<p dir="ltr">Thank you!<br>
Dodgig the dogtag guys, then ;-)</p>
<br><div class="gmail_quote"><div dir="ltr">Il giorno Gio 11 Feb 2016 13:26 Martin Basti <<a href="mailto:mbasti@redhat.com">mbasti@redhat.com</a>> ha scritto:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<br>
<br>
<div>On 11.02.2016 12:51, Quasar wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_default" style="font-family:verdana,sans-serif">Martin,<br>
<br>
</div>
<div class="gmail_default" style="font-family:verdana,sans-serif">I've re-tested the
replica with a freshly-installed CentOS 7 (1511).<br>
</div>
<div class="gmail_default" style="font-family:verdana,sans-serif">Installation still
fails (damn!) and the log is a bit more verbose. I suppose it
has something to do with certificate in my master server
proably due to incremental updates did in the past.<br>
<br>
</div>
<div class="gmail_default" style="font-family:verdana,sans-serif"><span style="font-family:monospace,monospace">2016-02-11T11:09:21Z
DEBUG Starting external process<br>
2016-02-11T11:09:21Z DEBUG args='/usr/sbin/pkispawn' '-s'
'CA' '-f' '/tmp/tmpRHosRn'<br>
2016-02-11T11:10:58Z DEBUG Process finished, return code=1<br>
2016-02-11T11:10:58Z DEBUG stdout=Log file:
/var/log/pki/pki-ca-spawn.20160211120921.log<br>
Loading deployment configuration from /tmp/tmpRHosRn.<br>
Installing CA into /var/lib/pki/pki-tomcat.<br>
Storing deployment configuration into
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.<br>
<br>
Installation failed.<br>
<br>
<br>
2016-02-11T11:10:58Z DEBUG
stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
InsecureRequestWarning: Unverified HTTPS request is being
made. Adding certificate verification is strongly advised.
See: <a href="https://urllib3.readthedocs.org/en/latest/security.html" target="_blank">https://urllib3.readthedocs.org/en/latest/security.html</a><br>
InsecureRequestWarning)<br>
pkispawn : WARNING ....... unable to validate security
domain user/password through REST interface. Interface not
available<br>
pkispawn : ERROR ....... Exception from Java
Configuration Servlet: 500 Server Error: Internal Server
Error<br>
pkispawn : ERROR ....... ParseError: not well-formed
(invalid token): line 1, column 0:
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error
while updating security domain: java.io.IOException: 2"} <br>
<br>
2016-02-11T11:10:58Z CRITICAL Failed to configure CA
instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f'
'/tmp/tmpRHosRn'' returned non-zero exit status 1<br>
2016-02-11T11:10:58Z CRITICAL See the installation logs and
the following files/directories for more information:<br>
2016-02-11T11:10:58Z CRITICAL /var/log/pki-ca-install.log<br>
2016-02-11T11:10:58Z CRITICAL /var/log/pki/pki-tomcat<br>
2016-02-11T11:10:58Z DEBUG Traceback (most recent call
last):<br>
File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 418, in start_creation<br>
run_step(full_msg, method)<br>
File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 408, in run_step<br>
method()<br>
File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 620, in __spawn_instance<br>
DogtagInstance.spawn_instance(self, cfg_file)<br>
File
"/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 201, in spawn_instance<br>
self.handle_setup_error(e)<br>
File
"/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 465, in handle_setup_error<br>
raise RuntimeError("%s configuration failed." %
self.subsystem)<br>
RuntimeError: CA configuration failed.</span><br>
<br>
<div class="gmail_default" style="font-family:verdana,sans-serif">I'm attaching the 3
log files, as usual:<br>
</div>
<br>
<br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Feb 11, 2016 at 11:28 AM,
Quasar <span dir="ltr"><<a href="mailto:quasar7@gmail.com" target="_blank">quasar7@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div class="gmail_default" style="font-family:verdana,sans-serif">Hi Martin,<br>
<br>
</div>
<div class="gmail_default" style="font-family:verdana,sans-serif">first of all
thanks for taking some time to read and provide
feedback, much appreciated.<br>
<br>
</div>
<div class="gmail_default" style="font-family:verdana,sans-serif">I firstly tried
with CentOS 7.x (build 1511) but got the same errore
during CA configuration. Then I supposed I had to
upgrade step-by-step, from 3.0 to 3.3 (instead of 3.0 to
4.x) and used Fedora 23, 20, 19 and 18 but with no luck.<br>
</div>
<div class="gmail_default" style="font-family:verdana,sans-serif">If you need the
exact log from CentOS 7.x migration I can provide them
to you.<br>
<br>
</div>
<div class="gmail_default" style="font-family:verdana,sans-serif">About the debug
log file, it was attached and these are the final lines
containing the error:<br>
<br>
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]:
getDomainXML: domainInfo=<?xml version="1.0"
encoding="UTF-8"
standalone="no"?><DomainInfo><Name>IPA</Name><CAList><CA><Host>ipaserver.it.fx.lan</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><UnSecurePort>80</UnSecurePort><Clone>FALSE</Clone><SubsystemName>pki-cad</SubsystemName><DomainManager>TRUE</DomainManager></CA><CA><Host>ipaserver-ha.it.fx.lan</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><UnSecurePort>80</UnSecurePort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><DomainManager>TRUE</DomainManager><Clone>TRUE</Clone><SubsystemName>pki-cad</SubsystemName></CA><SubsystemCount>2&l!
t;/Subsyst
emCount></CAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><RAList><SubsystemCount>0</SubsystemCount></RAList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo><br>
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: Cloning a
domain master<br>
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]:
WizardPanelBase updateDomainXML start
hostname=ipaserver.it.fx.lan port=443<br>
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]:
updateSecurityDomain: failed to update security domain
using admin port 443: org.xml.sax.SAXParseException;
lineNumber: 1; columnNumber: 50; White spaces are
required between publicId and systemId.<br>
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]:
updateSecurityDomain: now trying agent port with client
auth<br>
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]:
WizardPanelBase updateDomainXML start
hostname=ipaserver.it.fx.lan port=443<br>
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]:
updateDomainXML() nickname=subsystemCert cert-pki-ca<br>
[09/Feb/2016:15:31:43][http-bio-8443-exec-3]:
WizardPanelBase updateDomainXML: status=1<span><font color="#888888"><br>
</font></span></div>
<span><font color="#888888">
<div class="gmail_extra"><br>
<br clear="all">
<br>
-- <br>
<div>
<div dir="ltr"><span style="font-family:verdana,sans-serif">Giuseppe
Calignano</span><br>
</div>
</div>
</div>
</font></span></div>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<div>
<div dir="ltr"><span style="font-family:verdana,sans-serif">Giuseppe
Calignano</span><br>
</div>
</div>
</div>
</blockquote>
<br>
I'm not sure but it looks like the known bug in dogtag 9 and 10
compatibility (I will try to find related bugzillas).<br>
This should be already fixed in RHEL, so I do not know when it will
hit CentOS or if it is already there.<br>
<br>
<span style="font-family:monospace,monospace">pkispawn : WARNING
....... unable to validate security domain user/password through
REST interface. Interface not available<br>
pkispawn : ERROR ....... Exception from Java Configuration
Servlet: 500 Server Error: Internal Server Error<br>
pkispawn : ERROR ....... ParseError: not well-formed
(invalid token): line 1, column 0:
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error
while updating security domain: java.io.IOException: 2"} </span><br>
<br>
But I might be wrong, Dogtag guys can you look at it please? :-)</div><div text="#000000" bgcolor="#FFFFFF"><br>
<br>
Martin<br>
</div></blockquote></div>