[Freeipa-users] 7.x replica install from 6.x master fails

Petr Vobornik pvoborni at redhat.com
Tue Mar 29 10:42:55 UTC 2016


On 03/24/2016 04:29 PM, Ott, Dennis wrote:
> I am trying to migrate from OS 6.x / IPA 3.0 to OS 7.x / IPA 4.x. After working
> through and solving a few issues, my current efforts fail when setting up the
> replica CA.
>
> If I set up a new, pristine master on OS 6.7, I am able to create an OS 7.x
> replica without any problem. However, if I try to create a replica from my two
> year old test lab instance (production will be another matter for the future) it
> fails. The test lab master was created a couple of years ago on OS 6.3 / IPA 2.x
> and has been upgraded to the latest versions in the 6.x chain. It is old enough
> to have had all the certificates renewed, but I believe I have worked through
> all the issues related to that.
>
> Below is what I believe are the useful portions of the pertinent logs. I’ve not
> been able to find anything online that speaks to the errors I am seeing.
>
> Thanks for your help.

Hello Dennis,

What are the exact versions of pki-ca and ipa-server on the 6.x master 
and the 7.x replica?

What kind of CA installation does the old 6.x master have? Is it a 
standard installation with CA, or does it also use an external CA?

I assume it is not self-signed (a very old, unsupported type, which could 
be converted in 7.x to CA-less).

>
> /var/log/ipareplica-install.log
>
> 2016-03-23T21:55:11Z DEBUG Configuring certificate server (pki-tomcatd).
> Estimated time: 3 minutes 30 seconds
>
> 2016-03-23T21:55:11Z DEBUG   [1/23]: creating certificate server user
>
> 2016-03-23T21:55:11Z DEBUG group pkiuser exists
>
> 2016-03-23T21:55:11Z DEBUG user pkiuser exists
>
> 2016-03-23T21:55:11Z DEBUG   duration: 0 seconds
>
> 2016-03-23T21:55:11Z DEBUG   [2/23]: configuring certificate server instance
>
> 2016-03-23T21:55:11Z DEBUG Loading StateFile from
> '/var/lib/ipa/sysrestore/sysrestore.state'
>
> 2016-03-23T21:55:11Z DEBUG Saving StateFile to
> '/var/lib/ipa/sysrestore/sysrestore.state'
>
> 2016-03-23T21:55:11Z DEBUG Contents of pkispawn configuration file (/tmp/tmpGQ59ZC):
>
> [CA]
>
> pki_security_domain_name = IPA
>
> pki_enable_proxy = True
>
> pki_restart_configured_instance = False
>
> pki_backup_keys = True
>
> pki_backup_password = XXXXXXXX
>
> pki_profiles_in_ldap = True
>
> pki_client_database_dir = /tmp/tmp-g0CKZ3
>
> pki_client_database_password = XXXXXXXX
>
> pki_client_database_purge = False
>
> pki_client_pkcs12_password = XXXXXXXX
>
> pki_admin_name = admin
>
> pki_admin_uid = admin
>
> pki_admin_email = root@localhost
>
> pki_admin_password = XXXXXXXX
>
> pki_admin_nickname = ipa-ca-agent
>
> pki_admin_subject_dn = cn=ipa-ca-agent,O=EXAMPLE.COM
>
> pki_client_admin_cert_p12 = /root/ca-agent.p12
>
> pki_ds_ldap_port = 389
>
> pki_ds_password = XXXXXXXX
>
> pki_ds_base_dn = o=ipaca
>
> pki_ds_database = ipaca
>
> pki_subsystem_subject_dn = cn=CA Subsystem,O=EXAMPLE.COM
>
> pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=EXAMPLE.COM
>
> pki_ssl_server_subject_dn = cn=pt-idm-vm01.example.com,O=EXAMPLE.COM
>
> pki_audit_signing_subject_dn = cn=CA Audit,O=EXAMPLE.COM
>
> pki_ca_signing_subject_dn = cn=Certificate Authority,O=EXAMPLE.COM
>
> pki_subsystem_nickname = subsystemCert cert-pki-ca
>
> pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
>
> pki_ssl_server_nickname = Server-Cert cert-pki-ca
>
> pki_audit_signing_nickname = auditSigningCert cert-pki-ca
>
> pki_ca_signing_nickname = caSigningCert cert-pki-ca
>
> pki_ca_signing_key_algorithm = SHA256withRSA
>
> pki_security_domain_hostname = ptipa1.example.com
>
> pki_security_domain_https_port = 443
>
> pki_security_domain_user = admin
>
> pki_security_domain_password = XXXXXXXX
>
> pki_clone = True
>
> pki_clone_pkcs12_path = /tmp/ca.p12
>
> pki_clone_pkcs12_password = XXXXXXXX
>
> pki_clone_replication_security = TLS
>
> pki_clone_replication_master_port = 7389
>
> pki_clone_replication_clone_port = 389
>
> pki_clone_replicate_schema = False
>
> pki_clone_uri = https://ptipa1.example.com:443
>
> 2016-03-23T21:55:11Z DEBUG Starting external process
>
> 2016-03-23T21:55:11Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpGQ59ZC'
>
> 2016-03-23T21:56:51Z DEBUG Process finished, return code=1
>
> 2016-03-23T21:56:51Z DEBUG stdout=Log file:
> /var/log/pki/pki-ca-spawn.20160323175511.log
>
> Loading deployment configuration from /tmp/tmpGQ59ZC.
>
> Installing CA into /var/lib/pki/pki-tomcat.
>
> Storing deployment configuration into
> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>
> Installation failed.
>
> 2016-03-23T21:56:51Z DEBUG
> stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
> InsecureRequestWarning: Unverified HTTPS request is being made. Adding
> certificate verification is strongly advised. See:
> https://urllib3.readthedocs.org/en/latest/security.html
>
>     InsecureRequestWarning)
>
> pkispawn    : WARNING  ....... unable to validate security domain user/password
> through REST interface. Interface not available
>
> pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: 500
> Server Error: Internal Server Error
>
> pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token): line
> 1, column 0:
> {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error
> while updating security domain: java.io.IOException: 2"}
>
> 2016-03-23T21:56:51Z CRITICAL Failed to configure CA instance: Command
> ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpGQ59ZC'' returned non-zero exit
> status 1
>
> 2016-03-23T21:56:51Z CRITICAL See the installation logs and the following
> files/directories for more information:
>
> 2016-03-23T21:56:51Z CRITICAL   /var/log/pki-ca-install.log
>
> 2016-03-23T21:56:51Z CRITICAL   /var/log/pki/pki-tomcat
>
> 2016-03-23T21:56:51Z DEBUG Traceback (most recent call last):
>
>     File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
> 418, in start_creation
>
>       run_step(full_msg, method)
>
>     File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
> 408, in run_step
>
>       method()
>
>     File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
> 620, in __spawn_instance
>
>       DogtagInstance.spawn_instance(self, cfg_file)
>
>     File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
> line 201, in spawn_instance
>
>       self.handle_setup_error(e)
>
>     File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
> line 465, in handle_setup_error
>
>       raise RuntimeError("%s configuration failed." % self.subsystem)
>
> RuntimeError: CA configuration failed.
>
> 2016-03-23T21:56:51Z DEBUG   [error] RuntimeError: CA configuration failed.
>
> 2016-03-23T21:56:51Z DEBUG   File
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>
>       return_value = self.run()
>
>     File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311,
> in run
>
>       cfgr.run()
>
>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 281,
> in run
>
>       self.execute()
>
>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 303,
> in execute
>
>       for nothing in self._executor():
>
>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343,
> in __runner
>
>       self._handle_exception(exc_info)
>
>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365,
> in _handle_exception
>
>       util.raise_exc_info(exc_info)
>
>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333,
> in __runner
>
>       step()
>
>     File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87,
> in run_generator_with_yield_from
>
>       raise_exc_info(exc_info)
>
>     File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65,
> in run_generator_with_yield_from
>
>       value = gen.send(prev_value)
>
>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 524,
> in _configure
>
>       executor.next()
>
>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343,
> in __runner
>
>       self._handle_exception(exc_info)
>
>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421,
> in _handle_exception
>
>       self.__parent._handle_exception(exc_info)
>
>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365,
> in _handle_exception
>
>       util.raise_exc_info(exc_info)
>
>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418,
> in _handle_exception
>
>       super(ComponentBase, self)._handle_exception(exc_info)
>
>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365,
> in _handle_exception
>
>       util.raise_exc_info(exc_info)
>
>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333,
> in __runner
>
>       step()
>
>     File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87,
> in run_generator_with_yield_from
>
>       raise_exc_info(exc_info)
>
>     File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65,
> in run_generator_with_yield_from
>
>       value = gen.send(prev_value)
>
>     File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63,
> in _install
>
>       for nothing in self._installer(self.parent):
>
>     File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
> line 879, in main
>
>       install(self)
>
>     File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
> line 295, in decorated
>
>       func(installer)
>
>     File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
> line 584, in install
>
>       ca.install(False, config, options)
>
>     File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 106, in
> install
>
>       install_step_0(standalone, replica_config, options)
>
>     File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 130, in
> install_step_0
>
>       ra_p12=getattr(options, 'ra_p12', None))
>
>     File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
> 1543, in install_replica_ca
>
>       subject_base=config.subject_base)
>
>     File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
> 486, in configure_instance
>
>       self.start_creation(runtime=210)
>
>     File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
> 418, in start_creation
>
>       run_step(full_msg, method)
>
>     File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
> 408, in run_step
>
>       method()
>
>     File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
> 620, in __spawn_instance
>
>       DogtagInstance.spawn_instance(self, cfg_file)
>
>     File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
> line 201, in spawn_instance
>
>       self.handle_setup_error(e)
>
>     File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
> line 465, in handle_setup_error
>
>       raise RuntimeError("%s configuration failed." % self.subsystem)
>
> 2016-03-23T21:56:51Z DEBUG The ipa-replica-install command failed, exception:
> RuntimeError: CA configuration failed.
>
> 2016-03-23T21:56:51Z ERROR CA configuration failed.
>
> /var/log/pki/pki-ca-spawn.<date>.log
>
> 2016-03-23 17:55:12 pkispawn    : INFO     ....... rm -f
> /etc/pki/pki-tomcat/ca/noise
>
> 2016-03-23 17:55:12 pkispawn    : INFO     ....... rm -f /etc/pki/pki-tomcat/pfile
>
> 2016-03-23 17:55:12 pkispawn    : INFO     ....... ln -s
> /lib/systemd/system/pki-tomcatd@.service
> /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service
>
> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chown -h 17:17
> /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service
>
> 2016-03-23 17:55:12 pkispawn    : INFO     ... configuring
> 'pki.server.deployment.scriptlets.configuration'
>
> 2016-03-23 17:55:12 pkispawn    : INFO     ....... mkdir -p
> /root/.dogtag/pki-tomcat/ca
>
> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chmod 755
> /root/.dogtag/pki-tomcat/ca
>
> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chown 0:0
> /root/.dogtag/pki-tomcat/ca
>
> 2016-03-23 17:55:12 pkispawn    : INFO     ....... generating
> '/root/.dogtag/pki-tomcat/ca/password.conf'
>
> 2016-03-23 17:55:12 pkispawn    : INFO     ....... modifying
> '/root/.dogtag/pki-tomcat/ca/password.conf'
>
> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chmod 660
> /root/.dogtag/pki-tomcat/ca/password.conf
>
> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chown 0:0
> /root/.dogtag/pki-tomcat/ca/password.conf
>
> 2016-03-23 17:55:12 pkispawn    : INFO     ....... generating
> '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
>
> 2016-03-23 17:55:12 pkispawn    : INFO     ....... modifying
> '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
>
> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chmod 660
> /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
>
> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chown 17:17
> /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
>
> 2016-03-23 17:55:12 pkispawn    : INFO     ....... executing 'certutil -N -d
> /tmp/tmp-g0CKZ3 -f /root/.dogtag/pki-tomcat/ca/password.conf'
>
> 2016-03-23 17:55:12 pkispawn    : INFO     ....... executing 'systemctl
> daemon-reload'
>
> 2016-03-23 17:55:12 pkispawn    : INFO     ....... executing 'systemctl start
> pki-tomcatd@pki-tomcat.service'
>
> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... No connection - server
> may still be down
>
> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... No connection - exception
> thrown: ('Connection aborted.', error(111, 'Connection refused'))
>
> 2016-03-23 17:55:13 pkispawn    : DEBUG    ........... No connection - server
> may still be down
>
> 2016-03-23 17:55:13 pkispawn    : DEBUG    ........... No connection - exception
> thrown: ('Connection aborted.', error(111, 'Connection refused'))
>
> 2016-03-23 17:55:24 pkispawn    : DEBUG    ........... <?xml version="1.0"
> encoding="UTF-8"
> standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status>running</Status><Version>10.2.5-6.el7</Version></XMLResponse>
>
> 2016-03-23 17:55:25 pkispawn    : INFO     ....... constructing PKI
> configuration data.
>
> 2016-03-23 17:55:25 pkispawn    : INFO     ....... configuring PKI configuration
> data.
>
> 2016-03-23 17:56:51 pkispawn    : ERROR    ....... Exception from Java
> Configuration Servlet: 500 Server Error: Internal Server Error
>
> 2016-03-23 17:56:51 pkispawn    : ERROR    ....... ParseError: not well-formed
> (invalid token): line 1, column 0:
> {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error
> while updating security domain: java.io.IOException: 2"}
>
> 2016-03-23 17:56:51 pkispawn    : DEBUG    ....... Error Type: ParseError
>
> 2016-03-23 17:56:51 pkispawn    : DEBUG    ....... Error Message: not
> well-formed (invalid token): line 1, column 0
>
> 2016-03-23 17:56:51 pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn",
> line 597, in main
>
>       rv = instance.spawn(deployer)
>
>     File
> "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py",
> line 116, in spawn
>
>       json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
>
>     File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py",
> line 3906, in configure_pki_data
>
>       root = ET.fromstring(e.response.text)
>
>     File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML
>
>       parser.feed(text)
>
>     File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed
>
>       self._raiseerror(v)
>
>     File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in _raiseerror
>
>       raise err
>
> /var/log/pki/pki-tomcat/ca/debug
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password ok: store
> in memory cache
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init ends
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before makeConnection
> errorIfDown is false
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: errorIfDown false
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP connection using
> basic authentication to host pt-idm-vm01.example.com port 389 as cn=Directory
> Manager
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with mininum 3 and
> maximum 15 connections to host pt-idm-vm01.example.com port 389, secure
> connection, false, authentication type 1
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum connections by 3
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available connections 3
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of connections 3
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In LdapBoundConnFactory::getConn()
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: true
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is connected true
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now 2
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS:
> param=preop.internaldb.manager_ldif
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file =
> /usr/share/pki/server/conf/manager.ldif
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file copy to
> /var/lib/pki/pki-tomcat/ca/conf/manager.ldif
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): LDAP Errors in
> importing /var/lib/pki/pki-tomcat/ca/conf/manager.ldif
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in
> adding entry ou=csusers,cn=config:netscape.ldap.LDAPException: error result (68)
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in
> modifying entry o=ipaca:netscape.ldap.LDAPException: error result (20)
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: populateVLVIndexes(): start
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Creating
> LdapBoundConnFactor(ConfigurationUtils)
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapBoundConnFactory: init
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapBoundConnFactory:doCloning true
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init()
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init begins
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: prompt is
> internaldb
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: try getting
> from memory cache
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: got password
> from memory
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: password found
> for prompt.
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password ok: store
> in memory cache
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init ends
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before makeConnection
> errorIfDown is false
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: errorIfDown false
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP connection using
> basic authentication to host pt-idm-vm01.example.com port 389 as cn=Directory
> Manager
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with mininum 3 and
> maximum 15 connections to host pt-idm-vm01.example.com port 389, secure
> connection, false, authentication type 1
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum connections by 3
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available connections 3
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of connections 3
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In LdapBoundConnFactory::getConn()
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: true
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is connected true
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now 2
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS:
> param=preop.internaldb.post_ldif
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file =
> /usr/share/pki/ca/conf/vlv.ldif
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file copy to
> /var/lib/pki/pki-tomcat/ca/conf/vlv.ldif
>
> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif file =
> /usr/share/pki/ca/conf/vlvtasks.ldif
>
> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif file copy to
> /var/lib/pki/pki-tomcat/ca/conf/vlvtasks.ldif
>
> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: Checking wait_dn
> cn=index1160589769, cn=index, cn=tasks, cn=config
>
> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: Found data for 'sslserver'
>
> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]:
> SystemConfigService:processCerts(): san_server_cert not found for tag sslserver
>
> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is local
>
> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is remote (revised)
>
> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: updateConfig() for
> certTag sslserver
>
> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: updateConfig() done
>
> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: remote CA
>
> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got public key
>
> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got private key
>
> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: For this Cloned CA,
> always use its Master CA to generate the 'sslserver' certificate to avoid any
> changes which may have been made to the X500Name directory string encoding order.
>
> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: ConfigurationUtils: injectSAN=false
>
> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertUtil createRemoteCert: content
> requestor_name=CA-pt-idm-vm01.example.com-8443&profileId=caInternalAuthServerCert&cert_request_type=pkcs10&cert_request=MIICmzCCAYxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxrD6JPIBR7AA%3D&xmlOutput=true&sessionID=-4495713718673639316
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil createRemoteCert: status=0
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil createRemoteCert:
> MIIDxTCCAq2gxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxTDuSAWm2v7
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: ConfigurationUtils:
> handleCertRequest() begins
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: tag=sslserver
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]:
> privKeyID=29c021f3ccfafb1049bd33ce00e9b4ba35f2c1e7
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: created cert
> request
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processing 'sslserver' certificate:
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): for cert tag
> 'sslserver' using cert type 'remote'
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): process
> remote...import cert
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: nickname=Server-Cert
> cert-pki-ca
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: cert deleted successfully
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): certchains length=2
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): import certificate
> successfully, certTag=sslserver
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processed 'sslserver' certificate.
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === BackupKeyCert Panel/SavePKCS12
> Panel ===
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: backupKeys(): start
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Admin Panel ===
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Done Panel ===
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Updating existing security domain
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: isSDHostDomainMaster(): Getting
> domain.xml from CA...
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: getDomainXML start
>
> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: status=0
>
> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: domainInfo=<?xml
> version="1.0" encoding="UTF-8"
> standalone="no"?><DomainInfo><Name>IPA</Name><CAList><CA><Host>ptipa1.example.com</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><UnSecurePort>80</UnSecurePort><Clone>FALSE</Clone><SubsystemName>pki-cad</SubsystemName><DomainManager>TRUE</DomainManager></CA><SubsystemCount>1</SubsystemCount></CAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><RAList><SubsystemCount>0</SubsystemCount></RAList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo>
>
> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Cloning a domain master
>
> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML
> start hostname=ptipa1.example.com port=443
>
> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: failed to
> update security domain using admin port 443: org.xml.sax.SAXParseException;
> lineNumber: 1; columnNumber: 50; White spaces are required between publicId and
> systemId.
>
> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: now trying
> agent port with client auth
>
> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML
> start hostname=ptipa1.example.com port=443
>
> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateDomainXML()
> nickname=subsystemCert cert-pki-ca
>
> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML:
> status=1
>
> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Error while updating security
> domain: java.io.IOException: 2
>
> [23/Mar/2016:23:44:52][http-bio-8080-exec-1]: according to ccMode, authorization
> for servlet: caProfileList is LDAP based, not XML {1}, use default authz mgr: {2}.
>
> /var/log/pki/pki-tomcat/ca/system
>
> 0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [3] [3] Cannot build CA
> chain. Error java.security.cert.CertificateException: Certificate is not a PKCS
> #11 certificate
>
> 0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [13] [3] authz instance
> DirAclAuthz initialization failed and skipped, error=Property
> internaldb.ldapconn.port missing value
>
> *Dennis M Ott*
> Infrastructure Administrator
> Infrastructure and Security Operations
>
> *McKesson Corporation
> McKesson Pharmacy Systems and Automation*
> www.mckesson.com <http://www.mckesson.com/>

-- 
Petr Vobornik
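The pkispawn failure quoted above ends in a Python ParseError rather than in the CA's own message because pkihelper.py (configure_pki_data) feeds the configuration servlet's error body to ET.fromstring(), and that body is a JSON PKIException, not XML; the real text, "Error while updating security domain: java.io.IOException: 2", is only visible in the raw response. The SAXParseException on the master side ("White spaces are required between publicId and systemId") is the same kind of symptom in Java: a response that was not the XML the caller expected. Below is an added example (not FreeIPA or Dogtag code) that classifies such a body as XML or JSON before parsing it, pulls Code and Message out of a PKIException, and lists the CAs and ports advertised by the DomainInfo document that getDomainXML returned. The two sample bodies are copied from the log excerpts in this thread; the function names and the returned dict layout are this example's own choices.

```python
"""Triage helpers for a failed Dogtag CA clone (pkispawn -s CA).

Added example, not FreeIPA or Dogtag code.  The sample bodies are the
ones quoted in the thread above: the DomainInfo XML that getDomainXML
returned and the PKIException JSON that pkispawn then tried to parse
as XML.  Function names and the dict layout are this example's own.
"""
import json
import xml.etree.ElementTree as ET

# Copied from the pki-tomcat debug log in the thread (getDomainXML: domainInfo=...).
DOMAIN_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
    '<DomainInfo><Name>IPA</Name><CAList><CA>'
    '<Host>ptipa1.example.com</Host><SecurePort>443</SecurePort>'
    '<SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort>'
    '<SecureEEClientAuthPort>443</SecureEEClientAuthPort><UnSecurePort>80</UnSecurePort>'
    '<Clone>FALSE</Clone><SubsystemName>pki-cad</SubsystemName>'
    '<DomainManager>TRUE</DomainManager></CA><SubsystemCount>1</SubsystemCount></CAList>'
    '<OCSPList><SubsystemCount>0</SubsystemCount></OCSPList>'
    '<KRAList><SubsystemCount>0</SubsystemCount></KRAList>'
    '<RAList><SubsystemCount>0</SubsystemCount></RAList>'
    '<TKSList><SubsystemCount>0</SubsystemCount></TKSList>'
    '<TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo>'
)

# Copied from the pkispawn error in the thread (the body behind the ParseError).
PKI_EXCEPTION_JSON = (
    '{"Attributes":{"Attribute":[]},'
    '"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,'
    '"Message":"Error while updating security domain: java.io.IOException: 2"}'
)


def parse_pki_response(text):
    """Classify a configuration-servlet body before parsing it.

    pkihelper.configure_pki_data() calls ET.fromstring() on every
    error body; a JSON PKIException therefore surfaces only as
    'ParseError: not well-formed (invalid token): line 1, column 0'.
    Trying XML first and then JSON keeps the real message.
    """
    body = text.strip()
    try:
        return {"kind": "xml", "root": ET.fromstring(body)}
    except ET.ParseError:
        pass
    try:
        return {"kind": "json", "object": json.loads(body)}
    except ValueError:
        return {"kind": "unknown", "text": body}


def pki_error(text):
    """Return (Code, Message) from a PKIException JSON body, else None."""
    parsed = parse_pki_response(text)
    if parsed["kind"] != "json":
        return None
    obj = parsed["object"]
    if isinstance(obj, dict) and "Code" in obj and "Message" in obj:
        return obj["Code"], obj["Message"]
    return None


def security_domain_cas(domain_xml):
    """List each CA in a DomainInfo document with the ports it advertises.

    For the master in the thread every secure port is 443 (the HTTPS
    proxy in front of pki-cad), which is the port the clone then uses
    for updateDomainXML.
    """
    parsed = parse_pki_response(domain_xml)
    if parsed["kind"] != "xml" or parsed["root"].tag != "DomainInfo":
        raise ValueError("not an XML DomainInfo document")
    cas = []
    for ca in parsed["root"].findall("./CAList/CA"):
        cas.append({
            "host": ca.findtext("Host"),
            "secure_port": int(ca.findtext("SecurePort")),
            "agent_port": int(ca.findtext("SecureAgentPort")),
            "admin_port": int(ca.findtext("SecureAdminPort")),
            "clone": ca.findtext("Clone") == "TRUE",
            "domain_manager": ca.findtext("DomainManager") == "TRUE",
        })
    return cas


def triage(body):
    """One-line verdict for a servlet body, for use from a REPL or script."""
    parsed = parse_pki_response(body)
    if parsed["kind"] == "json":
        err = pki_error(body)
        if err:
            return "PKIException %s: %s" % err
        return "JSON response without Code/Message"
    if parsed["kind"] == "xml":
        if parsed["root"].tag == "DomainInfo":
            cas = security_domain_cas(body)
            return "DomainInfo with %d CA(s): %s" % (
                len(cas),
                ", ".join("%s:%d" % (c["host"], c["admin_port"]) for c in cas))
        return "XML <%s> response" % parsed["root"].tag
    return "unparseable body (%d bytes)" % len(parsed["text"])


if __name__ == "__main__":
    print(triage(DOMAIN_XML))
    print(triage(PKI_EXCEPTION_JSON))
```

To apply this to a real failed run, paste the JSON that pkispawn printed after "ParseError" into triage(); the Code and Message it returns are what to take to the pki-tomcat debug log on the clone and to the master's CA log, instead of the ParseError itself.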