[Freeipa-users] 7.x replica install from 6.x master fails

Ott, Dennis Dennis.Ott at mckesson.com
Thu Mar 31 19:07:40 UTC 2016


Petr,

Original 6.x master installed at:

ipa-server-2.1.3-9

pki-ca-9.0.3-20


At the time the migration was attempted, the 6.x master had been updated to:

ipa-server-3.0.0-47

pki-ca-9.0.3-45


The 7.x replica install has been attempted using a variety of versions. The log excerpts at the beginning of this email were from an installation attempt using:

ipa-server-4.2.0-15.0.1

pki-ca-10.2.5-6


It's a standard CA installation. This line is from /var/log/ipaserverinstall.log showing selfsign as False:

2013-09-04T18:41:20Z DEBUG /usr/sbin/ipa-server-install was invoked with options: {'zone_refresh': 0, 'reverse_zone': None, 'realm_name': None, 'create_sshfp': True, 'conf_sshd': False, 'conf_ntp': False, 'subject': None, 'no_forwarders': False, 'persistent_search': True, 'ui_redirect': True, 'domain_name': None, 'idmax': 0, 'hbac_allow': True, 'no_reverse': False, 'dirsrv_pkcs12': None, 'unattended': False, 'selfsign': False, 'trust_sshfp': False, 'external_ca_file': None, 'no_host_dns': False, 'http_pkcs12': None, 'zone_notif': False, 'forwarders': None, 'idstart': 900000000, 'external_ca': False, 'ip_address': None, 'conf_ssh': False, 'serial_autoincrement': True, 'zonemgr': None, 'setup_dns': False, 'host_name': None, 'debug': False, 'external_cert_file': None, 'uninstall': False}
2013-09-04T18:41:20Z DEBUG missing options might be asked for interactively later


-----Original Message-----
From: Petr Vobornik [mailto:pvoborni at redhat.com] 
Sent: Tuesday, March 29, 2016 6:43 AM
To: Ott, Dennis; Freeipa-users at redhat.com
Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails

On 03/24/2016 04:29 PM, Ott, Dennis wrote:
> I am trying to migrate from OS 6.x / IPA 3.0 to OS 7.x / IPA 4.x. 
> After working through and solving a few issues, my current efforts 
> fail when setting up the replica CA.
>
> If I set up a new, pristine master on OS 6.7, I am able to create an 
> OS 7.x replica without any problem. However, if I try to create a 
> replica from my two year old test lab instance (production will be 
> another matter for the future) it fails. The test lab master was 
> created a couple of years ago on OS 6.3 / IPA 2.x and has been 
> upgraded to the latest versions in the 6.x chain. It is old enough to 
> have had all the certificates renewed, but I believe I have worked through all the issues related to that.
>
> Below is what I believe are the useful portions of the pertinent logs. 
> I’ve not been able to find anything online that speaks to the errors I 
> am seeing.
>
> Thanks for your help.

Hello Dennis,

what are the exact versions of pki-ca and ipa-server on the 6.x master and 7.x replica?

What kind of CA installation does the old 6.x master install have? Is it a standard installation with a CA, or does it also use an external CA?

I assume it is not self-sign (very old unsupported type, which could be converted in 7.x as CA-less).

>
> /var/log/ipareplica-install.log
>
> 2016-03-23T21:55:11Z DEBUG Configuring certificate server (pki-tomcatd).
> Estimated time: 3 minutes 30 seconds
>
> 2016-03-23T21:55:11Z DEBUG   [1/23]: creating certificate server user
>
> 2016-03-23T21:55:11Z DEBUG group pkiuser exists
>
> 2016-03-23T21:55:11Z DEBUG user pkiuser exists
>
> 2016-03-23T21:55:11Z DEBUG   duration: 0 seconds
>
> 2016-03-23T21:55:11Z DEBUG   [2/23]: configuring certificate server instance
>
> 2016-03-23T21:55:11Z DEBUG Loading StateFile from 
> '/var/lib/ipa/sysrestore/sysrestore.state'
>
> 2016-03-23T21:55:11Z DEBUG Saving StateFile to 
> '/var/lib/ipa/sysrestore/sysrestore.state'
>
> 2016-03-23T21:55:11Z DEBUG Contents of pkispawn configuration file (/tmp/tmpGQ59ZC):
>
> [CA]
>
> pki_security_domain_name = IPA
>
> pki_enable_proxy = True
>
> pki_restart_configured_instance = False
>
> pki_backup_keys = True
>
> pki_backup_password = XXXXXXXX
>
> pki_profiles_in_ldap = True
>
> pki_client_database_dir = /tmp/tmp-g0CKZ3
>
> pki_client_database_password = XXXXXXXX
>
> pki_client_database_purge = False
>
> pki_client_pkcs12_password = XXXXXXXX
>
> pki_admin_name = admin
>
> pki_admin_uid = admin
>
> pki_admin_email = root at localhost
>
> pki_admin_password = XXXXXXXX
>
> pki_admin_nickname = ipa-ca-agent
>
> pki_admin_subject_dn = cn=ipa-ca-agent,O=EXAMPLE.COM
>
> pki_client_admin_cert_p12 = /root/ca-agent.p12
>
> pki_ds_ldap_port = 389
>
> pki_ds_password = XXXXXXXX
>
> pki_ds_base_dn = o=ipaca
>
> pki_ds_database = ipaca
>
> pki_subsystem_subject_dn = cn=CA Subsystem,O=EXAMPLE.COM
>
> pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=EXAMPLE.COM
>
> pki_ssl_server_subject_dn = cn=pt-idm-vm01.example.com,O=EXAMPLE.COM
>
> pki_audit_signing_subject_dn = cn=CA Audit,O=EXAMPLE.COM
>
> pki_ca_signing_subject_dn = cn=Certificate Authority,O=EXAMPLE.COM
>
> pki_subsystem_nickname = subsystemCert cert-pki-ca
>
> pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
>
> pki_ssl_server_nickname = Server-Cert cert-pki-ca
>
> pki_audit_signing_nickname = auditSigningCert cert-pki-ca
>
> pki_ca_signing_nickname = caSigningCert cert-pki-ca
>
> pki_ca_signing_key_algorithm = SHA256withRSA
>
> pki_security_domain_hostname = ptipa1.example.com
>
> pki_security_domain_https_port = 443
>
> pki_security_domain_user = admin
>
> pki_security_domain_password = XXXXXXXX
>
> pki_clone = True
>
> pki_clone_pkcs12_path = /tmp/ca.p12
>
> pki_clone_pkcs12_password = XXXXXXXX
>
> pki_clone_replication_security = TLS
>
> pki_clone_replication_master_port = 7389
>
> pki_clone_replication_clone_port = 389
>
> pki_clone_replicate_schema = False
>
> pki_clone_uri = 
> http://cp.mcafee.com/d/k-Kr6zqb3VEVjouhuodCQkkQnCkTTQjqaaqbParza9ISrdG
> Sa_iBosKrKVXMGgog82KA1N1BeTyH93t5m7hOoHH3b8GOxvQd8e89K8CPpISr9PCJhbcmD
> 9rkuYf21_YLxIbve9Ew3di5oMAld41EYmcR8lz2gazW1fpYKqfzqaabyr1I5-Aq83iSbN_
> VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJ
> USyrh
>
> 2016-03-23T21:55:11Z DEBUG Starting external process
>
> 2016-03-23T21:55:11Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpGQ59ZC'
>
> 2016-03-23T21:56:51Z DEBUG Process finished, return code=1
>
> 2016-03-23T21:56:51Z DEBUG stdout=Log file:
> /var/log/pki/pki-ca-spawn.20160323175511.log
>
> Loading deployment configuration from /tmp/tmpGQ59ZC.
>
> Installing CA into /var/lib/pki/pki-tomcat.
>
> Storing deployment configuration into
> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>
> Installation failed.
>
> 2016-03-23T21:56:51Z DEBUG
> stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
> InsecureRequestWarning: Unverified HTTPS request is being made. Adding 
> certificate verification is strongly advised. See:
> http://cp.mcafee.com/d/5fHCNAi6hESyM-qekS7AnC3pJ55d5VBdZZ4SyyCyYOCUOyr
> dCPqJyLQFm7bCXKuYaA6420HF0sgpjJUGOgThlxQsCaWMOOaIEnZ3i3y2ry9ISrdCOsVHk
> iP6UDDO8cZ7ZgCjZ2JGs01PUovI_FfavpKcFBK1NIbve9Ew3di5oMAld41EYmcR8lz2gaz
> W1fpYKqfzqaabyr1I5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0
> VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
>
>     InsecureRequestWarning)
>
> pkispawn    : WARNING  ....... unable to validate security domain user/password
> through REST interface. Interface not available
>
> pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: 500
> Server Error: Internal Server Error
>
> pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token): line
> 1, column 0:
> {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.
> PKIException","Code":500,"Message":"Error
> while updating security domain: java.io.IOException: 2"}
>
> 2016-03-23T21:56:51Z CRITICAL Failed to configure CA instance: Command 
> ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpGQ59ZC'' returned 
> non-zero exit status 1
>
> 2016-03-23T21:56:51Z CRITICAL See the installation logs and the 
> following files/directories for more information:
>
> 2016-03-23T21:56:51Z CRITICAL   /var/log/pki-ca-install.log
>
> 2016-03-23T21:56:51Z CRITICAL   /var/log/pki/pki-tomcat
>
> 2016-03-23T21:56:51Z DEBUG Traceback (most recent call last):
>
>     File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
> 418, in start_creation
>
>       run_step(full_msg, method)
>
>     File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
> 408, in run_step
>
>       method()
>
>     File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", 
> line 620, in __spawn_instance
>
>       DogtagInstance.spawn_instance(self, cfg_file)
>
>     File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py"
> ,
> line 201, in spawn_instance
>
>       self.handle_setup_error(e)
>
>     File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py"
> ,
> line 465, in handle_setup_error
>
>       raise RuntimeError("%s configuration failed." % self.subsystem)
>
> RuntimeError: CA configuration failed.
>
> 2016-03-23T21:56:51Z DEBUG   [error] RuntimeError: CA configuration failed.
>
> 2016-03-23T21:56:51Z DEBUG   File
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, 
> in execute
>
>       return_value = self.run()
>
>     File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", 
> line 311, in run
>
>       cfgr.run()
>
>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
> line 281, in run
>
>       self.execute()
>
>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
> line 303, in execute
>
>       for nothing in self._executor():
>
>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
> line 343, in __runner
>
>       self._handle_exception(exc_info)
>
>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
> line 365, in _handle_exception
>
>       util.raise_exc_info(exc_info)
>
>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
> line 333, in __runner
>
>       step()
>
>     File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", 
> line 87, in run_generator_with_yield_from
>
>       raise_exc_info(exc_info)
>
>     File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", 
> line 65, in run_generator_with_yield_from
>
>       value = gen.send(prev_value)
>
>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
> line 524, in _configure
>
>       executor.next()
>
>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
> line 343, in __runner
>
>       self._handle_exception(exc_info)
>
>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
> line 421, in _handle_exception
>
>       self.__parent._handle_exception(exc_info)
>
>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
> line 365, in _handle_exception
>
>       util.raise_exc_info(exc_info)
>
>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
> line 418, in _handle_exception
>
>       super(ComponentBase, self)._handle_exception(exc_info)
>
>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
> line 365, in _handle_exception
>
>       util.raise_exc_info(exc_info)
>
>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
> line 333, in __runner
>
>       step()
>
>     File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", 
> line 87, in run_generator_with_yield_from
>
>       raise_exc_info(exc_info)
>
>     File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", 
> line 65, in run_generator_with_yield_from
>
>       value = gen.send(prev_value)
>
>     File 
> "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 
> 63, in _install
>
>       for nothing in self._installer(self.parent):
>
>     File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainst
> all.py",
> line 879, in main
>
>       install(self)
>
>     File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainst
> all.py",
> line 295, in decorated
>
>       func(installer)
>
>     File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainst
> all.py",
> line 584, in install
>
>       ca.install(False, config, options)
>
>     File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", 
> line 106, in install
>
>       install_step_0(standalone, replica_config, options)
>
>     File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", 
> line 130, in
> install_step_0
>
>       ra_p12=getattr(options, 'ra_p12', None))
>
>     File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", 
> line 1543, in install_replica_ca
>
>       subject_base=config.subject_base)
>
>     File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", 
> line 486, in configure_instance
>
>       self.start_creation(runtime=210)
>
>     File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
> 418, in start_creation
>
>       run_step(full_msg, method)
>
>     File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
> 408, in run_step
>
>       method()
>
>     File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", 
> line 620, in __spawn_instance
>
>       DogtagInstance.spawn_instance(self, cfg_file)
>
>     File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py"
> ,
> line 201, in spawn_instance
>
>       self.handle_setup_error(e)
>
>     File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py"
> ,
> line 465, in handle_setup_error
>
>       raise RuntimeError("%s configuration failed." % self.subsystem)
>
> 2016-03-23T21:56:51Z DEBUG The ipa-replica-install command failed, exception:
> RuntimeError: CA configuration failed.
>
> 2016-03-23T21:56:51Z ERROR CA configuration failed.
>
> /var/log/pki/pki-ca-spawn.<date>.log
>
> 2016-03-23 17:55:12 pkispawn    : INFO     ....... rm -f
> /etc/pki/pki-tomcat/ca/noise
>
> 2016-03-23 17:55:12 pkispawn    : INFO     ....... rm -f /etc/pki/pki-tomcat/pfile
>
> 2016-03-23 17:55:12 pkispawn    : INFO     ....... ln -s
> /lib/systemd/system/pki-tomcatd at .service
> /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd at pki-tomcat.se
> rvice
>
> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chown -h 17:17
> /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd at pki-tomcat.se
> rvice
>
> 2016-03-23 17:55:12 pkispawn    : INFO     ... configuring
> 'pki.server.deployment.scriptlets.configuration'
>
> 2016-03-23 17:55:12 pkispawn    : INFO     ....... mkdir -p
> /root/.dogtag/pki-tomcat/ca
>
> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chmod 755
> /root/.dogtag/pki-tomcat/ca
>
> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chown 0:0
> /root/.dogtag/pki-tomcat/ca
>
> 2016-03-23 17:55:12 pkispawn    : INFO     ....... generating
> '/root/.dogtag/pki-tomcat/ca/password.conf'
>
> 2016-03-23 17:55:12 pkispawn    : INFO     ....... modifying
> '/root/.dogtag/pki-tomcat/ca/password.conf'
>
> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chmod 660
> /root/.dogtag/pki-tomcat/ca/password.conf
>
> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chown 0:0
> /root/.dogtag/pki-tomcat/ca/password.conf
>
> 2016-03-23 17:55:12 pkispawn    : INFO     ....... generating
> '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
>
> 2016-03-23 17:55:12 pkispawn    : INFO     ....... modifying
> '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
>
> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chmod 660
> /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
>
> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chown 17:17
> /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
>
> 2016-03-23 17:55:12 pkispawn    : INFO     ....... executing 'certutil -N -d
> /tmp/tmp-g0CKZ3 -f /root/.dogtag/pki-tomcat/ca/password.conf'
>
> 2016-03-23 17:55:12 pkispawn    : INFO     ....... executing 'systemctl
> daemon-reload'
>
> 2016-03-23 17:55:12 pkispawn    : INFO     ....... executing 'systemctl start
> pki-tomcatd at pki-tomcat.service'
>
> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... No connection - server
> may still be down
>
> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... No connection - exception
> thrown: ('Connection aborted.', error(111, 'Connection refused'))
>
> 2016-03-23 17:55:13 pkispawn    : DEBUG    ........... No connection - server
> may still be down
>
> 2016-03-23 17:55:13 pkispawn    : DEBUG    ........... No connection - exception
> thrown: ('Connection aborted.', error(111, 'Connection refused'))
>
> 2016-03-23 17:55:24 pkispawn    : DEBUG    ........... <?xml version="1.0"
> encoding="UTF-8"
> standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status>r
> unning</Status><Version>10.2.5-6.el7</Version></XMLResponse>
>
> 2016-03-23 17:55:25 pkispawn    : INFO     ....... constructing PKI
> configuration data.
>
> 2016-03-23 17:55:25 pkispawn    : INFO     ....... configuring PKI configuration
> data.
>
> 2016-03-23 17:56:51 pkispawn    : ERROR    ....... Exception from Java
> Configuration Servlet: 500 Server Error: Internal Server Error
>
> 2016-03-23 17:56:51 pkispawn    : ERROR    ....... ParseError: not well-formed
> (invalid token): line 1, column 0:
> {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.
> PKIException","Code":500,"Message":"Error
> while updating security domain: java.io.IOException: 2"}
>
> 2016-03-23 17:56:51 pkispawn    : DEBUG    ....... Error Type: ParseError
>
> 2016-03-23 17:56:51 pkispawn    : DEBUG    ....... Error Message: not
> well-formed (invalid token): line 1, column 0
>
> 2016-03-23 17:56:51 pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn",
> line 597, in main
>
>       rv = instance.spawn(deployer)
>
>     File
> "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/con
> figuration.py",
> line 116, in spawn
>
>       json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
>
>     File 
> "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py",
> line 3906, in configure_pki_data
>
>       root = ET.fromstring(e.response.text)
>
>     File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, 
> in XML
>
>       parser.feed(text)
>
>     File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, 
> in feed
>
>       self._raiseerror(v)
>
>     File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, 
> in _raiseerror
>
>       raise err
>
> /var/log/pki/pki-tomcat/ca/debug
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password 
> ok: store in memory cache
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init ends
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before 
> makeConnection errorIfDown is false
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: 
> errorIfDown false
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP 
> connection using basic authentication to host pt-idm-vm01.example.com 
> port 389 as cn=Directory Manager
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with 
> mininum 3 and maximum 15 connections to host pt-idm-vm01.example.com 
> port 389, secure connection, false, authentication type 1
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum 
> connections by 3
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available 
> connections 3
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of 
> connections 3
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In 
> LdapBoundConnFactory::getConn()
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: 
> true
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is 
> connected true
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now 2
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS:
> param=preop.internaldb.manager_ldif
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file 
> = /usr/share/pki/server/conf/manager.ldif
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file 
> copy to /var/lib/pki/pki-tomcat/ca/conf/manager.ldif
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): LDAP 
> Errors in importing /var/lib/pki/pki-tomcat/ca/conf/manager.ldif
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: 
> exception in adding entry 
> ou=csusers,cn=config:netscape.ldap.LDAPException: error result (68)
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: 
> exception in modifying entry o=ipaca:netscape.ldap.LDAPException: 
> error result (20)
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: populateVLVIndexes(): 
> start
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Creating
> LdapBoundConnFactor(ConfigurationUtils)
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapBoundConnFactory: 
> init
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: 
> LdapBoundConnFactory:doCloning true
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init()
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init 
> begins
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: 
> prompt is internaldb
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: try 
> getting from memory cache
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: got 
> password from memory
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: 
> password found for prompt.
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password 
> ok: store in memory cache
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init ends
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before 
> makeConnection errorIfDown is false
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: 
> errorIfDown false
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP 
> connection using basic authentication to host pt-idm-vm01.example.com 
> port 389 as cn=Directory Manager
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with 
> mininum 3 and maximum 15 connections to host pt-idm-vm01.example.com 
> port 389, secure connection, false, authentication type 1
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum 
> connections by 3
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available 
> connections 3
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of 
> connections 3
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In 
> LdapBoundConnFactory::getConn()
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: 
> true
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is 
> connected true
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now 2
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS:
> param=preop.internaldb.post_ldif
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file 
> = /usr/share/pki/ca/conf/vlv.ldif
>
> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file 
> copy to /var/lib/pki/pki-tomcat/ca/conf/vlv.ldif
>
> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif file 
> = /usr/share/pki/ca/conf/vlvtasks.ldif
>
> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif file 
> copy to /var/lib/pki/pki-tomcat/ca/conf/vlvtasks.ldif
>
> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: Checking wait_dn 
> cn=index1160589769, cn=index, cn=tasks, cn=config
>
> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: Found data for 'sslserver'
>
> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]:
> SystemConfigService:processCerts(): san_server_cert not found for tag 
> sslserver
>
> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is 
> local
>
> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is 
> remote (revised)
>
> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: 
> updateConfig() for certTag sslserver
>
> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: updateConfig() done
>
> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: remote CA
>
> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got 
> public key
>
> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got 
> private key
>
> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: For this 
> Cloned CA, always use its Master CA to generate the 'sslserver' 
> certificate to avoid any changes which may have been made to the X500Name directory string encoding order.
>
> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: ConfigurationUtils: 
> injectSAN=false
>
> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertUtil 
> createRemoteCert: content
> requestor_name=CA-pt-idm-vm01.example.com-8443&profileId=caInternalAut
> hServerCert&cert_request_type=pkcs10&cert_request=MIICmzCCAYxxxxxxxxxx
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxrD6JPIBR7AA%3D&xmlOutput=true&s
> essionID=-4495713718673639316
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil 
> createRemoteCert: status=0
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil createRemoteCert:
> MIIDxTCCAq2gxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxTDuSAWm2v7
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: ConfigurationUtils:
> handleCertRequest() begins
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: 
> tag=sslserver
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]:
> privKeyID=29c021f3ccfafb1049bd33ce00e9b4ba35f2c1e7
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: 
> created cert request
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processing 'sslserver' certificate:
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): for cert 
> tag 'sslserver' using cert type 'remote'
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): process 
> remote...import cert
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: 
> nickname=Server-Cert cert-pki-ca
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: cert deleted 
> successfully
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): 
> certchains length=2
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): import 
> certificate successfully, certTag=sslserver
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processed 'sslserver' certificate.
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === BackupKeyCert 
> Panel/SavePKCS12 Panel ===
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: backupKeys(): start
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Admin Panel ===
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Done Panel ===
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Updating existing 
> security domain
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: isSDHostDomainMaster(): 
> Getting domain.xml from CA...
>
> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: getDomainXML start
>
> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: status=0
>
> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: 
> domainInfo=<?xml version="1.0" encoding="UTF-8"
> standalone="no"?><DomainInfo><Name>IPA</Name><CAList><CA><Host>ptipa1.
> example.com</Host><SecurePort>443</SecurePort><SecureAgentPort>443</Se
> cureAgentPort><SecureAdminPort>443</SecureAdminPort><SecureEEClientAut
> hPort>443</SecureEEClientAuthPort><UnSecurePort>80</UnSecurePort><Clon
> e>FALSE</Clone><SubsystemName>pki-cad</SubsystemName><DomainManager>TR
> UE</DomainManager></CA><SubsystemCount>1</SubsystemCount></CAList><OCS
> PList><SubsystemCount>0</SubsystemCount></OCSPList><KRAList><Subsystem
> Count>0</SubsystemCount></KRAList><RAList><SubsystemCount>0</Subsystem
> Count></RAList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><T
> PSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo>
>
> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Cloning a domain master
>
> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase 
> updateDomainXML start hostname=ptipa1.example.com port=443
>
> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: 
> failed to update security domain using admin port 443: 
> org.xml.sax.SAXParseException;
> lineNumber: 1; columnNumber: 50; White spaces are required between 
> publicId and systemId.
>
> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: 
> now trying agent port with client auth
>
> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase 
> updateDomainXML start hostname=ptipa1.example.com port=443
>
> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateDomainXML() 
> nickname=subsystemCert cert-pki-ca
>
> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML:
> status=1
>
> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Error while updating 
> security
> domain: java.io.IOException: 2
>
> [23/Mar/2016:23:44:52][http-bio-8080-exec-1]: according to ccMode, 
> authorization for servlet: caProfileList is LDAP based, not XML {1}, use default authz mgr: {2}.
>
> /var/log/pki/pki-tomcat/ca/system
>
> 0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [3] [3] Cannot 
> build CA chain. Error java.security.cert.CertificateException: 
> Certificate is not a PKCS
> #11 certificate
>
> 0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [13] [3] authz 
> instance DirAclAuthz initialization failed and skipped, error=Property 
> internaldb.ldapconn.port missing value
>
> *Dennis M Ott*
> Infrastructure Administrator
> Infrastructure and Security Operations
>
> *McKesson Corporation
> McKesson Pharmacy Systems and Automation* www.mckesson.com 
> <http://www.mckesson.com/>
>
>
>


--
Petr Vobornik
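
Added example (not part of the original thread and not FreeIPA or Dogtag code): in the quoted traceback, `ET.fromstring(e.response.text)` is handed a JSON error body, so the reported `ParseError` hides the servlet's actual message. This sketch pulls that message out of the pkispawn log and names the LDAP result codes from the CA debug log. The sample strings are constructed from lines quoted above, and all function names are hypothetical.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed samples: lines quoted in this thread, with the mail client's hard
# wraps rejoined so they look as they would in the log files on disk.
SAMPLE_SPAWN_LOG = (
    "2016-03-23 17:56:51 pkispawn    : ERROR    ....... Exception from Java "
    "Configuration Servlet: 500 Server Error: Internal Server Error\n"
    "2016-03-23 17:56:51 pkispawn    : ERROR    ....... ParseError: not "
    "well-formed (invalid token): line 1, column 0: "
    '{"Attributes":{"Attribute":[]},'
    '"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,'
    '"Message":"Error while updating security domain: java.io.IOException: 2"}\n'
    "2016-03-23 17:56:51 pkispawn    : DEBUG    ....... Error Type: ParseError\n"
)
SAMPLE_DEBUG_LOG = (
    "[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception "
    "in adding entry ou=csusers,cn=config:netscape.ldap.LDAPException: "
    "error result (68)\n"
    "[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception "
    "in modifying entry o=ipaca:netscape.ldap.LDAPException: error result (20)\n"
)

# Records in the pkispawn log start with a timestamp at the beginning of a line.
RECORD_START = re.compile(r"^(?=\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2})", re.MULTILINE)
LDAP_ERROR = re.compile(
    r"exception in (\w+) entry\s+(.+?):netscape\.ldap\.LDAPException:"
    r"\s*error result \((\d+)\)"
)
# Result code names from RFC 4511, limited to the two codes seen in the thread.
LDAP_RESULT = {20: "attributeOrValueExists", 68: "entryAlreadyExists"}


def xml_parse_error(body):
    """Reproduce the traceback: feed a response body to ET.fromstring()."""
    try:
        ET.fromstring(body)
    except ET.ParseError as exc:
        return str(exc)
    return None


def decode_error_body(body):
    """Decode an error body as JSON first, then XML; return (format, fields)."""
    body = body.strip()
    try:
        return "json", json.loads(body)
    except ValueError:
        pass
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "unknown", {"raw": body}
    return "xml", {child.tag: child.text or "" for child in root}


def servlet_errors(log_text):
    """Return the JSON error object that follows each 'ParseError: ' marker."""
    decoder = json.JSONDecoder()
    found = []
    for record in RECORD_START.split(log_text):
        marker = record.find("ParseError: ")
        brace = record.find("{", marker) if marker != -1 else -1
        if brace == -1:
            continue
        try:
            obj, _end = decoder.raw_decode(record, brace)
        except ValueError:
            continue  # a brace that does not open valid JSON
        found.append(obj)
    return found


def ldap_import_errors(debug_text):
    """Name the LDAP result code on each importLDIF exception line."""
    return [
        (op, dn, int(code), LDAP_RESULT.get(int(code), "unlisted"))
        for op, dn, code in LDAP_ERROR.findall(debug_text)
    ]


if __name__ == "__main__":
    for err in servlet_errors(SAMPLE_SPAWN_LOG):
        print(err["ClassName"], err["Code"], err["Message"])
    for row in ldap_import_errors(SAMPLE_DEBUG_LOG):
        print(row)
```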



