[Freeipa-users] ca install fails upgrading to 4.2.0

Robert van Veelen robert.vanveelen at gmail.com
Thu Feb 4 13:27:30 UTC 2016


I reran the replica-install and interrupted the script to set debug=1. The
debug log didn't change very much at startup since the failure seems to
occur already in the pre-start selftest. So it is still the same
"java.lang.Exception: SystemCertsVerification: system certs verification
failure"

[04/Feb/2016:13:19:45][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Success][CertNickName=auditSigningCert cert-pki-ca] CIMC certificate verification

java.lang.Exception: SystemCertsVerification: system certs verification failure
        at com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:198)
        at com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:861)
        at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1797)
        at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1701)
        at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1148)
        at com.netscape.certsrv.apps.CMS.startup(CMS.java:200)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1602)
        at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
        at javax.servlet.GenericServlet.init(GenericServlet.java:158)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:497)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
        at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
        at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
[04/Feb/2016:13:19:45][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] self tests execution (see selftests.log for details)

Where can I manually check the certificates that were imported from the
existing master?

-rob

On Tue, 2 Feb 2016 at 11:20 Martin Kosek <mkosek at redhat.com> wrote:

> On 02/02/2016 11:51 AM, Robert van Veelen wrote:
> > Unfortunately not. I saw that thread and grabbed the patch and updated spec
> > to give it a try. Same issue.
> > cheers,
>
> Ah, pity. Let me CC Endi in this thread then. I suspect he will be interested
> in the same log files as in the referred thread.
>
> > On Tue, 2 Feb 2016 at 08:46 Martin Kosek <mkosek at redhat.com> wrote:
> >
> >> On 02/02/2016 02:18 AM, Robert van Veelen wrote:
> >>> Hi,
> >>> I'm trying to create an ipa replica from
> >>> ipa-server-3.0.0-47/pki-ca-9.0.3-45 to ipa-server-4.2.0-15/pki-ca-10.2.5-6
> >>> and cannot get the install to complete. The CS is configured as a sub to an
> >>> external CA. I keep getting the same error when running the
> >>> replica-install. Digging into pki-ca's debug log, I find the following
> >>> errors:
> >>>
> >>>  java.lang.Exception: SystemCertsVerification: system certs verification failure
> >>> &
> >>>  CertUtils: verifySystemCertByNickname() failed: caSigningCert cert-pki-ca
> >>>
> >>> I've tried regenerating the source cacert.p12, upgrading pki-ca to latest,
> >>> etc. It just seems like the new replica is unable to verify the certs while
> >>> running selftests. Any good tips for a next step to work out what's going on?
> >>>
> >>> Thanks,
> >>>
> >>> -rob
> >>
> >> Can this be the same problem as answered by Endi here:
> >>
> >> https://www.redhat.com/archives/freeipa-users/2016-January/msg00564.html
> >> ?
> >>
> >>
> >
>
>
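
An added example, not part of the original message and not FreeIPA or Dogtag code: a small triage script that reads a pasted pki-ca debug log (mail-wrapped or not) and reports, per certificate nickname, whether the startup self-test verified it. The sample log is constructed from the lines quoted in this thread; the timestamp on the CertUtils line, the line ordering, and the "<name> cert-pki-<subsystem>" nickname shape are assumptions.

```python
import re

# Signed-audit entries look like: message=[Key=Value][Key=Value]... free text
AUDIT_RE = re.compile(r"message=((?:\[[^\]]+\])+)")
FIELD_RE = re.compile(r"\[(\w+)=([^\]]*)\]")
# Assumption: nicknames have the "<name> cert-pki-<subsystem>" shape seen in the thread.
FAILED_RE = re.compile(r"verifySystemCertByNickname\(\) failed: (\S+ cert-pki-\S+)")

# Constructed sample: lines quoted in the thread, wrapped the way the mail wrapped them.
SAMPLE_LOG = """\
[04/Feb/2016:13:19:45][localhost-startStop-1]: CertUtils:
verifySystemCertByNickname() failed: caSigningCert
cert-pki-ca
[04/Feb/2016:13:19:45][localhost-startStop-1]: SignedAuditEventFactory:
create()
message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Success][CertNickName=auditSigningCert
cert-pki-ca] CIMC certificate verification
java.lang.Exception: SystemCertsVerification: system certs verification
failure
[04/Feb/2016:13:19:45][localhost-startStop-1]: SignedAuditEventFactory:
create()
message=[AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure]
self tests execution (see selftests.log for details)
"""

def summarize(log_text):
    """Return {'certs': {nickname: outcome}, 'selftests': outcome or None}."""
    # Collapse all whitespace so entries broken across lines match again.
    text = " ".join(log_text.split())
    certs, selftests = {}, None
    for m in AUDIT_RE.finditer(text):
        fields = dict(FIELD_RE.findall(m.group(1)))
        event, outcome = fields.get("AuditEvent"), fields.get("Outcome")
        if event == "CIMC_CERT_VERIFICATION" and "CertNickName" in fields:
            nick = fields["CertNickName"]
            # A recorded failure is never overwritten by a later success.
            if certs.get(nick) != "Failure":
                certs[nick] = outcome
        elif event == "SELFTESTS_EXECUTION":
            selftests = outcome
    # Explicit CertUtils failure lines always win.
    for nick in FAILED_RE.findall(text):
        certs[nick] = "Failure"
    return {"certs": certs, "selftests": selftests}

def failing(log_text):
    """Sorted nicknames whose verification failed."""
    certs = summarize(log_text)["certs"]
    return sorted(n for n, o in certs.items() if o == "Failure")

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print("failing:", failing(SAMPLE_LOG))
```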