Guillermo Fuentes via FreeIPA-users wrote:
> Hi Flo,
> Here is the value of the entry:
> # certificateRepository, ca, ipaca
> dn: ou=certificateRepository,ou=ca,o=ipaca
> objectClass: top
> objectClass: repository
> ou: certificateRepository
> serialno: 09268369921
> nextRange: e0000001
>
> The value of nextRange was modified by hand to fix another issue.
> According to this
> https://frasertweedale.github.io/blog-redhat/posts/2019-07-26-dogtag-replica-ranges.html
> it should be hexadecimal.

Maybe try an upper-case E.

rob

>
> If the code is expecting a decimal value, I'm assuming converting the
> range from hex to decimal should do it, right? I'll also check for
> conflicts.
>
> Thanks!
> Guillermo
>
> On Mon, Jul 6, 2020 at 12:35 PM Florence Blanc-Renaud <[email protected]> wrote:
>>
>> On 7/6/20 5:18 PM, Guillermo Fuentes via FreeIPA-users wrote:
>>> Hi all,
>>>
>>> I'm having an issue creating a new replica with CA.
>>> The Directory Service installation works fine but adding the CA clone
>>> fails with a java.lang.NumberFormatException when getting the serial
>>> number range.
>>>
>>> This is the error logged in /var/log/pki/pki-tomcat/ca/debug:
>>> ######
>>> ...
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: retrieving ou=ca, ou=requests,o=ipaca
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: updating nextRange from 80000001 to 90000001
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: adding new range object: cn=80000001,ou=requests, ou=ranges,o=ipaca
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: getNextRange Next range has been added: 80000001 - 90000000
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Releasing ldap connection
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: returnConn: mNumConns now 3
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: next range: 80000001
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Next min serial number: 80000001
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: Setting next min requests number: 80000001
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: Setting next max requests number: 90000000
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Checking for a range conflict
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: In LdapBoundConnFactory::getConn()
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: masterConn is connected: true
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: conn is connected true
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: mNumConns now 2
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Releasing ldap connection
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: returnConn: mNumConns now 3
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: CMSEngine: checking certificate serial number ranges
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Serial numbers left in range: 65536
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Last serial number: 2415656960
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Serial numbers available: 65536
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Low water mark: 33554432
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Requesting next range
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: In LdapBoundConnFactory::getConn()
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: masterConn is connected: true
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: conn is connected true
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: mNumConns now 2
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: retrieving ou=certificateRepository, ou=ca,o=ipaca
>> Hi,
>>
>> What is the content of this entry?
>> ldapsearch -D "cn=directory manager" -W -b "ou=certificateRepository,ou=ca,o=ipaca" -s base
>>
>> According to the code, a decimal format is expected for the attribute
>> nextRange. Was the value modified by hand? If not, I would advise to
>> open an issue against dogtag, for the team to investigate how an
>> hexadecimal format could get written there:
>> https://pagure.io/dogtagpki/new_issue
>>
>> HTH,
>> flo
>>
>>> java.lang.NumberFormatException: For input string: "e0000001"
>>>     at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
>>>     at java.lang.Integer.parseInt(Integer.java:580)
>>>     at java.math.BigInteger.<init>(BigInteger.java:470)
>>>     at java.math.BigInteger.<init>(BigInteger.java:606)
>>>     at com.netscape.cmscore.dbs.DBSubsystem.getNextRange(DBSubsystem.java:417)
>>>     at com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:546)
>>>     at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1268)
>>>     at com.netscape.certsrv.apps.CMS.startup(CMS.java:204)
>>>     at com.netscape.certsrv.apps.CMS.start(CMS.java:1459)
>>>     at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
>>>     at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>     at java.lang.reflect.Method.invoke(Method.java:498)
>>>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
>>>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
>>>     at java.security.AccessController.doPrivileged(Native Method)
>>>     at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>>>     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
>>> ...
>>> ######
>>>
>>> This is logged in /var/log/pki/pki-ca-spawn.20200620150752.log:
>>> ######
>>> ...
>>> 2020-06-20 15:09:47 pkispawn : INFO ....... executing 'systemctl stop [email protected]'
>>> 2020-06-20 15:09:48 pkispawn : INFO ....... removing temp SSL server cert from internal token: Server-Cert cert-pki-ca
>>> 2020-06-20 15:09:48 pki.nssdb : DEBUG Command: certutil -D -d /var/lib/pki/pki-tomcat/alias -f /tmp/tmptjRzW6/password.txt -n Server-Cert cert-pki-ca
>>> 2020-06-20 15:09:48 pkispawn : INFO ....... importing permanent SSL server cert into internal token: Server-Cert cert-pki-ca
>>> 2020-06-20 15:09:48 pki.nssdb : DEBUG Command: certutil -A -d /var/lib/pki/pki-tomcat/alias -f /tmp/tmplJLOg8/internal_password.txt -n Server-Cert cert-pki-ca -a -i /tmp/tmpeCzA_b/sslserver.crt -t ,,
>>> 2020-06-20 15:09:48 pkispawn : INFO ....... executing 'systemctl daemon-reload'
>>> 2020-06-20 15:09:48 pkispawn : INFO ....... executing 'systemctl start [email protected]'
>>> 2020-06-20 15:09:48 pkispawn : INFO ........... FIPS mode is NOT enabled on this operating system.
>>> 2020-06-20 15:09:48 pkispawn : DEBUG ........... No connection - server may still be down
>>> 2020-06-20 15:09:48 pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
>>> 2020-06-20 15:09:49 pkispawn : DEBUG ........... No connection - server may still be down
>>> 2020-06-20 15:09:49 pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
>>> 2020-06-20 15:09:56 pkispawn : DEBUG ........... No connection - server may still be down
>>> 2020-06-20 15:09:56 pkispawn : DEBUG ........... No connection - exception thrown: 500 Server Error: Internal Server Error
>>> 2020-06-20 15:09:57 pkispawn : DEBUG ........... No connection - server may still be down
>>> 2020-06-20 15:09:57 pkispawn : DEBUG ........... No connection - exception thrown: 500 Server Error: Internal Server Error
>>> 2020-06-20 15:09:58 pkispawn : DEBUG ........... No connection - server may still be down
>>> ... repeats every second
>>> 2020-06-20 15:10:47 pkispawn : DEBUG ........... No connection - exception thrown: 500 Server Error: Internal Server Error
>>> 2020-06-20 15:10:48 pkispawn : DEBUG ........... No connection - server may still be down
>>> 2020-06-20 15:10:48 pkispawn : DEBUG ........... No connection - exception thrown: 500 Server Error: Internal Server Error
>>> 2020-06-20 15:10:49 pkispawn : ERROR ... server failed to restart
>>> 2020-06-20 15:10:49 pkispawn : DEBUG ....... Error Type: RuntimeError
>>> 2020-06-20 15:10:49 pkispawn : DEBUG ....... Error Message: server failed to restart
>>> 2020-06-20 15:10:49 pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", line 534, in main
>>>     scriptlet.spawn(deployer)
>>>   File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 1304, in spawn
>>>     raise RuntimeError("server failed to restart")
>>> ######
>>>
>>> And here is the failure in /var/log/ipareplica-ca-install.log:
>>> ######
>>> ...
>>> ---------------
>>> Import complete
>>> ---------------
>>> Imported certificates into /etc/pki/pki-tomcat/alias:
>>>
>>> Certificate Nickname                     Trust Attributes
>>>                                          SSL,S/MIME,JAR/XPI
>>>
>>> Third-party RSA CA                       C,,
>>> caSigningCert cert-pki-ca                CTu,Cu,Cu
>>> subsystemCert cert-pki-ca                u,u,u
>>> auditSigningCert cert-pki-ca             u,u,Pu
>>> Third-party Root CA                      C,,
>>> ocspSigningCert cert-pki-ca              u,u,u
>>>
>>> Installation failed: server failed to restart
>>>
>>>
>>> 2020-06-20T15:10:50Z DEBUG stderr=pkispawn : ERROR ... server failed to restart
>>>
>>> 2020-06-20T15:10:50Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpcQ1jxM' returned non-zero exit status 1
>>> 2020-06-20T15:10:50Z CRITICAL See the installation logs and the following files/directories for more information:
>>> 2020-06-20T15:10:50Z CRITICAL /var/log/pki/pki-tomcat
>>> 2020-06-20T15:10:50Z DEBUG Traceback (most recent call last):
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 567, in start_creation
>>>     run_step(full_msg, method)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 557, in run_step
>>>     method()
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 675, in __spawn_instance
>>>     pki_pin)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 167, in spawn_instance
>>>     self.handle_setup_error(e)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 408, in handle_setup_error
>>>     raise RuntimeError("%s configuration failed." % self.subsystem)
>>> RuntimeError: CA configuration failed.
>>>
>>> 2020-06-20T15:10:50Z DEBUG [error] RuntimeError: CA configuration failed.
>>> ...
>>> ######
>>>
>>> Has anyone run into this?
>>> Is this a known bug/issue?
>>>
>>> Current environment of all replicas:
>>> - CentOS 7.8
>>> - FreeIPA 4.6.6
>>>
>>> Any help/guidance on fixing this would be really appreciated.
>>>
>>> Thanks so much,
>>>
>>> Guillermo
>>> _______________________________________________
>>> FreeIPA-users mailing list -- [email protected]
>>> To unsubscribe send an email to [email protected]
>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
>>>
>>
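The stack trace above shows where the parse happens: DBSubsystem.getNextRange() hands the raw nextRange string to java.math.BigInteger(String), which accepts only an optional sign followed by decimal digits, so "e0000001" can never get past it. The script below is an added example for this thread, not Dogtag or FreeIPA code. It reads the LDIF that Flo's ldapsearch command prints, checks each nextRange value against that same grammar, and, when a value only makes sense as hexadecimal, reports the decimal form Guillermo is proposing to write back. The LDIF is the entry quoted in the thread; the function names are this example's own.

```python
"""Check Dogtag range attributes the way the CA parses them (added example, not project code)."""
import re

# Grammar of java.math.BigInteger(String) in Java 8: optional '+' or '-', then decimal digits only.
# No whitespace, no "0x" prefix, no hex letters.
JAVA_DECIMAL = re.compile(r"^[+-]?[0-9]+$")
# A bare hex string, as one would get from copying CS.cfg-style values into LDAP by hand.
HEX_ONLY = re.compile(r"^[0-9a-fA-F]+$")

# Sample input: the entry quoted in the thread (ldapsearch prints this LDIF shape).
SAMPLE_LDIF = """\
# certificateRepository, ca, ipaca
dn: ou=certificateRepository,ou=ca,o=ipaca
objectClass: top
objectClass: repository
ou: certificateRepository
serialno: 09268369921
nextRange: e0000001
"""


def parse_ldif_entry(text):
    """Return {attribute: [values]} for one LDIF entry, skipping comments and unfolding continuation lines."""
    logical_lines = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and logical_lines:  # LDIF folds long values onto lines starting with a space
            logical_lines[-1] += raw[1:]
        else:
            logical_lines.append(raw)
    attrs = {}
    for line in logical_lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def classify_range_value(value):
    """Say how BigInteger(String) would treat a range value.

    Returns (status, number):
      'decimal'  - parses as the CA expects; number is the parsed value.
      'hex-like' - the CA would throw NumberFormatException; number is what the
                   string means if it was written as hexadecimal.
      'invalid'  - parses neither way; number is None.
    """
    if JAVA_DECIMAL.match(value):
        return "decimal", int(value, 10)
    if HEX_ONLY.match(value):
        return "hex-like", int(value, 16)
    return "invalid", None


def check_entry(text, attributes=("nextRange",)):
    """Classify every value of the given attributes in an LDIF entry; returns {attribute: (status, number)}."""
    attrs = parse_ldif_entry(text)
    return {name: classify_range_value(v) for name in attributes for v in attrs.get(name, [])}


if __name__ == "__main__":
    for name, (status, number) in check_entry(SAMPLE_LDIF).items():
        if status == "decimal":
            print(f"{name}: OK, the CA reads it as {number}")
        elif status == "hex-like":
            print(f"{name}: the CA would raise NumberFormatException; "
                  f"if this was meant as hex, the decimal form is {number}")
        else:
            print(f"{name}: not a value the CA can parse")
```

Feed it the output of `ldapsearch -D "cn=directory manager" -W -b "ou=certificateRepository,ou=ca,o=ipaca" -s base` (and the matching ou=requests entry) before running the replica install; a value that comes back as hex-like is the one that will take the clone down at startup. Converting it is only half the job: the new decimal value still has to sit above every range already handed out under ou=ranges, which is the conflict check Guillermo mentions.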
