Hi all,
I'm having an issue creating a new replica with CA. The Directory Service installation works fine but adding the CA clone fails with a java.lang.NumberFormatException when getting the serial number range.
This is the error logged in /var/log/pki/pki-tomcat/ca/debug:
######
...
[20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: retrieving ou=ca, ou=requests,o=ipaca
[20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: updating nextRange from 80000001 to 90000001
[20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: adding new range object: cn=80000001,ou=requests, ou=ranges,o=ipaca
[20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: getNextRange Next range has been added: 80000001 - 90000000
[20/Jun/2020:15:09:55][localhost-startStop-1]: Releasing ldap connection
[20/Jun/2020:15:09:55][localhost-startStop-1]: returnConn: mNumConns now 3
[20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: next range: 80000001
[20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Next min serial number: 80000001
[20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: Setting next min requests number: 80000001
[20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: Setting next max requests number: 90000000
[20/Jun/2020:15:09:55][localhost-startStop-1]: Checking for a range conflict
[20/Jun/2020:15:09:55][localhost-startStop-1]: In LdapBoundConnFactory::getConn()
[20/Jun/2020:15:09:55][localhost-startStop-1]: masterConn is connected: true
[20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: conn is connected true
[20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: mNumConns now 2
[20/Jun/2020:15:09:55][localhost-startStop-1]: Releasing ldap connection
[20/Jun/2020:15:09:55][localhost-startStop-1]: returnConn: mNumConns now 3
[20/Jun/2020:15:09:55][localhost-startStop-1]: CMSEngine: checking certificate serial number ranges
[20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Serial numbers left in range: 65536
[20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Last serial number: 2415656960
[20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Serial numbers available: 65536
[20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Low water mark: 33554432
[20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Requesting next range
[20/Jun/2020:15:09:55][localhost-startStop-1]: In LdapBoundConnFactory::getConn()
[20/Jun/2020:15:09:55][localhost-startStop-1]: masterConn is connected: true
[20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: conn is connected true
[20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: mNumConns now 2
[20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: retrieving ou=certificateRepository, ou=ca,o=ipaca
java.lang.NumberFormatException: For input string: "e0000001"
    at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
    at java.lang.Integer.parseInt(Integer.java:580)
    at java.math.BigInteger.<init>(BigInteger.java:470)
    at java.math.BigInteger.<init>(BigInteger.java:606)
    at com.netscape.cmscore.dbs.DBSubsystem.getNextRange(DBSubsystem.java:417)
    at com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:546)
    at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1268)
    at com.netscape.certsrv.apps.CMS.startup(CMS.java:204)
    at com.netscape.certsrv.apps.CMS.start(CMS.java:1459)
    at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
    at javax.servlet.GenericServlet.init(GenericServlet.java:158)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
...
######
This is logged in /var/log/pki/pki-ca-spawn.20200620150752.log:
######
...
2020-06-20 15:09:47 pkispawn : INFO ....... executing 'systemctl stop pki-tomcatd@pki-tomcat.service'
2020-06-20 15:09:48 pkispawn : INFO ....... removing temp SSL server cert from internal token: Server-Cert cert-pki-ca
2020-06-20 15:09:48 pki.nssdb : DEBUG Command: certutil -D -d /var/lib/pki/pki-tomcat/alias -f /tmp/tmptjRzW6/password.txt -n Server-Cert cert-pki-ca
2020-06-20 15:09:48 pkispawn : INFO ....... importing permanent SSL server cert into internal token: Server-Cert cert-pki-ca
2020-06-20 15:09:48 pki.nssdb : DEBUG Command: certutil -A -d /var/lib/pki/pki-tomcat/alias -f /tmp/tmplJLOg8/internal_password.txt -n Server-Cert cert-pki-ca -a -i /tmp/tmpeCzA_b/sslserver.crt -t ,,
2020-06-20 15:09:48 pkispawn : INFO ....... executing 'systemctl daemon-reload'
2020-06-20 15:09:48 pkispawn : INFO ....... executing 'systemctl start pki-tomcatd@pki-tomcat.service'
2020-06-20 15:09:48 pkispawn : INFO ........... FIPS mode is NOT enabled on this operating system.
2020-06-20 15:09:48 pkispawn : DEBUG ........... No connection - server may still be down
2020-06-20 15:09:48 pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
2020-06-20 15:09:49 pkispawn : DEBUG ........... No connection - server may still be down
2020-06-20 15:09:49 pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
2020-06-20 15:09:56 pkispawn : DEBUG ........... No connection - server may still be down
2020-06-20 15:09:56 pkispawn : DEBUG ........... No connection - exception thrown: 500 Server Error: Internal Server Error
2020-06-20 15:09:57 pkispawn : DEBUG ........... No connection - server may still be down
2020-06-20 15:09:57 pkispawn : DEBUG ........... No connection - exception thrown: 500 Server Error: Internal Server Error
2020-06-20 15:09:58 pkispawn : DEBUG ........... No connection - server may still be down
... repeats every second
2020-06-20 15:10:47 pkispawn : DEBUG ........... No connection - exception thrown: 500 Server Error: Internal Server Error
2020-06-20 15:10:48 pkispawn : DEBUG ........... No connection - server may still be down
2020-06-20 15:10:48 pkispawn : DEBUG ........... No connection - exception thrown: 500 Server Error: Internal Server Error
2020-06-20 15:10:49 pkispawn : ERROR ... server failed to restart
2020-06-20 15:10:49 pkispawn : DEBUG ....... Error Type: RuntimeError
2020-06-20 15:10:49 pkispawn : DEBUG ....... Error Message: server failed to restart
2020-06-20 15:10:49 pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", line 534, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 1304, in spawn
    raise RuntimeError("server failed to restart")
######
And here is the failure in /var/log/ipareplica-ca-install.log:
######
...
---------------
Import complete
---------------
Imported certificates into /etc/pki/pki-tomcat/alias:

Certificate Nickname                Trust Attributes
                                    SSL,S/MIME,JAR/XPI

Third-party RSA CA                  C,,
caSigningCert cert-pki-ca           CTu,Cu,Cu
subsystemCert cert-pki-ca           u,u,u
auditSigningCert cert-pki-ca        u,u,Pu
Third-party Root CA                 C,,
ocspSigningCert cert-pki-ca         u,u,u

Installation failed: server failed to restart

2020-06-20T15:10:50Z DEBUG stderr=pkispawn : ERROR ... server failed to restart

2020-06-20T15:10:50Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpcQ1jxM' returned non-zero exit status 1
2020-06-20T15:10:50Z CRITICAL See the installation logs and the following files/directories for more information:
2020-06-20T15:10:50Z CRITICAL /var/log/pki/pki-tomcat
2020-06-20T15:10:50Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 567, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 557, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 675, in __spawn_instance
    pki_pin)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 167, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 408, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

2020-06-20T15:10:50Z DEBUG [error] RuntimeError: CA configuration failed.
...
######
Has anyone run into this? Is this a known bug/issue?
Current environment of all replicas:
- CentOS 7.8
- FreeIPA 4.6.6
Any help/guidance on fixing this would be really appreciated.
Thanks so much,
Guillermo
On 7/6/20 5:18 PM, Guillermo Fuentes via FreeIPA-users wrote:
Hi all,
I'm having an issue creating a new replica with CA. The Directory Service installation works fine but adding the CA clone fails with a java.lang.NumberFormatException when getting the serial number range.
Hi,
What is the content of this entry?
ldapsearch -D "cn=directory manager" -W -b "ou=certificateRepository,ou=ca,o=ipaca" -s base
According to the code, a decimal format is expected for the attribute nextRange. Was the value modified by hand? If not, I would advise opening an issue against dogtag, for the team to investigate how a hexadecimal format could get written there: https://pagure.io/dogtagpki/new_issue
HTH, flo
Hi Flo,
Here is the value of the entry:
# certificateRepository, ca, ipaca
dn: ou=certificateRepository,ou=ca,o=ipaca
objectClass: top
objectClass: repository
ou: certificateRepository
serialno: 09268369921
nextRange: e0000001
The value of nextRange was modified by hand to fix another issue. According to this https://frasertweedale.github.io/blog-redhat/posts/2019-07-26-dogtag-replica... it should be hexadecimal.
If the code is expecting a decimal value, I'm assuming converting the range from hex to decimal should do it, right? I'll also check for conflicts.
Thanks! Guillermo
On Mon, Jul 6, 2020 at 12:35 PM Florence Blanc-Renaud flo@redhat.com wrote:
Hi,
What is the content of this entry?
ldapsearch -D "cn=directory manager" -W -b "ou=certificateRepository,ou=ca,o=ipaca" -s base
According to the code, a decimal format is expected for the attribute nextRange. Was the value modified by hand? If not, I would advise opening an issue against dogtag, for the team to investigate how a hexadecimal format could get written there: https://pagure.io/dogtagpki/new_issue
HTH, flo
Guillermo Fuentes via FreeIPA-users wrote:
Hi Flo,
Here is the value of the entry:
# certificateRepository, ca, ipaca
dn: ou=certificateRepository,ou=ca,o=ipaca
objectClass: top
objectClass: repository
ou: certificateRepository
serialno: 09268369921
nextRange: e0000001
The value of nextRange was modified by hand to fix another issue. According to this https://frasertweedale.github.io/blog-redhat/posts/2019-07-26-dogtag-replica... it should be hexadecimal.
Maybe try an upper-case E.
rob
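A pre-flight check for the situation discussed in this thread, as an added example that is not part of any poster's message or of Dogtag's code: it parses ldapsearch LDIF output and flags any nextRange value that a strict decimal parser would reject (the format Flo's reply says the code expects), reporting what the value would be if read as hexadecimal. The function names and the second sample entry are assumptions made for illustration.

```python
import base64
import re

# Constructed sample input: the certificateRepository entry quoted in the
# thread, plus a requests entry (attributes constructed) whose nextRange
# value is the one shown in the debug log.
SAMPLE_LDIF = """\
# certificateRepository, ca, ipaca
dn: ou=certificateRepository,ou=ca,o=ipaca
objectClass: top
objectClass: repository
ou: certificateRepository
serialno: 09268369921
nextRange: e0000001

# requests, ca, ipaca (constructed)
dn: ou=ca,ou=requests,o=ipaca
nextRange: 90000001
"""

# Assumption taken from Flo's reply: nextRange is parsed as a decimal string.
# An optional sign followed by ASCII digits is what a radix-10 parse accepts.
DECIMAL_RE = re.compile(r"[+-]?[0-9]+")
HEX_RE = re.compile(r"[0-9A-Fa-f]+")


def parse_ldif(text):
    """Return a list of entries, each {lower-cased attribute: [values]}."""
    entries, current = [], {}
    # LDIF folds long lines: a line starting with one space continues
    # the previous line, so join those before splitting.
    unfolded = re.sub(r"\r?\n ", "", text)
    for line in unfolded.splitlines():
        if not line.strip():
            # A blank line ends the current entry.
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):
            # "attr:: value" carries a base64-encoded value.
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def check_next_range(entry):
    """Classify one entry's nextRange as 'ok', 'not-decimal' or 'missing'."""
    dn = entry.get("dn", ["?"])[0]
    values = entry.get("nextrange")
    if not values:
        return {"dn": dn, "status": "missing", "value": None, "as_hex": None}
    value = values[0]
    # What the same string means if it was written as hexadecimal. Note that
    # an all-digit value such as 90000001 is valid in both radixes, so a
    # decimal-looking value can still have been intended as hex.
    as_hex = int(value, 16) if HEX_RE.fullmatch(value) else None
    # Letter case is irrelevant here: any a-f/A-F digit fails a decimal parse.
    status = "ok" if DECIMAL_RE.fullmatch(value) else "not-decimal"
    return {"dn": dn, "status": status, "value": value, "as_hex": as_hex}


def audit(ldif_text):
    """Check every entry in the LDIF text that has a DN."""
    return [check_next_range(e) for e in parse_ldif(ldif_text) if "dn" in e]


if __name__ == "__main__":
    for result in audit(SAMPLE_LDIF):
        line = "{dn}: nextRange={value!r} -> {status}".format(**result)
        if result["status"] == "not-decimal" and result["as_hex"] is not None:
            line += " (read as hex this is {} decimal)".format(result["as_hex"])
        print(line)
```

Feed it the output of the ldapsearch command from Flo's reply in place of SAMPLE_LDIF; any candidate replacement value still has to be checked against the ranges already allocated to other replicas.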
If the code is expecting a decimal value, I'm assuming converting the range from hex to decimal should do it, right? I'll also check for conflicts.
Thanks! Guillermo
On Mon, Jul 6, 2020 at 12:35 PM Florence Blanc-Renaud flo@redhat.com wrote:
On 7/6/20 5:18 PM, Guillermo Fuentes via FreeIPA-users wrote:
Hi all,
I'm having an issue creating a new replica with CA. The Directory Service installation works fine but adding the CA clone fails with a java.lang.NumberFormatException when getting the serial number range.
This is the error logged in /var/log/pki/pki-tomcat/ca/debug:
######
...
[20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: retrieving ou=ca, ou=requests,o=ipaca
[20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: updating nextRange from 80000001 to 90000001
[20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: adding new range object: cn=80000001,ou=requests, ou=ranges,o=ipaca
[20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: getNextRange Next range has been added: 80000001 - 90000000
[20/Jun/2020:15:09:55][localhost-startStop-1]: Releasing ldap connection
[20/Jun/2020:15:09:55][localhost-startStop-1]: returnConn: mNumConns now 3
[20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: next range: 80000001
[20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Next min serial number: 80000001
[20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: Setting next min requests number: 80000001
[20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: Setting next max requests number: 90000000
[20/Jun/2020:15:09:55][localhost-startStop-1]: Checking for a range conflict
[20/Jun/2020:15:09:55][localhost-startStop-1]: In LdapBoundConnFactory::getConn()
[20/Jun/2020:15:09:55][localhost-startStop-1]: masterConn is connected: true
[20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: conn is connected true
[20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: mNumConns now 2
[20/Jun/2020:15:09:55][localhost-startStop-1]: Releasing ldap connection
[20/Jun/2020:15:09:55][localhost-startStop-1]: returnConn: mNumConns now 3
[20/Jun/2020:15:09:55][localhost-startStop-1]: CMSEngine: checking certificate serial number ranges
[20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Serial numbers left in range: 65536
[20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Last serial number: 2415656960
[20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Serial numbers available: 65536
[20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Low water mark: 33554432
[20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Requesting next range
[20/Jun/2020:15:09:55][localhost-startStop-1]: In LdapBoundConnFactory::getConn()
[20/Jun/2020:15:09:55][localhost-startStop-1]: masterConn is connected: true
[20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: conn is connected true
[20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: mNumConns now 2
[20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: retrieving ou=certificateRepository, ou=ca,o=ipaca
Hi,
What is the content of this entry?
ldapsearch -D "cn=directory manager" -W -b "ou=certificateRepository,ou=ca,o=ipaca" -s base
According to the code, a decimal format is expected for the attribute nextRange. Was the value modified by hand? If not, I would advise opening an issue against dogtag, for the team to investigate how a hexadecimal format could get written there: https://pagure.io/dogtagpki/new_issue
HTH, flo
java.lang.NumberFormatException: For input string: "e0000001"
    at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
    at java.lang.Integer.parseInt(Integer.java:580)
    at java.math.BigInteger.<init>(BigInteger.java:470)
    at java.math.BigInteger.<init>(BigInteger.java:606)
    at com.netscape.cmscore.dbs.DBSubsystem.getNextRange(DBSubsystem.java:417)
    at com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:546)
    at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1268)
    at com.netscape.certsrv.apps.CMS.startup(CMS.java:204)
    at com.netscape.certsrv.apps.CMS.start(CMS.java:1459)
    at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
    at javax.servlet.GenericServlet.init(GenericServlet.java:158)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
...
######
This is logged in /var/log/pki/pki-ca-spawn.20200620150752.log:
######
...
2020-06-20 15:09:47 pkispawn : INFO ....... executing 'systemctl stop pki-tomcatd@pki-tomcat.service'
2020-06-20 15:09:48 pkispawn : INFO ....... removing temp SSL server cert from internal token: Server-Cert cert-pki-ca
2020-06-20 15:09:48 pki.nssdb : DEBUG Command: certutil -D -d /var/lib/pki/pki-tomcat/alias -f /tmp/tmptjRzW6/password.txt -n Server-Cert cert-pki-ca
2020-06-20 15:09:48 pkispawn : INFO ....... importing permanent SSL server cert into internal token: Server-Cert cert-pki-ca
2020-06-20 15:09:48 pki.nssdb : DEBUG Command: certutil -A -d /var/lib/pki/pki-tomcat/alias -f /tmp/tmplJLOg8/internal_password.txt -n Server-Cert cert-pki-ca -a -i /tmp/tmpeCzA_b/sslserver.crt -t ,,
2020-06-20 15:09:48 pkispawn : INFO ....... executing 'systemctl daemon-reload'
2020-06-20 15:09:48 pkispawn : INFO ....... executing 'systemctl start pki-tomcatd@pki-tomcat.service'
2020-06-20 15:09:48 pkispawn : INFO ........... FIPS mode is NOT enabled on this operating system.
2020-06-20 15:09:48 pkispawn : DEBUG ........... No connection - server may still be down
2020-06-20 15:09:48 pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
2020-06-20 15:09:49 pkispawn : DEBUG ........... No connection - server may still be down
2020-06-20 15:09:49 pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
2020-06-20 15:09:56 pkispawn : DEBUG ........... No connection - server may still be down
2020-06-20 15:09:56 pkispawn : DEBUG ........... No connection - exception thrown: 500 Server Error: Internal Server Error
2020-06-20 15:09:57 pkispawn : DEBUG ........... No connection - server may still be down
2020-06-20 15:09:57 pkispawn : DEBUG ........... No connection - exception thrown: 500 Server Error: Internal Server Error
2020-06-20 15:09:58 pkispawn : DEBUG ........... No connection - server may still be down
... repeats every second
2020-06-20 15:10:47 pkispawn : DEBUG ........... No connection - exception thrown: 500 Server Error: Internal Server Error
2020-06-20 15:10:48 pkispawn : DEBUG ........... No connection - server may still be down
2020-06-20 15:10:48 pkispawn : DEBUG ........... No connection - exception thrown: 500 Server Error: Internal Server Error
2020-06-20 15:10:49 pkispawn : ERROR ... server failed to restart
2020-06-20 15:10:49 pkispawn : DEBUG ....... Error Type: RuntimeError
2020-06-20 15:10:49 pkispawn : DEBUG ....... Error Message: server failed to restart
2020-06-20 15:10:49 pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", line 534, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 1304, in spawn
    raise RuntimeError("server failed to restart")
######
And here is the failure in /var/log/ipareplica-ca-install.log: ###### ...
Import complete
Imported certificates into /etc/pki/pki-tomcat/alias:
Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI
Third-party RSA CA C,,
caSigningCert cert-pki-ca CTu,Cu,Cu
subsystemCert cert-pki-ca u,u,u
auditSigningCert cert-pki-ca u,u,Pu
Third-party Root CA C,,
ocspSigningCert cert-pki-ca u,u,u
Installation failed: server failed to restart
2020-06-20T15:10:50Z DEBUG stderr=pkispawn : ERROR ... server failed to restart
2020-06-20T15:10:50Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpcQ1jxM' returned non-zero exit status 1
2020-06-20T15:10:50Z CRITICAL See the installation logs and the following files/directories for more information:
2020-06-20T15:10:50Z CRITICAL /var/log/pki/pki-tomcat
2020-06-20T15:10:50Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 567, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 557, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 675, in __spawn_instance
    pki_pin)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 167, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 408, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.
2020-06-20T15:10:50Z DEBUG [error] RuntimeError: CA configuration failed.
...
######
Has anyone run into this? Is this a known bug/issue?
Current environment of all replicas:
- CentOS 7.8
- FreeIPA 4.6.6
Any help/guidance on fixing this would be really appreciated.
Thanks so much,
Guillermo _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
On Mon, Jul 6, 2020 at 5:31 PM Rob Crittenden rcritten@redhat.com wrote:
Guillermo Fuentes via FreeIPA-users wrote:
Hi Flo,
Here is the value of the entry:
# certificateRepository, ca, ipaca
dn: ou=certificateRepository,ou=ca,o=ipaca
objectClass: top
objectClass: repository
ou: certificateRepository
serialno: 09268369921
nextRange: e0000001
The value of nextRange was modified by hand to fix another issue. According to this https://frasertweedale.github.io/blog-redhat/posts/2019-07-26-dogtag-replica... it should be hexadecimal.
Maybe try an upper-case E.
rob
Same result.
If the code is expecting a decimal value, I'm assuming converting the range from hex to decimal should do it, right? I'll also check for conflicts.
Thanks! Guillermo
On Tue, Jul 07, 2020 at 12:04:58AM -0400, Guillermo Fuentes via FreeIPA-users wrote:
On Mon, Jul 6, 2020 at 5:31 PM Rob Crittenden rcritten@redhat.com wrote:
Guillermo Fuentes via FreeIPA-users wrote:
Hi Flo,
Here is the value of the entry:
# certificateRepository, ca, ipaca
dn: ou=certificateRepository,ou=ca,o=ipaca
objectClass: top
objectClass: repository
ou: certificateRepository
serialno: 09268369921
nextRange: e0000001
The value of nextRange was modified by hand to fix another issue. According to this https://frasertweedale.github.io/blog-redhat/posts/2019-07-26-dogtag-replica... it should be hexadecimal.
Maybe try an upper-case E.
rob
Same result.
IIRC the ldap objects all use decimal representation. It is only in CS.cfg where some ranges are hexadecimal and others are decimal. I can confirm later. And update the blog post to clarify!
Put the decimal representation in the `nextRange' attribute and see how you go.
Cheers, Fraser
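The check discussed in this thread, as an added example that is not part of any message here or of Dogtag's own code: it reads the entry as printed by ldapsearch, tests whether nextRange would survive a base-10 parse like the `java.math.BigInteger(String)` call in the stack trace, and builds the ldapmodify input carrying the decimal equivalent. The function names are assumptions of this example, and the sample entry is constructed from the values posted in the thread.

```python
import base64
import re

# Constructed sample: the repository entry with the values posted in the thread.
SAMPLE_LDIF = """\
# certificateRepository, ca, ipaca
dn: ou=certificateRepository,ou=ca,o=ipaca
objectClass: top
objectClass: repository
ou: certificateRepository
serialno: 09268369921
nextRange: e0000001
"""

# What a radix-10 BigInteger(String) accepts: optional sign, then digits only.
_DECIMAL = re.compile(r"[+-]?[0-9]+", re.ASCII)
_HEX = re.compile(r"(?:0[xX])?[0-9a-fA-F]+", re.ASCII)


def parse_entry(ldif_text):
    """Return (dn, attrs) for the first LDIF entry; attrs maps lower-cased
    attribute names to lists of values."""
    lines = []
    for raw in ldif_text.splitlines():
        # A line starting with one space continues the previous line.
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines:
        if not line.strip():
            if dn is not None:
                break  # a blank line ends the entry
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return dn, attrs


def check_next_range(ldif_text, attr="nextRange"):
    """Report whether the attribute parses as decimal and, if it only makes
    sense as hexadecimal, propose the decimal replacement."""
    dn, attrs = parse_entry(ldif_text)
    values = attrs.get(attr.lower(), [])
    if len(values) != 1:
        raise ValueError("expected one %s value, found %d" % (attr, len(values)))
    value = values[0]
    report = {"dn": dn, "attr": attr, "current": value,
              "parses": bool(_DECIMAL.fullmatch(value)),
              "replacement": None, "note": ""}
    if report["parses"]:
        # An all-digit hex string parses without error but denotes a different
        # number, so show the hex reading for the operator to compare.
        report["note"] = ("parses as decimal; if it was written as hex it "
                          "would denote %d" % int(value, 16))
    elif _HEX.fullmatch(value):
        report["replacement"] = str(int(value, 16))
        report["note"] = "hexadecimal digits found; decimal equivalent proposed"
    else:
        report["note"] = "neither decimal nor hexadecimal; inspect by hand"
    return report


def modify_ldif(report):
    """Input for ldapmodify that replaces the attribute, or '' if no change."""
    if report["replacement"] is None:
        return ""
    return "\n".join([
        "dn: " + report["dn"],
        "changetype: modify",
        "replace: " + report["attr"],
        "%s: %s" % (report["attr"], report["replacement"]),
        "",
    ])


if __name__ == "__main__":
    result = check_next_range(SAMPLE_LDIF)
    print(result["note"])
    print(modify_ldif(result))
```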
Confirmed Fraser. It worked! Thanks so much! Using the decimal value in the nextRange attribute did the trick. Thank you everyone for your help. All the best, Guillermo
On Tue, Jul 7, 2020 at 3:57 AM Fraser Tweedale ftweedal@redhat.com wrote:
On Tue, Jul 07, 2020 at 12:04:58AM -0400, Guillermo Fuentes via FreeIPA-users wrote:
On Mon, Jul 6, 2020 at 5:31 PM Rob Crittenden rcritten@redhat.com wrote:
Guillermo Fuentes via FreeIPA-users wrote:
Hi Flo, Here is the value of the entry: # certificateRepository, ca, ipaca dn: ou=certificateRepository,ou=ca,o=ipaca objectClass: top objectClass: repository ou: certificateRepository serialno: 09268369921 nextRange: e0000001
The value of nextRange was modified by hand to fix another issue. According to this https://frasertweedale.github.io/blog-redhat/posts/2019-07-26-dogtag-replica... it should be hexadecimal.
Maybe try an upper-case E.
rob
Same result.
IIRC the ldap objects all use decimal representation. It is only in CS.cfg where some ranges are hexadecimal and others are decimal. I can confirm later. And update the blog post to clarify!
Put the decimal representation in the `nextRange' attribute and see how you go.
Cheers, Fraser
If the code is expecting a decimal value, I'm assuming converting the range from hex to decimal should do it, right? I'll also check for conflicts.
Thanks! Guillermo
On Mon, Jul 6, 2020 at 12:35 PM Florence Blanc-Renaud flo@redhat.com wrote:
On 7/6/20 5:18 PM, Guillermo Fuentes via FreeIPA-users wrote:
Hi all,
I'm having an issue creating a new replica with CA. The Directory Service installation works fine but adding the CA clone fails with a java.lang.NumberFormatException when getting the serial number range.
This is the error logged in /var/log/pki/pki-tomcat/ca/debug:
######
...
[20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: retrieving ou=ca, ou=requests,o=ipaca
[20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: updating nextRange from 80000001 to 90000001
[20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: adding new range object: cn=80000001,ou=requests, ou=ranges,o=ipaca
[20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: getNextRange Next range has been added: 80000001 - 90000000
[20/Jun/2020:15:09:55][localhost-startStop-1]: Releasing ldap connection
[20/Jun/2020:15:09:55][localhost-startStop-1]: returnConn: mNumConns now 3
[20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: next range: 80000001
[20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Next min serial number: 80000001
[20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: Setting next min requests number: 80000001
[20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: Setting next max requests number: 90000000
[20/Jun/2020:15:09:55][localhost-startStop-1]: Checking for a range conflict
[20/Jun/2020:15:09:55][localhost-startStop-1]: In LdapBoundConnFactory::getConn()
[20/Jun/2020:15:09:55][localhost-startStop-1]: masterConn is connected: true
[20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: conn is connected true
[20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: mNumConns now 2
[20/Jun/2020:15:09:55][localhost-startStop-1]: Releasing ldap connection
[20/Jun/2020:15:09:55][localhost-startStop-1]: returnConn: mNumConns now 3
[20/Jun/2020:15:09:55][localhost-startStop-1]: CMSEngine: checking certificate serial number ranges
[20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Serial numbers left in range: 65536
[20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Last serial number: 2415656960
[20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Serial numbers available: 65536
[20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Low water mark: 33554432
[20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Requesting next range
[20/Jun/2020:15:09:55][localhost-startStop-1]: In LdapBoundConnFactory::getConn()
[20/Jun/2020:15:09:55][localhost-startStop-1]: masterConn is connected: true
[20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: conn is connected true
[20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: mNumConns now 2
[20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: retrieving ou=certificateRepository, ou=ca,o=ipaca
Hi,
What is the content of this entry?
ldapsearch -D "cn=directory manager" -W -b "ou=certificateRepository,ou=ca,o=ipaca" -s base
According to the code, a decimal format is expected for the attribute nextRange. Was the value modified by hand? If not, I would advise opening an issue against dogtag, for the team to investigate how a hexadecimal format could get written there: https://pagure.io/dogtagpki/new_issue
HTH, flo
java.lang.NumberFormatException: For input string: "e0000001"
    at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
    at java.lang.Integer.parseInt(Integer.java:580)
    at java.math.BigInteger.<init>(BigInteger.java:470)
    at java.math.BigInteger.<init>(BigInteger.java:606)
    at com.netscape.cmscore.dbs.DBSubsystem.getNextRange(DBSubsystem.java:417)
    at com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:546)
    at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1268)
    at com.netscape.certsrv.apps.CMS.startup(CMS.java:204)
    at com.netscape.certsrv.apps.CMS.start(CMS.java:1459)
    at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
    at javax.servlet.GenericServlet.init(GenericServlet.java:158)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
...
######
This is logged in /var/log/pki/pki-ca-spawn.20200620150752.log:
######
...
2020-06-20 15:09:47 pkispawn : INFO ....... executing 'systemctl stop pki-tomcatd@pki-tomcat.service'
2020-06-20 15:09:48 pkispawn : INFO ....... removing temp SSL server cert from internal token: Server-Cert cert-pki-ca
2020-06-20 15:09:48 pki.nssdb : DEBUG Command: certutil -D -d /var/lib/pki/pki-tomcat/alias -f /tmp/tmptjRzW6/password.txt -n Server-Cert cert-pki-ca
2020-06-20 15:09:48 pkispawn : INFO ....... importing permanent SSL server cert into internal token: Server-Cert cert-pki-ca
2020-06-20 15:09:48 pki.nssdb : DEBUG Command: certutil -A -d /var/lib/pki/pki-tomcat/alias -f /tmp/tmplJLOg8/internal_password.txt -n Server-Cert cert-pki-ca -a -i /tmp/tmpeCzA_b/sslserver.crt -t ,,
2020-06-20 15:09:48 pkispawn : INFO ....... executing 'systemctl daemon-reload'
2020-06-20 15:09:48 pkispawn : INFO ....... executing 'systemctl start pki-tomcatd@pki-tomcat.service'
2020-06-20 15:09:48 pkispawn : INFO ........... FIPS mode is NOT enabled on this operating system.
2020-06-20 15:09:48 pkispawn : DEBUG ........... No connection - server may still be down
2020-06-20 15:09:48 pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
2020-06-20 15:09:49 pkispawn : DEBUG ........... No connection - server may still be down
2020-06-20 15:09:49 pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
2020-06-20 15:09:56 pkispawn : DEBUG ........... No connection - server may still be down
2020-06-20 15:09:56 pkispawn : DEBUG ........... No connection - exception thrown: 500 Server Error: Internal Server Error
2020-06-20 15:09:57 pkispawn : DEBUG ........... No connection - server may still be down
2020-06-20 15:09:57 pkispawn : DEBUG ........... No connection - exception thrown: 500 Server Error: Internal Server Error
2020-06-20 15:09:58 pkispawn : DEBUG ........... No connection - server may still be down
... repeats every second
2020-06-20 15:10:47 pkispawn : DEBUG ........... No connection - exception thrown: 500 Server Error: Internal Server Error
2020-06-20 15:10:48 pkispawn : DEBUG ........... No connection - server may still be down
2020-06-20 15:10:48 pkispawn : DEBUG ........... No connection - exception thrown: 500 Server Error: Internal Server Error
2020-06-20 15:10:49 pkispawn : ERROR ... server failed to restart
2020-06-20 15:10:49 pkispawn : DEBUG ....... Error Type: RuntimeError
2020-06-20 15:10:49 pkispawn : DEBUG ....... Error Message: server failed to restart
2020-06-20 15:10:49 pkispawn : DEBUG .......
  File "/usr/sbin/pkispawn", line 534, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 1304, in spawn
    raise RuntimeError("server failed to restart")
######
And here is the failure in /var/log/ipareplica-ca-install.log:
######
...
Import complete
Imported certificates into /etc/pki/pki-tomcat/alias:

Certificate Nickname                Trust Attributes
                                    SSL,S/MIME,JAR/XPI

Third-party RSA CA                  C,,
caSigningCert cert-pki-ca           CTu,Cu,Cu
subsystemCert cert-pki-ca           u,u,u
auditSigningCert cert-pki-ca        u,u,Pu
Third-party Root CA                 C,,
ocspSigningCert cert-pki-ca         u,u,u

Installation failed: server failed to restart
2020-06-20T15:10:50Z DEBUG stderr=pkispawn : ERROR ... server failed to restart
2020-06-20T15:10:50Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpcQ1jxM' returned non-zero exit status 1
2020-06-20T15:10:50Z CRITICAL See the installation logs and the following files/directories for more information:
2020-06-20T15:10:50Z CRITICAL /var/log/pki/pki-tomcat
2020-06-20T15:10:50Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 567, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 557, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 675, in __spawn_instance
    pki_pin)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 167, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 408, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.
2020-06-20T15:10:50Z DEBUG [error] RuntimeError: CA configuration failed.
...
######
Has anyone run into this? Is this a known bug/issue?
Current environment of all replicas:
- CentOS 7.8
- FreeIPA 4.6.6
Any help/guidance on fixing this would be really appreciated.
Thanks so much,
Guillermo
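The check this thread arrives at, as an added example that is not part of the original messages or of Dogtag's code: it reads the `ou=certificateRepository` entry as `ldapsearch` prints it, tests whether `nextRange` is a decimal string (the stack trace shows the value going through the `java.math.BigInteger` string constructor, which reads base 10), and for a hex-only value builds a replacement LDIF. The function names, and the assumption that the input is a single unfolded, non-base64 LDIF entry, belong to this example.

```python
import re

# Constructed sample: the entry quoted in the thread, in ldapsearch output form.
SAMPLE_LDIF = """\
# certificateRepository, ca, ipaca
dn: ou=certificateRepository,ou=ca,o=ipaca
objectClass: top
objectClass: repository
ou: certificateRepository
serialno: 09268369921
nextRange: e0000001
"""

# Optional sign plus digits: what the radix-10 BigInteger(String) constructor accepts.
DECIMAL = re.compile(r"[+-]?[0-9]+")
HEX = re.compile(r"[0-9a-fA-F]+")


def parse_entry(ldif):
    """Return (dn, {attribute: [values]}) for one unfolded LDIF entry."""
    dn, attrs = None, {}
    for line in ldif.splitlines():
        if not line or line.startswith("#"):
            continue  # skip blank lines and ldapsearch comments
        name, _, value = line.partition(":")
        if name.lower() == "dn":
            dn = value.strip()
        else:
            attrs.setdefault(name, []).append(value.strip())
    return dn, attrs


def check_next_range(ldif):
    """Classify nextRange; for a hex-only value, build LDIF storing it in decimal."""
    dn, attrs = parse_entry(ldif)
    value = attrs["nextRange"][0]
    if DECIMAL.fullmatch(value):
        return {"status": "decimal", "decimal": value, "fix": None}
    if not HEX.fullmatch(value):
        return {"status": "invalid", "decimal": None, "fix": None}
    decimal = str(int(value, 16))
    fix = (f"dn: {dn}\nchangetype: modify\n"
           f"replace: nextRange\nnextRange: {decimal}\n")
    return {"status": "hex", "decimal": decimal, "fix": fix}


if __name__ == "__main__":
    result = check_next_range(SAMPLE_LDIF)
    print(result["status"], result["decimal"])
    if result["fix"]:
        print(result["fix"])
```

A value made only of the digits 0-9 is reported as decimal even if it was typed as hex, so compare it against the existing range entries before relying on it.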