Thank you! Dodging the dogtag guys, then ;-)

On Thu 11 Feb 2016 13:26 Martin Basti <[email protected]> wrote:
>
> On 11.02.2016 12:51, Quasar wrote:
>
> Martin,
>
> I've re-tested the replica with a freshly-installed CentOS 7 (1511).
> Installation still fails (damn!) and the log is a bit more verbose. I
> suppose it has something to do with certificate in my master server probably
> due to incremental updates done in the past.
>
> 2016-02-11T11:09:21Z DEBUG Starting external process
> 2016-02-11T11:09:21Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
> '/tmp/tmpRHosRn'
> 2016-02-11T11:10:58Z DEBUG Process finished, return code=1
> 2016-02-11T11:10:58Z DEBUG stdout=Log file:
> /var/log/pki/pki-ca-spawn.20160211120921.log
> Loading deployment configuration from /tmp/tmpRHosRn.
> Installing CA into /var/lib/pki/pki-tomcat.
> Storing deployment configuration into
> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>
> Installation failed.
>
>
> 2016-02-11T11:10:58Z DEBUG
> stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
> InsecureRequestWarning: Unverified HTTPS request is being made. Adding
> certificate verification is strongly advised. See:
> https://urllib3.readthedocs.org/en/latest/security.html
> InsecureRequestWarning)
> pkispawn : WARNING ....... unable to validate security domain
> user/password through REST interface. Interface not available
> pkispawn : ERROR ....... Exception from Java Configuration Servlet:
> 500 Server Error: Internal Server Error
> pkispawn : ERROR ....... ParseError: not well-formed (invalid
> token): line 1, column 0:
> {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error
> while updating security domain: java.io.IOException: 2"}
>
> 2016-02-11T11:10:58Z CRITICAL Failed to configure CA instance: Command
> ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpRHosRn'' returned non-zero
> exit status 1
> 2016-02-11T11:10:58Z CRITICAL See the installation logs and the following
> files/directories for more information:
> 2016-02-11T11:10:58Z CRITICAL /var/log/pki-ca-install.log
> 2016-02-11T11:10:58Z CRITICAL /var/log/pki/pki-tomcat
> 2016-02-11T11:10:58Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 418, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 408, in run_step
>     method()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> line 620, in __spawn_instance
>     DogtagInstance.spawn_instance(self, cfg_file)
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
> line 201, in spawn_instance
>     self.handle_setup_error(e)
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
> line 465, in handle_setup_error
>     raise RuntimeError("%s configuration failed." % self.subsystem)
> RuntimeError: CA configuration failed.
>
> I'm attaching the 3 log files, as usual:
>
>
>
> On Thu, Feb 11, 2016 at 11:28 AM, Quasar <[email protected]> wrote:
>
>> Hi Martin,
>>
>> first of all thanks for taking some time to read and provide feedback,
>> much appreciated.
>>
>> I firstly tried with CentOS 7.x (build 1511) but got the same error
>> during CA configuration. Then I supposed I had to upgrade step-by-step,
>> from 3.0 to 3.3 (instead of 3.0 to 4.x) and used Fedora 23, 20, 19 and 18
>> but with no luck.
>> If you need the exact log from CentOS 7.x migration I can provide them to
>> you.
>>
>> About the debug log file, it was attached and these are the final lines
>> containing the error:
>>
>> [09/Feb/2016:15:31:42][http-bio-8443-exec-3]: getDomainXML:
>> domainInfo=<?xml version="1.0" encoding="UTF-8"
>> standalone="no"?><DomainInfo><Name>IPA</Name><CAList><CA><Host>ipaserver.it.fx.lan</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><UnSecurePort>80</UnSecurePort><Clone>FALSE</Clone><SubsystemName>pki-cad</SubsystemName><DomainManager>TRUE</DomainManager></CA><CA><Host>ipaserver-ha.it.fx.lan</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><UnSecurePort>80</UnSecurePort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><DomainManager>TRUE</DomainManager><Clone>TRUE</Clone><SubsystemName>pki-cad</SubsystemName></CA><SubsystemCount>2</SubsystemCount></CAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><RAList><SubsystemCount>0</SubsystemCount></RAList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo>
>> [09/Feb/2016:15:31:42][http-bio-8443-exec-3]: Cloning a domain master
>> [09/Feb/2016:15:31:42][http-bio-8443-exec-3]: WizardPanelBase
>> updateDomainXML start hostname=ipaserver.it.fx.lan port=443
>> [09/Feb/2016:15:31:42][http-bio-8443-exec-3]: updateSecurityDomain:
>> failed to update security domain using admin port 443:
>> org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White
>> spaces are required between publicId and systemId.
>> [09/Feb/2016:15:31:42][http-bio-8443-exec-3]: updateSecurityDomain: now
>> trying agent port with client auth
>> [09/Feb/2016:15:31:42][http-bio-8443-exec-3]: WizardPanelBase
>> updateDomainXML start hostname=ipaserver.it.fx.lan port=443
>> [09/Feb/2016:15:31:42][http-bio-8443-exec-3]: updateDomainXML()
>> nickname=subsystemCert cert-pki-ca
>> [09/Feb/2016:15:31:43][http-bio-8443-exec-3]: WizardPanelBase
>> updateDomainXML: status=1
>>
>>
>>
>> --
>> Giuseppe Calignano
>>
>
>
>
> --
> Giuseppe Calignano
>
>
> I'm not sure but it looks like the known bug in dogtag 9 and 10
> compatibility (I will try to find related bugzillas).
> This should be already fixed in RHEL, so I do not know when it will hit
> CentOS or if it is already there.
>
> pkispawn : WARNING ....... unable to validate security domain
> user/password through REST interface. Interface not available
> pkispawn : ERROR ....... Exception from Java Configuration Servlet:
> 500 Server Error: Internal Server Error
> pkispawn : ERROR ....... ParseError: not well-formed (invalid
> token): line 1, column 0:
> {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error
> while updating security domain: java.io.IOException: 2"}
>
> But I might be wrong, Dogtag guys can you look at it please? :-)
>
>
> Martin
>
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
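
An added illustration, not part of the original messages and not FreeIPA or Dogtag code: the body printed after `ParseError` in the quoted pkispawn output is JSON, which an XML parser rejects at line 1, column 0, so the detail worth reading is the `PKIException` inside it. The sketch below extracts that exception from stderr text; the sample input is constructed from the thread's own lines with the mail wrapping removed, and the function names are hypothetical.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample: the pkispawn stderr lines quoted in the thread, unwrapped.
SAMPLE_STDERR = """\
pkispawn : WARNING ....... unable to validate security domain user/password through REST interface. Interface not available
pkispawn : ERROR ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error while updating security domain: java.io.IOException: 2"}
"""


def extract_pki_exception(stderr_text):
    """Return the first JSON exception body embedded in the text, or None."""
    decoder = json.JSONDecoder()
    for match in re.finditer(r"\{", stderr_text):
        try:
            obj, _ = decoder.raw_decode(stderr_text, match.start())
        except ValueError:
            continue  # this brace does not start a valid JSON value
        if isinstance(obj, dict) and "ClassName" in obj and "Message" in obj:
            return obj
    return None


def xml_parse_error(body):
    """Parse body as XML; return (line, column) of the failure, None if it parses."""
    try:
        ET.fromstring(body)
    except ET.ParseError as exc:
        return exc.position
    return None


def triage(stderr_text):
    """Summarise the server-side exception hidden behind the client ParseError."""
    exc = extract_pki_exception(stderr_text)
    if exc is None:
        return None
    body = json.dumps(exc, separators=(",", ":"))
    return {
        "class": exc["ClassName"],
        "code": exc.get("Code"),
        "message": exc["Message"],
        # Where an XML parser gives up on the same body.
        "xml_error_position": xml_parse_error(body),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_STDERR))
```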
