On Tue, Jul 07, 2020 at 12:04:58AM -0400, Guillermo Fuentes via FreeIPA-users wrote:
> On Mon, Jul 6, 2020 at 5:31 PM Rob Crittenden <[email protected]> wrote:
> >
> > Guillermo Fuentes via FreeIPA-users wrote:
> > > Hi Flo,
> > > Here is the value of the entry:
> > > # certificateRepository, ca, ipaca
> > > dn: ou=certificateRepository,ou=ca,o=ipaca
> > > objectClass: top
> > > objectClass: repository
> > > ou: certificateRepository
> > > serialno: 09268369921
> > > nextRange: e0000001
> > >
> > > The value of nextRange was modified by hand to fix another issue.
> > > According to this
> > > https://frasertweedale.github.io/blog-redhat/posts/2019-07-26-dogtag-replica-ranges.html
> > > it should be hexadecimal.
> >
> > Maybe try an upper-case E.
> >
> > rob
>
> Same result.
>

IIRC the ldap objects all use decimal representation.  It is only in
CS.cfg where some ranges are hexadecimal and others are decimal.  I can
confirm later.  And update the blog post to clarify!

Put the decimal representation in the `nextRange' attribute and see how
you go.

Cheers,
Fraser

> >
> > > If the code is expecting a decimal value, I'm assuming converting the
> > > range from hex to decimal should do it, right? I'll also check for
> > > conflicts.
> > >
> > > Thanks!
> > > Guillermo
> > >
> > > On Mon, Jul 6, 2020 at 12:35 PM Florence Blanc-Renaud <[email protected]> wrote:
> > >>
> > >> On 7/6/20 5:18 PM, Guillermo Fuentes via FreeIPA-users wrote:
> > >>> Hi all,
> > >>>
> > >>> I'm having an issue creating a new replica with CA.
> > >>> The Directory Service installation works fine but adding the CA clone
> > >>> fails with a java.lang.NumberFormatException when getting the serial
> > >>> number range.
> > >>>
> > >>> This is the error logged in /var/log/pki/pki-tomcat/ca/debug:
> > >>> ######
> > >>> ...
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: retrieving ou=ca, ou=requests,o=ipaca
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: updating nextRange from 80000001 to 90000001
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: adding new range object: cn=80000001,ou=requests, ou=ranges,o=ipaca
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: getNextRange Next range has been added: 80000001 - 90000000
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Releasing ldap connection
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: returnConn: mNumConns now 3
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: next range: 80000001
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Next min serial number: 80000001
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: Setting next min requests number: 80000001
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: Setting next max requests number: 90000000
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Checking for a range conflict
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: In LdapBoundConnFactory::getConn()
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: masterConn is connected: true
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: conn is connected true
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: mNumConns now 2
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Releasing ldap connection
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: returnConn: mNumConns now 3
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: CMSEngine: checking certificate serial number ranges
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Serial numbers left in range: 65536
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Last serial number: 2415656960
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Serial numbers available: 65536
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Low water mark: 33554432
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Requesting next range
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: In LdapBoundConnFactory::getConn()
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: masterConn is connected: true
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: conn is connected true
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: mNumConns now 2
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: retrieving ou=certificateRepository, ou=ca,o=ipaca
> > >> Hi,
> > >>
> > >> What is the content of this entry?
> > >> ldapsearch -D "cn=directory manager" -W -b "ou=certificateRepository,ou=ca,o=ipaca" -s base
> > >>
> > >> According to the code, a decimal format is expected for the attribute
> > >> nextRange. Was the value modified by hand? If not, I would advise to
> > >> open an issue against dogtag, for the team to investigate how a
> > >> hexadecimal format could get written there:
> > >> https://pagure.io/dogtagpki/new_issue
> > >>
> > >> HTH,
> > >> flo
> > >>
> > >>> java.lang.NumberFormatException: For input string: "e0000001"
> > >>>         at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
> > >>>         at java.lang.Integer.parseInt(Integer.java:580)
> > >>>         at java.math.BigInteger.<init>(BigInteger.java:470)
> > >>>         at java.math.BigInteger.<init>(BigInteger.java:606)
> > >>>         at com.netscape.cmscore.dbs.DBSubsystem.getNextRange(DBSubsystem.java:417)
> > >>>         at com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:546)
> > >>>         at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1268)
> > >>>         at com.netscape.certsrv.apps.CMS.startup(CMS.java:204)
> > >>>         at com.netscape.certsrv.apps.CMS.start(CMS.java:1459)
> > >>>         at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
> > >>>         at javax.servlet.GenericServlet.init(GenericServlet.java:158)
> > >>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > >>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > >>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > >>>         at java.lang.reflect.Method.invoke(Method.java:498)
> > >>>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
> > >>>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
> > >>>         at java.security.AccessController.doPrivileged(Native Method)
> > >>>         at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
> > >>>         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
> > >>> ...
> > >>> ######
> > >>>
> > >>> This is logged in /var/log/pki/pki-ca-spawn.20200620150752.log:
> > >>> ######
> > >>> ...
> > >>> 2020-06-20 15:09:47 pkispawn : INFO ....... executing 'systemctl stop [email protected]'
> > >>> 2020-06-20 15:09:48 pkispawn : INFO ....... removing temp SSL server cert from internal token: Server-Cert cert-pki-ca
> > >>> 2020-06-20 15:09:48 pki.nssdb : DEBUG Command: certutil -D -d /var/lib/pki/pki-tomcat/alias -f /tmp/tmptjRzW6/password.txt -n Server-Cert cert-pki-ca
> > >>> 2020-06-20 15:09:48 pkispawn : INFO ....... importing permanent SSL server cert into internal token: Server-Cert cert-pki-ca
> > >>> 2020-06-20 15:09:48 pki.nssdb : DEBUG Command: certutil -A -d /var/lib/pki/pki-tomcat/alias -f /tmp/tmplJLOg8/internal_password.txt -n Server-Cert cert-pki-ca -a -i /tmp/tmpeCzA_b/sslserver.crt -t ,,
> > >>> 2020-06-20 15:09:48 pkispawn : INFO ....... executing 'systemctl daemon-reload'
> > >>> 2020-06-20 15:09:48 pkispawn : INFO ....... executing 'systemctl start [email protected]'
> > >>> 2020-06-20 15:09:48 pkispawn : INFO ........... FIPS mode is NOT enabled on this operating system.
> > >>> 2020-06-20 15:09:48 pkispawn : DEBUG ........... No connection - server may still be down
> > >>> 2020-06-20 15:09:48 pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
> > >>> 2020-06-20 15:09:49 pkispawn : DEBUG ........... No connection - server may still be down
> > >>> 2020-06-20 15:09:49 pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
> > >>> 2020-06-20 15:09:56 pkispawn : DEBUG ........... No connection - server may still be down
> > >>> 2020-06-20 15:09:56 pkispawn : DEBUG ........... No connection - exception thrown: 500 Server Error: Internal Server Error
> > >>> 2020-06-20 15:09:57 pkispawn : DEBUG ........... No connection - server may still be down
> > >>> 2020-06-20 15:09:57 pkispawn : DEBUG ........... No connection - exception thrown: 500 Server Error: Internal Server Error
> > >>> 2020-06-20 15:09:58 pkispawn : DEBUG ........... No connection - server may still be down
> > >>> ... repeats every second
> > >>> 2020-06-20 15:10:47 pkispawn : DEBUG ........... No connection - exception thrown: 500 Server Error: Internal Server Error
> > >>> 2020-06-20 15:10:48 pkispawn : DEBUG ........... No connection - server may still be down
> > >>> 2020-06-20 15:10:48 pkispawn : DEBUG ........... No connection - exception thrown: 500 Server Error: Internal Server Error
> > >>> 2020-06-20 15:10:49 pkispawn : ERROR ... server failed to restart
> > >>> 2020-06-20 15:10:49 pkispawn : DEBUG ....... Error Type: RuntimeError
> > >>> 2020-06-20 15:10:49 pkispawn : DEBUG ....... Error Message: server failed to restart
> > >>> 2020-06-20 15:10:49 pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", line 534, in main
> > >>>     scriptlet.spawn(deployer)
> > >>>   File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 1304, in spawn
> > >>>     raise RuntimeError("server failed to restart")
> > >>> ######
> > >>>
> > >>> And here is the failure in /var/log/ipareplica-ca-install.log:
> > >>> ######
> > >>> ...
> > >>> ---------------
> > >>> Import complete
> > >>> ---------------
> > >>> Imported certificates into /etc/pki/pki-tomcat/alias:
> > >>>
> > >>> Certificate Nickname                         Trust Attributes
> > >>>                                              SSL,S/MIME,JAR/XPI
> > >>>
> > >>> Third-party RSA CA                           C,,
> > >>> caSigningCert cert-pki-ca                    CTu,Cu,Cu
> > >>> subsystemCert cert-pki-ca                    u,u,u
> > >>> auditSigningCert cert-pki-ca                 u,u,Pu
> > >>> Third-party Root CA                          C,,
> > >>> ocspSigningCert cert-pki-ca                  u,u,u
> > >>>
> > >>> Installation failed: server failed to restart
> > >>>
> > >>>
> > >>> 2020-06-20T15:10:50Z DEBUG stderr=pkispawn : ERROR ... server failed to restart
> > >>>
> > >>> 2020-06-20T15:10:50Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpcQ1jxM' returned non-zero exit status 1
> > >>> 2020-06-20T15:10:50Z CRITICAL See the installation logs and the following files/directories for more information:
> > >>> 2020-06-20T15:10:50Z CRITICAL /var/log/pki/pki-tomcat
> > >>> 2020-06-20T15:10:50Z DEBUG Traceback (most recent call last):
> > >>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 567, in start_creation
> > >>>     run_step(full_msg, method)
> > >>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 557, in run_step
> > >>>     method()
> > >>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 675, in __spawn_instance
> > >>>     pki_pin)
> > >>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 167, in spawn_instance
> > >>>     self.handle_setup_error(e)
> > >>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 408, in handle_setup_error
> > >>>     raise RuntimeError("%s configuration failed." % self.subsystem)
> > >>> RuntimeError: CA configuration failed.
> > >>>
> > >>> 2020-06-20T15:10:50Z DEBUG [error] RuntimeError: CA configuration failed.
> > >>> ...
> > >>> ######
> > >>>
> > >>> Has anyone run into this?
> > >>> Is this a known bug/issue?
> > >>>
> > >>> Current environment of all replicas:
> > >>> - CentOS 7.8
> > >>> - FreeIPA 4.6.6
> > >>>
> > >>> Any help/guidance on fixing this would be really appreciated.
> > >>>
> > >>> Thanks so much,
> > >>>
> > >>> Guillermo
> > >>> _______________________________________________
> > >>> FreeIPA-users mailing list -- [email protected]
> > >>> To unsubscribe send an email to [email protected]
> > >>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > >>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > >>> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
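An added example, not from this thread or from Dogtag itself: the stack trace shows the value going through `java.math.BigInteger(String)`, which parses base 10 only, so anything with hex letters in `nextRange` throws exactly the `NumberFormatException` seen above. The script below applies that same grammar to an LDIF entry like the one Guillermo posted (copied here as constructed sample input), flags attributes that would fail, and for a hex-looking value prints the decimal form to put back. The LDIF reader is a deliberately minimal one (no base64 `::` values, no continuation lines), an assumption of the example rather than a full LDIF parser.

```python
import re

# Grammar accepted by java.math.BigInteger(String): optional sign, base-10 digits.
JAVA_DECIMAL = re.compile(r"^[+-]?[0-9]+$")
# What a hand-edited hexadecimal value looks like (a "0x" prefix is tolerated).
HEX_LIKE = re.compile(r"^(0[xX])?[0-9a-fA-F]+$")

# Constructed sample: the certificateRepository entry quoted in the thread.
SAMPLE_LDIF = """\
# certificateRepository, ca, ipaca
dn: ou=certificateRepository,ou=ca,o=ipaca
objectClass: top
objectClass: repository
ou: certificateRepository
serialno: 09268369921
nextRange: e0000001
"""


def parse_ldif(text):
    """Minimal single-entry LDIF reader: 'attr: value' lines, comments skipped."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def check_range_attrs(entry, attrs=("serialno", "nextRange")):
    """Return {attr: (ok, decimal)} where ok means Java's base-10 parse succeeds.
    When the parse would fail but the value is hex-looking, decimal holds the
    candidate replacement value; otherwise it is None."""
    result = {}
    for attr in attrs:
        for value in entry.get(attr, []):
            if JAVA_DECIMAL.match(value):
                result[attr] = (True, int(value, 10))   # digits-only values parse fine
            elif HEX_LIKE.match(value):
                result[attr] = (False, int(value, 16))  # would throw; decimal to write back
            else:
                result[attr] = (False, None)
    return result


if __name__ == "__main__":
    for attr, (ok, dec) in check_range_attrs(parse_ldif(SAMPLE_LDIF)).items():
        status = "ok" if ok else "would raise NumberFormatException"
        print(f"{attr}: {status}; decimal value {dec}")
```

Note that a digits-only value passes regardless of whether it was meant as hex or decimal, so the check cannot tell those apart; only the thread's decimal-in-LDAP rule does.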
