<div dir="ltr">I reran the replica-install and interrupted the script to set debug=1. The debug log didn't change very much at startup since the failure seems to occur already in the pre-start selftest. So it is still the same "java.lang.Exception: SystemCertsVerification: system certs verification failure"<div><br></div><div><div>[04/Feb/2016:13:19:45][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Success][CertNickName=auditSigningCert cert-pki-ca] CIMC certificate verification</div><div><br></div><div>java.lang.Exception: SystemCertsVerification: system certs verification failure</div><div>        at com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:198)</div><div>        at com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:861)</div><div>        at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1797)</div><div>        at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1701)</div><div>        at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1148)</div><div>        at com.netscape.certsrv.apps.CMS.startup(CMS.java:200)</div><div>        at com.netscape.certsrv.apps.CMS.start(CMS.java:1602)</div><div>        at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)</div><div>        at javax.servlet.GenericServlet.init(GenericServlet.java:158)</div><div>        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)</div><div>        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)</div><div>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)</div><div>        at java.lang.reflect.Method.invoke(Method.java:497)</div><div>        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)</div><div>        at 
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)</div><div>        at java.security.AccessController.doPrivileged(Native Method)</div><div>        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)</div><div>        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)</div><div>        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)</div><div>        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)</div><div>        at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)</div><div>        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)</div><div>        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)</div><div>        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)</div><div>        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)</div><div>        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)</div><div>        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)</div><div>        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)</div><div>        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)</div><div>        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)</div><div>        at java.security.AccessController.doPrivileged(Native Method)</div><div>        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)</div><div>        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)</div><div>        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)</div><div>        at 
org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)</div><div>        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)</div><div>        at java.util.concurrent.FutureTask.run(FutureTask.java:266)</div><div>        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)</div><div>        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)</div><div>        at java.lang.Thread.run(Thread.java:745)</div><div>[04/Feb/2016:13:19:45][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] self tests execution (see selftests.log for details)</div></div><div><br></div><div>Where can I manually check the certificates that were imported from the existing master?</div><div><br></div><div>-rob</div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, 2 Feb 2016 at 11:20 Martin Kosek <<a href="mailto:mkosek@redhat.com">mkosek@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 02/02/2016 11:51 AM, Robert van Veelen wrote:<br>
> Unfortunately not. I saw that thread and grabbed the patch and updated spec<br>
> to give it a try. Same issue.<br>
> cheers,<br>
<br>
Ah, pity. Let me CC Endi in this thread then. I suspect he will be interested<br>
in the same log files as in the referred thread.<br>
<br>
> On Tue, 2 Feb 2016 at 08:46 Martin Kosek <<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>> wrote:<br>
><br>
>> On 02/02/2016 02:18 AM, Robert van Veelen wrote:<br>
>>> Hi,<br>
>>> I'm trying to create an ipa replica from<br>
>>> ipa-server-3.0.0-47/pki-ca-9.0.3-45 to<br>
>> ipa-server-4.2.0-15/pki-ca-10.2.5-6<br>
>>> and cannot get the install to complete. The CS is configured as a sub to<br>
>> an<br>
>>> external CA. I keep getting the same error when running the<br>
>>> replica-install. Digging into pki-ca's debug log, I find the following<br>
>>> errors:<br>
>>><br>
>>>  java.lang.Exception: SystemCertsVerification: system certs verification<br>
>>> failure<br>
>>> &<br>
>>>  CertUtils: verifySystemCertByNickname() failed: caSigningCert<br>
>> cert-pki-ca<br>
>>><br>
>>> I've tried regenerating the source cacert.p12, upgrading pki-ca to<br>
>> latest,<br>
>>> etc. It just seems like the new replica is unable to verify the certs<br>
>> while<br>
>>> running selftests. Any good tips for a next step to work out what's going<br>
>> on?<br>
>>><br>
>>> Thanks,<br>
>>><br>
>>> -rob<br>
>><br>
>> Can this be the same problem as answered by Endi here:<br>
>> <a href="https://www.redhat.com/archives/freeipa-users/2016-January/msg00564.html" rel="noreferrer" target="_blank">https://www.redhat.com/archives/freeipa-users/2016-January/msg00564.html</a><br>
>> ?<br>
>><br>
>><br>
><br>
<br>
</blockquote></div>