[Freeipa-users] 7.x replica install from 6.x master fails

Ott, Dennis Dennis.Ott at mckesson.com
Thu Apr 7 21:38:49 UTC 2016


It doesn't look like that is my problem. The output of pki-server ca-group-member-find "Subsystem Group" gives:


  User ID: CA-ptipa1.example.com-9443
  Common Name: CA-ptipa1.example.com-9443
  Surname: CA-ptipa1.example.com-9443
  Type: agentType
  Description: 2;4;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA Subsystem,O=EXAMPLE.COM
  E-mail:

All the certs seem valid:

# getcert list | grep expires
        expires: 2017-07-18 00:55:14 UTC
        expires: 2017-07-18 00:54:14 UTC
        expires: 2017-07-18 00:54:14 UTC
        expires: 2017-07-18 00:54:14 UTC
        expires: 2017-07-18 00:54:14 UTC
        expires: 2017-08-09 00:54:19 UTC
        expires: 2017-08-09 00:54:19 UTC
        expires: 2017-08-09 00:54:21 UTC
#

I was wondering if I might be hitting this:

https://fedorahosted.org/freeipa/ticket/5129
https://fedorahosted.org/pki/ticket/1495

It says it is fixed in pki 10.2.6. 10.2.6 has been released for Fedora (many months ago), but is not yet available for enterprise.

Dennis




-----Original Message-----
From: Petr Vobornik [mailto:pvoborni at redhat.com] 
Sent: Thursday, April 07, 2016 10:56 AM
To: Ott, Dennis; Freeipa-users at redhat.com
Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails

Sorry for the late response.

It looks like a bug http://cp.mcafee.com/d/1jWVIe4xAe3zqb3BXInd7b1EVdCQkkQnCkTTQjqaaqbParza9ISrdGSa_iBosKr7eLqaEF-waI47nQ7LQl8m7f2H3ab0Ggvhv5mtKqek4Q4hPEVwSrdCPpesRG9px1IyaiffTE-wjSvbVgDkMaA6Of08iAwsyCqekhP0US5LD4Qg1CF2IoiaCy0Qub6qAaNx85hZ0DI-nd7NJ5CZNPxI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
But it should be fixed in pki-core-9.0.3-45.el6_7 so I'm not sure.

Anyway,
java.io.IOException: 2 actually means authentication failure.

The authentication problem might be caused by a missing subsystem user (bug #1225589) and there's already a tool to restore it. However, before running the script, please run this command on the master to verify the problem:

$ pki-server ca-group-member-find "Subsystem Group"

Ideally it should return a user ID "CA-<hostname>-9443" and the description attribute should contain the subsystem certificate in this format "<version>;<serial>;<issuer DN>;<subject DN>".

If that's not the case, please run this tool to restore the subsystem user:

$ python /usr/share/pki/scripts/restore-subsystem-user.py

Then run this command again to verify the fix:

$ pki-server ca-group-member-find "Subsystem Group"

If everything works well, please try installing the replica again.

Also verify that all certificates in `getcert list` output are not expired.


On 03/31/2016 09:07 PM, Ott, Dennis wrote:
> Petr,
> 
> Original 6.x master installed at:
> 
> ipa-server-2.1.3-9
> 
> pki-ca-9.0.3-20
> 
> 
> At the time the migration was attempted, the 6.x master had been updated to:
> 
> ipa-server-3.0.0-47
> 
> pki-ca-9.0.3-45
> 
> 
> The 7.x replica install has been attempted using a variety of versions. The log excerpts at the beginning of this email were from an installation attempt using:
> 
> ipa-server-4.2.0-15.0.1
> 
> pki-ca-10.2.5-6
> 
> 
> It's a standard CA installation. This line is from /var/log/ipaserverinstall.log showing selfsign as False:
> 
> 2013-09-04T18:41:20Z DEBUG /usr/sbin/ipa-server-install was invoked with options: {'zone_refresh': 0, 'reverse_zone': None, 'realm_name': None, 'create_sshfp': True, 'conf_sshd': False, 'conf_ntp': False, 'subject': None, 'no_forwarders': False, 'persistent_search': True, 'ui_redirect': True, 'domain_name': None, 'idmax': 0, 'hbac_allow': True, 'no_reverse': False, 'dirsrv_pkcs12': None, 'unattended': False, 'selfsign': False, 'trust_sshfp': False, 'external_ca_file': None, 'no_host_dns': False, 'http_pkcs12': None, 'zone_notif': False, 'forwarders': None, 'idstart': 900000000, 'external_ca': False, 'ip_address': None, 'conf_ssh': False, 'serial_autoincrement': True, 'zonemgr': None, 'setup_dns': False, 'host_name': None, 'debug': False, 'external_cert_file': None, 'uninstall': False}
> 2013-09-04T18:41:20Z DEBUG missing options might be asked for interactively later
> 
> 
> -----Original Message-----
> From: Petr Vobornik [mailto:pvoborni at redhat.com]
> Sent: Tuesday, March 29, 2016 6:43 AM
> To: Ott, Dennis; Freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails
> 
> On 03/24/2016 04:29 PM, Ott, Dennis wrote:
>> I am trying to migrate from OS 6.x / IPA 3.0 to OS 7.x / IPA 4.x. 
>> After working through and solving a few issues, my current efforts 
>> fail when setting up the replica CA.
>>
>> If I set up a new, pristine master on OS 6.7, I am able to create an 
>> OS 7.x replica without any problem. However, if I try to create a 
>> replica from my two year old test lab instance (production will be 
>> another matter for the future) it fails. The test lab master was 
>> created a couple of years ago on OS 6.3 / IPA 2.x and has been 
>> upgraded to the latest versions in the 6.x chain. It is old enough to 
>> have had all the certificates renewed, but I believe I have worked through all the issues related to that.
>>
>> Below is what I believe are the useful portions of the pertinent logs. 
>> I’ve not been able to find anything online that speaks to the errors 
>> I am seeing
>>
>> Thanks for your help.
> 
> Hello Dennis,
> 
> what are the exact versions of pki-ca and ipa-server on the 6.x master and 7.x replica?
> 
> What kind of CA installation does the old 6.x master install have? Is it a standard installation with CA or does it also use an external CA?
> 
> I assume it is not self-sign (very old unsupported type, which could be converted in 7.x as CA-less).
> 
>>
>> /var/log/ipareplica-install.log
>>
>> 2016-03-23T21:55:11Z DEBUG Configuring certificate server (pki-tomcatd).
>> Estimated time: 3 minutes 30 seconds
>>
>> 2016-03-23T21:55:11Z DEBUG   [1/23]: creating certificate server user
>>
>> 2016-03-23T21:55:11Z DEBUG group pkiuser exists
>>
>> 2016-03-23T21:55:11Z DEBUG user pkiuser exists
>>
>> 2016-03-23T21:55:11Z DEBUG   duration: 0 seconds
>>
>> 2016-03-23T21:55:11Z DEBUG   [2/23]: configuring certificate server instance
>>
>> 2016-03-23T21:55:11Z DEBUG Loading StateFile from 
>> '/var/lib/ipa/sysrestore/sysrestore.state'
>>
>> 2016-03-23T21:55:11Z DEBUG Saving StateFile to 
>> '/var/lib/ipa/sysrestore/sysrestore.state'
>>
>> 2016-03-23T21:55:11Z DEBUG Contents of pkispawn configuration file (/tmp/tmpGQ59ZC):
>>
>> [CA]
>>
>> pki_security_domain_name = IPA
>>
>> pki_enable_proxy = True
>>
>> pki_restart_configured_instance = False
>>
>> pki_backup_keys = True
>>
>> pki_backup_password = XXXXXXXX
>>
>> pki_profiles_in_ldap = True
>>
>> pki_client_database_dir = /tmp/tmp-g0CKZ3
>>
>> pki_client_database_password = XXXXXXXX
>>
>> pki_client_database_purge = False
>>
>> pki_client_pkcs12_password = XXXXXXXX
>>
>> pki_admin_name = admin
>>
>> pki_admin_uid = admin
>>
>> pki_admin_email = root at localhost
>>
>> pki_admin_password = XXXXXXXX
>>
>> pki_admin_nickname = ipa-ca-agent
>>
>> pki_admin_subject_dn = cn=ipa-ca-agent,O=EXAMPLE.COM
>>
>> pki_client_admin_cert_p12 = /root/ca-agent.p12
>>
>> pki_ds_ldap_port = 389
>>
>> pki_ds_password = XXXXXXXX
>>
>> pki_ds_base_dn = o=ipaca
>>
>> pki_ds_database = ipaca
>>
>> pki_subsystem_subject_dn = cn=CA Subsystem,O=EXAMPLE.COM
>>
>> pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=EXAMPLE.COM
>>
>> pki_ssl_server_subject_dn = cn=pt-idm-vm01.example.com,O=EXAMPLE.COM
>>
>> pki_audit_signing_subject_dn = cn=CA Audit,O=EXAMPLE.COM
>>
>> pki_ca_signing_subject_dn = cn=Certificate Authority,O=EXAMPLE.COM
>>
>> pki_subsystem_nickname = subsystemCert cert-pki-ca
>>
>> pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
>>
>> pki_ssl_server_nickname = Server-Cert cert-pki-ca
>>
>> pki_audit_signing_nickname = auditSigningCert cert-pki-ca
>>
>> pki_ca_signing_nickname = caSigningCert cert-pki-ca
>>
>> pki_ca_signing_key_algorithm = SHA256withRSA
>>
>> pki_security_domain_hostname = ptipa1.example.com
>>
>> pki_security_domain_https_port = 443
>>
>> pki_security_domain_user = admin
>>
>> pki_security_domain_password = XXXXXXXX
>>
>> pki_clone = True
>>
>> pki_clone_pkcs12_path = /tmp/ca.p12
>>
>> pki_clone_pkcs12_password = XXXXXXXX
>>
>> pki_clone_replication_security = TLS
>>
>> pki_clone_replication_master_port = 7389
>>
>> pki_clone_replication_clone_port = 389
>>
>> pki_clone_replicate_schema = False
>>
>> pki_clone_uri = http://cp.mcafee.com/d/k-Kr6zqb3VEVjouhuodCQkkQnCkTTQjqaaqbParza9ISrdGSa_iBosKrKVXMGgog82KA1N1BeTyH93t5m7hOoHH3b8GOxvQd8e89K8CPpISr9PCJhbcmD9rkuYf21_YLxIbve9Ew3di5oMAld41EYmcR8lz2gazW1fpYKqfzqaabyr1I5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
>>
>> 2016-03-23T21:55:11Z DEBUG Starting external process
>>
>> 2016-03-23T21:55:11Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpGQ59ZC'
>>
>> 2016-03-23T21:56:51Z DEBUG Process finished, return code=1
>>
>> 2016-03-23T21:56:51Z DEBUG stdout=Log file:
>> /var/log/pki/pki-ca-spawn.20160323175511.log
>>
>> Loading deployment configuration from /tmp/tmpGQ59ZC.
>>
>> Installing CA into /var/lib/pki/pki-tomcat.
>>
>> Storing deployment configuration into 
>> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>>
>> Installation failed.
>>
>> 2016-03-23T21:56:51Z DEBUG
>> stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: http://cp.mcafee.com/d/5fHCNAi6hESyM-qekS7AnC3pJ55d5VBdZZ4SyyCyYOCUOyrdCPqJyLQFm7bCXKuYaA6420HF0sgpjJUGOgThlxQsCaWMOOaIEnZ3i3y2ry9ISrdCOsVHkiP6UDDO8cZ7ZgCjZ2JGs01PUovI_FfavpKcFBK1NIbve9Ew3di5oMAld41EYmcR8lz2gazW1fpYKqfzqaabyr1I5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
>>
>>     InsecureRequestWarning)
>>
>> pkispawn    : WARNING  ....... unable to validate security domain user/password
>> through REST interface. Interface not available
>>
>> pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: 500
>> Server Error: Internal Server Error
>>
>> pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token): line
>> 1, column 0:
>> {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error while updating security domain: java.io.IOException: 2"}
>>
>> 2016-03-23T21:56:51Z CRITICAL Failed to configure CA instance: 
>> Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpGQ59ZC'' 
>> returned non-zero exit status 1
>>
>> 2016-03-23T21:56:51Z CRITICAL See the installation logs and the 
>> following files/directories for more information:
>>
>> 2016-03-23T21:56:51Z CRITICAL   /var/log/pki-ca-install.log
>>
>> 2016-03-23T21:56:51Z CRITICAL   /var/log/pki/pki-tomcat
>>
>> 2016-03-23T21:56:51Z DEBUG Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
>>     run_step(full_msg, method)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
>>     method()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 620, in __spawn_instance
>>     DogtagInstance.spawn_instance(self, cfg_file)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
>>     self.handle_setup_error(e)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
>>     raise RuntimeError("%s configuration failed." % self.subsystem)
>> RuntimeError: CA configuration failed.
>>
>> 2016-03-23T21:56:51Z DEBUG   [error] RuntimeError: CA configuration failed.
>>
>> 2016-03-23T21:56:51Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>     return_value = self.run()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311, in run
>>     cfgr.run()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 281, in run
>>     self.execute()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 303, in execute
>>     for nothing in self._executor():
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
>>     self._handle_exception(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
>>     util.raise_exc_info(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
>>     step()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
>>     raise_exc_info(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
>>     value = gen.send(prev_value)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 524, in _configure
>>     executor.next()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
>>     self._handle_exception(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in _handle_exception
>>     self.__parent._handle_exception(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
>>     util.raise_exc_info(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in _handle_exception
>>     super(ComponentBase, self)._handle_exception(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
>>     util.raise_exc_info(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
>>     step()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
>>     raise_exc_info(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
>>     value = gen.send(prev_value)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
>>     for nothing in self._installer(self.parent):
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 879, in main
>>     install(self)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 295, in decorated
>>     func(installer)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 584, in install
>>     ca.install(False, config, options)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 106, in install
>>     install_step_0(standalone, replica_config, options)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 130, in install_step_0
>>     ra_p12=getattr(options, 'ra_p12', None))
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1543, in install_replica_ca
>>     subject_base=config.subject_base)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 486, in configure_instance
>>     self.start_creation(runtime=210)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
>>     run_step(full_msg, method)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
>>     method()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 620, in __spawn_instance
>>     DogtagInstance.spawn_instance(self, cfg_file)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
>>     self.handle_setup_error(e)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
>>     raise RuntimeError("%s configuration failed." % self.subsystem)
>>
>> 2016-03-23T21:56:51Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: CA configuration failed.
>>
>> 2016-03-23T21:56:51Z ERROR CA configuration failed.
>>
>> /var/log/pki/pki-ca-spawn.<date>.log
>>
>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... rm -f
>> /etc/pki/pki-tomcat/ca/noise
>>
>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... rm -f /etc/pki/pki-tomcat/pfile
>>
>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... ln -s /lib/systemd/system/pki-tomcatd@.service /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service
>>
>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chown -h 17:17 /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service
>>
>> 2016-03-23 17:55:12 pkispawn    : INFO     ... configuring
>> 'pki.server.deployment.scriptlets.configuration'
>>
>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... mkdir -p
>> /root/.dogtag/pki-tomcat/ca
>>
>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chmod 755
>> /root/.dogtag/pki-tomcat/ca
>>
>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chown 0:0
>> /root/.dogtag/pki-tomcat/ca
>>
>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... generating
>> '/root/.dogtag/pki-tomcat/ca/password.conf'
>>
>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... modifying
>> '/root/.dogtag/pki-tomcat/ca/password.conf'
>>
>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chmod 660
>> /root/.dogtag/pki-tomcat/ca/password.conf
>>
>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chown 0:0
>> /root/.dogtag/pki-tomcat/ca/password.conf
>>
>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... generating
>> '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
>>
>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... modifying
>> '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
>>
>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chmod 660
>> /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
>>
>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chown 17:17
>> /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
>>
>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... executing 'certutil -N -d
>> /tmp/tmp-g0CKZ3 -f /root/.dogtag/pki-tomcat/ca/password.conf'
>>
>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... executing 'systemctl
>> daemon-reload'
>>
>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... executing 'systemctl start pki-tomcatd@pki-tomcat.service'
>>
>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... No connection - server
>> may still be down
>>
>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... No connection - exception
>> thrown: ('Connection aborted.', error(111, 'Connection refused'))
>>
>> 2016-03-23 17:55:13 pkispawn    : DEBUG    ........... No connection - server
>> may still be down
>>
>> 2016-03-23 17:55:13 pkispawn    : DEBUG    ........... No connection - exception
>> thrown: ('Connection aborted.', error(111, 'Connection refused'))
>>
>> 2016-03-23 17:55:24 pkispawn    : DEBUG    ........... <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status>running</Status><Version>10.2.5-6.el7</Version></XMLResponse>
>>
>> 2016-03-23 17:55:25 pkispawn    : INFO     ....... constructing PKI
>> configuration data.
>>
>> 2016-03-23 17:55:25 pkispawn    : INFO     ....... configuring PKI configuration
>> data.
>>
>> 2016-03-23 17:56:51 pkispawn    : ERROR    ....... Exception from Java
>> Configuration Servlet: 500 Server Error: Internal Server Error
>>
>> 2016-03-23 17:56:51 pkispawn    : ERROR    ....... ParseError: not well-formed
>> (invalid token): line 1, column 0:
>> {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error while updating security domain: java.io.IOException: 2"}
>>
>> 2016-03-23 17:56:51 pkispawn    : DEBUG    ....... Error Type: ParseError
>>
>> 2016-03-23 17:56:51 pkispawn    : DEBUG    ....... Error Message: not
>> well-formed (invalid token): line 1, column 0
>>
>> 2016-03-23 17:56:51 pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 597, in main
>>     rv = instance.spawn(deployer)
>>   File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 116, in spawn
>>     json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
>>   File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3906, in configure_pki_data
>>     root = ET.fromstring(e.response.text)
>>   File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML
>>     parser.feed(text)
>>   File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed
>>     self._raiseerror(v)
>>   File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in _raiseerror
>>     raise err
>>
>> /var/log/pki/pki-tomcat/ca/debug
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password
>> ok: store in memory cache
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init ends
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before 
>> makeConnection errorIfDown is false
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: 
>> errorIfDown false
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP 
>> connection using basic authentication to host pt-idm-vm01.example.com 
>> port 389 as cn=Directory Manager
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with 
>> mininum 3 and maximum 15 connections to host pt-idm-vm01.example.com 
>> port 389, secure connection, false, authentication type 1
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum 
>> connections by 3
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available 
>> connections 3
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of 
>> connections 3
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In
>> LdapBoundConnFactory::getConn()
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: 
>> true
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is 
>> connected true
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now 
>> 2
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS:
>> param=preop.internaldb.manager_ldif
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif 
>> file = /usr/share/pki/server/conf/manager.ldif
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif 
>> file copy to /var/lib/pki/pki-tomcat/ca/conf/manager.ldif
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): LDAP 
>> Errors in importing /var/lib/pki/pki-tomcat/ca/conf/manager.ldif
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: 
>> exception in adding entry
>> ou=csusers,cn=config:netscape.ldap.LDAPException: error result (68)
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: 
>> exception in modifying entry o=ipaca:netscape.ldap.LDAPException: 
>> error result (20)
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: populateVLVIndexes(): 
>> start
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Creating
>> LdapBoundConnFactor(ConfigurationUtils)
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapBoundConnFactory: 
>> init
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: 
>> LdapBoundConnFactory:doCloning true
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init()
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init 
>> begins
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: 
>> prompt is internaldb
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: try 
>> getting from memory cache
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: got 
>> password from memory
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: 
>> password found for prompt.
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password
>> ok: store in memory cache
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init ends
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before 
>> makeConnection errorIfDown is false
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: 
>> errorIfDown false
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP 
>> connection using basic authentication to host pt-idm-vm01.example.com 
>> port 389 as cn=Directory Manager
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with 
>> mininum 3 and maximum 15 connections to host pt-idm-vm01.example.com 
>> port 389, secure connection, false, authentication type 1
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum 
>> connections by 3
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available 
>> connections 3
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of 
>> connections 3
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In
>> LdapBoundConnFactory::getConn()
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: 
>> true
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is 
>> connected true
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now 
>> 2
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS:
>> param=preop.internaldb.post_ldif
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif 
>> file = /usr/share/pki/ca/conf/vlv.ldif
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif 
>> file copy to /var/lib/pki/pki-tomcat/ca/conf/vlv.ldif
>>
>> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif 
>> file = /usr/share/pki/ca/conf/vlvtasks.ldif
>>
>> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif 
>> file copy to /var/lib/pki/pki-tomcat/ca/conf/vlvtasks.ldif
>>
>> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: Checking wait_dn 
>> cn=index1160589769, cn=index, cn=tasks, cn=config
>>
>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: Found data for 'sslserver'
>>
>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]:
>> SystemConfigService:processCerts(): san_server_cert not found for tag 
>> sslserver
>>
>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is 
>> local
>>
>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is 
>> remote (revised)
>>
>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: 
>> updateConfig() for certTag sslserver
>>
>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: updateConfig() done
>>
>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: remote CA
>>
>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got 
>> public key
>>
>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got 
>> private key
>>
>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: For this 
>> Cloned CA, always use its Master CA to generate the 'sslserver'
>> certificate to avoid any changes which may have been made to the X500Name directory string encoding order.
>>
>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: ConfigurationUtils: 
>> injectSAN=false
>>
>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertUtil createRemoteCert: content requestor_name=CA-pt-idm-vm01.example.com-8443&profileId=caInternalAuthServerCert&cert_request_type=pkcs10&cert_request=MIICmzCCAYxxxx[...redacted...]xxxrD6JPIBR7AA%3D&xmlOutput=true&sessionID=-4495713718673639316
>>
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil
>> createRemoteCert: status=0
>>
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil createRemoteCert: MIIDxTCCAq2gxxxx[...redacted...]xxxTDuSAWm2v7
>>
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: ConfigurationUtils:
>> handleCertRequest() begins
>>
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: 
>> tag=sslserver
>>
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]:
>> privKeyID=29c021f3ccfafb1049bd33ce00e9b4ba35f2c1e7
>>
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: 
>> created cert request
>>
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processing 'sslserver' certificate:
>>
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): for cert 
>> tag 'sslserver' using cert type 'remote'
>>
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): process 
>> remote...import cert
>>
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: 
>> nickname=Server-Cert cert-pki-ca
>>
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: cert 
>> deleted successfully
>>
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): 
>> certchains length=2
>>
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): import 
>> certificate successfully, certTag=sslserver
>>
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processed 'sslserver' certificate.
>>
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === BackupKeyCert
>> Panel/SavePKCS12 Panel ===
>>
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: backupKeys(): start
>>
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Admin Panel ===
>>
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Done Panel ===
>>
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Updating existing 
>> security domain
>>
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: isSDHostDomainMaster(): 
>> Getting domain.xml from CA...
>>
>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: getDomainXML start
>>
>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: status=0
>>
>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: domainInfo=<?xml version="1.0" encoding="UTF-8" standalone="no"?><DomainInfo><Name>IPA</Name><CAList><CA><Host>ptipa1.example.com</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><UnSecurePort>80</UnSecurePort><Clone>FALSE</Clone><SubsystemName>pki-cad</SubsystemName><DomainManager>TRUE</DomainManager></CA><SubsystemCount>1</SubsystemCount></CAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><RAList><SubsystemCount>0</SubsystemCount></RAList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo>
>>
>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Cloning a domain master
>>
>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase 
>> updateDomainXML start hostname=ptipa1.example.com port=443
>>
>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: 
>> failed to update security domain using admin port 443: 
>> org.xml.sax.SAXParseException;
>> lineNumber: 1; columnNumber: 50; White spaces are required between 
>> publicId and systemId.
>>
>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: 
>> now trying agent port with client auth
>>
>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase 
>> updateDomainXML start hostname=ptipa1.example.com port=443
>>
>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateDomainXML() 
>> nickname=subsystemCert cert-pki-ca
>>
>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML:
>> status=1
>>
>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Error while updating 
>> security
>> domain: java.io.IOException: 2
>>
>> [23/Mar/2016:23:44:52][http-bio-8080-exec-1]: according to ccMode, 
>> authorization for servlet: caProfileList is LDAP based, not XML {1}, use default authz mgr: {2}.
>>
>> /var/log/pki/pki-tomcat/ca/system
>>
>> 0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
>>
>> 0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [13] [3] authz 
>> instance DirAclAuthz initialization failed and skipped, 
>> error=Property internaldb.ldapconn.port missing value
>>
>> *Dennis M Ott*
>> Infrastructure Administrator
>> Infrastructure and Security Operations
>>
>> *McKesson Corporation
>> McKesson Pharmacy Systems and Automation* www.mckesson.com 
>> <http://www.mckesson.com/>
>>> --
> Petr Vobornik
> 
--
Petr Vobornik
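The two checks Petr asks for above (the subsystem user's "User ID" and "Description" layout in "Subsystem Group", and no expired certificates in `getcert list`), as an added example that is not part of this thread or of the pki tooling: a small Python script that parses the output of both commands and reports what deviates. The embedded sample output is constructed from the values quoted in the thread; the `--live` flag, the hostname argument and the function names are my own.

```python
"""Pre-flight checks before retrying a replica CA install against an old master:
1. the CA subsystem user exists in "Subsystem Group" with User ID CA-<hostname>-9443
   and a Description of the form <version>;<serial>;<issuer DN>;<subject DN>;
2. no certificate tracked by certmonger has already expired.
Without arguments the constructed samples below are checked; with
`--live <hostname>` the real commands are run (assumed to exist on the master)."""
import re
import subprocess
import sys
from datetime import datetime, timezone

# Constructed sample output, modelled on the values quoted in the thread.
SAMPLE_MEMBER_FIND = """\
  User ID: CA-ptipa1.example.com-9443
  Common Name: CA-ptipa1.example.com-9443
  Surname: CA-ptipa1.example.com-9443
  Type: agentType
  Description: 2;4;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA Subsystem,O=EXAMPLE.COM
  E-mail:
"""
SAMPLE_GETCERT = """\
Request ID '20130904184120':
        status: MONITORING
        expires: 2017-07-18 00:55:14 UTC
Request ID '20130904184121':
        status: MONITORING
        expires: 2017-08-09 00:54:21 UTC
"""
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_members(text):
    """Turn ca-group-member-find output into one {field: value} dict per member."""
    members, current = [], {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z -]*):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "User ID" and current:   # each member record starts with User ID
            members.append(current)
            current = {}
        current[key] = value
    if current:
        members.append(current)
    return members


def check_subsystem_user(members, hostname, port=9443):
    """Return a list of problems; [] means the entry matches the expected layout."""
    uid = "CA-%s-%d" % (hostname, port)
    entry = next((m for m in members if m.get("User ID") == uid), None)
    if entry is None:
        return ["no member with User ID %s (subsystem user missing?)" % uid]
    fields = entry.get("Description", "").split(";")
    if len(fields) != 4:
        return ["Description has %d fields, expected version;serial;issuer;subject" % len(fields)]
    version, serial, issuer, subject = fields
    problems = []
    if not (version.isdigit() and serial.isdigit()):
        problems.append("version/serial are not numeric: %r;%r" % (version, serial))
    if not issuer.upper().startswith("CN="):
        problems.append("issuer is not a DN: %r" % issuer)
    if "CN=CA SUBSYSTEM" not in subject.upper():
        problems.append("subject is not the CA Subsystem certificate: %r" % subject)
    return problems


def expired_certs(getcert_text, now_utc):
    """Return the 'expires:' timestamps from getcert list that are not after now_utc
    (a 'YYYY-MM-DD HH:MM:SS' string in UTC)."""
    now = datetime.strptime(now_utc, TIME_FMT)
    expired = []
    for m in re.finditer(r"expires:\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC", getcert_text):
        if datetime.strptime(m.group(1), TIME_FMT) <= now:
            expired.append(m.group(1))
    return expired


def run_checks(member_text, getcert_text, hostname, now_utc):
    """Combine both checks into one list of human-readable problems."""
    problems = check_subsystem_user(parse_members(member_text), hostname)
    problems += ["certificate expired at %s UTC" % t for t in expired_certs(getcert_text, now_utc)]
    return problems


if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.argv[1] == "--live":
        member_text = subprocess.check_output(
            ["pki-server", "ca-group-member-find", "Subsystem Group"]).decode()
        getcert_text = subprocess.check_output(["getcert", "list"]).decode()
        hostname = sys.argv[2]
    else:
        member_text, getcert_text, hostname = SAMPLE_MEMBER_FIND, SAMPLE_GETCERT, "ptipa1.example.com"
    now = datetime.now(timezone.utc).strftime(TIME_FMT)
    for line in run_checks(member_text, getcert_text, hostname, now) or ["subsystem user and certificates look fine"]:
        print(line)
```

An empty result on the master is the state Petr describes as "ideal"; a "no member with User ID" result is the case for which he points at restore-subsystem-user.py.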



