Confirmed Fraser. It worked! Thanks so much!
Using the decimal value in the nextRange attribute did the trick.
Thank you everyone for your help.
All the best,
Guillermo
On Tue, Jul 7, 2020 at 3:57 AM Fraser Tweedale <ftweedal(a)redhat.com> wrote:
>
> On Tue, Jul 07, 2020 at 12:04:58AM -0400, Guillermo Fuentes via FreeIPA-users wrote:
> > > On Mon, Jul 6, 2020 at 5:31 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
> > >
> > > Guillermo Fuentes via FreeIPA-users wrote:
> > > > Hi Flo,
> > > > Here is the value of the entry:
> > > > # certificateRepository, ca, ipaca
> > > > dn: ou=certificateRepository,ou=ca,o=ipaca
> > > > objectClass: top
> > > > objectClass: repository
> > > > ou: certificateRepository
> > > > serialno: 09268369921
> > > > nextRange: e0000001
> > > >
> > > > The value of nextRange was modified by hand to fix another issue.
> > > > According to this
> > > > https://frasertweedale.github.io/blog-redhat/posts/2019-07-26-dogtag-repl...
> > > > it should be hexadecimal.
> > >
> > > Maybe try an upper-case E.
> > >
> > > rob
> >
> > Same result.
> >
> IIRC the ldap objects all use decimal representation. It is only in
> CS.cfg where some ranges are hexadecimal and others are decimal.
> I can confirm later. And update the blog post to clarify!
>
> Put the decimal representation in the `nextRange' attribute and see
> how you go.
>
> Cheers,
> Fraser
>
>
> > >
> > > >
> > > > If the code is expecting a decimal value, I'm assuming converting the
> > > > range from hex to decimal should do it, right? I'll also check for
> > > > conflicts.
> > > >
> > > > Thanks!
> > > > Guillermo
> > > >
> > > > On Mon, Jul 6, 2020 at 12:35 PM Florence Blanc-Renaud <flo(a)redhat.com> wrote:
> > > >>
> > > >> On 7/6/20 5:18 PM, Guillermo Fuentes via FreeIPA-users wrote:
> > > >>> Hi all,
> > > >>>
> > > >>> I'm having an issue creating a new replica with CA.
> > > >>> The Directory Service installation works fine but adding the CA clone
> > > >>> fails with a java.lang.NumberFormatException when getting the serial
> > > >>> number range.
> > > >>>
> > > >>> This is the error logged in /var/log/pki/pki-tomcat/ca/debug:
> > > >>> ######
> > > >>> ...
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: retrieving ou=ca, ou=requests,o=ipaca
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: updating nextRange from 80000001 to 90000001
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: adding new range object: cn=80000001,ou=requests, ou=ranges,o=ipaca
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: getNextRange Next range has been added: 80000001 - 90000000
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Releasing ldap connection
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: returnConn: mNumConns now 3
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: next range: 80000001
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Next min serial number: 80000001
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: Setting next min requests number: 80000001
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: Setting next max requests number: 90000000
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Checking for a range conflict
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: In LdapBoundConnFactory::getConn()
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: masterConn is connected: true
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: conn is connected true
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: mNumConns now 2
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Releasing ldap connection
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: returnConn: mNumConns now 3
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: CMSEngine: checking certificate serial number ranges
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Serial numbers left in range: 65536
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Last serial number: 2415656960
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Serial numbers available: 65536
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Low water mark: 33554432
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Requesting next range
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: In LdapBoundConnFactory::getConn()
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: masterConn is connected: true
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: conn is connected true
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: mNumConns now 2
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: retrieving ou=certificateRepository, ou=ca,o=ipaca
> > > >> Hi,
> > > >>
> > > >> What is the content of this entry?
> > > >> ldapsearch -D "cn=directory manager" -W -b
> > > >> "ou=certificateRepository,ou=ca,o=ipaca" -s base
> > > >>
> > > >> According to the code, a decimal format is expected for the attribute
> > > >> nextRange. Was the value modified by hand? If not, I would advise to
> > > >> open an issue against dogtag, for the team to investigate how a
> > > >> hexadecimal format could get written there:
> > > >>
> > > >> https://pagure.io/dogtagpki/new_issue
> > > >>
> > > >> HTH,
> > > >> flo
> > > >>
> > > >>> java.lang.NumberFormatException: For input string: "e0000001"
> > > >>> at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
> > > >>> at java.lang.Integer.parseInt(Integer.java:580)
> > > >>> at java.math.BigInteger.<init>(BigInteger.java:470)
> > > >>> at java.math.BigInteger.<init>(BigInteger.java:606)
> > > >>> at com.netscape.cmscore.dbs.DBSubsystem.getNextRange(DBSubsystem.java:417)
> > > >>> at com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:546)
> > > >>> at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1268)
> > > >>> at com.netscape.certsrv.apps.CMS.startup(CMS.java:204)
> > > >>> at com.netscape.certsrv.apps.CMS.start(CMS.java:1459)
> > > >>> at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
> > > >>> at javax.servlet.GenericServlet.init(GenericServlet.java:158)
> > > >>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > >>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > > >>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > > >>> at java.lang.reflect.Method.invoke(Method.java:498)
> > > >>> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
> > > >>> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
> > > >>> at java.security.AccessController.doPrivileged(Native Method)
> > > >>> at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
> > > >>> at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
> > > >>> ...
> > > >>> ######
> > > >>>
> > > >>> This is logged in /var/log/pki/pki-ca-spawn.20200620150752.log:
> > > >>> ######
> > > >>> ...
> > > >>> 2020-06-20 15:09:47 pkispawn : INFO ....... executing 'systemctl stop pki-tomcatd(a)pki-tomcat.service'
> > > >>> 2020-06-20 15:09:48 pkispawn : INFO ....... removing temp SSL server cert from internal token: Server-Cert cert-pki-ca
> > > >>> 2020-06-20 15:09:48 pki.nssdb : DEBUG Command: certutil -D -d /var/lib/pki/pki-tomcat/alias -f /tmp/tmptjRzW6/password.txt -n Server-Cert cert-pki-ca
> > > >>> 2020-06-20 15:09:48 pkispawn : INFO ....... importing permanent SSL server cert into internal token: Server-Cert cert-pki-ca
> > > >>> 2020-06-20 15:09:48 pki.nssdb : DEBUG Command: certutil -A -d /var/lib/pki/pki-tomcat/alias -f /tmp/tmplJLOg8/internal_password.txt -n Server-Cert cert-pki-ca -a -i /tmp/tmpeCzA_b/sslserver.crt -t ,,
> > > >>> 2020-06-20 15:09:48 pkispawn : INFO ....... executing 'systemctl daemon-reload'
> > > >>> 2020-06-20 15:09:48 pkispawn : INFO ....... executing 'systemctl start pki-tomcatd(a)pki-tomcat.service'
> > > >>> 2020-06-20 15:09:48 pkispawn : INFO ........... FIPS mode is NOT enabled on this operating system.
> > > >>> 2020-06-20 15:09:48 pkispawn : DEBUG ........... No connection - server may still be down
> > > >>> 2020-06-20 15:09:48 pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
> > > >>> 2020-06-20 15:09:49 pkispawn : DEBUG ........... No connection - server may still be down
> > > >>> 2020-06-20 15:09:49 pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
> > > >>> 2020-06-20 15:09:56 pkispawn : DEBUG ........... No connection - server may still be down
> > > >>> 2020-06-20 15:09:56 pkispawn : DEBUG ........... No connection - exception thrown: 500 Server Error: Internal Server Error
> > > >>> 2020-06-20 15:09:57 pkispawn : DEBUG ........... No connection - server may still be down
> > > >>> 2020-06-20 15:09:57 pkispawn : DEBUG ........... No connection - exception thrown: 500 Server Error: Internal Server Error
> > > >>> 2020-06-20 15:09:58 pkispawn : DEBUG ........... No connection - server may still be down
> > > >>> ... repeats every second
> > > >>> 2020-06-20 15:10:47 pkispawn : DEBUG ........... No connection - exception thrown: 500 Server Error: Internal Server Error
> > > >>> 2020-06-20 15:10:48 pkispawn : DEBUG ........... No connection - server may still be down
> > > >>> 2020-06-20 15:10:48 pkispawn : DEBUG ........... No connection - exception thrown: 500 Server Error: Internal Server Error
> > > >>> 2020-06-20 15:10:49 pkispawn : ERROR ... server failed to restart
> > > >>> 2020-06-20 15:10:49 pkispawn : DEBUG ....... Error Type: RuntimeError
> > > >>> 2020-06-20 15:10:49 pkispawn : DEBUG ....... Error Message: server failed to restart
> > > >>> 2020-06-20 15:10:49 pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", line 534, in main
> > > >>>     scriptlet.spawn(deployer)
> > > >>>   File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 1304, in spawn
> > > >>>     raise RuntimeError("server failed to restart")
> > > >>> ######
> > > >>>
> > > >>> And here is the failure in /var/log/ipareplica-ca-install.log:
> > > >>> ######
> > > >>> ...
> > > >>> ---------------
> > > >>> Import complete
> > > >>> ---------------
> > > >>> Imported certificates into /etc/pki/pki-tomcat/alias:
> > > >>>
> > > >>> Certificate Nickname                    Trust Attributes
> > > >>>                                         SSL,S/MIME,JAR/XPI
> > > >>>
> > > >>> Third-party RSA CA                      C,,
> > > >>> caSigningCert cert-pki-ca               CTu,Cu,Cu
> > > >>> subsystemCert cert-pki-ca               u,u,u
> > > >>> auditSigningCert cert-pki-ca            u,u,Pu
> > > >>> Third-party Root CA                     C,,
> > > >>> ocspSigningCert cert-pki-ca             u,u,u
> > > >>>
> > > >>> Installation failed: server failed to restart
> > > >>>
> > > >>>
> > > >>> 2020-06-20T15:10:50Z DEBUG stderr=pkispawn : ERROR ... server failed to restart
> > > >>>
> > > >>> 2020-06-20T15:10:50Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpcQ1jxM' returned non-zero exit status 1
> > > >>> 2020-06-20T15:10:50Z CRITICAL See the installation logs and the following files/directories for more information:
> > > >>> 2020-06-20T15:10:50Z CRITICAL /var/log/pki/pki-tomcat
> > > >>> 2020-06-20T15:10:50Z DEBUG Traceback (most recent call last):
> > > >>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 567, in start_creation
> > > >>>     run_step(full_msg, method)
> > > >>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 557, in run_step
> > > >>>     method()
> > > >>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 675, in __spawn_instance
> > > >>>     pki_pin)
> > > >>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 167, in spawn_instance
> > > >>>     self.handle_setup_error(e)
> > > >>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 408, in handle_setup_error
> > > >>>     raise RuntimeError("%s configuration failed." % self.subsystem)
> > > >>> RuntimeError: CA configuration failed.
> > > >>>
> > > >>> 2020-06-20T15:10:50Z DEBUG [error] RuntimeError: CA configuration failed.
> > > >>> ...
> > > >>> ######
> > > >>>
> > > >>> Has anyone run into this?
> > > >>> Is this a known bug/issue?
> > > >>>
> > > >>> Current environment of all replicas:
> > > >>> - CentOS 7.8
> > > >>> - FreeIPA 4.6.6
> > > >>>
> > > >>> Any help/guidance on fixing this would be really appreciated.
> > > >>>
> > > >>> Thanks so much,
> > > >>>
> > > >>> Guillermo
> > > >>> _______________________________________________
> > > >>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> > > >>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> > > >>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > >>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > >>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> > > >>>
> > > >>
> > > >
> > >
>
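The thread turns on two things: Dogtag reads `nextRange` from LDAP with `new BigInteger(s)`, which is base 10 (hence the `NumberFormatException` on "e0000001"), and a clone that is handed a range overlapping another CA's range would issue duplicate serial numbers, which is why the log "Checking for a range conflict" and Guillermo's "I'll also check for conflicts" matter. The script below is an added example, not code from the thread, FreeIPA or Dogtag. It parses `ldapsearch` output for the repository entry, classifies `nextRange` the way Dogtag's parser would, and checks the range that would be allocated next against the range objects already recorded. The certificateRepository entry and the request range DN are taken from the thread; the requests repository entry, the `beginRange`/`endRange` attribute names, the `ou=certificateRepository,ou=ranges,o=ipaca` location and the range width of 10,000,000 (inferred from the 80000001-90000000 allocation in the log) are assumptions of this example.

```python
"""Pre-flight check for Dogtag serial/request number ranges stored in LDAP.

Added example, not part of the thread or of Dogtag/FreeIPA. It mimics what
DBSubsystem.getNextRange does with the `nextRange` attribute (new BigInteger(s),
i.e. base 10) so that a hand-edited hexadecimal value is caught before pkispawn
runs, and it checks the range that would be handed out against the range
objects already recorded under ou=ranges,o=ipaca.
"""
import re

# java.math.BigInteger(String) parses base 10: optional sign, then decimal digits.
_DECIMAL = re.compile(r"^[+-]?[0-9]+$")
# Only a value containing a-f can be recognised as hexadecimal; "80000001" is a
# valid literal in both bases, so the operator must know which base the store uses.
_HEX = re.compile(r"^[0-9a-fA-F]+$")


def parse_ldif(text):
    """Tiny LDIF reader for `ldapsearch` output: list of (dn, {attr: [values]}).

    Handles '#' comment lines and folded continuation lines (leading space).
    Base64 values ('::') are skipped; none of the range entries use them.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]           # join a folded continuation line
        else:
            unfolded.append(raw)

    entries, dn, attrs = [], None, None
    for line in unfolded + [""]:              # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, None
            continue
        key, _, value = line.partition(":")
        if value.startswith(":"):             # base64-encoded value, not needed here
            continue
        value = value.strip()
        if key == "dn":
            dn, attrs = value, {}
        elif attrs is not None:
            attrs.setdefault(key, []).append(value)
    return entries


def classify_next_range(value):
    """Classify a nextRange string the way Dogtag would see it.

    Returns (status, integer):
      'decimal'  - new BigInteger(value) succeeds; integer is the parsed value
      'hex-only' - contains a-f, so Dogtag throws NumberFormatException;
                   integer is int(value, 16), the decimal form to write instead
      'invalid'  - neither; integer is None
    """
    if _DECIMAL.match(value):
        return "decimal", int(value, 10)
    if _HEX.match(value):
        return "hex-only", int(value, 16)
    return "invalid", None


def range_conflicts(begin, end, existing):
    """Return every (begin, end) pair in `existing` that overlaps [begin, end]."""
    return [(b, e) for b, e in existing if b <= end and begin <= e]


def audit_repository(ldif_text, repository_dn, ranges_suffix, increment):
    """Check one repository's nextRange and the range it would allocate next.

    `increment` is the width of one range; 10_000_000 matches the
    80000001-90000000 allocation in the thread's debug log (an assumption for
    this example; read the real value from CS.cfg).
    """
    entries = dict(parse_ldif(ldif_text))
    repo = entries[repository_dn]
    status, begin = classify_next_range(repo["nextRange"][0])
    existing = [
        (int(a["beginRange"][0]), int(a["endRange"][0]))
        for dn, a in entries.items()
        if dn.lower().endswith(ranges_suffix.lower()) and "beginRange" in a
    ]
    conflicts = []
    if begin is not None:
        conflicts = range_conflicts(begin, begin + increment - 1, existing)
    return {"status": status, "nextRange_decimal": begin, "conflicts": conflicts}


# Constructed sample: the certificateRepository entry as posted in the thread,
# plus a hypothetical requests repository and one request range object shaped
# after the debug log. beginRange/endRange are assumed attribute names.
SAMPLE_LDIF = """\
# certificateRepository, ca, ipaca
dn: ou=certificateRepository,ou=ca,o=ipaca
objectClass: top
objectClass: repository
ou: certificateRepository
serialno: 09268369921
nextRange: e0000001

dn: ou=ca,ou=requests,o=ipaca
objectClass: top
objectClass: repository
ou: ca
nextRange: 90000001

dn: cn=80000001,ou=requests,ou=ranges,o=ipaca
objectClass: top
objectClass: pkiRange
cn: 80000001
beginRange: 80000001
endRange: 90000000
"""

CERT_REPO = "ou=certificateRepository,ou=ca,o=ipaca"
REQ_REPO = "ou=ca,ou=requests,o=ipaca"
# Assumed locations of the range objects (only the requests one appears in the log).
CERT_RANGES = "ou=certificateRepository,ou=ranges,o=ipaca"
REQ_RANGES = "ou=requests,ou=ranges,o=ipaca"

if __name__ == "__main__":
    for name, repo, ranges in (("certificates", CERT_REPO, CERT_RANGES),
                               ("requests", REQ_REPO, REQ_RANGES)):
        print(name, audit_repository(SAMPLE_LDIF, repo, ranges, 10_000_000))
```

Against the sample, the certificate repository comes back as `hex-only` with 3758096385 as the decimal value to write (exactly the fix Guillermo applied), and the requests repository as `decimal` with no overlap against the existing 80000001-90000000 range object. The caveat in the comments is the important one: a value such as "80000001" parses in either base, so this check can only catch strings containing a-f; whether a given store holds decimal or hexadecimal has to be known from the code or the documentation, which is the clarification Fraser promised for the blog post.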