On 11.02.2016 12:51, Quasar wrote:
Martin,
I've re-tested the replica with a freshly-installed CentOS 7 (1511).
Installation still fails (damn!) and the log is a bit more verbose. I
suppose it has something to do with the certificate in my master server,
probably due to incremental updates done in the past.
2016-02-11T11:09:21Z DEBUG Starting external process
2016-02-11T11:09:21Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
'/tmp/tmpRHosRn'
2016-02-11T11:10:58Z DEBUG Process finished, return code=1
2016-02-11T11:10:58Z DEBUG stdout=Log file:
/var/log/pki/pki-ca-spawn.20160211120921.log
Loading deployment configuration from /tmp/tmpRHosRn.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.
2016-02-11T11:10:58Z DEBUG
stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
InsecureRequestWarning: Unverified HTTPS request is being made. Adding
certificate verification is strongly advised. See:
https://urllib3.readthedocs.org/en/latest/security.html
InsecureRequestWarning)
pkispawn : WARNING ....... unable to validate security domain
user/password through REST interface. Interface not available
pkispawn : ERROR ....... Exception from Java Configuration
Servlet: 500 Server Error: Internal Server Error
pkispawn : ERROR ....... ParseError: not well-formed (invalid
token): line 1, column 0:
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error
while updating security domain: java.io.IOException: 2"}
2016-02-11T11:10:58Z CRITICAL Failed to configure CA instance: Command
''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpRHosRn'' returned
non-zero exit status 1
2016-02-11T11:10:58Z CRITICAL See the installation logs and the
following files/directories for more information:
2016-02-11T11:10:58Z CRITICAL /var/log/pki-ca-install.log
2016-02-11T11:10:58Z CRITICAL /var/log/pki/pki-tomcat
2016-02-11T11:10:58Z DEBUG Traceback (most recent call last):
File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
418, in start_creation
run_step(full_msg, method)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
408, in run_step
method()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 620, in __spawn_instance
DogtagInstance.spawn_instance(self, cfg_file)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line
201, in spawn_instance
self.handle_setup_error(e)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line
465, in handle_setup_error
raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.
I'm attaching the 3 log files, as usual:
On Thu, Feb 11, 2016 at 11:28 AM, Quasar <[email protected]> wrote:
Hi Martin,
first of all thanks for taking some time to read and provide
feedback, much appreciated.
I first tried with CentOS 7.x (build 1511) but got the same
error during CA configuration. Then I supposed I had to upgrade
step-by-step, from 3.0 to 3.3 (instead of 3.0 to 4.x) and used
Fedora 23, 20, 19 and 18 but with no luck.
If you need the exact logs from the CentOS 7.x migration I can provide
them to you.
About the debug log file, it was attached and these are the final
lines containing the error:
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: getDomainXML:
domainInfo=<?xml version="1.0" encoding="UTF-8"
standalone="no"?><DomainInfo><Name>IPA</Name><CAList><CA><Host>ipaserver.it.fx.lan</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><UnSecurePort>80</UnSecurePort><Clone>FALSE</Clone><SubsystemName>pki-cad</SubsystemName><DomainManager>TRUE</DomainManager></CA><CA><Host>ipaserver-ha.it.fx.lan</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><UnSecurePort>80</UnSecurePort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><DomainManager>TRUE</DomainManager><Clone>TRUE</Clone><SubsystemName>pki-cad</SubsystemName></CA><SubsystemCount>2</SubsystemCount></CAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><RAList><SubsystemCount>0</SubsystemCount></RAList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo>
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: Cloning a domain master
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: WizardPanelBase
updateDomainXML start hostname=ipaserver.it.fx.lan port=443
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]:
updateSecurityDomain: failed to update security domain using admin
port 443: org.xml.sax.SAXParseException; lineNumber: 1;
columnNumber: 50; White spaces are required between publicId and
systemId.
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]:
updateSecurityDomain: now trying agent port with client auth
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: WizardPanelBase
updateDomainXML start hostname=ipaserver.it.fx.lan port=443
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: updateDomainXML()
nickname=subsystemCert cert-pki-ca
[09/Feb/2016:15:31:43][http-bio-8443-exec-3]: WizardPanelBase
updateDomainXML: status=1
--
Giuseppe Calignano
I'm not sure, but it looks like the known bug in Dogtag 9 and 10
compatibility (I will try to find the related Bugzillas).
This should be already fixed in RHEL, so I do not know when it will hit
CentOS or if it is already there.
pkispawn : WARNING ....... unable to validate security domain
user/password through REST interface. Interface not available
pkispawn : ERROR ....... Exception from Java Configuration
Servlet: 500 Server Error: Internal Server Error
pkispawn : ERROR ....... ParseError: not well-formed (invalid
token): line 1, column 0:
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error
while updating security domain: java.io.IOException: 2"}
But I might be wrong, Dogtag guys can you look at it please? :-)
Martin
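
Added example, not part of the original thread and not FreeIPA or Dogtag code: a small triage helper for the pkispawn stderr quoted above. It assumes the ParseError comes from an XML parser being handed the server's JSON error body, which is consistent with the log; the function name `triage_pkispawn_error` and the sample constant are hypothetical.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample: the pkispawn stderr lines from the thread, still
# wrapped the way the mail client wrapped them.
SAMPLE_LOG = """pkispawn : ERROR ....... Exception from Java Configuration
Servlet: 500 Server Error: Internal Server Error
pkispawn : ERROR ....... ParseError: not well-formed (invalid
token): line 1, column 0:
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error
while updating security domain: java.io.IOException: 2"}
2016-02-11T11:10:58Z CRITICAL Failed to configure CA instance
"""


def triage_pkispawn_error(log_text):
    """Find the body after a pkispawn ParseError and decode it.

    Returns None when no such body exists, otherwise a dict holding the
    XML parser's complaint and the fields of the JSON error object.
    """
    marker = log_text.find("ParseError")
    start = log_text.find("{", marker) if marker != -1 else -1
    if start == -1:
        return None
    # Line wrapping split the body at a space; collapse whitespace so the
    # JSON string no longer contains a raw newline.
    flat = " ".join(log_text[start:].split())
    # raw_decode stops at the end of the first JSON value, so trailing log
    # lines after the closing brace are ignored.
    payload, end = json.JSONDecoder().raw_decode(flat)
    try:
        ET.fromstring(flat[:end])
        xml_error = None
    except ET.ParseError as exc:
        xml_error = str(exc)  # the same kind of complaint seen in the log
    return {
        "xml_error": xml_error,
        "class": payload.get("ClassName"),
        "code": payload.get("Code"),
        "message": payload.get("Message"),
    }


if __name__ == "__main__":
    print(triage_pkispawn_error(SAMPLE_LOG))
```

The decoded `message` field is the part worth searching for in the CA debug log on the master, since the ParseError itself only says that the response was not XML.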