Hi, you are hitting https://github.com/dogtagpki/pki/issues/3544
The issue was solved in dogtag-pki-server-11.1.0-0.1.alpha2.fc36.noarch and dogtag-pki-server-11.0.2-1.fc35.noarch. If you upgrade dogtag-pki-server, you should be able to re-install the replica with the CA role.

HTH,
flo

On Tue, Jan 18, 2022 at 12:39 PM lejeczek via FreeIPA-users <[email protected]> wrote:

>
> On 18/01/2022 11:23, lejeczek via FreeIPA-users wrote:
> > Hi guys.
> >
> > adding second master failed a number of times so I did go
> > without '--setup-ca', now on that master I get lots of:
> >
> > Invalid PKI instance: pki-tomcat:
> >
> > {
> >   "source": "pki.server.healthcheck.certs.expiration",
> >   "check": "CASystemCertExpiryCheck",
> >   "result": "CRITICAL",
> >   "uuid": "7b920e6a-4f47-4541-80fa-e9d87dadff20",
> >   "when": "20220118102040Z",
> >   "duration": "0.000175",
> >   "kw": {
> >     "msg": "Invalid PKI instance: pki-tomcat"
> >   }
> > },
> > ...
> > {
> >   "source": "ipahealthcheck.ipa.certs",
> >   "check": "IPACertfileExpirationCheck",
> >   "result": "ERROR",
> >   "uuid": "fb01a7bd-3457-4007-8c3d-66662e23b6df",
> >   "when": "20220118102040Z",
> >   "duration": "0.006617",
> >   "kw": {
> >     "key": "20210709164208",
> >     "dbdir": "/etc/pki/pki-tomcat/alias",
> >     "nickname": "auditSigningCert cert-pki-kra",
> >     "error": "NSSDB '/etc/pki/pki-tomcat/alias' not initialized.",
> >     "msg": "Request id {key}: Unable to retrieve cert '{nickname}' from '{dbdir}': {error}"
> >   }
> > },
> > ..
> >
> >
> > first master's healthcheck does not mention these problems.
> > Is it that IPA - falsely - believes that this second master
> > is CA/KRA?
> > If so, then how to resolve this - this second master,
> > according to '--uninstall' was removed successfully (each
> > time '--setup-ca' failed)
> >
> > many thanks, L.
>
> And when CA install fails on that replica candidate it does
> so, each time with:
> ...
> FINE: - subject: SYSTEM
> FINE: PKIClientSocketListener.alertSent: begins
> FINE: PKIClientSocketListener.alertSent: got description:0
> FINE: PKIClientSocketListener.alertSent: got reason:clientAlertSent: CLOSE_NOTIFY
> FINE: SignedAuditLogger: event CLIENT_ACCESS_SESSION_TERMINATED
> FINE: PKIClientSocketListener: SSL alert sent:
> FINE: - reason: clientAlertSent: CLOSE_NOTIFY
> FINE: - client: 10.0.0.8
> FINE: - server: 10.0.0.8
> FINE: - subject: SYSTEM
> FINE: - server port: 636
> com.netscape.certsrv.base.ConflictingOperationException: Entry already exists.
>         at com.netscape.certsrv.ldap.LDAPExceptionConverter.toPKIException(LDAPExceptionConverter.java:45)
>         at com.netscape.cmscore.usrgrp.UGSubsystem.addUser(UGSubsystem.java:720)
>         at org.dogtagpki.server.cli.SubsystemUserAddCLI.execute(SubsystemUserAddCLI.java:180)
>         at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
>         at org.dogtagpki.cli.CLI.execute(CLI.java:357)
>         at org.dogtagpki.cli.CLI.execute(CLI.java:357)
>         at org.dogtagpki.cli.CLI.execute(CLI.java:357)
>         at org.dogtagpki.server.cli.PKIServerCLI.execute(PKIServerCLI.java:93)
>         at org.dogtagpki.server.cli.PKIServerCLI.main(PKIServerCLI.java:123)
> Caused by: netscape.ldap.LDAPException: error result (68); Already exists
>         at netscape.ldap.LDAPConnection.checkMsg(Unknown Source)
>         at netscape.ldap.LDAPConnection.add(Unknown Source)
>         at netscape.ldap.LDAPConnection.add(Unknown Source)
>         at netscape.ldap.LDAPConnection.add(Unknown Source)
>         at com.netscape.cmscore.usrgrp.UGSubsystem.addUser(UGSubsystem.java:717)
>         ... 7 more
> CalledProcessError: Command '['/usr/sbin/runuser', '-u', 'pkiuser', '--',
> '/usr/lib/jvm/jre-1.8.0-openjdk/bin/java', '-classpath',
> '/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/tomcat-servlet-api.jar:/usr/share/pki/ca/webapps/ca/WEB-INF/lib/*:/var/lib/pki/pki-tomcat/common/lib/*:/usr/share/pki/lib/*',
> '-Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory',
> '-Dcatalina.base=/var/lib/pki/pki-tomcat',
> '-Dcatalina.home=/usr/share/tomcat',
> '-Djava.endorsed.dirs=',
> '-Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp',
> '-Djava.util.logging.config.file=/etc/pki/pki-tomcat/logging.properties',
> '-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager',
> '-Dcom.redhat.fips=false',
> 'org.dogtagpki.server.cli.PKIServerCLI', 'ca-user-add',
> '--full-name', 'CA-midway.abba.xx.priv.yy-8443', '--type',
> 'agentType', '--state', '1', '--debug',
> 'CA-midway.abba.xx.priv.yy-8443']' returned non-zero exit status 255.
>   File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 575, in main
>     scriptlet.spawn(deployer)
>   File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 740, in spawn
>     deployer.setup_subsystem_user(instance, subsystem, system_certs['subsystem'])
>   File "/usr/lib/python3.6/site-packages/pki/server/deployment/__init__.py", line 1040, in setup_subsystem_user
>     state='1')
>   File "/usr/lib/python3.6/site-packages/pki/server/subsystem.py", line 1521, in add_user
>     capture_output=True)
>   File "/usr/lib/python3.6/site-packages/pki/server/subsystem.py", line 1653, in run
>     check=True)
>   File "/usr/lib64/python3.6/subprocess.py", line 438, in run
>     output=stdout, stderr=stderr)
>
> 2022-01-18T11:00:00Z CRITICAL Failed to configure CA instance
>
> Something fundamentally wrong with that first master? (for
> healthcheck says nothing)
>
> thanks, L.
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
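The healthcheck records quoted in the thread are objects from ipa-healthcheck's JSON output. As an added example (not code from the thread, from FreeIPA or from Dogtag), the script below loads such output, keeps only non-SUCCESS results ordered by severity, expands the `{placeholder}` fields in each message the way the human-readable report does, groups the failures by source, and flags the signature the original poster saw on a replica whose CA setup had failed: PKI checks reporting "Invalid PKI instance" or an uninitialized NSSDB. The sample input is constructed from the two records in the thread plus one made-up SUCCESS record; the function names are my own.

```python
"""Triage helper for ipa-healthcheck JSON output (added example)."""
import json
from collections import defaultdict

# Constructed sample: the two failing records quoted in the thread, plus one
# invented SUCCESS record so that the filtering is visible.
SAMPLE_OUTPUT = json.dumps([
    {
        "source": "pki.server.healthcheck.certs.expiration",
        "check": "CASystemCertExpiryCheck",
        "result": "CRITICAL",
        "uuid": "7b920e6a-4f47-4541-80fa-e9d87dadff20",
        "when": "20220118102040Z",
        "duration": "0.000175",
        "kw": {"msg": "Invalid PKI instance: pki-tomcat"},
    },
    {
        "source": "ipahealthcheck.ipa.certs",
        "check": "IPACertfileExpirationCheck",
        "result": "ERROR",
        "uuid": "fb01a7bd-3457-4007-8c3d-66662e23b6df",
        "when": "20220118102040Z",
        "duration": "0.006617",
        "kw": {
            "key": "20210709164208",
            "dbdir": "/etc/pki/pki-tomcat/alias",
            "nickname": "auditSigningCert cert-pki-kra",
            "error": "NSSDB '/etc/pki/pki-tomcat/alias' not initialized.",
            "msg": "Request id {key}: Unable to retrieve cert '{nickname}' "
                   "from '{dbdir}': {error}",
        },
    },
    {   # invented healthy record (not from the thread)
        "source": "ipahealthcheck.ipa.roles",
        "check": "IPACRLManagerCheck",
        "result": "SUCCESS",
        "kw": {},
    },
])

SEVERITY_ORDER = ("CRITICAL", "ERROR", "WARNING")

# Substrings that identify the thread's symptom: checks that expect a CA/KRA
# instance on this host but find no usable pki-tomcat instance or NSS DB.
MISSING_INSTANCE_MARKERS = ("Invalid PKI instance", "not initialized")


def render_message(record):
    """Expand {placeholders} in kw.msg from the other kw values."""
    kw = record.get("kw", {})
    msg = kw.get("msg", "")
    try:
        return msg.format(**kw)
    except (KeyError, IndexError):
        return msg  # leave unexpanded if a placeholder has no value


def failing_results(output):
    """Parse the JSON list and return non-SUCCESS records, most severe first."""
    records = json.loads(output)
    rank = {sev: i for i, sev in enumerate(SEVERITY_ORDER)}
    bad = [r for r in records if r.get("result") != "SUCCESS"]
    return sorted(bad, key=lambda r: rank.get(r.get("result"), len(rank)))


def group_by_source(records):
    """Map each check source (e.g. 'ipahealthcheck.ipa.certs') to its records."""
    grouped = defaultdict(list)
    for r in records:
        grouped[r.get("source", "?")].append(r)
    return dict(grouped)


def missing_pki_instance(records):
    """True when any message carries the 'no usable PKI instance' signature."""
    return any(marker in render_message(r)
               for r in records for marker in MISSING_INSTANCE_MARKERS)


def summarize(output):
    """Return report lines: one per failing check, then the overall verdict."""
    bad = failing_results(output)
    lines = []
    for source, recs in group_by_source(bad).items():
        for r in recs:
            lines.append(f"{r['result']:8} {source}.{r.get('check')}: "
                         f"{render_message(r)}")
    if missing_pki_instance(bad):
        lines.append("VERDICT: PKI checks run against an absent/uninitialized "
                     "pki-tomcat instance; check whether this host should "
                     "carry the CA/KRA role and re-install it if so.")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_OUTPUT)))
```

Feed it real output with `ipa-healthcheck --output-type json` piped into `summarize`; a host that carries no CA role and still shows the VERDICT line is in the state the original poster describes, where the remedy discussed in the reply is to upgrade dogtag-pki-server and re-install the replica with the CA role.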
