From alee at redhat.com Mon Oct 3 13:53:40 2011
From: alee at redhat.com (Ade Lee)
Date: Mon, 03 Oct 2011 09:53:40 -0400
Subject: [Pki-users] CA Cloning : Failed to setup the replication for cloning
In-Reply-To:
References:
Message-ID: <1317650020.3453.11.camel@localhost.localdomain>

This situation occasionally occurs when an error occurs on the DS side, and the replication is not started. The way the code is written, the CS will spin while continuing to wait for all the entries to be replicated over.

The upstream code has been patched with a fix for this issue as described in :
https://bugzilla.redhat.com/show_bug.cgi?id=683990
https://bugzilla.redhat.com/show_bug.cgi?id=726785

The new code checks the replication status more intelligently. It is checked into the upstream Dogtag code as well as the code for 8.2.

That said - if what you are seeing is reproducible - i.e. not just a one time blip - then we need to try and understand why the replication is failing to start. For this, I'll need debug and catalina logs for the master and clone, as well as DS logs for both.

Ade

On Thu, 2011-09-29 at 11:12 -0400, Patrick.Raspante at gdc4s.com wrote:
> I've been working through the steps in this document:
> http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.0/html/Install_Guide/cloning-a-ca.html
>
> Made it through step 11. Stuck on the step where the wizard connects to my new directory server instance. CA hangs and spins forever, eventually erroring with "Failed to setup the replication for cloning".
>
> I think I'm running into similar issues found in these bug-zillas:
> https://bugzilla.redhat.com/show_bug.cgi?id=487739
> https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=486191
> http://www.redhat.com/archives/fedora-directory-users/2009-May/msg00128.html -- (I'm not using local host for the fqdn though)
>
> I mentioned before that I'm using CS 8.0 GA.
>
> pki-ca-8.0.3-1.el5pki
> pki-common-8.0.3-3.el5pki
>
> I've been told that the above issues have been already resolved in the 8.0 GA release.
>
> Looking through my GDd directory server access and debug logs, I see the new GD CA sets up the new CA backend in the directory server, and then does the indexing, but the subsequent replication agreement setup never begins.
>
> Master = GD-CA-1
> Clone = GD-CA-2
>
> ## Log snippets from the GD-CA-2 directory server:
>
> ==> errors <==
> [28/Sep/2011:18:53:28 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
> [28/Sep/2011:18:53:28 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Finished indexing.
> [28/Sep/2011:19:07:54 +0000] - slapd shutting down - signaling operation threads
> [28/Sep/2011:19:07:54 +0000] - slapd shutting down - waiting for 22 threads to terminate
> [28/Sep/2011:19:07:54 +0000] - slapd shutting down - closing down internal subsystems and plugins
> [28/Sep/2011:19:07:54 +0000] - Waiting for 4 database threads to stop
> [28/Sep/2011:19:07:54 +0000] - All database threads now stopped
> [28/Sep/2011:19:07:54 +0000] - slapd stopped.
> [28/Sep/2011:19:07:59 +0000] - Red Hat-Directory/8.1.0 B2009.111.1832 starting up
> [28/Sep/2011:19:07:59 +0000] - slapd started. Listening on All Interfaces port 3389 for LDAP requests
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (allCerts-GD-CA-2).
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (allExpiredCerts-GD-CA-2).
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (allInvalidCerts-GD-CA-2).
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (allInValidCertsNotBefore-GD-CA-2).
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (allNonRevokedCerts-GD-CA-2).
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (allRevokedCaCerts-GD-CA-2).
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (allRevokedCerts-GD-CA-2).
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (allRevokedCertsNotAfter-GD-CA-2).
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (allRevokedExpiredCerts-GD-CA-2).
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (allRevokedOrRevokedExpiredCaCerts-GD-CA-2).
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (allRevokedOrRevokedExpiredCerts-GD-CA-2).
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (allValidCerts-GD-CA-2).
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (allValidCertsNotAfter-GD-CA-2).
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (allValidOrRevokedCerts-GD-CA-2).
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (caAll-GD-CA-2).
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (caCanceled-GD-CA-2).
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (caCanceledEnrollment-GD-CA-2).
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (caCanceledRenewal-GD-CA-2).
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (caCanceledRevocation-GD-CA-2).
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (caComplete-GD-CA-2).
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (caCompleteEnrollment-GD-CA-2).
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (caCompleteRenewal-GD-CA-2).
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (caCompleteRevocation-GD-CA-2).
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (caEnrollment-GD-CA-2).
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (caPending-GD-CA-2).
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (caPendingEnrollment-GD-CA-2).
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (caPendingRenewal-GD-CA-2).
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (caPendingRevocation-GD-CA-2).
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (caRejected-GD-CA-2).
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (caRejectedEnrollment-GD-CA-2).
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (caRejectedRenewal-GD-CA-2).
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (caRejectedRevocation-GD-CA-2).
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (caRenewal-GD-CA-2).
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Index.
> [28/Sep/2011:19:11:36 +0000] - Deleted Virtual List View Search (caRevocation-GD-CA-2).
> [28/Sep/2011:19:11:37 +0000] - ldbm: Bringing GD-ca-1.mydomain.com-GD-CA-1 offline...
> [28/Sep/2011:19:11:37 +0000] - ldbm: removing 'GD-ca-1.mydomain.com-GD-CA-1'.
> [28/Sep/2011:19:11:37 +0000] - Destructor for instance GD-ca-1.mydomain.com-GD-CA-1 called
> [28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: allCerts-GD-CA-2Index
> [28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: allExpiredCerts-GD-CA-2Index
> [28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: allInvalidCerts-GD-CA-2Index
> [28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: allInValidCertsNotBefore-GD-CA-2Index
> [28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: allNonRevokedCerts-GD-CA-2Index
> [28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: allRevokedCaCerts-GD-CA-2Index
> [28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: allRevokedCerts-GD-CA-2Index
> [28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: allRevokedCertsNotAfter-GD-CA-2Index
> [28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: allRevokedExpiredCerts-GD-CA-2Index
> [28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: allRevokedOrRevokedExpiredCaCerts-GD-CA-2Index
> [28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: allRevokedOrRevokedExpiredCerts-GD-CA-2Index
> [28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: allValidCerts-GD-CA-2Index
> [28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: allValidCertsNotAfter-GD-CA-2Index
> [28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: allValidOrRevokedCerts-GD-CA-2Index
> [28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: caAll-GD-CA-2Index
> [28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: caCanceled-GD-CA-2Index
> [28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: caCanceledEnrollment-GD-CA-2Index
> [28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: caCanceledRenewal-GD-CA-2Index
> [28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: caCanceledRevocation-GD-CA-2Index
> [28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: caComplete-GD-CA-2Index
> [28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: caCompleteEnrollment-GD-CA-2Index
> [28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: caCompleteRenewal-GD-CA-2Index
> [28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: caCompleteRevocation-GD-CA-2Index
> [28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: caEnrollment-GD-CA-2Index
> [28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: caPending-GD-CA-2Index
> [28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: caPendingEnrollment-GD-CA-2Index
> [28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: caPendingRenewal-GD-CA-2Index
> [28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: caPendingRevocation-GD-CA-2Index
> [28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: caRejected-GD-CA-2Index
> [28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: caRejectedEnrollment-GD-CA-2Index
> [28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: caRejectedRenewal-GD-CA-2Index
> [28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: caRejectedRevocation-GD-CA-2Index
> [28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: caRenewal-GD-CA-2Index
> [28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing VLV: caRevocation-GD-CA-2Index
> [28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
> [28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
> [28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
> [28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
> [28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
> [28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
> [28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
> [28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
> [28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
> [28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
> [28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
> [28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
> [28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
> [28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=certificaterepository,ou=ca,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
> [28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
> [28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
> [28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
> [28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
> [28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
> [28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
> [28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
> [28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
> [28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
> [28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
> [28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
> [28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
> [28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
> [28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
> [28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
> [28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
> [28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
> [28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
> [28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
> [28/Sep/2011:19:11:39 +0000] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1'; entry ou=ca,ou=requests,dc=GD-ca-1.mydomain.com-GD-ca-1 may not be added to the database yet.
> [28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Finished indexing.
>
> ...
>
> ==> access <==
>
> ...
>
> [28/Sep/2011:19:11:39 +0000] conn=24 op=85 ADD dn="cn=caRejected-GD-CA-2Index, cn=caRejected-GD-CA-2, cn=GD-ca-1.mydomain.com-GD-CA-1, cn=ldbm database, cn=plugins, cn=config"
> [28/Sep/2011:19:11:39 +0000] conn=24 op=85 RESULT err=0 tag=105 nentries=0 etime=0
> [28/Sep/2011:19:11:39 +0000] conn=24 op=86 ADD dn="cn=caRejectedEnrollment-GD-CA-2Index, cn=caRejectedEnrollment-GD-CA-2, cn=GD-ca-1.mydomain.com-GD-CA-1, cn=ldbm database, cn=plugins, cn=config"
> [28/Sep/2011:19:11:39 +0000] conn=24 op=86 RESULT err=0 tag=105 nentries=0 etime=0
> [28/Sep/2011:19:11:39 +0000] conn=24 op=87 ADD dn="cn=caRejectedRenewal-GD-CA-2Index, cn=caRejectedRenewal-GD-CA-2, cn=GD-ca-1.mydomain.com-GD-CA-1, cn=ldbm database, cn=plugins, cn=config"
> [28/Sep/2011:19:11:39 +0000] conn=24 op=87 RESULT err=0 tag=105 nentries=0 etime=0
> [28/Sep/2011:19:11:39 +0000] conn=24 op=88 ADD dn="cn=caRejectedRevocation-GD-CA-2Index, cn=caRejectedRevocation-GD-CA-2, cn=GD-ca-1.mydomain.com-GD-CA-1, cn=ldbm database, cn=plugins, cn=config"
> [28/Sep/2011:19:11:39 +0000] conn=24 op=88 RESULT err=0 tag=105 nentries=0 etime=0
> [28/Sep/2011:19:11:39 +0000] conn=24 op=89 ADD dn="cn=caRenewal-GD-CA-2Index, cn=caRenewal-GD-CA-2, cn=GD-ca-1.mydomain.com-GD-CA-1, cn=ldbm database, cn=plugins, cn=config"
> [28/Sep/2011:19:11:39 +0000] conn=24 op=89 RESULT err=0 tag=105 nentries=0 etime=0
> [28/Sep/2011:19:11:39 +0000] conn=24 op=90 ADD dn="cn=caRevocation-GD-CA-2Index, cn=caRevocation-GD-CA-2, cn=GD-ca-1.mydomain.com-GD-CA-1, cn=ldbm database, cn=plugins, cn=config"
> [28/Sep/2011:19:11:39 +0000] conn=24 op=90 RESULT err=0 tag=105 nentries=0 etime=0
> [28/Sep/2011:19:11:39 +0000] conn=24 op=91 ADD dn="cn=index1160589769, cn=index, cn=tasks, cn=config"
> [28/Sep/2011:19:11:39 +0000] conn=24 op=91 RESULT err=0 tag=105 nentries=0 etime=0
> [28/Sep/2011:19:11:40 +0000] conn=24 op=92 SRCH base="cn=index1160589769, cn=index, cn=tasks, cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
> [28/Sep/2011:19:11:40 +0000] conn=24 op=92 RESULT err=0 tag=101 nentries=1 etime=0
> [28/Sep/2011:19:11:40 +0000] conn=24 op=93 UNBIND
> [28/Sep/2011:19:11:40 +0000] conn=24 op=93 fd=80 closed - U1
>
> ## And that's it.
>
> ## I never get to this stage ( this is from making clones of brand new CA and DS instances - not an existing master CA):
>
> [24/Sep/2011:16:46:28 +0000] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-mydomain.com-GD-CA-3" (GD-ds-1:3389): Replica has a different generation ID than the local data.
> [24/Sep/2011:16:46:29 +0000] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=mydomain.com-GD-ca-2 is going offline; disabling replication
> [24/Sep/2011:16:46:29 +0000] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
> [24/Sep/2011:16:46:33 +0000] - import mydomain.com-GD-CA-2: Workers finished; cleaning up...
> [24/Sep/2011:16:46:34 +0000] - import mydomain.com-GD-CA-2: Workers cleaned up.
> [24/Sep/2011:16:46:34 +0000] - import mydomain.com-GD-CA-2: Indexing complete. Post-processing...
> [24/Sep/2011:16:46:34 +0000] - import mydomain.com-GD-CA-2: Flushing caches...
> [24/Sep/2011:16:46:34 +0000] - import mydomain.com-GD-CA-2: Closing files...
> [24/Sep/2011:16:46:34 +0000] - import mydomain.com-GD-CA-2: Import complete. Processed 57 entries in 4 seconds. (14.25 entries/sec)
> [24/Sep/2011:16:46:34 +0000] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=mydomain.com-GD-ca-2 is coming online; enabling replication
>
> Thanks,
> Patrick
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From awnuk at redhat.com Mon Oct 3 23:13:50 2011
From: awnuk at redhat.com (Andrew Wnuk)
Date: Mon, 03 Oct 2011 16:13:50 -0700
Subject: [Pki-users] Subject content ? Where are ST and L ?
In-Reply-To: <4E83A5B1.6090407@iseek.com.au>
References: <4E83A5B1.6090407@iseek.com.au>
Message-ID: <4E8A41AE.5040404@redhat.com>

On 09/28/2011 03:54 PM, Thomas Guthmann wrote:
> Hi,
>
> Before using dogtag 1.3, I used CA.pl or tinyCA and in the subject we had STate and Location which seem to not exist anymore when I create a user certificate (profile=caUserCert). Is STate and Location deprecated by any RFCs or has it proved useless for a user cert ?
>
> With dogtag 1.3 we can only enable/disable the following inputs in the Subject by tuning the profile :
> * UID (the LDAP directory user ID)
> * Email
> * Common Name (the name of the user)
> * Organizational Unit
> * Organization (the organization name)
> * Country (the country where the user is located)
> Ref:
>
> So my questions are :
> 1. is it possible to enable ST and L in the subject for a user cert ?
> 2. If not, is there an alternative ?

Thomas,

You may need to customize the following file:
pki/base/common/src/com/netscape/cms/profile/input/SubjectNameInput.java

> I hope it is not too noob-ish questions :)
>
> Cheers,
> Thomas
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
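
Added example, not part of either message above and not Dogtag or Directory Server code: for the CA cloning thread at the top of this page, a triage script that reads a Directory Server errors log (including one pasted from a quoted e-mail, as in the thread) and reports whether the clone got past indexing into replication initialization. The function names and stage labels are made up for this sketch, and it assumes, from the logs quoted in the thread, that `NSMMReplicationPlugin` lines and an `Import complete.` line mark the stage the stuck clone never reached; the sample lines are abridged from those logs.

```python
import re
from datetime import datetime

# Errors-log record: "[28/Sep/2011:19:11:39 +0000] <component> - <message>".
# The component field is empty for core slapd messages.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<comp>\S*?)\s*-\s+(?P<msg>.*)$")
QUOTE_RE = re.compile(r"^(?:>\s?)+")  # leading e-mail quote markers


def records(text):
    """Return [(timestamp, component, message)] from a DS errors log.

    Accepts text pasted from a mail: '>' markers are stripped and wrapped
    continuation lines are joined back onto the record they belong to.
    """
    joined = []
    for raw in text.splitlines():
        line = QUOTE_RE.sub("", raw).strip()
        if not line or line.startswith(("==>", "##")):
            continue  # blank quoted lines, tail(1) banners, poster's notes
        if line.startswith("["):
            joined.append(line)
        elif joined:
            joined[-1] += " " + line  # continuation of a wrapped record
    out = []
    for line in joined:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            out.append((ts, m["comp"], m["msg"]))
    return out


def clone_stage(text):
    """Classify how far the clone's DS got (hypothetical stage labels)."""
    indexed_at = repl_at = imported_at = None
    for ts, comp, msg in records(text):
        if msg.endswith("Finished indexing."):
            indexed_at = ts
        elif comp == "NSMMReplicationPlugin" and repl_at is None:
            repl_at = ts
        elif msg.startswith("import ") and "Import complete." in msg:
            imported_at = ts
    if imported_at:
        stage = "initialized"          # total update from the master ran
    elif repl_at:
        stage = "replication_started"  # agreement active, no import yet
    elif indexed_at:
        stage = "indexed_only"         # the hang described in the thread
    else:
        stage = "no_activity"
    return {"stage": stage, "indexed_at": indexed_at,
            "replication_at": repl_at, "imported_at": imported_at}


# Sample input abridged from the thread, kept in its quoted, wrapped form.
STUCK_FROM_MAIL = """\
> ==> errors <==
> [28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Indexing
> VLV: caRevocation-GD-CA-2Index
>
> [28/Sep/2011:19:11:39 +0000] - GD-ca-1.mydomain.com-GD-CA-1: Finished
> indexing.
"""

# Sample input abridged from the "stage I never get to" log in the thread.
HEALTHY = """
[24/Sep/2011:16:46:28 +0000] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-mydomain.com-GD-CA-3" (GD-ds-1:3389): Replica has a different generation ID than the local data.
[24/Sep/2011:16:46:34 +0000] - import mydomain.com-GD-CA-2: Import complete. Processed 57 entries in 4 seconds. (14.25 entries/sec)
[24/Sep/2011:16:46:34 +0000] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=mydomain.com-GD-ca-2 is coming online; enabling replication
"""

if __name__ == "__main__":
    for name, log in (("stuck", STUCK_FROM_MAIL), ("healthy", HEALTHY)):
        print(name, clone_stage(log)["stage"])
```

A result of `indexed_only` on the clone's errors log matches the symptom reported in the thread and is the point at which the master's and clone's DS logs are worth collecting together.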