Hi Flo, Here is the value of the entry: # certificateRepository, ca, ipaca dn: ou=certificateRepository,ou=ca,o=ipaca objectClass: top objectClass: repository ou: certificateRepository serialno: 09268369921 nextRange: e0000001 The value of nextRange was modified by hand to fix another issue. According to this https://frasertweedale.github.io/blog-redhat/posts/2019-07-26-dogtag-repl... it should be hexadecimal. If the code is expecting a decimal value, I'm assuming converting the range from hex to decimal should do it, right? I'll also check for conflicts. Thanks! Guillermo On Mon, Jul 6, 2020 at 12:35 PM Florence Blanc-Renaud <flo(a)redhat.com&gt; wrote: > > On 7/6/20 5:18 PM, Guillermo Fuentes via FreeIPA-users wrote: > > Hi all, > > > > I'm having an issue creating a new replica with CA. > > The Directory Service installation works fine but adding the CA clone > > fails with a java.lang.NumberFormatException when getting the serial > > number range. > > > > This is the error logged in /var/log/pki/pki-tomcat/ca/debug: > > ###### > > ... > > [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: retrieving > > ou=ca, ou=requests,o=ipaca > > [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: updating > > nextRange from 80000001 to 90000001 > > [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: adding new > > range object: cn=80000001,ou=requests, ou=ranges,o=ipaca > > [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: > > getNextRange Next range has been added: 80000001 - 90000000 > > [20/Jun/2020:15:09:55][localhost-startStop-1]: Releasing ldap connection > > [20/Jun/2020:15:09:55][localhost-startStop-1]: returnConn: mNumConns now 3 > > [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: next range: 80000001 > > [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Next min > > serial number: 80000001 > > [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: Setting > > next min requests number: 80000001 > > [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: Setting > > next max requests number: 90000000 > > [20/Jun/2020:15:09:55][localhost-startStop-1]: Checking for a range conflict > > [20/Jun/2020:15:09:55][localhost-startStop-1]: In > > LdapBoundConnFactory::getConn() > > [20/Jun/2020:15:09:55][localhost-startStop-1]: masterConn is connected: true > > [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: conn is connected true > > [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: mNumConns now 2 > > [20/Jun/2020:15:09:55][localhost-startStop-1]: Releasing ldap connection > > [20/Jun/2020:15:09:55][localhost-startStop-1]: returnConn: mNumConns now 3 > > [20/Jun/2020:15:09:55][localhost-startStop-1]: CMSEngine: checking > > certificate serial number ranges > > [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Serial > > numbers left in range: 65536 > > [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Last serial > > number: 2415656960 > > [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Serial > > numbers available: 65536 > > [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Low water > > mark: 33554432 > > [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Requesting next range > > [20/Jun/2020:15:09:55][localhost-startStop-1]: In > > LdapBoundConnFactory::getConn() > > [20/Jun/2020:15:09:55][localhost-startStop-1]: masterConn is connected: true > > [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: conn is connected true > > [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: mNumConns now 2 > > [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: retrieving > > ou=certificateRepository, ou=ca,o=ipaca > Hi, > > What is the content of this entry? > ldapsearch -D "cn=directory manager" -W -b > "ou=certificateRepository,ou=ca,o=ipaca" -s base > > According to the code, a decimal format is expected for the attribute > nextRange. Was the value modified by hand? If not, I would advise to > open an issue against dogtag, for the team to investigate how an > hexadecimal format could get written there: > https://pagure.io/dogtagpki/new_issue > > HTH, > flo > > > java.lang.NumberFormatException: For input string: "e0000001" > > at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65) > > at java.lang.Integer.parseInt(Integer.java:580) > > at java.math.BigInteger.<init>(BigInteger.java:470) > > at java.math.BigInteger.<init>(BigInteger.java:606) > > at com.netscape.cmscore.dbs.DBSubsystem.getNextRange(DBSubsystem.java:417) > > at com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:546) > > at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1268) > > at com.netscape.certsrv.apps.CMS.startup(CMS.java:204) > > at com.netscape.certsrv.apps.CMS.start(CMS.java:1459) > > at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117) > > at javax.servlet.GenericServlet.init(GenericServlet.java:158) > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > > at java.lang.reflect.Method.invoke(Method.java:498) > > at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288) > > at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285) > > at java.security.AccessController.doPrivileged(Native Method) > > at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) > > at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320) > > ... > > ###### > > > > This is logged in /var/log/pki/pki-ca-spawn.20200620150752.log: > > ###### > > ... > > 2020-06-20 15:09:47 pkispawn : INFO ....... executing > > 'systemctl stop pki-tomcatd(a)pki-tomcat.service&#39; > > 2020-06-20 15:09:48 pkispawn : INFO ....... removing temp SSL > > server cert from internal token: Server-Cert cert-pki-ca > > 2020-06-20 15:09:48 pki.nssdb : DEBUG Command: certutil -D -d > > /var/lib/pki/pki-tomcat/alias -f /tmp/tmptjRzW6/password.txt -n > > Server-Cert cert-pki-ca > > 2020-06-20 15:09:48 pkispawn : INFO ....... importing permanent > > SSL server cert into internal token: Server-Cert cert-pki-ca > > 2020-06-20 15:09:48 pki.nssdb : DEBUG Command: certutil -A -d > > /var/lib/pki/pki-tomcat/alias -f /tmp/tmplJLOg8/internal_password.txt > > -n Server-Cert cert-pki-ca -a -i /tmp/tmpeCzA_b/sslserver.crt -t ,, > > 2020-06-20 15:09:48 pkispawn : INFO ....... executing > > 'systemctl daemon-reload' > > 2020-06-20 15:09:48 pkispawn : INFO ....... executing > > 'systemctl start pki-tomcatd(a)pki-tomcat.service&#39; > > 2020-06-20 15:09:48 pkispawn : INFO ........... FIPS mode is > > NOT enabled on this operating system. > > 2020-06-20 15:09:48 pkispawn : DEBUG ........... No connection - > > server may still be down > > 2020-06-20 15:09:48 pkispawn : DEBUG ........... No connection - > > exception thrown: ('Connection aborted.', error(111, 'Connection > > refused')) > > 2020-06-20 15:09:49 pkispawn : DEBUG ........... No connection - > > server may still be down > > 2020-06-20 15:09:49 pkispawn : DEBUG ........... No connection - > > exception thrown: ('Connection aborted.', error(111, 'Connection > > refused')) > > 2020-06-20 15:09:56 pkispawn : DEBUG ........... No connection - > > server may still be down > > 2020-06-20 15:09:56 pkispawn : DEBUG ........... No connection - > > exception thrown: 500 Server Error: Internal Server Error > > 2020-06-20 15:09:57 pkispawn : DEBUG ........... No connection - > > server may still be down > > 2020-06-20 15:09:57 pkispawn : DEBUG ........... No connection - > > exception thrown: 500 Server Error: Internal Server Error > > 2020-06-20 15:09:58 pkispawn : DEBUG ........... No connection - > > server may still be down > > ... repeats every second > > 2020-06-20 15:10:47 pkispawn : DEBUG ........... No connection - > > exception thrown: 500 Server Error: Internal Server Error > > 2020-06-20 15:10:48 pkispawn : DEBUG ........... No connection - > > server may still be down > > 2020-06-20 15:10:48 pkispawn : DEBUG ........... No connection - > > exception thrown: 500 Server Error: Internal Server Error > > 2020-06-20 15:10:49 pkispawn : ERROR ... server failed to restart > > 2020-06-20 15:10:49 pkispawn : DEBUG ....... Error Type: RuntimeError > > 2020-06-20 15:10:49 pkispawn : DEBUG ....... Error Message: > > server failed to restart > > 2020-06-20 15:10:49 pkispawn : DEBUG ....... File > > "/usr/sbin/pkispawn", line 534, in main > > scriptlet.spawn(deployer) > > File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", > > line 1304, in spawn > > raise RuntimeError("server failed to restart") > > ###### > > > > And here is the failure in /var/log/ipareplica-ca-install.log: > > ###### > > ... > > --------------- > > Import complete > > --------------- > > Imported certificates into /etc/pki/pki-tomcat/alias: > > > > Certificate Nickname Trust Attributes > > SSL,S/MIME,JAR/XPI > > > > Third-party RSA CA C,, > > caSigningCert cert-pki-ca CTu,Cu,Cu > > subsystemCert cert-pki-ca u,u,u > > auditSigningCert cert-pki-ca u,u,Pu > > Third-party Root CA C,, > > ocspSigningCert cert-pki-ca u,u,u > > > > Installation failed: server failed to restart > > > > > > 2020-06-20T15:10:50Z DEBUG stderr=pkispawn : ERROR ... server > > failed to restart > > > > 2020-06-20T15:10:50Z CRITICAL Failed to configure CA instance: Command > > '/usr/sbin/pkispawn -s CA -f /tmp/tmpcQ1jxM' returned non-zero exit > > status 1 > > 2020-06-20T15:10:50Z CRITICAL See the installation logs and the > > following files/directories for more information: > > 2020-06-20T15:10:50Z CRITICAL /var/log/pki/pki-tomcat > > 2020-06-20T15:10:50Z DEBUG Traceback (most recent call last): > > File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", > > line 567, in start_creation > > run_step(full_msg, method) > > File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", > > line 557, in run_step > > method() > > File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", > > line 675, in __spawn_instance > > pki_pin) > > File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", > > line 167, in spawn_instance > > self.handle_setup_error(e) > > File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", > > line 408, in handle_setup_error > > raise RuntimeError("%s configuration failed." % self.subsystem) > > RuntimeError: CA configuration failed. > > > > 2020-06-20T15:10:50Z DEBUG [error] RuntimeError: CA configuration failed. > > ... > > ###### > > > > Has anyone run into this? > > Is this a known bug/issue? > > > > Current environment of all replicas: > > - CentOS 7.8 > > - FreeIPA 4.6.6 > > > > Any help/guidance on fixing this would be really appreciated. > > > > Thanks so much, > > > > Guillermo > > _______________________________________________ > > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > > >

On Mon, Jul 6, 2020 at 5:31 PM Rob Crittenden <rcritten(a)redhat.com&gt; wrote: Same result. > > > > > If the code is expecting a decimal value, I'm assuming converting the > > range from hex to decimal should do it, right? I'll also check for > > conflicts. > > > > Thanks! > > Guillermo > > > > On Mon, Jul 6, 2020 at 12:35 PM Florence Blanc-Renaud <flo(a)redhat.com&gt; wrote: > >> > >> On 7/6/20 5:18 PM, Guillermo Fuentes via FreeIPA-users wrote: > >>> Hi all, > >>> > >>> I'm having an issue creating a new replica with CA. > >>> The Directory Service installation works fine but adding the CA clone > >>> fails with a java.lang.NumberFormatException when getting the serial > >>> number range. > >>> > >>> This is the error logged in /var/log/pki/pki-tomcat/ca/debug: > >>> ###### > >>> ... > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: retrieving > >>> ou=ca, ou=requests,o=ipaca > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: updating > >>> nextRange from 80000001 to 90000001 > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: adding new > >>> range object: cn=80000001,ou=requests, ou=ranges,o=ipaca > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: > >>> getNextRange Next range has been added: 80000001 - 90000000 > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Releasing ldap connection > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: returnConn: mNumConns now 3 > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: next range: 80000001 > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Next min > >>> serial number: 80000001 > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: Setting > >>> next min requests number: 80000001 > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: Setting > >>> next max requests number: 90000000 > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Checking for a range conflict > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: In > >>> LdapBoundConnFactory::getConn() > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: masterConn is connected: true > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: conn is connected true > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: mNumConns now 2 > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Releasing ldap connection > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: returnConn: mNumConns now 3 > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: CMSEngine: checking > >>> certificate serial number ranges > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Serial > >>> numbers left in range: 65536 > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Last serial > >>> number: 2415656960 > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Serial > >>> numbers available: 65536 > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Low water > >>> mark: 33554432 > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Requesting next range > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: In > >>> LdapBoundConnFactory::getConn() > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: masterConn is connected: true > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: conn is connected true > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: mNumConns now 2 > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: retrieving > >>> ou=certificateRepository, ou=ca,o=ipaca > >> Hi, > >> > >> What is the content of this entry? > >> ldapsearch -D "cn=directory manager" -W -b > >> "ou=certificateRepository,ou=ca,o=ipaca" -s base > >> > >> According to the code, a decimal format is expected for the attribute > >> nextRange. Was the value modified by hand? If not, I would advise to > >> open an issue against dogtag, for the team to investigate how an > >> hexadecimal format could get written there: > >> https://pagure.io/dogtagpki/new_issue > >> > >> HTH, > >> flo > >> > >>> java.lang.NumberFormatException: For input string: "e0000001" > >>> at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65) > >>> at java.lang.Integer.parseInt(Integer.java:580) > >>> at java.math.BigInteger.<init>(BigInteger.java:470) > >>> at java.math.BigInteger.<init>(BigInteger.java:606) > >>> at com.netscape.cmscore.dbs.DBSubsystem.getNextRange(DBSubsystem.java:417) > >>> at com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:546) > >>> at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1268) > >>> at com.netscape.certsrv.apps.CMS.startup(CMS.java:204) > >>> at com.netscape.certsrv.apps.CMS.start(CMS.java:1459) > >>> at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117) > >>> at javax.servlet.GenericServlet.init(GenericServlet.java:158) > >>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > >>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > >>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > >>> at java.lang.reflect.Method.invoke(Method.java:498) > >>> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288) > >>> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285) > >>> at java.security.AccessController.doPrivileged(Native Method) > >>> at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) > >>> at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320) > >>> ... > >>> ###### > >>> > >>> This is logged in /var/log/pki/pki-ca-spawn.20200620150752.log: > >>> ###### > >>> ... > >>> 2020-06-20 15:09:47 pkispawn : INFO ....... executing > >>> 'systemctl stop pki-tomcatd(a)pki-tomcat.service&#39; > >>> 2020-06-20 15:09:48 pkispawn : INFO ....... removing temp SSL > >>> server cert from internal token: Server-Cert cert-pki-ca > >>> 2020-06-20 15:09:48 pki.nssdb : DEBUG Command: certutil -D -d > >>> /var/lib/pki/pki-tomcat/alias -f /tmp/tmptjRzW6/password.txt -n > >>> Server-Cert cert-pki-ca > >>> 2020-06-20 15:09:48 pkispawn : INFO ....... importing permanent > >>> SSL server cert into internal token: Server-Cert cert-pki-ca > >>> 2020-06-20 15:09:48 pki.nssdb : DEBUG Command: certutil -A -d > >>> /var/lib/pki/pki-tomcat/alias -f /tmp/tmplJLOg8/internal_password.txt > >>> -n Server-Cert cert-pki-ca -a -i /tmp/tmpeCzA_b/sslserver.crt -t ,, > >>> 2020-06-20 15:09:48 pkispawn : INFO ....... executing > >>> 'systemctl daemon-reload' > >>> 2020-06-20 15:09:48 pkispawn : INFO ....... executing > >>> 'systemctl start pki-tomcatd(a)pki-tomcat.service&#39; > >>> 2020-06-20 15:09:48 pkispawn : INFO ........... FIPS mode is > >>> NOT enabled on this operating system. > >>> 2020-06-20 15:09:48 pkispawn : DEBUG ........... No connection - > >>> server may still be down > >>> 2020-06-20 15:09:48 pkispawn : DEBUG ........... No connection - > >>> exception thrown: ('Connection aborted.', error(111, 'Connection > >>> refused')) > >>> 2020-06-20 15:09:49 pkispawn : DEBUG ........... No connection - > >>> server may still be down > >>> 2020-06-20 15:09:49 pkispawn : DEBUG ........... No connection - > >>> exception thrown: ('Connection aborted.', error(111, 'Connection > >>> refused')) > >>> 2020-06-20 15:09:56 pkispawn : DEBUG ........... No connection - > >>> server may still be down > >>> 2020-06-20 15:09:56 pkispawn : DEBUG ........... No connection - > >>> exception thrown: 500 Server Error: Internal Server Error > >>> 2020-06-20 15:09:57 pkispawn : DEBUG ........... No connection - > >>> server may still be down > >>> 2020-06-20 15:09:57 pkispawn : DEBUG ........... No connection - > >>> exception thrown: 500 Server Error: Internal Server Error > >>> 2020-06-20 15:09:58 pkispawn : DEBUG ........... No connection - > >>> server may still be down > >>> ... repeats every second > >>> 2020-06-20 15:10:47 pkispawn : DEBUG ........... No connection - > >>> exception thrown: 500 Server Error: Internal Server Error > >>> 2020-06-20 15:10:48 pkispawn : DEBUG ........... No connection - > >>> server may still be down > >>> 2020-06-20 15:10:48 pkispawn : DEBUG ........... No connection - > >>> exception thrown: 500 Server Error: Internal Server Error > >>> 2020-06-20 15:10:49 pkispawn : ERROR ... server failed to restart > >>> 2020-06-20 15:10:49 pkispawn : DEBUG ....... Error Type: RuntimeError > >>> 2020-06-20 15:10:49 pkispawn : DEBUG ....... Error Message: > >>> server failed to restart > >>> 2020-06-20 15:10:49 pkispawn : DEBUG ....... File > >>> "/usr/sbin/pkispawn", line 534, in main > >>> scriptlet.spawn(deployer) > >>> File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", > >>> line 1304, in spawn > >>> raise RuntimeError("server failed to restart") > >>> ###### > >>> > >>> And here is the failure in /var/log/ipareplica-ca-install.log: > >>> ###### > >>> ... > >>> --------------- > >>> Import complete > >>> --------------- > >>> Imported certificates into /etc/pki/pki-tomcat/alias: > >>> > >>> Certificate Nickname Trust Attributes > >>> SSL,S/MIME,JAR/XPI > >>> > >>> Third-party RSA CA C,, > >>> caSigningCert cert-pki-ca CTu,Cu,Cu > >>> subsystemCert cert-pki-ca u,u,u > >>> auditSigningCert cert-pki-ca u,u,Pu > >>> Third-party Root CA C,, > >>> ocspSigningCert cert-pki-ca u,u,u > >>> > >>> Installation failed: server failed to restart > >>> > >>> > >>> 2020-06-20T15:10:50Z DEBUG stderr=pkispawn : ERROR ... server > >>> failed to restart > >>> > >>> 2020-06-20T15:10:50Z CRITICAL Failed to configure CA instance: Command > >>> '/usr/sbin/pkispawn -s CA -f /tmp/tmpcQ1jxM' returned non-zero exit > >>> status 1 > >>> 2020-06-20T15:10:50Z CRITICAL See the installation logs and the > >>> following files/directories for more information: > >>> 2020-06-20T15:10:50Z CRITICAL /var/log/pki/pki-tomcat > >>> 2020-06-20T15:10:50Z DEBUG Traceback (most recent call last): > >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", > >>> line 567, in start_creation > >>> run_step(full_msg, method) > >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", > >>> line 557, in run_step > >>> method() > >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", > >>> line 675, in __spawn_instance > >>> pki_pin) > >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", > >>> line 167, in spawn_instance > >>> self.handle_setup_error(e) > >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", > >>> line 408, in handle_setup_error > >>> raise RuntimeError("%s configuration failed." % self.subsystem) > >>> RuntimeError: CA configuration failed. > >>> > >>> 2020-06-20T15:10:50Z DEBUG [error] RuntimeError: CA configuration failed. > >>> ... > >>> ###### > >>> > >>> Has anyone run into this? > >>> Is this a known bug/issue? > >>> > >>> Current environment of all replicas: > >>> - CentOS 7.8 > >>> - FreeIPA 4.6.6 > >>> > >>> Any help/guidance on fixing this would be really appreciated. > >>> > >>> Thanks so much, > >>> > >>> Guillermo > >>> _______________________________________________ > >>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > >>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > >>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > >>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > >>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > >>> > >> > > _______________________________________________ > > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > > >

Confirmed Fraser. It worked! Thanks so much! Using the decimal value in the nextRange attribute did the trick. Thank you everyone for your help. All the best, Guillermo On Tue, Jul 7, 2020 at 3:57 AM Fraser Tweedale <ftweedal(a)redhat.com&gt; wrote: > > On Tue, Jul 07, 2020 at 12:04:58AM -0400, Guillermo Fuentes via FreeIPA-users wrote: > > On Mon, Jul 6, 2020 at 5:31 PM Rob Crittenden <rcritten(a)redhat.com&gt; wrote: > > > > > > Guillermo Fuentes via FreeIPA-users wrote: > > > > Hi Flo, > > > > Here is the value of the entry: > > > > # certificateRepository, ca, ipaca > > > > dn: ou=certificateRepository,ou=ca,o=ipaca > > > > objectClass: top > > > > objectClass: repository > > > > ou: certificateRepository > > > > serialno: 09268369921 > > > > nextRange: e0000001 > > > > > > > > The value of nextRange was modified by hand to fix another issue. > > > > According to this > > > > https://frasertweedale.github.io/blog-redhat/posts/2019-07-26-dogtag-repl... > > > > it should be hexadecimal. > > > > > > Maybe try an upper-case E. > > > > > > rob > > > > Same result. > > > IIRC the ldap objects all use decimal representation. It is only in > CS.cfg where some ranges are hexadecimal and others are decimal. > I can confirm later. And update the blog post to clarify! > > Put the decimal representation in the `nextRange' attribute and see > how you go. > > Cheers, > Fraser > > > > > > > > > > > > > If the code is expecting a decimal value, I'm assuming converting the > > > > range from hex to decimal should do it, right? I'll also check for > > > > conflicts. > > > > > > > > Thanks! > > > > Guillermo > > > > > > > > On Mon, Jul 6, 2020 at 12:35 PM Florence Blanc-Renaud <flo(a)redhat.com&gt; wrote: > > > >> > > > >> On 7/6/20 5:18 PM, Guillermo Fuentes via FreeIPA-users wrote: > > > >>> Hi all, > > > >>> > > > >>> I'm having an issue creating a new replica with CA. > > > >>> The Directory Service installation works fine but adding the CA clone > > > >>> fails with a java.lang.NumberFormatException when getting the serial > > > >>> number range. > > > >>> > > > >>> This is the error logged in /var/log/pki/pki-tomcat/ca/debug: > > > >>> ###### > > > >>> ... > > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: retrieving > > > >>> ou=ca, ou=requests,o=ipaca > > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: updating > > > >>> nextRange from 80000001 to 90000001 > > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: adding new > > > >>> range object: cn=80000001,ou=requests, ou=ranges,o=ipaca > > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: > > > >>> getNextRange Next range has been added: 80000001 - 90000000 > > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Releasing ldap connection > > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: returnConn: mNumConns now 3 > > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: next range: 80000001 > > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Next min > > > >>> serial number: 80000001 > > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: Setting > > > >>> next min requests number: 80000001 > > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: Setting > > > >>> next max requests number: 90000000 > > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Checking for a range conflict > > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: In > > > >>> LdapBoundConnFactory::getConn() > > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: masterConn is connected: true > > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: conn is connected true > > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: mNumConns now 2 > > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Releasing ldap connection > > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: returnConn: mNumConns now 3 > > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: CMSEngine: checking > > > >>> certificate serial number ranges > > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Serial > > > >>> numbers left in range: 65536 > > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Last serial > > > >>> number: 2415656960 > > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Serial > > > >>> numbers available: 65536 > > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Low water > > > >>> mark: 33554432 > > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Requesting next range > > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: In > > > >>> LdapBoundConnFactory::getConn() > > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: masterConn is connected: true > > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: conn is connected true > > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: mNumConns now 2 > > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: retrieving > > > >>> ou=certificateRepository, ou=ca,o=ipaca > > > >> Hi, > > > >> > > > >> What is the content of this entry? > > > >> ldapsearch -D "cn=directory manager" -W -b > > > >> "ou=certificateRepository,ou=ca,o=ipaca" -s base > > > >> > > > >> According to the code, a decimal format is expected for the attribute > > > >> nextRange. Was the value modified by hand? If not, I would advise to > > > >> open an issue against dogtag, for the team to investigate how an > > > >> hexadecimal format could get written there: > > > >> https://pagure.io/dogtagpki/new_issue > > > >> > > > >> HTH, > > > >> flo > > > >> > > > >>> java.lang.NumberFormatException: For input string: "e0000001" > > > >>> at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65) > > > >>> at java.lang.Integer.parseInt(Integer.java:580) > > > >>> at java.math.BigInteger.<init>(BigInteger.java:470) > > > >>> at java.math.BigInteger.<init>(BigInteger.java:606) > > > >>> at com.netscape.cmscore.dbs.DBSubsystem.getNextRange(DBSubsystem.java:417) > > > >>> at com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:546) > > > >>> at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1268) > > > >>> at com.netscape.certsrv.apps.CMS.startup(CMS.java:204) > > > >>> at com.netscape.certsrv.apps.CMS.start(CMS.java:1459) > > > >>> at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117) > > > >>> at javax.servlet.GenericServlet.init(GenericServlet.java:158) > > > >>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > > > >>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > > > >>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > > > >>> at java.lang.reflect.Method.invoke(Method.java:498) > > > >>> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288) > > > >>> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285) > > > >>> at java.security.AccessController.doPrivileged(Native Method) > > > >>> at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) > > > >>> at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320) > > > >>> ... > > > >>> ###### > > > >>> > > > >>> This is logged in /var/log/pki/pki-ca-spawn.20200620150752.log: > > > >>> ###### > > > >>> ... > > > >>> 2020-06-20 15:09:47 pkispawn : INFO ....... executing > > > >>> 'systemctl stop pki-tomcatd(a)pki-tomcat.service&#39; > > > >>> 2020-06-20 15:09:48 pkispawn : INFO ....... removing temp SSL > > > >>> server cert from internal token: Server-Cert cert-pki-ca > > > >>> 2020-06-20 15:09:48 pki.nssdb : DEBUG Command: certutil -D -d > > > >>> /var/lib/pki/pki-tomcat/alias -f /tmp/tmptjRzW6/password.txt -n > > > >>> Server-Cert cert-pki-ca > > > >>> 2020-06-20 15:09:48 pkispawn : INFO ....... importing permanent > > > >>> SSL server cert into internal token: Server-Cert cert-pki-ca > > > >>> 2020-06-20 15:09:48 pki.nssdb : DEBUG Command: certutil -A -d > > > >>> /var/lib/pki/pki-tomcat/alias -f /tmp/tmplJLOg8/internal_password.txt > > > >>> -n Server-Cert cert-pki-ca -a -i /tmp/tmpeCzA_b/sslserver.crt -t ,, > > > >>> 2020-06-20 15:09:48 pkispawn : INFO ....... executing > > > >>> 'systemctl daemon-reload' > > > >>> 2020-06-20 15:09:48 pkispawn : INFO ....... executing > > > >>> 'systemctl start pki-tomcatd(a)pki-tomcat.service&#39; > > > >>> 2020-06-20 15:09:48 pkispawn : INFO ........... FIPS mode is > > > >>> NOT enabled on this operating system. > > > >>> 2020-06-20 15:09:48 pkispawn : DEBUG ........... No connection - > > > >>> server may still be down > > > >>> 2020-06-20 15:09:48 pkispawn : DEBUG ........... No connection - > > > >>> exception thrown: ('Connection aborted.', error(111, 'Connection > > > >>> refused')) > > > >>> 2020-06-20 15:09:49 pkispawn : DEBUG ........... No connection - > > > >>> server may still be down > > > >>> 2020-06-20 15:09:49 pkispawn : DEBUG ........... No connection - > > > >>> exception thrown: ('Connection aborted.', error(111, 'Connection > > > >>> refused')) > > > >>> 2020-06-20 15:09:56 pkispawn : DEBUG ........... No connection - > > > >>> server may still be down > > > >>> 2020-06-20 15:09:56 pkispawn : DEBUG ........... No connection - > > > >>> exception thrown: 500 Server Error: Internal Server Error > > > >>> 2020-06-20 15:09:57 pkispawn : DEBUG ........... No connection - > > > >>> server may still be down > > > >>> 2020-06-20 15:09:57 pkispawn : DEBUG ........... No connection - > > > >>> exception thrown: 500 Server Error: Internal Server Error > > > >>> 2020-06-20 15:09:58 pkispawn : DEBUG ........... No connection - > > > >>> server may still be down > > > >>> ... repeats every second > > > >>> 2020-06-20 15:10:47 pkispawn : DEBUG ........... No connection - > > > >>> exception thrown: 500 Server Error: Internal Server Error > > > >>> 2020-06-20 15:10:48 pkispawn : DEBUG ........... No connection - > > > >>> server may still be down > > > >>> 2020-06-20 15:10:48 pkispawn : DEBUG ........... No connection - > > > >>> exception thrown: 500 Server Error: Internal Server Error > > > >>> 2020-06-20 15:10:49 pkispawn : ERROR ... server failed to restart > > > >>> 2020-06-20 15:10:49 pkispawn : DEBUG ....... Error Type: RuntimeError > > > >>> 2020-06-20 15:10:49 pkispawn : DEBUG ....... Error Message: > > > >>> server failed to restart > > > >>> 2020-06-20 15:10:49 pkispawn : DEBUG ....... File > > > >>> "/usr/sbin/pkispawn", line 534, in main > > > >>> scriptlet.spawn(deployer) > > > >>> File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", > > > >>> line 1304, in spawn > > > >>> raise RuntimeError("server failed to restart") > > > >>> ###### > > > >>> > > > >>> And here is the failure in /var/log/ipareplica-ca-install.log: > > > >>> ###### > > > >>> ... > > > >>> --------------- > > > >>> Import complete > > > >>> --------------- > > > >>> Imported certificates into /etc/pki/pki-tomcat/alias: > > > >>> > > > >>> Certificate Nickname Trust Attributes > > > >>> SSL,S/MIME,JAR/XPI > > > >>> > > > >>> Third-party RSA CA C,, > > > >>> caSigningCert cert-pki-ca CTu,Cu,Cu > > > >>> subsystemCert cert-pki-ca u,u,u > > > >>> auditSigningCert cert-pki-ca u,u,Pu > > > >>> Third-party Root CA C,, > > > >>> ocspSigningCert cert-pki-ca u,u,u > > > >>> > > > >>> Installation failed: server failed to restart > > > >>> > > > >>> > > > >>> 2020-06-20T15:10:50Z DEBUG stderr=pkispawn : ERROR ... server > > > >>> failed to restart > > > >>> > > > >>> 2020-06-20T15:10:50Z CRITICAL Failed to configure CA instance: Command > > > >>> '/usr/sbin/pkispawn -s CA -f /tmp/tmpcQ1jxM' returned non-zero exit > > > >>> status 1 > > > >>> 2020-06-20T15:10:50Z CRITICAL See the installation logs and the > > > >>> following files/directories for more information: > > > >>> 2020-06-20T15:10:50Z CRITICAL /var/log/pki/pki-tomcat > > > >>> 2020-06-20T15:10:50Z DEBUG Traceback (most recent call last): > > > >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", > > > >>> line 567, in start_creation > > > >>> run_step(full_msg, method) > > > >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", > > > >>> line 557, in run_step > > > >>> method() > > > >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", > > > >>> line 675, in __spawn_instance > > > >>> pki_pin) > > > >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", > > > >>> line 167, in spawn_instance > > > >>> self.handle_setup_error(e) > > > >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", > > > >>> line 408, in handle_setup_error > > > >>> raise RuntimeError("%s configuration failed." % self.subsystem) > > > >>> RuntimeError: CA configuration failed. > > > >>> > > > >>> 2020-06-20T15:10:50Z DEBUG [error] RuntimeError: CA configuration failed. > > > >>> ... > > > >>> ###### > > > >>> > > > >>> Has anyone run into this? > > > >>> Is this a known bug/issue? > > > >>> > > > >>> Current environment of all replicas: > > > >>> - CentOS 7.8 > > > >>> - FreeIPA 4.6.6 > > > >>> > > > >>> Any help/guidance on fixing this would be really appreciated. > > > >>> > > > >>> Thanks so much, > > > >>> > > > >>> Guillermo > > > >>> _______________________________________________ > > > >>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > > > >>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > > > >>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > > >>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > > >>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > > > >>> > > > >> > > > > _______________________________________________ > > > > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > > > > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > > > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > > > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > > > > > > > > > _______________________________________________ > > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... >