[Pki-users] Unable to retrieve CA chain: request failed with HTTP status 500

Marc Sauton msauton at redhat.com
Tue Aug 29 20:14:06 UTC 2017


It seems this may be in the context of IPA; which versions are on the replica that
fails to install and on the master?
cat /etc/redhat-release ; rpm -q ipa-server pki-ca ; ls -l /etc/alternatives/java

There are several LDAP errors 68 and 20 about existing entries; try to first
uninstall the IPA replica before re-installing.

I will add some more notes, but it really seems an IPA replica
install/configuration failed, and it should be removed before trying again.
Thanks,
M.

extra notes:

The CA debug log seems to show other errors that are unrelated to the
ipa-replica-install command with "RuntimeError: Unable to retrieve CA
chain: request failed with HTTP status 500".
Try to get more lines before that error in the log file
/var/log/ipareplica-install.log
and check if there are any matching entries in
/var/log/httpd/error_log

Otherwise, on the system with the error
[22/Aug/2017:17:13:08][SerialNumberUpdateTask]: DBSubsystem: getNextRange.
Unable to provide next range :netscape.ldap.LDAPException: error result (68)
try to match the LDAP messages related to that time stamp and with err=68,
find the conn=xx and match the corresponding search that generated the
"already exist" error; it would be interesting to see the filter and base
DN in that search.
It should be one of the LDAP connections bound, for example, as "TLS1.2
client bound as uid=pkidbuser,ou=people,o=ipaca",
and it should, for example, have LDAP searches in
"ou=certificateRepository,ou=ranges,o=ipaca" and
"ou=requests,ou=ranges,o=ipaca".

On the master, try to list the DNA ranges that are available:
ipa-replica-manage dnarange-show
It should list, for example,
ipaserver1.example.com: aaaaaa-bbbbb
ipaserver2.example.com: cccccc-dddddd
and there should be no common ranges.

see:
14.3. Displaying Currently Assigned ID Ranges
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/display-id-range.html

and
14.5. Manual ID Range Extension and Assigning a New ID Range
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/man-set-extend-id-ranges.html

Example of what we should see in /var/log/pki/pki-tomcat/ca/debug
for getNextRange:
[09/Mar/2017:02:49:31][localhost-startStop-1]: DBSubsystem: getNextRange
 Next range has been added: 10000001 - 20000000


On Tue, Aug 29, 2017 at 8:56 AM, pgb205 <pgb205 at yahoo.com> wrote:

> I have an install that fails at the following stage:
> importing CA chain to RA certificate database
>   [error] RuntimeError: Unable to retrieve CA chain: request failed with
> HTTP status 500
>
> the logs are not showing anything obvious
> 22/Aug/2017:17:02:52][http-bio-8443-exec-3]: importLDIFS(): LDAP Errors
> in importing /var/lib/pki/pki-tomcat/ca/conf/manager.ldif
> [22/Aug/2017:17:02:52][http-bio-8443-exec-3]: LDAPUtil:importLDIF:
> exception in adding entry ou=csusers,cn=config:netscape.ldap.LDAPException:
> error result (68)
> [22/Aug/2017:17:02:52][http-bio-8443-exec-3]: LDAPUtil:importLDIF:
> exception in modifying entry o=ipaca:netscape.ldap.LDAPException: error
> result (20)
> [22/Aug/2017:17:02:52][http-bio-8443-exec-3]: init: before makeConnection
> errorIfDown is false
> [22/Aug/2017:17:02:52][http-bio-8443-exec-3]: makeConnection: errorIfDown
> false
> [22/Aug/2017:17:02:57][http-bio-8443-exec-3]: init: before makeConnection
> errorIfDown is true
> [22/Aug/2017:17:02:57][http-bio-8443-exec-3]: makeConnection: errorIfDown
> true
> [22/Aug/2017:17:02:57][http-bio-8443-exec-3]: init: before makeConnection
> errorIfDown is false
> [22/Aug/2017:17:02:57][http-bio-8443-exec-3]: makeConnection: errorIfDown
> false
> [22/Aug/2017:17:02:57][http-bio-8443-exec-3]: init: before makeConnection
> errorIfDown is false
> [22/Aug/2017:17:02:57][http-bio-8443-exec-3]: makeConnection: errorIfDown
> false
> [22/Aug/2017:17:02:58][http-bio-8443-exec-3]: init: before makeConnection
> errorIfDown is false
> [22/Aug/2017:17:02:58][http-bio-8443-exec-3]: makeConnection: errorIfDown
> false
> [22/Aug/2017:17:03:07][localhost-startStop-1]: init: before
> makeConnection errorIfDown is true
> [22/Aug/2017:17:03:07][localhost-startStop-1]: makeConnection:
> errorIfDown true
> [22/Aug/2017:17:03:07][localhost-startStop-1]: init: before
> makeConnection errorIfDown is false
> [22/Aug/2017:17:03:07][localhost-startStop-1]: makeConnection:
> errorIfDown false
> [22/Aug/2017:17:03:08][localhost-startStop-1]: init: before
> makeConnection errorIfDown is false
> [22/Aug/2017:17:03:08][localhost-startStop-1]: makeConnection:
> errorIfDown false
> [22/Aug/2017:17:03:08][localhost-startStop-1]: init: before
> makeConnection errorIfDown is false
> [22/Aug/2017:17:03:08][localhost-startStop-1]: makeConnection:
> errorIfDown false
> [22/Aug/2017:17:03:08][profileChangeMonitor]: Start Profile Creation -
> caDirUserRenewal caEnrollImpl com.netscape.cms.profile.
> common.CAEnrollProfile
> [22/Aug/2017:17:03:08][profileChangeMonitor]: Done Profile Creation -
> caDirUserRenewal
> [22/Aug/2017:17:03:08][profileChangeMonitor]: Start Profile Creation -
> IECUserRoles caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
> [22/Aug/2017:17:03:08][profileChangeMonitor]: Done Profile Creation -
> IECUserRoles
> [22/Aug/2017:17:03:08][localhost-startStop-1]: init: before
> makeConnection errorIfDown is false
> [22/Aug/2017:17:03:08][localhost-startStop-1]: makeConnection:
> errorIfDown false
> [22/Aug/2017:17:03:09][localhost-startStop-1]: init: before
> makeConnection errorIfDown is false
> [22/Aug/2017:17:03:09][localhost-startStop-1]: makeConnection:
> errorIfDown false
> [22/Aug/2017:17:03:09][localhost-startStop-1]: init: before
> makeConnection errorIfDown is false
> [22/Aug/2017:17:03:09][localhost-startStop-1]: makeConnection:
> errorIfDown false
> [22/Aug/2017:17:03:09][localhost-startStop-1]: DBSubsystem: getNextRange.
> Unable to provide next range :netscape.ldap.LDAPException: error result (68)
> [22/Aug/2017:17:13:08][SerialNumberUpdateTask]: DBSubsystem:
> getNextRange. Unable to provide next range :netscape.ldap.LDAPException:
> error result (68)
>
> and
>
> [23/Aug/2017:15:24:09][CertStatusUpdateTask]: returnConn: mNumConns now 5
> [23/Aug/2017:15:24:09][CertStatusUpdateTask]: DBVirtualList: searching
> for entry 20170823152409Z
> [23/Aug/2017:15:24:09][CertStatusUpdateTask]: DBVirtualList.getEntries()
> [23/Aug/2017:15:24:09][CertStatusUpdateTask]: DBVirtualList: entries: 1
> [23/Aug/2017:15:24:09][CertStatusUpdateTask]: DBVirtualList: top: 0
> [23/Aug/2017:15:24:09][CertStatusUpdateTask]: DBVirtualList: size: 640
> [23/Aug/2017:15:24:09][CertStatusUpdateTask]:
> transitRevokedExpiredCertificates: list size: 640
> [23/Aug/2017:15:24:09][CertStatusUpdateTask]:
> transitRevokedExpiredCertificates: ltSize 1
> [23/Aug/2017:15:24:09][CertStatusUpdateTask]: transitRevokedExpired:
> curRec: 0 CertRecord:     76
> [23/Aug/2017:15:24:09][CertStatusUpdateTask]: Record does not
> qualify,notAfter Mon Aug 28 16:47:53 UTC 2017 date Wed Aug 23 15:24:09 UTC
> 2017
> [23/Aug/2017:15:24:09][CertStatusUpdateTask]: transitCertList
> REVOKED_EXPIRED
> [23/Aug/2017:15:24:09][CertStatusUpdateTask]: updateCertStatus done
>
> I have full logs if necessary, but I'm unable to determine the cause of
> the failure. Asking on the FreeIPA forums, this is a problem on the CA server,
> but that's as far as I got with this.
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
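As an added example, not from this thread and not code from the pki or FreeIPA projects, here is a small Python script that performs the two checks the reply above describes: it pairs each err=68 RESULT in a 389-ds style access log with the request on the same conn/op (ADD dn or SRCH base and filter) and with the identity the connection bound as, and it checks dnarange-show style "host: start-end" lines for overlapping ranges. The access log lines, hostnames and ranges are constructed for the example; the field layout follows the usual 389-ds access log format, but the values are invented.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed 389-ds style access log (not taken from the thread): one CA
# connection that binds as pkidbuser and then gets err=68 on two ADD operations.
SAMPLE_ACCESS_LOG = """\
[22/Aug/2017:17:02:52 +0000] conn=12 fd=64 slot=64 SSL connection from 10.0.0.5 to 10.0.0.1
[22/Aug/2017:17:02:52 +0000] conn=12 TLS1.2 128-bit AES
[22/Aug/2017:17:02:52 +0000] conn=12 op=0 BIND dn="uid=pkidbuser,ou=people,o=ipaca" method=128 version=3
[22/Aug/2017:17:02:52 +0000] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=pkidbuser,ou=people,o=ipaca"
[22/Aug/2017:17:02:52 +0000] conn=12 op=1 ADD dn="ou=csusers,cn=config"
[22/Aug/2017:17:02:52 +0000] conn=12 op=1 RESULT err=68 tag=105 nentries=0 etime=0
[22/Aug/2017:17:03:09 +0000] conn=12 op=2 SRCH base="ou=certificateRepository,ou=ranges,o=ipaca" scope=1 filter="(objectClass=pkiRange)" attrs=ALL
[22/Aug/2017:17:03:09 +0000] conn=12 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[22/Aug/2017:17:03:09 +0000] conn=12 op=3 ADD dn="cn=10000001,ou=certificateRepository,ou=ranges,o=ipaca"
[22/Aug/2017:17:03:09 +0000] conn=12 op=3 RESULT err=68 tag=105 nentries=0 etime=0
[22/Aug/2017:17:03:09 +0000] conn=13 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[22/Aug/2017:17:03:09 +0000] conn=13 op=0 RESULT err=49 tag=97 nentries=0 etime=0
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')   # quoted key="value" fields (dn=, base=, filter=)


@dataclass
class Finding:
    ts: str
    conn: int
    op: int
    err: int
    bound_as: Optional[str]   # DN the connection bound as (None if no successful BIND seen)
    kind: str                 # ADD, SRCH, MOD, BIND, ...
    target: Optional[str]     # dn= for ADD/MOD/BIND, base= for SRCH
    filter: Optional[str]     # filter= for SRCH, otherwise None


def correlate_errors(log_text, wanted=(68,)):
    """Pair every RESULT with err in `wanted` with the request that produced it
    (same conn= and op=) and with the identity that connection bound as."""
    pending_bind = {}   # conn -> dn requested in the last BIND on that connection
    bound_as = {}       # conn -> dn after the BIND returned err=0
    requests = {}       # (conn, op) -> request text, e.g. 'ADD dn="..."'
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m['op'] is None:
            continue   # connection-level lines (fd=, TLS, closed) carry no op=
        conn, op, rest = int(m['conn']), int(m['op']), m['rest']
        if not rest.startswith('RESULT '):
            requests[(conn, op)] = rest
            if rest.startswith('BIND '):
                pending_bind[conn] = dict(KV_RE.findall(rest)).get('dn')
            continue
        err = int(re.search(r'err=(\d+)', rest).group(1))
        if err == 0 and requests.get((conn, op), '').startswith('BIND '):
            bound_as[conn] = pending_bind.get(conn)
        if err in wanted:
            req = requests.get((conn, op), '')
            kind = req.split(' ', 1)[0] if req else 'UNKNOWN'
            fields = dict(KV_RE.findall(req))
            target = fields.get('base') if kind == 'SRCH' else fields.get('dn')
            findings.append(Finding(m['ts'], conn, op, err, bound_as.get(conn),
                                    kind, target, fields.get('filter')))
    return findings


RANGE_RE = re.compile(r'^(?P<host>\S+):\s*(?P<lo>\d+)-(?P<hi>\d+)$')

# Constructed sample in the "host: start-end" shape of dnarange-show output;
# the third server was given a range that intersects the second one's.
SAMPLE_DNARANGE = """\
ipaserver1.example.com: 1000-1499
ipaserver2.example.com: 1500-1999
ipaserver3.example.com: 1800-2299
"""


def overlapping_dna_ranges(dnarange_output):
    """Return (host, host) pairs whose closed ranges intersect; empty means
    the 'no common ranges' condition from the reply holds."""
    ranges = []
    for line in dnarange_output.splitlines():
        m = RANGE_RE.match(line.strip())
        if m:
            ranges.append((m['host'], int(m['lo']), int(m['hi'])))
    overlaps = []
    for i, (h1, lo1, hi1) in enumerate(ranges):
        for h2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                overlaps.append((h1, h2))
    return overlaps


if __name__ == '__main__':
    for f in correlate_errors(SAMPLE_ACCESS_LOG):
        print(f"{f.ts} conn={f.conn} op={f.op} err={f.err} as {f.bound_as}: "
              f"{f.kind} {f.target} {f.filter or ''}")
    print("overlapping ranges:", overlapping_dna_ranges(SAMPLE_DNARANGE))
```

To run it against a real server, replace SAMPLE_ACCESS_LOG with the contents of the directory server access log for the time stamp in the CA debug message and SAMPLE_DNARANGE with the output of ipa-replica-manage dnarange-show; the err=68 findings show which entry the CA tried to add (or which base and filter it searched) under which bind identity, which is the information the reply asks for.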