[Freeipa-users] RHEL 7 Upgrade experience so far

Ade Lee alee at redhat.com
Tue Aug 5 13:25:22 UTC 2014


On Tue, 2014-08-05 at 09:08 +0200, Martin Kosek wrote:
> On 08/05/2014 12:03 AM, Erinn Looney-Triggs wrote:
> > On 08/04/2014 01:51 PM, Ade Lee wrote:
> >> OK - I suspect you may be running into an issue with serial number 
> >> generation.  Each time we install a clone, we end up allocating a new 
> >> range of serial numbers for the clone.
> > 
> >> The idea is to keep separate ranges for each CA replica so that no two 
> >> replicas can issue certs with the same serial number.
> > 
> >> The problem is that you've probably retried the install a whole bunch
> >> of times and now perhaps the serial number range is too high.
> > 
> >> This is just a guess - but you can see what ranges have been assigned
> >> by looking in :
> > 
> >> 1. ou=ranges, o=ipaca (on the master directory server)
> >> 2. CS.cfg for the master (look for the attributes dbs.*)
> >> 3. The value of the attribute nextRange on ou=certificateRepository, o=ipaca and
> >>    ou=Requests, o=ipaca
> > 
> >> Please send me that info, and I'll explain how to clean that up.
> > 
> >> Ade
> > 
> >> On Mon, 2014-08-04 at 12:10 -0700, Erinn Looney-Triggs wrote:
> >>> On 08/04/2014 11:48 AM, Ade Lee wrote:
> >>>> OK - so it's not really even getting started on the install. My
> >>>> guess is there is some cruft from previous installs/uninstalls that
> >>>> was not cleaned up.  Is there anything in the directory server logs
> >>>> on the RHEL7 machine? What operation is being attempted that the
> >>>> server is refusing to perform?
> >>>> 
> >>>> Ade
> >>>> 
> >>> 
> >>> Ok, I moved on past this issue. The problem was that minssf was set to 56 on
> >>> the RHEL 7 dirsrv instance; setting it to 0 resolved this issue.
> >>> Thanks for having me check the dir on the RHEL 7 instance; I was
> >>> assuming it was hitting against the RHEL 6.5 instance and was finding
> >>> basically nothing there.
> >>> 
> >>> 
> >>> This run looks like it pulled a lot more information in but it still 
> >>> errored out.
> >>> 
> >>> ipa         : DEBUG    stderr=pkispawn    : WARNING  ....... unable to validate security domain user/password through REST interface. Interface not available
> >>> pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: Error in confguring system certificatesjava.security.cert.CertificateException: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=127, too big.
> >>> 
> >>> ipa         : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpbTnSRM' returned non-zero exit status 1
> >>> 
> >>> From the /var/log/pki/pki-tomcat/ca/debug log on the RHEL 7 instance:
> >>> 
> >>> [04/Aug/2014:19:02:36][http-bio-8443-exec-3]: initializing with mininum 3 and maximum 15 connections to host ipa2.abaqis.com port 389, secure connection, false, authentication type 1
> >>> [04/Aug/2014:19:02:36][http-bio-8443-exec-3]: increasing minimum connections by 3
> >>> [04/Aug/2014:19:02:36][http-bio-8443-exec-3]: new total available connections 3
> >>> [04/Aug/2014:19:02:36][http-bio-8443-exec-3]: new number of connections 3
> >>> [04/Aug/2014:19:02:36][http-bio-8443-exec-3]: In LdapBoundConnFactory::getConn()
> >>> [04/Aug/2014:19:02:36][http-bio-8443-exec-3]: masterConn is connected: true
> >>> [04/Aug/2014:19:02:36][http-bio-8443-exec-3]: getConn: conn is connected true
> >>> [04/Aug/2014:19:02:36][http-bio-8443-exec-3]: getConn: mNumConns now 2
> >>> [04/Aug/2014:19:02:36][http-bio-8443-exec-3]: importLDIFS: param=preop.internaldb.post_ldif
> >>> [04/Aug/2014:19:02:36][http-bio-8443-exec-3]: importLDIFS(): ldif file = /usr/share/pki/ca/conf/vlv.ldif
> >>> [04/Aug/2014:19:02:36][http-bio-8443-exec-3]: importLDIFS(): ldif file copy to /var/lib/pki/pki-tomcat/ca/conf/vlv.ldif
> >>> [04/Aug/2014:19:02:37][http-bio-8443-exec-3]: importLDIFS(): LDAP Errors in importing /var/lib/pki/pki-tomcat/ca/conf/vlv.ldif
> >>> [04/Aug/2014:19:02:37][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in adding entry cn=allCerts-pki-tomcat, cn=ipaca, cn=ldbm database, cn=plugins, cn=config:netscape.ldap.LDAPException: error result (32); matchedDN = o=ipaca
> >>> 
> >>> [04/Aug/2014:19:02:37][http-bio-8443-exec-3]: LDAPUtil:importLDIF: 
> >>> exception in adding entry cn=allExpiredCerts-pki-tomcat, cn=ipaca, 
> >>> cn=ldbm database, cn=plugins, cn=config:netscape.ldap.LDAPException: 
> >>> error result (32); matchedDN = o=ipaca
> >>> 
> >>> [04/Aug/2014:19:02:37][http-bio-8443-exec-3]: LDAPUtil:importLDIF: 
> >>> exception in adding entry cn=allInvalidCerts-pki-tomcat, cn=ipaca, 
> >>> cn=ldbm database, cn=plugins, cn=config:netscape.ldap.LDAPException: 
> >>> error result (32); matchedDN = o=ipaca
> >>> 
> >>> [04/Aug/2014:19:02:37][http-bio-8443-exec-3]: LDAPUtil:importLDIF: 
> >>> exception in adding entry cn=allInValidCertsNotBefore-pki-tomcat, 
> >>> cn=ipaca, cn=ldbm database, cn=plugins, 
> >>> cn=config:netscape.ldap.LDAPException: error result (32); matchedDN = 
> >>> o=ipaca
> >>> 
> >>> [04/Aug/2014:19:02:37][http-bio-8443-exec-3]: LDAPUtil:importLDIF: 
> >>> exception in adding entry cn=allNonRevokedCerts-pki-tomcat, cn=ipaca, 
> >>> cn=ldbm database, cn=plugins, cn=config:netscape.ldap.LDAPException: 
> >>> error result (32); matchedDN = o=ipaca
> >>> 
> >>> [04/Aug/2014:19:02:37][http-bio-8443-exec-3]: LDAPUtil:importLDIF: 
> >>> exception in adding entry cn=allRevokedCaCerts-pki-tomcat, cn=ipaca, 
> >>> cn=ldbm database, cn=plugins, cn=config:netscape.ldap.LDAPException: 
> >>> error result (32); matchedDN = o=ipaca
> >>> 
> >>> [04/Aug/2014:19:02:37][http-bio-8443-exec-3]: LDAPUtil:importLDIF: 
> >>> exception in adding entry cn=allRevokedCerts-pki-tomcat, cn=ipaca, 
> >>> cn=ldbm database, cn=plugins, cn=config:netscape.ldap.LDAPException: 
> >>> error result (32); matchedDN = o=ipaca
> >>> 
> >>> [04/Aug/2014:19:02:37][http-bio-8443-exec-3]: LDAPUtil:importLDIF: 
> >>> exception in adding entry cn=allRevokedCertsNotAfter-pki-tomcat, 
> >>> cn=ipaca, cn=ldbm database, cn=plugins, 
> >>> cn=config:netscape.ldap.LDAPException: error result (32); matchedDN = 
> >>> o=ipaca
> >>> 
> >>> [04/Aug/2014:19:02:37][http-bio-8443-exec-3]: LDAPUtil:importLDIF: 
> >>> exception in adding entry cn=allRevokedExpiredCerts-pki-tomcat, 
> >>> cn=ipaca, cn=ldbm database, cn=plugins, 
> >>> cn=config:netscape.ldap.LDAPException: error result (32); matchedDN = 
> >>> o=ipaca
> >>> 
> >>> [04/Aug/2014:19:02:37][http-bio-8443-exec-3]: LDAPUtil:importLDIF: 
> >>> exception in adding entry 
> >>> cn=allRevokedOrRevokedExpiredCaCerts-pki-tomcat, cn=ipaca, cn=ldbm 
> >>> database, cn=plugins, cn=config:netscape.ldap.LDAPException: error 
> >>> result (32); matchedDN = o=ipaca
> >>> 
> >>> [04/Aug/2014:19:02:37][http-bio-8443-exec-3]: LDAPUtil:importLDIF: 
> >>> exception in adding entry 
> >>> cn=allRevokedOrRevokedExpiredCerts-pki-tomcat, cn=ipaca, cn=ldbm 
> >>> database, cn=plugins, cn=config:netscape.ldap.LDAPException: error 
> >>> result (32); matchedDN = o=ipaca
> >>> 
> >>> [04/Aug/2014:19:02:37][http-bio-8443-exec-3]: LDAPUtil:importLDIF: 
> >>> exception in adding entry cn=allValidCerts-pki-tomcat, cn=ipaca, 
> >>> cn=ldbm database, cn=plugins, cn=config:netscape.ldap.LDAPException: 
> >>> error result (32); matchedDN = o=ipaca
> >>> 
> >>> [04/Aug/2014:19:02:37][http-bio-8443-exec-3]: LDAPUtil:importLDIF: 
> >>> exception in adding entry cn=allValidCertsNotAfter-pki-tomcat, 
> >>> cn=ipaca, cn=ldbm database, cn=plugins, 
> >>> cn=config:netscape.ldap.LDAPException: error result (32); matchedDN = 
> >>> o=ipaca
> >>> 
> >>> [04/Aug/2014:19:02:37][http-bio-8443-exec-3]: LDAPUtil:importLDIF: 
> >>> exception in adding entry cn=allValidOrRevokedCerts-pki-tomcat, 
> >>> cn=ipaca, cn=ldbm database, cn=plugins, 
> >>> cn=config:netscape.ldap.LDAPException: error result (32); matchedDN = 
> >>> o=ipaca
> >>> 
> >>> [04/Aug/2014:19:02:37][http-bio-8443-exec-3]: LDAPUtil:importLDIF: 
> >>> exception in adding entry cn=caAll-pki-tomcat, cn=ipaca, cn=ldbm 
> >>> database, cn=plugins, cn=config:netscape.ldap.LDAPException: error 
> >>> result (32); matchedDN = o=ipaca
> >>> 
> >>> [04/Aug/2014:19:02:37][http-bio-8443-exec-3]: LDAPUtil:importLDIF: 
> >>> exception in adding entry cn=caCanceled-pki-tomcat, cn=ipaca, cn=ldbm 
> >>> database, cn=plugins, cn=config:netscape.ldap.LDAPException: error 
> >>> result (32); matchedDN = o=ipaca
> >>> 
> >>> [04/Aug/2014:19:02:37][http-bio-8443-exec-3]: LDAPUtil:importLDIF: 
> >>> exception in adding entry cn=caCanceledEnrollment-pki-tomcat, 
> >>> cn=ipaca, cn=ldbm database, cn=plugins, 
> >>> cn=config:netscape.ldap.LDAPException: error result (32); matchedDN = 
> >>> o=ipaca
> >>> 
> >>> [04/Aug/2014:19:02:37][http-bio-8443-exec-3]: LDAPUtil:importLDIF: 
> >>> exception in adding entry cn=caCanceledRenewal-pki-tomcat, cn=ipaca, 
> >>> cn=ldbm database, cn=plugins, cn=config:netscape.ldap.LDAPException: 
> >>> error result (32); matchedDN = o=ipaca
> >>> 
> >>> [04/Aug/2014:19:02:37][http-bio-8443-exec-3]: LDAPUtil:importLDIF: 
> >>> exception in adding entry cn=caCanceledRevocation-pki-tomcat, 
> >>> cn=ipaca, cn=ldbm database, cn=plugins, 
> >>> cn=config:netscape.ldap.LDAPException: error result (32); matchedDN = 
> >>> o=ipaca
> >>> 
> >>> [04/Aug/2014:19:02:37][http-bio-8443-exec-3]: LDAPUtil:importLDIF: 
> >>> exception in adding entry cn=caComplete-pki-tomcat, cn=ipaca, cn=ldbm 
> >>> database, cn=plugins, cn=config:netscape.ldap.LDAPException: error 
> >>> result (32); matchedDN = o=ipaca
> >>> 
> >>> [04/Aug/2014:19:02:37][http-bio-8443-exec-3]: LDAPUtil:importLDIF: 
> >>> exception in adding entry cn=caCompleteEnrollment-pki-tomcat, 
> >>> cn=ipaca, cn=ldbm database, cn=plugins, 
> >>> cn=config:netscape.ldap.LDAPException: error result (32); matchedDN = 
> >>> o=ipaca
> >>> 
> >>> [04/Aug/2014:19:02:37][http-bio-8443-exec-3]: LDAPUtil:importLDIF: 
> >>> exception in adding entry cn=caCompleteRenewal-pki-tomcat, cn=ipaca, 
> >>> cn=ldbm database, cn=plugins, cn=config:netscape.ldap.LDAPException: 
> >>> error result (32); matchedDN = o=ipaca
> >>> 
> >>> [04/Aug/2014:19:02:37][http-bio-8443-exec-3]: LDAPUtil:importLDIF: 
> >>> exception in adding entry cn=caCompleteRevocation-pki-tomcat, 
> >>> cn=ipaca, cn=ldbm database, cn=plugins, 
> >>> cn=config:netscape.ldap.LDAPException: error result (32); matchedDN = 
> >>> o=ipaca
> >>> 
> >>> [04/Aug/2014:19:02:37][http-bio-8443-exec-3]: LDAPUtil:importLDIF: 
> >>> exception in adding entry cn=caEnrollment-pki-tomcat, cn=ipaca, 
> >>> cn=ldbm database, cn=plugins, cn=config:netscape.ldap.LDAPException: 
> >>> error result (32); matchedDN = o=ipaca
> >>> 
> >>> [04/Aug/2014:19:02:37][http-bio-8443-exec-3]: LDAPUtil:importLDIF: 
> >>> exception in adding entry cn=caPending-pki-tomcat, cn=ipaca, cn=ldbm 
> >>> database, cn=plugins, cn=config:netscape.ldap.LDAPException: error 
> >>> result (32); matchedDN = o=ipaca
> >>> 
> >>> [04/Aug/2014:19:02:37][http-bio-8443-exec-3]: LDAPUtil:importLDIF: 
> >>> exception in adding entry cn=caPendingEnrollment-pki-tomcat,
> >>> cn=ipaca, cn=ldbm database, cn=plugins,
> >>> cn=config:netscape.ldap.LDAPException: error result (32); matchedDN =
> >>> o=ipaca
> >>> 
> >>> [04/Aug/2014:19:02:37][http-bio-8443-exec-3]: LDAPUtil:importLDIF: 
> >>> exception in adding entry cn=caPendingRenewal-pki-tomcat, cn=ipaca, 
> >>> cn=ldbm database, cn=plugins, cn=config:netscape.ldap.LDAPException: 
> >>> error result (32); matchedDN = o=ipaca
> >>> 
> >>> [04/Aug/2014:19:02:37][http-bio-8443-exec-3]: LDAPUtil:importLDIF: 
> >>> exception in adding entry cn=caPendingRevocation-pki-tomcat,
> >>> cn=ipaca, cn=ldbm database, cn=plugins,
> >>> cn=config:netscape.ldap.LDAPException: error result (32); matchedDN =
> >>> o=ipaca
> >>> 
> >>> [04/Aug/2014:19:02:37][http-bio-8443-exec-3]: LDAPUtil:importLDIF: 
> >>> exception in adding entry cn=caRejected-pki-tomcat, cn=ipaca, cn=ldbm 
> >>> database, cn=plugins, cn=config:netscape.ldap.LDAPException: error 
> >>> result (32); matchedDN = o=ipaca
> >>> 
> >>> [04/Aug/2014:19:02:37][http-bio-8443-exec-3]: LDAPUtil:importLDIF: 
> >>> exception in adding entry cn=caRejectedEnrollment-pki-tomcat, 
> >>> cn=ipaca, cn=ldbm database, cn=plugins, 
> >>> cn=config:netscape.ldap.LDAPException: error result (32); matchedDN = 
> >>> o=ipaca
> >>> 
> >>> [04/Aug/2014:19:02:37][http-bio-8443-exec-3]: LDAPUtil:importLDIF: 
> >>> exception in adding entry cn=caRejectedRenewal-pki-tomcat, cn=ipaca, 
> >>> cn=ldbm database, cn=plugins, cn=config:netscape.ldap.LDAPException: 
> >>> error result (32); matchedDN = o=ipaca
> >>> 
> >>> [04/Aug/2014:19:02:37][http-bio-8443-exec-3]: LDAPUtil:importLDIF: 
> >>> exception in adding entry cn=caRejectedRevocation-pki-tomcat, 
> >>> cn=ipaca, cn=ldbm database, cn=plugins, 
> >>> cn=config:netscape.ldap.LDAPException: error result (32); matchedDN = 
> >>> o=ipaca
> >>> 
> >>> [04/Aug/2014:19:02:37][http-bio-8443-exec-3]: LDAPUtil:importLDIF: 
> >>> exception in adding entry cn=caRenewal-pki-tomcat, cn=ipaca, cn=ldbm 
> >>> database, cn=plugins, cn=config:netscape.ldap.LDAPException: error 
> >>> result (32); matchedDN = o=ipaca
> >>> 
> >>> [04/Aug/2014:19:02:37][http-bio-8443-exec-3]: LDAPUtil:importLDIF: 
> >>> exception in adding entry cn=caRevocation-pki-tomcat, cn=ipaca, 
> >>> cn=ldbm database, cn=plugins, cn=config:netscape.ldap.LDAPException: 
> >>> error result (32); matchedDN = o=ipaca
> >>> 
> >>> [04/Aug/2014:19:02:37][http-bio-8443-exec-3]: importLDIFS(): ldif file = /usr/share/pki/ca/conf/vlvtasks.ldif
> >>> [04/Aug/2014:19:02:37][http-bio-8443-exec-3]: importLDIFS(): ldif file copy to /var/lib/pki/pki-tomcat/ca/conf/vlvtasks.ldif
> >>> [04/Aug/2014:19:02:37][http-bio-8443-exec-3]: Checking wait_dn cn=index1160589769, cn=index, cn=tasks, cn=config
> >>> [04/Aug/2014:19:02:40][http-bio-8443-exec-3]: configCert: caType is local
> >>> [04/Aug/2014:19:02:40][http-bio-8443-exec-3]: NamePanel: updateConfig() for certTag sslserver
> >>> [04/Aug/2014:19:02:40][http-bio-8443-exec-3]: updateConfig() done
> >>> [04/Aug/2014:19:02:40][http-bio-8443-exec-3]: Creating local certificate... certTag=sslserver
> >>> [04/Aug/2014:19:02:40][http-bio-8443-exec-3]: In LdapBoundConnFactory::getConn()
> >>> [04/Aug/2014:19:02:40][http-bio-8443-exec-3]: masterConn is connected: true
> >>> [04/Aug/2014:19:02:40][http-bio-8443-exec-3]: getConn: conn is connected true
> >>> [04/Aug/2014:19:02:40][http-bio-8443-exec-3]: getConn: mNumConns now 2
> >>> [04/Aug/2014:19:02:40][http-bio-8443-exec-3]: Repository: getSerialNumber.
> >>> [04/Aug/2014:19:02:40][http-bio-8443-exec-3]: returnConn: mNumConns now 3
> >>> Record not found
> >>>     at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:179)
> >>>     at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:135)
> >>>     at com.netscape.cmscore.dbs.Repository.getSerialNumber(Repository.java:140)
> >>>     at com.netscape.cmscore.dbs.Repository.initCache(Repository.java:259)
> >>>     at com.netscape.cmscore.dbs.Repository.initCacheIfNeeded(Repository.java:331)
> >>>     at com.netscape.cmscore.dbs.CertificateRepository.getNextSerialNumber(CertificateRepository.java:261)
> >>>     at com.netscape.cms.servlet.csadmin.CertUtil.createLocalCert(CertUtil.java:391)
> >>>     at com.netscape.cms.servlet.csadmin.ConfigurationUtils.configCert(ConfigurationUtils.java:2323)
> >>>     at com.netscape.cms.servlet.csadmin.SystemConfigService.configure(SystemConfigService.java:517)
> >>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> >>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >>>     at java.lang.reflect.Method.invoke(Method.java:606)
> >>>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167)
> >>>     at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:257)
> >>>     at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:222)
> >>>     at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:211)
> >>>     at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542)
> >>>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524)
> >>>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126)
> >>>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
> >>>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
> >>>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
> >>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
> >>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> >>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >>>     at java.lang.reflect.Method.invoke(Method.java:606)
> >>>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
> >>>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
> >>>     at java.security.AccessController.doPrivileged(Native Method)
> >>>     at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
> >>>     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
> >>>     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
> >>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:299)
> >>>     at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:57)
> >>>     at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:193)
> >>>     at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:189)
> >>>     at java.security.AccessController.doPrivileged(Native Method)
> >>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
> >>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
> >>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
> >>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
> >>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
> >>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
> >>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
> >>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
> >>>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1024)
> >>>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
> >>>     at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
> >>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> >>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> >>>     at java.lang.Thread.run(Thread.java:745)
> >>> [04/Aug/2014:19:02:40][http-bio-8443-exec-3]: NamePanel configCert() exception caught:Record not found
> >>> [04/Aug/2014:19:02:40][http-bio-8443-exec-3]: NamePanel configCert: failed to add metainfo. Exception: java.lang.NullPointerException
> >>> [04/Aug/2014:19:02:40][http-bio-8443-exec-3]: In LdapBoundConnFactory::getConn()
> >>> [04/Aug/2014:19:02:40][http-bio-8443-exec-3]: masterConn is connected: true
> >>> [04/Aug/2014:19:02:40][http-bio-8443-exec-3]: getConn: conn is connected true
> >>> [04/Aug/2014:19:02:40][http-bio-8443-exec-3]: getConn: mNumConns now 2
> >>> [04/Aug/2014:19:02:40][http-bio-8443-exec-3]: returnConn: mNumConns now 3
> >>> [04/Aug/2014:19:02:40][http-bio-8443-exec-3]: NamePanel configCert: failed to add certificate record. Exception: java.lang.NullPointerException
> >>> [04/Aug/2014:19:02:40][http-bio-8443-exec-3]: NamePanel update: Exception: java.lang.NullPointerException
> >>> [04/Aug/2014:19:02:40][http-bio-8443-exec-3]: handleCertRequest: tag=sslserver
> >>> [04/Aug/2014:19:02:40][http-bio-8443-exec-3]: privKeyID=-45cf0bca8e8c04dc7904f4c273f6e3793185c997
> >>> [04/Aug/2014:19:02:40][http-bio-8443-exec-3]: handleCertRequest: created cert request
> >>> [04/Aug/2014:19:02:40][http-bio-8443-exec-3]: handleCerts(): for cert tag sslserver
> >>> 
> >>> 
> >>> 
> >>> And from catalina.out on the same system:
> >>> java.security.cert.CertificateException: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=127, too big.
> >>>     at netscape.security.x509.X509CertImpl.<init>(X509CertImpl.java:186)
> >>>     at netscape.security.x509.X509CertImpl.<init>(X509CertImpl.java:160)
> >>>     at com.netscape.cms.servlet.csadmin.ConfigurationUtils.handleCerts(ConfigurationUtils.java:2718)
> >>>     at com.netscape.cms.servlet.csadmin.SystemConfigService.configure(SystemConfigService.java:575)
> >>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> >>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >>>     at java.lang.reflect.Method.invoke(Method.java:606)
> >>>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167)
> >>>     at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:257)
> >>>     at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:222)
> >>>     at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:211)
> >>>     at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542)
> >>>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524)
> >>>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126)
> >>>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
> >>>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
> >>>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
> >>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
> >>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> >>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >>>     at java.lang.reflect.Method.invoke(Method.java:606)
> >>>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
> >>>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
> >>>     at java.security.AccessController.doPrivileged(Native Method)
> >>>     at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
> >>>     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
> >>>     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
> >>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:299)
> >>>     at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:57)
> >>>     at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:193)
> >>>     at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:189)
> >>>     at java.security.AccessController.doPrivileged(Native Method)
> >>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
> >>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
> >>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
> >>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
> >>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
> >>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
> >>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
> >>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
> >>>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1024)
> >>>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
> >>>     at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
> >>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> >>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> >>>     at java.lang.Thread.run(Thread.java:745)
> >>> 
> >>> And the last bit from pkispawn:
> >>> 2014-08-04 19:02:40 pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: Error in confguring system certificatesjava.security.cert.CertificateException: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=127, too big.
> >>> 2014-08-04 19:02:40 pkispawn    : DEBUG ....... Error Type: HTTPError
> >>> 2014-08-04 19:02:40 pkispawn    : DEBUG ....... Error Message: 500 Server Error: Internal Server Error
> >>> 2014-08-04 19:02:40 pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 374, in main
> >>>     rv = instance.spawn()
> >>>   File "/usr/lib/python2.7/site-packages/pki/deployment/configuration.py", line 128, in spawn
> >>>     json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
> >>>   File "/usr/lib/python2.7/site-packages/pki/deployment/pkihelper.py", line 2998, in configure_pki_data
> >>>     response = client.configure(data)
> >>>   File "/usr/lib/python2.7/site-packages/pki/system.py", line 80, in configure
> >>>     r = self.connection.post('/rest/installer/configure', data, headers)
> >>>   File "/usr/lib/python2.7/site-packages/pki/client.py", line 64, in post
> >>>     r.raise_for_status()
> >>>   File "/usr/lib/python2.7/site-packages/requests/models.py", line 638, in raise_for_status
> >>>     raise http_error
> >>> 
> >>> 
> >>> -Erinn
> > 
> > 
> > 
> > Here you go:
> > dbs.beginReplicaNumber=1
> > dbs.beginRequestNumber=1
> > dbs.beginSerialNumber=1
> > dbs.enableSerialManagement=true
> > dbs.endReplicaNumber=50
> > dbs.endRequestNumber=9900000
> > dbs.endSerialNumber=ff60000
> > dbs.ldap=internaldb
> > dbs.newSchemaEntryAdded=true
> > dbs.replicaCloneTransferNumber=5
> > dbs.replicaDN=ou=replica
> > dbs.replicaIncrement=100
> > dbs.replicaLowWaterMark=20
> > dbs.replicaRangeDN=ou=replica, ou=ranges
> > dbs.requestCloneTransferNumber=10000
> > dbs.requestDN=ou=ca, ou=requests
> > dbs.requestIncrement=10000000
> > dbs.requestLowWaterMark=2000000
> > dbs.requestRangeDN=ou=requests, ou=ranges
> > dbs.serialCloneTransferNumber=10000
> > dbs.serialDN=ou=certificateRepository, ou=ca
> > dbs.serialIncrement=10000000
> > dbs.serialLowWaterMark=2000000
> > dbs.serialRangeDN=ou=certificateRepository, ou=ranges
> > 

Erinn, I still need to see the ldap entries I mentioned above.
Those are actually the ones that will need to be changed.

> > Unfortunately, things seem to have gone further south on the RHEL 6.5 CA
> > instance now. This just seems to be my luck on this replica install. From
> > the debug of the ipa-ca-install:
> > ipa         : DEBUG    Starting external process
> > ipa         : DEBUG    args=/usr/sbin/pkispawn -s CA -f /tmp/tmp1G6jOw
> > ipa         : DEBUG    Process finished, return code=1
> > ipa         : DEBUG    stdout=Loading deployment configuration from /tmp/tmp1G6jOw.
> > ERROR:  Unable to access security domain: 404 Client Error: Not Found
> > 
> > ipa         : DEBUG    stderr=
> > ipa         : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp1G6jOw' returned non-zero exit status 1
> > 
> > I can see in the apache logs on the RHEL 6.5 instance it errors out:
> > [Mon Aug 04 21:06:02 2014] [error] [client 2001:4870:800e:301:862b:2bff:fe67:704d] File does not exist: /var/www/html/ca
> > 
> > This is supposed to be mapped via ajp to localhost:9447, which does appear
> > to be listening. Anyway, I am in the throes of that currently, but let me
> > know if those ranges are out of control big.
> > 
> > -Erinn
> 
Erinn, I'm a little confused.

Perhaps at this point, it would make sense for you to test out your 6.5
instance and confirm that it's working / can issue certs, etc.
Maybe a restart of IPA on that server could help right things.

> Could this be caused by https://bugzilla.redhat.com/show_bug.cgi?id=1083878?
> You could check access log to see what calls are being made by 7.0 replica.
> 
> This will be fixed in 6.6, I am afraid that for 6.5 you will have to do the
> update (adding "|^/ca/ee/ca/profileSubmit") yourself.
> 
> Martin
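The range bookkeeping Ade describes at the top of the thread (each clone install takes its own block of serial numbers, and repeated installs keep consuming blocks) can be modelled to see what a string of retried installs does to the master's next free range. The following is an added example and not Dogtag or FreeIPA code. It uses the dbs.* values Erinn posted for the master's CS.cfg and treats the dbs.serial* values as hexadecimal (the posted endSerialNumber of ff60000 can only be hex; applying the same radix to the other three is an assumption). The allocation policy is also a simplification: every install attempt carves dbs.serialCloneTransferNumber serials off the master's next free range and advances it, and a block handed to an attempt that was later retried is never reclaimed. The in-memory counters stand in for the LDAP entries under ou=ranges, o=ipaca and the nextRange attribute.

```python
"""
Simplified model of per-replica serial-number ranges (added example; not
Dogtag or FreeIPA code). Assumptions: dbs.serial* values are hexadecimal,
every clone install attempt consumes one transfer block from the master's
next free range, and blocks from retried attempts are never reclaimed.
"""

# Constructed from the dbs.* values quoted in the thread.
CS_CFG_DBS = """\
dbs.beginSerialNumber=1
dbs.endSerialNumber=ff60000
dbs.serialCloneTransferNumber=10000
dbs.serialIncrement=10000000
dbs.serialLowWaterMark=2000000
"""


def parse_cs_cfg(text):
    """Parse key=value lines (CS.cfg style) into a dict; blanks and comments ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


class SerialRanges:
    """Master-side bookkeeping: which install attempt owns which block of serials."""

    def __init__(self, cfg):
        self.begin = int(cfg["dbs.beginSerialNumber"], 16)
        self.end = int(cfg["dbs.endSerialNumber"], 16)
        self.transfer = int(cfg["dbs.serialCloneTransferNumber"], 16)
        self.next_range = self.begin   # stands in for nextRange on ou=certificateRepository
        self.blocks = []               # (replica, first, last) in allocation order

    def allocate(self, replica):
        """Carve the next block off the master's range for a clone install attempt."""
        first = self.next_range
        last = first + self.transfer - 1
        if last > self.end:
            raise RuntimeError("master serial range exhausted; cannot install another clone")
        self.blocks.append((replica, first, last))
        self.next_range = last + 1
        return first, last

    def installs_remaining(self):
        """How many more install attempts fit before the master range runs out."""
        return (self.end - self.next_range + 1) // self.transfer

    def overlapping_blocks(self):
        """Pairs of blocks sharing a serial; empty when the no-duplicate-serials invariant holds."""
        bad = []
        for i, (ra, a0, a1) in enumerate(self.blocks):
            for rb, b0, b1 in self.blocks[i + 1:]:
                if a0 <= b1 and b0 <= a1:
                    bad.append(((ra, a0, a1), (rb, b0, b1)))
        return bad

    def orphaned_blocks(self):
        """Blocks left behind by retried attempts: only the newest block per replica is live."""
        newest = {}
        for replica, first, last in self.blocks:
            newest[replica] = (first, last)
        return [(r, f, l) for r, f, l in self.blocks if newest[r] != (f, l)]


def simulate_retried_install(attempts, replica="ipa-rhel7"):
    """Run `attempts` install attempts of one clone and summarise the master's state."""
    ranges = SerialRanges(parse_cs_cfg(CS_CFG_DBS))
    for _ in range(attempts):
        ranges.allocate(replica)
    return {
        "next_range": ranges.next_range,
        "orphaned": len(ranges.orphaned_blocks()),
        "overlaps": len(ranges.overlapping_blocks()),
        "installs_remaining": ranges.installs_remaining(),
    }


if __name__ == "__main__":
    state = simulate_retried_install(5)
    print("nextRange after 5 attempts: 0x%x" % state["next_range"])
    print("orphaned blocks: %d, overlapping blocks: %d" % (state["orphaned"], state["overlaps"]))
    print("install attempts still possible: %d" % state["installs_remaining"])
```

Under these assumptions five attempts move nextRange to 0x50001 and leave four orphaned blocks, but the blocks never overlap and well over four thousand attempts fit below ff60000, so the retries alone would not exhaust the range; that is why the LDAP entries themselves, not the CS.cfg defaults, are what needs inspecting.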



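The catalina.out and pkispawn errors in the quoted logs both end in "DerInput.getLength(): lengthTag=127, too big." The decoder below is an added example, not the Dogtag or JDK parser, written to the same DER length rules so that the message can be read off a blob directly: a length is either one byte below 0x80, or a byte 0x80|n followed by n big-endian length bytes, and n is what the Java message calls lengthTag; n of 0 is BER's indefinite form and n above 4 is rejected as too big. A length byte of 0xff therefore yields lengthTag 127 (0xff & 0x7f), which means the bytes handed to the certificate parser were not DER at all. All sample blobs are constructed and none is a real certificate.

```python
"""
DER length decoding and a small certificate-blob diagnosis (added example;
modelled on the DER length rules, not taken from Dogtag or the JDK).
"""


def der_read_length(buf, pos):
    """Return (content_length, position_after_length) for the length field at buf[pos]."""
    if pos >= len(buf):
        raise ValueError("truncated: no length byte")
    first = buf[pos]
    if first < 0x80:                      # short form: the byte is the length
        return first, pos + 1
    length_tag = first & 0x7F             # long form: number of length bytes that follow
    if length_tag == 0:
        raise ValueError("indefinite length is BER, not DER")
    if length_tag > 4:                    # same limit the thread's Java error enforces
        raise ValueError("DerInput.getLength(): lengthTag=%d, too big." % length_tag)
    end = pos + 1 + length_tag
    if end > len(buf):
        raise ValueError("truncated: %d length bytes promised, %d present"
                         % (length_tag, len(buf) - pos - 1))
    return int.from_bytes(buf[pos + 1:end], "big"), end


def diagnose_cert_blob(blob):
    """Classify a blob that was handed to a DER certificate parser; returns a verdict string."""
    if not blob:
        return "empty"
    if blob[0] != 0x30:                   # a DER Certificate is an outer SEQUENCE
        return "not-a-sequence: first byte 0x%02x (a DER certificate starts with 0x30)" % blob[0]
    try:
        length, body = der_read_length(blob, 1)
    except ValueError as exc:
        return "bad-length: %s" % exc
    if body + length != len(blob):
        return "length-mismatch: header promises %d content bytes, %d present" % (length, len(blob) - body)
    return "ok: SEQUENCE of %d bytes" % length


# Constructed samples; none is a real certificate.
GOOD_HEADER = b"\x30\x82\x01\x0a" + b"\x00" * 0x10a   # SEQUENCE, 2 length bytes, 266 content bytes
FF_PADDED = b"\x30\xff\xff\xff"                       # length byte 0xff -> lengthTag 127
TRUNCATED = b"\x30\x82\x01"                           # promises 2 length bytes, only 1 present
PEM_TEXT = b"-----BEGIN CERTIFICATE-----\n"           # PEM text handed to a DER parser


if __name__ == "__main__":
    for name, blob in [("good", GOOD_HEADER), ("ff-padded", FF_PADDED),
                       ("truncated", TRUNCATED), ("pem", PEM_TEXT)]:
        print("%-10s -> %s" % (name, diagnose_cert_blob(blob)))
```

Run against whatever the installer fed into X509CertImpl (for instance a certificate value pulled from the configuration it was given), the verdict separates a genuinely oversized structure from the far more common case of non-DER input such as padding bytes, PEM text, or an empty value.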

