On 11.02.2016 13:33, Quasar wrote:
Thank you!
Dodging the dogtag guys, then ;-)
Do you have CA configured as external CA?
It could be:
https://bugzilla.redhat.com/show_bug.cgi?id=1291747
I don't think that it is already in CentOS
On Thu 11 Feb 2016 13:26 Martin Basti <[email protected]
<mailto:[email protected]>> wrote:
On 11.02.2016 12:51, Quasar wrote:
Martin,
I've re-tested the replica with a freshly-installed CentOS 7 (1511).
Installation still fails (damn!) and the log is a bit more
verbose. I suppose it has something to do with certificate in my
master server probably due to incremental updates done in the past.
2016-02-11T11:09:21Z DEBUG Starting external process
2016-02-11T11:09:21Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA'
'-f' '/tmp/tmpRHosRn'
2016-02-11T11:10:58Z DEBUG Process finished, return code=1
2016-02-11T11:10:58Z DEBUG stdout=Log file:
/var/log/pki/pki-ca-spawn.20160211120921.log
Loading deployment configuration from /tmp/tmpRHosRn.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.
2016-02-11T11:10:58Z DEBUG
stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
InsecureRequestWarning: Unverified HTTPS request is being made.
Adding certificate verification is strongly advised. See:
https://urllib3.readthedocs.org/en/latest/security.html
InsecureRequestWarning)
pkispawn : WARNING ....... unable to validate security domain
user/password through REST interface. Interface not available
pkispawn : ERROR ....... Exception from Java Configuration
Servlet: 500 Server Error: Internal Server Error
pkispawn : ERROR ....... ParseError: not well-formed
(invalid token): line 1, column 0:
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error
while updating security domain: java.io.IOException: 2"}
2016-02-11T11:10:58Z CRITICAL Failed to configure CA instance:
Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpRHosRn''
returned non-zero exit status 1
2016-02-11T11:10:58Z CRITICAL See the installation logs and the
following files/directories for more information:
2016-02-11T11:10:58Z CRITICAL /var/log/pki-ca-install.log
2016-02-11T11:10:58Z CRITICAL /var/log/pki/pki-tomcat
2016-02-11T11:10:58Z DEBUG Traceback (most recent call last):
File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 418, in start_creation
run_step(full_msg, method)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 408, in run_step
method()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 620, in __spawn_instance
DogtagInstance.spawn_instance(self, cfg_file)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 201, in spawn_instance
self.handle_setup_error(e)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 465, in handle_setup_error
raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.
I'm attaching the 3 log files, as usual:
On Thu, Feb 11, 2016 at 11:28 AM, Quasar <[email protected]
<mailto:[email protected]>> wrote:
Hi Martin,
first of all thanks for taking some time to read and provide
feedback, much appreciated.
I firstly tried with CentOS 7.x (build 1511) but got the same
error during CA configuration. Then I supposed I had to
upgrade step-by-step, from 3.0 to 3.3 (instead of 3.0 to 4.x)
and used Fedora 23, 20, 19 and 18 but with no luck.
If you need the exact log from CentOS 7.x migration I can
provide them to you.
About the debug log file, it was attached and these are the
final lines containing the error:
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: getDomainXML:
domainInfo=<?xml version="1.0" encoding="UTF-8"
standalone="no"?><DomainInfo><Name>IPA</Name><CAList><CA><Host>ipaserver.it.fx.lan</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><UnSecurePort>80</UnSecurePort><Clone>FALSE</Clone><SubsystemName>pki-cad</SubsystemName><DomainManager>TRUE</DomainManager></CA><CA><Host>ipaserver-ha.it.fx.lan</Host><SecurePort>443</SecurePort><SecureAgentPort>443</SecureAgentPort><SecureAdminPort>443</SecureAdminPort><UnSecurePort>80</UnSecurePort><SecureEEClientAuthPort>443</SecureEEClientAuthPort><DomainManager>TRUE</DomainManager><Clone>TRUE</Clone><SubsystemName>pki-cad</SubsystemName></CA><SubsystemCount>2</SubsystemCount></CAList><OCSPList><SubsystemCount>0</SubsystemCount></OCSPList><KRAList><SubsystemCount>0</SubsystemCount></KRAList><RAList><SubsystemCount>0</SubsystemCount></RAList><TKSList><SubsystemCount>0</SubsystemCount></TKSList><TPSList><SubsystemCount>0</SubsystemCount></TPSList></DomainInfo>
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: Cloning a
domain master
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: WizardPanelBase
updateDomainXML start hostname=ipaserver.it.fx.lan port=443
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]:
updateSecurityDomain: failed to update security domain using
admin port 443: org.xml.sax.SAXParseException; lineNumber: 1;
columnNumber: 50; White spaces are required between publicId
and systemId.
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]:
updateSecurityDomain: now trying agent port with client auth
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]: WizardPanelBase
updateDomainXML start hostname=ipaserver.it.fx.lan port=443
[09/Feb/2016:15:31:42][http-bio-8443-exec-3]:
updateDomainXML() nickname=subsystemCert cert-pki-ca
[09/Feb/2016:15:31:43][http-bio-8443-exec-3]: WizardPanelBase
updateDomainXML: status=1
--
Giuseppe Calignano
I'm not sure but it looks like the known bug in dogtag 9 and 10
compatibility (I will try to find related bugzillas).
This should be already fixed in RHEL, so I do not know when it
will hit CentOS or if it is already there.
pkispawn : WARNING ....... unable to validate security domain
user/password through REST interface. Interface not available
pkispawn : ERROR ....... Exception from Java Configuration
Servlet: 500 Server Error: Internal Server Error
pkispawn : ERROR ....... ParseError: not well-formed
(invalid token): line 1, column 0:
{"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error
while updating security domain: java.io.IOException: 2"}
But I might be wrong, Dogtag guys can you look at it please? :-)
Martin