[Freeipa-users] Re: Adding new replica with CA fails.

On Mon, Jul 6, 2020 at 5:31 PM Rob Crittenden <rcritten(a)redhat.com&gt; wrote: > > Guillermo Fuentes via FreeIPA-users wrote: > > Hi Flo, > > Here is the value of the entry: > > # certificateRepository, ca, ipaca > > dn: ou=certificateRepository,ou=ca,o=ipaca > > objectClass: top > > objectClass: repository > > ou: certificateRepository > > serialno: 09268369921 > > nextRange: e0000001 > > > > The value of nextRange was modified by hand to fix another issue. > > According to this > > https://frasertweedale.github.io/blog-redhat/posts/2019-07-26-dogtag-repl... > > it should be hexadecimal. > > Maybe try an upper-case E. > > rob Same result.

> > > > > If the code is expecting a decimal value, I'm assuming converting the > > range from hex to decimal should do it, right? I'll also check for > > conflicts. > > > > Thanks! > > Guillermo > > > > On Mon, Jul 6, 2020 at 12:35 PM Florence Blanc-Renaud <flo(a)redhat.com&gt; wrote: > >> > >> On 7/6/20 5:18 PM, Guillermo Fuentes via FreeIPA-users wrote: > >>> Hi all, > >>> > >>> I'm having an issue creating a new replica with CA. > >>> The Directory Service installation works fine but adding the CA clone > >>> fails with a java.lang.NumberFormatException when getting the serial > >>> number range. > >>> > >>> This is the error logged in /var/log/pki/pki-tomcat/ca/debug: > >>> ###### > >>> ... > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: retrieving > >>> ou=ca, ou=requests,o=ipaca > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: updating > >>> nextRange from 80000001 to 90000001 > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: adding new > >>> range object: cn=80000001,ou=requests, ou=ranges,o=ipaca > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: > >>> getNextRange Next range has been added: 80000001 - 90000000 > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Releasing ldap connection > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: returnConn: mNumConns now 3 > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: next range: 80000001 > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Next min > >>> serial number: 80000001 > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: Setting > >>> next min requests number: 80000001 > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: Setting > >>> next max requests number: 90000000 > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Checking for a range conflict > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: In > >>> LdapBoundConnFactory::getConn() > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: masterConn is connected: true > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: conn is connected true > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: mNumConns now 2 > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Releasing ldap connection > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: returnConn: mNumConns now 3 > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: CMSEngine: checking > >>> certificate serial number ranges > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Serial > >>> numbers left in range: 65536 > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Last serial > >>> number: 2415656960 > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Serial > >>> numbers available: 65536 > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Low water > >>> mark: 33554432 > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Requesting next range > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: In > >>> LdapBoundConnFactory::getConn() > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: masterConn is connected: true > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: conn is connected true > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: mNumConns now 2 > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: retrieving > >>> ou=certificateRepository, ou=ca,o=ipaca > >> Hi, > >> > >> What is the content of this entry? > >> ldapsearch -D "cn=directory manager" -W -b > >> "ou=certificateRepository,ou=ca,o=ipaca" -s base > >> > >> According to the code, a decimal format is expected for the attribute > >> nextRange. Was the value modified by hand? If not, I would advise to > >> open an issue against dogtag, for the team to investigate how an > >> hexadecimal format could get written there: > >> https://pagure.io/dogtagpki/new_issue > >> > >> HTH, > >> flo > >> > >>> java.lang.NumberFormatException: For input string: "e0000001" > >>> at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65) > >>> at java.lang.Integer.parseInt(Integer.java:580) > >>> at java.math.BigInteger.<init>(BigInteger.java:470) > >>> at java.math.BigInteger.<init>(BigInteger.java:606) > >>> at com.netscape.cmscore.dbs.DBSubsystem.getNextRange(DBSubsystem.java:417) > >>> at com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:546) > >>> at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1268) > >>> at com.netscape.certsrv.apps.CMS.startup(CMS.java:204) > >>> at com.netscape.certsrv.apps.CMS.start(CMS.java:1459) > >>> at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117) > >>> at javax.servlet.GenericServlet.init(GenericServlet.java:158) > >>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > >>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > >>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > >>> at java.lang.reflect.Method.invoke(Method.java:498) > >>> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288) > >>> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285) > >>> at java.security.AccessController.doPrivileged(Native Method) > >>> at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) > >>> at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320) > >>> ... > >>> ###### > >>> > >>> This is logged in /var/log/pki/pki-ca-spawn.20200620150752.log: > >>> ###### > >>> ... > >>> 2020-06-20 15:09:47 pkispawn : INFO ....... executing > >>> 'systemctl stop pki-tomcatd(a)pki-tomcat.service&#39; > >>> 2020-06-20 15:09:48 pkispawn : INFO ....... removing temp SSL > >>> server cert from internal token: Server-Cert cert-pki-ca > >>> 2020-06-20 15:09:48 pki.nssdb : DEBUG Command: certutil -D -d > >>> /var/lib/pki/pki-tomcat/alias -f /tmp/tmptjRzW6/password.txt -n > >>> Server-Cert cert-pki-ca > >>> 2020-06-20 15:09:48 pkispawn : INFO ....... importing permanent > >>> SSL server cert into internal token: Server-Cert cert-pki-ca > >>> 2020-06-20 15:09:48 pki.nssdb : DEBUG Command: certutil -A -d > >>> /var/lib/pki/pki-tomcat/alias -f /tmp/tmplJLOg8/internal_password.txt > >>> -n Server-Cert cert-pki-ca -a -i /tmp/tmpeCzA_b/sslserver.crt -t ,, > >>> 2020-06-20 15:09:48 pkispawn : INFO ....... executing > >>> 'systemctl daemon-reload' > >>> 2020-06-20 15:09:48 pkispawn : INFO ....... executing > >>> 'systemctl start pki-tomcatd(a)pki-tomcat.service&#39; > >>> 2020-06-20 15:09:48 pkispawn : INFO ........... FIPS mode is > >>> NOT enabled on this operating system. > >>> 2020-06-20 15:09:48 pkispawn : DEBUG ........... No connection - > >>> server may still be down > >>> 2020-06-20 15:09:48 pkispawn : DEBUG ........... No connection - > >>> exception thrown: ('Connection aborted.', error(111, 'Connection > >>> refused')) > >>> 2020-06-20 15:09:49 pkispawn : DEBUG ........... No connection - > >>> server may still be down > >>> 2020-06-20 15:09:49 pkispawn : DEBUG ........... No connection - > >>> exception thrown: ('Connection aborted.', error(111, 'Connection > >>> refused')) > >>> 2020-06-20 15:09:56 pkispawn : DEBUG ........... No connection - > >>> server may still be down > >>> 2020-06-20 15:09:56 pkispawn : DEBUG ........... No connection - > >>> exception thrown: 500 Server Error: Internal Server Error > >>> 2020-06-20 15:09:57 pkispawn : DEBUG ........... No connection - > >>> server may still be down > >>> 2020-06-20 15:09:57 pkispawn : DEBUG ........... No connection - > >>> exception thrown: 500 Server Error: Internal Server Error > >>> 2020-06-20 15:09:58 pkispawn : DEBUG ........... No connection - > >>> server may still be down > >>> ... repeats every second > >>> 2020-06-20 15:10:47 pkispawn : DEBUG ........... No connection - > >>> exception thrown: 500 Server Error: Internal Server Error > >>> 2020-06-20 15:10:48 pkispawn : DEBUG ........... No connection - > >>> server may still be down > >>> 2020-06-20 15:10:48 pkispawn : DEBUG ........... No connection - > >>> exception thrown: 500 Server Error: Internal Server Error > >>> 2020-06-20 15:10:49 pkispawn : ERROR ... server failed to restart > >>> 2020-06-20 15:10:49 pkispawn : DEBUG ....... Error Type: RuntimeError > >>> 2020-06-20 15:10:49 pkispawn : DEBUG ....... Error Message: > >>> server failed to restart > >>> 2020-06-20 15:10:49 pkispawn : DEBUG ....... File > >>> "/usr/sbin/pkispawn", line 534, in main > >>> scriptlet.spawn(deployer) > >>> File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", > >>> line 1304, in spawn > >>> raise RuntimeError("server failed to restart") > >>> ###### > >>> > >>> And here is the failure in /var/log/ipareplica-ca-install.log: > >>> ###### > >>> ... > >>> --------------- > >>> Import complete > >>> --------------- > >>> Imported certificates into /etc/pki/pki-tomcat/alias: > >>> > >>> Certificate Nickname Trust Attributes > >>> SSL,S/MIME,JAR/XPI > >>> > >>> Third-party RSA CA C,, > >>> caSigningCert cert-pki-ca CTu,Cu,Cu > >>> subsystemCert cert-pki-ca u,u,u > >>> auditSigningCert cert-pki-ca u,u,Pu > >>> Third-party Root CA C,, > >>> ocspSigningCert cert-pki-ca u,u,u > >>> > >>> Installation failed: server failed to restart > >>> > >>> > >>> 2020-06-20T15:10:50Z DEBUG stderr=pkispawn : ERROR ... server > >>> failed to restart > >>> > >>> 2020-06-20T15:10:50Z CRITICAL Failed to configure CA instance: Command > >>> '/usr/sbin/pkispawn -s CA -f /tmp/tmpcQ1jxM' returned non-zero exit > >>> status 1 > >>> 2020-06-20T15:10:50Z CRITICAL See the installation logs and the > >>> following files/directories for more information: > >>> 2020-06-20T15:10:50Z CRITICAL /var/log/pki/pki-tomcat > >>> 2020-06-20T15:10:50Z DEBUG Traceback (most recent call last): > >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", > >>> line 567, in start_creation > >>> run_step(full_msg, method) > >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", > >>> line 557, in run_step > >>> method() > >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", > >>> line 675, in __spawn_instance > >>> pki_pin) > >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", > >>> line 167, in spawn_instance > >>> self.handle_setup_error(e) > >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", > >>> line 408, in handle_setup_error > >>> raise RuntimeError("%s configuration failed." % self.subsystem) > >>> RuntimeError: CA configuration failed. > >>> > >>> 2020-06-20T15:10:50Z DEBUG [error] RuntimeError: CA configuration failed. > >>> ... > >>> ###### > >>> > >>> Has anyone run into this? > >>> Is this a known bug/issue? > >>> > >>> Current environment of all replicas: > >>> - CentOS 7.8 > >>> - FreeIPA 4.6.6 > >>> > >>> Any help/guidance on fixing this would be really appreciated. > >>> > >>> Thanks so much, > >>> > >>> Guillermo > >>> _______________________________________________ > >>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > >>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > >>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > >>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > >>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > >>> > >> > > _______________________________________________ > > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > > > _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...