PM Rob Crittenden  wrote:

> Alex Corcoles via FreeIPA-users wrote:
> > So I solved my LXC problems (thanks Rob, again), but now:
> >
> > ipa-replica-install -U --setup-ca -N
> >
> > fails when rebuilding my replica from scratch, see:
> >
> > https://gist.github.com/alexpdp7/4431da5e11afe6029e2baa01bc1f2251
> >
> > , where I think I've copied the relevant logs. I think I saw someone
> > recommending revoking the replica certs, which makes sense as I'm using
> > the same hostname that I used on the previous replica, but that doesn't
> > seem to fix things.
> >
> > (I'm removing the previous replica via the admin interface, IPA Server
> > -> Topology -> IPA Servers, select my replica and "Delete Server". This
> > removes it too from the host list).
>
> I don't know what it is but it isn't related to existing entries in IPA
> (nor un-revoked certs).
>
> The dogtag installer is asking for a serial # range and getting a
> NotFound. Maybe Fraser knows.
>
> rob
>


-- 
   ___
 {~._.~}
  ( Y )
 ()~*~()  mail: alex at corcoles dot net
 (_)-(_)  http://alex.corcoles.net/


[Freeipa-users] Re: Issues installing replica

2018-11-06 Thread Rob Crittenden via FreeIPA-users
Alex Corcoles via FreeIPA-users wrote:
> So I solved my LXC problems (thanks Rob, again), but now:
> 
> ipa-replica-install -U --setup-ca -N
> 
> fails when rebuilding my replica from scratch, see:
> 
> https://gist.github.com/alexpdp7/4431da5e11afe6029e2baa01bc1f2251
> 
> , where I think I've copied the relevant logs. I think I saw someone
> recommending revoking the replica certs, which makes sense as I'm using
> the same hostname that I used on the previous replica, but that doesn't
> seem to fix things.
> 
> (I'm removing the previous replica via the admin interface, IPA Server
> -> Topology -> IPA Servers, select my replica and "Delete Server". This
> removes it too from the host list).

I don't know what it is but it isn't related to existing entries in IPA
(nor un-revoked certs).

The dogtag installer is asking for a serial # range and getting a
NotFound. Maybe Fraser knows.

rob


[Freeipa-users] Re: Issues installing replica

2018-11-06 Thread Alex Corcoles via FreeIPA-users
OK, will do that this afternoon.

Is creating a new replica reusing an old replica's name a supported thing?
My replica is automatically provisioned, so it's appealing to me to rebuild
it if there's any problem with it, but having to change its name is a chore
(replica names should not be important, but some software does not seem to
behave correctly). I'm not sure of what's the good practice here.

In any case, I will try to also create a second replica with a different
name to see if the problem is caused by reusing the name.

On Tue, Nov 6, 2018 at 1:25 AM Fraser Tweedale  wrote:

> On Mon, Nov 05, 2018 at 09:48:40PM +0100, Alex Corcoles via FreeIPA-users
> wrote:
> > Might this be related to:
> >
> > https://pagure.io/freeipa/issue/7654
> >
> > Maybe?
> >
> Possibly.  Need the HTTP access log, the Dogtag access log
> (/var/log/pki/pki-tomcat/localhost_access_log.txt) and the Dogtag
> debug log (/var/log/pki/pki-tomcat/ca/debug) from the master being
> contacted (ovh1.pdp7.net) to analyse further.
>
> Cheers,
> Fraser
>


-- 
   ___
 {~._.~}
  ( Y )
 ()~*~()  mail: alex at corcoles dot net
 (_)-(_)  http://alex.corcoles.net/


[Freeipa-users] Re: Issues installing replica

2018-11-05 Thread Fraser Tweedale via FreeIPA-users
On Mon, Nov 05, 2018 at 09:48:40PM +0100, Alex Corcoles via FreeIPA-users wrote:
> Might this be related to:
> 
> https://pagure.io/freeipa/issue/7654
> 
> Maybe?
>
Possibly.  Need the HTTP access log, the Dogtag access log
(/var/log/pki/pki-tomcat/localhost_access_log.txt) and the Dogtag
debug log (/var/log/pki/pki-tomcat/ca/debug) from the master being
contacted (ovh1.pdp7.net) to analyse further.

Cheers,
Fraser


[Freeipa-users] Re: Issues installing replica

2018-11-05 Thread Alex Corcoles via FreeIPA-users
Might this be related to:

https://pagure.io/freeipa/issue/7654

Maybe?
-- 
   ___
 {~._.~}
  ( Y )
 ()~*~()  mail: alex at corcoles dot net
 (_)-(_)  http://alex.corcoles.net/