<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<br>
<div class="moz-cite-prefix">On 11.02.2016 13:33, Quasar wrote:<br>
</div>
<blockquote
cite="mid:CA+uTVjKrjTTi0KH8v8LdyQLAwc9yNvRrwvc5njqPmcn1rxOZ0A@mail.gmail.com"
type="cite">
<p dir="ltr">Thank you!<br>
Dodgig the dogtag guys, then ;-)</p>
</blockquote>
Do you have CA configured as external CA?<br>
<br>
It could be:<br>
<a class="moz-txt-link-freetext" href="https://bugzilla.redhat.com/show_bug.cgi?id=1291747">https://bugzilla.redhat.com/show_bug.cgi?id=1291747</a><br>
<br>
I don't think that it is already in CentOS<br>
<br>
<blockquote
cite="mid:CA+uTVjKrjTTi0KH8v8LdyQLAwc9yNvRrwvc5njqPmcn1rxOZ0A@mail.gmail.com"
type="cite">
<br>
<div class="gmail_quote">
<div dir="ltr">On Thu 11 Feb 2016 13:26 Martin Basti <<a
moz-do-not-send="true" href="mailto:mbasti@redhat.com"><a class="moz-txt-link-abbreviated" href="mailto:mbasti@redhat.com">mbasti@redhat.com</a></a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> <br>
<br>
<div>On 11.02.2016 12:51, Quasar wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_default"
style="font-family:verdana,sans-serif">Martin,<br>
<br>
</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif">I've re-tested
the replica with a freshly-installed CentOS 7 (1511).<br>
</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif">Installation
still fails (damn!) and the log is a bit more verbose.
I suppose it has something to do with the certificate in
my master server, probably due to incremental updates
done in the past.<br>
<br>
</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif"><span
style="font-family:monospace,monospace">2016-02-11T11:09:21Z
DEBUG Starting external process<br>
2016-02-11T11:09:21Z DEBUG args='/usr/sbin/pkispawn'
'-s' 'CA' '-f' '/tmp/tmpRHosRn'<br>
2016-02-11T11:10:58Z DEBUG Process finished, return
code=1<br>
2016-02-11T11:10:58Z DEBUG stdout=Log file:
/var/log/pki/pki-ca-spawn.20160211120921.log<br>
Loading deployment configuration from
/tmp/tmpRHosRn.<br>
Installing CA into /var/lib/pki/pki-tomcat.<br>
Storing deployment configuration into
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.<br>
<br>
Installation failed.<br>
<br>
<br>
2016-02-11T11:10:58Z DEBUG
stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
InsecureRequestWarning: Unverified HTTPS request is
being made. Adding certificate verification is
strongly advised. See: <a moz-do-not-send="true"
href="https://urllib3.readthedocs.org/en/latest/security.html"
target="_blank">https://urllib3.readthedocs.org/en/latest/security.html</a><br>
InsecureRequestWarning)<br>
pkispawn : WARNING ....... unable to validate
security domain user/password through REST
interface. Interface not available<br>
pkispawn : ERROR ....... Exception from Java
Configuration Servlet: 500 Server Error: Internal
Server Error<br>
pkispawn : ERROR ....... ParseError: not
well-formed (invalid token): line 1, column 0:
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error
while updating security domain: java.io.IOException:
2"} <br>
<br>
2016-02-11T11:10:58Z CRITICAL Failed to configure CA
instance: Command ''/usr/sbin/pkispawn' '-s' 'CA'
'-f' '/tmp/tmpRHosRn'' returned non-zero exit status
1<br>
2016-02-11T11:10:58Z CRITICAL See the installation
logs and the following files/directories for more
information:<br>
2016-02-11T11:10:58Z CRITICAL
/var/log/pki-ca-install.log<br>
2016-02-11T11:10:58Z CRITICAL
/var/log/pki/pki-tomcat<br>
2016-02-11T11:10:58Z DEBUG Traceback (most recent
call last):<br>
File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 418, in start_creation<br>
run_step(full_msg, method)<br>
File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 408, in run_step<br>
method()<br>
File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 620, in __spawn_instance<br>
DogtagInstance.spawn_instance(self, cfg_file)<br>
File
"/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 201, in spawn_instance<br>
self.handle_setup_error(e)<br>
File
"/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 465, in handle_setup_error<br>
raise RuntimeError("%s configuration failed." %
self.subsystem)<br>
RuntimeError: CA configuration failed.</span><br>
<br>
<div class="gmail_default"
style="font-family:verdana,sans-serif">I'm attaching
the 3 log files, as usual:<br>
</div>
<br>
<br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Feb 11, 2016 at 11:28
AM, Quasar <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:quasar7@gmail.com" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:quasar7@gmail.com">quasar7@gmail.com</a></a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div class="gmail_default"
style="font-family:verdana,sans-serif">Hi
Martin,<br>
<br>
</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif">first of
all thanks for taking some time to read and
provide feedback, much appreciated.<br>
<br>
</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif">I firstly
tried with CentOS 7.x (build 1511) but got the
same error during CA configuration. Then I
supposed I had to upgrade step-by-step, from 3.0
to 3.3 (instead of 3.0 to 4.x) and used Fedora
23, 20, 19 and 18 but with no luck.<br>
</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif">If you
need the exact logs from the CentOS 7.x migration I
can provide them to you.<br>
<br>
</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif">About the
debug log file, it was attached and these are
the final lines containing the error:<br>
<br>
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]:
getDomainXML: domainInfo=<?xml version="1.0"
encoding="UTF-8"
standalone="no"?><DomainInfo><Name>IPA</Name><CAList><CA><Host>ipaserver.it.fx.lan</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><UnSecurePort>80</UnSecurePort><Clone>FALSE</Clone><SubsystemName>pki-cad</SubsystemName><DomainManager>TRUE</DomainManager></CA><CA><Host>ipaserver-ha.it.fx.lan</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><UnSecurePort>80</UnSecurePort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><DomainManager>TRUE</DomainManager><Clone>TRUE</Clone><SubsystemName>pki-cad</SubsystemName></CA><SubsystemCount>2</SubsystemCount></CAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><RAList><SubsystemCount>0</SubsystemCount></RAList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo><br>
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]:
Cloning a domain master<br>
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]:
WizardPanelBase updateDomainXML start
hostname=ipaserver.it.fx.lan port=443<br>
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]:
updateSecurityDomain: failed to update security
domain using admin port 443:
org.xml.sax.SAXParseException; lineNumber: 1;
columnNumber: 50; White spaces are required
between publicId and systemId.<br>
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]:
updateSecurityDomain: now trying agent port with
client auth<br>
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]:
WizardPanelBase updateDomainXML start
hostname=ipaserver.it.fx.lan port=443<br>
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]:
updateDomainXML() nickname=subsystemCert
cert-pki-ca<br>
[09/Feb/2016:15:31:43][http-bio-8443-exec-3]:
WizardPanelBase updateDomainXML: status=1<span><font
color="#888888"><br>
</font></span></div>
<span><font color="#888888">
<div class="gmail_extra"><br>
<br clear="all">
<br>
-- <br>
<div>
<div dir="ltr"><span
style="font-family:verdana,sans-serif">Giuseppe
Calignano</span><br>
</div>
</div>
</div>
</font></span></div>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<div>
<div dir="ltr"><span
style="font-family:verdana,sans-serif">Giuseppe
Calignano</span><br>
</div>
</div>
</div>
</blockquote>
<br>
I'm not sure but it looks like the known bug in dogtag 9 and
10 compatibility (I will try to find related bugzillas).<br>
This should be already fixed in RHEL, so I do not know when
it will hit CentOS or if it is already there.<br>
<br>
<span style="font-family:monospace,monospace">pkispawn :
WARNING ....... unable to validate security domain
user/password through REST interface. Interface not
available<br>
pkispawn : ERROR ....... Exception from Java
Configuration Servlet: 500 Server Error: Internal Server
Error<br>
pkispawn : ERROR ....... ParseError: not well-formed
(invalid token): line 1, column 0:
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error
while updating security domain: java.io.IOException: 2"} </span><br>
<br>
But I might be wrong, Dogtag guys can you look at it please?
:-)</div>
<div text="#000000" bgcolor="#FFFFFF"><br>
<br>
Martin<br>
</div>
</blockquote>
</div>
</blockquote>
<br>
</body>
</html>