it seems this may be in the context of IPA; which versions are on the replica that
fails to install and on the master?
cat /etc/redhat-release ; rpm -q ipa-server pki-ca ; ls -l /etc/alternatives/java
there are several LDAP errors 68 and 20 about existing entries; try to first
uninstall the IPA replica before re-installing
I will add some more notes, but it really seems an IPA replica
install/configuration failed, and it should be removed before trying again.
Thanks,
M.
extra notes:
the CA debug log seems to show other errors that are unrelated to the
ipa-replica-install command with "RuntimeError: Unable to retrieve CA
chain: request failed with HTTP status 500"
try to get more lines before that error in the log file
/var/log/ipareplica-install.log
and if there are any matching entries in
/var/log/httpd/error_log
otherwise, on the system with the error
[22/Aug/2017:17:13:08][SerialNumberUpdateTask]: DBSubsystem: getNextRange.
Unable to provide next range :netscape.ldap.LDAPException: error result (68)
try to match the LDAP messages related to that time stamp and with err=68,
find the conn=xx and match the corresponding search that generated the
"already exist" error, it would be interesting to see the filter and base
DN in that search
it should be one of the LDAP connections bound for example, as "TLS1.2
client bound as uid=pkidbuser,ou=people,o=ipaca "
and, it should, for example, have LDAP searches in
"ou=certificateRepository,ou=ranges,o=ipaca" and
"ou=requests,ou=ranges,o=ipaca"
on the master, try to list the DNA ranges that are available:
ipa-replica-manage dnarange-show
it should list for example
ipaserver1.example.com: aaaaaa-bbbbb
ipaserver2.example.com: cccccc-dddddd
and there should be no common ranges
see:
14.3. Displaying Currently Assigned ID Ranges
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/...
and
14.5. Manual ID Range Extension and Assigning a New ID Range
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/...
example of what we should see in /var/log/pki/pki-tomcat/ca/debug
for getNextRange
[09/Mar/2017:02:49:31][localhost-startStop-1]: DBSubsystem: getNextRange
Next range has been added: 10000001 - 20000000
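As an added example (not part of the original thread, and not IPA, FreeIPA or Dogtag code), the following Python script does the two checks suggested above: it correlates err=68 / err=20 RESULT lines in a 389-ds access log with the request of the same conn/op, the identity bound on that connection, and the most recent search (base DN and filter) on that connection; and it parses dnarange-show output to report any ranges that overlap. The access-log lines, hostnames and range numbers are constructed sample data, and the log field layout (conn=, op=, key="value") is assumed to follow the usual 389-ds access-log format.

```python
"""Two checks from the troubleshooting steps above, as stand-alone Python:
1. correlate err=68 / err=20 RESULT lines in a 389-ds access log with the
   operation, bound identity and the preceding search on the same connection;
2. check ipa-replica-manage dnarange-show output for overlapping ranges."""
import re
from typing import Dict, List, Tuple

# Constructed sample 389-ds access-log lines (assumed conn=/op= layout; these
# are not lines from the original mail). conn=12 is a pkidbuser TLS client-cert
# connection that hits "already exists" (68) and "type or value exists" (20).
SAMPLE_ACCESS_LOG = """\
[22/Aug/2017:17:03:09 +0000] conn=12 fd=64 slot=64 SSL connection from 10.0.0.2 to 10.0.0.1
[22/Aug/2017:17:03:09 +0000] conn=12 TLS1.2 128-bit AES; client bound as uid=pkidbuser,ou=people,o=ipaca
[22/Aug/2017:17:03:09 +0000] conn=12 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[22/Aug/2017:17:03:09 +0000] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=pkidbuser,ou=people,o=ipaca"
[22/Aug/2017:17:03:09 +0000] conn=12 op=1 SRCH base="ou=certificateRepository,ou=ranges,o=ipaca" scope=1 filter="(objectClass=pkiRange)" attrs="beginRange endRange"
[22/Aug/2017:17:03:09 +0000] conn=12 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[22/Aug/2017:17:03:09 +0000] conn=12 op=2 ADD dn="cn=10000001,ou=certificateRepository,ou=ranges,o=ipaca"
[22/Aug/2017:17:03:09 +0000] conn=12 op=2 RESULT err=68 tag=105 nentries=0 etime=0
[22/Aug/2017:17:03:09 +0000] conn=12 op=3 MOD dn="o=ipaca"
[22/Aug/2017:17:03:09 +0000] conn=12 op=3 RESULT err=20 tag=103 nentries=0 etime=0
[22/Aug/2017:17:03:10 +0000] conn=13 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[22/Aug/2017:17:03:10 +0000] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')   # quoted key="value" fields (dn, base, filter, ...)
ERR_RE = re.compile(r'\berr=(\d+)')


def correlate_ldap_errors(log_text: str, err_codes=(68, 20)) -> List[dict]:
    """Return one record per RESULT line whose err= is in err_codes, joined with
    the request of the same conn/op, the identity bound on that conn, and the
    most recent SRCH (base DN + filter) seen on that conn before the error."""
    bound_as: Dict[str, str] = {}
    last_search: Dict[str, dict] = {}
    requests: Dict[Tuple[str, str], dict] = {}
    findings: List[dict] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, conn, op, rest = m.group('ts', 'conn', 'op', 'rest')
        if 'client bound as ' in rest:          # TLS client-cert authentication
            bound_as[conn] = rest.split('client bound as ', 1)[1].strip()
            continue
        kv = dict(KV_RE.findall(rest))
        verb = rest.split(' ', 1)[0]
        if verb == 'RESULT':
            if kv.get('dn'):                     # bind RESULT carries the effective identity
                bound_as[conn] = kv['dn']
            em = ERR_RE.search(rest)
            if em and int(em.group(1)) in err_codes:
                req = requests.get((conn, op), {})
                findings.append({
                    'time': ts, 'conn': conn, 'op': op, 'err': int(em.group(1)),
                    'bound_as': bound_as.get(conn),
                    'operation': req.get('verb'),
                    'target': req.get('dn') or req.get('base'),
                    'filter': req.get('filter'),
                    'preceding_search': last_search.get(conn),
                })
        elif op is not None:                     # a request line: BIND/SRCH/ADD/MOD/...
            if verb == 'BIND' and kv.get('dn'):
                bound_as[conn] = kv['dn']
            if verb == 'SRCH':
                last_search[conn] = {'base': kv.get('base'), 'filter': kv.get('filter')}
            requests[(conn, op)] = {'verb': verb, **kv}
    return findings


RANGE_RE = re.compile(r'^(?P<host>\S+):\s*(?P<start>\d+)-(?P<end>\d+)$')


def parse_dna_ranges(text: str) -> List[Tuple[str, int, int]]:
    """Parse 'host: start-end' lines as printed by ipa-replica-manage dnarange-show."""
    out = []
    for line in text.splitlines():
        m = RANGE_RE.match(line.strip())
        if m:
            out.append((m.group('host'), int(m.group('start')), int(m.group('end'))))
    return out


def find_overlapping_ranges(text: str) -> List[Tuple[str, str, int, int]]:
    """Pairs of hosts whose closed ranges intersect, with the shared interval."""
    ranges = parse_dna_ranges(text)
    overlaps = []
    for i, (h1, s1, e1) in enumerate(ranges):
        for h2, s2, e2 in ranges[i + 1:]:
            if s1 <= e2 and s2 <= e1:
                overlaps.append((h1, h2, max(s1, s2), min(e1, e2)))
    return overlaps


# Constructed dnarange-show output (placeholder hosts and numbers) with an overlap.
SAMPLE_DNA_RANGES = """\
ipaserver1.example.com: 10000001-20000000
ipaserver2.example.com: 15000000-30000000
"""

if __name__ == '__main__':
    for f in correlate_ldap_errors(SAMPLE_ACCESS_LOG):
        print(f"{f['time']} conn={f['conn']} op={f['op']} err={f['err']} "
              f"as {f['bound_as']}: {f['operation']} {f['target']} "
              f"(last search: {f['preceding_search']})")
    for h1, h2, lo, hi in find_overlapping_ranges(SAMPLE_DNA_RANGES):
        print(f"OVERLAP {h1} and {h2} share {lo}-{hi}")
```

To use it on a real system, feed the replica's /var/log/dirsrv/slapd-*/access content to correlate_ldap_errors and the output of ipa-replica-manage dnarange-show from the master to find_overlapping_ranges; a non-empty overlap list means two servers can hand out the same serial or ID values, which is exactly the condition the note above says must not occur.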
On Tue, Aug 29, 2017 at 8:56 AM, pgb205 <pgb205(a)yahoo.com> wrote:
I have an install that fails at the following stage:
importing CA chain to RA certificate database
[error] RuntimeError: Unable to retrieve CA chain: request failed with
HTTP status 500
the logs are not showing anything obvious
[22/Aug/2017:17:02:52][http-bio-8443-exec-3]: importLDIFS(): LDAP Errors
in importing /var/lib/pki/pki-tomcat/ca/conf/manager.ldif
[22/Aug/2017:17:02:52][http-bio-8443-exec-3]: LDAPUtil:importLDIF:
exception in adding entry ou=csusers,cn=config:netscape.ldap.LDAPException:
error result (68)
[22/Aug/2017:17:02:52][http-bio-8443-exec-3]: LDAPUtil:importLDIF:
exception in modifying entry o=ipaca:netscape.ldap.LDAPException: error
result (20)
[22/Aug/2017:17:02:52][http-bio-8443-exec-3]: init: before makeConnection
errorIfDown is false
[22/Aug/2017:17:02:52][http-bio-8443-exec-3]: makeConnection: errorIfDown
false
[22/Aug/2017:17:02:57][http-bio-8443-exec-3]: init: before makeConnection
errorIfDown is true
[22/Aug/2017:17:02:57][http-bio-8443-exec-3]: makeConnection: errorIfDown
true
[22/Aug/2017:17:02:57][http-bio-8443-exec-3]: init: before makeConnection
errorIfDown is false
[22/Aug/2017:17:02:57][http-bio-8443-exec-3]: makeConnection: errorIfDown
false
[22/Aug/2017:17:02:57][http-bio-8443-exec-3]: init: before makeConnection
errorIfDown is false
[22/Aug/2017:17:02:57][http-bio-8443-exec-3]: makeConnection: errorIfDown
false
[22/Aug/2017:17:02:58][http-bio-8443-exec-3]: init: before makeConnection
errorIfDown is false
[22/Aug/2017:17:02:58][http-bio-8443-exec-3]: makeConnection: errorIfDown
false
[22/Aug/2017:17:03:07][localhost-startStop-1]: init: before
makeConnection errorIfDown is true
[22/Aug/2017:17:03:07][localhost-startStop-1]: makeConnection:
errorIfDown true
[22/Aug/2017:17:03:07][localhost-startStop-1]: init: before
makeConnection errorIfDown is false
[22/Aug/2017:17:03:07][localhost-startStop-1]: makeConnection:
errorIfDown false
[22/Aug/2017:17:03:08][localhost-startStop-1]: init: before
makeConnection errorIfDown is false
[22/Aug/2017:17:03:08][localhost-startStop-1]: makeConnection:
errorIfDown false
[22/Aug/2017:17:03:08][localhost-startStop-1]: init: before
makeConnection errorIfDown is false
[22/Aug/2017:17:03:08][localhost-startStop-1]: makeConnection:
errorIfDown false
[22/Aug/2017:17:03:08][profileChangeMonitor]: Start Profile Creation -
caDirUserRenewal caEnrollImpl com.netscape.cms.profile.
common.CAEnrollProfile
[22/Aug/2017:17:03:08][profileChangeMonitor]: Done Profile Creation -
caDirUserRenewal
[22/Aug/2017:17:03:08][profileChangeMonitor]: Start Profile Creation -
IECUserRoles caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[22/Aug/2017:17:03:08][profileChangeMonitor]: Done Profile Creation -
IECUserRoles
[22/Aug/2017:17:03:08][localhost-startStop-1]: init: before
makeConnection errorIfDown is false
[22/Aug/2017:17:03:08][localhost-startStop-1]: makeConnection:
errorIfDown false
[22/Aug/2017:17:03:09][localhost-startStop-1]: init: before
makeConnection errorIfDown is false
[22/Aug/2017:17:03:09][localhost-startStop-1]: makeConnection:
errorIfDown false
[22/Aug/2017:17:03:09][localhost-startStop-1]: init: before
makeConnection errorIfDown is false
[22/Aug/2017:17:03:09][localhost-startStop-1]: makeConnection:
errorIfDown false
[22/Aug/2017:17:03:09][localhost-startStop-1]: DBSubsystem: getNextRange.
Unable to provide next range :netscape.ldap.LDAPException: error result (68)
[22/Aug/2017:17:13:08][SerialNumberUpdateTask]: DBSubsystem:
getNextRange. Unable to provide next range :netscape.ldap.LDAPException:
error result (68)
and
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: returnConn: mNumConns now 5
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: DBVirtualList: searching
for entry 20170823152409Z
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: DBVirtualList.getEntries()
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: DBVirtualList: entries: 1
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: DBVirtualList: top: 0
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: DBVirtualList: size: 640
[23/Aug/2017:15:24:09][CertStatusUpdateTask]:
transitRevokedExpiredCertificates: list size: 640
[23/Aug/2017:15:24:09][CertStatusUpdateTask]:
transitRevokedExpiredCertificates: ltSize 1
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: transitRevokedExpired:
curRec: 0 CertRecord: 76
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: Record does not
qualify,notAfter Mon Aug 28 16:47:53 UTC 2017 date Wed Aug 23 15:24:09 UTC
2017
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: transitCertList
REVOKED_EXPIRED
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: updateCertStatus done
I have full logs if necessary, but I'm unable to determine the cause for
the failure. Asking on freeipa forums, this is a problem on the CA server,
but that's as far as I got with this.
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users