From vlk at lcpe.uni-sofia.bg Mon Sep 25 05:53:28 2017
From: vlk at lcpe.uni-sofia.bg (Vesselin Kolev)
Date: Sun, 24 Sep 2017 22:53:28 -0700
Subject: [Pki-users] Cannot install Dogtag on CentOS 7.4.1708
Message-ID:

Hello All,

I think something is wrong with the dogtag packages included in the new CentOS 7 release. Once CentOS 7.4.1708 arrived in the distro repositories we got our systems updated. But when we rebooted the PKI infrastructure server nodes we realized that pki-tomcat somehow cannot load the certificates and some of the other settings.

We started analyzing the problem by presuming that we made some mistake in the configuration, but when we tried to create a CA subsystem from scratch on a freshly installed system (CentOS 7.4.1708, 389 server, and the pki-* packages installed), we failed:

  Subsystem (CA/KRA/OCSP/TKS/TPS) [CA]:

  Tomcat:
    Instance [pki-tomcat]:
    HTTP port [8080]:
    Secure HTTP port [8443]:
    AJP port [8009]:
    Management port [8005]:

  Administrator:
    Username [caadmin]:
    Password:
    Verify password:
    Import certificate (Yes/No) [N]?
    Export certificate to [/root/.dogtag/pki-tomcat/ca_admin.cert]:

  Directory Server:
    Hostname [ds.example.com]:
    Use a secure LDAPS connection (Yes/No/Quit) [N]?
    LDAP Port [389]:
    Bind DN [cn=Directory Manager]:
    Password:
    Base DN [o=pki-tomcat-CA]:

  Security Domain:
    Name [example.com Security Domain]:

  Begin installation (Yes/No/Quit)? Yes

  Log file: /var/log/pki/pki-ca-spawn.20170925074602.log
  Installing CA into /var/lib/pki/pki-tomcat.
  Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
  pkispawn    : ERROR    ....... server failed to restart

  Installation failed: server failed to restart

Note that it is a fresh installation. No customization at all. The 389 server is running and it was tested before starting the CA subsystem installation procedure. All DNS records matching the machine address are available.

I checked the spawn log file (/var/log/pki/pki-ca-spawn.20170925074602.log). Most of the entries there seem absolutely fine. The only records that show some problems are:

  2017-09-25 06:32:28 pkispawn    : INFO     ....... executing 'systemctl daemon-reload'
  2017-09-25 06:32:28 pkispawn    : INFO     ....... executing 'systemctl start pki-tomcatd@pki-tomcat.service'
  2017-09-25 06:32:29 pkispawn    : DEBUG    ........... No connection - server may still be down
  2017-09-25 06:32:29 pkispawn    : DEBUG    ........... No connection - exception thrown: 404 Client Error: Not Found
  2017-09-25 06:32:30 pkispawn    : DEBUG    ........... No connection - server may still be down
  2017-09-25 06:32:30 pkispawn    : DEBUG    ........... No connection - exception thrown: 404 Client Error: Not Found
  2017-09-25 06:32:31 pkispawn    : DEBUG    ........... No connection - server may still be down
  2017-09-25 06:32:31 pkispawn    : DEBUG    ........... No connection - exception thrown: 404 Client Error: Not Found
  ...
  2017-09-25 06:33:30 pkispawn    : ERROR    ....... server failed to restart
  2017-09-25 06:33:30 pkispawn    : DEBUG    ....... Error Type: Exception
  2017-09-25 06:33:30 pkispawn    : DEBUG    ....... Error Message: server failed to restart
  2017-09-25 06:33:30 pkispawn    : DEBUG    .......   File "/sbin/pkispawn", line 533, in main

Since that piece of information is not very specific about what exactly happens, I checked the debug log in /var/log/pki/pki-tomcat/ca/debug and found these pieces of suspicious info:

  [25/Sep/2017:07:46:56][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
  [25/Sep/2017:07:46:56][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
  [25/Sep/2017:07:46:56][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-tomcat
  [25/Sep/2017:07:46:56][localhost-startStop-1]: CMSEngine: cert not found:auditSigningCert cert-pki-tomcat
  [25/Sep/2017:07:46:56][localhost-startStop-1]: CMSEngine: Exception:org.mozilla.jss.crypto.ObjectNotFoundException
  ...
  Property internaldb.ldapconn.port missing value
  ...

I know that the "Property internaldb.ldapconn.port missing value" error is explained here http://pki.fedoraproject.org/wiki/Troubleshooting as something that could be ignored, but the spawn process does not create any new LDAP database (it is supposed to create o=pki-tomcat-CA). Moreover, except for the cn=Directory Manager DN password validation, there is not even a single attempt to connect to the 389 directory server running on the same machine.

Does anyone have experience with this?

Best,
Veselin

From aleksey.chudov at gmail.com Mon Sep 25 11:35:53 2017
From: aleksey.chudov at gmail.com (Aleksey Chudov)
Date: Mon, 25 Sep 2017 14:35:53 +0300
Subject: [Pki-users] pkiconsole does not launch on CentOS 7.4.1708
Message-ID:

Hi,

I'm trying to set up pkiconsole on CentOS 7.4.1708.
I rebuilt the pki-console and redhat-pki-console-theme packages from http://ftp.redhat.com/pub/redhat/linux/enterprise/7Server/en/RHCERT/SRPMS/

Then I placed the two packages in a local repo:

  pki-console-10.4.1-6.el7.centos.noarch.rpm
  redhat-pki-console-theme-10.4.1-1.el7.centos.noarch.rpm

Then just yum install pki-console. Now I have the following packages installed:

  $ yum list installed | grep pki
  pki-base.noarch                   10.4.1-13.el7_4       @updates
  pki-base-java.noarch              10.4.1-13.el7_4       @updates
  pki-console.noarch                10.4.1-6.el7.centos   @local
  redhat-pki-console-theme.noarch   10.4.1-1.el7.centos   @local

But pkiconsole does not launch; it fails with PKIException: Not Found:

  $ pkiconsole -D 9:all https://dogtag.example.com:8443/ca
  1 14:17:54.441 L9 (Console.java:1653) java.util.prefs.userRoot=/tmp/java
  2 14:17:54.442 (0.001) L9 (Console.java:1653) java.runtime.name=OpenJDK Runtime Environment
  3 14:17:54.443 (0.001) L9 (Console.java:1653) sun.boot.library.path=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/lib/amd64
  4 14:17:54.444 (0.001) L9 (Console.java:1653) java.vm.version=25.144-b01
  5 14:17:54.444 (0.0) L9 (Console.java:1653) java.vm.vendor=Oracle Corporation
  6 14:17:54.444 (0.0) L9 (Console.java:1653) java.vendor.url=http://java.oracle.com/
  7 14:17:54.444 (0.0) L9 (Console.java:1653) path.separator=:
  8 14:17:54.445 (0.001) L9 (Console.java:1653) java.util.logging.config.file=/usr/share/pki/etc/logging.properties
  9 14:17:54.445 (0.0) L9 (Console.java:1653) java.vm.name=OpenJDK 64-Bit Server VM
  10 14:17:54.445 (0.0) L9 (Console.java:1653) file.encoding.pkg=sun.io
  11 14:17:54.445 (0.0) L9 (Console.java:1653) user.country=US
  12 14:17:54.446 (0.001) L9 (Console.java:1653) sun.java.launcher=SUN_STANDARD
  13 14:17:54.446 (0.0) L9 (Console.java:1653) sun.os.patch.level=unknown
  14 14:17:54.446 (0.0) L9 (Console.java:1653) java.vm.specification.name=Java Virtual Machine Specification
  15 14:17:54.446 (0.0) L9 (Console.java:1653) user.dir=/home/aleksey
  16 14:17:54.446 (0.0) L9 (Console.java:1653) java.runtime.version=1.8.0_144-b01
  17 14:17:54.446 (0.0) L9 (Console.java:1653) java.awt.graphicsenv=sun.awt.X11GraphicsEnvironment
  18 14:17:54.447 (0.001) L9 (Console.java:1653) java.endorsed.dirs=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/lib/endorsed
  19 14:17:54.447 (0.0) L9 (Console.java:1653) os.arch=amd64
  20 14:17:54.447 (0.0) L9 (Console.java:1653) java.io.tmpdir=/tmp
  21 14:17:54.447 (0.0) L9 (Console.java:1653) line.separator=
  22 14:17:54.448 (0.001) L9 (Console.java:1653) java.vm.specification.vendor=Oracle Corporation
  23 14:17:54.448 (0.0) L9 (Console.java:1653) os.name=Linux
  24 14:17:54.448 (0.0) L9 (Console.java:1653) sun.jnu.encoding=UTF-8
  25 14:17:54.448 (0.0) L9 (Console.java:1653) java.library.path=/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
  26 14:17:54.448 (0.0) L9 (Console.java:1653) java.specification.name=Java Platform API Specification
  27 14:17:54.449 (0.001) L9 (Console.java:1653) java.class.version=52.0
  28 14:17:54.449 (0.0) L9 (Console.java:1653) sun.management.compiler=HotSpot 64-Bit Tiered Compilers
  29 14:17:54.449 (0.0) L9 (Console.java:1653) os.version=3.10.0-693.2.2.el7.x86_64
  30 14:17:54.449 (0.0) L9 (Console.java:1653) user.home=/home/aleksey
  31 14:17:54.449 (0.0) L9 (Console.java:1653) user.timezone=Europe/Riga
  32 14:17:54.449 (0.0) L9 (Console.java:1653) java.awt.printerjob=sun.print.PSPrinterJob
  33 14:17:54.450 (0.001) L9 (Console.java:1653) file.encoding=UTF-8
  34 14:17:54.450 (0.0) L9 (Console.java:1653) java.specification.version=1.8
  35 14:17:54.450 (0.0) L9 (Console.java:1653) java.class.path=/usr/share/java/pki/pki-console.jar:/usr/share/java/pki/pki-console-theme.jar:/usr/share/java/389-console_en.jar:/usr/share/java/idm-console-base.jar:/usr/share/java/idm-console-mcc_en.jar:/usr/share/java/idm-console-mcc.jar:/usr/share/java/idm-console-nmclf_en.jar:/usr/share/java/idm-console-nmclf.jar:/usr/share/pki/lib/commons-cli.jar:/usr/share/pki/lib/commons-codec.jar:/usr/share/pki/lib/commons-httpclient.jar:/usr/share/pki/lib/commons-io.jar:/usr/share/pki/lib/commons-lang.jar:/usr/share/pki/lib/commons-logging.jar:/usr/share/pki/lib/httpclient.jar:/usr/share/pki/lib/httpcore.jar:/usr/share/pki/lib/jackson-core-asl.jar:/usr/share/pki/lib/jackson-jaxrs.jar:/usr/share/pki/lib/jackson-mapper-asl.jar:/usr/share/pki/lib/jackson-mrbean.jar:/usr/share/pki/lib/jackson-smile.jar:/usr/share/pki/lib/jackson-xc.jar:/usr/share/pki/lib/jaxb-api.jar:/usr/share/pki/lib/jss4.jar:/usr/share/pki/lib/ldapjdk.jar:/usr/share/pki/lib/pki-certsrv.jar:/usr/share/pki/lib/pki-cmsutil.jar:/usr/share/pki/lib/pki-nsutil.jar:/usr/share/pki/lib/pki-tools.jar:/usr/share/pki/lib/resteasy-atom-provider.jar:/usr/share/pki/lib/resteasy-client.jar:/usr/share/pki/lib/resteasy-jackson-provider.jar:/usr/share/pki/lib/resteasy-jaxb-provider.jar:/usr/share/pki/lib/resteasy-jaxrs-api.jar:/usr/share/pki/lib/resteasy-jaxrs-jandex.jar:/usr/share/pki/lib/resteasy-jaxrs.jar:/usr/share/pki/lib/servlet.jar:/usr/share/pki/lib/slf4j-api.jar:/usr/share/pki/lib/slf4j-jdk14.jar
  36 14:17:54.450 (0.0) L9 (Console.java:1653) user.name=aleksey
  37 14:17:54.450 (0.0) L9 (Console.java:1653) java.vm.specification.version=1.8
  38 14:17:54.450 (0.0) L9 (Console.java:1653) sun.java.command=com.netscape.admin.certsrv.Console -D 9:all https://dogtag.example.com:8443/ca
  39 14:17:54.451 (0.001) L9 (Console.java:1653) java.home=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre
  40 14:17:54.451 (0.0) L9 (Console.java:1653) sun.arch.data.model=64
  41 14:17:54.451 (0.0) L9 (Console.java:1653) java.util.prefs.systemRoot=/tmp/.java
  42 14:17:54.451 (0.0) L9 (Console.java:1653) user.language=en
  43 14:17:54.451 (0.0) L9 (Console.java:1653) java.specification.vendor=Oracle Corporation
  44 14:17:54.452 (0.001) L9 (Console.java:1653) awt.toolkit=sun.awt.X11.XToolkit
  45 14:17:54.452 (0.0) L9 (Console.java:1653) java.vm.info=mixed mode
  46 14:17:54.452 (0.0) L9 (Console.java:1653) java.version=1.8.0_144
  47 14:17:54.452 (0.0) L9 (Console.java:1653) java.ext.dirs=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/lib/ext:/usr/java/packages/lib/ext
  48 14:17:54.452 (0.0) L9 (Console.java:1653) sun.boot.class.path=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/lib/resources.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/lib/rt.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/lib/sunrsasign.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/lib/jsse.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/lib/jce.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/lib/charsets.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/lib/jfr.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/classes
  49 14:17:54.452 (0.0) L9 (Console.java:1653) java.vendor=Oracle Corporation
  50 14:17:54.452 (0.0) L9 (Console.java:1653) file.separator=/
  51 14:17:54.453 (0.001) L9 (Console.java:1653) java.vendor.url.bug=http://bugreport.sun.com/bugreport/
  52 14:17:54.453 (0.0) L9 (Console.java:1653) sun.io.unicode.encoding=UnicodeLittle
  53 14:17:54.453 (0.0) L9 (Console.java:1653) sun.cpu.endian=little
  54 14:17:54.453 (0.0) L9 (Console.java:1653) sun.desktop=gnome
  55 14:17:54.453 (0.0) L9 (Console.java:1653) sun.cpu.isalist=
  56 14:17:54.454 (0.001) L1 (Unknown Source) ResourceSet:getString():Unable to resolve console-displayVersion
  57 14:17:54.454 (0.0) L0 (Console.java:1665) Management-Console/null B2017.257.1933
  58 14:17:54.460 (0.006) L9 (Unknown Source) ResourceSet: NOT found in cache loader118352462:com.netscape.management.client.default
  59 14:17:54.464 (0.004) L9 (Unknown Source) ResourceSet: NOT found in cache loader118352462:com.netscape.management.client.topology.topology
  60 14:17:54.469 (0.005) L9 (Unknown Source) ResourceSet: NOT found in cache loader118352462:CMSAdminRS
  61 14:17:54.501 (0.032) L9 (Unknown Source) ResourceSet: found in cache loader118352462:CMSAdminRS
  PKIException: Not Found

How do I launch pkiconsole on CentOS 7.4.1708?

Regards,
Aleksey
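A triage helper for the pkispawn failure described in the first message of this thread, added here as an example; it is not part of the thread and not Dogtag's own code. It parses the two log formats quoted in that message (the pki-ca-spawn log and the CA debug log) and pulls out the facts a diagnosis actually needs: how long pkispawn polled before giving up, what the status probe returned, the final error, which certificate nicknames CMSEngine could not find in the instance NSS database, and which CS.cfg properties were reported as missing. The sample log text is constructed from the lines quoted above (with the archive's mangled column padding normalised to spaces), and all function names are mine. Separating the probe error from the final message matters for this case: a 404 is an HTTP response, so something was listening on the port and answered, which points at the CA web application rather than at Tomcat or the network, and that is why the CA debug log, not the spawn log, carries the real reason.

```python
"""Triage helper for a failed Dogtag pkispawn run (added example, not Dogtag code)."""
import re
from datetime import datetime

# Constructed samples modelled on the log lines quoted in the first message.
SPAWN_LOG = """\
2017-09-25 06:32:28 pkispawn    : INFO     ....... executing 'systemctl daemon-reload'
2017-09-25 06:32:28 pkispawn    : INFO     ....... executing 'systemctl start pki-tomcatd@pki-tomcat.service'
2017-09-25 06:32:29 pkispawn    : DEBUG    ........... No connection - server may still be down
2017-09-25 06:32:29 pkispawn    : DEBUG    ........... No connection - exception thrown: 404 Client Error: Not Found
2017-09-25 06:32:30 pkispawn    : DEBUG    ........... No connection - server may still be down
2017-09-25 06:32:30 pkispawn    : DEBUG    ........... No connection - exception thrown: 404 Client Error: Not Found
2017-09-25 06:33:30 pkispawn    : ERROR    ....... server failed to restart
2017-09-25 06:33:30 pkispawn    : DEBUG    ....... Error Type: Exception
2017-09-25 06:33:30 pkispawn    : DEBUG    ....... Error Message: server failed to restart
2017-09-25 06:33:30 pkispawn    : DEBUG    .......   File "/sbin/pkispawn", line 533, in main
"""

DEBUG_LOG = """\
[25/Sep/2017:07:46:56][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[25/Sep/2017:07:46:56][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-tomcat
[25/Sep/2017:07:46:56][localhost-startStop-1]: CMSEngine: cert not found:auditSigningCert cert-pki-tomcat
[25/Sep/2017:07:46:56][localhost-startStop-1]: CMSEngine: Exception:org.mozilla.jss.crypto.ObjectNotFoundException
Property internaldb.ldapconn.port missing value
"""

# "<timestamp> pkispawn : <LEVEL> ....... <message>"; the dots are indentation.
SPAWN_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) pkispawn\s*:\s*"
    r"(?P<level>[A-Z]+)\s+\.+\s*(?P<msg>.*)$"
)
PROBE_ERROR = re.compile(r"exception thrown: (?P<err>.+)$")
CERT_NOT_FOUND = re.compile(r"CMSEngine: cert not found:(?P<nick>.+)$")
MISSING_PROPERTY = re.compile(r"Property (?P<prop>\S+) missing value")


def parse_spawn_log(text):
    """Return one dict per pkispawn log line: timestamp, level, message."""
    entries = []
    for line in text.splitlines():
        m = SPAWN_LINE.match(line)
        if m:
            entries.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "level": m["level"],
                "msg": m["msg"].strip(),
            })
    return entries


def summarize_restart_failure(entries):
    """Condense the restart-polling noise into the facts needed for diagnosis."""
    start = next((e for e in entries
                  if e["msg"].startswith("executing 'systemctl start")), None)
    final = next((e for e in entries if e["level"] == "ERROR"), None)
    probes = [e for e in entries
              if e["msg"].startswith("No connection - server may still be down")]
    # Distinct errors the status probe saw. An HTTP status such as 404 means
    # something answered on the port; a refused connection would look different.
    errors = set()
    for e in entries:
        m = PROBE_ERROR.search(e["msg"])
        if m:
            errors.add(m["err"])
    waited = None
    if start and final:
        waited = int((final["ts"] - start["ts"]).total_seconds())
    return {
        "probe_count": len(probes),
        "probe_errors": sorted(errors),
        "wait_seconds": waited,
        "final_error": final["msg"] if final else None,
    }


def find_missing_certs(text):
    """Nicknames CMSEngine could not find in the instance NSS database."""
    found = []
    for line in text.splitlines():
        m = CERT_NOT_FOUND.search(line)
        if m:
            found.append(m["nick"].strip())
    return found


def find_missing_properties(text):
    """CS.cfg properties the server reported as having no value."""
    return [m["prop"] for m in MISSING_PROPERTY.finditer(text)]


if __name__ == "__main__":
    summary = summarize_restart_failure(parse_spawn_log(SPAWN_LOG))
    for key, value in summary.items():
        print(f"{key:>13}: {value}")
    print("missing certs:", find_missing_certs(DEBUG_LOG))
    print("missing props:", find_missing_properties(DEBUG_LOG))
```

To use it on a live failure, feed parse_spawn_log the contents of the /var/log/pki/pki-ca-spawn.*.log file that pkispawn names, and feed the two find_* functions the CA debug log (/var/log/pki/pki-tomcat/ca/debug on the default instance, the path the first message used). The nicknames it reports are the ones to look for with certutil -L -d against the instance's NSS database; if they are absent there while the spawn log shows 404 probes, the certificate import step, not LDAP connectivity, is where the installation stopped.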