Confirmed, Fraser. It worked! Thanks so much!
Using the decimal value in the nextRange attribute did the trick.
Thank you everyone for your help.
All the best,
Guillermo

On Tue, Jul 7, 2020 at 3:57 AM Fraser Tweedale <[email protected]> wrote:
>
> On Tue, Jul 07, 2020 at 12:04:58AM -0400, Guillermo Fuentes via FreeIPA-users 
> wrote:
> > On Mon, Jul 6, 2020 at 5:31 PM Rob Crittenden <[email protected]> wrote:
> > >
> > > Guillermo Fuentes via FreeIPA-users wrote:
> > > > Hi Flo,
> > > > Here is the value of the entry:
> > > > # certificateRepository, ca, ipaca
> > > > dn: ou=certificateRepository,ou=ca,o=ipaca
> > > > objectClass: top
> > > > objectClass: repository
> > > > ou: certificateRepository
> > > > serialno: 09268369921
> > > > nextRange: e0000001
> > > >
> > > > The value of nextRange was modified by hand to fix another issue.
> > > > According to this
> > > > https://frasertweedale.github.io/blog-redhat/posts/2019-07-26-dogtag-replica-ranges.html
> > > > it should be hexadecimal.
> > >
> > > Maybe try an upper-case E.
> > >
> > > rob
> >
> > Same result.
> >
> IIRC the ldap objects all use decimal representation.  It is only in
> CS.cfg where some ranges are hexadecimal and others are decimal.
> I can confirm later.  And update the blog post to clarify!
>
> Put the decimal representation in the `nextRange' attribute and see
> how you go.
>
> Cheers,
> Fraser
>
>
> > >
> > > >
> > > > If the code is expecting a decimal value, I'm assuming converting the
> > > > range from hex to decimal should do it, right? I'll also check for
> > > > conflicts.
> > > >
> > > > Thanks!
> > > > Guillermo
> > > >
> > > > On Mon, Jul 6, 2020 at 12:35 PM Florence Blanc-Renaud <[email protected]> 
> > > > wrote:
> > > >>
> > > >> On 7/6/20 5:18 PM, Guillermo Fuentes via FreeIPA-users wrote:
> > > >>> Hi all,
> > > >>>
> > > >>> I'm having an issue creating a new replica with CA.
> > > >>> The Directory Service installation works fine but adding the CA clone
> > > >>> fails with a java.lang.NumberFormatException when getting the serial
> > > >>> number range.
> > > >>>
> > > >>> This is the error logged in /var/log/pki/pki-tomcat/ca/debug:
> > > >>> ######
> > > >>> ...
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: retrieving
> > > >>> ou=ca, ou=requests,o=ipaca
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: updating
> > > >>> nextRange from 80000001 to 90000001
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: adding new
> > > >>> range object: cn=80000001,ou=requests, ou=ranges,o=ipaca
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem:
> > > >>> getNextRange  Next range has been added: 80000001 - 90000000
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Releasing ldap 
> > > >>> connection
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: returnConn: mNumConns 
> > > >>> now 3
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: next 
> > > >>> range: 80000001
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Next min
> > > >>> serial number: 80000001
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: Setting
> > > >>> next min requests number: 80000001
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: Setting
> > > >>> next max requests number: 90000000
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Checking for a range 
> > > >>> conflict
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: In
> > > >>> LdapBoundConnFactory::getConn()
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: masterConn is 
> > > >>> connected: true
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: conn is 
> > > >>> connected true
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: mNumConns now 
> > > >>> 2
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Releasing ldap 
> > > >>> connection
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: returnConn: mNumConns 
> > > >>> now 3
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: CMSEngine: checking
> > > >>> certificate serial number ranges
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Serial
> > > >>> numbers left in range: 65536
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Last serial
> > > >>> number: 2415656960
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Serial
> > > >>> numbers available: 65536
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Low water
> > > >>> mark: 33554432
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Requesting 
> > > >>> next range
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: In
> > > >>> LdapBoundConnFactory::getConn()
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: masterConn is 
> > > >>> connected: true
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: conn is 
> > > >>> connected true
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: mNumConns now 
> > > >>> 2
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: retrieving
> > > >>> ou=certificateRepository, ou=ca,o=ipaca
> > > >> Hi,
> > > >>
> > > >> What is the content of this entry?
> > > >> ldapsearch -D "cn=directory manager" -W -b
> > > >> "ou=certificateRepository,ou=ca,o=ipaca" -s base
> > > >>
> > > >> According to the code, a decimal format is expected for the attribute
> > > >> nextRange. Was the value modified by hand? If not, I would advise to
> > > >> open an issue against dogtag, for the team to investigate how an
> > > >> hexadecimal format could get written there:
> > > >> https://pagure.io/dogtagpki/new_issue
> > > >>
> > > >> HTH,
> > > >> flo
> > > >>
> > > >>> java.lang.NumberFormatException: For input string: "e0000001"
> > > >>>          at 
> > > >>> java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
> > > >>>          at java.lang.Integer.parseInt(Integer.java:580)
> > > >>>          at java.math.BigInteger.<init>(BigInteger.java:470)
> > > >>>          at java.math.BigInteger.<init>(BigInteger.java:606)
> > > >>>          at 
> > > >>> com.netscape.cmscore.dbs.DBSubsystem.getNextRange(DBSubsystem.java:417)
> > > >>>          at 
> > > >>> com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:546)
> > > >>>          at 
> > > >>> com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1268)
> > > >>>          at com.netscape.certsrv.apps.CMS.startup(CMS.java:204)
> > > >>>          at com.netscape.certsrv.apps.CMS.start(CMS.java:1459)
> > > >>>          at 
> > > >>> com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
> > > >>>          at javax.servlet.GenericServlet.init(GenericServlet.java:158)
> > > >>>          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native 
> > > >>> Method)
> > > >>>          at 
> > > >>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > > >>>          at 
> > > >>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > > >>>          at java.lang.reflect.Method.invoke(Method.java:498)
> > > >>>          at 
> > > >>> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
> > > >>>          at 
> > > >>> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
> > > >>>          at java.security.AccessController.doPrivileged(Native Method)
> > > >>>          at 
> > > >>> javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
> > > >>>          at 
> > > >>> org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
> > > >>> ...
> > > >>> ######
> > > >>>
> > > >>> This is logged in /var/log/pki/pki-ca-spawn.20200620150752.log:
> > > >>> ######
> > > >>> ...
> > > >>> 2020-06-20 15:09:47 pkispawn    : INFO     ....... executing
> > > >>> 'systemctl stop [email protected]'
> > > >>> 2020-06-20 15:09:48 pkispawn    : INFO     ....... removing temp SSL
> > > >>> server cert from internal token: Server-Cert cert-pki-ca
> > > >>> 2020-06-20 15:09:48 pki.nssdb   : DEBUG    Command: certutil -D -d
> > > >>> /var/lib/pki/pki-tomcat/alias -f /tmp/tmptjRzW6/password.txt -n
> > > >>> Server-Cert cert-pki-ca
> > > >>> 2020-06-20 15:09:48 pkispawn    : INFO     ....... importing permanent
> > > >>> SSL server cert into internal token: Server-Cert cert-pki-ca
> > > >>> 2020-06-20 15:09:48 pki.nssdb   : DEBUG    Command: certutil -A -d
> > > >>> /var/lib/pki/pki-tomcat/alias -f /tmp/tmplJLOg8/internal_password.txt
> > > >>> -n Server-Cert cert-pki-ca -a -i /tmp/tmpeCzA_b/sslserver.crt -t ,,
> > > >>> 2020-06-20 15:09:48 pkispawn    : INFO     ....... executing
> > > >>> 'systemctl daemon-reload'
> > > >>> 2020-06-20 15:09:48 pkispawn    : INFO     ....... executing
> > > >>> 'systemctl start [email protected]'
> > > >>> 2020-06-20 15:09:48 pkispawn    : INFO     ........... FIPS mode is
> > > >>> NOT enabled on this operating system.
> > > >>> 2020-06-20 15:09:48 pkispawn    : DEBUG    ........... No connection -
> > > >>> server may still be down
> > > >>> 2020-06-20 15:09:48 pkispawn    : DEBUG    ........... No connection -
> > > >>> exception thrown: ('Connection aborted.', error(111, 'Connection
> > > >>> refused'))
> > > >>> 2020-06-20 15:09:49 pkispawn    : DEBUG    ........... No connection -
> > > >>> server may still be down
> > > >>> 2020-06-20 15:09:49 pkispawn    : DEBUG    ........... No connection -
> > > >>> exception thrown: ('Connection aborted.', error(111, 'Connection
> > > >>> refused'))
> > > >>> 2020-06-20 15:09:56 pkispawn    : DEBUG    ........... No connection -
> > > >>> server may still be down
> > > >>> 2020-06-20 15:09:56 pkispawn    : DEBUG    ........... No connection -
> > > >>> exception thrown: 500 Server Error: Internal Server Error
> > > >>> 2020-06-20 15:09:57 pkispawn    : DEBUG    ........... No connection -
> > > >>> server may still be down
> > > >>> 2020-06-20 15:09:57 pkispawn    : DEBUG    ........... No connection -
> > > >>> exception thrown: 500 Server Error: Internal Server Error
> > > >>> 2020-06-20 15:09:58 pkispawn    : DEBUG    ........... No connection -
> > > >>> server may still be down
> > > >>> ... repeats every second
> > > >>> 2020-06-20 15:10:47 pkispawn    : DEBUG    ........... No connection -
> > > >>> exception thrown: 500 Server Error: Internal Server Error
> > > >>> 2020-06-20 15:10:48 pkispawn    : DEBUG    ........... No connection -
> > > >>> server may still be down
> > > >>> 2020-06-20 15:10:48 pkispawn    : DEBUG    ........... No connection -
> > > >>> exception thrown: 500 Server Error: Internal Server Error
> > > >>> 2020-06-20 15:10:49 pkispawn    : ERROR    ... server failed to 
> > > >>> restart
> > > >>> 2020-06-20 15:10:49 pkispawn    : DEBUG    ....... Error Type: 
> > > >>> RuntimeError
> > > >>> 2020-06-20 15:10:49 pkispawn    : DEBUG    ....... Error Message:
> > > >>> server failed to restart
> > > >>> 2020-06-20 15:10:49 pkispawn    : DEBUG    .......   File
> > > >>> "/usr/sbin/pkispawn", line 534, in main
> > > >>>      scriptlet.spawn(deployer)
> > > >>>    File 
> > > >>> "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py",
> > > >>> line 1304, in spawn
> > > >>>      raise RuntimeError("server failed to restart")
> > > >>> ######
> > > >>>
> > > >>> And here is the failure in /var/log/ipareplica-ca-install.log:
> > > >>> ######
> > > >>> ...
> > > >>> ---------------
> > > >>> Import complete
> > > >>> ---------------
> > > >>> Imported certificates into /etc/pki/pki-tomcat/alias:
> > > >>>
> > > >>> Certificate Nickname                                         Trust 
> > > >>> Attributes
> > > >>>                                                               
> > > >>> SSL,S/MIME,JAR/XPI
> > > >>>
> > > >>> Third-party RSA CA                                           C,,
> > > >>> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
> > > >>> subsystemCert cert-pki-ca                                    u,u,u
> > > >>> auditSigningCert cert-pki-ca                                 u,u,Pu
> > > >>> Third-party Root CA                                          C,,
> > > >>> ocspSigningCert cert-pki-ca                                  u,u,u
> > > >>>
> > > >>> Installation failed: server failed to restart
> > > >>>
> > > >>>
> > > >>> 2020-06-20T15:10:50Z DEBUG stderr=pkispawn    : ERROR    ... server
> > > >>> failed to restart
> > > >>>
> > > >>> 2020-06-20T15:10:50Z CRITICAL Failed to configure CA instance: Command
> > > >>> '/usr/sbin/pkispawn -s CA -f /tmp/tmpcQ1jxM' returned non-zero exit
> > > >>> status 1
> > > >>> 2020-06-20T15:10:50Z CRITICAL See the installation logs and the
> > > >>> following files/directories for more information:
> > > >>> 2020-06-20T15:10:50Z CRITICAL   /var/log/pki/pki-tomcat
> > > >>> 2020-06-20T15:10:50Z DEBUG Traceback (most recent call last):
> > > >>>    File 
> > > >>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> > > >>> line 567, in start_creation
> > > >>>      run_step(full_msg, method)
> > > >>>    File 
> > > >>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> > > >>> line 557, in run_step
> > > >>>      method()
> > > >>>    File 
> > > >>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> > > >>> line 675, in __spawn_instance
> > > >>>      pki_pin)
> > > >>>    File 
> > > >>> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
> > > >>> line 167, in spawn_instance
> > > >>>      self.handle_setup_error(e)
> > > >>>    File 
> > > >>> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
> > > >>> line 408, in handle_setup_error
> > > >>>      raise RuntimeError("%s configuration failed." % self.subsystem)
> > > >>> RuntimeError: CA configuration failed.
> > > >>>
> > > >>> 2020-06-20T15:10:50Z DEBUG   [error] RuntimeError: CA configuration 
> > > >>> failed.
> > > >>> ...
> > > >>> ######
> > > >>>
> > > >>> Has anyone run into this?
> > > >>> Is this a known bug/issue?
> > > >>>
> > > >>> Current environment of all replicas:
> > > >>> - CentOS 7.8
> > > >>> - FreeIPA 4.6.6
> > > >>>
> > > >>> Any help/guidance on fixing this would be really appreciated.
> > > >>>
> > > >>> Thanks so much,
> > > >>>
> > > >>> Guillermo
> > > >>> _______________________________________________
> > > >>> FreeIPA-users mailing list -- [email protected]
> > > >>> To unsubscribe send an email to 
> > > >>> [email protected]
> > > >>> Fedora Code of Conduct: 
> > > >>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > >>> List Guidelines: 
> > > >>> https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > >>> List Archives: 
> > > >>> https://lists.fedorahosted.org/archives/list/[email protected]
> > > >>>
> > > >>
> > > >
> > >
>
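The check the thread arrives at, as an added example that is not code from the thread or from Dogtag: Dogtag reads `nextRange` with `java.math.BigInteger(String)`, which accepts only decimal digits, so a hex value such as `e0000001` throws the `NumberFormatException` shown above. The script below uses a minimal LDIF parser (assumed: single entry, no continuation or base64 lines) and a constructed copy of the entry from the thread to flag values Dogtag cannot parse and print the decimal form to store instead.

```python
# Constructed checker for the nextRange / serialno attributes of a Dogtag
# repository entry. Not Dogtag code: it mimics what BigInteger(String) accepts.
import re

# BigInteger(String) accepts an optional sign followed by decimal digits only.
_DECIMAL = re.compile(r"^[+-]?[0-9]+$")
# Something that only makes sense as a hex range (the CS.cfg convention).
_HEX = re.compile(r"^[0-9a-fA-F]+$")


def parse_ldif_entry(ldif: str) -> dict:
    """Minimal LDIF parser: one entry, no line continuations, no '::' base64."""
    attrs = {}
    for line in ldif.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def check_range_value(value: str):
    """Return (ok, decimal_value, note); ok is False if Dogtag would fail to parse it."""
    if _DECIMAL.match(value):
        return True, int(value, 10), "decimal"
    if _HEX.match(value):
        # Upper- or lower-case hex both fail in Dogtag; report the decimal form.
        return False, int(value, 16), "hexadecimal; store the decimal representation instead"
    return False, None, "not parseable as a number"


def check_entry(ldif: str) -> dict:
    """Check the two numeric attributes of a repository entry."""
    attrs = parse_ldif_entry(ldif)
    return {attr: check_range_value(attrs[attr][0])
            for attr in ("serialno", "nextRange") if attr in attrs}


# Constructed sample mirroring the entry posted in the thread.
SAMPLE_ENTRY = """\
dn: ou=certificateRepository,ou=ca,o=ipaca
objectClass: top
objectClass: repository
ou: certificateRepository
serialno: 09268369921
nextRange: e0000001
"""

if __name__ == "__main__":
    for attr, (ok, dec, note) in check_entry(SAMPLE_ENTRY).items():
        print(f"{attr}: {'OK' if ok else 'PROBLEM'} ({note}); decimal value: {dec}")
```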