Hi,
you are hitting https://github.com/dogtagpki/pki/issues/3544

The issue was solved in dogtag-pki-server-11.1.0-0.1.alpha2.fc36.noarch and dogtag-pki-server-11.0.2-1.fc35.noarch. If you upgrade dogtag-pki-server, you should be able to re-install the replica with the CA role.
HTH,
flo

On Tue, Jan 18, 2022 at 12:39 PM lejeczek via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:


On 18/01/2022 11:23, lejeczek via FreeIPA-users wrote:
> Hi guys.
>
> Adding a second master failed a number of times, so I went
> without '--setup-ca'; now on that master I get lots of:
>
> Invalid PKI instance: pki-tomcat:
>
>   {
>     "source": "pki.server.healthcheck.certs.expiration",
>     "check": "CASystemCertExpiryCheck",
>     "result": "CRITICAL",
>     "uuid": "7b920e6a-4f47-4541-80fa-e9d87dadff20",
>     "when": "20220118102040Z",
>     "duration": "0.000175",
>     "kw": {
>       "msg": "Invalid PKI instance: pki-tomcat"
>     }
>   },
> ...
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "check": "IPACertfileExpirationCheck",
>     "result": "ERROR",
>     "uuid": "fb01a7bd-3457-4007-8c3d-66662e23b6df",
>     "when": "20220118102040Z",
>     "duration": "0.006617",
>     "kw": {
>       "key": "20210709164208",
>       "dbdir": "/etc/pki/pki-tomcat/alias",
>       "nickname": "auditSigningCert cert-pki-kra",
>       "error": "NSSDB '/etc/pki/pki-tomcat/alias' not
> initialized.",
>       "msg": "Request id {key}: Unable to retrieve cert
> '{nickname}' from '{dbdir}': {error}"
>     }
>   },
> ..
>
>
> The first master's healthcheck does not mention these problems.
> Is it that IPA - falsely - believes that this second master
> is CA/KRA?
> If so, then how to resolve this? This second master,
> according to '--uninstall', was removed successfully (each
> time '--setup-ca' failed).
>
> many thanks, L.
>
And when the CA install fails on that replica candidate, it does
so each time with:
...
FINE: - subject: SYSTEM
FINE: PKIClientSocketListener.alertSent: begins
FINE: PKIClientSocketListener.alertSent: got description:0
FINE: PKIClientSocketListener.alertSent: got
reason:clientAlertSent: CLOSE_NOTIFY
FINE: SignedAuditLogger: event CLIENT_ACCESS_SESSION_TERMINATED
FINE: PKIClientSocketListener: SSL alert sent:
FINE: - reason: clientAlertSent: CLOSE_NOTIFY
FINE: - client: 10.0.0.8
FINE: - server: 10.0.0.8
FINE: - subject: SYSTEM
FINE: - server port: 636
com.netscape.certsrv.base.ConflictingOperationException:
Entry already exists.
     at
com.netscape.certsrv.ldap.LDAPExceptionConverter.toPKIException(LDAPExceptionConverter.java:45)

     at
com.netscape.cmscore.usrgrp.UGSubsystem.addUser(UGSubsystem.java:720)

     at
org.dogtagpki.server.cli.SubsystemUserAddCLI.execute(SubsystemUserAddCLI.java:180)

     at
org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
     at org.dogtagpki.cli.CLI.execute(CLI.java:357)
     at org.dogtagpki.cli.CLI.execute(CLI.java:357)
     at org.dogtagpki.cli.CLI.execute(CLI.java:357)
     at
org.dogtagpki.server.cli.PKIServerCLI.execute(PKIServerCLI.java:93)

     at
org.dogtagpki.server.cli.PKIServerCLI.main(PKIServerCLI.java:123)

Caused by: netscape.ldap.LDAPException: error result (68);
Already exists
     at netscape.ldap.LDAPConnection.checkMsg(Unknown Source)
     at netscape.ldap.LDAPConnection.add(Unknown Source)
     at netscape.ldap.LDAPConnection.add(Unknown Source)
     at netscape.ldap.LDAPConnection.add(Unknown Source)
     at
com.netscape.cmscore.usrgrp.UGSubsystem.addUser(UGSubsystem.java:717)

     ... 7 more
CalledProcessError: Command '['/usr/sbin/runuser', '-u',
'pkiuser', '--', '/usr/lib/jvm/jre-1.8.0-openjdk/bin/java',
'-classpath',
'/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/tomcat-servlet-api.jar:/usr/share/pki/ca/webapps/ca/WEB-INF/lib/*:/var/lib/pki/pki-tomcat/common/lib/*:/usr/share/pki/lib/*',
'-Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory',
'-Dcatalina.base=/var/lib/pki/pki-tomcat',
'-Dcatalina.home=/usr/share/tomcat',
'-Djava.endorsed.dirs=',
'-Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp',
'-Djava.util.logging.config.file=/etc/pki/pki-tomcat/logging.properties',
'-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager',
'-Dcom.redhat.fips=false',
'org.dogtagpki.server.cli.PKIServerCLI', 'ca-user-add',
'--full-name', 'CA-midway.abba.xx.priv.yy-8443', '--type',
'agentType', '--state', '1', '--debug',
'CA-midway.abba.xx.priv.yy-8443']' returned non-zero exit
status 255.
   File
"/usr/lib/python3.6/site-packages/pki/server/pkispawn.py",
line 575, in main
     scriptlet.spawn(deployer)
   File
"/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py",
line 740, in spawn
     deployer.setup_subsystem_user(instance, subsystem,
system_certs['subsystem'])
   File
"/usr/lib/python3.6/site-packages/pki/server/deployment/__init__.py",
line 1040, in setup_subsystem_user
     state='1')
   File
"/usr/lib/python3.6/site-packages/pki/server/subsystem.py",
line 1521, in add_user
     capture_output=True)
   File
"/usr/lib/python3.6/site-packages/pki/server/subsystem.py",
line 1653, in run
     check=True)
   File "/usr/lib64/python3.6/subprocess.py", line 438, in run
     output=stdout, stderr=stderr)


2022-01-18T11:00:00Z CRITICAL Failed to configure CA instance


Something fundamentally wrong with that first master? (for
healthcheck says nothing)

thanks, L.
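The healthcheck output quoted above is the JSON form of ipa-healthcheck, where each finding carries a `kw` dict and a `msg` template that the human-readable output expands from the other `kw` fields. The following triage helper is an added example, not code from the thread or from ipa-healthcheck itself: it renders those messages, lists failing findings worst first, and flags findings that touch the pki-tomcat instance on a host whose role set (as the caller reads it from `ipa server-role-find`, role names assumed here) contains no CA or KRA, which is the leftover state the poster describes after a failed `--setup-ca`. The sample findings are constructed from the two entries in the thread plus one placeholder SUCCESS entry.

```python
import json

# Constructed sample modelled on the ipa-healthcheck JSON quoted in the thread;
# the third entry is a placeholder to show that passing checks are filtered out.
SAMPLE_OUTPUT = json.dumps([
    {"source": "pki.server.healthcheck.certs.expiration",
     "check": "CASystemCertExpiryCheck", "result": "CRITICAL",
     "kw": {"msg": "Invalid PKI instance: pki-tomcat"}},
    {"source": "ipahealthcheck.ipa.certs",
     "check": "IPACertfileExpirationCheck", "result": "ERROR",
     "kw": {"key": "20210709164208", "dbdir": "/etc/pki/pki-tomcat/alias",
            "nickname": "auditSigningCert cert-pki-kra",
            "error": "NSSDB '/etc/pki/pki-tomcat/alias' not initialized.",
            "msg": "Request id {key}: Unable to retrieve cert "
                   "'{nickname}' from '{dbdir}': {error}"}},
    {"source": "ipahealthcheck.ipa.roles", "check": "IPACRLManagerCheck",
     "result": "SUCCESS", "kw": {}},
])

SEVERITY = {"SUCCESS": 0, "WARNING": 1, "ERROR": 2, "CRITICAL": 3}


def render_message(finding):
    """Expand the 'msg' template with the other kw fields, the way the
    human-readable healthcheck output presents a finding."""
    kw = finding.get("kw", {})
    msg = kw.get("msg", "")
    try:
        return msg.format(**kw)
    except (KeyError, IndexError):
        return msg  # leave an odd template unexpanded rather than fail triage


def failing_findings(raw, min_result="WARNING"):
    """Findings at or above min_result, worst first,
    as (result, source, check, rendered message) tuples."""
    threshold = SEVERITY[min_result]
    found = [f for f in json.loads(raw)
             if SEVERITY.get(f["result"], 0) >= threshold]
    found.sort(key=lambda f: SEVERITY[f["result"]], reverse=True)
    return [(f["result"], f["source"], f["check"], render_message(f))
            for f in found]


def stale_pki_findings(raw, host_roles):
    """Failing findings that reference the pki-tomcat instance on a host
    whose roles (assumed to be named as 'ipa server-role-find' prints them,
    e.g. 'CA server', 'KRA server') include neither CA nor KRA: a sign of
    leftovers from an uninstalled or failed CA/KRA setup."""
    if host_roles & {"CA server", "KRA server"}:
        return []
    return [t for t in failing_findings(raw) if "pki-tomcat" in t[3]]
```

Run it against `ipa-healthcheck --output-type json` captured from the replica, together with the role list of that host, to separate genuine certificate problems from checks that should not be running there at all.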
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org