It seems this may be in the context of IPA. Which versions are on the replica that fails to install, and on the master?
cat /etc/redhat-release ; rpm -q ipa-server pki-ca ; ls -l /etc/alternatives/java

There are several LDAP errors 68 and 20 about existing entries; try to first uninstall the IPA replica before re-installing.

I will add some more notes, but it really seems an IPA replica install/configuration failed, and it should be removed before trying again.
Thanks,
M.

extra notes:

the CA debug log seems to show other errors that are unrelated to the ipa-replica-install command with "RuntimeError: Unable to retrieve CA chain: request failed with HTTP status 500"
try to get more lines before that error in the log file /var/log/ipareplica-install.log
and if there are any matching entries in
/var/log/httpd/error_log

otherwise, on the system with the error
[22/Aug/2017:17:13:08][SerialNumberUpdateTask]: DBSubsystem: getNextRange. Unable to provide next range :netscape.ldap.LDAPException: error result (68)
try to match the LDAP messages related to that time stamp and with err=68, find the conn=xx and match the corresponding search that generated the "already exists" error; it would be interesting to see the filter and base DN in that search
it should be one of the LDAP connections bound, for example, as "TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca"
and it should, for example, have LDAP searches in "ou=certificateRepository,ou=ranges,o=ipaca" and "ou=requests,ou=ranges,o=ipaca"

on the master, try to list the DNA ranges that are available:
ipa-replica-manage dnarange-show
it should list for example
ipaserver1.example.com: aaaaaa-bbbbb
ipaserver2.example.com: cccccc-dddddd
and there should be no common ranges

see:
14.3. Displaying Currently Assigned ID Ranges
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/display-id-range.html

and
14.5. Manual ID Range Extension and Assigning a New ID Range
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/man-set-extend-id-ranges.html

example of what we should see in /var/log/pki/pki-tomcat/ca/debug for getNextRange
[09/Mar/2017:02:49:31][localhost-startStop-1]: DBSubsystem: getNextRange  Next range has been added: 10000001 - 20000000

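Added example (not part of this thread, and not FreeIPA or Dogtag code): a small Python script that automates the two checks suggested above on constructed sample input. The first function walks a 389-ds access log, picks every RESULT with err=68, and joins it with the operation it completes, the last SRCH (base DN and filter) and the BIND DN on the same connection, so the "already exists" error can be tied to a bound identity and a range subtree. The second parses `ipa-replica-manage dnarange-show` style output and reports hosts whose ranges overlap. Assumptions: the access-log line shape `[timestamp] conn=N op=M <operation> ...` used by 389-ds, and the `host: start-end` output shape shown above; all log lines, hosts and numbers are constructed for the example.

```python
#!/usr/bin/env python3
"""Correlate 389-ds access-log err=NN results with the bind, search and
operation on the same connection, and check DNA ranges for overlap.
Added example; sample data below is constructed, not from a real server."""
import re

# [timestamp] conn=N [op=M] rest  -- connection-level lines have no op=
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$')
DN_RE = re.compile(r'\bdn="(?P<dn>[^"]*)"')
BASE_RE = re.compile(r'\bbase="(?P<base>[^"]*)"')
FILTER_RE = re.compile(r'\bfilter="(?P<filter>[^"]*)"')
ERR_RE = re.compile(r'\berr=(?P<err>\d+)')
# host: start-end, as printed by ipa-replica-manage dnarange-show
RANGE_RE = re.compile(r'^(?P<host>\S+):\s*(?P<start>\d+)-(?P<end>\d+)\s*$')

# Constructed access-log excerpt: pkidbuser searches the range subtree,
# then tries to ADD a range entry that already exists (err=68).
SAMPLE_ACCESS_LOG = """\
[22/Aug/2017:17:13:07 +0000] conn=42 fd=64 slot=64 SSL connection from 10.0.0.5 to 10.0.0.5
[22/Aug/2017:17:13:07 +0000] conn=42 op=0 BIND dn="uid=pkidbuser,ou=people,o=ipaca" method=128 version=3
[22/Aug/2017:17:13:07 +0000] conn=42 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=pkidbuser,ou=people,o=ipaca"
[22/Aug/2017:17:13:08 +0000] conn=42 op=1 SRCH base="ou=certificateRepository,ou=ranges,o=ipaca" scope=1 filter="(objectClass=pkiRange)" attrs=ALL
[22/Aug/2017:17:13:08 +0000] conn=42 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[22/Aug/2017:17:13:08 +0000] conn=42 op=2 ADD dn="cn=10000001,ou=certificateRepository,ou=ranges,o=ipaca"
[22/Aug/2017:17:13:08 +0000] conn=42 op=2 RESULT err=68 tag=105 nentries=0 etime=0
[22/Aug/2017:17:13:09 +0000] conn=43 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[22/Aug/2017:17:13:09 +0000] conn=43 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[22/Aug/2017:17:13:09 +0000] conn=43 op=1 SRCH base="o=ipaca" scope=2 filter="(cn=*)" attrs=ALL
[22/Aug/2017:17:13:09 +0000] conn=43 op=1 RESULT err=0 tag=101 nentries=3 etime=0
"""

# Constructed dnarange-show output with one overlapping pair.
SAMPLE_RANGES = """\
ipaserver1.example.com: 1000-1999
ipaserver2.example.com: 1500-2499
ipaserver3.example.com: 3000-3999
"""


def parse_access_log(lines):
    """Turn access-log lines into dicts; lines without conn= are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({'ts': m['ts'], 'conn': int(m['conn']),
                       'op': int(m['op']) if m['op'] is not None else None,
                       'rest': m['rest']})
    return events


def correlate_errors(lines, err_code=68):
    """One record per RESULT err=err_code, joined with the operation it
    completes, the last SRCH on that connection and the connection's BIND DN."""
    bound_as = {}      # conn -> bind DN
    last_search = {}   # conn -> (base, filter) of the most recent SRCH
    pending_ops = {}   # (conn, op) -> (operation kind, target DN)
    findings = []
    for ev in parse_access_log(lines):
        conn, op, rest = ev['conn'], ev['op'], ev['rest']
        kind = rest.split(' ', 1)[0]
        if kind == 'RESULT':
            m = ERR_RE.search(rest)
            if m and int(m['err']) == err_code:
                op_kind, target = pending_ops.get((conn, op), ('?', ''))
                base, flt = last_search.get(conn, ('', ''))
                findings.append({'ts': ev['ts'], 'conn': conn, 'op': op,
                                 'bound_as': bound_as.get(conn, '(unknown)'),
                                 'operation': op_kind, 'target_dn': target,
                                 'search_base': base, 'search_filter': flt})
            continue
        if kind == 'BIND':
            m = DN_RE.search(rest)
            bound_as[conn] = (m['dn'] if m else '') or '(anonymous)'
        elif kind == 'SRCH':
            b, f = BASE_RE.search(rest), FILTER_RE.search(rest)
            last_search[conn] = (b['base'] if b else '', f['filter'] if f else '')
        if op is not None:
            m = DN_RE.search(rest)
            pending_ops[(conn, op)] = (kind, m['dn'] if m else '')
    return findings


def find_overlapping_ranges(text):
    """Return (host_a, host_b) pairs whose inclusive ranges overlap."""
    ranges = []
    for line in text.splitlines():
        m = RANGE_RE.match(line.strip())
        if m:
            ranges.append((m['host'], int(m['start']), int(m['end'])))
    ranges.sort(key=lambda r: r[1])
    overlaps = []
    for i, (host_a, _start_a, end_a) in enumerate(ranges):
        for host_b, start_b, _end_b in ranges[i + 1:]:
            if start_b > end_a:
                break  # sorted by start: no later range can reach back into a
            overlaps.append((host_a, host_b))
    return overlaps


if __name__ == '__main__':
    for f in correlate_errors(SAMPLE_ACCESS_LOG.splitlines()):
        print(f"{f['ts']} conn={f['conn']} op={f['op']} {f['operation']} "
              f"{f['target_dn']} bound as {f['bound_as']}; last search "
              f"base={f['search_base']} filter={f['search_filter']}")
    for a, b in find_overlapping_ranges(SAMPLE_RANGES):
        print(f"overlapping DNA ranges: {a} and {b}")
```

On a real system, replace the sample text with the contents of /var/log/dirsrv/slapd-INSTANCE/access (path varies by instance name) and the actual `ipa-replica-manage dnarange-show` output; the connection number in the finding is what to grep for to read the full conversation on that connection.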

On Tue, Aug 29, 2017 at 8:56 AM, pgb205 <pgb205@yahoo.com> wrote:
I have an install that fails at the following stage:
importing CA chain to RA certificate database
  [error] RuntimeError: Unable to retrieve CA chain: request failed with HTTP status 500

the logs are not showing anything obvious
22/Aug/2017:17:02:52][http-bio-8443-exec-3]: importLDIFS(): LDAP Errors in importing /var/lib/pki/pki-tomcat/ca/conf/manager.ldif
[22/Aug/2017:17:02:52][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in adding entry ou=csusers,cn=config:netscape.ldap.LDAPException: error result (68)
[22/Aug/2017:17:02:52][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in modifying entry o=ipaca:netscape.ldap.LDAPException: error result (20)
[22/Aug/2017:17:02:52][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:02:52][http-bio-8443-exec-3]: makeConnection: errorIfDown false
[22/Aug/2017:17:02:57][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is true
[22/Aug/2017:17:02:57][http-bio-8443-exec-3]: makeConnection: errorIfDown true
[22/Aug/2017:17:02:57][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:02:57][http-bio-8443-exec-3]: makeConnection: errorIfDown false
[22/Aug/2017:17:02:57][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:02:57][http-bio-8443-exec-3]: makeConnection: errorIfDown false
[22/Aug/2017:17:02:58][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:02:58][http-bio-8443-exec-3]: makeConnection: errorIfDown false
[22/Aug/2017:17:03:07][localhost-startStop-1]: init: before makeConnection errorIfDown is true
[22/Aug/2017:17:03:07][localhost-startStop-1]: makeConnection: errorIfDown true
[22/Aug/2017:17:03:07][localhost-startStop-1]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:03:07][localhost-startStop-1]: makeConnection: errorIfDown false
[22/Aug/2017:17:03:08][localhost-startStop-1]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:03:08][localhost-startStop-1]: makeConnection: errorIfDown false
[22/Aug/2017:17:03:08][localhost-startStop-1]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:03:08][localhost-startStop-1]: makeConnection: errorIfDown false
[22/Aug/2017:17:03:08][profileChangeMonitor]: Start Profile Creation - caDirUserRenewal caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[22/Aug/2017:17:03:08][profileChangeMonitor]: Done Profile Creation - caDirUserRenewal
[22/Aug/2017:17:03:08][profileChangeMonitor]: Start Profile Creation - IECUserRoles caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[22/Aug/2017:17:03:08][profileChangeMonitor]: Done Profile Creation - IECUserRoles
[22/Aug/2017:17:03:08][localhost-startStop-1]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:03:08][localhost-startStop-1]: makeConnection: errorIfDown false
[22/Aug/2017:17:03:09][localhost-startStop-1]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:03:09][localhost-startStop-1]: makeConnection: errorIfDown false
[22/Aug/2017:17:03:09][localhost-startStop-1]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:03:09][localhost-startStop-1]: makeConnection: errorIfDown false
[22/Aug/2017:17:03:09][localhost-startStop-1]: DBSubsystem: getNextRange. Unable to provide next range :netscape.ldap.LDAPException: error result (68)
[22/Aug/2017:17:13:08][SerialNumberUpdateTask]: DBSubsystem: getNextRange. Unable to provide next range :netscape.ldap.LDAPException: error result (68)

and

[23/Aug/2017:15:24:09][CertStatusUpdateTask]: returnConn: mNumConns now 5
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: DBVirtualList: searching for entry 20170823152409Z
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: DBVirtualList.getEntries()
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: DBVirtualList: entries: 1
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: DBVirtualList: top: 0
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: DBVirtualList: size: 640
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: transitRevokedExpiredCertificates: list size: 640
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: transitRevokedExpiredCertificates: ltSize 1
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: transitRevokedExpired: curRec: 0 CertRecord:     76
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: Record does not qualify,notAfter Mon Aug 28 16:47:53 UTC 2017 date Wed Aug 23 15:24:09 UTC 2017
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: transitCertList REVOKED_EXPIRED
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: updateCertStatus done

I have full logs if necessary, but I'm unable to determine the cause for the failure. Asking on freeipa forums, this is a problem on the CA server, but that's as far as I got with this.

_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users