On Tue, Jul 07, 2020 at 12:04:58AM -0400, Guillermo Fuentes via FreeIPA-users wrote:
> On Mon, Jul 6, 2020 at 5:31 PM Rob Crittenden <rcritten@redhat.com> wrote:
>
> Guillermo Fuentes via FreeIPA-users wrote:
> > Hi Flo,
> > Here is the value of the entry:
> > # certificateRepository, ca, ipaca
> > dn: ou=certificateRepository,ou=ca,o=ipaca
> > objectClass: top
> > objectClass: repository
> > ou: certificateRepository
> > serialno: 09268369921
> > nextRange: e0000001
> >
> > The value of nextRange was modified by hand to fix another issue.
> > According to this
> >
> > https://frasertweedale.github.io/blog-redhat/posts/2019-07-26-dogtag-repl...
> > it should be hexadecimal.
>
> Maybe try an upper-case E.
>
> rob
> Same result.
IIRC the ldap objects all use decimal representation. It is only in
CS.cfg where some ranges are hexadecimal and others are decimal.
I can confirm later. And update the blog post to clarify!
Put the decimal representation in the `nextRange' attribute and see
how you go.
Cheers,
Fraser
>
> >
> > If the code is expecting a decimal value, I'm assuming converting the
> > range from hex to decimal should do it, right? I'll also check for
> > conflicts.
> >
> > Thanks!
> > Guillermo
> >
> > On Mon, Jul 6, 2020 at 12:35 PM Florence Blanc-Renaud <flo@redhat.com> wrote:
> >>
> >> On 7/6/20 5:18 PM, Guillermo Fuentes via FreeIPA-users wrote:
> >>> Hi all,
> >>>
> >>> I'm having an issue creating a new replica with CA.
> >>> The Directory Service installation works fine but adding the CA clone
> >>> fails with a java.lang.NumberFormatException when getting the serial
> >>> number range.
> >>>
> >>> This is the error logged in /var/log/pki/pki-tomcat/ca/debug:
> >>> ######
> >>> ...
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: retrieving ou=ca, ou=requests,o=ipaca
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: updating nextRange from 80000001 to 90000001
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: adding new range object: cn=80000001,ou=requests, ou=ranges,o=ipaca
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: getNextRange Next range has been added: 80000001 - 90000000
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Releasing ldap connection
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: returnConn: mNumConns now 3
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: next range: 80000001
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Next min serial number: 80000001
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: Setting next min requests number: 80000001
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: Setting next max requests number: 90000000
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Checking for a range conflict
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: In LdapBoundConnFactory::getConn()
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: masterConn is connected: true
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: conn is connected true
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: mNumConns now 2
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Releasing ldap connection
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: returnConn: mNumConns now 3
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: CMSEngine: checking certificate serial number ranges
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Serial numbers left in range: 65536
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Last serial number: 2415656960
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Serial numbers available: 65536
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Low water mark: 33554432
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Requesting next range
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: In LdapBoundConnFactory::getConn()
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: masterConn is connected: true
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: conn is connected true
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: mNumConns now 2
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: retrieving ou=certificateRepository, ou=ca,o=ipaca
> >> Hi,
> >>
> >> What is the content of this entry?
> >> ldapsearch -D "cn=directory manager" -W -b
> >> "ou=certificateRepository,ou=ca,o=ipaca" -s base
> >>
> >> According to the code, a decimal format is expected for the attribute
> >> nextRange. Was the value modified by hand? If not, I would advise to
> >> open an issue against dogtag, for the team to investigate how an
> >> hexadecimal format could get written there:
> >>
> >> https://pagure.io/dogtagpki/new_issue
> >>
> >> HTH,
> >> flo
> >>
> >>> java.lang.NumberFormatException: For input string: "e0000001"
> >>>         at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
> >>>         at java.lang.Integer.parseInt(Integer.java:580)
> >>>         at java.math.BigInteger.<init>(BigInteger.java:470)
> >>>         at java.math.BigInteger.<init>(BigInteger.java:606)
> >>>         at com.netscape.cmscore.dbs.DBSubsystem.getNextRange(DBSubsystem.java:417)
> >>>         at com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:546)
> >>>         at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1268)
> >>>         at com.netscape.certsrv.apps.CMS.startup(CMS.java:204)
> >>>         at com.netscape.certsrv.apps.CMS.start(CMS.java:1459)
> >>>         at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
> >>>         at javax.servlet.GenericServlet.init(GenericServlet.java:158)
> >>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >>>         at java.lang.reflect.Method.invoke(Method.java:498)
> >>>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
> >>>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
> >>>         at java.security.AccessController.doPrivileged(Native Method)
> >>>         at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
> >>>         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
> >>> ...
> >>> ######
> >>>
> >>> This is logged in /var/log/pki/pki-ca-spawn.20200620150752.log:
> >>> ######
> >>> ...
> >>> 2020-06-20 15:09:47 pkispawn : INFO ....... executing 'systemctl stop pki-tomcatd@pki-tomcat.service'
> >>> 2020-06-20 15:09:48 pkispawn : INFO ....... removing temp SSL server cert from internal token: Server-Cert cert-pki-ca
> >>> 2020-06-20 15:09:48 pki.nssdb : DEBUG Command: certutil -D -d /var/lib/pki/pki-tomcat/alias -f /tmp/tmptjRzW6/password.txt -n Server-Cert cert-pki-ca
> >>> 2020-06-20 15:09:48 pkispawn : INFO ....... importing permanent SSL server cert into internal token: Server-Cert cert-pki-ca
> >>> 2020-06-20 15:09:48 pki.nssdb : DEBUG Command: certutil -A -d /var/lib/pki/pki-tomcat/alias -f /tmp/tmplJLOg8/internal_password.txt -n Server-Cert cert-pki-ca -a -i /tmp/tmpeCzA_b/sslserver.crt -t ,,
> >>> 2020-06-20 15:09:48 pkispawn : INFO ....... executing 'systemctl daemon-reload'
> >>> 2020-06-20 15:09:48 pkispawn : INFO ....... executing 'systemctl start pki-tomcatd@pki-tomcat.service'
> >>> 2020-06-20 15:09:48 pkispawn : INFO ........... FIPS mode is NOT enabled on this operating system.
> >>> 2020-06-20 15:09:48 pkispawn : DEBUG ........... No connection - server may still be down
> >>> 2020-06-20 15:09:48 pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
> >>> 2020-06-20 15:09:49 pkispawn : DEBUG ........... No connection - server may still be down
> >>> 2020-06-20 15:09:49 pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
> >>> 2020-06-20 15:09:56 pkispawn : DEBUG ........... No connection - server may still be down
> >>> 2020-06-20 15:09:56 pkispawn : DEBUG ........... No connection - exception thrown: 500 Server Error: Internal Server Error
> >>> 2020-06-20 15:09:57 pkispawn : DEBUG ........... No connection - server may still be down
> >>> 2020-06-20 15:09:57 pkispawn : DEBUG ........... No connection - exception thrown: 500 Server Error: Internal Server Error
> >>> 2020-06-20 15:09:58 pkispawn : DEBUG ........... No connection - server may still be down
> >>> ... repeats every second
> >>> 2020-06-20 15:10:47 pkispawn : DEBUG ........... No connection - exception thrown: 500 Server Error: Internal Server Error
> >>> 2020-06-20 15:10:48 pkispawn : DEBUG ........... No connection - server may still be down
> >>> 2020-06-20 15:10:48 pkispawn : DEBUG ........... No connection - exception thrown: 500 Server Error: Internal Server Error
> >>> 2020-06-20 15:10:49 pkispawn : ERROR ... server failed to restart
> >>> 2020-06-20 15:10:49 pkispawn : DEBUG ....... Error Type: RuntimeError
> >>> 2020-06-20 15:10:49 pkispawn : DEBUG ....... Error Message: server failed to restart
> >>> 2020-06-20 15:10:49 pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", line 534, in main
> >>>     scriptlet.spawn(deployer)
> >>>   File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 1304, in spawn
> >>>     raise RuntimeError("server failed to restart")
> >>> ######
> >>>
> >>> And here is the failure in /var/log/ipareplica-ca-install.log:
> >>> ######
> >>> ...
> >>> ---------------
> >>> Import complete
> >>> ---------------
> >>> Imported certificates into /etc/pki/pki-tomcat/alias:
> >>>
> >>> Certificate Nickname                     Trust Attributes
> >>>                                          SSL,S/MIME,JAR/XPI
> >>>
> >>> Third-party RSA CA                       C,,
> >>> caSigningCert cert-pki-ca                CTu,Cu,Cu
> >>> subsystemCert cert-pki-ca                u,u,u
> >>> auditSigningCert cert-pki-ca             u,u,Pu
> >>> Third-party Root CA                      C,,
> >>> ocspSigningCert cert-pki-ca              u,u,u
> >>>
> >>> Installation failed: server failed to restart
> >>>
> >>>
> >>> 2020-06-20T15:10:50Z DEBUG stderr=pkispawn : ERROR ... server failed to restart
> >>>
> >>> 2020-06-20T15:10:50Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpcQ1jxM' returned non-zero exit status 1
> >>> 2020-06-20T15:10:50Z CRITICAL See the installation logs and the following files/directories for more information:
> >>> 2020-06-20T15:10:50Z CRITICAL /var/log/pki/pki-tomcat
> >>> 2020-06-20T15:10:50Z DEBUG Traceback (most recent call last):
> >>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 567, in start_creation
> >>>     run_step(full_msg, method)
> >>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 557, in run_step
> >>>     method()
> >>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 675, in __spawn_instance
> >>>     pki_pin)
> >>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 167, in spawn_instance
> >>>     self.handle_setup_error(e)
> >>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 408, in handle_setup_error
> >>>     raise RuntimeError("%s configuration failed." % self.subsystem)
> >>> RuntimeError: CA configuration failed.
> >>>
> >>> 2020-06-20T15:10:50Z DEBUG [error] RuntimeError: CA configuration failed.
> >>> ...
> >>> ######
> >>>
> >>> Has anyone run into this?
> >>> Is this a known bug/issue?
> >>>
> >>> Current environment of all replicas:
> >>> - CentOS 7.8
> >>> - FreeIPA 4.6.6
> >>>
> >>> Any help/guidance on fixing this would be really appreciated.
> >>>
> >>> Thanks so much,
> >>>
> >>> Guillermo
> >>> _______________________________________________
> >>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> >>> To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
> >>> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> >>> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> >>> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> >>>
> >>
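Editor's added example (not code from this thread, from FreeIPA or from Dogtag): the stack trace above shows DBSubsystem.getNextRange() handing the LDAP `nextRange` value to `new BigInteger(String)`, which only parses base 10, so a hand-edited hex value such as "e0000001" (or "E0000001") fails at startup. The script below works on an LDIF export of the `o=ipaca` range entries, the kind of data Flo's ldapsearch returns, and does what the thread suggests doing by hand: it classifies the `nextRange` value the way Java would, converts a hex-looking value to the decimal Dogtag expects, and checks the range that would be allocated next against the ranges already recorded under `ou=ranges,o=ipaca`. The LDIF is constructed to mirror the entries quoted above; the `pkiRange` object class with `beginRange`/`endRange` attributes and the 0x10000000 serial increment are assumptions, not values taken from the page.

```python
"""Audit a Dogtag repository's nextRange and the range it would allocate next.

Added example for this page; not part of the FreeIPA-users thread, FreeIPA or
Dogtag. Assumptions: range objects under ou=ranges carry beginRange/endRange
(decimal), and the serial increment is passed in rather than read from CS.cfg.
"""
import re

# Constructed sample: the repository entry quoted in the thread plus one
# assumed, already-allocated certificate range (decimal, as LDAP stores them).
SAMPLE_LDIF = """\
# certificateRepository, ca, ipaca
dn: ou=certificateRepository,ou=ca,o=ipaca
objectClass: top
objectClass: repository
ou: certificateRepository
serialno: 09268369921
nextRange: e0000001

dn: cn=3221225473,ou=certificateRepository,ou=ranges,o=ipaca
objectClass: top
objectClass: pkiRange
cn: 3221225473
beginRange: 3221225473
endRange: 3489660928
"""


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr_lowercase: [values]}}.

    Handles comments and blank-line-separated entries only; base64 (`::`)
    values and folded lines, which the sample does not use, are not handled.
    """
    entries, dn, attrs = {}, None, {}
    for line in text.splitlines():
        if not line.strip():
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    if dn is not None:
        entries[dn] = attrs
    return entries


def parse_like_biginteger(value):
    """Mimic `new BigInteger(String)`: optional sign, decimal digits only."""
    if not re.fullmatch(r"[+-]?[0-9]+", value):
        raise ValueError(f'For input string: "{value}"')
    return int(value, 10)


def diagnose_next_range(value):
    """Classify nextRange: ('ok', n), ('hex-looking', n) or ('invalid', None).

    'hex-looking' means Dogtag will reject the value, but it reads as hex, so
    its decimal equivalent is the candidate to write back after a conflict check.
    """
    try:
        return "ok", parse_like_biginteger(value)
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-fA-F]+", value):
        return "hex-looking", int(value, 16)
    return "invalid", None


def find_overlaps(start, end, allocated):
    """Return the (begin, end) pairs in `allocated` that intersect [start, end]."""
    return [(b, e) for b, e in allocated if not (end < b or start > e)]


def audit(ldif_text, increment, repo_dn="ou=certificateRepository,ou=ca,o=ipaca"):
    """Check the repository's nextRange and the range it would hand out next."""
    entries = parse_ldif(ldif_text)
    value = entries[repo_dn]["nextrange"][0]
    status, start = diagnose_next_range(value)
    report = {"status": status, "value": value}
    if start is None:
        return report
    # Allocated ranges live under ou=ranges,o=ipaca and are decimal in LDAP (assumed schema).
    allocated = [
        (parse_like_biginteger(a["beginrange"][0]), parse_like_biginteger(a["endrange"][0]))
        for dn, a in entries.items()
        if dn.endswith(",ou=ranges,o=ipaca") and "beginrange" in a
    ]
    end = start + increment - 1
    report.update(decimal=start, next_range=(start, end),
                  conflicts=find_overlaps(start, end, allocated))
    return report


if __name__ == "__main__":
    r = audit(SAMPLE_LDIF, increment=0x10000000)  # increment is an assumed value
    print(f"nextRange={r['value']!r}: {r['status']}")
    if r["status"] == "hex-looking":
        print(f"  decimal equivalent to write back: {r['decimal']}")
    if "next_range" in r:
        print(f"  next allocation would be {r['next_range']}, conflicts: {r['conflicts']}")
```

To run it against a live instance, export the entries first (for example with Flo's ldapsearch, using `-b "o=ipaca"` and a subtree scope so that `ou=ranges` is included) and pass the LDIF text to `audit()`. A non-empty `conflicts` list means the decimal value must not simply be written back; the overlapping range object has to be accounted for first.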